IPPM WG                                              K. Pentikousis, Ed.
Internet-Draft                                                      EICT
Intended status: Standards Track                                  Y. Cui
Expires: April 24, August 18, 2014                                        E. Zhang
                                                     Huawei Technologies
                                                        October 21, 2013
                                                       February 14, 2014

               Network Performance Measurement for IPsec
                        draft-ietf-ippm-ipsec-01
                        draft-ietf-ippm-ipsec-02

Abstract

   IPsec is

   The O/TWAMP security mechanism requires that endpoints (i.e. both the
   client and the server) possess a mature technology with several interoperable
   implementations.  Indeed, shared secret.  Since the use currently-
   standardized O/TWAMP security mechanism only supports a pre-shared
   key mode, large scale deployment of IPsec tunnels O/TWAMP is increasingly
   gaining popularity in several deployment scenarios, not hindered
   significantly.  At the least in
   what used same time, recent trends point to be solely areas of traditional telecommunication
   protocols.  Wider IPsec deployment wider IKEv2
   deployment, which in turn calls for mechanisms and methods that
   enable tunnel end-users, as well as operators, to measure one-
   way one-way and
   two-way network performance in a standardized manner.
   Unfortunately, however, standard IP performance measurement security
   mechanisms cannot be readily used with IPsec.  This document makes
   the case for employing IPsec to protect
   discusses the One-way and Two-Way
   Active Measurement Protocols (O/TWAMP) and proposes a method which
   combines IKEv2 and O/TWAMP use of keys derived from an IKE SA as defined the shared key in RFC 4656 and RFC 5357,
   respectively.  This specification aims, on
   O/TWAMP.  If the one hand, to ensure
   that O/TWAMP shared key can be secured with the best mechanisms we have at our
   disposal today while, on the other hand, it facilitates derived from the
   applicability of IKE SA, O/TWAMP to networks that have already deployed
   IPsec.
   can support cert-based key exchange, which would allow for more
   flexibility and efficiency.  Such key derivation can also facilitate
   automatic key management.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, August 18, 2014.

Copyright Notice

   Copyright (c) 2013 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Motivation  . . .  O/TWAMP Security  . . . . . . . . . . . . . . . . . . . . . .   4   3
     3.1.  O/TWAMP-Control Security  . . . . . . . . . . . . . . . .   5   4
     3.2.  O/TWAMP-Test Security . . . . . . . . . . . . . . . . . .   6   5
     3.3.  O/TWAMP Security Root . . . . . . . . . . . . . . . . . .   7
     3.4.  O/TWAMP and IPsec . . . . . . . . . . . . . . . . . . . .   7   6
   4.  O/TWAMP for IPsec Networks  . . . . . . . . . . . . . . . . .   8   6
     4.1.  Shared Key Derivation . . . . . . . . . . . . . . . . . .   8   6
     4.2.  Server Greeting Message Update  . . . . . . . . . . . . .   9   7
     4.3.  Session Key Derivation  . . . . . . . . . . . . . . . . .  11
       4.3.1.  Alternative 1 . . . . . . . . . . . . . . . . . . . .  12
       4.3.2.  Alternative 2 . . .  Set-Up-Response Update  . . . . . . . . . . . . . . . . .  14   9
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  15  10
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  15  10
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  16  10
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  16  10
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  16  10
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  16  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16  11

1.  Introduction

   The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the
   Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
   measure network performance parameters, such as latency, bandwidth,
   and packet loss by sending probe packets and monitoring their
   experience in the network.  In order to guarantee the accuracy of
   network measurement results, security aspects must be considered.
   Otherwise, attacks may occur and the authenticity of the measurement
   results may be violated.  For example, if no protection is provided,
   an adversary in the middle may modify packet timestamps, thus
   altering the measurement results.

   Cryptographic

   The currently-standardized O/TWAMP security mechanisms, such as IPsec, have been
   considered during the early stage of the specification of the two
   active measurement protocols mentioned above.  However, due to
   several reasons, it was decided to avoid tying mechanism [RFC4656]
   [RFC5357] requires that endpoints (i.e. both the development client and
   deployment of O/TWAMP to such security mechanisms.  In practice, for
   many networks, the issues listed in [RFC4656], Sec. 6.6 with respect
   to IPsec are still valid.  However, we expect that in
   server) possess a shared secret.  In today's network deployments,
   however, the near future
   IPsec will use of pre-shared keys may not be deployed in many more hosts and networks than today. optimal.  For example, IPsec tunnels may be used to secure wireless channels.
   In this case, what we are interested
   in is measuring wireless infrastructure networks, certain network
   performance specifically for the traffic carried by the secured
   tunnel, not over elements, which
   can be seen as the wireless channel in general. two endpoints from an O/TWAMP perspective, support
   certificate-based security.  This document
   makes is the case that O/TWAMP should be cognizant when IPsec and other
   security mechanisms are in place and can be leveraged upon.  In other
   words, it is now time one wants to specify how O/TWAMP is used in a network
   environment where IPsec is already deployed.  We expect that in such
   an environment, measuring
   measure IP performance over IPsec tunnels with O/
   TWAMP is between an important tool eNB and SeGW, for operators.

   For example, when considering instance.  Since
   the use of currently standardized O/TWAMP in networks with
   IPsec deployed, we can take advantage of the IPsec security mechanism only supports
   pre-shared key exchange
   protocol [RFC5996].  In particular, we note that it mode, large scale deployment of O/TWAMP is not necessary
   to use distinct keys in OWAMP-Control hindered
   significantly.  Furthermore, deployment and OWAMP-Test layers.  One key management of "shared
   secrets" for encryption massive equipment installation consumes a tremendous
   amount of effort and another for authentication is sufficient for both
   Control and Test layers.  This obviates the need prone to generate two human error.

   With IKEv2 widely used, using keys
   for each layer and reduces derived from IKE SA as shared key
   can be considered as a viable alternative.  In mobile
   telecommunication networks, the complexity deployment rate of O/TWAMP protocols in an IPsec environment.  This observation comes from the fact that
   separate session keys in exceeds 95%
   with respect to the OWAMP-Control LTE serving network.  In older-technology
   cellular networks, such as UMTS and OWAMP-Test layers were
   designed for preventing reflection attacks when employing the current
   mechanism.  Once GSM, IPsec use penetration is employed, such a potential threat
   lower, but still quite significant.  If the shared key can be derived
   from the IKE SA, O/TWAMP can support cert-based key exchange and make
   it more flexible in practice and more efficient.  The use of IKEv2
   also makes it easier to extend automatic key management.  In general,
   O/TWAMP measurement packets can be transmitted inside the IPsec
   tunnel, as it occurs with typical user traffic, or transmitted
   outside the IPsec tunnel.  This may depend on the operator's policy
   and is
   alleviated. orthogonal to the mechanism described in this document.

   The remainder of this document is organized as follows.  Section 3
   motivates this work by revisiting the arguments made in [RFC4656]
   against the use of IPsec; this section also
   summarizes O/TWAMP protocol operation with respect to security.
   Section 4 presents a method of binding O/TWAMP and IKEv2 for network
   measurements between a sender the client and a receiver the server which both support IPsec.
   IKEv2.  Finally, Section 5 discusses the security considerations
   arising from the proposed mechanisms.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Motivation

   In order to motivate the solutions proposed  O/TWAMP Security

   Security for O/TWAMP-Control and O/TWAMP-Test are reviewed separately
   in this document, let us
   first revisit Section 6.6 of [RFC4656].  As we explain below, the
   reasons originally listed therein may not apply in many cases today.

   RFC 4656 opts against using IPsec and instead favors the use of "a section.

3.1.  O/TWAMP-Control Security

   O/TWAMP uses a simple cryptographic protocol (based which relies on a block cipher in CBC mode)".
   The first argument justifying this decision in [RFC4656] is that
   partial authentication

   o  AES in OWAMP Cipher Block Chaining (AES-CBC) for confidentiality

   o  HMAC-SHA1 truncated to 128 bits for message authentication mode is not possible
   with IPsec.  IPsec indeed cannot authenticate only a part

   Three modes of a
   packet.  However, operation are supported in an environment where IPsec is already deployed the OWAMP-Control protocol:
   unauthenticated, authenticated, and actively used, partial authentication for OWAMP contradicts encrypted.  Besides the
   operational reasons dictating above
   three modes supported, the use of IPsec.  It TWAMP-Control protocol also increases supports an
   additional mode: mixed mode, i.e. the operational complexity of OWAMP (and TWAMP) TWAMP-Control protocol operates
   in networks where
   IPsec is actively used and may encrypted mode while TWAMP-Test protocol operates in practice limit its applicability.
   unauthenticated mode.  The second argument made authenticated, encrypted and mixed modes
   require that endpoints possess a shared secret, typically a
   passphrase.  The secret key is derived from the need to keep separate deployment
   paths between OWAMP and IPsec.  In several currently deployed types
   of networks IPsec is widely used to protect the data and signaling
   planes.  For example, in mobile telecommunication networks, passphrase using a
   password-based key derivation function PBKDF2 (PKCS#5) [RFC2898].

   In the
   deployment rate of IPsec exceeds 95% with respect to unauthenticated mode, the LTE serving
   network. security parameters are left unused.
   In older technology cellular networks, such as UMTS the authenticated, encrypted and
   GSM, IPsec use penetration is lower, but still quite significant.
   Additionally, there is a great number of IPsec-based VPN applications
   which are widely used in business applications to provide end-to-end mixed modes, the security over, for instance, publicly open or otherwise untrusted
   IEEE 802.11 wireless LANs.  At
   parameters are negotiated during the same time, many IETF-standardized
   protocols make use control connection
   establishment.

   Figure 1 illustrates the initiation stage of IPsec/IKE, including MIPv4/v6, HIP, SCTP, BGP,
   NAT the O/TWAMP-Control
   protocol between a client and SIP, just to name the server.  In short, the client opens
   a few.

   The third argument in [RFC4656] is that, effectively, TCP connection to the adoption of
   IPsec server in OWAMP may order to be problematic for "lightweight embedded devices."
   However, since the publication of RFC 4656, able to send O/TWAMP-
   Control commands.  The server responds with a large number of
   limited-resource and low-cost hardware, such as Ethernet switches,
   DSL modems, set-top boxes Server Greeting, which
   contains the Modes, Challenge, Salt, Count, and other such devices come with support
   for IPsec "out MBZ fields (see
   Section 3.1 of [RFC4656]).  If the box".  Therefore concerns about implementation,
   although likely valid client-preferred mode is
   available, the client responds with a decade ago, are not Set-Up- Response message,
   wherein the selected Mode, as well founded today.

   Finally, everyday use of IPsec applications by field technicians as the KeyID, Token and
   good understanding of Client IV
   are included.  The Token is the IPsec API by many programmers should no
   longer be concatenation of a reason for concern.  On the contrary: By now, IPsec open
   source code is available for anyone who wants to use it.  Therefore,
   although IPsec does need 16-octet
   Challenge, a certain level of expertise to deal with
   it, in practice, most competent technical personnel 16-octet AES Session-key used for encryption, and programmers
   have no problems using it on a daily basis.

   OWAMP and TWAMP actually consist of two inter-related protocols: O/
   TWAMP-Control and O/TWAMP-Test.  With respect to TWAMP, since "TWAMP
   and OWAMP use the same protocol for establishment of Control and Test
   procedures" [RFC5357] (Section 6), IPsec is also not considered.  O/
   TWAMP-Control is used to initiate, start, and stop test sessions and
   to fetch their results, whereas O/TWAMP-Test is
   32-octet HMAC-SHA1 Session-key used to exchange test
   packets between two measurement nodes.

   In the remainder of this section we review security for O/TWAMP-
   Control and O/TWAMP-Test separately and then make the case for authentication.  The Token is
   encrypted using
   them over IPsec.

3.1.  O/TWAMP-Control Security

   O/TWAMP uses a simple cryptographic protocol which relies on

   o  AES in Cipher Block Chaining (AES-CBC) for confidentiality

   o  HMAC-SHA1 truncated to 128 bits for AES-CBC.

   +--------+                  +--------+
   | Client |                  | Server |
   +--------+                  +--------+
       |                           |
       |<---- TCP Connection ----->|
       |                           |
       |<---- Greeting message authentication

   Three modes ----|
       |                           |
       |----- Set-Up-Response ---->|
       |                           |
       |<---- Server-Start --------|
       |                           |

                  Figure 1: Initiation of operation are supported: unauthenticated,
   authenticated, and encrypted.  The authenticated and encrypted modes
   require that endpoints possess a shared secret, typically O/TWAMP-Control

   Encryption uses a
   passphrase.  The secret key is derived from the passphrase using a
   password-based key derivation function PBKDF2 (PKCS#5) [RFC2898].

   In the unauthenticated mode, the security parameters are left unused. shared secret associated with
   KeyID.  In the authenticated and authenticated, encrypted and mixed modes, security parameters are
   negotiated during the control connection establishment.

   Figure 1 illustrates the initiation stage of all further
   communication is encrypted using the O/TWAMP-Control
   protocol between a client AES Session-key and
   authenticated with the server.  In short, the client opens
   a TCP connection to HMAC Session-key.  After receiving Set-Up-
   Response the server in order to be able to send OWAMP-
   Control commands.  The server responds with a Server Greeting, which
   contains the Modes, Challenge, Salt, Count, and MBZ fields (see
   Section 3.1 of [RFC4656]).  If the client-preferred mode is
   available, the client responds with a Set-Up-Response message,
   wherein the selected Mode, as well as the KeyID, Token and Client IV
   are included.  The Token is the concatenation of a 16-octet
   Challenge, a 16-octet AES Session-key used for encryption, and a
   32-octet HMAC-SHA1 Session-key used for authentication.  The Token is
   encrypted using AES-CBC.

   +--------+                  +--------+
   | Client |                  | Server |
   +--------+                  +--------+
       |                           |
       |<---- TCP Connection ----->|
       |                           |
       |<---- Greeting message ----|
       |                           |
       |----- Set-Up-Response ---->|
       |                           |
       |<---- Server-Start --------|
       |                           |

                  Figure 1: Initiation of O/TWAMP-Control

   Encryption uses a key derived from the shared secret associated with
   KeyID.  In the authenticated and encrypted modes, all further
   communication is encrypted using the AES Session-key and
   authenticated with the HMAC Session-key.  The client encrypts
   everything it transmits through Server-Start message containing
   Server-IV.  The client encrypts everything it transmits through the
   just-established O/TWAMP-Control connection using stream encryption
   with Client-IV Client- IV as the IV.  Correspondingly, the server encrypts its
   side of the connection using Server-IV as the IV.  The IVs themselves
   are transmitted in cleartext.  Encryption starts with the block
   immediately following that containing the IV.

   The AES Session-key and HMAC Session-key are generated randomly by
   the client.  The HMAC Session-key is communicated along with the AES
   Session-key during O/TWAMP-Control connection setup.  The HMAC
   Session-key is derived independently of the AES Session-key.

3.2.  O/TWAMP-Test Security

   The O/TWAMP-Test protocol runs over UDP, using the sender client and
   receiver server
   IP and port numbers that were negotiated during the Request-
   Session Request-Session
   exchange.  O/TWAMP-Test  O/TWAMP- Test has the same three modes as mode with O/
   TWAMP-Control (unauthenticated, authenticated, and encrypted) O/TWAMP-Control and
   all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control
   session mode except when operating in mixed mode.

   The O/TWAMP-Test packet format is the same in authenticated and
   encrypted modes.  The encryption and authentication operations are,
   however, different.  Similarly with the respective O/TWAMP-Control
   session, each O/TWAMP-Test session has two keys: an AES Session-key
   and an HMAC Session-key.  However, there is a difference in how the
   keys are obtained:

   O/TWAMP-Control:  the keys are generated by the client and
           communicated to the server during the control connection
           establishment with the Set-Up-Response message (as part of
           the Token).

   O/TWAMP-Test:  the keys are derived from the O/TWAMP-Control keys and
           the session identifier (SID), which serve as inputs of the
           key derivation function (KDF).  The O/TWAMP-Test AES Session-
           key is generated using the O/TWAMP-Control O/TWAMP- Control AES Session-key,
           with the 16-octet session identifier (SID), for encrypting
           and decrypting the packets of the particular O/TWAMP-Test
           session.  The O/TWAMP-Test HMAC Session-key is generated
           using the O/TWAMP-Control HMAC Session-key, with the 16-octet
           session identifier (SID), for authenticating the packets of
           the particular O/TWAMP-Test session.

3.3.  O/TWAMP Security Root

   As discussed above, the AES Session-key and HMAC Session-key used in
   the O/TWAMP-Test protocol are derived from the AES Session-key and
   HMAC Session-key which are used in O/TWAMP-Control protocol.  The AES
   Session-key and HMAC Session-key used in the O/TWAMP-Control protocol
   are generated randomly by the client, and encrypted with the shared
   secret associated with KeyID.  Therefore, the security root is the
   shared secret key.  Thus, for large deployments, key provision and
   management may become overly complicated.  Comparatively, a
   certificate-based approach using IKEv2/IPsec IKEv2 can automatically manage the
   security root and solve this problem, as we explain in Section 4.

3.4.

4.  O/TWAMP and IPsec

   According to [RFC4656] the "deployment paths of for IPsec and OWAMP could
   be separate if OWAMP does not depend on IPsec."  However, the problem
   that arises in practice is that the security mechanism Networks

   This section presents a method of binding O/TWAMP and
   IPsec cannot coexist at the same time without adding overhead or
   increasing complexity.

   IPsec provides confidentiality and data integrity to IP datagrams.
   Distinct protocols are provided: Authentication Header (AH),
   Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE
   v1/v2).  AH provides only integrity protection, while ESP can also
   provide encryption.  IKE is used IKEv2 for dynamical key negotiation and
   automatic key management.

   When sender
   network measurements between a client and receiver implement O/TWAMP over IPsec, they need to
   agree on a server which both support
   IPsec.  In short, the shared secret key during the IPsec tunnel establishment.
   Subsequently, all IP packets sent by the sender are protected.  If
   the AH protocol used for securing O/TWAMP traffic is used, IP packets are transmitted in plaintext.

   The authentication part covers
   derived using IKEv2 [RFC5996].

4.1.  Shared Key Derivation

   In the entire packet.  So all test
   information, such as UDP port number, authenticated, encrypted and mixed modes, the test results will be
   visible to any attacker, which shared secret
   key can intercept these test packets, and
   introduce errors or forge packets that may be injected during derived from the
   transmission.  In order IKEv2 Security Association (SA).  Note
   that we explicitly opt to avoid this attack, derive the receiver must
   validate shared secret key from the integrity of these packets with IKE
   SA, rather than the negotiated secret
   key.  If ESP is used, IP packets are encrypted, and hence only child SA, since the
   receiver can use case whereby an IKE SA
   can be created without generating any child SA is possible [RFC6023].

   If the IPsec shared secret key to decrypt is derived from the IP packet, IKE SA, SKEYSEED must be
   generated first.  SKEYSEED and
   obtain the test data in order to assess the IP network performance
   based on the measurements.  Both the sender its derivatives are computed as per
   [RFC5996], where prf is a pseudorandom function:

      SKEYSEED = prf( Ni | Nr, g^ir )

   Ni and receiver must support
   IPsec to generate the security secret key of IPsec.

   Currently, after Nr are, respectively, the test packets initiator and responder nonces,
   which are received by negotiated during the receiver, it
   cannot execute active measurement over IPsec.  That initial exchange (see Section 1.2 of
   [RFC5996]).  g^ir is because the
   receiver knows only shared secret from the ephemeral Diffie-
   Hellman exchange and is represented as a string of octets.

   The shared secret key but not can be generated as follows:

      Shared secret key = PRF{ SKEYSEED, "IPPM" }

   The shared secret key is derived in the IPsec key,
   while the test packets are protected by layer.  Thus, the IPsec key ultimately.
   Therefore, it needs to
   keying material is not be considered how exposed to measure IP network
   performance in an IPsec tunnel with O/TWAMP.  Without this
   functionality, the use of OWAMP O/TWAMP client.  Note that
   the interaction between the O/TWAMP and TWAMP over IPsec implementations is hindered.
   outside the scope of this document, which focuses on the interaction
   between the O/TWAMP client and server.  Of course, backward compatibility should be considered as well.  That
   is, extracting the intrinsic security method based on
   shared secret key as specified in from the O/TWAMP standards IPsec layer can also still be suitable for other network
   settings.  There should be no impact depend on the current security
   mechanisms defined in O/TWAMP for other use cases.  This document
   describes
   implementation.  One possible solutions to this problem which take advantage of way could be the secret key derived by IPsec, in order to provision following: at the key needed
   for active network measurements based on [RFC4656] and [RFC5357].

4.  O/TWAMP for IPsec Networks

   This section presents
   client side, the IPSec layer can perform a method lookup in the Security
   Association Database (SAD) using the IP address of binding O/TWAMP and IKEv2 for
   network measurements between a client the server and a
   thus match the corresponding IKE SA.  At the server which both support
   IPsec.  In short, side, the shared key used for securing O/TWAMP traffic is
   derived using IKEv2 [RFC5996].

4.1.  Shared Key Derivation

   If IPSec
   layer can look up the AH protocol is used, corresponding IKE SA by using the IP packets are transmitted in
   plaintext, but all O/TWAMP traffic is integrity-protected SPIs sent by IPsec.
   Therefore, even if
   the peers choose to opt client, and therefore extract the shared secret key.

   If rekeying for the unauthenticated
   mode, IPsec integrity protection is extended to O/TWAMP.  In IKE SA or deletion of the
   authenticated and encrypted modes, IKE SA occurs, the
   corresponding shared secret key generated from the SA can continue to
   be derived
   from used until the IKEv2 Security Association (SA), or IPsec SA.

   If lifetime of the shared secret key is derived from expires.

4.2.  Server Greeting Message Update

   To achieve a binding association between the IKEv2 SA, SKEYSEED must
   be key generated firstly.  SKEYSEED from IKE
   and its derivatives are computed as
   per [RFC5996], where prf is a pseudorandom function:

      SKEYSEED = prf( Ni | Nr, g^ir )

   Ni and Nr are, respectively, the initiator and responder nonces,
   which are negotiated during the initial exchange (see Section 1.2 of
   [RFC5996]).  g^ir is the shared secret from the ephemeral Diffie-
   Hellman exchange and is represented as a string of octets.  Note that
   this SKEYSEED can be used as the O/TWAMP shared secret key directly.

   Alternatively, the shared secret key can be generated as follows:

      Shared secret key = PRF{ SKEYSEED, Session ID }

   wherein the Session ID is the O/TWAMP-Test SID.

   If the shared secret key is derived from the IPsec SA, instead, the
   shared secret key can be equal to KEYMAT, wherein

      KEYMAT = prf+( SK_d, Ni | Nr )

   The term "prf+" stands for a function that outputs a pseudorandom
   stream based on the inputs to a prf, while SK_d is defined in
   [RFC5996] (Sections 2.13 and 1.2, respectively).  The shared secret
   key can alternatively be generated as follows:

      Shared secret key = PRF{ KEYMAT, Session ID }

   wherein the session ID is is the O/TWAMP-Test SID.

   If rekeying for the IKE SA and IPsec SA occurs, the corresponding key
   of the SA is updated.  Generally, ESP and AH SAs always exist in
   pairs, with one SA in each direction.  If the SA is deleted, the key
   generated from the IKE SA or IPsec SA should also be updated.

4.2.  Server Greeting Message Update

   As discussed above, a binding association between the key generated
   from IPsec and the O/TWAMP shared secret key needs to be considered.
   The Security Association (SA) can be identified by the Security
   Parameter Index (SPI) and protocol uniquely for a given sender and
   receiver pair.  Therefore, these parameters should be agreed upon
   during the initiation stage of O/TWAMP-Control.  At the stage that
   the sender and receiver negotiate the integrity key, the IPsec
   protocol and SPI MUST be checked.  Only if the two parameters are
   matched with the IPsec information, MUST the O/TWAMP connection be
   established.

   The Security Parameter Index (SPI) and protocol type (see [RFC4301]
   [RFC5996]) will need to be included in the Server Greeting of the O/
   TWAMP-Control protocol depicted in Figure 1.  After the client
   receives the greeting, it MUST close the connection if it receives a
   greeting with an erroneous SPI and protocol value (Figure 2).
   Otherwise, the client SHOULD generate the shared secret key as
   discussed in Section 4.1 and respond with the server-expected Set-Up-
   Response message.

   The Modes field in Figure 2 will need to allow for support of key
   derivation as discussed in Section 4.1.  As such, pending discussion
   in the IPPM WG, Modes value 8 MUST be supported by compatible
   implementations, indicating support for IPsec.  Server
   implementations compatible with this document MUST set the first 28
   bits of the Modes field to zero.  A client compatible with this
   specification MUST ignore the first 28 bits of the Modes field.  For
   backward compatibility, the server is obviously allowed to indicate
   support for the Modes defined in [RFC4656]

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Protocol                            |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIi                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIr                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Modes                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Challenge (16 octets)                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        Salt (16 octets)                       |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Count (4 octets)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        MBZ (12 octets)                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 2: Server Greeting format

   A compatible O/TWAMP client implementation would then interpret the
   originally unused 12 bits of the Server Greeting (see sec. 3.1 of
   [RFC4656]) as follows: The first 4 octets of the Server Greeting
   message indicate the protocol type, while the following 8 octets
   indicate the initiator (SPIi) and responder (SPIr) SPIs as
   illustrated in Figure 2.  Note that in this case, the remaining
   fields of the Server Greeting message remain as per [RFC4656].

   EDITOR'S NOTE:
         We expect that this implementation option would pose the least
         backwards compatibility problems to existing O/TWAMP clients.
         Robust client implementations of [RFC4656] would disregard that
         the 29th Modes bit in the Server Greeting is set, and should
         ignore the information contained in the newly defined fields
         (Protocol, SPIi, SPIr).  If the server supports other Modes, as
         one would assume, the client would then indicate any of the
         Modes defined in [RFC4656] and effectively indicate that it
         does not support the IPsec mode.  At this point, the Server
         would need to use the Modes defined in [RFC4656] only.

   When using ESP, all IP packets are encrypted, and therefore only the
   receiver can use the IPsec key to decrypt the IP active measurement
   packets.  In this case, the IPsec tunnel between the sender and
   receiver provides additional security: even if the peers choose the
   unauthenticated mode, IPsec encryption and integrity protection is
   provided to O/TWAMP.  If the sender and receiver decide to use the
   authenticated or encrypted mode, the shared secret can also be
   derived from IKE SA or IPsec SA.  The method for key generation and
   binding association is the same discussed above for the AH protocol
   mode.

   There is an encryption-only configuration in ESP, though this is not
   recommended due to its limitations.  Since it does not produce
   integrity key in this case, either encryption-only ESP should be
   prohibited for O/TWAMP, or a decryption failure should be
   distinguished due to possible integrity attack.

4.3.  Session Key Derivation

   Section 4.1 described a method for deriving the shared key for O/
   TWAMP by capitalizing on IPsec.  This is a step forward in terms of
   facilitating O/TWAMP deployment at scale in IPsec networks as it
   allows for greater and secure automation of standardized network
   performance measurements.  We note, however, that the O/TWAMP
   protocol uses distinct encryption and integrity keys for O/TWAMP-
   Control and O/TWAMP-Test.  Consequently, four keys are generated to
   protect O/TWAMP-Control and O/TWAMP-Test messages.

   In fact, once IPsec is employed, one key for encryption and another
   for authentication is sufficient for both the Control and Test
   protocols.  Therefore, in an IPsec environment we can further reduce
   the operational complexity of O/TWAMP protocols in a straightforward
   manner, as discussed below.

   EDITOR'S NOTE:
         We expect that both session key derivation proposals and
         optimization alternatives will be discussed in the IPPM working
         group and we are looking forward to community comments and
         feedback.

4.3.1.  Alternative 1

   If an IPsec SA is established between the server and the client, or
   both server and client support IPsec, the root key for O/TWAMP-based
   active network measurements can be derived from the IKE or IPsec SA.

   If the root key that will be used in O/TWAMP network performance
   measurements is derived from the IKE SA, SKEYSEED must be generated
   first.  SKEYSEED and its derivatives are computed as per [RFC5996].
   SKEYSEED can be used as the root key of O/TWAMP directly; then the
   root key of O/TWAMP is equal to SKEYSEED.  If the root key of O/TWAMP
   is derived from the IPsec SA, the shared secret key can be equal to
   KEYMAT.  KEYMAT and its derivatives are computed as per usual
   [RFC5996].

   Then, the session keys for encryption and authentication can be
   derived from the root key of O/TWAMP, wherein:

   Session key for enc = PRF{ root key of O/TWAMP, "O/TWAMP enc" }

   Session key for auth = PRF{ root key of O/TWAMP, "O/TWAMP auth" }

   The former can provide encryption protection for O/TWAMP-Control and
   O/TWAMP-Test messages, while the latter can provide integrity
   protection.

   Note that there are cases where rekeying the IKE SA and IPsec SA is
   necessary, and after which the corresponding key of SA is updated.
   If the SA is deleted, the O/TWAMP shared key generated from the IKE
   SA or IPsec SA should also be updated.

   EDITOR'S NOTE:

         In addition to optimizing session key derivation, we can also
         reduce the verbosity of the Server Greeting and Set-Up-Response
         messages, as explained below.  Note, however, that such O/TWAMP
         message simplification poses backward compatibility challenges,
         which should be discussed in the IPPM WG.

   In this optimization, the O/TWAMP-Control message exchange flow
   remains as per Figure 1.  However, the optimized Server Greeting
   (Figure 3) can do without the Salt and Count parameters (cf. Figure
   2) since the root key of O/TWAMP is derived from IKE SA or IPsec SA.
   O/TWAMP security can rely on IPsec and the SPI can uniquely identify
   the IPsec SA from which the root key was derived from.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Protocol                            |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIi                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIr                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Modes                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Challenge (16 octets)                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        MBZ (12 octets)                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 3: Optimized the O/TWAMP shared secret key, Server Greeting format

   The format of the Set-Up-Response is illustrated in Figure 4.  The
   Token carried in the Set-Up-Response is calculated Message should be
   updated as follows:

      Token = Enc_root-key( Challenge )

   where Challenge is the value received earlier in the Server Greeting
   (Figure 3) Figure 2.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Mode                                                               |
   |                       Unused (12 octets)                      |
   |                                                               |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Modes                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Token                     Challenge (16 octets)                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Client-IV                        Salt (16 octets)                       |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Count (4 octets)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        MBZ (12 octets)                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 4: Set-Up-Response 2: Server Greeting format

   The Modes field in Alternative 1

   If the server authenticates the token successfully, then the O/TWAMP-
   Control message exchange flow can continue.

4.3.2.  Alternative Figure 2

   Another way will need to allow for optimizing support of key
   derivation as discussed in Section 4.1.  As such, pending discussion
   in the IPPM WG, Modes value 8 extension MUST be supported by
   implementations compatible with this document, indicating support for
   deriving shared key use is to set the O/TWAMP
   session keys equal to from IKE SA.  Modes value 16 indicates
   authenticated mode; Modes value 32 indicates encrypted mode; and
   Modes value 64 indicates mixed mode over IKEv2.

   Authenticated mode over IKEv2 means that the keys of client and server
   operate in authenticated mode with the IPsec SA directly, i.e:

   Session key for enc = encryption shared secret key of derived from
   IKE SA.  Encrypted mode over IKEv2 means that the IPsec SA

   Session key for auth = integrity key of client and server
   operate in encrypted mode with the IPsec SA

   The former session shared secret key can provide encryption protection for O/TWAMP-
   Control derived from IKE
   SA.  Mixed mode over IKEv2 means that the client and O/TWAMP-Test messages, while server operate
   in encrypted mode for the latter can provide
   integrity protection.  The point made O/TWAMP-Control protocol while operating in
   unauthenticated mode for the previous subsection
   about rekeying O/TWAMP-Test protocol with shared secret
   key derived from IKE SA.

   Server implementations compatible with this document MUST set the IPsec SA applies here too.

   EDITOR'S NOTE:
         As noted in
   first 25 bits of the previous subsection, here too we can reduce Modes field to zero.  A client compatible with
   this specification MUST ignore the
         verbosity first 25 bits of the Server Greeting and Set-Up-Response messages
         even further, as explained below.  Note, however, that such O/
         TWAMP message simplification poses Modes field.

   For backward compatibility
         challenges, which should be discussed in compatibility, the IPPM WG. server is obviously allowed to
   indicate support for the Modes defined in [RFC4656]

   The choice of this set of Modes values poses the least backwards
   compatibility problems to existing O/TWAMP control message exchange flow remains clients.  Robust client
   implementations of [RFC4656] would disregard that the same (i.e. as
   per Figure 1), while first 29 Modes
   bits in the Server Greeting format is illustrated in
   Figure 5.  The Challenge, Salt, and Count parameters can be
   eliminated since set.  If the session keys of O/TWAMP are equal to server supports other
   Modes, as one would assume, the keys client would then indicate any of
   an IPsec SA directly.  SPI can identify the IPsec SA where
   Modes defined in [RFC4656] and effectively indicate that it does not
   support key derivation from IKE.  At this point, the
   session keys derived from. Server would
   need to use the Modes defined in [RFC4656] only.

4.3.  Set-Up-Response Update

   The similarly optimized Set-Up-Response
   message is illustrated in Figure 6.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Protocol                            |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIi                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           SPIr                                |
   |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Modes                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        MBZ (12 octets)                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 5: Optimized Server Greeting format Message should be updated as in Figure 3.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Mode                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Key ID (80 octets)                        |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Token (16 octets)                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Client-IV (12 octets)                      |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 6: 3: Set-Up-Response Message

   The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can
   uniquely identify the Security Association (SA).  If the client
   supports the derivation of shared secret key from IKE SA, it will
   choose the corresponding mode value and carry SPIi and SPIr in Alternative 2 the
   KeyID field.  SPIi and SPIr are included in Key ID field of Set-Up-
   Response Message to indicate the IKE SA which O/TWAMP shared secret
   key derived from.  The length of SPI is 4 octets.  The first 4 octets
   of Key ID field carries SPIi and the second 4 octets carries SPIr.
   The rest bits of the Key ID field is set to zero.

   A server which supports deriving shared secret from an IKE SA can
   obtain the SPIi and SPIr from the first 8 octets and ignore the rest
   octets of the Key ID field.  Then, the client and the server can
   derive the shared secret key based on the mode value and SPI.

   If the server can not find the IKE SA corresponding to the SPIi and
   SPIr, the Accept field of Server-Start message is extended to
   indicate that.  Accept value 6 can be used to indicate that server is
   not willing to conduct further transactions in this OWAMP-Control
   session since it can not find the corresponding IKE SA.

5.  Security Considerations

   As the shared secret key is derived from IPsec, the IKE SA, the key
   derivation algorithm strength and limitations are as per [RFC5996].
   The strength of a key derived from a Diffie-Hellman exchange using
   any of the groups defined here depends on the inherent strength of
   the group, the size of the exponent used, and the entropy provided by
   the random number generator employed.  The strength of all keys and
   implementation vulnerabilities, particularly Denial of Service (DoS)
   attacks are as defined in [RFC5996].

   EDITOR'S NOTE:

   As a more general note, the IPPM community may want to revisit the
   arguments listed in [RFC4656], Sec. 6.6.  Other widely-used Internet
   security mechanisms, such as TLS and DTLS, may also be considered for
   future use over and above of what is already specified in [RFC4656]
   [RFC5357].

6.  IANA Considerations

   IANA may will need to allocate additional values for the Modes options
   presented in this document.  The values of the protocol field may
   need to be assigned from the numbering space.

7.  Acknowledgments

   Emily Bi contributed to an earlier version of this document.

   We thank Eric Chen and Chen, Yakov Stein Stein, and John Mattsson for their comments
   on this draft, and Al Morton for the discussion on related earlier
   work in IPPM WG.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4656]  Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
              Zekauskas, "A One-way Active Measurement Protocol
              (OWAMP)", RFC 4656, September 2006.

   [RFC5357]  Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
              Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
              RFC 5357, October 2008.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
              5996, September 2010.

8.2.  Informative References

   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
              Specification Version 2.0", RFC 2898, September 2000.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC6023]  Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A
              Childless Initiation of the Internet Key Exchange Version
              2 (IKEv2) Security Association (SA)", RFC 6023, October
              2010.

Authors' Addresses

   Kostas Pentikousis (editor)
   EICT GmbH
   Torgauer Strasse 12-15
   10829 Berlin
   Germany

   Email: k.pentikousis@eict.de

   Yang Cui
   Huawei Technologies
   Otemachi First Square 1-5-1 Otemachi
   Chiyoda-ku, Tokyo   100-0004
   Japan

   Email: cuiyang@huawei.com
   Emma Zhang
   Huawei Technologies
   Huawei Building, Q20, No.156, Rd. BeiQing
   Haidian District , Beijing   100095
   P. R. China

   Email: emma.zhanglijia@huawei.com