One document matched: draft-paasch-mptcp-tls-authentication-00.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- Convert to HTML and Text with xml2rfc: http://xml2rfc.ietf.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY MPTCP SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-mptcp-rfc6824bis-05">
<!ENTITY RFC0793 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0793">
<!ENTITY RFC2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119">
<!ENTITY RFC5246 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246">
<!ENTITY RFC5705 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5705">
<!ENTITY RFC6181 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6181">
<!ENTITY RFC6824 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6824">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="no" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="no"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc rfcedstyle="yes"?>
<rfc category="exp" docName="draft-paasch-mptcp-tls-authentication-00" ipr="trust200902">
<front>
<title abbrev="TLS Authentication for MPTCP">TLS Authentication for MPTCP</title>
<author fullname="Christoph Paasch" initials="C." surname="Paasch">
<organization abbrev="Apple, Inc.">Apple, Inc.</organization>
<address>
<postal>
<street></street>
<city>Cupertino</city>
<country>US</country>
</postal>
<email>cpaasch@apple.com</email>
</address>
</author>
<author fullname="Alan Ford" initials="A." surname="Ford">
<organization>Pexip</organization>
<address>
<!-- <postal>
<street>Beech Court</street>
<city>Hurst</city>
<region>Berkshire</region>
<code>RG10 0RQ</code>
<country>UK</country>
</postal> -->
<email>alan.ford@gmail.com</email>
</address>
</author>
<date year="2016" />
<area>General</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>mptcp authentication tls</keyword>
<abstract>
<t>Multipath TCP (MPTCP), described in <xref target="I-D.ietf-mptcp-rfc6824bis"/>, is an extension to TCP to provide the ability to simultaneously use multiple paths between peers.</t>
<t>draft-paasch-mptcp-application-authentication specifies "application layer authentication" for Multipath TCP, an alternatively negotiated keying mechanism for MPTCP. This allows keying material to be sourced from an application layer protocol in order to secure MP_JOIN handshakes.</t>
<t>This document explains how to use the proposed application-layer authentication extension with TLS <xref target="RFC5246"/>, in order to leverage securely exchanged keys for MPTCP security, whilst simultaneously freeing the MPTCP token to be used as a channel for additional information.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="sec_intro">
<t>As described in draft-paasch-mptcp-application-authentication, the use of "application-layer authentication" allows the Key used in MPTCP authentication to be provided by the application layer, thus permitting the use of existing secure communication channels for exchanging keying material. Furthermore, this decouples the key from the token and thus allows the token to be used for conveying additional semantics, such as helping front-end proxies route traffic to appropriate back-end servers.</t>
<t>TLS <xref target="RFC5246"/> provides a secure authentication channel between end hosts, where keys are not transmitted in the clear. The protocol generates a master secret for a connection, and a method is described in <xref target="RFC5705"/> for exporting a key generated from this and other properties which can then be used by the application layer. This document shows how to use this exported key, along with the method in draft-paasch-mptcp-application-authentication, for providing alternative keying mechanisms for MPTCP.</t>
</section>
<section title="Technical Implementation">
<t>As described in draft-paasch-mptcp-application-authentication, the initial MP_CAPABLE handshake will exchange an arbitrary token for identifying an MPTCP connection. Whilst it is RECOMMENDED that the token is hard to guess, it can be used to carry any data, such as arbitrary routing information, and the security provided by the application-layer security will mitigate any risks of an attacker guessing tokens.</t>
<t>When an MPTCP end host wishes to open a new subflow, it will follow the same exchange as described in <xref target="I-D.ietf-mptcp-rfc6824bis"/>, however the keying material (Key-A and Key-B) will be derived from the TLS handshake, as described in <xref target="RFC5705"/>. The "label" field MUST be "EXPORTER-MPTCP". The length used in the key-derivation, following <xref target="RFC5705"/> is 16. Key-A are the 64 most-significant bits, while Key-B are the 64 remaining bits. This requires the key exchange to have completed before subflows can be created. Other than the source of the keys, the exchange remains the same. The MP_CAPABLE and MP_JOIN exchange therefore looks like this:</t>
<?rfc needLines='24'?>
<figure align="center" anchor="fig_tokens" title="Example Use of MPTCP Authentication">
<artwork align="left"><![CDATA[
Host A Host B
------------------------ ----------
Address A1 Address A2 Address B1
---------- ---------- ----------
| | |
| | SYN + MP_CAPABLE |
|--------------------------------------------->|
|<---------------------------------------------|
| SYN/ACK + MP_CAPABLE(Token-B) |
| | |
| ACK + MP_CAPABLE(Token-A, Token-B) |
|--------------------------------------------->|
| | |
| | SYN + MP_JOIN(Token-B, R-A) |
| |------------------------------->|
| |<-------------------------------|
| | SYN/ACK + MP_JOIN(HMAC-B, R-B) |
| | |
| | ACK + MP_JOIN(HMAC-A) |
| |------------------------------->|
| |<-------------------------------|
| | ACK |
HMAC-A = HMAC(Key=(Key-A+Key-B), Msg=(R-A+R-B))
HMAC-B = HMAC(Key=(Key-B+Key-A), Msg=(R-B+R-A))
]]></artwork>
</figure>
</section>
<section title="Security Considerations" anchor="sec_security">
<t>This draft relies on the security provided by TLS <xref target="RFC5246"/> and the key export mechanism of <xref target="RFC5705"/> to provide additional security for the MPTCP handshake mechanism. These changes remove lingering risks, originally identified in <xref target="RFC6824"/>, where an intercept of the initial MPTCP handshake could allow session hijack.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>IANA would be requested to add a value to the TLS Exporter Label registry as described in <xref target="RFC5705"/>. The label is "EXPORTER-MPTCP".</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<references title="Normative References">
&RFC0793;
&RFC2119;
&RFC5705;
&MPTCP;
<reference anchor='sha1' target="http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf"><front><title abbrev="Secure Hash Standard">Secure Hash Standard</title><author><organization>National Institute of Science and Technology</organization></author><date month="October" year="2008"/></front><seriesInfo name="Federal Information Processing Standard (FIPS)" value="180-3"/></reference>
</references>
<references title="Informative References">
&RFC5246;
&RFC6824;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:58:22 |