draft-ietf-lisp-crypto-10.txt   rfc8061.txt 
Internet Engineering Task Force D. Farinacci Internet Engineering Task Force (IETF) D. Farinacci
Internet-Draft lispers.net Request for Comments: 8061 lispers.net
Intended status: Experimental B. Weis Category: Experimental B. Weis
Expires: April 17, 2017 cisco Systems ISSN: 2070-1721 Cisco Systems
October 14, 2016 February 2017
LISP Data-Plane Confidentiality Locator/ID Separation Protocol (LISP) Data-Plane Confidentiality
draft-ietf-lisp-crypto-10
Abstract Abstract
This document describes a mechanism for encrypting LISP encapsulated This document describes a mechanism for encrypting traffic
traffic. The design describes how key exchange is achieved using encapsulated using the Locator/ID Separation Protocol (LISP). The
existing LISP control-plane mechanisms as well as how to secure the design describes how key exchange is achieved using existing LISP
LISP data-plane from third-party surveillance attacks. control-plane mechanisms as well as how to secure the LISP data plane
from third-party surveillance attacks.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for examination, experimental implementation, and
evaluation.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document defines an Experimental Protocol for the Internet
and may be updated, replaced, or obsoleted by other documents at any community. This document is a product of the Internet Engineering
time. It is inappropriate to use Internet-Drafts as reference Task Force (IETF). It represents the consensus of the IETF
material or to cite them other than as "work in progress." community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on April 17, 2017. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8061.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction ....................................................3
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Notation ...........................................4
3. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 4 3. Definition of Terms .............................................4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Overview ........................................................4
5. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 4 5. Diffie-Hellman Key Exchange .....................................5
6. Encoding and Transmitting Key Material . . . . . . . . . . . 5 6. Encoding and Transmitting Key Material ..........................6
7. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 8 7. Shared Keys Used for the Data Plane .............................8
8. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 10 8. Data-Plane Operation ...........................................10
9. Procedures for Encryption and Decryption . . . . . . . . . . 11 9. Procedures for Encryption and Decryption .......................11
10. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 12 10. Dynamic Rekeying ..............................................12
11. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 13 11. Future Work ...................................................13
12. Security Considerations . . . . . . . . . . . . . . . . . . . 13 12. Security Considerations .......................................14
12.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 13 12.1. SAAG Support .............................................14
12.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 14 12.2. LISP-Crypto Security Threats .............................14
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 13. IANA Considerations ...........................................15
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 14. References ....................................................16
14.1. Normative References . . . . . . . . . . . . . . . . . . 15 14.1. Normative References .....................................16
14.2. Informative References . . . . . . . . . . . . . . . . . 16 14.2. Informative References ...................................17
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 17 Acknowledgments ...................................................18
Appendix B. Document Change Log . . . . . . . . . . . . . . . . 17 Authors' Addresses ................................................18
B.1. Changes to draft-ietf-lisp-crypto-10.txt . . . . . . . . 17
B.2. Changes to draft-ietf-lisp-crypto-09.txt . . . . . . . . 18
B.3. Changes to draft-ietf-lisp-crypto-08.txt . . . . . . . . 18
B.4. Changes to draft-ietf-lisp-crypto-07.txt . . . . . . . . 18
B.5. Changes to draft-ietf-lisp-crypto-06.txt . . . . . . . . 18
B.6. Changes to draft-ietf-lisp-crypto-05.txt . . . . . . . . 18
B.7. Changes to draft-ietf-lisp-crypto-04.txt . . . . . . . . 18
B.8. Changes to draft-ietf-lisp-crypto-03.txt . . . . . . . . 18
B.9. Changes to draft-ietf-lisp-crypto-02.txt . . . . . . . . 19
B.10. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 19
B.11. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 19
B.12. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 20
B.13. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
This document describes a mechanism for encrypting LISP encapsulated This document describes a mechanism for encrypting LISP-encapsulated
traffic. The design describes how key exchange is achieved using traffic. The design describes how key exchange is achieved using
existing LISP control-plane mechanisms as well as how to secure the existing LISP control-plane mechanisms as well as how to secure the
LISP data-plane from third-party surveillance attacks. LISP data plane from third-party surveillance attacks.
The Locator/ID Separation Protocol [RFC6830] defines a set of The Locator/ID Separation Protocol [RFC6830] defines a set of
functions for routers to exchange information used to map from non- functions for routers to exchange information used to map from
routable Endpoint Identifiers (EIDs) to routable Routing Locators non-routable Endpoint Identifiers (EIDs) to routable Routing Locators
(RLOCs). LISP Ingress Tunnel Routers (ITRs) and Proxy Ingress Tunnel (RLOCs). LISP Ingress Tunnel Routers (ITRs) and Proxy Ingress Tunnel
Routers (PITRs) encapsulate packets to Egress Tunnel Routers (ETRs) Routers (PITRs) encapsulate packets to Egress Tunnel Routers (ETRs)
and Reencapsulating Tunnel Routers (RTRs). Packets that arrive at and Re-encapsulating Tunnel Routers (RTRs). Packets that arrive at
the ITR or PITR may not be encrypted, which means no protection or the ITR or PITR may not be encrypted, which means no protection or
privacy of the data is added. When the source host encrypts the data privacy of the data is added. When the source host encrypts the data
stream, encapsulated packets do not need to be encrypted by LISP. stream, encapsulated packets do not need to be encrypted by LISP.
However, when plaintext packets are sent by hosts, this design can However, when plaintext packets are sent by hosts, this design can
encrypt the user payload to maintain privacy on the path between the encrypt the user payload to maintain privacy on the path between the
encapsulator (the ITR or PITR) to a decapsulator (ETR or RTR). The encapsulator (the ITR or PITR) to a decapsulator (ETR or RTR). The
encrypted payload is unidirectional. However, return traffic uses encrypted payload is unidirectional. However, return traffic uses
the same procedures but with different key values by the same xTRs or the same procedures but with different key values by the same xTRs or
potentially different xTRs when the paths between LISP sites are potentially different xTRs when the paths between LISP sites are
asymmetric. asymmetric.
This document has the following requirements (as well as the general This document has the following requirements (as well as the general
requirements from [RFC6973]) for the solution space: requirements from [RFC6973]) for the solution space:
o Do not require a separate Public Key Infrastructure (PKI) that is o Do not require a separate Public Key Infrastructure (PKI) that is
out of scope of the LISP control-plane architecture. out of scope of the LISP control-plane architecture.
o The budget for key exchange MUST be one round-trip time. That is, o The budget for key exchange MUST be one round-trip time. That is,
only a two packet exchange can occur. only a two-packet exchange can occur.
o Use symmetric keying so faster cryptography can be performed in o Use symmetric keying so faster cryptography can be performed in
the LISP data plane. the LISP data plane.
o Avoid a third-party trust anchor if possible. o Avoid a third-party trust anchor if possible.
o Provide for rekeying when secret keys are compromised. o Provide for rekeying when secret keys are compromised.
o Support Authenticated Encryption with packet integrity checks. o Support Authenticated Encryption with packet integrity checks.
o Support multiple cipher suites so new crypto algorithms can be o Support multiple Cipher Suites so new crypto algorithms can be
easily introduced. easily introduced.
Satisfying the above requirements provides the following benefits: Satisfying the above requirements provides the following benefits:
o Avoiding a PKI reduces the operational cost of managing a secure o Avoiding a PKI reduces the operational cost of managing a secure
network. Key management is distributed and independent from any network. Key management is distributed and independent from any
other infrastructure. other infrastructure.
o Packet transport is optimized due to less packet headers. Packet o Packet transport is optimized due to fewer packet headers. Packet
loss is reduced by a more efficient key exchange. loss is reduced by a more efficient key exchange.
o Authentication and privacy are provided with a single mechanism o Authentication and privacy are provided with a single mechanism
thereby providing less per packet overhead and therefore more thereby providing less per-packet overhead and therefore more
resource efficiency. resource efficiency.
2. Requirements Notation 2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Definition of Terms 3. Definition of Terms
AEAD: Authenticated Encryption with Additional Data [RFC5116]. AEAD: Authenticated Encryption with Associated Data [RFC5116]
ICV: Integrity Check Value. ICV: Integrity Check Value
LCAF: LISP Canonical Address Format ([LCAF]). LCAF: LISP Canonical Address Format [RFC8060]
xTR: A general reference to ITRs, ETRs, RTRs, and PxTRs. xTR: A general reference to ITRs, ETRs, RTRs, and PxTRs
4. Overview 4. Overview
The approach proposed in this document is to NOT rely on the LISP The approach proposed in this document is NOT to rely on the LISP
mapping system (or any other key infrastructure system) to store mapping system (or any other key-infrastructure system) to store
security keys. This will provide for a simpler and more secure security keys. This will provide for a simpler and more secure
mechanism. Secret shared keys will be negotiated between the ITR and mechanism. Secret shared keys will be negotiated between the ITR and
the ETR in Map-Request and Map-Reply messages. Therefore, when an the ETR in Map-Request and Map-Reply messages. Therefore, when an
ITR needs to obtain the RLOC of an ETR, it will get security material ITR needs to obtain the RLOC of an ETR, it will get security material
to compute a shared secret with the ETR. to compute a shared secret with the ETR.
The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating The ITR can compute three shared secrets per ETR the ITR is
to. When the ITR encrypts a packet before encapsulation, it will encapsulating to. When the ITR encrypts a packet before
identify the key it used for the crypto calculation so the ETR knows encapsulation, it will identify the key it used for the crypto
which key to use for decrypting the packet after decapsulation. By calculation so the ETR knows which key to use for decrypting the
using key-ids in the LISP header, we can also get fast rekeying packet after decapsulation. By using key-ids in the LISP header, we
functionality. can also get fast rekeying functionality.
The key management described in this documemnt is unidirectional from The key management described in this document is unidirectional from
the ITR (the encapsulator) to the ETR (the decapsultor). the ITR (the encapsulator) to the ETR (the decapsultor).
5. Diffie-Hellman Key Exchange 5. Diffie-Hellman Key Exchange
LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and
computation for computing a shared secret. The Diffie-Hellman computation for computing a shared secret. The Diffie-Hellman
parameters will be passed via Cipher Suite code-points in Map-Request parameters will be passed via Cipher Suite code-points in Map-Request
and Map-Reply messages. and Map-Reply messages.
Here is a brief description how Diff-Hellman works: Here is a brief description how Diffie-Hellman works:
+----------------------------+---------+----------------------------+ +----------------------------+---------+----------------------------+
| ITR | | ETR | | ITR | | ETR |
+------+--------+------------+---------+------------+---------------+ +------+--------+------------+---------+------------+---------------+
|Secret| Public | Calculates | Sends | Calculates | Public |Secret| |Secret| Public | Calculates | Sends | Calculates | Public |Secret|
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
| i | p,g | | p,g --> | | | e | | i | p,g | | p,g --> | | | e |
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
| i | p,g,I |g^i mod p=I | I --> | | p,g,I | e | | i | p,g,I |g^i mod p=I | I --> | | p,g,I | e |
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
| i | p,g,I | | <-- E |g^e mod p=E | p,g | e | | i | p,g,I | | <-- E |g^e mod p=E | p,g | e |
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
| i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s | | i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s |
+------|--------|------------|---------|------------|--------|------+ +------|--------|------------|---------|------------|--------|------+
Public-key exchange for computing a shared private key [DH] Public-Key Exchange for Computing a Shared Private Key [DH]
Diffie-Hellman parameters 'p' and 'g' must be the same values used by Diffie-Hellman parameters 'p' and 'g' must be the same values used by
the ITR and ETR. The ITR computes public-key 'I' and transmits 'I' the ITR and ETR. The ITR computes public key 'I' and transmits 'I'
in a Map-Request packet. When the ETR receives the Map-Request, it in a Map-Request packet. When the ETR receives the Map-Request, it
uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The
ETR transmits 'E' in a Map-Reply message. At this point, the ETR has ETR transmits 'E' in a Map-Reply message. At this point, the ETR has
enough information to compute 's', the shared secret, by using 'I' as enough information to compute 's', the shared secret, by using 'I' as
the base and the ETR's private key 'e' as the exponent. When the ITR the base and the ETR's private key 'e' as the exponent. When the ITR
receives the Map-Reply, it uses the ETR's public-key 'E' with the receives the Map-Reply, it uses the ETR's public key 'E' with the
ITR's private key 'i' to compute the same 's' shared secret the ETR ITR's private key 'i' to compute the same 's' shared secret the ETR
computed. The value 'p' is used as a modulus to create the width of computed. The value 'p' is used as a modulus to create the width of
the shared secret 's' (see Section 6). the shared secret 's' (see Section 6).
6. Encoding and Transmitting Key Material 6. Encoding and Transmitting Key Material
The Diffie-Hellman key material is transmitted in Map-Request and The Diffie-Hellman key material is transmitted in Map-Request and
Map-Reply messages. Diffie-Hellman parameters are encoded in the Map-Reply messages. Diffie-Hellman parameters are encoded in the
LISP Security Type LCAF [LCAF]. LISP Security Key LCAF Type [RFC8060].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = 16387 | Rsvd1 | Flags | | AFI = 16387 | Rsvd1 | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 11 | Rsvd2 | 6 + n | | Type = 11 | Rsvd2 | 6 + n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R| | Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Length | Public Key Material ... | | Key Length | Public Key Material ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Public Key Material | | ... Public Key Material |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = x | Locator Address ... | | AFI = x | Locator Address ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions Cipher Suite Field Contains DH Key Exchange and Cipher/Hash Functions
The 'Key Count' field encodes the number of {'Key-Length', 'Key- The Key Count field encodes the number of {'Key-Length',
Material'} fields included in the encoded LCAF. The maximum number 'Key-Material'} fields included in the encoded LCAF. The maximum
of keys that can be encoded are 3, each identified by key-id 1, number of keys that can be encoded is three, each identified by
followed by key-id 2, and finally key-id 3. key-id 1, followed by key-id 2, and finally key-id 3.
The 'R' bit is not used for this use-case of the Security Type LCAF The R bit is not used for this use case of the Security Key LCAF Type
but is reserved for [LISP-DDT] security. Therefore, the R bit SHOULD but is reserved for [LISP-DDT] security. Therefore, the R bit SHOULD
be transmitted as 0 and MUST be ignored on receipt. be transmitted as 0 and MUST be ignored on receipt.
Cipher Suite 0: Cipher Suite 0:
Reserved Reserved
Cipher Suite 1: Cipher Suite 1 (LISP_2048MODP_AES128_CBC_SHA256):
Diffie-Hellman Group: 2048-bit MODP [RFC3526] Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: Integrated with [AES-CBC] AEAD_AES_128_CBC_HMAC_SHA_256 Integrity: Integrated with AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC]
IV length: 16 bytes IV length: 16 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
Cipher Suite 2: Cipher Suite 2 (LISP_EC25519_AES128_CBC_SHA256):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: Integrated with [AES-CBC] AEAD_AES_128_CBC_HMAC_SHA_256 Integrity: Integrated with AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC]
IV length: 16 bytes IV length: 16 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
Cipher Suite 3: Cipher Suite 3 (LISP_2048MODP_AES128_GCM):
Diffie-Hellman Group: 2048-bit MODP [RFC3526] Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [RFC5116] Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes IV length: 12 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
Cipher Suite 4: Cipher Suite 4 (LISP_3072MODP_AES128_GCM):
Diffie-Hellman Group: 3072-bit MODP [RFC3526] Diffie-Hellman Group: 3072-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [RFC5116] Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes IV length: 12 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
Cipher Suite 5: Cipher Suite 5 (LISP_256_EC25519_AES128_GCM):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in GCM mode [RFC5116] Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes IV length: 12 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
Cipher Suite 6: Cipher Suite 6 (LISP_256_EC25519_CHACHA20_POLY1305):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539] Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539]
Integrity: Integrated with [CHACHA-POLY] AEAD_CHACHA20_POLY1305 Integrity: Integrated with AEAD_CHACHA20_POLY1305 [CHACHA-POLY]
IV length: 8 bytes IV length: 8 bytes
KDF: HMAC-SHA-256 KDF: HMAC-SHA-256
The "Public Key Material" field contains the public key generated by The Public Key Material field contains the public key generated by
one of the Cipher Suites defined above. The length of the key in one of the Cipher Suites defined above. The length of the key, in
octets is encoded in the "Key Length" field. octets, is encoded in the Key Length field.
When an ITR, PITR, or RTR sends a Map-Request, they will encode their When an ITR, PITR, or RTR sends a Map-Request, they will encode their
own RLOC in the Security Type LCAF format within the ITR-RLOCs field. own RLOC in the Security Key LCAF Type format within the ITR-RLOCs
When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in field. When an ETR or RTR sends a Map-Reply, they will encode their
Security Type LCAF format within the RLOC-record field of each EID- RLOCs in Security Key LCAF Type format within the RLOC-record field
record supplied. of each EID-record supplied.
If an ITR, PITR, or RTR sends a Map-Request with the Security Type If an ITR, PITR, or RTR sends a Map-Request with the Security Key
LCAF included and the ETR or RTR does not want to have encapsulated LCAF Type included and the ETR or RTR does not want to have
traffic encrypted, they will return a Map-Reply with no RLOC records encapsulated traffic encrypted, they will return a Map-Reply with no
encoded with the Security Type LCAF. This signals to the ITR, PITR RLOC-records encoded with the Security Key LCAF Type. This signals
or RTR not to encrypt traffic (it cannot encrypt traffic anyways to the ITR, PITR, or RTR not to encrypt traffic (it cannot encrypt
since no ETR public-key was returned). traffic anyway since no ETR public key was returned).
Likewise, if an ITR or PITR wish to include multiple key-ids in the Likewise, if an ITR or PITR wishes to include multiple key-ids in the
Map-Request but the ETR or RTR wish to use some but not all of the Map-Request, but the ETR or RTR wishes to use some but not all of the
key-ids, they return a Map-Reply only for those key-ids they wish to key-ids, it returns a Map-Reply only for those key-ids it wishes to
use. use.
7. Shared Keys used for the Data-Plane 7. Shared Keys Used for the Data Plane
When an ITR or PITR receives a Map-Reply accepting the Cipher Suite When an ITR or PITR receives a Map-Reply accepting the Cipher Suite
sent in the Map-Request, it is ready to create data plane keys. The sent in the Map-Request, it is ready to create data-plane keys. The
same process is followed by the ETR or RTR returning the Map-Reply. same process is followed by the ETR or RTR returning the Map-Reply.
The first step is to create a shared secret, using the peer's shared The first step is to create a shared secret, using the peer's shared
Diffie-Hellman Public Key Material combined with device's own private Diffie-Hellman Public Key Material combined with the device's own
keying material as described in Section 5. The Diffie-Hellman private keying material, as described in Section 5. The Diffie-
parameters used is defined in the cipher suite sent in the Map- Hellman parameters used are defined in the Cipher Suite sent in the
Request and copied into the Map-Reply. Map-Request and copied into the Map-Reply.
The resulting shared secret is used to compute an AEAD-key for the The resulting shared secret is used to compute an AEAD-key for the
algorithms specified in the cipher suite. A Key Derivation Function algorithms specified in the Cipher Suite. A Key Derivation Function
(KDF) in counter mode as specified by [NIST-SP800-108] is used to (KDF) in counter mode, as specified by [NIST-SP800-108], is used to
generate the data-plane keys. The amount of keying material that is generate the data-plane keys. The amount of keying material that is
derived depends on the algorithms in the cipher suite. derived depends on the algorithms in the Cipher Suite.
The inputs to the KDF are as follows: The inputs to the KDF are as follows:
o KDF function. This is HMAC-SHA-256 in this document but generally o KDF function. This is HMAC-SHA-256 in this document, but
specified in each Cipher Suite definition. generally specified in each Cipher Suite definition.
o A key for the KDF function. This is the computed Diffie-Hellman o A key for the KDF function. This is the computed Diffie-Hellman
shared secret. shared secret.
o Context that binds the use of the data-plane keys to this session. o Context that binds the use of the data-plane keys to this session.
The context is made up of the following fields, which are The context is made up of the following fields, which are
concatenated and provided as the data to be acted upon by the KDF concatenated and provided as the data to be acted upon by the KDF
function. function. A Context is made up of the following components:
Context:
o A counter, represented as a two-octet value in network byte order. * A counter, represented as a two-octet value in network byte
order.
o The null-terminated string "lisp-crypto". * The null-terminated string "lisp-crypto".
o The ITR's nonce from the Map-Request the cipher suite was included * The ITR's nonce from the Map-Request the Cipher Suite was
in. included in.
o The number of bits of keying material required (L), represented as * The number of bits of keying material required (L), represented
a two-octet value in network byte order. as a two-octet value in network byte order.
The counter value in the context is first set to 1. When the amount The counter value in the context is first set to 1. When the amount
of keying material exceeds the number of bits returned by the KDF of keying material exceeds the number of bits returned by the KDF
function, then the KDF function is called again with the same inputs function, then the KDF function is called again with the same inputs
except that the counter increments for each call. When enough keying except that the counter increments for each call. When enough keying
material is returned, it is concatenated and used to create keys. material is returned, it is concatenated and used to create keys.
For example, AES with 128-bit keys requires 16 octets (128 bits) of For example, AES with 128-bit keys requires 16 octets (128 bits) of
keying material, and HMAC-SHA1-96 requires another 16 octets (128 keying material, and HMAC-SHA1-96 requires another 16 octets (128
bits) of keying material in order to maintain a consistent 128-bits bits) of keying material in order to maintain a consistent 128 bits
of security. Since 32 octets (256 bits) of keying material are of security. Since 32 octets (256 bits) of keying material are
required, and the KDF function HMAC-SHA-256 outputs 256 bits, only required, and the KDF function HMAC-SHA-256 outputs 256 bits, only
one call is required. The inputs are as follows: one call is required. The inputs are as follows:
key-material = HMAC-SHA-256(dh-shared-secret, context) key-material = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0100 where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0100
In contrast, a cipher suite specifying AES with 256-bit keys requires In contrast, a Cipher Suite specifying AES with 256-bit keys requires
32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires 32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires
another 32 octets (256 bits) of keying material in order to maintain another 32 octets (256 bits) of keying material in order to maintain
a consistent 256-bits of security. Since 64 octets (512 bits) of a consistent 256 bits of security. Since 64 octets (512 bits) of
keying material are required, and the KDF function HMAC-SHA-256 keying material are required, and the KDF function HMAC-SHA-256
outputs 256 bits, two calls are required. outputs 256 bits, two calls are required.
key-material-1 = HMAC-SHA-256(dh-shared-secret, context) key-material-1 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0200 where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0200
key-material-2 = HMAC-SHA-256(dh-shared-secret, context) key-material-2 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0002 || "lisp-crypto" || <itr-nonce> || 0x0200 where: context = 0x0002 || "lisp-crypto" || <itr-nonce> || 0x0200
skipping to change at page 10, line 48 skipping to change at page 10, line 48
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/ P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/
| Initialization Vector (IV) | I | Initialization Vector (IV) | I
E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C
n / | | V n / | | V
c | | | c | | |
r | Packet Payload with EID Header ... | | r | Packet Payload with EID Header ... | |
y | | | y | | |
p \ | |/ p \ | |/
t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
K-bits indicate when packet is encrypted and which key used K-bits Indicate When a Packet Is Encrypted and Which Key Is Used
When the KK bits are 00, the encapsulated packet is not encrypted. When the KK bits are 00, the encapsulated packet is not encrypted.
When the value of the KK bits are 1, 2, or 3, it encodes the key-id When the value of the KK bits is 1, 2, or 3, it encodes the key-id of
of the secret keys computed during the Diffie-Hellman Map-Request/ the secret keys computed during the Diffie-Hellman
Map-Reply exchange. When the KK bits are not 0, the payload is Map-Request/Map-Reply exchange. When the KK bits are not 0, the
prepended with an Initialization Vector (IV). The length of the IV payload is prepended with an Initialization Vector (IV). The length
field is based on the cipher suite used. Since all cipher suites of the IV field is based on the Cipher Suite used. Since all Cipher
defined in this document do Authenticated Encryption (AEAD), an ICV Suites defined in this document do Authenticated Encryption with
field does not need to be present in the packet since it is included Associated Data (AEAD), an ICV field does not need to be present in
in the ciphertext. The Additional Data (AD) used for the ICV is the packet since it is included in the ciphertext. The Additional
shown above and includes the LISP header, the IV field and the packet Data (AD) used for the ICV is shown above and includes the LISP
payload. header, the IV field, and the packet payload.
When an ITR or PITR receives a packet to be encapsulated, the device When an ITR or PITR receives a packet to be encapsulated, the device
will first decide what key to use, encode the key-id into the LISP will first decide what key to use, encode the key-id into the LISP
header, and use that key to encrypt all packet data that follows the header, and use that key to encrypt all packet data that follows the
LISP header. Therefore, the outer header, UDP header, and LISP LISP header. Therefore, the outer header, UDP header, and LISP
header travel as plaintext. header travel as plaintext.
There is an open working group item to discuss if the data At the time of writing, there is an open working group item to
encapsulation header needs change for encryption or any new discuss if the data encapsulation header needs change for encryption
applications. This document proposes changes to the existing header or any new applications. This document proposes changes to the
so experimentation can continue without making large changes to the existing header so experimentation can continue without making large
data-plane at this time. This document allocates 2 bits of the changes to the data plane at this time. This document allocates two
previously unused 3 flag bits (note the R-bit above is still a bits of the previously unused three flag bits (note the R-bit above
reserved flag bit as documented in [RFC6830]) for the KK bits. is still a reserved flag bit, as documented in [RFC6830]) for the KK
bits.
9. Procedures for Encryption and Decryption 9. Procedures for Encryption and Decryption
When an ITR, PITR, or RTR encapsulate a packet and have already When an ITR, PITR, or RTR encapsulates a packet and has already
computed an AEAD-key (detailed in section Section 7) that is computed an AEAD-key (detailed in Section 7) that is associated with
associated with a destination RLOC, the following encryption and a destination RLOC, the following encryption and encapsulation
encapsulation procedures are performed: procedures are performed:
1. The encapsulator creates an IV and prepends the IV value to the 1. The encapsulator creates an IV and prepends the IV value to the
packet being encapsulated. For GCM and Chacha cipher suites, the packet being encapsulated. For GCM and ChaCha20 Cipher Suites,
IV is incremented for every packet (beginning with a value of 1 the IV is incremented for every packet (beginning with a value of
in the first packet) and sent to the destination RLOC. For CBC 1 in the first packet) and sent to the destination RLOC. For CBC
cipher suites, the IV is a new random number for every packet Cipher Suites, the IV is a new random number for every packet
sent to the destination RLOC. For the Chacha cipher suite, the sent to the destination RLOC. For the ChaCha20 Cipher Suite, the
IV is an 8-byte random value that is appended to a 4-byte counter IV is an 8-byte random value that is appended to a 4-byte counter
that is incremented for every packet (beginning with a value of 1 that is incremented for every packet (beginning with a value of 1
in the first packet). in the first packet).
2. Next encrypt with cipher function AES or Chacha20 using the AEAD- 2. Next encrypt with cipher function AES or ChaCha20 using the AEAD-
key over the packet payload following the AEAD specification key over the packet payload following the AEAD specification
referenced in the cipher suite definition. This does not include referenced in the Cipher Suite definition. This does not include
the IV. The IV must be transmitted as plaintext so the decrypter the IV. The IV must be transmitted as plaintext so the decrypter
can use it as input to the decryption cipher. The payload should can use it as input to the decryption cipher. The payload should
be padded to an integral number of bytes a block cipher may be padded to an integral number of bytes a block cipher may
require. The result of the AEAD operation may contain an ICV, require. The result of the AEAD operation may contain an ICV,
the size of which is defined by the referenced AEAD the size of which is defined by the referenced AEAD
specification. Note that the AD (i.e. the LISP header exactly as specification. Note that the AD (i.e., the LISP header exactly
will be prepended in the next step and the IV) must be given to as will be prepended in the next step and the IV) must be given
the AEAD encryption function as the "associated data" argument. to the AEAD encryption function as the "associated data"
argument.
3. Prepend the LISP header. The key-id field of the LISP header is 3. Prepend the LISP header. The key-id field of the LISP header is
set to the key-id value that corresponds to key-pair used for the set to the key-id value that corresponds to key-pair used for the
encryption cipher. encryption cipher.
4. Lastly, prepend the UDP header and outer IP header onto the 4. Lastly, prepend the UDP header and outer IP header onto the
encrypted packet and send packet to destination RLOC. encrypted packet and send packet to destination RLOC.
When an ETR, PETR, or RTR receive an encapsulated packet, the When an ETR, PETR, or RTR receives an encapsulated packet, the
following decapsulation and decryption procedures are performed: following decapsulation and decryption procedures are performed:
1. The outer IP header, UDP header, LISP header, and IV field are 1. The outer IP header, UDP header, LISP header, and IV field are
stripped from the start of the packet. The LISP header and IV stripped from the start of the packet. The LISP header and IV
are retained and given to the AEAD decryption operation as the are retained and given to the AEAD decryption operation as the
"associated data" argument. "associated data" argument.
2. The packet is decrypted using the AEAD-key and the IV from the 2. The packet is decrypted using the AEAD-key and the IV from the
packet. The AEAD-key is obtained from a local-cache associated packet. The AEAD-key is obtained from a local-cache associated
with the key-id value from the LISP header. The result of the with the key-id value from the LISP header. The result of the
skipping to change at page 12, line 46 skipping to change at page 13, line 5
10. Dynamic Rekeying 10. Dynamic Rekeying
Since multiple keys can be encoded in both control and data messages, Since multiple keys can be encoded in both control and data messages,
an ITR can encapsulate and encrypt with a specific key while it is an ITR can encapsulate and encrypt with a specific key while it is
negotiating other keys with the same ETR. As soon as an ETR or RTR negotiating other keys with the same ETR. As soon as an ETR or RTR
returns a Map-Reply, it should be prepared to decapsulate and decrypt returns a Map-Reply, it should be prepared to decapsulate and decrypt
using the new keys computed with the new Diffie-Hellman parameters using the new keys computed with the new Diffie-Hellman parameters
received in the Map-Request and returned in the Map-Reply. received in the Map-Request and returned in the Map-Reply.
RLOC-probing can be used to change keys or cipher suites by the ITR RLOC-probing can be used to change keys or Cipher Suites by the ITR
at any time. And when an initial Map-Request is sent to populate the at any time. And when an initial Map-Request is sent to populate the
ITR's map-cache, the Map-Request flows across the mapping system ITR's map-cache, the Map-Request flows across the mapping system
where a single ETR from the Map-Reply RLOC-set will respond. If the where a single ETR from the Map-Reply RLOC-set will respond. If the
ITR decides to use the other RLOCs in the RLOC-set, it MUST send a ITR decides to use the other RLOCs in the RLOC-set, it MUST send a
Map-Request directly to negotiate security parameters with the ETR. Map-Request directly to negotiate security parameters with the ETR.
This process may be used to test reachability from an ITR to an ETR This process may be used to test reachability from an ITR to an ETR
initially when a map-cache entry is added for the first time, so an initially when a map-cache entry is added for the first time, so an
ITR can get both reachability status and keys negotiated with one ITR can get both reachability status and keys negotiated with one
Map-Request/Map-Reply exchange. Map-Request/Map-Reply exchange.
A rekeying event is defined to be when an ITR or PITR changes the A rekeying event is defined to be when an ITR or PITR changes the
cipher suite or public-key in the Map-Request. The ETR or RTR Cipher Suite or public key in the Map-Request. The ETR or RTR
compares the cipher suite and public-key it last received from the compares the Cipher Suite and public key it last received from the
ITR for the key-id, and if any value has changed, it computes a new ITR for the key-id, and if any value has changed, it computes a new
public-key and cipher suite requested by the ITR from the Map-Request public key and Cipher Suite requested by the ITR from the Map-Request
and returns it in the Map-Reply. Now a new shared secret is computed and returns it in the Map-Reply. Now a new shared secret is computed
and can be used for the key-id for encryption by the ITR and and can be used for the key-id for encryption by the ITR and
decryption by the ETR. When the ITR or PITR starts this process of decryption by the ETR. When the ITR or PITR starts this process of
negotiating a new key, it must not use the corresponding key-id in negotiating a new key, it must not use the corresponding key-id in
encapsulated packets until it receives a Map-Reply from the ETR with encapsulated packets until it receives a Map-Reply from the ETR with
the same cipher suite value it expects (the values it sent in a Map- the same Cipher Suite value it expects (the values it sent in a Map-
Request). Request).
Note when RLOC-probing continues to maintain RLOC reachability and Note when RLOC-probing continues to maintain RLOC reachability and
rekeying is not desirable, the ITR or RTR can either not include the rekeying is not desirable, the ITR or RTR can either not include the
Security Type LCAF in the Map-Request or supply the same key material Security Key LCAF Type in the Map-Request or supply the same key
as it received from the last Map-Reply from the ETR or RTR. This material as it received from the last Map-Reply from the ETR or RTR.
approach signals to the ETR or RTR that no rekeying event is This approach signals to the ETR or RTR that no rekeying event is
requested. requested.
11. Future Work 11. Future Work
For performance considerations, newer Elliptic-Curve Diffie-Hellman For performance considerations, newer Elliptic-Curve Diffie-Hellman
(ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to
reduce CPU cycles required to compute shared secret keys. reduce CPU cycles required to compute shared secret keys.
For better security considerations as well as to be able to build For better security considerations as well as to be able to build
faster software implementations, newer approaches to ciphers and faster software implementations, newer approaches to ciphers and
authentication methods will be researched and tested. Some examples authentication methods will be researched and tested. Some examples
are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539]. are ChaCha20 and Poly1305 [CHACHA-POLY] [RFC7539].
12. Security Considerations 12. Security Considerations
12.1. SAAG Support 12.1. SAAG Support
The LISP working group received security advice and guidance from the The LISP working group received security advice and guidance from the
Security Area Advisory Group (SAAG). The SAAG has been involved Security Area Advisory Group (SAAG). The SAAG has been involved
early in the design process and their input and reviews have been early in the design process, and their input and reviews have been
included in this document. included in this document.
Comments from the SAAG included: Comments from the SAAG included:
1. Do not use asymmetric ciphers in the data-plane. 1. Do not use asymmetric ciphers in the data plane.
2. Consider adding ECDH early in the design. 2. Consider adding ECDH early in the design.
3. Add cipher suites because ciphers are created more frequently 3. Add Cipher Suites because ciphers are created more frequently
than protocols that use them. than protocols that use them.
4. Consider the newer AEAD technology so authentication comes with 4. Consider the newer AEAD technology so authentication comes with
doing encryption. doing encryption.
12.2. LISP-Crypto Security Threats 12.2. LISP-Crypto Security Threats
Since ITRs and ETRs participate in key exchange over a public non- Since ITRs and ETRs participate in key exchange over a public
secure network, a man-in-the-middle (MITM) could circumvent the key non-secure network, a man in the middle (MITM) could circumvent the
exchange and compromise data-plane confidentiality. This can happen key exchange and compromise data-plane confidentiality. This can
when the MITM is acting as a Map-Replier, provides its own public key happen when the MITM is acting as a Map-Replier and provides its own
so the ITR and the MITM generate a shared secret key among each public key so the ITR and the MITM generate a shared secret key
other. If the MITM is in the data path between the ITR and ETR, it between them. If the MITM is in the data path between the ITR and
can use the shared secret key to decrypt traffic from the ITR. ETR, it can use the shared secret key to decrypt traffic from the
ITR.
Since LISP can secure Map-Replies by the authentication process Since LISP can secure Map-Replies by the authentication process
specified in [LISP-SEC], the ITR can detect when a MITM has signed a specified in [LISP-SEC], the ITR can detect when a MITM has signed a
Map-Reply for an EID-prefix it is not authoritative for. When an ITR Map-Reply for an EID-prefix for which it is not authoritative. When
determines the signature verification fails, it discards and does not an ITR determines that the signature verification fails, it discards
reuse the key exchange parameters, avoids using the ETR for and does not reuse the key exchange parameters, avoids using the ETR
encapsulation, and issues a severe log message to the network for encapsulation, and issues a severe log message to the network
administrator. Optionally, the ITR can send RLOC-probes to the administrator. Optionally, the ITR can send RLOC-probes to the
compromised RLOC to determine if can reach the authoritative ETR. compromised RLOC to determine if the authoritative ETR is reachable.
And when the ITR validates the signature of a Map-Reply, it can begin And when the ITR validates the signature of a Map-Reply, it can begin
encrypting and encapsulating packets to the RLOC of ETR. encrypting and encapsulating packets to the RLOC of ETR.
13. IANA Considerations 13. IANA Considerations
This document describes a mechanism for encrypting LISP encapsulated This document describes a mechanism for encrypting LISP-encapsulated
packets based on Diffie-Hellman key exchange procedures. During the packets based on Diffie-Hellman key exchange procedures. During the
exchange the devices have to agree on a Cipher Suite used (i.e. the exchange, the devices have to agree on a Cipher Suite to be used
cipher and hash functions used to encrypt/decrypt and to sign/verify (i.e., the cipher and hash functions used to encrypt/decrypt and to
packets). The 8-bit Cipher Suite field is reserved for such purpose sign/verify packets). The 8-bit Cipher Suite field is reserved for
in the security material section of the Map-Request and Map-Reply such purpose in the security material section of the Map-Request and
messages. Map-Reply messages.
This document requests IANA to create and maintain a new registry (as IANA has created a new registry (as outlined in [RFC5226]) titled
outlined in [RFC5226]) entitled "LISP Crypto Cipher Suite". Initial "LISP Crypto Cipher Suite". Initial values for the registry are
values for the registry are provided below. Future assignments are provided below. Future assignments are to be made on a "First Come,
to be made on a First Come First Served Basis. First Served" basis [RFC5226].
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
|Value| Suite | Definition | |Value| Suite | Reference |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 0 | Reserved | Section 6 | | 0 | Reserved | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 | | 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 | | 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 3 | LISP_2048MODP_AES128_GCM | Section 6 | | 3 | LISP_2048MODP_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 4 | LISP_3072MODP_AES128_GCM M-3072 | Section 6 | | 4 | LISP_3072MODP_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 5 | LISP_256_EC25519_AES128_GCM | Section 6 | | 5 | LISP_256_EC25519_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
| 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 | | 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 |
+-----+--------------------------------------------+------------+ +-----+--------------------------------------------+------------+
LISP Crypto Cipher Suites LISP Crypto Cipher Suites
14. References 14. References
14.1. Normative References 14.1. Normative References
[LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format", draft-ietf-lisp-lcaf-13.txt (work in
progress).
[NIST-SP800-108] [NIST-SP800-108]
"National Institute of Standards and Technology, National Institute of Standards and Technology,
"Recommendation for Key Derivation Using Pseudorandom "Recommendation for Key Derivation Using Pseudorandom
Functions NIST SP800-108"", NIST SP 800-108, October 2009. Functions", NIST Special Publication SP 800-108,
DOI 10.6028/NIST.SP.800-108, October 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, DOI 10.17487/RFC2631, June 1999, RFC 2631, DOI 10.17487/RFC2631, June 1999,
<http://www.rfc-editor.org/info/rfc2631>. <http://www.rfc-editor.org/info/rfc2631>.
skipping to change at page 16, line 40 skipping to change at page 17, line 15
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013, DOI 10.17487/RFC6973, July 2013,
<http://www.rfc-editor.org/info/rfc6973>. <http://www.rfc-editor.org/info/rfc6973>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<http://www.rfc-editor.org/info/rfc7539>. <http://www.rfc-editor.org/info/rfc7539>.
[RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060,
February 2017, <http://www.rfc-editor.org/info/rfc8060>.
14.2. Informative References 14.2. Informative References
[AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- Encryption with AES-CBC and HMAC-SHA", Work in Progress,
aes-cbc-hmac-sha2-05.txt (work in progress). draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014.
[CHACHA-POLY] [CHACHA-POLY]
Langley, A., "ChaCha20 and Poly1305 based Cipher Suites Langley, A. and W. Chang, "ChaCha20 and Poly1305 based
for TLS", draft-agl-tls-chacha20poly1305-04 (work in Cipher Suites for TLS", Work in Progress,
progress). draft-agl-tls-chacha20poly1305-04, November 2013.
[CURVE25519] [CURVE25519]
Bernstein, D., "Curve25519: new Diffie-Hellman speed Bernstein, D., "Curve25519: new Diffie-Hellman speed
records", Publication records", DOI 10.1007/11745853_14,
http://www.iacr.org/cryptodb/archive/2006/ <http://www.iacr.org/cryptodb/archive/2006/
PKC/3351/3351.pdf. PKC/3351/3351.pdf>.
[DH] "Diffie-Hellman key exchange", Wikipedia [DH] Wikipedia, "Diffie-Hellman key exchange", January 2017,
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange. <https://en.wikipedia.org/w/index.php?title=Diffie%E2%80%9
3Hellman_key_exchange&oldid=759611604>.
[LISP-DDT] [LISP-DDT] Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A.
Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP Smirnov, "LISP Delegated Database Tree", Work in
Delegated Database Tree", draft-fuller-lisp-ddt-04 (work Progress, draft-ietf-lisp-ddt-08, September 2016.
in progress).
[LISP-SEC] [LISP-SEC] Maino, F., Ermagan, V., Cabellos, A., and D. Saucez,
Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, "LISP-Security (LISP-SEC)", Work in Progress,
"LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-10 (work draft-ietf-lisp-sec-12, November 2016.
in progress).
Appendix A. Acknowledgments Acknowledgments
The authors would like to thank Dan Harkins, Joel Halpern, Fabio The authors would like to thank Dan Harkins, Joel Halpern, Fabio
Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest, Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest,
suggestions, and discussions about LISP data-plane security. An suggestions, and discussions about LISP data-plane security. An
individual thank you to LISP WG chair Luigi Iannone for shepherding individual thank you to LISP WG Chair Luigi Iannone for shepherding
this document as well as contributing to the IANA Considerations this document as well as contributing to the IANA Considerations
section. section.
The authors would like to give a special thank you to Ilari Liusvaara The authors would like to give a special thank you to Ilari Liusvaara
for his extensive commentary and discussion. He has contributed his for his extensive commentary and discussion. He has contributed his
security expertise to make lisp-crypto as secure as the state of the security expertise to make lisp-crypto as secure as the state of the
art in cryptography. art in cryptography.
In addition, the support and suggestions from the SAAG working group In addition, the support and suggestions from the SAAG working group
were helpful and appreciative. were helpful and appreciated.
Appendix B. Document Change Log
[RFC Editor: Please delete this section on publication as RFC.]
B.1. Changes to draft-ietf-lisp-crypto-10.txt
o Posted October 2016 after October 13th telechat.
o Addressed comments from Kathleen Moriarty, Stephen Farrel, and
Pete Resnick.
B.2. Changes to draft-ietf-lisp-crypto-09.txt
o Posted October 2016.
o Addressed comments from OPs Directorate reviewer Susan Hares.
B.3. Changes to draft-ietf-lisp-crypto-08.txt
o Posted September 2016.
o Addressed comments from Security Directorate reviewer Chris
Lonvick.
B.4. Changes to draft-ietf-lisp-crypto-07.txt
o Posted September 2016.
o Addressed comments from Routing Directorate reviewer Danny
McPherson.
B.5. Changes to draft-ietf-lisp-crypto-06.txt
o Posted June 2016.
o Fixed IDnits errors.
B.6. Changes to draft-ietf-lisp-crypto-05.txt
o Posted June 2016.
o Update document which reflects comments Luigi provided as document
shepherd.
B.7. Changes to draft-ietf-lisp-crypto-04.txt
o Posted May 2016.
o Update document timer from expiration.
B.8. Changes to draft-ietf-lisp-crypto-03.txt
o Posted December 2015.
o Changed cipher suite allocations. We now have 2 AES-CBC cipher
suites for compatibility, 3 AES-GCM cipher suites that are faster
ciphers that include AE and a Chacha20-Poly1305 cipher suite which
is the fastest but not totally proven/accepted..
o Remove 1024-bit DH keys for key exchange.
o Make clear that AES and chacha20 ciphers use AEAD so part of
encrytion/decryption does authentication.
o Make it more clear that separate key pairs are used in each
direction between xTRs.
o Indicate that the IV length is different per cipher suite.
o Use a counter based IV for every packet for AEAD ciphers.
Previously text said to use a random number. But CBC ciphers, use
a random number.
o Indicate that key material is sent in network byte order (big
endian).
o Remove A-bit from Security Type LCAF. No need to do
authentication only with the introduction of AEAD ciphers. These
ciphers can do authentication. So you get ciphertext for free.
o Remove language that refers to "encryption-key" and "integrity-
key". Used term "AEAD-key" that is used by the AEAD cipher suites
that do encryption and authenticaiton internal to the cipher.
B.9. Changes to draft-ietf-lisp-crypto-02.txt
o Posted September 2015.
o Add cipher suite for Elliptic Curve 25519 DH exchange.
o Add cipher suite for Chacha20/Poly1305 ciphers.
B.10. Changes to draft-ietf-lisp-crypto-01.txt
o Posted May 2015.
o Create cipher suites and encode them in the Security LCAF.
o Add IV to beginning of packet header and ICV to end of packet.
o AEAD procedures are now part of encrpytion process.
B.11. Changes to draft-ietf-lisp-crypto-00.txt
o Posted January 2015.
o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto-
00. This draft has become a working group document
o Add text to indicate the working group may work on a new data
encapsulation header format for data-plane encryption.
B.12. Changes to draft-farinacci-lisp-crypto-01.txt
o Posted July 2014.
o Add Group-ID to the encoding format of Key Material in a Security
Type LCAF and modify the IANA Considerations so this draft can use
key exchange parameters from the IANA registry.
o Indicate that the R-bit in the Security Type LCAF is not used by
lisp-crypto.
o Add text to indicate that ETRs/RTRs can negotiate less number of
keys from which the ITR/PITR sent in a Map-Request.
o Add text explaining how LISP-SEC solves the problem when a man-in-
the-middle becomes part of the Map-Request/Map-Reply key exchange
process.
o Add text indicating that when RLOC-probing is used for RLOC
reachability purposes and rekeying is not desired, that the same
key exchange parameters should be used so a reallocation of a
pubic key does not happen at the ETR.
o Add text to indicate that ECDH can be used to reduce CPU
requirements for computing shared secret-keys.
B.13. Changes to draft-farinacci-lisp-crypto-00.txt
o Initial draft posted February 2014.
Authors' Addresses Authors' Addresses
Dino Farinacci Dino Farinacci
lispers.net lispers.net
San Jose, California 95120 San Jose, California 95120
USA United States of America
Phone: 408-718-2001 Phone: 408-718-2001
Email: farinacci@gmail.com Email: farinacci@gmail.com
Brian Weis Brian Weis
cisco Systems Cisco Systems
170 West Tasman Drive 170 West Tasman Drive
San Jose, California 95124-1706 San Jose, California 95124-1706
USA United States of America
Phone: 408-526-4796 Phone: 408-526-4796
Email: bew@cisco.com Email: bew@cisco.com
 End of changes. 105 change blocks. 
384 lines changed or deleted 231 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/