draft-ietf-ippm-ipsec-09.txt   draft-ietf-ippm-ipsec-10.txt 
IPPM WG K. Pentikousis, Ed. IPPM WG K. Pentikousis, Ed.
Internet-Draft EICT Internet-Draft EICT
Intended status: Standards Track E. Zhang Intended status: Standards Track E. Zhang
Expires: August 15, 2015 Y. Cui Expires: November 30, 2015 Y. Cui
Huawei Technologies Huawei Technologies
February 11, 2015 May 29, 2015
IKEv2-based Shared Secret Key for O/TWAMP IKEv2-derived Shared Secret Key for O/TWAMP
draft-ietf-ippm-ipsec-09 draft-ietf-ippm-ipsec-10
Abstract Abstract
The One-way Active Measurement Protocol (OWAMP) and Two-Way Active The One-way Active Measurement Protocol (OWAMP) and Two-Way Active
Measurement Protocol (TWAMP) security mechanism require that both the Measurement Protocol (TWAMP) security mechanisms require that both
client and server endpoints possess a shared secret. Since the the client and server endpoints possess a shared secret. This
currently-standardized O/TWAMP security mechanism only supports a document describes the use of keys derived from an IKEv2 security
pre-shared key mode, large scale deployment of O/TWAMP is hindered association (SA) as the shared key in O/TWAMP. If the shared key can
significantly. At the same time, recent trends point to wider be derived from the IKEv2 SA, O/TWAMP can support certificate-based
Internet Key Exchange Protocol Version 2 (IKEv2) deployment which, in key exchange, which would allow for more operational flexibility and
turn, calls for mechanisms and methods that enable tunnel end-users, efficiency. The key derivation presented in this document can also
as well as operators, to measure one-way and two- way network facilitate automatic key management.
performance in a standardized manner. This document describes the
use of keys derived from an IKEv2 security association (SA) as the
shared key in O/TWAMP. If the shared key can be derived from the
IKEv2 SA, O/TWAMP can support certificate-based key exchange, which
would allow for more operational flexibility and efficiency. The key
derivation presented in this document can also facilitate automatic
key management.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 15, 2015. This Internet-Draft will expire on November 30, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 23
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4
4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4
4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5
4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6
4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7
5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7
5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7
5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8
5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 10 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9
5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters such as latency, bandwidth, measure network performance parameters such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered. network measurement results, security aspects must be considered.
skipping to change at page 3, line 18 skipping to change at page 3, line 9
[RFC5357] requires that endpoints (i.e. both the client and the [RFC5357] requires that endpoints (i.e. both the client and the
server) possess a shared secret. In today's network deployments, server) possess a shared secret. In today's network deployments,
however, the use of pre-shared keys is far from optimal. For however, the use of pre-shared keys is far from optimal. For
example, in wireless infrastructure networks, certain network example, in wireless infrastructure networks, certain network
elements, which can be seen as the two endpoints from an O/TWAMP elements, which can be seen as the two endpoints from an O/TWAMP
perspective, support certificate-based security. For instance, perspective, support certificate-based security. For instance,
consider the case in which one wants to measure IP performance consider the case in which one wants to measure IP performance
between a E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW). between a E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW).
Both eNB and SeGW are 3GPP Long Term Evolution (LTE) nodes and Both eNB and SeGW are 3GPP Long Term Evolution (LTE) nodes and
support certificate mode and the Internet Key Exchange Protocol support certificate mode and the Internet Key Exchange Protocol
Version 2 (IKEv2). Since the currently standardized O/TWAMP security Version 2 (IKEv2).
mechanism only supports pre-shared key mode, large scale deployment
of O/TWAMP is hindered significantly. Furthermore, deployment and
management of "shared secrets" for massive equipment installation
consumes a tremendous amount of effort and is prone to human error.
With IKEv2 widely used, employing keys derived from IKEv2 security The O/TWAMP security mechanism specified in [RFC4656] [RFC5357] only
association (SA) as shared key can be considered as a viable supports the pre-shared key mode hindering large scale deployment of
alternative. In mobile telecommunication networks, the deployment O/TWAMP. Furthermore, deployment and management of "shared secrets"
rate of IPsec exceeds 95% with respect to the LTE serving network. for massive equipment installation consumes a tremendous amount of
In older-technology cellular networks, such as UMTS and GSM, IPsec effort and is prone to human error. At the same time, recent trends
use penetration is lower, but still quite significant. If the shared point to wider Internet Key Exchange Protocol Version 2 (IKEv2)
key can be derived from the IKEv2 SA, O/TWAMP can support cert-based deployment which, in turn, calls for mechanisms and methods that
enable tunnel end-users, as well as operators, to measure one-way and
two-way network performance in a standardized manner.
With IKEv2 widely deployed, employing shared keys derived from IKEv2
security association (SA) can be considered as a viable alternative
through the method described in this document. If the shared key can
be derived from the IKEv2 SA, O/TWAMP can support certificate-based
key exchange and practically increase operational flexibility and key exchange and practically increase operational flexibility and
efficiency. The use of IKEv2 also makes it easier to extend efficiency. The use of IKEv2 also makes it easier to extend
automatic key management. In general, O/TWAMP measurement packets automatic key management.
can be transmitted inside the IPsec tunnel, as it occurs with typical
user traffic, or transmitted outside the IPsec tunnel. This may
depend on the operator's policy and is orthogonal to the mechanism
described in this document.
When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated In general, O/TWAMP measurement packets can be transmitted inside the
mode using IPsec is one option. Another option is to protect O/TWAMP IPsec tunnel, as it occurs with typical user traffic, or transmitted
traffic using O/TWAMP layer security established using the PSK outside the IPsec tunnel. This may depend on the operator's policy
and the performance evaluation goal, and is orthogonal to the
mechanism described in this document. When IPsec is deployed,
protecting O/TWAMP traffic in unauthenticated mode using IPsec is one
option. Another option is to protect O/TWAMP traffic using the O/
TWAMP layer security established using the Pre-Shared Key (PSK)
derived from IKEv2 but bypassing the IPsec tunnel. Protecting derived from IKEv2 but bypassing the IPsec tunnel. Protecting
unauthenticated O/TWAMP control and/or test traffic via unauthenticated O/TWAMP control and/or test traffic via
Authentication Header (AH) [RFC4302] or Encapsulating Security Authentication Header (AH) [RFC4302] or Encapsulating Security
Payload (ESP) [RFC4303] cannot provide various security options, Payload (ESP) [RFC4303] cannot provide various security options,
e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in
[RFC4656]. For measuring latency, timestamp is carried in O/TWAMP [RFC4656].
For measuring latency, a timestamp is carried in O/TWAMP test
traffic. The sender has to fetch the timestamp, encrypt it, and send traffic. The sender has to fetch the timestamp, encrypt it, and send
it. In this case, the middle step can be skipped, potentially it. When the mechanism described in this document is used, partial
improving accuracy as the sequence number can be encrypted and authentication of O/TWAMP packets is possible and therefore the
authenticated before the timestamp is fetched. It is the same case middle step can be skipped, potentially improving accuracy as the
for the receiver since it can obtain the timestamp by skipping the sequence number can be encrypted and authenticated before the
decryption step. In such cases, protecting O/TWAMP traffic using O/ timestamp is fetched. The receiver obtains the timestamp without the
TWAMP layer security but bypassing IPsec tunnel has its advantages. need for the corresponding decryption step. In such cases,
protecting O/TWAMP traffic using O/TWAMP layer security but bypassing
the IPsec tunnel has its advantages.
This document specifies a method for enabling network measurements This document specifies a method for enabling network measurements
between a TWAMP client and a TWAMP server, as discussed in Section 3. between a TWAMP client and a TWAMP server, as discussed in Section 3.
In short, the shared key used for securing TWAMP traffic is derived In short, the shared key used for securing TWAMP traffic is derived
using IKEv2 [RFC7296]. From an operations and management perspective from IKEv2 [RFC7296]. From an operations and management perspective
[RFC5706], the mechanism described in this document requires that [RFC5706], the mechanism described in this document requires that
both the TWAMP client and server support IPsec. This method SHOULD both the TWAMP Control-Client and Server support IPsec.
be used when O/TWAMP traffic is bypassing IPsec protection and is IKEv2-derived keys SHOULD be used instead of shared secrets when O/
running over an external network exactly between two IKEv2 systems. TWAMP is employed in a deployment using IKEv2.
After clarifying the terminology and scope in the subsequent After clarifying the terminology and scope in the subsequent
sections, the remainder of this document is organized as follows. sections, the remainder of this document is organized as follows.
Section 4 summarizes O/TWAMP protocol operation with respect to Section 4 summarizes O/TWAMP protocol operation with respect to
security. Section 5 presents the method for binding TWAMP and IKEv2 security. Section 5 presents the method for binding TWAMP and IKEv2
for network measurements between the client and the server which both for network measurements between the client and the server which both
support IKEv2. Finally, Section 6 discusses the security support IKEv2. Finally, Section 6 discusses the security
considerations arising from the proposed mechanisms. considerations arising from the proposed mechanisms.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Scope and Applicability 3. Scope and Applicability
This document reserves from the TWAMP-Modes registry the Mode value TWAMP implementations signal the use of this method by setting
IKEv2Derived which is equal to 128 (i.e. bit set in position 7) and IKEv2Derived (see Section 7)
MUST be used by TWAMP implementations compatible with this
specification.
Although the control procedures described in this document are Although the control procedures described in this document are
applicable to OWAMP per se, the lack of an established IANA registry applicable to OWAMP per se, the lack of an established IANA registry
for OWAMP Mode values technically prevents us from extending OWAMP for OWAMP Mode values akin to that listed in Section 7 technically
Mode values. Therefore, independent OWAMP implementations SHOULD be prevents us from extending OWAMP Mode values. Therefore, independent
checked for full compatibility with respect to the use of this Mode OWAMP implementations SHOULD be checked for full compatibility with
value. Until an IANA registry for OWAMP Mode values is established, respect to the use of this Mode value. Until an IANA registry for
the use this feature in OWAMP implementations MUST be arranged OWAMP Mode values is established, the use of this feature in OWAMP
privately among consenting OWAMP users. implementations MUST be arranged privately among consenting OWAMP
users.
4. O/TWAMP Security 4. O/TWAMP Security
Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in
the following subsections. the following subsections.
4.1. O/TWAMP-Control Security 4.1. O/TWAMP-Control Security
O/TWAMP uses a simple cryptographic protocol which relies on O/TWAMP uses a simple cryptographic protocol which relies on
o AES in Cipher Block Chaining (AES-CBC) for confidentiality o Advanced Encryption Standard (AES) in Cipher Block Chaining (AES-
CBC) for confidentiality
o HMAC-SHA1 truncated to 128 bits for message authentication o Hash-based Message Authentication Code (HMAC)-Secure Hash
Algorithm1 (SHA1) truncated to 128 bits for message authentication
Three modes of operation are supported in the OWAMP-Control protocol: Three modes of operation are supported in the OWAMP-Control protocol:
unauthenticated, authenticated, and encrypted. In addition to these unauthenticated, authenticated, and encrypted. In addition to these
modes, the TWAMP-Control protocol also supports a mixed mode, i.e. modes, the TWAMP-Control protocol also supports a mixed mode, i.e.
the TWAMP-Control protocol operates in encrypted mode while TWAMP- the TWAMP-Control protocol operates in encrypted mode while TWAMP-
Test protocol operates in unauthenticated mode. The authenticated, Test protocol operates in unauthenticated mode. The authenticated,
encrypted and mixed modes require that endpoints possess a shared encrypted and mixed modes require that endpoints possess a shared
secret, typically a passphrase. The secret key is derived from the secret, typically a passphrase. The secret key is derived from the
passphrase using a password-based key derivation function PBKDF2 passphrase using a password-based key derivation function PBKDF2
(PKCS#5) [RFC2898]. (PKCS#5) [RFC2898].
In the unauthenticated mode, the security parameters are left unused. In the unauthenticated mode, the security parameters are left unused.
In the authenticated, encrypted and mixed modes, the security In the authenticated, encrypted and mixed modes, the security
parameters are negotiated during the control connection parameters are negotiated during the control connection
establishment. establishment.
Figure 1 illustrates the initiation stage of the O/TWAMP-Control Figure 1 illustrates the initiation stage of the O/TWAMP-Control
protocol between a client and the server. In short, the client opens protocol between a Control-Client and a Server. In short, the
a TCP connection to the server in order to be able to send O/TWAMP- Control-Client opens a TCP connection to the Server in order to be
Control commands. The server responds with a Server Greeting, which able to send O/TWAMP-Control commands. The Server responds with a
contains the Modes, Challenge, Salt, Count, and MBZ fields (see Server Greeting, which contains the Modes, Challenge, Salt, Count,
Section 3.1 of [RFC4656]). If the client-preferred mode is and MBZ fields (see Section 3.1 of [RFC4656]). If the Control-Client
available, the client responds with a Set-Up- Response message, preferred mode is available, the client responds with a Set-Up-
wherein the selected Mode, as well as the KeyID, Token and Client Response message, wherein the selected Mode, as well as the KeyID,
initialization vector (IV) are included. The Token is the Token and Client initialization vector (IV) are included. The Token
concatenation of a 16-octet Challenge, a 16-octet AES Session-key is the concatenation of a 16-octet Challenge, a 16-octet AES Session-
used for encryption, and a 32-octet HMAC-SHA1 Session-key used for key used for encryption, and a 32-octet HMAC-SHA1 Session-key used
authentication. The Token is encrypted using AES-CBC. for authentication. The Token is encrypted using AES-CBC.
+--------+ +--------+ +----------------+ +--------+
| Client | | Server | | Control-Client | | Server |
+--------+ +--------+ +----------------+ +--------+
| | | |
|<---- TCP Connection ----->| |<------ TCP Connection-- ----->|
| | | |
|<---- Greeting message ----| |<------ Greeting message ------|
| | | |
|----- Set-Up-Response ---->| |------- Set-Up-Response ------>|
| | | |
|<---- Server-Start --------| |<------ Server-Start ----------|
| | | |
Figure 1: Initiation of O/TWAMP-Control Figure 1: Initiation of O/TWAMP-Control
Encryption uses a key derived from the shared secret associated with Encryption uses a key derived from the shared secret associated with
KeyID. In the authenticated, encrypted and mixed modes, all further KeyID. In the authenticated, encrypted and mixed modes, all further
communication is encrypted using the AES Session-key and communication is encrypted using the AES Session-key and
authenticated with the HMAC Session-key. After receiving Set-Up- authenticated with the HMAC Session-key. After receiving the Set-Up-
Response the server responds with a Server-Start message containing Response the Server responds with a Server-Start message containing
Server-IV. The client encrypts everything it transmits through the the Server-IV. The Control-Client encrypts everything it transmits
just-established O/TWAMP-Control connection using stream encryption through the just-established O/TWAMP-Control connection using stream
with Client- IV as the IV. Correspondingly, the server encrypts its encryption with Client- IV as the IV. Correspondingly, the Server
side of the connection using Server-IV as the IV. The IVs themselves encrypts its side of the connection using Server-IV as the IV. The
are transmitted in cleartext. Encryption starts with the block IVs themselves are transmitted in cleartext. Encryption starts with
immediately following that containing the IV. the block immediately following that containing the IV.
The AES Session-key and HMAC Session-key are generated randomly by The AES Session-key and HMAC Session-key are generated randomly by
the client. The HMAC Session-key is communicated along with the AES the Control-Client. The HMAC Session-key is communicated along with
Session-key during O/TWAMP-Control connection setup. The HMAC the AES Session-key during O/TWAMP-Control connection setup. The
Session-key is derived independently of the AES Session-key. HMAC Session-key is derived independently of the AES Session-key.
4.2. O/TWAMP-Test Security 4.2. O/TWAMP-Test Security
The O/TWAMP-Test protocol runs over UDP, using the client and server The O/TWAMP-Test protocol runs over UDP, using the Session-Sender and
IP and port numbers that were negotiated during the Request-Session Session-Reflector IP and port numbers that were negotiated during the
exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and Request-Session exchange. O/TWAMP- Test has the same mode with O/
all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control TWAMP-Control and all O/TWAMP-Test sessions inherit the corresponding
session mode except when operating in mixed mode. O/TWAMP-Control session mode except when operating in mixed mode.
The O/TWAMP-Test packet format is the same in authenticated and The O/TWAMP-Test packet format is the same in authenticated and
encrypted modes. The encryption and authentication operations are, encrypted modes. The encryption and authentication operations are,
however, different. Similarly with the respective O/TWAMP-Control however, different. Similarly with the respective O/TWAMP-Control
session, each O/TWAMP-Test session has two keys: an AES Session-key session, each O/TWAMP-Test session has two keys: an AES Session-key
and an HMAC Session-key. However, there is a difference in how the and an HMAC Session-key. However, there is a difference in how the
keys are obtained: keys are obtained:
O/TWAMP-Control: the keys are generated by the client and O/TWAMP-Control: the keys are generated by the Control-Client and
communicated to the server during the control connection communicated to the Server during the control connection
establishment with the Set-Up-Response message (as part of establishment with the Set-Up-Response message (as part of
the Token). the Token).
O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and
the session identifier (SID), which serve as inputs of the the session identifier (SID), which serve as inputs of the
key derivation function (KDF). The O/TWAMP-Test AES Session- key derivation function (KDF). The O/TWAMP-Test AES Session-
key is generated using the O/TWAMP- Control AES Session-key, key is generated using the O/TWAMP- Control AES Session-key,
with the 16-octet session identifier (SID), for encrypting with the 16-octet session identifier (SID), for encrypting
and decrypting the packets of the particular O/TWAMP-Test and decrypting the packets of the particular O/TWAMP-Test
session. The O/TWAMP-Test HMAC Session-key is generated session. The O/TWAMP-Test HMAC Session-key is generated
using the O/TWAMP-Control HMAC Session-key, with the 16-octet using the O/TWAMP-Control HMAC Session-key, with the 16-octet
session identifier (SID), for authenticating the packets of session identifier (SID), for authenticating the packets of
the particular O/TWAMP-Test session. the particular O/TWAMP-Test session.
4.3. O/TWAMP Security Root 4.3. O/TWAMP Security Root
As discussed above, the AES Session-key and HMAC Session-key used by As discussed above, the AES Session-key and HMAC Session-key used by
the O/TWAMP-Test protocol are derived from the AES Session-key and the O/TWAMP-Test protocol are derived from the AES Session-key and
HMAC Session-key which are used in O/TWAMP-Control protocol. The AES HMAC Session-key which are used in the O/TWAMP-Control protocol. The
Session-key and HMAC Session-key used in the O/TWAMP-Control protocol AES Session-key and HMAC Session-key used in the O/TWAMP-Control
are generated randomly by the client, and encrypted with the shared protocol are generated randomly by the Control-Client, and encrypted
secret associated with KeyID. Therefore, the security root is the with the shared secret associated with KeyID. Therefore, the
shared secret key. Thus, for large deployments, key provision and security root is the shared secret key. Thus, for large deployments,
management may become overly complicated. Comparatively, a key provision and management may become overly complicated.
certificate-based approach using IKEv2 can automatically manage the Comparatively, a certificate-based approach using IKEv2 can
security root and solve this problem, as we explain in Section 5. automatically manage the security root and solve this problem, as we
explain in Section 5.
5. O/TWAMP for IPsec Networks 5. O/TWAMP for IPsec Networks
This section presents a method of binding O/TWAMP and IKEv2 for This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a client and a server which both support network measurements between a client and a server which both support
IPsec. In short, the shared key used for securing O/TWAMP traffic is IPsec. In short, the shared key used for securing O/TWAMP traffic is
derived using IKEv2 [RFC7296]. derived using IKEv2 [RFC7296].
5.1. Shared Key Derivation 5.1. Shared Key Derivation
In the authenticated, encrypted and mixed modes, the shared secret In the authenticated, encrypted and mixed modes, the shared secret
key MUST be derived from the IKEv2 Security Association (SA). Note key MUST be derived from the IKEv2 Security Association (SA). Note
that we explicitly opt to derive the shared secret key from the IKEv2 that we explicitly opt to derive the shared secret key from the IKEv2
SA, rather than the child SA, since the use case whereby an IKEv2 SA SA, rather than the child SA, since the use case whereby an IKEv2 SA
can be created without generating any child SA is possible [RFC6023]. can be created without generating any child SA is possible [RFC6023].
When the shared secret key is derived from the IKEv2 SA, SK_d must be When the shared secret key is derived from the IKEv2 SA, SK_d must be
generated first. SK_d MUST be computed as per [RFC7296]. generated first. SK_d must be computed as per [RFC7296].
The shared secret key MUST be generated as follows: The shared secret key MUST be generated as follows:
Shared secret key = prf( SK_d, "IPPM" ) Shared secret key = prf( SK_d, "IPPM" )
Wherein the string "IPPM" comprises four ASCII characters and "prf" Wherein the string "IPPM" is encoded in ASCII and "prf" is a
is a pseudorandom function. It is recommended that the shared secret pseudorandom function.
key is derived in the IPsec layer. This way, the IPsec keying
material is not exposed to the O/TWAMP client. Note, however, that It is recommended that the shared secret key is derived in the IPsec
the interaction between the O/TWAMP and IPsec layers is host-internal layer so that IPsec keying material is not exposed to the O/TWAMP
and implementation-specific. Therefore, this is clearly outside the client. Note, however, that the interaction between the O/TWAMP and
scope of this document, which focuses on the interaction between the IPsec layers is host-internal and implementation-specific.
O/TWAMP client and server. That said, one possible way could be the Therefore, this is clearly outside the scope of this document, which
following: at the client side, the IPSec layer can perform a lookup focuses on the interaction between the O/TWAMP client and server.
in the Security Association Database (SAD) using the IP address of That said, one possible way could be the following: at the Control-
the server and thus match the corresponding IKEv2 SA. At the server Client side, the IPSec layer can perform a lookup in the Security
side, the IPSec layer can look up the corresponding IKEv2 SA by using Association Database (SAD) using the IP address of the Server and
the SPIs sent by the client, and therefore extract the shared secret thus match the corresponding IKEv2 SA. At the Server side, the IPSec
key. In case that both client and server do support IKEv2 but there layer can look up the corresponding IKEv2 SA by using the Security
is no current IKEv2 SA, two alternative ways could be considered. Parameter Indexes (SPIs) sent by the Control-Client (see
First, the O/TWAMP client initiates the establishment of the IKEv2 Section 5.3), and therefore extract the shared secret key.
In case that both client and server do support IKEv2 but there is no
current IKEv2 SA, two alternative ways could be considered. First,
the O/TWAMP Control-Client initiates the establishment of the IKEv2
SA, logs this operation, and selects the mode which supports IKEv2. SA, logs this operation, and selects the mode which supports IKEv2.
Alternatively, the O/TWAMP client does not initiate the establishment Alternatively, the O/TWAMP Control-Client does not initiate the
of the IKEv2 SA, logs an error for operational management purposes, establishment of the IKEv2 SA, logs an error for operational
and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. management purposes, and proceeds with the modes defined in
Again, although both alternatives are feasible, they are in fact [RFC4656][RFC5357][RFC5618]. Again, although both alternatives are
implementation-specific. feasible, they are in fact implementation-specific.
If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the
corresponding shared secret key generated from the SA can continue to corresponding shared secret key generated from the SA MUST continue
be used until the O/TWAMP session terminates. to be used until the O/TWAMP session terminates.
5.2. Server Greeting Message Update 5.2. Server Greeting Message Update
To achieve a binding association between the key generated from IKEv2 To trigger a binding association between the key generated from IKEv2
and the O/TWAMP shared secret key, Server Greeting Message should and the O/TWAMP shared secret key, the Modes field in the Server
include these extensions, as in Figure 2. Greeting Message (Figure 2) will need to allow for support of key
derivation as discussed in Section 5.1. Therefore, when this method
is used, the Modes value extension MUST be supported. Support for
deriving the shared key from the IKEv2 SA is indicated by setting
IKEv2Derived (see Section 7).
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Unused (12 octets) | | Unused (12 octets) |
| | | |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Modes | | Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 9, line 33 skipping to change at page 9, line 33
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Count (4 octets) | | Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting format Figure 2: Server Greeting format
The Modes field in Figure 2 will need to allow for support of key
derivation as discussed in Section 5.1. As such, the Modes value
extension MUST be supported by implementations compatible with this
document, indicating support for deriving the shared key from the
IKEv2 SA. The new Modes value indicating support for this
specification is IKEv2Derived and is equal to 128 (i.e. bit set in
position 7). Clearly, an implementation compatible with this
specification MUST support the authenticated, encrypted and mixed
modes as per [RFC4656][RFC5357][RFC5618].
The choice of this set of Modes values poses no backwards The choice of this set of Modes values poses no backwards
compatibility problems to existing O/TWAMP clients. Robust legacy compatibility problems to existing O/TWAMP clients. Robust legacy
client implementations would disregard the fact that the IKEv2Derived Control-Client implementations would disregard the fact that the
Modes bit in the Server Greeting is set. On the other hand, a client IKEv2Derived Modes bit in the Server Greeting is set. On the other
compatible with this specification can easily identify that the O/ hand, a Control-Client implementing this method can identify that the
TWAMP server contacted does not support this specification. If the O/TWAMP Server contacted does not support this specification. If the
server supports other Modes, as one could assume, the client would Server supports other Modes, as one could assume, the Control-Client
then decide which Mode to use and indicate such accordingly as per would then decide which Mode to use and indicate such accordingly as
[RFC4656][RFC5357]. A client compatible with this specification per [RFC4656][RFC5357]. A Control-Client implementing this method
which decides not to employ IKEv2 derivation, can simply behave as a which decides not to employ IKEv2 derivation, can simply behave as a
purely [RFC4656]/[RFC5357] compatible client. purely [RFC4656]/[RFC5357] compatible client.
5.3. Set-Up-Response Update 5.3. Set-Up-Response Update
The Set-Up-Response Message should be updated as in Figure 3. When a The Set-Up-Response Message Figure 3 is updated as follows. When a
O/TWAMP client compatible with this specification receives a Server O/TWAMP Control-Client implementing this method receives a Server
Greeting indicating support for Mode IKEv2Derived it SHOULD reply to Greeting indicating support for Mode IKEv2Derived it SHOULD reply to
the O/TWAMP server with a Set-Up response that indicates so. For the O/TWAMP Server with a Set-Up response that indicates so. For
example, a compatible O/TWAMP client choosing the authenticated mode example, a compatible O/TWAMP Control-Client choosing the
with IKEv2 shared secret key derivation should set Mode to 130, i.e. authenticated mode with IKEv2 shared secret key derivation should set
set the bits in positions 1 and 7 to one. Mode to 130, i.e. set the bits in positions 1 and 7 to one (see
Section 7).
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Key ID (80 octets) | | Key ID (80 octets) |
| | | |
| | | |
skipping to change at page 10, line 39 skipping to change at page 10, line 29
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Set-Up-Response Message Figure 3: Set-Up-Response Message
The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) uniquely
uniquely identify the Security Association (SA). If the client identifies the Security Association (SA). If the Control-Client
supports the derivation of shared secret key from IKEv2 SA, it will supports the derivation of shared secret key from IKEv2 SA, it will
choose the corresponding mode value and carry SPIi and SPIr in the choose the corresponding mode value and carry SPIi and SPIr in the
Key ID field. SPIi and SPIr MUST be included in the Key ID field of Key ID field. SPIi and SPIr MUST be included in the Key ID field of
Set-Up-Response Message to indicate the IKEv2 SA from which the O/ the Set-Up-Response Message to indicate the IKEv2 SA from which the
TWAMP shared secret key derived from. The length of SPI is 8 octets. O/TWAMP shared secret key derived from. The length of SPI is 8
Therefore, the first 8 octets of Key ID field MUST carry SPIi and the octets. Therefore, the first 8 octets of Key ID field MUST carry
second 8 octets MUST carry SPIr. The remaining bits of the Key ID SPIi and the second 8 octets MUST carry SPIr. The remaining bits of
field MUST set to zero. the Key ID field MUST be set to zero.
A O/TWAMP server which supports the specification of this document, A O/TWAMP Server implementation of this method, MUST obtain the SPIi
MUST obtain the SPIi and SPIr from the first 16 octets and ignore the and SPIr from the first 16 octets and ignore the remaining octets of
remaining octets of the Key ID field. Then, the client and the the Key ID field. Then, the Control-Client and the Server can derive
server can derive the shared secret key based on the mode value and the shared secret key based on the Mode value and SPI. If the O/
SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to TWAMP Server cannot find the IKEv2 SA corresponding to the SPIi and
the SPIi and SPIr received, it MUST log the event for operational SPIr received, it MUST log the event for operational management
management purposes. In addition, the O/TWAMP server SHOULD set the purposes. In addition, the O/TWAMP Server SHOULD set the Accept
Accept field of the Server-Start message to the value 6 to indicate field of the Server-Start message to the value 6 to indicate that the
that server is not willing to conduct further transactions in this O/ Server is not willing to conduct further transactions in this O/
TWAMP-Control session since it can not find the corresponding IKEv2 TWAMP-Control session since it can not find the corresponding IKEv2
SA. SA.
5.4. O/TWAMP over an IPsec tunnel 5.4. O/TWAMP over an IPsec tunnel
IPsec Authentication Header (AH) [RFC4302] and Encapsulating Security IPsec Authentication Header (AH) [RFC4302] and Encapsulating Security
Payload (ESP) [RFC4303] provide confidentiality and data integrity to Payload (ESP) [RFC4303] provide confidentiality and data integrity to
IP datagrams. An IPsec tunnel can be used to provide the protection IP datagrams. An IPsec tunnel can be used to provide the protection
needed for O/TWAMP Control and Test packets, even if the peers choose needed for O/TWAMP Control and Test packets, even if the peers choose
the unauthenticated mode of operation. In order to ensure the unauthenticated mode of operation. In order to ensure
authenticity and security, the IPsec tunnel SHOULD be configured to authenticity and security, O/TWAMP packets between two IKEv2 systems
include O/TWAMP measurement packets even when using the SHOULD be configured to use the corresponding IPsec tunnel running
unauthenticated mode. over an external network even when using the O/TWAMP unauthenticated
mode.
6. Security Considerations 6. Security Considerations
As the shared secret key is derived from the IKEv2 SA, the key As the shared secret key is derived from the IKEv2 SA, the key
derivation algorithm strength and limitations are as per [RFC7296]. derivation algorithm strength and limitations are as per [RFC7296].
The strength of a key derived from a Diffie-Hellman exchange using The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by the group, the size of the exponent used, and the entropy provided by
the random number generator employed. The strength of all keys and the random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly Denial of Service (DoS) implementation vulnerabilities, particularly Denial of Service (DoS)
attacks are as defined in [RFC7296]. attacks are as defined in [RFC7296].
7. IANA Considerations 7. IANA Considerations
IANA is requested to allocate the IKEv2Derived Mode bit that is equal During the production of this document, the authors and reviewers
to 128 (i.e. bit set in position 7) in the TWAMP-Modes registry. The noticed that the TWAMP-Modes registry, which should describe a
TWAMP-Modes registry should be augmented as follows: bitfield of flags, instead is defined as a registry of integer
values. In addition, the Semantics Definition column seems to have
spurious information in it. The registry should be changed to
correct these issues, as follows:
Value Description Semantics Definition Bit|Description |Semantics |Reference|
-------------------------------------------------------- | |Definition | |
128 IKEv2 Derived This memo, Section 5.2 ---|-------------------------------------------|------------|---------|
Mode Capability new bit position 7 0 Unauthenticated Section 3.1 [RFC4656]
1 Authenticated Section 3.1 [RFC4656]
2 Encrypted Section 3.1 [RFC4656]
3 Unauth.TEST protocol,Encrypted CONTROL Section 3.1 [RFC5618]
4 Individual Session Control [RFC5938]
5 Reflect Octets Capability [RFC6038]
6 Symmetrical Size Sender Test Packet Format [RFC6038]
Figure 4: IKEv2 Modes Capability Figure 4: TWAMP Modes registry
In addition, this document adds a new entry to this registry:
Bit|Description |Semantics |Reference|
| |Definition | |
---|-------------------------------------------|------------|---------|
7 IKEv2Derived Mode Capability Section 5 [RFCxxxx]
(where RFCxxxx refers to draft-ietf-ippm-ipsec).
Figure 5: IKEv2 Derived Mode Capability
8. Acknowledgments 8. Acknowledgments
We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John
Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred
Baker, Meral Shirazipour, and Hannes Tschofenig for their reviews, Baker, Meral Shirazipour, Hannes Tschofenig, Ben Campbell, Stephen
comments and text suggestions. Farrell, Brian Haberman, and Barry Leiba for their reviews, comments
and text suggestions.
Al Morton deserves a special mention for his thorough reviews and Al Morton deserves a special mention for his thorough reviews and
text contributions to this document as well as the constructive text contributions to this document as well as the constructive
discussions over several IPPM meetings. discussions over several IPPM meetings.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 End of changes. 43 change blocks. 
193 lines changed or deleted 217 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/