draft-ietf-lisp-crypto-00.txt   draft-ietf-lisp-crypto-01.txt 
Internet Engineering Task Force D. Farinacci Internet Engineering Task Force D. Farinacci
Internet-Draft lispers.net Internet-Draft lispers.net
Intended status: Experimental January 12, 2015 Intended status: Experimental B. Weis
Expires: July 16, 2015 Expires: November 2, 2015 cisco Systems
May 1, 2015
LISP Data-Plane Confidentiality LISP Data-Plane Confidentiality
draft-ietf-lisp-crypto-00 draft-ietf-lisp-crypto-01
Abstract Abstract
This document describes a mechanism for encrypting LISP encapsulated This document describes a mechanism for encrypting LISP encapsulated
traffic. The design describes how key exchange is achieved using traffic. The design describes how key exchange is achieved using
existing LISP control-plane mechanisms as well as how to secure the existing LISP control-plane mechanisms as well as how to secure the
LISP data-plane from third-party surveillance attacks. LISP data-plane from third-party surveillance attacks.
Status of This Memo Status of This Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 16, 2015. This Internet-Draft will expire on November 2, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 11 skipping to change at page 2, line 11
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 3 3. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 3
4. Encoding and Transmitting Key Material . . . . . . . . . . . 4 4. Encoding and Transmitting Key Material . . . . . . . . . . . 4
5. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 6 5. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 6
6. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 7 6. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 8
7. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Procedures for Encryption and Decryption . . . . . . . . . . 10
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 11
8.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 8 9. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 8 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 10.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . 9 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 10 12.1. Normative References . . . . . . . . . . . . . . . . . . 13
Appendix B. Document Change Log . . . . . . . . . . . . . . . . 10 12.2. Informative References . . . . . . . . . . . . . . . . . 14
B.1. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 10 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14
B.2. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 10 Appendix B. Document Change Log . . . . . . . . . . . . . . . . 14
B.3. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 11 B.1. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 B.2. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 15
B.3. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 15
B.4. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
The Locator/ID Separation Protocol [RFC6830] defines a set of The Locator/ID Separation Protocol [RFC6830] defines a set of
functions for routers to exchange information used to map from non- functions for routers to exchange information used to map from non-
routable Endpoint Identifiers (EIDs) to routable Routing Locators routable Endpoint Identifiers (EIDs) to routable Routing Locators
(RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs. (RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs.
Packets that arrive at the ITR or PITR are typically not modified. Packets that arrive at the ITR or PITR are typically not modified.
Which means no protection or privacy of the data is added. If the Which means no protection or privacy of the data is added. If the
source host encrypts the data stream then the encapsulated packets source host encrypts the data stream then the encapsulated packets
can be encrypted but would be redundant. However, when plaintext can be encrypted but would be redundant. However, when plaintext
packets are sent by hosts, this design can encrypt the user payload packets are sent by hosts, this design can encrypt the user payload
to maintain privacy on the path between the encapsulator (the ITR or to maintain privacy on the path between the encapsulator (the ITR or
PITR) to a decapsulator (ETR or RTR). PITR) to a decapsulator (ETR or RTR). The encrypted payload is
unidirectional. However, return traffic uses the same procedures but
with different key values by the same xTRs or potentially different
xTRs when the paths between LISP sites are asymmetric.
This draft has the following requirements for the solution space: This draft has the following requirements for the solution space:
o Do not require a separate Public Key Infrastructure (PKI) that is o Do not require a separate Public Key Infrastructure (PKI) that is
out of scope of the LISP control-plane architecture. out of scope of the LISP control-plane architecture.
o The budget for key exchange MUST be one round-trip time. That is, o The budget for key exchange MUST be one round-trip time. That is,
only a two packet exchange can occur. only a two packet exchange can occur.
o Use symmetric keying so faster cryptography can be performed in o Use symmetric keying so faster cryptography can be performed in
the LISP data plane. the LISP data plane.
o Avoid a third-party trust anchor if possible. o Avoid a third-party trust anchor if possible.
o Provide for rekeying when secret keys are compromised. o Provide for rekeying when secret keys are compromised.
o At this time, encapsulated packet authentication is not a strong o Support Authenticated Encryption with packet integrity checks.
requirement.
o Support multiple cipher suites so new crypto algorithms can be
easily introduced.
2. Overview 2. Overview
The approach proposed in this draft is to not rely on the LISP The approach proposed in this draft is to NOT rely on the LISP
mapping system to store security keys. This will provide for a mapping system (or any other key infrastructure system) to store
simpler and more secure mechanism. Secret shared keys will be security keys. This will provide for a simpler and more secure
negotiated between the ITR and the ETR in Map-Request and Map-Reply mechanism. Secret shared keys will be negotiated between the ITR and
messages. Therefore, when an ITR needs to obtain the RLOC of an ETR, the ETR in Map-Request and Map-Reply messages. Therefore, when an
it will get security material to compute a shared secret with the ITR needs to obtain the RLOC of an ETR, it will get security material
ETR. to compute a shared secret with the ETR.
The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating
to. And when the ITR encrypts a packet before encapsulation, it will to. And when the ITR encrypts a packet before encapsulation, it will
identify the key it used for the crypto calculation so the ETR knows identify the key it used for the crypto calculation so the ETR knows
which key to use for decrypting the packet after decapsulation. By which key to use for decrypting the packet after decapsulation. By
using key-ids in the LISP header, we can also get rekeying using key-ids in the LISP header, we can also get real-time rekeying
functionality. functionality.
3. Diffie-Hellman Key Exchange 3. Diffie-Hellman Key Exchange
LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and
computation for computing a shared secret. The Diffie-Hellman computation for computing a shared secret. The Diffie-Hellman
parameters will be passed in Map-Request and Map-Reply messages. parameters will be passed via Cipher Suite code-points in Map-Request
and Map-Reply messages.
Here is a brief description how Diff-Hellman works: Here is a brief description how Diff-Hellman works:
+----------------------------+---------+----------------------------+ +----------------------------+---------+----------------------------+
| ITR | | ETR | | ITR | | ETR |
+------+--------+------------+---------+------------+---------------+ +------+--------+------------+---------+------------+---------------+
|Secret| Public | Calculates | Sends | Calculates | Public |Secret| |Secret| Public | Calculates | Sends | Calculates | Public |Secret|
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
| i | p,g | | p,g --> | | | e | | i | p,g | | p,g --> | | | e |
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
skipping to change at page 4, line 30 skipping to change at page 5, line 12
Map-Reply messages. Diffie-Hellman parameters are encoded in the Map-Reply messages. Diffie-Hellman parameters are encoded in the
LISP Security Type LCAF [LCAF]. LISP Security Type LCAF [LCAF].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = 16387 | Rsvd1 | Flags | | AFI = 16387 | Rsvd1 | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 11 | Rsvd2 | 6 + n | | Type = 11 | Rsvd2 | 6 + n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Count | Rsvd3 | Key Algorithm | Rsvd4 |R| | Key Count | Rsvd3 |A| Cipher Suite| Rsvd4 |R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Length | Key Material ... | | Key Length | Public Key Material ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Key Material | | ... Public Key Material |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = x | Locator Address ... | | AFI = x | Locator Address ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Diffie-Hellman parameters encoded in Key Material field Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions
The 'Key Count' field encodes the number of {'Key-Length', 'Key- The 'Key Count' field encodes the number of {'Key-Length', 'Key-
Material'} fields included in the encoded LCAF. A maximum number of Material'} fields included in the encoded LCAF. The maximum number
keys that can be encoded are 3 keys, each identified by key-id 1, of keys that can be encoded are 3, each identified by key-id 1,
followed by key-id 2, an finally key-id 3. followed by key-id 2, an finally key-id 3.
The 'R' bit is not used for this use-case of the Security Type LCAF The 'R' bit is not used for this use-case of the Security Type LCAF
but is reserved for [LISP-DDT] security. but is reserved for [LISP-DDT] security.
The 'Key Algorithm' encodes the cryptographic algorithm used. The When the A-bit is set, it indicates that Authentication only is
following values are defined: performed according to the Integrity hash function defined in the
Cipher Suites. That is an encapsulator will perform an Integrity
Null: 0 computation over an unencrypted packet and include an ICV value.
Group-ID: 1 Since the packet contains no ciphertext, there is no IV value
AES: 2 included in the message. The 7-bit 'Cipher Suite' field defines the
3DES: 3 following code-points:
SHA-256: 4
When the 'Key Algorithm' value is 1 (Group-ID), the 'Key Material'
field is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Group ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public Key ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Points to Key Material values from IANA Registry Cipher Suite 0:
Reserved
The Group-ID values are defined in [RFC2409] and [RFC3526] which Cipher Suite 1:
describe the Diffie Hellman parameters used for key exchange. Diffie-Hellman Group: 1024-bit Modular Exponential (MODP) [RFC2409]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: HMAC-SHA1-96 [RFC2404]
When the 'Key Algorithm' value is not 1 (Group-ID), the 'Key Cipher Suite 2:
Material' field is encoded as: Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: HMAC-SHA1-96 [RFC2404]
0 1 2 3 Cipher Suite 3:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Diffie-Hellman Group: 3072-bit MODP [RFC3526]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
| g-length | g-value ... | Integrity: HMAC-SHA1-96 [RFC2404]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| p-length | p-value ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public Key ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key Length describes the length of the Key Material field The "Public Key Material" field contains the public key generated by
one of the Cipher Suites defined above. The length of the key in
octets is encoded in the "Key Length" field.
When an ITR or PITR sends a Map-Request, they will encode their own When an ITR or PITR send a Map-Request, they will encode their own
RLOC in Security Type LCAF format within the ITR-RLOCs field. When a RLOC in the Security Type LCAF format within the ITR-RLOCs field.
ETR or RTR sends a Map-Reply, they will encode their RLOCs in When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in
Security Type LCAF format within the RLOC-record field of each EID- Security Type LCAF format within the RLOC-record field of each EID-
record supplied. record supplied.
If an ITR or PITR sends a Map-Request with a Security Type LCAF If an ITR or PITR sends a Map-Request with the Security Type LCAF
included and the ETR or RTR does not want to have encapsulated included and the ETR or RTR does not want to have encapsulated
traffic encrypted, they will return a Map-Reply with no RLOC records traffic encrypted, they will return a Map-Reply with no RLOC records
encoded with the Security Type LCAF. This signals to the ITR or PITR encoded with the Security Type LCAF. This signals to the ITR or PITR
that it should not encrypt traffic (it cannot encrypt traffic anyways that it should not encrypt traffic (it cannot encrypt traffic anyways
since no ETR public-key was returned). since no ETR public-key was returned).
Likewise, if an ITR or PITR wish to include multiple key-ids in the Likewise, if an ITR or PITR wish to include multiple key-ids in the
Map-Request but the ETR or RTR wish to use some but not all of the Map-Request but the ETR or RTR wish to use some but not all of the
key-ids, they return a Map-Reply only for those key-ids they wish to key-ids, they return a Map-Reply only for those key-ids they wish to
use. use.
5. Data-Plane Operation 5. Shared Keys used for the Data-Plane
When an ITR or PITR receives a Map-Reply accepting the Cipher Suite
sent in the Map-Request, it is ready to create data plane keys. The
same process is followed by the ETR or RTR returning the Map-Reply.
The first step is to create a shared secret, using the peer's shared
Diffie-Hellman Public Key Material combined with device's own private
keying material as described in Section 3. The Diffie-Hellman group
used is defined in the Cipher Suite sent in the Map-Request and
copied into the Map-Reply.
The resulting shared secret is used to compute Encryption and
Integrity keys for the algorithms specified in the Cipher Suite. A
Key Derivation Function (KDF) in counter mode as specified by
[NIST-SP800-108] is used to generate the data-plane keys. The amount
of keying material that is derived depends on the algorithms in the
cipher suite.
The inputs to the KDF are as follows:
o KDF function. This is HMAC-SHA-256.
o A key for the KDF function. This is the most significant 16
octets of the computed Diffie-Hellman shared secret.
o Context that binds the use of the data-plane keys to this session.
The context is made up of the following fields, which are
concatenated and provided as the data to be acted upon by the KDF
function.
Context:
o A counter, represented as a two-octet value in network-byte order.
o The null-terminated string "lisp-crypto".
o The ITR's nonce from the the Map-Request the Cipher Suite was
included in.
o The number of bits of keying material required (L), represented as
a two-octet value in network byte order.
The counter value in the context is first set to 1. When the amount
of keying material exceeds the number of bits returned by the KDF
function, then the KDF function is called again with the same inputs
except that the counter increments for each call. When enough keying
material is returned, it is concatenated and used to create keys.
For example, AES with 128-bit keys requires 16 octets (128 bits) of
keying material, and HMAC-SHA1-96 requires another 16 octets (128
bits) of keying material in order to maintain a consistent 128-bits
of security. Since 32 octets (256 bits) of keying material are
required, and the KDF function HMAC-SHA-256 outputs 256 bits, only
one call is required. The inputs are as follows:
key-material = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0100
In contrast, a cipher suite specifying AES with 256-bit keys requires
32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires
another 32 octets (256 bits) of keying material in order to maintain
a consistent 256-bits of security. Since 64 octets (512 bits) of
keying material are required, and the KDF function HMAC-SHA-256
outputs 256 bits, two calls are required.
key-material-1 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0200
key-material-2 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0002 || "lisp-crypto" || <itr-nonce> || 0x0200
key-material = key-material-1 || key-material-2
If the key-material is longer than the required number of bits (L),
then only the most significant L bits are used.
From the derived key-material, the most significant bits are used for
the Encryption key, and least significant bits are used for the
Integrity key. For example, if the Cipher Suite contains both AES
with 128-bit keys and HMAC-SHA1-96, the most significant 128 bits
become the ITR's data-plane encryption key, and the next 128-bit
become the ITR's Integrity key.
6. Data-Plane Operation
The LISP encapsulation header [RFC6830] requires changes to encode The LISP encapsulation header [RFC6830] requires changes to encode
the key-id for the key being used for encryption. the key-id for the key being used for encryption.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ | Source Port = xxxx | Dest Port = 4341 | / | Source Port = xxxx | Dest Port = 4341 |
UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ | UDP Length | UDP Checksum | \ | UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
L |N|L|E|V|I|P|K|K| Nonce/Map-Version | L / |N|L|E|V|I|P|K|K| Nonce/Map-Version | \
I \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
S / | Instance ID/Locator-Status-Bits | S \ | Instance ID/Locator-Status-Bits | |
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initialization Vector (IV) | I
E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C
n / | | V
c | | |
r | Packet Payload with EID Header ... | |
y | | |
p \ | | /
t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Integrity Check Value (ICV) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
K-bits indicate when packet is encrypted and which key used K-bits indicate when packet is encrypted and which key used
When the KK bits are 00, the encapsulated packet is not encrypted. When the KK bits are 00, the encapsulated packet is not encrypted.
When the value of the KK bits is 1, 2, or 3, it encodes the key-id of When the value of the KK bits are 1, 2, or 3, it encodes the key-id
the secret keys computed during the Diffie-Hellman Map-Request/Map- of the secret keys computed during the Diffie-Hellman Map-Request/
Reply exchange. Map-Reply exchange. When the KK bits are not 0, the payload is
prepended with an Initialization Vector (IV) and appended with an
Integrity Check Value (ICV). The length of the IV and ICV fields
depend on the Cipher Suite negotiated in the control-plane.
When an ITR or PITR receives a packet to be encapsulated, they will When an ITR or PITR receives a packet to be encapsulated, they will
first decide what key to use, encode the key-id into the LISP header, first decide what key to use, encode the key-id into the LISP header,
and use that key to encrypt all packet data that follows the LISP and use that key to encrypt all packet data that follows the LISP
header. Therefore, the outer header, UDP header, and LISP header header. Therefore, the outer header, UDP header, and LISP header
travel as plaintext. travel as plaintext.
There is an open working group item to discuss if the data There is an open working group item to discuss if the data
encapsulation header needs change for encryption or any new encapsulation header needs change for encryption or any new
applications. This draft proposes changes to the existing header so applications. This draft proposes changes to the existing header so
experimentation can continue without making large changes to the experimentation can continue without making large changes to the
data-plane at this time. data-plane at this time.
6. Dynamic Rekeying 7. Procedures for Encryption and Decryption
When an ITR, PITR, or RTR encapsulate a packet and have already
computed an encryption-key and integrity-key (detailed in section
Section 5) that is associated with a destination RLOC, the following
encryption and encapsulation procedures are performed:
1. The encapsulator creates a random number used as the IV.
Prepends the IV value to the packet being encapsulated. The IV
is incremented for every packet sent to the destination RLOC.
2. Next encrypt with cipher function AES-CBC using the encryption-
key over the packet payload. This does not include the IV. The
IV must be transmitted as plaintext so the decrypter can use it
as input to the decryption cipher. The payload should be padded
to an integral number of bytes a block cipher may require.
3. Prepend the LISP header. The key-id field of the LISP header is
set to the key-id value that corresponds to key-pair used for the
encryption cipher and for the ICV hash.
4. Next compute the ICV value by hashing the packet (which includes
the LISP header, the IV, and the packet payload) with the HMAC-
SHA1 function using the integrity-key. The resulting ICV value
is appended to the packet. The ICV is not ciphertext so a fast
integrity check can be performed without decryption at the
receiver.
5. Lastly, prepend the UDP header and outer IP header onto the
encrypted packet and send packet to destination RLOC.
When an ETR, PETR, or RTR receive an encapsulated packet, the
following decapsulation and decryption procedures are performed:
1. The outer IP header and UDP header are stripped from the start of
the packet and the ICV is stripped from the end of the packet.
2. Next the ICV is computed by running the Integrity function from
the cipher suite using the integrity-key over the packet (which
includes the LISP header, the IV and packet payload) using the
integrity-key. If the result does not match the ICV value from
the packet, the packet was been tampered with, and is dropped,
and an optional log message may be issued. The integrity-key is
obtained from a local-cache associated with the key-id value from
the LISP header.
3. If the hashed result matches the ICV value from the packet, then
the LISP header is stripped and decryption occurs over the packet
payload using the plaintext IV in the packet.
4. The IV is stripped from the packet.
5. The packet is decrypted using the encryption-key and the IV from
the packet. The encryption-key is obtained from a local-cache
associated with the key-id value from the LISP header. The
result of the decryption function is a plaintext packet payload.
6. The resulting packet is forwarded to the destination EID.
8. Dynamic Rekeying
Since multiple keys can be encoded in both control and data messages, Since multiple keys can be encoded in both control and data messages,
an ITR can encapsulate and encrypt with a specific key while it is an ITR can encapsulate and encrypt with a specific key while it is
negotiating other keys with the same ETR. Soon as an ETR or RTR negotiating other keys with the same ETR. Soon as an ETR or RTR
returns a Map-Reply, it should be prepared to decapsulate and decrypt returns a Map-Reply, it should be prepared to decapsulate and decrypt
using the new keys computed with the new Diffie-Hellman parameters using the new keys computed with the new Diffie-Hellman parameters
received in the Map-Request and returned in the Map-Reply. received in the Map-Request and returned in the Map-Reply.
RLOC-probing can be used to change keys by the ITR at any time. And RLOC-probing can be used to change keys or cipher suites by the ITR
when an initial Map-Request is sent to populate the ITR's map-cache, at any time. And when an initial Map-Request is sent to populate the
the Map-Requests flows across the mapping system where a single ETR ITR's map-cache, the Map-Request flows across the mapping system
from the Map-Reply RLOC-set will respond. If the ITR decides to use where a single ETR from the Map-Reply RLOC-set will respond. If the
the other RLOCs in the RLOC-set, it MUST send a Map-Request directly ITR decides to use the other RLOCs in the RLOC-set, it MUST send a
to key negotiate with the ETR. This process may be used to test Map-Request directly to negotiate security parameters with the ETR.
reachability from an ITR to an ETR initially when a map-cache entry This process may be used to test reachability from an ITR to an ETR
is added for the first time, so an ITR can get both reachability initially when a map-cache entry is added for the first time, so an
status and keys negotiated with one Map-Request/Map-Reply exchange. ITR can get both reachability status and keys negotiated with one
Map-Request/Map-Reply exchange.
A rekeying event is defined to be when an ITR or PITR changes the p, A rekeying event is defined to be when an ITR or PITR changes the
g, or the public-key in a Map-Request. The ETR or RTR compares the cipher suite or public-key in the Map-Request. The ETR or RTR
p, g, and public-key it last received from the ITR for the key-id, compares the cipher suite and public-key it last received from the
and if any value has changed, it computes a new public-key of its own ITR for the key-id, and if any value has changed, it computes a new
with the new p and g values from the Map-Request and returns it in public-key and cipher suite requested by the ITR from the Map-Request
the Map-Reply. Now a new shared secret is computed and can be used and returns it in the Map-Reply. Now a new shared secret is computed
for the key-id for encryption by the ITR and decryption by the ETR. and can be used for the key-id for encryption by the ITR and
When the ITR or PITR starts this process of negotiating a new key, it decryption by the ETR. When the ITR or PITR starts this process of
must not use the corresponding key-id in encapsulated packets until negotiating a new key, it must not use the corresponding key-id in
it receives a Map-Reply from the ETR with the p and g values it encapsulated packets until it receives a Map-Reply from the ETR with
expects (the values it sent in a Map-Request). the same cipher suite value it expects (the values it sent in a Map-
Request).
Note when RLOC-probing continues to maintain RLOC reachability and Note when RLOC-probing continues to maintain RLOC reachability and
rekeying is not desirable, the ITR or RTR can either not include the rekeying is not desirable, the ITR or RTR can either not include the
Security Type LCAF in the Map-Request or supply the same key material Security Type LCAF in the Map-Request or supply the same key material
as it recieved from the last Map-Reply from the ETR or RTR. This as it received from the last Map-Reply from the ETR or RTR. This
approach signals to the ETR or RTR that no rekeying event is approach signals to the ETR or RTR that no rekeying event is
requested. requested.
7. Future Work 9. Future Work
By using AES-GCM [RFC5116], or HMAC-CBC [AES-CBC], it has been For performance considerations, newer Elliptic-Curve Diffie-Hellman
suggested that encapsulated packet authentication (through encryption (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to
[RFC4106]) could be supported. There is current work in progress to reduce CPU cycles required to compute shared secret keys.
investigate these techniques for the LISP data-plane. However, it
will require encapsulation header changes to LISP.
For performance considerations, Elliptic-Curve Diffie Hellman (ECDH) For better security considerations as well as to be able to build
can be used as specified in [RFC4492] to reduce CPU cycles required faster software implementations, newer approaches to ciphers and
to compute shared secret keys. authentication methods will be researched and tested. Some examples
are chacha20 and poly1305 [CHACHA-POLY].
8. Security Considerations 10. Security Considerations
8.1. SAAG Support 10.1. SAAG Support
The LISP working group will seek help from the SAAG working group for The LISP working group has and will continue to seek help from the
security advice. The SAAG will be involved early in the design SAAG working group for security advice. The SAAG has been involved
process so they have early input and review. early in the design process so they have early input and review.
8.2. LISP-Crypto Security Threats 10.2. LISP-Crypto Security Threats
Since ITRs and ETRs participate in key exchange over a public non- Since ITRs and ETRs participate in key exchange over a public non-
secure network, a man-in-the-middle (MITM) could circumvent the key secure network, a man-in-the-middle (MITM) could circumvent the key
exhange and compromise data-plane confidentiality. This can happen exchange and compromise data-plane confidentiality. This can happen
when the MITM is acting as a Map-Replier, provides its own public key when the MITM is acting as a Map-Replier, provides its own public key
so the ITR and the MITM generate a shared secret key among each so the ITR and the MITM generate a shared secret key among each
other. If the MITM is in the data path between the ITR and ETR, it other. If the MITM is in the data path between the ITR and ETR, it
can use the shared secret key to decrypt traffic from the ITR. can use the shared secret key to decrypt traffic from the ITR.
Since LISP can secure Map-Replies by the authentication process Since LISP can secure Map-Replies by the authentication process
specified in [LISP-SEC], the ITR can detect when a MITM has signed a specified in [LISP-SEC], the ITR can detect when a MITM has signed a
Map-Reply for an EID-prefix it is not authoritative for. When an ITR Map-Reply for an EID-prefix it is not authoritative for. When an ITR
determines the signature verification fails, it discards and does not determines the signature verification fails, it discards and does not
reuse the key exchange parameters, avoids using the ETR for reuse the key exchange parameters, avoids using the ETR for
encapsulation, and issues a severe log message to the network encapsulation, and issues a severe log message to the network
adminstrator. Optionally, the ITR can send RLOC-probes to the administrator. Optionally, the ITR can send RLOC-probes to the
compromised RLOC to determine if can reach the authoriative ETR. And compromised RLOC to determine if can reach the authoritative ETR.
when the ITR validates the signature of a Map-Reply, it can begin And when the ITR validates the signature of a Map-Reply, it can begin
encrypting and encapsulating packets to the RLOC of ETR. encrypting and encapsulating packets to the RLOC of ETR.
9. IANA Considerations 11. IANA Considerations
This draft requires the use of the registry that selects Diffie This draft may require the use of the registry that selects Security
Hellman parameters. Rather than convey the key exchange parameters parameters. Rather than convey the key exchange parameters and
directly in LISP control packets, a Group-ID from the registry will crypto functions directly in LISP control packets, the cipher suite
be used. The Group-ID values are defined in [RFC2409] and [RFC3526]. values can be assigned and defined in a registry. For example,
Diffie-Hellman group-id values can be used from [RFC2409] and
[RFC3526].
10. References This draft specifies how the 7-bit cipher suite values from the
Security Type LCAF are partitioned. The partitions are:
10.1. Normative References 0: Reserved
1-96: Allocated by registry, but first 3 values defined in this document
97-127: Private use
12. References
12.1. Normative References
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998. (IKE)", RFC 2409, November 1998.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC
2631, June 1999. 2631, June 1999.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, May 2003. RFC 3526, May 2003.
skipping to change at page 9, line 23 skipping to change at page 13, line 46
(GCM) in IPsec Encapsulating Security Payload (ESP)", RFC (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC
4106, June 2005. 4106, June 2005.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006. for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008. Encryption", RFC 5116, January 2008.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, February 2011.
[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", RFC 6830, January Locator/ID Separation Protocol (LISP)", RFC 6830, January
2013. 2013.
10.2. Informative References 12.2. Informative References
[AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead-
aes-cbc-hmac-sha2-03.txt (work in progress), . aes-cbc-hmac-sha2-05.txt (work in progress).
[CHACHA-POLY]
Langley, A., "ChaCha20 and Poly1305 based Cipher Suites
for TLS", draft-agl-tls-chacha20poly1305-00 (work in
progress).
[DH] "Diffie-Hellman key exchange", Wikipedia [DH] "Diffie-Hellman key exchange", Wikipedia
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange, http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange.
.
[LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical [LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format", draft-ietf-lisp-lcaf-04.txt (work in Address Format", draft-ietf-lisp-lcaf-04.txt (work in
progress), . progress).
[LISP-DDT] [LISP-DDT]
Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP
Delegated Database Tree", draft-fuller-lisp-ddt-03 (work Delegated Database Tree", draft-fuller-lisp-ddt-03 (work
in progress), . in progress).
[LISP-SEC] [LISP-SEC]
Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, Maino, F., Ermagan, V., Cabellos, A., and D. Saucez,
"LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-06 (work "LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-06 (work
in progress), . in progress).
[NIST-SP800-108]
"National Institute of Standards and Technology,
"Recommendation for Key Derivation Using Pseudorandom
Functions NIST SP800-108"", NIST SP 800-108, October 2009.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The author would like to thank Dan Harkins, Brian Weis, Joel Halpern, The author would like to thank Dan Harkins, Joel Halpern, Fabio
Fabio Maino, Ed Lopez, and Roger Jorgensen for their interest, Maino, Ed Lopez, Roger Jorgensen, Watson Ladd, and Ilari Liusvaara
suggestions, and discussions about LISP data-plane security. for their interest, suggestions, and discussions about LISP data-
plane security.
In addition, the support and suggestions from the SAAG working group In addition, the support and suggestions from the SAAG working group
were helpful and appreciative. were helpful and appreciative.
Appendix B. Document Change Log Appendix B. Document Change Log
B.1. Changes to draft-ietf-lisp-crypto-01.txt
B.1. Changes to draft-ietf-lisp-crypto-00.txt o Posted May 2015.
o Create cipher suites and encode them in the Security LCAF.
o Add IV to beginning of packet header and ICV to end of packet.
o AEAD procedures are now part of encrpytion process.
B.2. Changes to draft-ietf-lisp-crypto-00.txt
o Posted January 2015. o Posted January 2015.
o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto- o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto-
00. This draft has become a working group document 00. This draft has become a working group document
o Add text to indicate the working group may work on a new data o Add text to indicate the working group may work on a new data
encapsulation header format for data-plane encryption. encapsulation header format for data-plane encryption.
B.2. Changes to draft-farinacci-lisp-crypto-01.txt B.3. Changes to draft-farinacci-lisp-crypto-01.txt
o Posted July 2014. o Posted July 2014.
o Add Group-ID to the encoding format of Key Material in a Security o Add Group-ID to the encoding format of Key Material in a Security
Type LCAF and modify the IANA Considerations so this draft can use Type LCAF and modify the IANA Considerations so this draft can use
key exchange parameters from the IANA registry. key exchange parameters from the IANA registry.
o Indicate that the R-bit in the Security Type LCAF is not used by o Indicate that the R-bit in the Security Type LCAF is not used by
lisp-crypto. lisp-crypto.
skipping to change at page 11, line 5 skipping to change at page 16, line 5
process. process.
o Add text indicating that when RLOC-probing is used for RLOC o Add text indicating that when RLOC-probing is used for RLOC
reachability purposes and rekeying is not desired, that the same reachability purposes and rekeying is not desired, that the same
key exchange parameters should be used so a reallocation of a key exchange parameters should be used so a reallocation of a
pubic key does not happen at the ETR. pubic key does not happen at the ETR.
o Add text to indicate that ECDH can be used to reduce CPU o Add text to indicate that ECDH can be used to reduce CPU
requirements for computing shared secret-keys. requirements for computing shared secret-keys.
B.3. Changes to draft-farinacci-lisp-crypto-00.txt B.4. Changes to draft-farinacci-lisp-crypto-00.txt
o Initial draft posted February 2014. o Initial draft posted February 2014.
Author's Address Authors' Addresses
Dino Farinacci Dino Farinacci
lispers.net lispers.net
San Jose, California San Jose, California 95120
USA USA
Phone: 408-718-2001 Phone: 408-718-2001
Email: farinacci@gmail.com Email: farinacci@gmail.com
Brian Weis
cisco Systems
170 West Tasman Drive
San Jose, California 95124-1706
USA
Phone: 408-526-4796
Email: bew@cisco.com
 End of changes. 57 change blocks. 
154 lines changed or deleted 345 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/