--- 1/draft-ietf-ippm-ipsec-07.txt 2015-01-26 04:16:12.006317301 -0800 +++ 2/draft-ietf-ippm-ipsec-08.txt 2015-01-26 04:16:12.038318074 -0800 @@ -1,32 +1,32 @@ IPPM WG K. Pentikousis, Ed. Internet-Draft EICT Intended status: Standards Track E. Zhang -Expires: June 30, 2015 Y. Cui +Expires: July 30, 2015 Y. Cui Huawei Technologies - December 27, 2014 + January 26, 2015 IKEv2-based Shared Secret Key for O/TWAMP - draft-ietf-ippm-ipsec-07 + draft-ietf-ippm-ipsec-08 Abstract The O/TWAMP security mechanism requires that both the client and server endpoints possess a shared secret. Since the currently- standardized O/TWAMP security mechanism only supports a pre-shared key mode, large scale deployment of O/TWAMP is hindered significantly. At the same time, recent trends point to wider IKEv2 deployment which, in turn, calls for mechanisms and methods that enable tunnel end-users, as well as operators, to measure one-way and two-way network performance in a standardized manner. This document - discusses the use of keys derived from an IKEv2 SA as the shared key + describes the use of keys derived from an IKEv2 SA as the shared key in O/TWAMP. If the shared key can be derived from the IKEv2 SA, O/ TWAMP can support certificate-based key exchange, which would allow for more operational flexibility and efficiency. The key derivation presented in this document can also facilitate automatic key management. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. @@ -34,146 +34,145 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 30, 2015. + This Internet-Draft will expire on July 30, 2015. Copyright Notice - Copyright (c) 2014 IETF Trust and the persons identified as the + Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 - 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 + 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 - 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 10 + 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 - 9.2. Informative References . . . . . . . . . . . . . . . . . 13 + 9.2. Informative References . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to - measure network performance parameters, such as latency, bandwidth, + measure network performance parameters such as latency, bandwidth, and packet loss by sending probe packets and monitoring their experience in the network. In order to guarantee the accuracy of network measurement results, security aspects must be considered. Otherwise, attacks may occur and the authenticity of the measurement results may be violated. For example, if no protection is provided, an adversary in the middle may modify packet timestamps, thus altering the measurement results. The currently-standardized O/TWAMP security mechanism [RFC4656] [RFC5357] requires that endpoints (i.e. both the client and the server) possess a shared secret. In today's network deployments, however, the use of pre-shared keys is far from optimal. For example, in wireless infrastructure networks, certain network elements, which can be seen as the two endpoints from an O/TWAMP perspective, support certificate-based security. For instance, consider the case in which one wants to measure IP performance - between an eNB and SeGW. Both eNB and SeGW are 3GPP LTE nodes and + between an eNB and SeGW. Both eNB and SeGW are 3GPP/LTE nodes and support certificate mode and IKEv2. Since the currently standardized - O/TWAMP security mechanism only supports pre-shared key mode, large - scale deployment of O/TWAMP is hindered significantly. Furthermore, - deployment and management of "shared secrets" for massive equipment - installation consumes a tremendous amount of effort and is prone to - human error. + O/TWAMP security mechanism only supports the pre-shared key mode, + large scale deployment of O/TWAMP is hindered significantly. + Furthermore, deployment and management of "shared secrets" for + massive equipment installation consumes a tremendous amount of effort + and is prone to human error. With IKEv2 widely used, employing keys derived from IKEv2 SA as shared key can be considered as a viable alternative. In mobile telecommunication networks, the deployment rate of IPsec exceeds 95% with respect to the LTE serving network. In older-technology cellular networks, such as UMTS and GSM, IPsec use penetration is lower, but still quite significant. If the shared key can be derived from the IKEv2 SA, O/TWAMP can support cert-based key exchange and - make it more flexible in practice and more efficient. The use of - IKEv2 also makes it easier to extend automatic key management. In - general, O/TWAMP measurement packets can be transmitted inside the - IPsec tunnel, as it occurs with typical user traffic, or transmitted + practically increase flexibility and efficiency. The use of IKEv2 + also makes it easier to extend automatic key management. In general, + O/TWAMP measurement packets can be transmitted inside the IPsec + tunnel, as it occurs with typical user traffic, or transmitted outside the IPsec tunnel. This may depend on the operator's policy and is orthogonal to the mechanism described in this document. When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated mode using IPsec is one option. Another option is to protect O/TWAMP traffic using O/TWAMP layer security established using the PSK derived from IKEv2 but bypassing the IPsec tunnel. Protecting unauthenticated O/TWAMP control and/or test traffic via AH or ESP cannot provide various security options, e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring - latency, timestamp is carried in O/TWAMP traffic. The sender has to - fetch the timestamp, encrypt it, and send it. In this case, the + latency, the timestamp is carried in O/TWAMP traffic. The sender has + to fetch the timestamp, encrypt it, and send it. In this case, the middle step can be skipped, potentially improving accuracy as the sequence number can be encrypted and authenticated before the timestamp is fetched. It is the same case for the receiver since it can obtain the timestamp by skipping the decryption step. In such cases, protecting O/TWAMP traffic using O/TWAMP layer security but - bypassing IPsec tunnel has its advantages. This document describes - how to derive the shared secret key from the IKEv2 SA and employ the - security service at the O/TWAMP layer. This method SHOULD be used - when O/TWAMP traffic is bypassing IPsec protection and is running - over an external network exactly between two IKEv2 systems. + bypassing the IPsec tunnel has its advantages. + + This document specifies a method for enabling network measurements + between a TWAMP client and a TWAMP server which both support IPsec. + In short, the shared key used for securing TWAMP traffic is derived + using IKEv2 [RFC7296]. This method SHOULD be used when O/TWAMP + traffic is bypassing IPsec protection and is running over an external + network exactly between two IKEv2 systems. After clarifying the terminology and scope in the subsequent sections, the remainder of this document is organized as follows. Section 4 summarizes O/TWAMP protocol operation with respect to security. Section 5 presents the method for binding TWAMP and IKEv2 for network measurements between the client and the server which both support IKEv2. Finally, Section 6 discusses the security considerations arising from the proposed mechanisms. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Scope and Applicability - This document specifies a method for enabling network measurements - between a TWAMP client and a TWAMP server which both support IPsec. - In short, the shared key used for securing TWAMP traffic is derived - using IKEv2 [RFC7296]. This document reserves from the TWAMP-Modes - registry the Mode value IKEv2Derived which is equal to 128 (i.e. bit - set in position 7) [NOTE to IANA: remove before allocation and final - publication] and MUST be used by TWAMP implementations compatible - with this specification. + This document reserves from the TWAMP-Modes registry the Mode value + IKEv2Derived which is equal to 128 (i.e. bit set in position 7) [NOTE + to IANA: remove before allocation and final publication] and MUST be + used by TWAMP implementations compatible with this specification. Although the control procedures described in this document are applicable to OWAMP per se, the lack of an established IANA registry for OWAMP Mode values technically prevents us from extending OWAMP Mode values. Therefore, independent OWAMP implementations SHOULD be checked for full compatibility with respect to the use of this Mode value. Until an IANA registry for OWAMP Mode values is established, the use this feature in OWAMP implementations MUST be arranged privately among consenting OWAMP users. @@ -307,24 +305,24 @@ key MUST be derived from the IKEv2 Security Association (SA). Note that we explicitly opt to derive the shared secret key from the IKEv2 SA, rather than the child SA, since the use case whereby an IKEv2 SA can be created without generating any child SA is possible [RFC6023]. When the shared secret key is derived from the IKEv2 SA, SK_d must be generated first. SK_d MUST be computed as per [RFC7296]. The shared secret key MUST be generated as follows: - Shared secret key = PRF( SK_d, "IPPM" ) + Shared secret key = prf( SK_d, "IPPM" ) - Wherein the string "IPPM" comprises four ASCII characters and prf is - a pseudorandom function. It is recommended that the shared secret + Wherein the string "IPPM" comprises four ASCII characters and "prf" + is a pseudorandom function. It is recommended that the shared secret key is derived in the IPsec layer. This way, the IPsec keying material is not exposed to the O/TWAMP client. Note, however, that the interaction between the O/TWAMP and IPsec layers is host-internal and implementation-specific. Therefore, this is clearly outside the scope of this document, which focuses on the interaction between the O/TWAMP client and server. That said, one possible way could be the following: at the client side, the IPSec layer can perform a lookup in the Security Association Database (SAD) using the IP address of the server and thus match the corresponding IKEv2 SA. At the server side, the IPSec layer can look up the corresponding IKEv2 SA by using @@ -339,22 +337,22 @@ Again, although both alternatives are feasible, they are in fact implementation-specific. If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the corresponding shared secret key generated from the SA can continue to be used until the O/TWAMP session terminates. 5.2. Server Greeting Message Update To achieve a binding association between the key generated from IKEv2 - and the O/TWAMP shared secret key, Server Greeting Message should be - updated as in Figure 2. + and the O/TWAMP shared secret key, Server Greeting Message should + include these extensions, as in Figure 2. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Unused (12 octets) | | | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Modes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -493,21 +491,22 @@ -------------------------------------------------------- 128 IKEv2 Derived This memo, Section 5.2 Mode Capability new bit position 7 Figure 4: IKEv2 Modes Capability 8. Acknowledgments We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John Mattsson, and Steve Baillargeon for their comments and text - suggestions. + suggestions. We also thank Spencer Dawkins for his AD evaluation of + this document. Al Morton deserves a special mention for his thorough reviews and text contributions to this document as well as the constructive discussions over several IPPM meetings. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate