One document matched: draft-ietf-ippm-ipsec-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC5996 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5996.xml'>
<!ENTITY RFC4656 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4656.xml'>
<!ENTITY RFC5357 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5357.xml'>
<!ENTITY RFC6023 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6023.xml'>
]>
<rfc category="std" ipr="trust200902" docName="draft-ietf-ippm-ipsec-02">
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc comments="yes"?>
<?rfc inline="yes" ?>
<front>
<title abbrev="Network Performance Measurement for IPsec">Network Performance Measurement for IPsec</title>
<author fullname="Kostas Pentikousis" initials="K.P." surname="Pentikousis" role="editor">
<organization abbrev="EICT">EICT GmbH</organization>
<address>
<postal>
<street>Torgauer Strasse 12-15</street>
<city>10829 Berlin</city>
<country>Germany</country>
</postal>
<email>k.pentikousis@eict.de</email>
</address>
</author>
<author initials="Y" surname="Cui" fullname="Yang Cui">
<organization abbrev="Huawei Technologies">Huawei Technologies </organization>
<address>
<postal>
<street>Otemachi First Square 1-5-1 Otemachi </street>
<city>Chiyoda-ku</city>
<region>Tokyo </region>
<code>100-0004</code>
<country>Japan</country>
</postal>
<email> cuiyang@huawei.com </email>
</address>
</author>
<author initials="E" surname="Zhang" fullname="Emma Zhang">
<organization abbrev="Huawei Technologies">Huawei Technologies </organization>
<address>
<postal>
<street>Huawei Building, Q20, No.156, Rd. BeiQing</street>
<city> Haidian District </city>
<region> Beijing </region>
<code> 100095 </code>
<country>P. R. China</country>
</postal>
<email> emma.zhanglijia@huawei.com </email>
</address>
</author>
<date year="2014" />
<area>Transport</area>
<workgroup>IPPM WG</workgroup>
<abstract><t>The O/TWAMP security mechanism requires that endpoints (i.e. both the client and the server)
possess a shared secret. Since the currently-standardized O/TWAMP security
mechanism only supports a pre-shared key mode, large scale deployment of O/TWAMP
is hindered significantly. At the same time, recent trends point to wider IKEv2
deployment, which in turn calls for mechanisms and methods that enable tunnel
end-users, as well as operators, to measure one-way and two-way network
performance in a standardized manner. This document discusses the use of keys
derived from an IKE SA as the shared key in O/TWAMP. If the shared key can be
derived from the IKE SA, O/TWAMP can support cert-based key exchange, which
would allow for more flexibility and efficiency. Such key derivation can also
facilitate automatic key management.</t> </abstract>
</front>
<middle>
<section title="Introduction">
<t>The One-way Active Measurement Protocol (OWAMP) <xref target="RFC4656"/> and
the Two-Way Active Measurement Protocol (TWAMP) <xref target="RFC5357"/> can be
used to measure network performance parameters, such as latency, bandwidth, and
packet loss by sending probe packets and monitoring their experience in the
network. In order to guarantee the accuracy of network measurement results,
security aspects must be considered. Otherwise, attacks may occur and the
authenticity of the measurement results may be violated. For example, if no
protection is provided, an adversary in the middle may modify packet timestamps,
thus altering the measurement results.</t>
<t>The currently-standardized O/TWAMP security mechanism <xref
target="RFC4656"/> <xref target="RFC5357"/> requires that endpoints (i.e. both
the client and the server) possess a shared secret. In today's network
deployments, however, the use of pre-shared keys may not be optimal. For
example, in wireless infrastructure networks, certain network elements, which
can be seen as the two endpoints from an O/TWAMP perspective, support
certificate-based security. This is the case when one wants to measure IP
performance between an eNB and SeGW, for instance. Since the currently
standardized O/TWAMP security mechanism only supports pre-shared key mode, large
scale deployment of O/TWAMP is hindered significantly. Furthermore, deployment
and management of "shared secrets" for massive equipment installation consumes a
tremendous amount of effort and is prone to human error.</t>
<t>With IKEv2 widely used, using keys derived from IKE SA as shared key can be
considered as a viable alternative. In mobile telecommunication networks, the
deployment rate of IPsec exceeds 95% with respect to the LTE serving network. In
older-technology cellular networks, such as UMTS and GSM, IPsec use penetration
is lower, but still quite significant. If the shared key can be derived from the
IKE SA, O/TWAMP can support cert-based key exchange and make it more flexible in
practice and more efficient. The use of IKEv2 also makes it easier to extend
automatic key management. In general, O/TWAMP measurement packets can be transmitted inside the IPsec tunnel, as it occurs with typical user traffic, or transmitted outside the IPsec tunnel. This may depend on the operator's policy and is orthogonal to the mechanism described in this document.</t>
<t>The remainder of this document is organized as follows. <xref
target="Motivation"/> summarizes O/TWAMP protocol operation with respect to
security. <xref target="Solution"/> presents a method of binding O/TWAMP and
IKEv2 for network measurements between the client and the server which both
support IKEv2. Finally, <xref target="Security"/> discusses the security
considerations arising from the proposed mechanisms.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in <xref target="RFC2119"/>.</t> </section>
<section anchor="Motivation" title="O/TWAMP Security" >
<t>Security for O/TWAMP-Control and O/TWAMP-Test are reviewed separately in this section.</t>
<section title="O/TWAMP-Control Security">
<t>O/TWAMP uses a simple cryptographic protocol which relies on
<list style="symbols">
<t>AES in Cipher Block Chaining (AES-CBC) for confidentiality</t>
<t>HMAC-SHA1 truncated to 128 bits for message authentication</t></list></t>
<t>Three modes of operation are supported in the OWAMP-Control protocol: unauthenticated,
authenticated, and encrypted. Besides the above three modes supported, the TWAMP-Control
protocol also supports an additional mode: mixed mode, i.e. the TWAMP-Control protocol
operates in encrypted mode while TWAMP-Test protocol operates in unauthenticated mode.
The authenticated, encrypted and mixed modes require that endpoints possess a
shared secret, typically a passphrase. The secret key is derived from the
passphrase using a password-based key derivation function PBKDF2 (PKCS#5) <xref
target="RFC2898"/>.</t>
<t>In the unauthenticated mode, the security parameters are left unused. In the
authenticated, encrypted and mixed modes, the security parameters are negotiated
during the control connection establishment.</t>
<t><xref target="MES" /> illustrates the initiation stage of the O/TWAMP-Control
protocol between a client and the server. In short, the client opens a TCP
connection to the server in order to be able to send O/TWAMP-Control commands.
The server responds with a Server Greeting, which contains the Modes, Challenge,
Salt, Count, and MBZ fields (see Section 3.1 of <xref target="RFC4656"/>). If
the client-preferred mode is available, the client responds with a Set-Up-
Response message, wherein the selected Mode, as well as the KeyID, Token and
Client IV are included. The Token is the concatenation of a 16-octet Challenge,
a 16-octet AES Session-key used for encryption, and a 32-octet HMAC-SHA1
Session-key used for authentication. The Token is encrypted using AES-CBC.</t>
<figure anchor="MES" title="Initiation of O/TWAMP-Control"><artwork><![CDATA[
+--------+ +--------+
| Client | | Server |
+--------+ +--------+
| |
|<---- TCP Connection ----->|
| |
|<---- Greeting message ----|
| |
|----- Set-Up-Response ---->|
| |
|<---- Server-Start --------|
| |]]>
</artwork></figure>
<t>Encryption uses a key derived from the shared secret associated with KeyID.
In the authenticated, encrypted and mixed modes, all further communication is
encrypted using the AES Session-key and authenticated with the HMAC Session-key.
After receiving Set-Up-Response the server responds with a Server-Start message
containing Server-IV. The client encrypts everything it transmits through the
just-established O/TWAMP-Control connection using stream encryption with Client-
IV as the IV. Correspondingly, the server encrypts its side of the connection
using Server-IV as the IV. The IVs themselves are transmitted in cleartext.
Encryption starts with the block immediately following that containing the
IV.</t>
<t>The AES Session-key and HMAC Session-key are generated randomly by the
client. The HMAC Session-key is communicated along with the AES Session-key
during O/TWAMP-Control connection setup. The HMAC Session-key is derived
independently of the AES Session-key. </t> </section>
<section title="O/TWAMP-Test Security">
<t>The O/TWAMP-Test protocol runs over UDP, using the client and server IP and
port numbers that were negotiated during the Request-Session exchange. O/TWAMP-
Test has the same mode with O/TWAMP-Control and all O/TWAMP-Test sessions
inherit the corresponding O/TWAMP-Control session mode except when operating in
mixed mode.</t>
<t>The O/TWAMP-Test packet format is the same in authenticated and encrypted
modes. The encryption and authentication operations are, however, different.
Similarly with the respective O/TWAMP-Control session, each O/TWAMP-Test session
has two keys: an AES Session-key and an HMAC Session-key. However, there is a
difference in how the keys are obtained:
<list style="hanging" hangIndent="8"> <t hangText="O/TWAMP-Control:"> the keys
are generated by the client and communicated to the server during the control
connection establishment with the Set-Up-Response message (as part of the
Token).</t>
<t hangText="O/TWAMP-Test:"> the keys are derived from the O/TWAMP-Control keys
and the session identifier (SID), which serve as inputs of the key derivation
function (KDF). The O/TWAMP-Test AES Session-key is generated using the O/TWAMP-
Control AES Session-key, with the 16-octet session identifier (SID), for
encrypting and decrypting the packets of the particular O/TWAMP-Test session.
The O/TWAMP-Test HMAC Session-key is generated using the O/TWAMP-Control HMAC
Session-key, with the 16-octet session identifier (SID), for authenticating the
packets of the particular O/TWAMP-Test session.</t> </list></t>
</section>
<section title="O/TWAMP Security Root">
<t>As discussed above, the AES Session-key and HMAC Session-key used in the
O/TWAMP-Test protocol are derived from the AES Session-key and HMAC Session-key
which are used in O/TWAMP-Control protocol. The AES Session-key and HMAC
Session-key used in the O/TWAMP-Control protocol are generated randomly by the
client, and encrypted with the shared secret associated with KeyID. Therefore,
the security root is the shared secret key. Thus, for large deployments, key
provision and management may become overly complicated. Comparatively, a
certificate-based approach using IKEv2 can automatically manage the
security root and solve this problem, as we explain in <xref
target="Solution"></xref>.</t>
</section>
</section>
<section anchor="Solution" title="O/TWAMP for IPsec Networks" >
<t>This section presents a method of binding O/TWAMP and IKEv2 for network
measurements between a client and a server which both support IPsec. In short,
the shared key used for securing O/TWAMP traffic is derived using IKEv2 <xref
target="RFC5996"/>.</t>
<section anchor="SharedKeyDerivation" title="Shared Key Derivation"> <t>In the
authenticated, encrypted and mixed modes, the shared secret key can be derived
from the IKEv2 Security Association (SA). Note that we explicitly opt to derive
the shared secret key from the IKE SA, rather than the child SA, since the use
case whereby an IKE SA can be created without generating any child SA is
possible <xref target="RFC6023"/>.</t>
<t>If the shared secret key is derived from the IKE SA, SKEYSEED must be
generated first. SKEYSEED and its derivatives are computed as per <xref
target="RFC5996"/>, where prf is a pseudorandom function:</t>
<t><list><t>SKEYSEED = prf( Ni | Nr, g^ir )</t></list></t>
<t>Ni and Nr are, respectively, the initiator and responder nonces, which are
negotiated during the initial exchange (see Section 1.2 of <xref
target="RFC5996"/>). g^ir is the shared secret from the ephemeral Diffie-
Hellman exchange and is represented as a string of octets.</t>
<t>The shared secret key can be generated as follows:</t>
<t><list><t>Shared secret key = PRF{ SKEYSEED, "IPPM" }</t></list></t>
<t>The shared secret key is derived in the IPsec layer. Thus, the IPsec keying
material is not be exposed to the O/TWAMP client. Note that the interaction between the O/TWAMP and IPsec implementations is outside the scope of this document, which focuses on the interaction between the O/TWAMP client and server. Of course, extracting the
shared secret key from the IPsec layer can depend on the implementation. One
possible way could be the following: at the client side, the IPSec layer can
perform a lookup in the Security Association Database (SAD) using the IP address
of the server and thus match the corresponding IKE SA. At the server side,
the IPSec layer can look up the corresponding IKE SA by using the SPIs sent by
the client, and therefore extract the shared secret key.</t>
<t>If rekeying for the IKE SA or deletion of the IKE SA occurs, the
corresponding shared secret key generated from the SA can continue to be used
until the lifetime of the shared secret key expires.</t> </section>
<section anchor="ServerGreetingUpdate" title="Server Greeting Message Update">
<t>To achieve a binding association between the key generated from IKE and the O/TWAMP shared secret key, Server Greeting Message should be updated as in <xref target="ServerGreeting" />.</t>
<figure anchor="ServerGreeting" title="Server Greeting format"><artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Unused (12 octets) |
| |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Challenge (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Salt (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MBZ (12 octets) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]>
</artwork></figure>
<t>The Modes field in <xref target="ServerGreeting" /> will need to allow for
support of key derivation as discussed in <xref target="SharedKeyDerivation"/>.
As such, pending discussion in the IPPM WG, Modes value 8 extension MUST be
supported by implementations compatible with this document, indicating support for deriving shared key from IKE SA. Modes value 16 indicates authenticated mode; Modes value 32 indicates encrypted mode; and Modes value 64 indicates mixed mode over IKEv2.</t>
<t>Authenticated mode over IKEv2 means that the client and server operate in
authenticated mode with the shared secret key derived from IKE SA. Encrypted
mode over IKEv2 means that the client and server operate in encrypted mode with
the shared secret key derived from IKE SA. Mixed mode over IKEv2 means that the
client and server operate in encrypted mode for the O/TWAMP-Control protocol
while operating in unauthenticated mode for the O/TWAMP-Test protocol with
shared secret key derived from IKE SA.</t>
<t>Server implementations compatible with this document MUST set the first 25
bits of the Modes field to zero. A client compatible with this specification
MUST ignore the first 25 bits of the Modes field. For backward compatibility,
the server is obviously allowed to indicate support for the Modes defined in
<xref target="RFC4656"/> </t>
<t>The choice of this set of Modes values poses the least backwards
compatibility problems to existing O/TWAMP clients. Robust client
implementations of <xref target="RFC4656"/> would disregard that the first 29
Modes bits in the Server Greeting is set. If the server supports other Modes, as
one would assume, the client would then indicate any of the Modes defined in
<xref target="RFC4656"/> and effectively indicate that it does not support key derivation from IKE. At this point, the Server would need to use the Modes defined in <xref
target="RFC4656"/> only.</t>
</section>
<section anchor="SetUpResponseUpdate" title="Set-Up-Response Update">
<t>The Set-Up-Response Message should be updated as in <xref target="Response" />.</t>
<figure anchor="Response" title="Set-Up-Response Message"><artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Key ID (80 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Token (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Client-IV (12 octets) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]>
</artwork></figure>
<t>The Security Parameter Index (SPI)(see <xref target="RFC4301"/> <xref
target="RFC5996"/>) can uniquely identify the Security Association (SA). If the
client supports the derivation of shared secret key from IKE SA, it will choose the
corresponding mode value and carry SPIi and SPIr in the KeyID field. SPIi and SPIr
are included in Key ID field of Set-Up- Response Message to indicate the IKE SA
which O/TWAMP shared secret key derived from. The length of SPI is 4 octets. The
first 4 octets of Key ID field carries SPIi and the second 4 octets carries
SPIr. The rest bits of the Key ID field is set to zero.</t>
<t>A server which supports deriving shared secret from an IKE SA can obtain the
SPIi and SPIr from the first 8 octets and ignore the rest octets of the Key ID
field. Then, the client and the server can derive the shared secret key based on the
mode value and SPI.</t>
<t>If the server can not find the IKE SA corresponding to the SPIi and SPIr,
the Accept field of Server-Start message is extended to indicate that. Accept
value 6 can be used to indicate that server is not willing to conduct further
transactions in this OWAMP-Control session since it can not find the
corresponding IKE SA.</t>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<t>As the shared secret key is derived from the IKE SA, the key derivation
algorithm strength and limitations are as per <xref target="RFC5996"/>. The
strength of a key derived from a Diffie-Hellman exchange using any of the groups
defined here depends on the inherent strength of the group, the size of the
exponent used, and the entropy provided by the random number generator employed.
The strength of all keys and implementation vulnerabilities, particularly Denial
of Service (DoS) attacks are as defined in <xref target="RFC5996"/>.</t>
<t>As a more general note, the IPPM community may want to revisit the arguments listed
in <xref target="RFC4656"/>, Sec. 6.6. Other widely-used Internet security
mechanisms, such as TLS and DTLS, may also be considered for future use over and
above of what is already specified in <xref target="RFC4656"/> <xref
target="RFC5357"/>.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>IANA will need to allocate additional values for the Modes options presented in this document.</t>
</section>
<section title="Acknowledgments">
<t>Emily Bi contributed to an earlier version of this document.</t>
<t>We thank Eric Chen, Yakov Stein, and John Mattsson for their comments on this draft, and Al Morton for the discussion on related earlier work in IPPM WG.</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC5996;
<?rfc include="reference.RFC.4656" ?>
<?rfc include="reference.RFC.5357" ?>
<?rfc include="reference.RFC.2119" ?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.2898" ?>
<?rfc include="reference.RFC.4301" ?>
<?rfc include="reference.RFC.6023" ?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 12:07:50 |