| draft-ietf-ippm-ipsec-05.txt | draft-ietf-ippm-ipsec-06.txt | |||
|---|---|---|---|---|
| IPPM WG K. Pentikousis, Ed. | IPPM WG K. Pentikousis, Ed. | |||
| Internet-Draft EICT | Internet-Draft EICT | |||
| Intended status: Standards Track E. Zhang | Intended status: Standards Track E. Zhang | |||
| Expires: March 23, 2015 Y. Cui | Expires: May 14, 2015 Y. Cui | |||
| Huawei Technologies | Huawei Technologies | |||
| September 19, 2014 | November 10, 2014 | |||
| IKEv2-based Shared Secret Key for O/TWAMP | IKEv2-based Shared Secret Key for O/TWAMP | |||
| draft-ietf-ippm-ipsec-05 | draft-ietf-ippm-ipsec-06 | |||
| Abstract | Abstract | |||
| The O/TWAMP security mechanism requires that both the client and | The O/TWAMP security mechanism requires that both the client and | |||
| server endpoints possess a shared secret. Since the currently- | server endpoints possess a shared secret. Since the currently- | |||
| standardized O/TWAMP security mechanism only supports a pre-shared | standardized O/TWAMP security mechanism only supports a pre-shared | |||
| key mode, large scale deployment of O/TWAMP is hindered | key mode, large scale deployment of O/TWAMP is hindered | |||
| significantly. At the same time, recent trends point to wider IKEv2 | significantly. At the same time, recent trends point to wider IKEv2 | |||
| deployment which, in turn, calls for mechanisms and methods that | deployment which, in turn, calls for mechanisms and methods that | |||
| enable tunnel end-users, as well as operators, to measure one-way and | enable tunnel end-users, as well as operators, to measure one-way and | |||
| skipping to change at page 1, line 45 | skipping to change at page 1, line 45 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 23, 2015. | This Internet-Draft will expire on May 14, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 | 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 | 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 | |||
| 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 | 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 | |||
| 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 | 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 | 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 | 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 | 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 | |||
| 4.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10 | 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 12 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the | The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the | |||
| Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to | Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to | |||
| measure network performance parameters, such as latency, bandwidth, | measure network performance parameters, such as latency, bandwidth, | |||
| and packet loss by sending probe packets and monitoring their | and packet loss by sending probe packets and monitoring their | |||
| experience in the network. In order to guarantee the accuracy of | experience in the network. In order to guarantee the accuracy of | |||
| network measurement results, security aspects must be considered. | network measurement results, security aspects must be considered. | |||
| skipping to change at page 3, line 47 | skipping to change at page 3, line 49 | |||
| traffic using O/TWAMP layer security established using the PSK | traffic using O/TWAMP layer security established using the PSK | |||
| derived from IKEv2 but bypassing the IPsec tunnel. Protecting | derived from IKEv2 but bypassing the IPsec tunnel. Protecting | |||
| unauthenticated O/TWAMP control and/or test traffic via AH or ESP | unauthenticated O/TWAMP control and/or test traffic via AH or ESP | |||
| cannot provide various security options, e.g. it cannot authenticate | cannot provide various security options, e.g. it cannot authenticate | |||
| part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring | part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring | |||
| latency, timestamp is carried in O/TWAMP traffic. The sender has to | latency, timestamp is carried in O/TWAMP traffic. The sender has to | |||
| fetch the timestamp, encrypt it, and send it. In this case, the | fetch the timestamp, encrypt it, and send it. In this case, the | |||
| middle step can be skipped, potentially improving accuracy as the | middle step can be skipped, potentially improving accuracy as the | |||
| sequence number can be encrypted and authenticated before the | sequence number can be encrypted and authenticated before the | |||
| timestamp is fetched. It is the same case for the receiver since it | timestamp is fetched. It is the same case for the receiver since it | |||
| can obtain the timstamp by skipping the decryption step. In such | can obtain the timestamp by skipping the decryption step. In such | |||
| cases, protecting O/TWAMP traffic using O/TWAMP layer security but | cases, protecting O/TWAMP traffic using O/TWAMP layer security but | |||
| bypassing IPsec tunnel has its advantages. This document describes | bypassing IPsec tunnel has its advantages. This document describes | |||
| how to derive the shared secret key from the IKEv2 SA and employ the | how to derive the shared secret key from the IKEv2 SA and employ the | |||
| security service at the O/TWAMP layer. This method SHOULD be used | security service at the O/TWAMP layer. This method SHOULD be used | |||
| when O/TWAMP traffic is bypassing IPsec protection and is running | when O/TWAMP traffic is bypassing IPsec protection and is running | |||
| over an external network exactly between two IKEv2 systems. | over an external network exactly between two IKEv2 systems. | |||
| The remainder of this document is organized as follows. Section 3 | After clarifying the terminology and scope in the subsequent | |||
| summarizes O/TWAMP protocol operation with respect to security. | sections, the remainder of this document is organized as follows. | |||
| Section 4 presents a method of binding O/TWAMP and IKEv2 for network | Section 4 summarizes O/TWAMP protocol operation with respect to | |||
| measurements between the client and the server which both support | security. Section 5 presents the method for binding TWAMP and IKEv2 | |||
| IKEv2. Finally, Section 5 discusses the security considerations | for network measurements between the client and the server which both | |||
| arising from the proposed mechanisms. | support IKEv2. Finally, Section 6 discusses the security | |||
| considerations arising from the proposed mechanisms. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. O/TWAMP Security | 3. Scope and Applicability | |||
| This document specifies a method for enabling network measurements | ||||
| between a TWAMP client and a TWAMP server which both support IPsec. | ||||
| In short, the shared key used for securing TWAMP traffic is derived | ||||
| using IKEv2 [RFC7296]. This document reserves from the TWAMP-Modes | ||||
| registry the Mode value IANA.TBA.TWAMP.IKEv2Derived which MUST be | ||||
| used by TWAMP implementations compatible with this specification. | ||||
| Although the control procedures described in this document are | ||||
| applicable to OWAMP per se, the lack of an established IANA registry | ||||
| for OWAMP Mode values technically prevents us from extending OWAMP | ||||
| Mode values. Therefore, independent OWAMP implementations SHOULD be | ||||
| checked for full compatibility with respect to the use of this Mode | ||||
| value. Until an IANA registry for OWAMP Mode values is established, | ||||
| the use this feature in OWAMP implementations MUST be arranged | ||||
| privately among consenting OWAMP users. | ||||
| 4. O/TWAMP Security | ||||
| Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in | Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in | |||
| the following subsections. | the following subsections. | |||
| 3.1. O/TWAMP-Control Security | 4.1. O/TWAMP-Control Security | |||
| O/TWAMP uses a simple cryptographic protocol which relies on | O/TWAMP uses a simple cryptographic protocol which relies on | |||
| o AES in Cipher Block Chaining (AES-CBC) for confidentiality | o AES in Cipher Block Chaining (AES-CBC) for confidentiality | |||
| o HMAC-SHA1 truncated to 128 bits for message authentication | o HMAC-SHA1 truncated to 128 bits for message authentication | |||
| Three modes of operation are supported in the OWAMP-Control protocol: | Three modes of operation are supported in the OWAMP-Control protocol: | |||
| unauthenticated, authenticated, and encrypted. In addition to these | unauthenticated, authenticated, and encrypted. In addition to these | |||
| modes, the TWAMP-Control protocol also supports a mixed mode, i.e. | modes, the TWAMP-Control protocol also supports a mixed mode, i.e. | |||
| the TWAMP-Control protocol operates in encrypted mode while TWAMP- | the TWAMP-Control protocol operates in encrypted mode while TWAMP- | |||
| Test protocol operates in unauthenticated mode. The authenticated, | Test protocol operates in unauthenticated mode. The authenticated, | |||
| encrypted and mixed modes require that endpoints possess a shared | encrypted and mixed modes require that endpoints possess a shared | |||
| secret, typically a passphrase. The secret key is derived from the | secret, typically a passphrase. The secret key is derived from the | |||
| passphrase using a password-based key derivation function PBKDF2 | passphrase using a password-based key derivation function PBKDF2 | |||
| skipping to change at page 5, line 45 | skipping to change at page 6, line 18 | |||
| with Client- IV as the IV. Correspondingly, the server encrypts its | with Client- IV as the IV. Correspondingly, the server encrypts its | |||
| side of the connection using Server-IV as the IV. The IVs themselves | side of the connection using Server-IV as the IV. The IVs themselves | |||
| are transmitted in cleartext. Encryption starts with the block | are transmitted in cleartext. Encryption starts with the block | |||
| immediately following that containing the IV. | immediately following that containing the IV. | |||
| The AES Session-key and HMAC Session-key are generated randomly by | The AES Session-key and HMAC Session-key are generated randomly by | |||
| the client. The HMAC Session-key is communicated along with the AES | the client. The HMAC Session-key is communicated along with the AES | |||
| Session-key during O/TWAMP-Control connection setup. The HMAC | Session-key during O/TWAMP-Control connection setup. The HMAC | |||
| Session-key is derived independently of the AES Session-key. | Session-key is derived independently of the AES Session-key. | |||
| 3.2. O/TWAMP-Test Security | 4.2. O/TWAMP-Test Security | |||
| The O/TWAMP-Test protocol runs over UDP, using the client and server | The O/TWAMP-Test protocol runs over UDP, using the client and server | |||
| IP and port numbers that were negotiated during the Request-Session | IP and port numbers that were negotiated during the Request-Session | |||
| exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and | exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and | |||
| all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control | all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control | |||
| session mode except when operating in mixed mode. | session mode except when operating in mixed mode. | |||
| The O/TWAMP-Test packet format is the same in authenticated and | The O/TWAMP-Test packet format is the same in authenticated and | |||
| encrypted modes. The encryption and authentication operations are, | encrypted modes. The encryption and authentication operations are, | |||
| however, different. Similarly with the respective O/TWAMP-Control | however, different. Similarly with the respective O/TWAMP-Control | |||
| skipping to change at page 6, line 28 | skipping to change at page 7, line 5 | |||
| the session identifier (SID), which serve as inputs of the | the session identifier (SID), which serve as inputs of the | |||
| key derivation function (KDF). The O/TWAMP-Test AES Session- | key derivation function (KDF). The O/TWAMP-Test AES Session- | |||
| key is generated using the O/TWAMP- Control AES Session-key, | key is generated using the O/TWAMP- Control AES Session-key, | |||
| with the 16-octet session identifier (SID), for encrypting | with the 16-octet session identifier (SID), for encrypting | |||
| and decrypting the packets of the particular O/TWAMP-Test | and decrypting the packets of the particular O/TWAMP-Test | |||
| session. The O/TWAMP-Test HMAC Session-key is generated | session. The O/TWAMP-Test HMAC Session-key is generated | |||
| using the O/TWAMP-Control HMAC Session-key, with the 16-octet | using the O/TWAMP-Control HMAC Session-key, with the 16-octet | |||
| session identifier (SID), for authenticating the packets of | session identifier (SID), for authenticating the packets of | |||
| the particular O/TWAMP-Test session. | the particular O/TWAMP-Test session. | |||
| 3.3. O/TWAMP Security Root | 4.3. O/TWAMP Security Root | |||
| As discussed above, the AES Session-key and HMAC Session-key used by | As discussed above, the AES Session-key and HMAC Session-key used by | |||
| the O/TWAMP-Test protocol are derived from the AES Session-key and | the O/TWAMP-Test protocol are derived from the AES Session-key and | |||
| HMAC Session-key which are used in O/TWAMP-Control protocol. The AES | HMAC Session-key which are used in O/TWAMP-Control protocol. The AES | |||
| Session-key and HMAC Session-key used in the O/TWAMP-Control protocol | Session-key and HMAC Session-key used in the O/TWAMP-Control protocol | |||
| are generated randomly by the client, and encrypted with the shared | are generated randomly by the client, and encrypted with the shared | |||
| secret associated with KeyID. Therefore, the security root is the | secret associated with KeyID. Therefore, the security root is the | |||
| shared secret key. Thus, for large deployments, key provision and | shared secret key. Thus, for large deployments, key provision and | |||
| management may become overly complicated. Comparatively, a | management may become overly complicated. Comparatively, a | |||
| certificate-based approach using IKEv2 can automatically manage the | certificate-based approach using IKEv2 can automatically manage the | |||
| security root and solve this problem, as we explain in Section 4. | security root and solve this problem, as we explain in Section 5. | |||
| 4. O/TWAMP for IPsec Networks | 5. O/TWAMP for IPsec Networks | |||
| This section presents a method of binding O/TWAMP and IKEv2 for | This section presents a method of binding O/TWAMP and IKEv2 for | |||
| network measurements between a client and a server which both support | network measurements between a client and a server which both support | |||
| IPsec. In short, the shared key used for securing O/TWAMP traffic is | IPsec. In short, the shared key used for securing O/TWAMP traffic is | |||
| derived using IKEv2 [RFC5996]. | derived using IKEv2 [RFC7296]. | |||
| 4.1. Shared Key Derivation | 5.1. Shared Key Derivation | |||
| In the authenticated, encrypted and mixed modes, the shared secret | In the authenticated, encrypted and mixed modes, the shared secret | |||
| key MUST be derived from the IKEv2 Security Association (SA). Note | key MUST be derived from the IKEv2 Security Association (SA). Note | |||
| that we explicitly opt to derive the shared secret key from the IKEv2 | that we explicitly opt to derive the shared secret key from the IKEv2 | |||
| SA, rather than the child SA, since the use case whereby an IKEv2 SA | SA, rather than the child SA, since the use case whereby an IKEv2 SA | |||
| can be created without generating any child SA is possible [RFC6023]. | can be created without generating any child SA is possible [RFC6023]. | |||
| When the shared secret key is derived from the IKEv2 SA, SK_d must be | When the shared secret key is derived from the IKEv2 SA, SK_d must be | |||
| generated first. SK_d MUST be computed as per [RFC5996]. | generated first. SK_d MUST be computed as per [RFC7296]. | |||
| The shared secret key MUST be generated as follows: | The shared secret key MUST be generated as follows: | |||
| Shared secret key = PRF( SK_d, "IPPM" ) | Shared secret key = PRF( SK_d, "IPPM" ) | |||
| Wherein the string "IPPM" comprises four ASCII characters and prf is | Wherein the string "IPPM" comprises four ASCII characters and prf is | |||
| a pseudorandom function. It is recommended that the shared secret | a pseudorandom function. It is recommended that the shared secret | |||
| key is derived in the IPsec layer. This way, the IPsec keying | key is derived in the IPsec layer. This way, the IPsec keying | |||
| material is not exposed to the O/TWAMP client. Note, however, that | material is not exposed to the O/TWAMP client. Note, however, that | |||
| the interaction between the O/TWAMP and IPsec layers is host-internal | the interaction between the O/TWAMP and IPsec layers is host-internal | |||
| skipping to change at page 7, line 41 | skipping to change at page 8, line 18 | |||
| Alternatively, the O/TWAMP client does not initiate the establishment | Alternatively, the O/TWAMP client does not initiate the establishment | |||
| of the IKEv2 SA, logs an error for operational management purposes, | of the IKEv2 SA, logs an error for operational management purposes, | |||
| and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. | and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. | |||
| Again, although both alternatives are feasible, they are in fact | Again, although both alternatives are feasible, they are in fact | |||
| implementation-specific. | implementation-specific. | |||
| If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the | If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the | |||
| corresponding shared secret key generated from the SA can continue to | corresponding shared secret key generated from the SA can continue to | |||
| be used until the O/TWAMP session terminates. | be used until the O/TWAMP session terminates. | |||
| 4.2. Server Greeting Message Update | 5.2. Server Greeting Message Update | |||
| To achieve a binding association between the key generated from IKEv2 | To achieve a binding association between the key generated from IKEv2 | |||
| and the O/TWAMP shared secret key, Server Greeting Message should be | and the O/TWAMP shared secret key, Server Greeting Message should be | |||
| updated as in Figure 2. | updated as in Figure 2. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| | Unused (12 octets) | | | Unused (12 octets) | | |||
| skipping to change at page 8, line 34 | skipping to change at page 9, line 6 | |||
| | Count (4 octets) | | | Count (4 octets) | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| | MBZ (12 octets) | | | MBZ (12 octets) | | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: Server Greeting format | Figure 2: Server Greeting format | |||
| The Modes field in Figure 2 will need to allow for support of key | The Modes field in Figure 2 will need to allow for support of key | |||
| derivation as discussed in Section 4.1. As such, the Modes value | derivation as discussed in Section 5.1. As such, the Modes value | |||
| extension MUST be supported by implementations compatible with this | extension MUST be supported by implementations compatible with this | |||
| document, indicating support for deriving the shared key from the | document, indicating support for deriving the shared key from the | |||
| IKEv2 SA. The new Modes value indicating support for this | IKEv2 SA. The new Modes value indicating support for this | |||
| specification is IANA.TBA.TWAMP.IKEv2Derived (note to IANA: 128 is | specification is IANA.TBA.TWAMP.IKEv2Derived (note to IANA: 128 is | |||
| preferred, i.e. bit in position 7). Clearly, an implementation | preferred, i.e. bit in position 7). Clearly, an implementation | |||
| compatible with this specification MUST support the authenticated, | compatible with this specification MUST support the authenticated, | |||
| encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618]. | encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618]. | |||
| The choice of this set of Modes values poses no backwards | The choice of this set of Modes values poses no backwards | |||
| compatibility problems to existing O/TWAMP clients. Robust legacy | compatibility problems to existing O/TWAMP clients. Robust legacy | |||
| client implementations would disregard the fact that the | client implementations would disregard the fact that the | |||
| IANA.TBA.TWAMP.IKEv2Derived Modes bit in the Server Greeting is set. | IANA.TBA.TWAMP.IKEv2Derived Modes bit in the Server Greeting is set. | |||
| On the other hand, a client compatible with this specification can | On the other hand, a client compatible with this specification can | |||
| easily identify that the O/TWAMP server contacted does not support | easily identify that the O/TWAMP server contacted does not support | |||
| this specification. If the server supports other Modes, as one could | this specification. If the server supports other Modes, as one could | |||
| assume, the client would then decide which Mode to use and indicate | assume, the client would then decide which Mode to use and indicate | |||
| such accordingly as per [RFC4656][RFC5357]. A client compatible with | such accordingly as per [RFC4656][RFC5357]. A client compatible with | |||
| this specification which decides not to employ IKEv2 derivation, can | this specification which decides not to employ IKEv2 derivation, can | |||
| simply behave as a purely [RFC4656]/[RFC5357] compatible client. | simply behave as a purely [RFC4656]/[RFC5357] compatible client. | |||
| 4.3. Set-Up-Response Update | 5.3. Set-Up-Response Update | |||
| The Set-Up-Response Message should be updated as in Figure 3. When a | The Set-Up-Response Message should be updated as in Figure 3. When a | |||
| O/TWAMP client compatible with this specification receives a Server | O/TWAMP client compatible with this specification receives a Server | |||
| Greeting indicating support for Mode IANA.TBA.TWAMP.IKEv2Derived it | Greeting indicating support for Mode IANA.TBA.TWAMP.IKEv2Derived it | |||
| SHOULD reply to the O/TWAMP server with a Set-Up response that | SHOULD reply to the O/TWAMP server with a Set-Up response that | |||
| indicates so. For example, a compatible O/TWAMP client choosing the | indicates so. For example, a compatible O/TWAMP client choosing the | |||
| authenticated mode with IKEv2 shared secret key derivation should set | authenticated mode with IKEv2 shared secret key derivation should set | |||
| Mode to 130, i.e. set the bits in positions 1 and 7 (TBD IANA) to | Mode to 130, i.e. set the bits in positions 1 and 7 (TBD IANA) to | |||
| one. | one. | |||
| skipping to change at page 9, line 40 | skipping to change at page 10, line 27 | |||
| | | | | | | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| | Client-IV (12 octets) | | | Client-IV (12 octets) | | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 3: Set-Up-Response Message | Figure 3: Set-Up-Response Message | |||
| The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can | The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can | |||
| uniquely identify the Security Association (SA). If the client | uniquely identify the Security Association (SA). If the client | |||
| supports the derivation of shared secret key from IKEv2 SA, it will | supports the derivation of shared secret key from IKEv2 SA, it will | |||
| choose the corresponding mode value and carry SPIi and SPIr in the | choose the corresponding mode value and carry SPIi and SPIr in the | |||
| Key ID field. SPIi and SPIr MUST be included in the Key ID field of | Key ID field. SPIi and SPIr MUST be included in the Key ID field of | |||
| Set-Up-Response Message to indicate the IKEv2 SA from which the O/ | Set-Up-Response Message to indicate the IKEv2 SA from which the O/ | |||
| TWAMP shared secret key derived from. The length of SPI is 4 octets. | TWAMP shared secret key derived from. The length of SPI is 4 octets. | |||
| Therefore, the first 4 octets of Key ID field MUST carry SPIi and the | Therefore, the first 4 octets of Key ID field MUST carry SPIi and the | |||
| second 4 octets MUST carry SPIr. The remaining bits of the Key ID | second 4 octets MUST carry SPIr. The remaining bits of the Key ID | |||
| field MUST set to zero. | field MUST set to zero. | |||
| skipping to change at page 10, line 17 | skipping to change at page 11, line 5 | |||
| remaining octets of the Key ID field. Then, the client and the | remaining octets of the Key ID field. Then, the client and the | |||
| server can derive the shared secret key based on the mode value and | server can derive the shared secret key based on the mode value and | |||
| SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to | SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to | |||
| the SPIi and SPIr received, it MUST log the event for operational | the SPIi and SPIr received, it MUST log the event for operational | |||
| management purposes. In addition, the O/TWAMP server SHOULD set the | management purposes. In addition, the O/TWAMP server SHOULD set the | |||
| Accept field of the Server-Start message to the value 6 to indicate | Accept field of the Server-Start message to the value 6 to indicate | |||
| that server is not willing to conduct further transactions in this O/ | that server is not willing to conduct further transactions in this O/ | |||
| TWAMP-Control session since it can not find the corresponding IKEv2 | TWAMP-Control session since it can not find the corresponding IKEv2 | |||
| SA. | SA. | |||
| 4.4. O/TWAMP over an IPsec tunnel | 5.4. O/TWAMP over an IPsec tunnel | |||
| IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and | IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and | |||
| data integrity to IP datagrams. Thus an IPsec tunnel can be used to | data integrity to IP datagrams. Thus an IPsec tunnel can be used to | |||
| provide the protection needed for O/TWAMP Control and Test packets, | provide the protection needed for O/TWAMP Control and Test packets, | |||
| even if the peers choose the unauthenticated mode of operation. If | even if the peers choose the unauthenticated mode of operation. If | |||
| the two endpoints are already connected through an IPSec tunnel it is | the two endpoints are already connected through an IPSec tunnel it is | |||
| RECOMMENDED that the O/TWAMP measurement packets are forwarded over | RECOMMENDED that the O/TWAMP measurement packets are forwarded over | |||
| the IPSec tunnel if the peers choose the unauthenticated mode in | the IPSec tunnel if the peers choose the unauthenticated mode in | |||
| order to ensure authenticity and security. | order to ensure authenticity and security. | |||
| 5. Security Considerations | 6. Security Considerations | |||
| As the shared secret key is derived from the IKEv2 SA, the key | As the shared secret key is derived from the IKEv2 SA, the key | |||
| derivation algorithm strength and limitations are as per [RFC5996]. | derivation algorithm strength and limitations are as per [RFC7296]. | |||
| The strength of a key derived from a Diffie-Hellman exchange using | The strength of a key derived from a Diffie-Hellman exchange using | |||
| any of the groups defined here depends on the inherent strength of | any of the groups defined here depends on the inherent strength of | |||
| the group, the size of the exponent used, and the entropy provided by | the group, the size of the exponent used, and the entropy provided by | |||
| the random number generator employed. The strength of all keys and | the random number generator employed. The strength of all keys and | |||
| implementation vulnerabilities, particularly Denial of Service (DoS) | implementation vulnerabilities, particularly Denial of Service (DoS) | |||
| attacks are as defined in [RFC5996]. | attacks are as defined in [RFC7296]. | |||
| As a more general note, the IPPM community may want to revisit the | As a more general note, the IPPM community may want to revisit the | |||
| arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet | arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet | |||
| security mechanisms, such as TLS and DTLS, may also be considered for | security mechanisms, such as TLS and DTLS, may also be considered for | |||
| future use over and above of what is already specified in [RFC4656] | future use over and above of what is already specified in [RFC4656] | |||
| [RFC5357]. | [RFC5357]. | |||
| 6. IANA Considerations | 7. IANA Considerations | |||
| IANA is requested to allocate the IANA.TBA.TWAMP.IKEv2Derived Modes | IANA is requested to allocate the IANA.TBA.TWAMP.IKEv2Derived Modes | |||
| value in the TWAMP-Modes registry. | value in the TWAMP-Modes registry. | |||
| 7. Acknowledgments | 8. Acknowledgments | |||
| We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John | We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John | |||
| Mattsson, and Steve Baillargeon for their comments and text | Mattsson, and Steve Baillargeon for their comments and text | |||
| suggestions. Al Morton deserves a special mention for his text | suggestions. | |||
| contributions and the good discussion and pointers to earlier related | ||||
| work in IPPM WG. | ||||
| 8. References | Al Morton deserves a special mention for his thorough reviews and | |||
| text contributions to this document as well as the constructive | ||||
| discussions over several IPPM meetings. | ||||
| 8.1. Normative References | 9. References | |||
| 9.1. Normative References | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | |||
| 2005. | 2005. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | |||
| 4303, December 2005. | 4303, December 2005. | |||
| skipping to change at page 11, line 38 | skipping to change at page 12, line 27 | |||
| (OWAMP)", RFC 4656, September 2006. | (OWAMP)", RFC 4656, September 2006. | |||
| [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. | [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. | |||
| Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", | Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", | |||
| RFC 5357, October 2008. | RFC 5357, October 2008. | |||
| [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the | [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the | |||
| Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, | Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, | |||
| August 2009. | August 2009. | |||
| [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| 5996, September 2010. | (IKEv2)", STD 79, RFC 7296, October 2014. | |||
| 8.2. Informative References | 9.2. Informative References | |||
| [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography | [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography | |||
| Specification Version 2.0", RFC 2898, September 2000. | Specification Version 2.0", RFC 2898, September 2000. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A | [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A | |||
| Childless Initiation of the Internet Key Exchange Version | Childless Initiation of the Internet Key Exchange Version | |||
| 2 (IKEv2) Security Association (SA)", RFC 6023, October | 2 (IKEv2) Security Association (SA)", RFC 6023, October | |||
| End of changes. 32 change blocks. | ||||
| 55 lines changed or deleted | 75 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||