--- 1/draft-ietf-ippm-ipsec-04.txt 2014-09-19 08:17:22.559025879 -0700 +++ 2/draft-ietf-ippm-ipsec-05.txt 2014-09-19 08:17:22.655028213 -0700 @@ -1,20 +1,20 @@ IPPM WG K. Pentikousis, Ed. Internet-Draft EICT -Intended status: Standards Track Y. Cui -Expires: January 23, 2015 E. Zhang +Intended status: Standards Track E. Zhang +Expires: March 23, 2015 Y. Cui Huawei Technologies - July 22, 2014 + September 19, 2014 IKEv2-based Shared Secret Key for O/TWAMP - draft-ietf-ippm-ipsec-04 + draft-ietf-ippm-ipsec-05 Abstract The O/TWAMP security mechanism requires that both the client and server endpoints possess a shared secret. Since the currently- standardized O/TWAMP security mechanism only supports a pre-shared key mode, large scale deployment of O/TWAMP is hindered significantly. At the same time, recent trends point to wider IKEv2 deployment which, in turn, calls for mechanisms and methods that enable tunnel end-users, as well as operators, to measure one-way and @@ -34,21 +34,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 23, 2015. + This Internet-Draft will expire on March 23, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -66,25 +66,25 @@ 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 4.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 11 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to measure network performance parameters, such as latency, bandwidth, and packet loss by sending probe packets and monitoring their experience in the network. In order to guarantee the accuracy of network measurement results, security aspects must be considered. Otherwise, attacks may occur and the authenticity of the measurement @@ -115,30 +115,39 @@ cellular networks, such as UMTS and GSM, IPsec use penetration is lower, but still quite significant. If the shared key can be derived from the IKEv2 SA, O/TWAMP can support cert-based key exchange and make it more flexible in practice and more efficient. The use of IKEv2 also makes it easier to extend automatic key management. In general, O/TWAMP measurement packets can be transmitted inside the IPsec tunnel, as it occurs with typical user traffic, or transmitted outside the IPsec tunnel. This may depend on the operator's policy and is orthogonal to the mechanism described in this document. - We note that protecting unauthenticated O/TWAMP traffic using IPsec - security services is sufficient in many cases. That said, protecting + When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated + mode using IPsec is one option. Another option is to protect O/TWAMP + traffic using O/TWAMP layer security established using the PSK + derived from IKEv2 but bypassing the IPsec tunnel. Protecting unauthenticated O/TWAMP control and/or test traffic via AH or ESP - cannot provide various security modes and cannot authenticate part of - a O/TWAMP packet as mentioned in [RFC4656]. In real-world - deployments this may hinder timestamp accuracy. This document - describes how to derive the shared secret key from the IKEv2 SA and - employ the security service at the O/TWAMP layer. This method SHOULD - be used when O/TWAMP traffic is bypassing IPsec protection and is - running over an external network exactly between two IKEv2 systems. + cannot provide various security options, e.g. it cannot authenticate + part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring + latency, timestamp is carried in O/TWAMP traffic. The sender has to + fetch the timestamp, encrypt it, and send it. In this case, the + middle step can be skipped, potentially improving accuracy as the + sequence number can be encrypted and authenticated before the + timestamp is fetched. It is the same case for the receiver since it + can obtain the timstamp by skipping the decryption step. In such + cases, protecting O/TWAMP traffic using O/TWAMP layer security but + bypassing IPsec tunnel has its advantages. This document describes + how to derive the shared secret key from the IKEv2 SA and employ the + security service at the O/TWAMP layer. This method SHOULD be used + when O/TWAMP traffic is bypassing IPsec protection and is running + over an external network exactly between two IKEv2 systems. The remainder of this document is organized as follows. Section 3 summarizes O/TWAMP protocol operation with respect to security. Section 4 presents a method of binding O/TWAMP and IKEv2 for network measurements between the client and the server which both support IKEv2. Finally, Section 5 discusses the security considerations arising from the proposed mechanisms. 2. Terminology @@ -271,60 +280,53 @@ derived using IKEv2 [RFC5996]. 4.1. Shared Key Derivation In the authenticated, encrypted and mixed modes, the shared secret key MUST be derived from the IKEv2 Security Association (SA). Note that we explicitly opt to derive the shared secret key from the IKEv2 SA, rather than the child SA, since the use case whereby an IKEv2 SA can be created without generating any child SA is possible [RFC6023]. - When the shared secret key is derived from the IKEv2 SA, SKEYSEED - must be generated first. SKEYSEED and its derivatives MUST be - computed as per [RFC5996], where prf is a pseudorandom function: - - SKEYSEED = prf( Ni | Nr, g^ir ) - - Ni and Nr are, respectively, the initiator and responder nonces, - which are negotiated during the initial exchange (see Section 1.2 of - [RFC5996]). g^ir is the shared secret from the ephemeral Diffie- - Hellman exchange and is represented as a string of octets. + When the shared secret key is derived from the IKEv2 SA, SK_d must be + generated first. SK_d MUST be computed as per [RFC5996]. The shared secret key MUST be generated as follows: - Shared secret key = PRF( SKEYSEED, "IPPM" ) + Shared secret key = PRF( SK_d, "IPPM" ) - Wherein the string "IPPM" comprises four ASCII characters. It is - recommended that the shared secret key is derived in the IPsec layer. - This way, the IPsec keying material is not exposed to the O/TWAMP - client. Note, however, that the interaction between the O/TWAMP and - IPsec layers is host-internal and implementation-specific. - Therefore, this is clearly outside the scope of this document, which - focuses on the interaction between the O/TWAMP client and server. - That said, one possible way could be the following: at the client - side, the IPSec layer can perform a lookup in the Security - Association Database (SAD) using the IP address of the server and - thus match the corresponding IKEv2 SA. At the server side, the IPSec - layer can look up the corresponding IKEv2 SA by using the SPIs sent - by the client, and therefore extract the shared secret key. In case - that both client and server do support IKEv2 but there is no current - IKEv2 SA, two alternative ways could be considered. First, the O/ - TWAMP client initiates the establishment of the IKEv2 SA, logs this - operation, and selects the mode which supports IKEv2. Alternatively, - the O/TWAMP client does not initiate the establishment of the IKEv2 - SA, logs an error for operational management purposes, and proceeds - with the modes defined in [RFC4656][RFC5618]. Again, although both - alternatives are feasible, they are in fact implementation-specific. + Wherein the string "IPPM" comprises four ASCII characters and prf is + a pseudorandom function. It is recommended that the shared secret + key is derived in the IPsec layer. This way, the IPsec keying + material is not exposed to the O/TWAMP client. Note, however, that + the interaction between the O/TWAMP and IPsec layers is host-internal + and implementation-specific. Therefore, this is clearly outside the + scope of this document, which focuses on the interaction between the + O/TWAMP client and server. That said, one possible way could be the + following: at the client side, the IPSec layer can perform a lookup + in the Security Association Database (SAD) using the IP address of + the server and thus match the corresponding IKEv2 SA. At the server + side, the IPSec layer can look up the corresponding IKEv2 SA by using + the SPIs sent by the client, and therefore extract the shared secret + key. In case that both client and server do support IKEv2 but there + is no current IKEv2 SA, two alternative ways could be considered. + First, the O/TWAMP client initiates the establishment of the IKEv2 + SA, logs this operation, and selects the mode which supports IKEv2. + Alternatively, the O/TWAMP client does not initiate the establishment + of the IKEv2 SA, logs an error for operational management purposes, + and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. + Again, although both alternatives are feasible, they are in fact + implementation-specific. If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the corresponding shared secret key generated from the SA can continue to - be used until the lifetime of the shared secret key expires. + be used until the O/TWAMP session terminates. 4.2. Server Greeting Message Update To achieve a binding association between the key generated from IKEv2 and the O/TWAMP shared secret key, Server Greeting Message should be updated as in Figure 2. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -349,46 +351,49 @@ | | | MBZ (12 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: Server Greeting format The Modes field in Figure 2 will need to allow for support of key derivation as discussed in Section 4.1. As such, the Modes value extension MUST be supported by implementations compatible with this - document, indicating support for deriving shared key from IKEv2 SA. - Three new Modes including authenticated mode over IKEv2(IANA.TBA.O/ - TWAMP.IKEAuth),encrypted mode over IKEv2(IANA.TBA.O/TWAMP.IKEEnc) and - mixed mode over IKEv2(IANA.TBA.TWAMP.IKEMix) are proposed. - - Authenticated mode over IKEv2 means that the client and server - operate in authenticated mode with the shared secret key derived from - IKEv2 SA. Encrypted mode over IKEv2 means that the client and server - operate in encrypted mode with the shared secret key derived from - IKEv2 SA. Mixed mode over IKEv2 means that the client and server - operate in encrypted mode for the O/TWAMP-Control protocol while - operating in unauthenticated mode for the O/TWAMP-Test protocol with - shared secret key derived from IKEv2 SA. + document, indicating support for deriving the shared key from the + IKEv2 SA. The new Modes value indicating support for this + specification is IANA.TBA.TWAMP.IKEv2Derived (note to IANA: 128 is + preferred, i.e. bit in position 7). Clearly, an implementation + compatible with this specification MUST support the authenticated, + encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618]. - The choice of this set of Modes values poses the least backwards - compatibility problems to existing O/TWAMP clients. Robust client - implementations of [RFC4656] would disregard the fact that the first - 29 Modes bits in the Server Greeting is set. If the server supports - other Modes, as one would assume, the client would then indicate any - of the Modes defined in [RFC4656] and effectively indicate that it - does not support key derivation from IKEv2. At this point, the - Server would need to use the Modes defined in [RFC4656] only. + The choice of this set of Modes values poses no backwards + compatibility problems to existing O/TWAMP clients. Robust legacy + client implementations would disregard the fact that the + IANA.TBA.TWAMP.IKEv2Derived Modes bit in the Server Greeting is set. + On the other hand, a client compatible with this specification can + easily identify that the O/TWAMP server contacted does not support + this specification. If the server supports other Modes, as one could + assume, the client would then decide which Mode to use and indicate + such accordingly as per [RFC4656][RFC5357]. A client compatible with + this specification which decides not to employ IKEv2 derivation, can + simply behave as a purely [RFC4656]/[RFC5357] compatible client. 4.3. Set-Up-Response Update - The Set-Up-Response Message should be updated as in Figure 3. + The Set-Up-Response Message should be updated as in Figure 3. When a + O/TWAMP client compatible with this specification receives a Server + Greeting indicating support for Mode IANA.TBA.TWAMP.IKEv2Derived it + SHOULD reply to the O/TWAMP server with a Set-Up response that + indicates so. For example, a compatible O/TWAMP client choosing the + authenticated mode with IKEv2 shared secret key derivation should set + Mode to 130, i.e. set the bits in positions 1 and 7 (TBD IANA) to + one. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mode | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Key ID (80 octets) | | | | | @@ -402,43 +407,43 @@ | Client-IV (12 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: Set-Up-Response Message The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can uniquely identify the Security Association (SA). If the client supports the derivation of shared secret key from IKEv2 SA, it will choose the corresponding mode value and carry SPIi and SPIr in the - Key ID field. SPIi and SPIr are included in the Key ID field of Set- - Up- Response Message to indicate the IKEv2 SA from which the O/TWAMP - shared secret key derived from. The length of SPI is 4 octets. - Therefore, the first 4 octets of Key ID field carry SPIi and the - second 4 octets carry SPIr. The remaining bits of the Key ID field - are set to zero. + Key ID field. SPIi and SPIr MUST be included in the Key ID field of + Set-Up-Response Message to indicate the IKEv2 SA from which the O/ + TWAMP shared secret key derived from. The length of SPI is 4 octets. + Therefore, the first 4 octets of Key ID field MUST carry SPIi and the + second 4 octets MUST carry SPIr. The remaining bits of the Key ID + field MUST set to zero. A O/TWAMP server which supports the specification of this document, - can obtain the SPIi and SPIr from the first 8 octets and ignore the - rest octets of the Key ID field. Then, the client and the server can - derive the shared secret key based on the mode value and SPI. If the - O/TWAMP server cannot find the IKEv2 SA corresponding to the SPIi and - SPIr received, it MUST log the event for operational management - purposes. In addition, the O/TWAMP server SHOULD set the Accept - field of the Server-Start message to the value 6 to indicate that - server is not willing to conduct further transactions in this O/ + MUST obtain the SPIi and SPIr from the first 8 octets and ignore the + remaining octets of the Key ID field. Then, the client and the + server can derive the shared secret key based on the mode value and + SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to + the SPIi and SPIr received, it MUST log the event for operational + management purposes. In addition, the O/TWAMP server SHOULD set the + Accept field of the Server-Start message to the value 6 to indicate + that server is not willing to conduct further transactions in this O/ TWAMP-Control session since it can not find the corresponding IKEv2 SA. 4.4. O/TWAMP over an IPsec tunnel IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and - data integrity to IP datagrams. Thus and IPsec tunnel can be used to + data integrity to IP datagrams. Thus an IPsec tunnel can be used to provide the protection needed for O/TWAMP Control and Test packets, even if the peers choose the unauthenticated mode of operation. If the two endpoints are already connected through an IPSec tunnel it is RECOMMENDED that the O/TWAMP measurement packets are forwarded over the IPSec tunnel if the peers choose the unauthenticated mode in order to ensure authenticity and security. 5. Security Considerations As the shared secret key is derived from the IKEv2 SA, the key @@ -451,31 +456,30 @@ attacks are as defined in [RFC5996]. As a more general note, the IPPM community may want to revisit the arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet security mechanisms, such as TLS and DTLS, may also be considered for future use over and above of what is already specified in [RFC4656] [RFC5357]. 6. IANA Considerations - IANA will need to allocate additional values for the Modes options - presented in this document. + IANA is requested to allocate the IANA.TBA.TWAMP.IKEv2Derived Modes + value in the TWAMP-Modes registry. 7. Acknowledgments - Emily Bi contributed to an earlier version of this document. - - We thank Eric Chen, Yaakov Stein, Brian Trammell, John Mattsson, and - Steve Baillargeon for their comments and text suggestions, and Al - Morton for the good discussion and pointers to earlier related work - in IPPM WG. + We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John + Mattsson, and Steve Baillargeon for their comments and text + suggestions. Al Morton deserves a special mention for his text + contributions and the good discussion and pointers to earlier related + work in IPPM WG. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005. @@ -506,34 +510,35 @@ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)", RFC 6023, October 2010. Authors' Addresses + Kostas Pentikousis (editor) EICT GmbH EUREF-Campus Haus 13 Torgauer Strasse 12-15 10829 Berlin Germany Email: k.pentikousis@eict.de - Yang Cui - Huawei Technologies - Otemachi First Square 1-5-1 Otemachi - Chiyoda-ku, Tokyo 100-0004 - Japan - - Email: cuiyang@huawei.com - Emma Zhang Huawei Technologies Huawei Building, Q20, No.156, Rd. BeiQing Haidian District , Beijing 100095 P. R. China Email: emma.zhanglijia@huawei.com + + Yang Cui + Huawei Technologies + Otemachi First Square 1-5-1 Otemachi + Chiyoda-ku, Tokyo 100-0004 + Japan + + Email: cuiyang@huawei.com