Internet Engineering Task Force Vishwas Manral
Internet-Draft IP Infusion Inc.
Intended status: Standards Track
Expires: December 30, 2009
June 30, 2009
MPLS-TP General Authentication TLV for G-ACH
draft-manral-mpls-tp-oam-auth-tlv-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 1, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Manral Expires July 30, 2008 [Page 1]
Internet-Draft Authentication TLV for ACH December 2009
Abstract
This document defines a new generalized authentication TLV to be carried
in the Associated Channel Header (ACH) defined in RFC 5586 [2]. It can be
used in both MPLS and MPLS-TP networks.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in RFC 2119 [1].
1. Introduction
The Generic Associated Channel (G-ACh) has been defined as a
generalization of the pseudowire (PW) associated control channel to
enable the realization of a control/communication channel associated
with Multiprotocol Label Switching (MPLS) Label Switched Paths
(LSPs), MPLS PWs, MPLS LSP segments, and MPLS sections between
adjacent MPLS-capable devices.
The G-ACh is defined in RFC 5586 [2] to augment maintenance functions in
MPLS networks, especially when they are used for packet transport
services and transport network operations.
Examples of these functions include performance monitoring,
automatic protection switching, and support for management and
signaling communication channels.
The MPLS-TP OAM requirements document [4] states that
"OAM messages MAY be authenticated to prove their origin and
to make sure that they are destined for the receiving node".
This document describes a generic way to provide origin
authentication of application packets by defining a new G-ACH TLV.
2. Procedures
The location of the ACH Authentication TLV relative to the ACH is shown
below. The TLV may appear anywhere within the ACH TLV block, preceded or
followed by other ACH TLVs.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 1|Version| Reserved | Channel Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ACH TLV Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ACH Authentication TLV |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ zero or more other ACH TLVs ~
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Any Application Message |
~ (i.e. Y.1731, BFD etc) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The structure of the ACH authentication TLV is as follows
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth Type | Auth Len | Auth Key ID | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth Key/Digest... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The encoding is similar to the BFD Authentication Section defined in
[3]. The definitions of the Auth Type, Auth Len, Auth Key ID, Sequence
Number and Auth Key/Digest fields will be filled in in a future version
of this draft.
Applications, identified by the Channel Type, may process the ACH
Authentication TLV. Each document that defines a Channel Type needs to
specify whether processing of this TLV is optional or mandatory for that
application, and what action the receiver takes when authentication
succeeds or fails.
An application that lacks data origin authentication can use this
mechanism for that purpose instead of defining its own proprietary
mechanism.
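The following is an added, illustrative implementation and is not part of
this draft. It builds an ACH with an ACH TLV Header and the Authentication
TLV laid out as in the two figures above, fills the Auth Key/Digest field
with an HMAC, and parses and verifies received packets. Because the draft
does not yet define the Auth Type values, the TLV Type (shown as xxxx in
Section 5) or what the digest covers, the example assumes: a hypothetical
ACH TLV Type and Auth Type code point, HMAC-SHA-256 as the authentication
algorithm, Auth Len as the length in octets of the Auth Key/Digest field,
and a digest computed over the whole packet with the digest field zeroed
(the convention used by BFD [3]). The ACH and ACH TLV Header encodings
follow RFC 5586 [2]; the shared key, Channel Type and application message
are constructed sample values.

```python
"""ACH Authentication TLV: build, parse and verify (illustrative, not from the draft)."""
import hashlib
import hmac
import struct

# Hypothetical code points: the draft leaves these TBD ('xxxx' in Section 5).
AUTH_TLV_TYPE = 0x7F01                      # stand-in for the IANA-allocated ACH TLV Type
AUTH_TYPE_HMAC_SHA256 = 5                   # stand-in Auth Type value
DIGEST_LEN = hashlib.sha256().digest_size   # 32 octets

ACH_LEN = 4            # ACH: 0001 | Version | Reserved | Channel Type
ACH_TLV_HDR_LEN = 4    # RFC 5586 ACH TLV Header: Length | Reserved
AUTH_FIXED_LEN = 8     # Auth Type, Auth Len, Auth Key ID, Reserved, Sequence Number


def build_ach(channel_type, version=0):
    """ACH: first nibble 0001, 4-bit Version, 8-bit Reserved, 16-bit Channel Type."""
    first = (0x1 << 4) | (version & 0xF)
    return struct.pack("!BBH", first, 0, channel_type)


def build_auth_tlv(key_id, seq, digest):
    """Authentication TLV as drawn in Section 2. Auth Len is taken to be the
    length of the Auth Key/Digest field (an assumption; the draft does not say)."""
    value = struct.pack("!BBBBI", AUTH_TYPE_HMAC_SHA256, len(digest), key_id, 0, seq) + digest
    return struct.pack("!HH", AUTH_TLV_TYPE, len(value)) + value


def build_packet(channel_type, key_id, seq, app_msg, key):
    """ACH | ACH TLV Header | Auth TLV | application message, with the HMAC filled in.
    The digest is HMAC-SHA-256 over the whole packet with the digest field zeroed
    (BFD-style convention; an assumption here)."""
    auth_tlv = build_auth_tlv(key_id, seq, b"\x00" * DIGEST_LEN)
    # RFC 5586: Length counts the TLVs that follow, not the ACH TLV Header itself.
    tlv_hdr = struct.pack("!HH", len(auth_tlv), 0)
    pkt = bytearray(build_ach(channel_type) + tlv_hdr + auth_tlv + app_msg)
    mac = hmac.new(key, bytes(pkt), hashlib.sha256).digest()
    off = ACH_LEN + ACH_TLV_HDR_LEN + 4 + AUTH_FIXED_LEN   # start of Auth Key/Digest
    pkt[off:off + DIGEST_LEN] = mac
    return bytes(pkt)


def parse_packet(pkt):
    """Return ACH fields, the list of (type, offset, value) TLVs and the application message."""
    if len(pkt) < ACH_LEN + ACH_TLV_HDR_LEN:
        raise ValueError("short packet")
    first, _, channel_type = struct.unpack("!BBH", pkt[:ACH_LEN])
    if first >> 4 != 0x1:
        raise ValueError("not an ACH (first nibble != 0001)")
    tlvs_len, _ = struct.unpack("!HH", pkt[ACH_LEN:ACH_LEN + ACH_TLV_HDR_LEN])
    off = ACH_LEN + ACH_TLV_HDR_LEN
    end = off + tlvs_len
    if end > len(pkt):
        raise ValueError("ACH TLV block exceeds packet")
    tlvs = []
    while off < end:                      # walk TLVs; the Auth TLV may sit anywhere
        if off + 4 > end:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", pkt[off:off + 4])
        if off + 4 + tlv_len > end:
            raise ValueError("TLV value exceeds ACH TLV block")
        tlvs.append((tlv_type, off, pkt[off + 4:off + 4 + tlv_len]))
        off += 4 + tlv_len
    return {"version": first & 0xF, "channel_type": channel_type,
            "tlvs": tlvs, "app_msg": pkt[end:]}


def verify_packet(pkt, keys, last_seq):
    """keys: {Auth Key ID: secret}; last_seq: highest sequence number accepted so far
    (None if no packet has been accepted yet). Returns (True, seq) or (False, reason)."""
    parsed = parse_packet(pkt)
    auth = [(o, v) for t, o, v in parsed["tlvs"] if t == AUTH_TLV_TYPE]
    if len(auth) != 1:
        return False, "expected exactly one Authentication TLV"
    off, value = auth[0]
    if len(value) != AUTH_FIXED_LEN + DIGEST_LEN:
        return False, "bad Authentication TLV length"
    auth_type, auth_len, key_id, _, seq = struct.unpack("!BBBBI", value[:AUTH_FIXED_LEN])
    if auth_type != AUTH_TYPE_HMAC_SHA256 or auth_len != DIGEST_LEN:
        return False, "unsupported Auth Type or bad Auth Len"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown Auth Key ID %d" % key_id
    doff = off + 4 + AUTH_FIXED_LEN
    zeroed = pkt[:doff] + b"\x00" * DIGEST_LEN + pkt[doff + DIGEST_LEN:]
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()
    if not hmac.compare_digest(value[AUTH_FIXED_LEN:], expected):   # constant-time compare
        return False, "digest mismatch"
    if last_seq is not None and seq <= last_seq:   # checked only after the MAC passed
        return False, "replayed or stale sequence number"
    return True, seq


def demo():
    key = b"constructed-shared-secret"           # constructed sample key
    keys = {7: key}
    channel_type = 0x0100                        # constructed sample value, not an IANA code point
    app_msg = b"\x20\x00\x00\x00constructed-oam-pdu"   # constructed application payload
    pkt = build_packet(channel_type, key_id=7, seq=100, app_msg=app_msg, key=key)
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                         # flip one bit of the application message
    return {
        "good": verify_packet(pkt, keys, last_seq=99),
        "tampered": verify_packet(bytes(tampered), keys, last_seq=99),
        "replay": verify_packet(pkt, keys, last_seq=100),
        "unknown_key": verify_packet(pkt, {8: key}, last_seq=99),
    }
```

The receiver verifies the digest before it looks at the Sequence Number,
so the freshness decision is made only on authenticated data; a forged
packet with a large sequence number is rejected without moving the
receiver's window.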
3. Example Application
[IEEE 802.1ag] and [ITU-T Y.1731] define OAM PDUs and procedures for
Ethernet OAM. However, they do not provide any data origin
authentication mechanism.
The MPLS-TP OAM work [4] reuses these mechanisms in MPLS-TP networks,
but again no origin authentication mechanism is defined. The ACH
Authentication TLV can be used for this purpose.
4. Security Considerations
The extension defined in this document allows an application using the
ACH to provide data origin authentication of its messages. This can
improve the security of OAM packets in the network. The TLV provides
origin authentication and integrity only, not confidentiality, and its
protection depends on the strength of the chosen Auth Type and on how
the keys identified by Auth Key ID are distributed, which this document
does not define.
5. IANA Considerations
A new ACH TLV Type value is required from the G-ACh TLV Type registry.
IANA is requested to allocate the TLV type:
xxxx Generic Security TLV.
6. Acknowledgements
TBD.
7. References
7.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Bocci, M., Vigoureux, M., and S. Bryant, "MPLS
Generic Associated Channel", RFC 5586, June 2009.
[3] Katz, D. and D. Ward, "Bidirectional Forwarding Detection",
draft-ietf-bfd-base (work in progress), August 2009.
7.2. Informative References
[4] Vigoureux, M., Ward, D., and M. Betts, "Requirements for
OAM in MPLS Transport Networks",
draft-vigoureux-mpls-tp-oam-requirements (work in progress), April 2009.
Authors' Addresses
Vishwas Manral
IP Infusion Inc.,
Bamankhola,
Bansgali,
Almora,
Uttaranchal - 263601
India