One document matched: draft-ohba-pcp-pana-00.txt
Network Working Group Y. Ohba
Internet-Draft Y. Tanaka
Intended status: Standards Track Toshiba
Expires: January 8, 2013 S. Das
ACS
July 7, 2012
Provisioning Message Authentication Key for PCP using PANA
draft-ohba-pcp-pana-00
Abstract
This document specifies a mechanism for provisioning PCP (Port
Control Protocol) message authentication key using PANA (Protocol for
carrying Authentication for Network Access).
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Ohba, et al. Expires January 8, 2013 [Page 1]
Internet-Draft PANA PCP July 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Specification of Requirements . . . . . . . . . . . . . . . 3
2. Establishing a PCP SA . . . . . . . . . . . . . . . . . . . . . 3
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Normative References . . . . . . . . . . . . . . . . . . . 5
6.2. Informative References . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
Ohba, et al. Expires January 8, 2013 [Page 2]
Internet-Draft PANA PCP July 2012
1. Introduction
PCP (Port Control Protocol) [I-D.ietf-pcp-base] is used for an IPv6
or IPv4 host to control how incoming IPv6 or IPv4 packets are
translated and forwarded by a network address translator (NAT) or
simple firewall, and also allows a host to optimize its outgoing NAT
keepalive messages.
In order to provide integrity protection for PCP messages, a message
authentication mechanism for PCP is defined in
[I-D.ietf-pcp-authentication]. A PCP Security Association (SA) used
for PCP message authentication is dynamically established using EAP
authentication where the integrity key associated the PCP SA is
derived from EAP MSK (Master Session Key) [RFC3748]. In
[I-D.ietf-pcp-authentication], two approaches are identified for
establishing a PCP SA. The first approach is separate key management
that is based on running PANA (Protocol for carrying Authentication
for Network Access) [RFC5191] between the end-points to carry out an
EAP authentication process needed for establising a PCP SA. The
second approach is inline key management that is based on running an
EAP authentication process between two PCP devices.
In this document, a complete solution for the first approach is
described.
1.1. Specification of Requirements
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in [RFC2119].
2. Establishing a PCP SA
A PaC (PANA Client) on a PCP client node initiates PANA
authentication prior to send an authenticated PCP message. The
initiation may be requested by the PCP client. We assume that PAA
(PANA Authentication Agent) is implemented on each PCP server that
support authenticated PCP messages. Therefore, the PCP server's IP
address is used as the address of the PAA . The PANA authentication
for establishing a PCP SA may be conducted as part of network access
authentication or dedicated to the PCP usage.
Upon successful PANA authentication, the message authentication key
for PCP message is derived from the EAP MSK as follows:
Ohba, et al. Expires January 8, 2013 [Page 3]
Internet-Draft PANA PCP July 2012
PCP_AUTH_KEY = prf+(MSK, "IETF PCP" | SID | KID | PCP_Server_ID)
where where | denotes concatenation.
o The prf+ function is defined in IKEv2 [RFC5996]. The pseudo-
random function to be used for the prf+ function is negotiated
using PRF-Algorithm AVP in the initial PANA-Auth-Request and PANA-
Auth-Answer exchange with 'S' (Start) bit set.
o "IETF PCP" is the ASCII code representation of the non-NULL
terminated string (excluding the double quotes around it).
o SID is a four-octet PANA Session Identifier [RFC5191].
o KID is the content of the Key-ID AVP [RFC5191] associated with the
MSK.
o PCP_Server_ID is the IP address of the PCP server. The length of
PCP_Server_ID is 4 octets for IPv4 address and 16 octets for IPv6
address.
The same integrity algorithm used for the PANA session MUST be used
for PCP message authentication.
The PCP_AUTH_KEY and its associated parameters (i.e., the IP
addresses of the PCP client and PCP server, Session ID, Key ID,
message authentication algorithm and lifetime) are passed from the
PAA application to the PCP server application on the same PCP server
device, and also passed from the PaC application to the PCP client
application on the same PCP client device, using an API. The API can
be implementation-specific, and therefore is not specified in this
document.
Once a PCP SA is established, any PCP message that does not contain a
valid Authentication Tag and a fresh Nonce under the current PCP SA
MUST be silently discarded.
The PCP SA MUST be immediately deleted when the corresponding PANA SA
is deleted. The PCP SA SHALL remain as long as the corresponding
PANA SA exists.
3. Security Considerations
The key provisioning mechanism described in this document provides a
cryptographic binding between a PANA session and a PCP SA based on
using the PCP server address, and PANA session identifier and key
identifer in the PCP_AUTH_KEY derivation function.
Ohba, et al. Expires January 8, 2013 [Page 4]
Internet-Draft PANA PCP July 2012
4. IANA Considerations
There is no IANA actions required for this document.
5. Acknowledgments
TBD.
6. References
6.1. Normative References
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004.
[RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
Yegin, "Protocol for Carrying Authentication for Network
Access (PANA)", RFC 5191, May 2008.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[I-D.ietf-pcp-base]
Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)",
draft-ietf-pcp-base-26 (work in progress), June 2012.
[I-D.ietf-pcp-authentication]
Wasserman, M., Hartman, S., and D. Zhang, "Port Control
Protocol (PCP) Authentication Mechanism",
draft-ietf-pcp-authentication-00 (work in progress),
June 2012.
6.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Ohba, et al. Expires January 8, 2013 [Page 5]
Internet-Draft PANA PCP July 2012
Authors' Addresses
Yoshihiro Ohba
Toshiba Corporate Research and Development Center
1 Komukai-Toshiba-cho
Saiwai-ku, Kawasaki, Kanagawa 212-8582
Japan
Phone: +81 44 549 2127
Email: yoshihiro.ohba@toshiba.co.jp
Yasuyuki Tanaka
Toshiba Corporate Research and Development Center
1 Komukai-Toshiba-cho
Saiwai-ku, Kawasaki, Kanagawa 212-8582
Japan
Phone: +81 44 549 2127
Email: yatch@isl.rdc.toshiba.co.jp
Subir Das
Applied Communication Sciences
1 Telcordia Drive
Piscataway, NJ 08854
USA
Email: sdas@appcomsci.com
Ohba, et al. Expires January 8, 2013 [Page 6]
| PAFTECH AB 2003-2026 | 2026-04-22 15:08:26 |