| draft-ietf-lisp-sec-21.txt | draft-ietf-lisp-sec-22.txt | |||
|---|---|---|---|---|
| Network Working Group F. Maino | Network Working Group F. Maino | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track V. Ermagan | Intended status: Standards Track V. Ermagan | |||
| Expires: January 8, 2021 Google | Expires: July 16, 2021 Google | |||
| A. Cabellos | A. Cabellos | |||
| Universitat Politecnica de Catalunya | Universitat Politecnica de Catalunya | |||
| D. Saucez | D. Saucez | |||
| INRIA | INRIA | |||
| July 7, 2020 | January 12, 2021 | |||
| LISP-Security (LISP-SEC) | LISP-Security (LISP-SEC) | |||
| draft-ietf-lisp-sec-21 | draft-ietf-lisp-sec-22 | |||
| Abstract | Abstract | |||
| This memo specifies LISP-SEC, a set of security mechanisms that | This memo specifies LISP-SEC, a set of security mechanisms that | |||
| provides origin authentication, integrity and anti-replay protection | provides origin authentication, integrity and anti-replay protection | |||
| to LISP's EID-to-RLOC mapping data conveyed via mapping lookup | to LISP's EID-to-RLOC mapping data conveyed via mapping lookup | |||
| process. LISP-SEC also enables verification of authorization on EID- | process. LISP-SEC also enables verification of authorization on EID- | |||
| prefix claims in Map-Reply messages. | prefix claims in Map-Reply messages. | |||
| Requirements Language | Requirements Language | |||
| skipping to change at page 1, line 47 ¶ | skipping to change at page 1, line 47 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 8, 2021. | This Internet-Draft will expire on July 16, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 16, line 10 ¶ | skipping to change at page 16, line 10 ¶ | |||
| Processing of the Map-Request MUST proceed in the order described in | Processing of the Map-Request MUST proceed in the order described in | |||
| the table below, applying the processing corresponding to the first | the table below, applying the processing corresponding to the first | |||
| rule that matches the conditions indicated in the first column: | rule that matches the conditions indicated in the first column: | |||
| +----------------+--------------------------------------------------+ | +----------------+--------------------------------------------------+ | |||
| | Matching | Processing | | | Matching | Processing | | |||
| | Condition | | | | Condition | | | |||
| +----------------+--------------------------------------------------+ | +----------------+--------------------------------------------------+ | |||
| | 1. At least | The Map-Server MUST generate a LISP-SEC | | | 1. At least | The Map-Server MUST generate a LISP-SEC | | |||
| | one of the | protected Map-Reply as specified in Section | | | one of the | protected Map-Reply as specified in | | |||
| | ETRs | 5.7.2. The ETR-Cant-Sign E-bit in the EID | | | ETRs | Section 5.7.2. The ETR-Cant-Sign E-bit in the | | |||
| | authoritative | Authentication Data (EID-AD) MUST be set to 0. | | | authoritative | EID Authentication Data (EID-AD) MUST be set to | | |||
| | for the EID | | | | for the EID | 0. | | |||
| | prefix | | | | prefix | | | |||
| | included in | | | | included in | | | |||
| | the Map- | | | | the Map- | | | |||
| | Request | | | | Request | | | |||
| | registered | | | | registered | | | |||
| | with the P-bit | | | | with the P-bit | | | |||
| | set to 1 | | | | set to 1 | | | |||
| | | | | | | | | |||
| | 2. At least | The Map-Server MUST generate a LISP-SEC | | | 2. At least | The Map-Server MUST generate a LISP-SEC | | |||
| | one of the | protected Encapsulated Map-Request (as specified | | | one of the | protected Encapsulated Map-Request (as specified | | |||
| skipping to change at page 16, line 36 ¶ | skipping to change at page 16, line 36 ¶ | |||
| | for the EID | S-bit set to 1 (and the P-bit set to 0). If | | | for the EID | S-bit set to 1 (and the P-bit set to 0). If | | |||
| | prefix | there is at least one ETR that registered with | | | prefix | there is at least one ETR that registered with | | |||
| | included in | the S-bit set to 0, the ETR-Cant-Sign E-bit of | | | included in | the S-bit set to 0, the ETR-Cant-Sign E-bit of | | |||
| | the Map- | the EID-AD MUST be set to 1 to signal the ITR | | | the Map- | the EID-AD MUST be set to 1 to signal the ITR | | |||
| | Request | that a non LISP-SEC Map-Request might reach | | | Request | that a non LISP-SEC Map-Request might reach | | |||
| | registered | additional ETRs that have LISP-SEC disabled. | | | registered | additional ETRs that have LISP-SEC disabled. | | |||
| | with the S-bit | | | | with the S-bit | | | |||
| | set to 1 | | | | set to 1 | | | |||
| | | | | | | | | |||
| | 3. All the | The Map-Server MUST send a Negative Map-Reply | | | 3. All the | The Map-Server MUST send a Negative Map-Reply | | |||
| | ETRs | protected with LISP-SEC, as described in Section | | | ETRs | protected with LISP-SEC, as described in | | |||
| | authoritative | 5.7.2. The ETR-Cant-Sign E-bit MUST be set to 1 | | | authoritative | Section 5.7.2. The ETR-Cant-Sign E-bit MUST be | | |||
| | for the EID | to signal the ITR that a non LISP-SEC Map- | | | for the EID | set to 1 to signal the ITR that a non LISP-SEC | | |||
| | prefix | Request might reach additional ETRs that have | | | prefix | Map-Request might reach additional ETRs that | | |||
| | included in | LISP-SEC disabled. | | | included in | have LISP-SEC disabled. | | |||
| | the Map- | | | | the Map- | | | |||
| | Request | | | | Request | | | |||
| | registered | | | | registered | | | |||
| | with the S-bit | | | | with the S-bit | | | |||
| | set to 0 | | | | set to 0 | | | |||
| +----------------+--------------------------------------------------+ | +----------------+--------------------------------------------------+ | |||
| In this way the ITR that sent a LISP-SEC protected Map-Request always | In this way the ITR that sent a LISP-SEC protected Map-Request always | |||
| receives a LISP-SEC protected Map-Reply. However, the ETR-Cant-Sign | receives a LISP-SEC protected Map-Reply. However, the ETR-Cant-Sign | |||
| E-bit set to 1 specifies that a non LISP-SEC Map-Request might reach | E-bit set to 1 specifies that a non LISP-SEC Map-Request might reach | |||
| skipping to change at page 25, line 37 ¶ | skipping to change at page 25, line 37 ¶ | |||
| Noll for their valuable suggestions provided during the preparation | Noll for their valuable suggestions provided during the preparation | |||
| of this document. | of this document. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-lisp-rfc6833bis] | [I-D.ietf-lisp-rfc6833bis] | |||
| Farinacci, D., Maino, F., Fuller, V., and A. Cabellos- | Farinacci, D., Maino, F., Fuller, V., and A. Cabellos- | |||
| Aparicio, "Locator/ID Separation Protocol (LISP) Control- | Aparicio, "Locator/ID Separation Protocol (LISP) Control- | |||
| Plane", draft-ietf-lisp-rfc6833bis-27 (work in progress), | Plane", draft-ietf-lisp-rfc6833bis-30 (work in progress), | |||
| January 2020. | November 2020. | |||
| [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
| Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||
| DOI 10.17487/RFC2104, February 1997, | DOI 10.17487/RFC2104, February 1997, | |||
| <https://www.rfc-editor.org/info/rfc2104>. | <https://www.rfc-editor.org/info/rfc2104>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 27, line 10 ¶ | skipping to change at page 27, line 10 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [I-D.ietf-lisp-rfc6830bis] | [I-D.ietf-lisp-rfc6830bis] | |||
| Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. | Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. | |||
| Cabellos-Aparicio, "The Locator/ID Separation Protocol | Cabellos-Aparicio, "The Locator/ID Separation Protocol | |||
| (LISP)", draft-ietf-lisp-rfc6830bis-32 (work in progress), | (LISP)", draft-ietf-lisp-rfc6830bis-36 (work in progress), | |||
| March 2020. | November 2020. | |||
| Authors' Addresses | Authors' Addresses | |||
| Fabio Maino | Fabio Maino | |||
| Cisco Systems | Cisco Systems | |||
| 170 Tasman Drive | 170 Tasman Drive | |||
| San Jose, California 95134 | San Jose, California 95134 | |||
| USA | USA | |||
| Email: fmaino@cisco.com | Email: fmaino@cisco.com | |||
| End of changes. 9 change blocks. | ||||
| 18 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||