--- 1/draft-ietf-ippm-ipsec-08.txt 2015-02-11 09:14:52.571227534 -0800 +++ 2/draft-ietf-ippm-ipsec-09.txt 2015-02-11 09:14:52.603228317 -0800 @@ -1,54 +1,56 @@ IPPM WG K. Pentikousis, Ed. Internet-Draft EICT Intended status: Standards Track E. Zhang -Expires: July 30, 2015 Y. Cui +Expires: August 15, 2015 Y. Cui Huawei Technologies - January 26, 2015 + February 11, 2015 IKEv2-based Shared Secret Key for O/TWAMP - draft-ietf-ippm-ipsec-08 + draft-ietf-ippm-ipsec-09 Abstract - The O/TWAMP security mechanism requires that both the client and - server endpoints possess a shared secret. Since the currently- - standardized O/TWAMP security mechanism only supports a pre-shared - key mode, large scale deployment of O/TWAMP is hindered - significantly. At the same time, recent trends point to wider IKEv2 - deployment which, in turn, calls for mechanisms and methods that - enable tunnel end-users, as well as operators, to measure one-way and - two- way network performance in a standardized manner. This document - describes the use of keys derived from an IKEv2 SA as the shared key - in O/TWAMP. If the shared key can be derived from the IKEv2 SA, O/ - TWAMP can support certificate-based key exchange, which would allow - for more operational flexibility and efficiency. The key derivation - presented in this document can also facilitate automatic key - management. + The One-way Active Measurement Protocol (OWAMP) and Two-Way Active + Measurement Protocol (TWAMP) security mechanism require that both the + client and server endpoints possess a shared secret. Since the + currently-standardized O/TWAMP security mechanism only supports a + pre-shared key mode, large scale deployment of O/TWAMP is hindered + significantly. At the same time, recent trends point to wider + Internet Key Exchange Protocol Version 2 (IKEv2) deployment which, in + turn, calls for mechanisms and methods that enable tunnel end-users, + as well as operators, to measure one-way and two- way network + performance in a standardized manner. This document describes the + use of keys derived from an IKEv2 security association (SA) as the + shared key in O/TWAMP. If the shared key can be derived from the + IKEv2 SA, O/TWAMP can support certificate-based key exchange, which + would allow for more operational flexibility and efficiency. The key + derivation presented in this document can also facilitate automatic + key management. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 30, 2015. + This Internet-Draft will expire on August 15, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -57,31 +59,31 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 - 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 + 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 - 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 + 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 10 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to measure network performance parameters such as latency, bandwidth, @@ -94,85 +96,90 @@ altering the measurement results. The currently-standardized O/TWAMP security mechanism [RFC4656] [RFC5357] requires that endpoints (i.e. both the client and the server) possess a shared secret. In today's network deployments, however, the use of pre-shared keys is far from optimal. For example, in wireless infrastructure networks, certain network elements, which can be seen as the two endpoints from an O/TWAMP perspective, support certificate-based security. For instance, consider the case in which one wants to measure IP performance - between an eNB and SeGW. Both eNB and SeGW are 3GPP/LTE nodes and - support certificate mode and IKEv2. Since the currently standardized - O/TWAMP security mechanism only supports the pre-shared key mode, - large scale deployment of O/TWAMP is hindered significantly. - Furthermore, deployment and management of "shared secrets" for - massive equipment installation consumes a tremendous amount of effort - and is prone to human error. + between a E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW). + Both eNB and SeGW are 3GPP Long Term Evolution (LTE) nodes and + support certificate mode and the Internet Key Exchange Protocol + Version 2 (IKEv2). Since the currently standardized O/TWAMP security + mechanism only supports pre-shared key mode, large scale deployment + of O/TWAMP is hindered significantly. Furthermore, deployment and + management of "shared secrets" for massive equipment installation + consumes a tremendous amount of effort and is prone to human error. - With IKEv2 widely used, employing keys derived from IKEv2 SA as - shared key can be considered as a viable alternative. In mobile - telecommunication networks, the deployment rate of IPsec exceeds 95% - with respect to the LTE serving network. In older-technology - cellular networks, such as UMTS and GSM, IPsec use penetration is - lower, but still quite significant. If the shared key can be derived - from the IKEv2 SA, O/TWAMP can support cert-based key exchange and - practically increase flexibility and efficiency. The use of IKEv2 - also makes it easier to extend automatic key management. In general, - O/TWAMP measurement packets can be transmitted inside the IPsec - tunnel, as it occurs with typical user traffic, or transmitted - outside the IPsec tunnel. This may depend on the operator's policy - and is orthogonal to the mechanism described in this document. + With IKEv2 widely used, employing keys derived from IKEv2 security + association (SA) as shared key can be considered as a viable + alternative. In mobile telecommunication networks, the deployment + rate of IPsec exceeds 95% with respect to the LTE serving network. + In older-technology cellular networks, such as UMTS and GSM, IPsec + use penetration is lower, but still quite significant. If the shared + key can be derived from the IKEv2 SA, O/TWAMP can support cert-based + key exchange and practically increase operational flexibility and + efficiency. The use of IKEv2 also makes it easier to extend + automatic key management. In general, O/TWAMP measurement packets + can be transmitted inside the IPsec tunnel, as it occurs with typical + user traffic, or transmitted outside the IPsec tunnel. This may + depend on the operator's policy and is orthogonal to the mechanism + described in this document. When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated mode using IPsec is one option. Another option is to protect O/TWAMP traffic using O/TWAMP layer security established using the PSK derived from IKEv2 but bypassing the IPsec tunnel. Protecting - unauthenticated O/TWAMP control and/or test traffic via AH or ESP - cannot provide various security options, e.g. it cannot authenticate - part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring - latency, the timestamp is carried in O/TWAMP traffic. The sender has - to fetch the timestamp, encrypt it, and send it. In this case, the - middle step can be skipped, potentially improving accuracy as the - sequence number can be encrypted and authenticated before the - timestamp is fetched. It is the same case for the receiver since it - can obtain the timestamp by skipping the decryption step. In such - cases, protecting O/TWAMP traffic using O/TWAMP layer security but - bypassing the IPsec tunnel has its advantages. + unauthenticated O/TWAMP control and/or test traffic via + Authentication Header (AH) [RFC4302] or Encapsulating Security + Payload (ESP) [RFC4303] cannot provide various security options, + e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in + [RFC4656]. For measuring latency, timestamp is carried in O/TWAMP + traffic. The sender has to fetch the timestamp, encrypt it, and send + it. In this case, the middle step can be skipped, potentially + improving accuracy as the sequence number can be encrypted and + authenticated before the timestamp is fetched. It is the same case + for the receiver since it can obtain the timestamp by skipping the + decryption step. In such cases, protecting O/TWAMP traffic using O/ + TWAMP layer security but bypassing IPsec tunnel has its advantages. This document specifies a method for enabling network measurements - between a TWAMP client and a TWAMP server which both support IPsec. + between a TWAMP client and a TWAMP server, as discussed in Section 3. In short, the shared key used for securing TWAMP traffic is derived - using IKEv2 [RFC7296]. This method SHOULD be used when O/TWAMP - traffic is bypassing IPsec protection and is running over an external - network exactly between two IKEv2 systems. + using IKEv2 [RFC7296]. From an operations and management perspective + [RFC5706], the mechanism described in this document requires that + both the TWAMP client and server support IPsec. This method SHOULD + be used when O/TWAMP traffic is bypassing IPsec protection and is + running over an external network exactly between two IKEv2 systems. After clarifying the terminology and scope in the subsequent sections, the remainder of this document is organized as follows. Section 4 summarizes O/TWAMP protocol operation with respect to security. Section 5 presents the method for binding TWAMP and IKEv2 for network measurements between the client and the server which both support IKEv2. Finally, Section 6 discusses the security considerations arising from the proposed mechanisms. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Scope and Applicability This document reserves from the TWAMP-Modes registry the Mode value - IKEv2Derived which is equal to 128 (i.e. bit set in position 7) [NOTE - to IANA: remove before allocation and final publication] and MUST be - used by TWAMP implementations compatible with this specification. + IKEv2Derived which is equal to 128 (i.e. bit set in position 7) and + MUST be used by TWAMP implementations compatible with this + specification. Although the control procedures described in this document are applicable to OWAMP per se, the lack of an established IANA registry for OWAMP Mode values technically prevents us from extending OWAMP Mode values. Therefore, independent OWAMP implementations SHOULD be checked for full compatibility with respect to the use of this Mode value. Until an IANA registry for OWAMP Mode values is established, the use this feature in OWAMP implementations MUST be arranged privately among consenting OWAMP users. @@ -203,25 +211,25 @@ parameters are negotiated during the control connection establishment. Figure 1 illustrates the initiation stage of the O/TWAMP-Control protocol between a client and the server. In short, the client opens a TCP connection to the server in order to be able to send O/TWAMP- Control commands. The server responds with a Server Greeting, which contains the Modes, Challenge, Salt, Count, and MBZ fields (see Section 3.1 of [RFC4656]). If the client-preferred mode is available, the client responds with a Set-Up- Response message, - wherein the selected Mode, as well as the KeyID, Token and Client IV - are included. The Token is the concatenation of a 16-octet - Challenge, a 16-octet AES Session-key used for encryption, and a - 32-octet HMAC-SHA1 Session-key used for authentication. The Token is - encrypted using AES-CBC. + wherein the selected Mode, as well as the KeyID, Token and Client + initialization vector (IV) are included. The Token is the + concatenation of a 16-octet Challenge, a 16-octet AES Session-key + used for encryption, and a 32-octet HMAC-SHA1 Session-key used for + authentication. The Token is encrypted using AES-CBC. +--------+ +--------+ | Client | | Server | +--------+ +--------+ | | |<---- TCP Connection ----->| | | |<---- Greeting message ----| | | |----- Set-Up-Response ---->| @@ -374,22 +382,21 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: Server Greeting format The Modes field in Figure 2 will need to allow for support of key derivation as discussed in Section 5.1. As such, the Modes value extension MUST be supported by implementations compatible with this document, indicating support for deriving the shared key from the IKEv2 SA. The new Modes value indicating support for this specification is IKEv2Derived and is equal to 128 (i.e. bit set in - position 7) [NOTE to IANA: remove before allocation and final - publication]. Clearly, an implementation compatible with this + position 7). Clearly, an implementation compatible with this specification MUST support the authenticated, encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618]. The choice of this set of Modes values poses no backwards compatibility problems to existing O/TWAMP clients. Robust legacy client implementations would disregard the fact that the IKEv2Derived Modes bit in the Server Greeting is set. On the other hand, a client compatible with this specification can easily identify that the O/ TWAMP server contacted does not support this specification. If the server supports other Modes, as one could assume, the client would @@ -399,21 +406,21 @@ purely [RFC4656]/[RFC5357] compatible client. 5.3. Set-Up-Response Update The Set-Up-Response Message should be updated as in Figure 3. When a O/TWAMP client compatible with this specification receives a Server Greeting indicating support for Mode IKEv2Derived it SHOULD reply to the O/TWAMP server with a Set-Up response that indicates so. For example, a compatible O/TWAMP client choosing the authenticated mode with IKEv2 shared secret key derivation should set Mode to 130, i.e. - set the bits in positions 1 and 7 (TBD IANA) to one. + set the bits in positions 1 and 7 to one. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mode | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Key ID (80 octets) | | | | | @@ -429,84 +436,78 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: Set-Up-Response Message The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can uniquely identify the Security Association (SA). If the client supports the derivation of shared secret key from IKEv2 SA, it will choose the corresponding mode value and carry SPIi and SPIr in the Key ID field. SPIi and SPIr MUST be included in the Key ID field of Set-Up-Response Message to indicate the IKEv2 SA from which the O/ - TWAMP shared secret key derived from. The length of SPI is 4 octets. - Therefore, the first 4 octets of Key ID field MUST carry SPIi and the - second 4 octets MUST carry SPIr. The remaining bits of the Key ID + TWAMP shared secret key derived from. The length of SPI is 8 octets. + Therefore, the first 8 octets of Key ID field MUST carry SPIi and the + second 8 octets MUST carry SPIr. The remaining bits of the Key ID field MUST set to zero. A O/TWAMP server which supports the specification of this document, - MUST obtain the SPIi and SPIr from the first 8 octets and ignore the + MUST obtain the SPIi and SPIr from the first 16 octets and ignore the remaining octets of the Key ID field. Then, the client and the server can derive the shared secret key based on the mode value and SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to the SPIi and SPIr received, it MUST log the event for operational management purposes. In addition, the O/TWAMP server SHOULD set the Accept field of the Server-Start message to the value 6 to indicate that server is not willing to conduct further transactions in this O/ TWAMP-Control session since it can not find the corresponding IKEv2 SA. 5.4. O/TWAMP over an IPsec tunnel - IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and - data integrity to IP datagrams. Thus an IPsec tunnel can be used to - provide the protection needed for O/TWAMP Control and Test packets, - even if the peers choose the unauthenticated mode of operation. If - the two endpoints are already connected through an IPSec tunnel it is - RECOMMENDED that the O/TWAMP measurement packets are forwarded over - the IPSec tunnel if the peers choose the unauthenticated mode in - order to ensure authenticity and security. + IPsec Authentication Header (AH) [RFC4302] and Encapsulating Security + Payload (ESP) [RFC4303] provide confidentiality and data integrity to + IP datagrams. An IPsec tunnel can be used to provide the protection + needed for O/TWAMP Control and Test packets, even if the peers choose + the unauthenticated mode of operation. In order to ensure + authenticity and security, the IPsec tunnel SHOULD be configured to + include O/TWAMP measurement packets even when using the + unauthenticated mode. 6. Security Considerations As the shared secret key is derived from the IKEv2 SA, the key derivation algorithm strength and limitations are as per [RFC7296]. The strength of a key derived from a Diffie-Hellman exchange using any of the groups defined here depends on the inherent strength of the group, the size of the exponent used, and the entropy provided by the random number generator employed. The strength of all keys and implementation vulnerabilities, particularly Denial of Service (DoS) attacks are as defined in [RFC7296]. - As a more general note, the IPPM community may want to revisit the - arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet - security mechanisms, such as TLS and DTLS, may also be considered for - future use over and above of what is already specified in [RFC4656] - [RFC5357]. - 7. IANA Considerations IANA is requested to allocate the IKEv2Derived Mode bit that is equal to 128 (i.e. bit set in position 7) in the TWAMP-Modes registry. The TWAMP-Modes registry should be augmented as follows: Value Description Semantics Definition -------------------------------------------------------- 128 IKEv2 Derived This memo, Section 5.2 Mode Capability new bit position 7 Figure 4: IKEv2 Modes Capability 8. Acknowledgments We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John - Mattsson, and Steve Baillargeon for their comments and text - suggestions. We also thank Spencer Dawkins for his AD evaluation of - this document. + Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred + Baker, Meral Shirazipour, and Hannes Tschofenig for their reviews, + comments and text suggestions. Al Morton deserves a special mention for his thorough reviews and text contributions to this document as well as the constructive discussions over several IPPM meetings. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate @@ -535,20 +536,24 @@ (IKEv2)", STD 79, RFC 7296, October 2014. 9.2. Informative References [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. + [RFC5706] Harrington, D., "Guidelines for Considering Operations and + Management of New Protocols and Protocol Extensions", RFC + 5706, November 2009. + [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)", RFC 6023, October 2010. Authors' Addresses Kostas Pentikousis (editor) EICT GmbH EUREF-Campus Haus 13