draft-ietf-lisp-crypto-04.txt   draft-ietf-lisp-crypto-05.txt 
Internet Engineering Task Force D. Farinacci Internet Engineering Task Force D. Farinacci
Internet-Draft lispers.net Internet-Draft lispers.net
Intended status: Experimental B. Weis Intended status: Experimental B. Weis
Expires: December 2, 2016 cisco Systems Expires: December 29, 2016 cisco Systems
May 31, 2016 June 27, 2016
LISP Data-Plane Confidentiality LISP Data-Plane Confidentiality
draft-ietf-lisp-crypto-04 draft-ietf-lisp-crypto-05
Abstract Abstract
This document describes a mechanism for encrypting LISP encapsulated This document describes a mechanism for encrypting LISP encapsulated
traffic. The design describes how key exchange is achieved using traffic. The design describes how key exchange is achieved using
existing LISP control-plane mechanisms as well as how to secure the existing LISP control-plane mechanisms as well as how to secure the
LISP data-plane from third-party surveillance attacks. LISP data-plane from third-party surveillance attacks.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 2, 2016. This Internet-Draft will expire on December 29, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3
3. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 3 3. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 3
4. Encoding and Transmitting Key Material . . . . . . . . . . . 4 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 7 5. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 4
6. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 9 6. Encoding and Transmitting Key Material . . . . . . . . . . . 4
7. Procedures for Encryption and Decryption . . . . . . . . . . 10 7. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 7
8. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 11 8. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 9
9. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. Procedures for Encryption and Decryption . . . . . . . . . . 10
10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 10. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 11
10.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 12 11. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 12 12. Security Considerations . . . . . . . . . . . . . . . . . . . 12
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 12.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 12
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 12.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 12
12.1. Normative References . . . . . . . . . . . . . . . . . . 13 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
12.2. Informative References . . . . . . . . . . . . . . . . . 14 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
14.1. Normative References . . . . . . . . . . . . . . . . . . 13
14.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 15 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 15
Appendix B. Document Change Log . . . . . . . . . . . . . . . . 15 Appendix B. Document Change Log . . . . . . . . . . . . . . . . 16
B.1. Changes to draft-ietf-lisp-crypto-04.txt . . . . . . . . 15 B.1. Changes to draft-ietf-lisp-crypto-05.txt . . . . . . . . 16
B.2. Changes to draft-ietf-lisp-crypto-03.txt . . . . . . . . 15 B.2. Changes to draft-ietf-lisp-crypto-04.txt . . . . . . . . 16
B.3. Changes to draft-ietf-lisp-crypto-02.txt . . . . . . . . 16 B.3. Changes to draft-ietf-lisp-crypto-03.txt . . . . . . . . 16
B.4. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 16 B.4. Changes to draft-ietf-lisp-crypto-02.txt . . . . . . . . 17
B.5. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 16 B.5. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 17
B.6. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 17 B.6. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 17
B.7. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 17 B.7. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 B.8. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
The Locator/ID Separation Protocol [RFC6830] defines a set of The Locator/ID Separation Protocol [RFC6830] defines a set of
functions for routers to exchange information used to map from non- functions for routers to exchange information used to map from non-
routable Endpoint Identifiers (EIDs) to routable Routing Locators routable Endpoint Identifiers (EIDs) to routable Routing Locators
(RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs. (RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs.
Packets that arrive at the ITR or PITR are typically not modified. Packets that arrive at the ITR or PITR are typically not modified.
Which means no protection or privacy of the data is added. If the Which means no protection or privacy of the data is added. If the
source host encrypts the data stream then the encapsulated packets source host encrypts the data stream then the encapsulated packets
can be encrypted but would be redundant. However, when plaintext can be encrypted but would be redundant. However, when plaintext
packets are sent by hosts, this design can encrypt the user payload packets are sent by hosts, this design can encrypt the user payload
to maintain privacy on the path between the encapsulator (the ITR or to maintain privacy on the path between the encapsulator (the ITR or
PITR) to a decapsulator (ETR or RTR). The encrypted payload is PITR) to a decapsulator (ETR or RTR). The encrypted payload is
unidirectional. However, return traffic uses the same procedures but unidirectional. However, return traffic uses the same procedures but
with different key values by the same xTRs or potentially different with different key values by the same xTRs or potentially different
xTRs when the paths between LISP sites are asymmetric. xTRs when the paths between LISP sites are asymmetric.
This draft has the following requirements for the solution space: This document has the following requirements for the solution space:
o Do not require a separate Public Key Infrastructure (PKI) that is o Do not require a separate Public Key Infrastructure (PKI) that is
out of scope of the LISP control-plane architecture. out of scope of the LISP control-plane architecture.
o The budget for key exchange MUST be one round-trip time. That is, o The budget for key exchange MUST be one round-trip time. That is,
only a two packet exchange can occur. only a two packet exchange can occur.
o Use symmetric keying so faster cryptography can be performed in o Use symmetric keying so faster cryptography can be performed in
the LISP data plane. the LISP data plane.
o Avoid a third-party trust anchor if possible. o Avoid a third-party trust anchor if possible.
o Provide for rekeying when secret keys are compromised. o Provide for rekeying when secret keys are compromised.
o Support Authenticated Encryption with packet integrity checks. o Support Authenticated Encryption with packet integrity checks.
o Support multiple cipher suites so new crypto algorithms can be o Support multiple cipher suites so new crypto algorithms can be
easily introduced. easily introduced.
2. Overview 2. Requirements Notation
The approach proposed in this draft is to NOT rely on the LISP The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Definition of Terms
AEAD: Authenticated Encryption with Additional Data.
ICV: Integrity Check Value.
4. Overview
The approach proposed in this document is to NOT rely on the LISP
mapping system (or any other key infrastructure system) to store mapping system (or any other key infrastructure system) to store
security keys. This will provide for a simpler and more secure security keys. This will provide for a simpler and more secure
mechanism. Secret shared keys will be negotiated between the ITR and mechanism. Secret shared keys will be negotiated between the ITR and
the ETR in Map-Request and Map-Reply messages. Therefore, when an the ETR in Map-Request and Map-Reply messages. Therefore, when an
ITR needs to obtain the RLOC of an ETR, it will get security material ITR needs to obtain the RLOC of an ETR, it will get security material
to compute a shared secret with the ETR. to compute a shared secret with the ETR.
The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating
to. And when the ITR encrypts a packet before encapsulation, it will to. When the ITR encrypts a packet before encapsulation, it will
identify the key it used for the crypto calculation so the ETR knows identify the key it used for the crypto calculation so the ETR knows
which key to use for decrypting the packet after decapsulation. By which key to use for decrypting the packet after decapsulation. By
using key-ids in the LISP header, we can also get real-time rekeying using key-ids in the LISP header, we can also get fast rekeying
functionality. functionality.
When an ETR (when it is also an ITR) encapsulates packets to this ITR When an ETR (when it is also an ITR) encapsulates packets to this ITR
(when it is also an ETR), a separate key exchange and shared-secret (when it is also an ETR), a separate key exchange and shared-secret
computation is performed. The key management described in this computation is performed. The key management described in this
documemnt is unidirectional from the ITR (the encapsulator) to the documemnt is unidirectional from the ITR (the encapsulator) to the
ETR (the decapsultor). ETR (the decapsultor).
3. Diffie-Hellman Key Exchange 5. Diffie-Hellman Key Exchange
LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and
computation for computing a shared secret. The Diffie-Hellman computation for computing a shared secret. The Diffie-Hellman
parameters will be passed via Cipher Suite code-points in Map-Request parameters will be passed via Cipher Suite code-points in Map-Request
and Map-Reply messages. and Map-Reply messages.
Here is a brief description how Diff-Hellman works: Here is a brief description how Diff-Hellman works:
+----------------------------+---------+----------------------------+ +----------------------------+---------+----------------------------+
| ITR | | ETR | | ITR | | ETR |
skipping to change at page 4, line 33 skipping to change at page 4, line 46
Diffie-Hellman parameters 'p' and 'g' must be the same values used by Diffie-Hellman parameters 'p' and 'g' must be the same values used by
the ITR and ETR. The ITR computes public-key 'I' and transmits 'I' the ITR and ETR. The ITR computes public-key 'I' and transmits 'I'
in a Map-Request packet. When the ETR receives the Map-Request, it in a Map-Request packet. When the ETR receives the Map-Request, it
uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The
ETR transmits 'E' in a Map-Reply message. At this point, the ETR has ETR transmits 'E' in a Map-Reply message. At this point, the ETR has
enough information to compute 's', the shared secret, by using 'I' as enough information to compute 's', the shared secret, by using 'I' as
the base and the ETR's private key 'e' as the exponent. When the ITR the base and the ETR's private key 'e' as the exponent. When the ITR
receives the Map-Reply, it uses the ETR's public-key 'E' with the receives the Map-Reply, it uses the ETR's public-key 'E' with the
ITR's private key 'i' to compute the same 's' shared secret the ETR ITR's private key 'i' to compute the same 's' shared secret the ETR
computed. The value 'p' is used as a modulus to create the width of computed. The value 'p' is used as a modulus to create the width of
the shared secret 's'. the shared secret 's' (see Section 6).
4. Encoding and Transmitting Key Material 6. Encoding and Transmitting Key Material
The Diffie-Hellman key material is transmitted in Map-Request and The Diffie-Hellman key material is transmitted in Map-Request and
Map-Reply messages. Diffie-Hellman parameters are encoded in the Map-Reply messages. Diffie-Hellman parameters are encoded in the
LISP Security Type LCAF [LCAF]. LISP Security Type LCAF [LCAF].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = 16387 | Rsvd1 | Flags | | AFI = 16387 | Rsvd1 | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 5, line 29 skipping to change at page 5, line 29
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions
The 'Key Count' field encodes the number of {'Key-Length', 'Key- The 'Key Count' field encodes the number of {'Key-Length', 'Key-
Material'} fields included in the encoded LCAF. The maximum number Material'} fields included in the encoded LCAF. The maximum number
of keys that can be encoded are 3, each identified by key-id 1, of keys that can be encoded are 3, each identified by key-id 1,
followed by key-id 2, an finally key-id 3. followed by key-id 2, an finally key-id 3.
The 'R' bit is not used for this use-case of the Security Type LCAF The 'R' bit is not used for this use-case of the Security Type LCAF
but is reserved for [LISP-DDT] security. but is reserved for [LISP-DDT] security. Therefore, the R bit is
transmitted as 0 and ignored on receipt.
Cipher Suite 0: Cipher Suite 0:
Reserved Reserved
Cipher Suite 1: Cipher Suite 1:
Diffie-Hellman Group: 2048-bit MODP [RFC3526] Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: Integrated with [AES-CBC] AEAD [RFC5116] encryption Integrity: Integrated with [AES-CBC] AEAD AEAD_AES_128_CBC_HMAC_SHA_256
IV length: 16 bytes IV length: 16 bytes
Cipher Suite 2: Cipher Suite 2:
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: HMAC-SHA1-96 [RFC2404] Integrity: Integrated with [AES-CBC] AEAD AEAD_AES_128_CBC_HMAC_SHA_256
IV length: 16 bytes IV length: 16 bytes
Cipher Suite 3: Cipher Suite 3:
Diffie-Hellman Group: 2048-bit MODP [RFC3526] Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [AES-GCM] Encryption: AES with 128-bit keys in GCM mode [AES-GCM]
Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption
IV length: 12 bytes IV length: 12 bytes
Cipher Suite 4: Cipher Suite 4:
Diffie-Hellman Group: 3072-bit MODP [RFC3526] Diffie-Hellman Group: 3072-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [AES-GCM] Encryption: AES with 128-bit keys in GCM mode [AES-GCM]
Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption
IV length: 12 bytes IV length: 12 bytes
Cipher Suite 5: Cipher Suite 5:
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in GCM mode [AES-GCM] Encryption: AES with 128-bit keys in GCM mode [AES-GCM]
Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption
IV length: 12 bytes IV length: 12 bytes
Cipher Suite 6: Cipher Suite 6:
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption/Integrity: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539] Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539]
Integrity: Integrated with Chacha20-Poly1305 AEAD [RFC1116] encryption Integrity: Integrated with [CHACHA-POLY] AEAD AEAD_CHACHA20_POLY1305
IV length: 8 bytes IV length: 8 bytes
The "Public Key Material" field contains the public key generated by The "Public Key Material" field contains the public key generated by
one of the Cipher Suites defined above. The length of the key in one of the Cipher Suites defined above. The length of the key in
octets is encoded in the "Key Length" field. octets is encoded in the "Key Length" field.
When an ITR or PITR send a Map-Request, they will encode their own When an ITR, PITR, or RTR sends a Map-Request, they will encode their
RLOC in the Security Type LCAF format within the ITR-RLOCs field. own RLOC in the Security Type LCAF format within the ITR-RLOCs field.
When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in
Security Type LCAF format within the RLOC-record field of each EID- Security Type LCAF format within the RLOC-record field of each EID-
record supplied. record supplied.
If an ITR or PITR sends a Map-Request with the Security Type LCAF If an ITR, PITR, or RTR sends a Map-Request with the Security Type
included and the ETR or RTR does not want to have encapsulated LCAF included and the ETR or RTR does not want to have encapsulated
traffic encrypted, they will return a Map-Reply with no RLOC records traffic encrypted, they will return a Map-Reply with no RLOC records
encoded with the Security Type LCAF. This signals to the ITR or PITR encoded with the Security Type LCAF. This signals to the ITR, PITR
that it should not encrypt traffic (it cannot encrypt traffic anyways or RTR not to encrypt traffic (it cannot encrypt traffic anyways
since no ETR public-key was returned). since no ETR public-key was returned).
Likewise, if an ITR or PITR wish to include multiple key-ids in the Likewise, if an ITR or PITR wish to include multiple key-ids in the
Map-Request but the ETR or RTR wish to use some but not all of the Map-Request but the ETR or RTR wish to use some but not all of the
key-ids, they return a Map-Reply only for those key-ids they wish to key-ids, they return a Map-Reply only for those key-ids they wish to
use. use.
5. Shared Keys used for the Data-Plane 7. Shared Keys used for the Data-Plane
When an ITR or PITR receives a Map-Reply accepting the Cipher Suite When an ITR or PITR receives a Map-Reply accepting the Cipher Suite
sent in the Map-Request, it is ready to create data plane keys. The sent in the Map-Request, it is ready to create data plane keys. The
same process is followed by the ETR or RTR returning the Map-Reply. same process is followed by the ETR or RTR returning the Map-Reply.
The first step is to create a shared secret, using the peer's shared The first step is to create a shared secret, using the peer's shared
Diffie-Hellman Public Key Material combined with device's own private Diffie-Hellman Public Key Material combined with device's own private
keying material as described in Section 3. The Diffie-Hellman group keying material as described in Section 5. The Diffie-Hellman group
used is defined in the cipher suite sent in the Map-Request and used is defined in the cipher suite sent in the Map-Request and
copied into the Map-Reply. copied into the Map-Reply.
The resulting shared secret is used to compute an AEAD-key for the The resulting shared secret is used to compute an AEAD-key for the
algorithms specified in the cipher suite. A Key Derivation Function algorithms specified in the cipher suite. A Key Derivation Function
(KDF) in counter mode as specified by [NIST-SP800-108] is used to (KDF) in counter mode as specified by [NIST-SP800-108] is used to
generate the data-plane keys. The amount of keying material that is generate the data-plane keys. The amount of keying material that is
derived depends on the algorithms in the cipher suite. derived depends on the algorithms in the cipher suite.
The inputs to the KDF are as follows: The inputs to the KDF are as follows:
skipping to change at page 9, line 7 skipping to change at page 9, line 7
key-material = key-material-1 || key-material-2 key-material = key-material-1 || key-material-2
If the key-material is longer than the required number of bits (L), If the key-material is longer than the required number of bits (L),
then only the most significant L bits are used. then only the most significant L bits are used.
From the derived key-material, the most significant 256 bits are used From the derived key-material, the most significant 256 bits are used
for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided
into a 128-bit encryption key and a 128-bit integrity-check key into a 128-bit encryption key and a 128-bit integrity-check key
internal to the cipher used by the ITR. internal to the cipher used by the ITR.
6. Data-Plane Operation 8. Data-Plane Operation
The LISP encapsulation header [RFC6830] requires changes to encode The LISP encapsulation header [RFC6830] requires changes to encode
the key-id for the key being used for encryption. the key-id for the key being used for encryption.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ | Source Port = xxxx | Dest Port = 4341 | / | Source Port = xxxx | Dest Port = 4341 |
UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ | UDP Length | UDP Checksum | \ | UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
L / |N|L|E|V|I|P|K|K| Nonce/Map-Version | \ \ L / |N|L|E|V|I|P|K|K| Nonce/Map-Version |\ \
I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AD I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A
S \ | Instance ID/Locator-Status-Bits | | / S \ | Instance ID/Locator-Status-Bits | |D
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/
| Initialization Vector (IV) | I | Initialization Vector (IV) | I
E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C
n / | | V n / | | V
c | | | c | | |
r | Packet Payload with EID Header ... | | r | Packet Payload with EID Header ... | |
y | | | y | | |
p \ | | / p \ | |/
t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
K-bits indicate when packet is encrypted and which key used K-bits indicate when packet is encrypted and which key used
When the KK bits are 00, the encapsulated packet is not encrypted. When the KK bits are 00, the encapsulated packet is not encrypted.
When the value of the KK bits are 1, 2, or 3, it encodes the key-id When the value of the KK bits are 1, 2, or 3, it encodes the key-id
of the secret keys computed during the Diffie-Hellman Map-Request/ of the secret keys computed during the Diffie-Hellman Map-Request/
Map-Reply exchange. When the KK bits are not 0, the payload is Map-Reply exchange. When the KK bits are not 0, the payload is
prepended with an Initialization Vector (IV). The length of the IV prepended with an Initialization Vector (IV). The length of the IV
field is based on the cipher suite used. Since all cipher suites field is based on the cipher suite used. Since all cipher suites
skipping to change at page 10, line 7 skipping to change at page 10, line 7
payload. payload.
When an ITR or PITR receives a packet to be encapsulated, they will When an ITR or PITR receives a packet to be encapsulated, they will
first decide what key to use, encode the key-id into the LISP header, first decide what key to use, encode the key-id into the LISP header,
and use that key to encrypt all packet data that follows the LISP and use that key to encrypt all packet data that follows the LISP
header. Therefore, the outer header, UDP header, and LISP header header. Therefore, the outer header, UDP header, and LISP header
travel as plaintext. travel as plaintext.
There is an open working group item to discuss if the data There is an open working group item to discuss if the data
encapsulation header needs change for encryption or any new encapsulation header needs change for encryption or any new
applications. This draft proposes changes to the existing header so applications. This document proposes changes to the existing header
experimentation can continue without making large changes to the so experimentation can continue without making large changes to the
data-plane at this time. data-plane at this time. This document allocates the previously 2
unused flag bits to be used as the KK bits.
7. Procedures for Encryption and Decryption 9. Procedures for Encryption and Decryption
When an ITR, PITR, or RTR encapsulate a packet and have already When an ITR, PITR, or RTR encapsulate a packet and have already
computed an AEAD-key (detailed in section Section 5) that is computed an AEAD-key (detailed in section Section 7) that is
associated with a destination RLOC, the following encryption and associated with a destination RLOC, the following encryption and
encapsulation procedures are performed: encapsulation procedures are performed:
1. The encapsulator creates an IV and prepends the IV value to the 1. The encapsulator creates an IV and prepends the IV value to the
packet being encapsulated. For GCM and Chacha cipher suites, the packet being encapsulated. For GCM and Chacha cipher suites, the
IV is incremented for every packet (beginning with a value of 1 IV is incremented for every packet (beginning with a value of 1
in the first packet) and sent to the destination RLOC. For CBC in the first packet) and sent to the destination RLOC. For CBC
cipher suites, the IV is a new random number for every packet cipher suites, the IV is a new random number for every packet
sent to the destination RLOC. For the Chacha cipher suite, the sent to the destination RLOC. For the Chacha cipher suite, the
IV is an 8-byte random value that is appended to a 4-byte counter IV is an 8-byte random value that is appended to a 4-byte counter
skipping to change at page 11, line 12 skipping to change at page 11, line 12
1. The outer IP header, UDP header, LISP header, and IV field are 1. The outer IP header, UDP header, LISP header, and IV field are
stripped from the start of the packet. The LISP header and IV stripped from the start of the packet. The LISP header and IV
are retained and given to the AEAD decryption operation as the are retained and given to the AEAD decryption operation as the
"associated data" argument. "associated data" argument.
2. The packet is decrypted using the AEAD-key and the IV from the 2. The packet is decrypted using the AEAD-key and the IV from the
packet. The AEAD-key is obtained from a local-cache associated packet. The AEAD-key is obtained from a local-cache associated
with the key-id value from the LISP header. The result of the with the key-id value from the LISP header. The result of the
decryption function is a plaintext packet payload if the cipher decryption function is a plaintext packet payload if the cipher
returned a verified ICV. Otherwise, the packet has been tampered returned a verified ICV. Otherwise, the packet has been tampered
with, is dropped, and an optional log message may be issued. If with and is discarded. If the AEAD specification included an
the AEAD specification included an ICV, the AEAD decryption ICV, the AEAD decryption function will locate the ICV in the
function will locate the ICV in the ciphertext and compare it to ciphertext and compare it to a version of the ICV that the AEAD
a version of the ICV that the AEAD decryption function computes. decryption function computes. If the computed ICV is different
If the computed ICV is different than the ICV located in the than the ICV located in the ciphertext, then it will be
ciphertext, then it will be considered tampered. considered tampered.
3. If the packet was not tampered with, the decrypted packet is 3. If the packet was not tampered with, the decrypted packet is
forwarded to the destination EID. forwarded to the destination EID.
8. Dynamic Rekeying 10. Dynamic Rekeying
Since multiple keys can be encoded in both control and data messages, Since multiple keys can be encoded in both control and data messages,
an ITR can encapsulate and encrypt with a specific key while it is an ITR can encapsulate and encrypt with a specific key while it is
negotiating other keys with the same ETR. Soon as an ETR or RTR negotiating other keys with the same ETR. Soon as an ETR or RTR
returns a Map-Reply, it should be prepared to decapsulate and decrypt returns a Map-Reply, it should be prepared to decapsulate and decrypt
using the new keys computed with the new Diffie-Hellman parameters using the new keys computed with the new Diffie-Hellman parameters
received in the Map-Request and returned in the Map-Reply. received in the Map-Request and returned in the Map-Reply.
RLOC-probing can be used to change keys or cipher suites by the ITR RLOC-probing can be used to change keys or cipher suites by the ITR
at any time. And when an initial Map-Request is sent to populate the at any time. And when an initial Map-Request is sent to populate the
skipping to change at page 12, line 14 skipping to change at page 12, line 14
the same cipher suite value it expects (the values it sent in a Map- the same cipher suite value it expects (the values it sent in a Map-
Request). Request).
Note when RLOC-probing continues to maintain RLOC reachability and Note when RLOC-probing continues to maintain RLOC reachability and
rekeying is not desirable, the ITR or RTR can either not include the rekeying is not desirable, the ITR or RTR can either not include the
Security Type LCAF in the Map-Request or supply the same key material Security Type LCAF in the Map-Request or supply the same key material
as it received from the last Map-Reply from the ETR or RTR. This as it received from the last Map-Reply from the ETR or RTR. This
approach signals to the ETR or RTR that no rekeying event is approach signals to the ETR or RTR that no rekeying event is
requested. requested.
9. Future Work 11. Future Work
For performance considerations, newer Elliptic-Curve Diffie-Hellman For performance considerations, newer Elliptic-Curve Diffie-Hellman
(ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to
reduce CPU cycles required to compute shared secret keys. reduce CPU cycles required to compute shared secret keys.
For better security considerations as well as to be able to build For better security considerations as well as to be able to build
faster software implementations, newer approaches to ciphers and faster software implementations, newer approaches to ciphers and
authentication methods will be researched and tested. Some examples authentication methods will be researched and tested. Some examples
are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539]. are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539].
10. Security Considerations 12. Security Considerations
10.1. SAAG Support 12.1. SAAG Support
The LISP working group has and will continue to seek help from the The LISP working group received security advice and guidance from the
SAAG working group for security advice. The SAAG has been involved Security Area Advisory Group (SAAG). The SAAG has been involved
early in the design process so they have early input and review. early in the design process and their input and reviews have been
included in this document.
10.2. LISP-Crypto Security Threats 12.2. LISP-Crypto Security Threats
Since ITRs and ETRs participate in key exchange over a public non- Since ITRs and ETRs participate in key exchange over a public non-
secure network, a man-in-the-middle (MITM) could circumvent the key secure network, a man-in-the-middle (MITM) could circumvent the key
exchange and compromise data-plane confidentiality. This can happen exchange and compromise data-plane confidentiality. This can happen
when the MITM is acting as a Map-Replier, provides its own public key when the MITM is acting as a Map-Replier, provides its own public key
so the ITR and the MITM generate a shared secret key among each so the ITR and the MITM generate a shared secret key among each
other. If the MITM is in the data path between the ITR and ETR, it other. If the MITM is in the data path between the ITR and ETR, it
can use the shared secret key to decrypt traffic from the ITR. can use the shared secret key to decrypt traffic from the ITR.
Since LISP can secure Map-Replies by the authentication process Since LISP can secure Map-Replies by the authentication process
skipping to change at page 13, line 8 skipping to change at page 13, line 8
Map-Reply for an EID-prefix it is not authoritative for. When an ITR Map-Reply for an EID-prefix it is not authoritative for. When an ITR
determines the signature verification fails, it discards and does not determines the signature verification fails, it discards and does not
reuse the key exchange parameters, avoids using the ETR for reuse the key exchange parameters, avoids using the ETR for
encapsulation, and issues a severe log message to the network encapsulation, and issues a severe log message to the network
administrator. Optionally, the ITR can send RLOC-probes to the administrator. Optionally, the ITR can send RLOC-probes to the
compromised RLOC to determine if can reach the authoritative ETR. compromised RLOC to determine if can reach the authoritative ETR.
And when the ITR validates the signature of a Map-Reply, it can begin And when the ITR validates the signature of a Map-Reply, it can begin
encrypting and encapsulating packets to the RLOC of ETR. encrypting and encapsulating packets to the RLOC of ETR.
11. IANA Considerations 13. IANA Considerations
This draft may require the use of the registry that selects Security This document describes a mechanism for encrypting LISP encapsulated
parameters. Rather than convey the key exchange parameters and packets based on Diffie-Hellman key exchange procedures. During the
crypto functions directly in LISP control packets, the cipher suite exchange the devices have to agree on a Cipher Suite used (i.e. the
values can be assigned and defined in a registry. For example, cipher and hash functions used to encrypt/decrypt and to sign/verify
Diffie-Hellman group-id values can be used from [RFC2409] and packets). The 8-bit Cipher Suite field is reserved for such purpose
[RFC3526]. in the security material section of the Map-Request and Map-Reply
messages.
This draft specifies how the 7-bit cipher suite values from the This document requests IANA to create and maintain a new registry (as
Security Type LCAF are partitioned. The partitions are: outlined in [RFC5226]) entitled "LISP Crypto Cipher Suite". Initial
values for the registry are provided below. Future assignments are
to be made on a First Come First Served Basis.
0: Reserved +-----+--------------------------------------------+------------+
1-96: Allocated by registry, but first 3 values defined in this document |Value| Suite | Definition |
97-127: Private use +-----+--------------------------------------------+------------+
| 0 | Reserved | Section 6 |
+-----+--------------------------------------------+------------+
| 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+
| 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+
| 3 | LISP_2048MODP_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+
| 4 | LISP_3072MODP_AES128_GCM M-3072 | Section 6 |
+-----+--------------------------------------------+------------+
| 5 | LISP_256_EC25519_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+
| 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 |
+-----+--------------------------------------------+------------+
12. References LISP Crypto Cipher Suites
12.1. Normative References 14. References
14.1. Normative References
[LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format", draft-ietf-lisp-lcaf-13.txt (work in
progress).
[NIST-SP800-108]
"National Institute of Standards and Technology,
"Recommendation for Key Derivation Using Pseudorandom
Functions NIST SP800-108"", NIST SP 800-108, October 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998,
<http://www.rfc-editor.org/info/rfc2409>. <http://www.rfc-editor.org/info/rfc2409>.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, DOI 10.17487/RFC2631, June 1999, RFC 2631, DOI 10.17487/RFC2631, June 1999,
<http://www.rfc-editor.org/info/rfc2631>. <http://www.rfc-editor.org/info/rfc2631>.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, DOI 10.17487/RFC3526, May 2003, RFC 3526, DOI 10.17487/RFC3526, May 2003,
<http://www.rfc-editor.org/info/rfc3526>. <http://www.rfc-editor.org/info/rfc3526>.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, DOI 10.17487/RFC4106, June 2005,
<http://www.rfc-editor.org/info/rfc4106>.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, for Transport Layer Security (TLS)", RFC 4492,
DOI 10.17487/RFC4492, May 2006, DOI 10.17487/RFC4492, May 2006,
<http://www.rfc-editor.org/info/rfc4492>. <http://www.rfc-editor.org/info/rfc4492>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<http://www.rfc-editor.org/info/rfc5116>. <http://www.rfc-editor.org/info/rfc5116>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, Curve Cryptography Algorithms", RFC 6090,
DOI 10.17487/RFC6090, February 2011, DOI 10.17487/RFC6090, February 2011,
<http://www.rfc-editor.org/info/rfc6090>. <http://www.rfc-editor.org/info/rfc6090>.
[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", RFC 6830, Locator/ID Separation Protocol (LISP)", RFC 6830,
DOI 10.17487/RFC6830, January 2013, DOI 10.17487/RFC6830, January 2013,
<http://www.rfc-editor.org/info/rfc6830>. <http://www.rfc-editor.org/info/rfc6830>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<http://www.rfc-editor.org/info/rfc7539>. <http://www.rfc-editor.org/info/rfc7539>.
12.2. Informative References 14.2. Informative References
[AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead-
aes-cbc-hmac-sha2-05.txt (work in progress). aes-cbc-hmac-sha2-05.txt (work in progress).
[CHACHA-POLY] [CHACHA-POLY]
Langley, A., "ChaCha20 and Poly1305 based Cipher Suites Langley, A., "ChaCha20 and Poly1305 based Cipher Suites
for TLS", draft-agl-tls-chacha20poly1305-00 (work in for TLS", draft-agl-tls-chacha20poly1305-04 (work in
progress). progress).
[CURVE25519] [CURVE25519]
Bernstein, D., "Curve25519: new Diffie-Hellman speed Bernstein, D., "Curve25519: new Diffie-Hellman speed
records", Publication records", Publication
http://www.iacr.org/cryptodb/archive/2006/ http://www.iacr.org/cryptodb/archive/2006/
PKC/3351/3351.pdf. PKC/3351/3351.pdf.
[DH] "Diffie-Hellman key exchange", Wikipedia [DH] "Diffie-Hellman key exchange", Wikipedia
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange. http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange.
[LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format", draft-ietf-lisp-lcaf-13.txt (work in
progress).
[LISP-DDT] [LISP-DDT]
Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP
Delegated Database Tree", draft-fuller-lisp-ddt-06 (work Delegated Database Tree", draft-fuller-lisp-ddt-04 (work
in progress). in progress).
[LISP-SEC] [LISP-SEC]
Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, Maino, F., Ermagan, V., Cabellos, A., and D. Saucez,
"LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-10 (work "LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-10 (work
in progress). in progress).
[NIST-SP800-108]
"National Institute of Standards and Technology,
"Recommendation for Key Derivation Using Pseudorandom
Functions NIST SP800-108"", NIST SP 800-108, October 2009.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Dan Harkins, Joel Halpern, Fabio The authors would like to thank Dan Harkins, Joel Halpern, Fabio
Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest, Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest,
suggestions, and discussions about LISP data-plane security. suggestions, and discussions about LISP data-plane security. An
individual thank you to LISP WG chair Luigi Iannone for shepherding
this document as well as contributing to the IANA Considerations
section.
The authors would like to give a special thank you to Ilari Liusvaara The authors would like to give a special thank you to Ilari Liusvaara
for his extensive commentary and discussion. He has contributed his for his extensive commentary and discussion. He has contributed his
security expertise to make lisp-crypto as secure as the state of the security expertise to make lisp-crypto as secure as the state of the
art in cryptography. art in cryptography.
In addition, the support and suggestions from the SAAG working group In addition, the support and suggestions from the SAAG working group
were helpful and appreciative. were helpful and appreciative.
Appendix B. Document Change Log Appendix B. Document Change Log
B.1. Changes to draft-ietf-lisp-crypto-04.txt [RFC Editor: Please delete this section on publication as RFC.]
B.1. Changes to draft-ietf-lisp-crypto-05.txt
o Posted June 2016.
o Update document which reflects comments Luigi provided as document
shepherd.
B.2. Changes to draft-ietf-lisp-crypto-04.txt
o Posted May 2016. o Posted May 2016.
o Update document timer from expiration. o Update document timer from expiration.
B.2. Changes to draft-ietf-lisp-crypto-03.txt B.3. Changes to draft-ietf-lisp-crypto-03.txt
o Posted December 2015. o Posted December 2015.
o Changed cipher suite allocations. We now have 2 AES-CBC cipher o Changed cipher suite allocations. We now have 2 AES-CBC cipher
suites for compatibility, 3 AES-GCM cipher suites that are faster suites for compatibility, 3 AES-GCM cipher suites that are faster
ciphers that include AE and a Chacha20-Poly1305 cipher suite which ciphers that include AE and a Chacha20-Poly1305 cipher suite which
is the fastest but not totally proven/accepted.. is the fastest but not totally proven/accepted..
o Remove 1024-bit DH keys for key exchange. o Remove 1024-bit DH keys for key exchange.
skipping to change at page 16, line 22 skipping to change at page 17, line 13
endian). endian).
o Remove A-bit from Security Type LCAF. No need to do o Remove A-bit from Security Type LCAF. No need to do
authentication only with the introduction of AEAD ciphers. These authentication only with the introduction of AEAD ciphers. These
ciphers can do authentication. So you get ciphertext for free. ciphers can do authentication. So you get ciphertext for free.
o Remove language that refers to "encryption-key" and "integrity- o Remove language that refers to "encryption-key" and "integrity-
key". Used term "AEAD-key" that is used by the AEAD cipher suites key". Used term "AEAD-key" that is used by the AEAD cipher suites
that do encryption and authenticaiton internal to the cipher. that do encryption and authenticaiton internal to the cipher.
B.3. Changes to draft-ietf-lisp-crypto-02.txt B.4. Changes to draft-ietf-lisp-crypto-02.txt
o Posted September 2015. o Posted September 2015.
o Add cipher suite for Elliptic Curve 25519 DH exchange. o Add cipher suite for Elliptic Curve 25519 DH exchange.
o Add cipher suite for Chacha20/Poly1305 ciphers. o Add cipher suite for Chacha20/Poly1305 ciphers.
B.4. Changes to draft-ietf-lisp-crypto-01.txt B.5. Changes to draft-ietf-lisp-crypto-01.txt
o Posted May 2015. o Posted May 2015.
o Create cipher suites and encode them in the Security LCAF. o Create cipher suites and encode them in the Security LCAF.
o Add IV to beginning of packet header and ICV to end of packet. o Add IV to beginning of packet header and ICV to end of packet.
o AEAD procedures are now part of encrpytion process. o AEAD procedures are now part of encrpytion process.
B.5. Changes to draft-ietf-lisp-crypto-00.txt B.6. Changes to draft-ietf-lisp-crypto-00.txt
o Posted January 2015. o Posted January 2015.
o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto- o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto-
00. This draft has become a working group document 00. This draft has become a working group document
o Add text to indicate the working group may work on a new data o Add text to indicate the working group may work on a new data
encapsulation header format for data-plane encryption. encapsulation header format for data-plane encryption.
B.6. Changes to draft-farinacci-lisp-crypto-01.txt B.7. Changes to draft-farinacci-lisp-crypto-01.txt
o Posted July 2014. o Posted July 2014.
o Add Group-ID to the encoding format of Key Material in a Security o Add Group-ID to the encoding format of Key Material in a Security
Type LCAF and modify the IANA Considerations so this draft can use Type LCAF and modify the IANA Considerations so this draft can use
key exchange parameters from the IANA registry. key exchange parameters from the IANA registry.
o Indicate that the R-bit in the Security Type LCAF is not used by o Indicate that the R-bit in the Security Type LCAF is not used by
lisp-crypto. lisp-crypto.
skipping to change at page 17, line 31 skipping to change at page 18, line 20
process. process.
o Add text indicating that when RLOC-probing is used for RLOC o Add text indicating that when RLOC-probing is used for RLOC
reachability purposes and rekeying is not desired, that the same reachability purposes and rekeying is not desired, that the same
key exchange parameters should be used so a reallocation of a key exchange parameters should be used so a reallocation of a
pubic key does not happen at the ETR. pubic key does not happen at the ETR.
o Add text to indicate that ECDH can be used to reduce CPU o Add text to indicate that ECDH can be used to reduce CPU
requirements for computing shared secret-keys. requirements for computing shared secret-keys.
B.7. Changes to draft-farinacci-lisp-crypto-00.txt B.8. Changes to draft-farinacci-lisp-crypto-00.txt
o Initial draft posted February 2014. o Initial draft posted February 2014.
Authors' Addresses Authors' Addresses
Dino Farinacci Dino Farinacci
lispers.net lispers.net
San Jose, California 95120 San Jose, California 95120
USA USA
 End of changes. 60 change blocks. 
146 lines changed or deleted 200 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/