draft-ietf-ippm-ipsec-00.txt   draft-ietf-ippm-ipsec-01.txt 
IPPM WG K. Pentikousis, Ed. IPPM WG K. Pentikousis, Ed.
Internet-Draft Y. Cui Internet-Draft EICT
Intended status: Standards Track E. Zhang Intended status: Standards Track Y. Cui
Expires: January 06, 2014 Huawei Technologies Expires: April 24, 2014 E. Zhang
July 05, 2013 Huawei Technologies
October 21, 2013
Network Performance Measurement for IPsec Network Performance Measurement for IPsec
draft-ietf-ippm-ipsec-00 draft-ietf-ippm-ipsec-01
Abstract Abstract
IPsec is a mature technology with several interoperable IPsec is a mature technology with several interoperable
implementations. Indeed, the use of IPsec tunnels is increasingly implementations. Indeed, the use of IPsec tunnels is increasingly
gaining popularity in several deployment scenarios, not the least in gaining popularity in several deployment scenarios, not the least in
what used to be solely areas of traditional telecommunication what used to be solely areas of traditional telecommunication
protocols. Wider deployment calls for mechanisms and methods that protocols. Wider IPsec deployment calls for mechanisms and methods
enable tunnel end-users, as well as operators, to measure one-way and that enable tunnel end-users, as well as operators, to measure one-
two-way network performance. Unfortunately, however, standard IP way and two-way network performance in a standardized manner.
performance measurement security mechanisms cannot be readily used Unfortunately, however, standard IP performance measurement security
with IPsec. This document makes the case for employing IPsec to mechanisms cannot be readily used with IPsec. This document makes
protect the One-way and Two-Way Active Measurement Protocols (O/ the case for employing IPsec to protect the One-way and Two-Way
TWAMP) and proposes a method which combines IKEv2 and O/TWAMP as Active Measurement Protocols (O/TWAMP) and proposes a method which
defined in RFC 4656 and RFC 5357, respectively. This specification combines IKEv2 and O/TWAMP as defined in RFC 4656 and RFC 5357,
aims, on the one hand, to ensure that O/TWAMP can be secured with the respectively. This specification aims, on the one hand, to ensure
best mechanisms we have at our disposal today while, on the other that O/TWAMP can be secured with the best mechanisms we have at our
hand, it facilitates the applicability of O/TWAMP to networks that disposal today while, on the other hand, it facilitates the
have already deployed IPsec. applicability of O/TWAMP to networks that have already deployed
IPsec.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 06, 2014. This Internet-Draft will expire on April 24, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
skipping to change at page 2, line 24 skipping to change at page 2, line 27
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5
3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6
3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7
3.4. O/TWAMP and IPsec . . . . . . . . . . . . . . . . . . . . 7 3.4. O/TWAMP and IPsec . . . . . . . . . . . . . . . . . . . . 7
4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 8 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 8
4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 8 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 8
4.2. Optimizations . . . . . . . . . . . . . . . . . . . . . . 10 4.2. Server Greeting Message Update . . . . . . . . . . . . . 9
4.2.1. Alternative 1 . . . . . . . . . . . . . . . . . . . . 11 4.3. Session Key Derivation . . . . . . . . . . . . . . . . . 11
4.2.2. Alternative 2 . . . . . . . . . . . . . . . . . . . . 13 4.3.1. Alternative 1 . . . . . . . . . . . . . . . . . . . . 12
5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 4.3.2. Alternative 2 . . . . . . . . . . . . . . . . . . . . 14
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
8.1. Normative References . . . . . . . . . . . . . . . . . . 14 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
8.2. Informative References . . . . . . . . . . . . . . . . . 15 8.1. Normative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters, such as latency, bandwidth, measure network performance parameters, such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered. network measurement results, security aspects must be considered.
Otherwise, attacks may occur and the authenticity of the measurement Otherwise, attacks may occur and the authenticity of the measurement
skipping to change at page 3, line 15 skipping to change at page 3, line 17
Cryptographic security mechanisms, such as IPsec, have been Cryptographic security mechanisms, such as IPsec, have been
considered during the early stage of the specification of the two considered during the early stage of the specification of the two
active measurement protocols mentioned above. However, due to active measurement protocols mentioned above. However, due to
several reasons, it was decided to avoid tying the development and several reasons, it was decided to avoid tying the development and
deployment of O/TWAMP to such security mechanisms. In practice, for deployment of O/TWAMP to such security mechanisms. In practice, for
many networks, the issues listed in [RFC4656], Sec. 6.6 with respect many networks, the issues listed in [RFC4656], Sec. 6.6 with respect
to IPsec are still valid. However, we expect that in the near future to IPsec are still valid. However, we expect that in the near future
IPsec will be deployed in many more hosts and networks than today. IPsec will be deployed in many more hosts and networks than today.
For example, IPsec tunnels may be used to secure wireless channels. For example, IPsec tunnels may be used to secure wireless channels.
In this case, what we are interested in is measuring network In this case, what we are interested in is measuring network
performance specifically for the traffic carried by the tunnel, not performance specifically for the traffic carried by the secured
in general over the wireless channel. This document makes the case tunnel, not over the wireless channel in general. This document
that O/TWAMP should be cognizant when IPsec and other security makes the case that O/TWAMP should be cognizant when IPsec and other
mechanisms are in place and can be leveraged upon. In other words, security mechanisms are in place and can be leveraged upon. In other
it is now time to specify how O/TWAMP is used in a network words, it is now time to specify how O/TWAMP is used in a network
environment where IPsec is already deployed. We expect that in such environment where IPsec is already deployed. We expect that in such
an environment, measuring IP performance over IPsec tunnels with O/ an environment, measuring IP performance over IPsec tunnels with O/
TWAMP is an important tool for operators. TWAMP is an important tool for operators.
For example, when considering the use of O/TWAMP in networks with For example, when considering the use of O/TWAMP in networks with
IPsec deployed, we can take advantage of the IPsec key exchange IPsec deployed, we can take advantage of the IPsec key exchange
protocol [RFC5996]. In particular, we note that it is not necessary protocol [RFC5996]. In particular, we note that it is not necessary
to use distinct keys in OWAMP-Control and OWAMP-Test layers. One key to use distinct keys in OWAMP-Control and OWAMP-Test layers. One key
for encryption and another for authentication is sufficient for both for encryption and another for authentication is sufficient for both
Control and Test layers. This obviates the need to generate two keys Control and Test layers. This obviates the need to generate two keys
skipping to change at page 3, line 42 skipping to change at page 3, line 44
separate session keys in the OWAMP-Control and OWAMP-Test layers were separate session keys in the OWAMP-Control and OWAMP-Test layers were
designed for preventing reflection attacks when employing the current designed for preventing reflection attacks when employing the current
mechanism. Once IPsec is employed, such a potential threat is mechanism. Once IPsec is employed, such a potential threat is
alleviated. alleviated.
The remainder of this document is organized as follows. Section 3 The remainder of this document is organized as follows. Section 3
motivates this work by revisiting the arguments made in [RFC4656] motivates this work by revisiting the arguments made in [RFC4656]
against the use of IPsec; this section also summarizes protocol against the use of IPsec; this section also summarizes protocol
operation with respect to security. Section 4 presents a method of operation with respect to security. Section 4 presents a method of
binding O/TWAMP and IKEv2 for network measurements between a sender binding O/TWAMP and IKEv2 for network measurements between a sender
and a receiver which both support IPsec. Finally, Section 3 and a receiver which both support IPsec. Finally, Section 5
discusses the security considerations arising from the proposed discusses the security considerations arising from the proposed
mechanisms. mechanisms.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Motivation 3. Motivation
In order to motivate the solutions proposed in this document, let us In order to motivate the solutions proposed in this document, let us
first revisit Section 6.6 of [RFC4656]. As we explain below, the first revisit Section 6.6 of [RFC4656]. As we explain below, the
reasons originally listed therein may not apply in many cases today. reasons originally listed therein may not apply in many cases today.
skipping to change at page 4, line 29 skipping to change at page 4, line 32
the operational complexity of OWAMP (and TWAMP) in networks where the operational complexity of OWAMP (and TWAMP) in networks where
IPsec is actively used and may in practice limit its applicability. IPsec is actively used and may in practice limit its applicability.
The second argument made is the need to keep separate deployment The second argument made is the need to keep separate deployment
paths between OWAMP and IPsec. In several currently deployed types paths between OWAMP and IPsec. In several currently deployed types
of networks IPsec is widely used to protect the data and signaling of networks IPsec is widely used to protect the data and signaling
planes. For example, in mobile telecommunication networks, the planes. For example, in mobile telecommunication networks, the
deployment rate of IPsec exceeds 95% with respect to the LTE serving deployment rate of IPsec exceeds 95% with respect to the LTE serving
network. In older technology cellular networks, such as UMTS and network. In older technology cellular networks, such as UMTS and
GSM, IPsec use penetration is lower, but still quite significant. GSM, IPsec use penetration is lower, but still quite significant.
Additionally, there is a great number of IPSec-based VPN applications Additionally, there is a great number of IPsec-based VPN applications
which are widely used in business applications to provide end-to-end which are widely used in business applications to provide end-to-end
security over untrusted IEEE 802.11 wireless LANs. At the same time, security over, for instance, publicly open or otherwise untrusted
many IETF-standardized protocols make use of IPsec/IKE, including IEEE 802.11 wireless LANs. At the same time, many IETF-standardized
MIPv4/v6, HIP, SCTP, BGP, NAT and SIP, just to name a few. protocols make use of IPsec/IKE, including MIPv4/v6, HIP, SCTP, BGP,
NAT and SIP, just to name a few.
The third argument in [RFC4656] is that, effectively, the adoption of The third argument in [RFC4656] is that, effectively, the adoption of
IPsec in OWAMP may be problematic for "lightweight embedded devices". IPsec in OWAMP may be problematic for "lightweight embedded devices."
However, since the publication of RFC 4656, a large number of However, since the publication of RFC 4656, a large number of
limited-resource and low-cost hardware, such as Ethernet switches, limited-resource and low-cost hardware, such as Ethernet switches,
DSL modems, and other such devices come with support for IPsec "out DSL modems, set-top boxes and other such devices come with support
of the box". Therefore concerns about implementation, although for IPsec "out of the box". Therefore concerns about implementation,
likely valid a decade ago, are not well founded today. although likely valid a decade ago, are not well founded today.
Finally, everyday use of IPsec applications by field technicians and Finally, everyday use of IPsec applications by field technicians and
good understanding of the IPsec API by many programmers should no good understanding of the IPsec API by many programmers should no
longer be a reason for concern. On the contrary: By now, IPsec open longer be a reason for concern. On the contrary: By now, IPsec open
source code is available for anyone who wants to use it. Therefore, source code is available for anyone who wants to use it. Therefore,
although IPsec does need a certain level of expertise to deal with although IPsec does need a certain level of expertise to deal with
it, in practice, most competent technical personnel and programmers it, in practice, most competent technical personnel and programmers
have no problems using it on a daily basis. have no problems using it on a daily basis.
OWAMP and TWAMP actually consist of two inter-related protocols: O/ OWAMP and TWAMP actually consist of two inter-related protocols: O/
skipping to change at page 5, line 30 skipping to change at page 5, line 35
o HMAC-SHA1 truncated to 128 bits for message authentication o HMAC-SHA1 truncated to 128 bits for message authentication
Three modes of operation are supported: unauthenticated, Three modes of operation are supported: unauthenticated,
authenticated, and encrypted. The authenticated and encrypted modes authenticated, and encrypted. The authenticated and encrypted modes
require that endpoints possess a shared secret, typically a require that endpoints possess a shared secret, typically a
passphrase. The secret key is derived from the passphrase using a passphrase. The secret key is derived from the passphrase using a
password-based key derivation function PBKDF2 (PKCS#5) [RFC2898]. password-based key derivation function PBKDF2 (PKCS#5) [RFC2898].
In the unauthenticated mode, the security parameters are left unused. In the unauthenticated mode, the security parameters are left unused.
In the authenticated and encrypted modes, security parameters are In the authenticated and encrypted modes, security parameters are
negotiated during the control connection establishment. In short, negotiated during the control connection establishment.
the client opens a TCP connection to the server in order to be able
to send OWAMP-Control commands. The server responds with a server Figure 1 illustrates the initiation stage of the O/TWAMP-Control
greeting, which contains the Challenge, Mode, Salt and Count. If the protocol between a client and the server. In short, the client opens
client-requested mode is available, the client responds with a Set- a TCP connection to the server in order to be able to send OWAMP-
Up-Response message, wherein the KeyID, Token and Client IV are Control commands. The server responds with a Server Greeting, which
included. The Token is the concatenation of a 16-octet challenge, a contains the Modes, Challenge, Salt, Count, and MBZ fields (see
16-octet AES Session-key used for encryption, and a 32-octet HMAC- Section 3.1 of [RFC4656]). If the client-preferred mode is
SHA1 Session-key used for authentication. The Token is encrypted available, the client responds with a Set-Up-Response message,
using AES-CBC. wherein the selected Mode, as well as the KeyID, Token and Client IV
are included. The Token is the concatenation of a 16-octet
Challenge, a 16-octet AES Session-key used for encryption, and a
32-octet HMAC-SHA1 Session-key used for authentication. The Token is
encrypted using AES-CBC.
+--------+ +--------+
| Client | | Server |
+--------+ +--------+
| |
|<---- TCP Connection ----->|
| |
|<---- Greeting message ----|
| |
|----- Set-Up-Response ---->|
| |
|<---- Server-Start --------|
| |
Figure 1: Initiation of O/TWAMP-Control
Encryption uses a key derived from the shared secret associated with Encryption uses a key derived from the shared secret associated with
KeyID. In the authenticated and encrypted modes, all further KeyID. In the authenticated and encrypted modes, all further
communication is encrypted using the AES Session-key and communication is encrypted using the AES Session-key and
authenticated with the HMAC Session-key. The client encrypts authenticated with the HMAC Session-key. The client encrypts
everything it transmits through the just-established O/TWAMP-Control everything it transmits through the just-established O/TWAMP-Control
connection using stream encryption with Client-IV as the IV. connection using stream encryption with Client-IV as the IV.
Correspondingly, the server encrypts its side of the connection using Correspondingly, the server encrypts its side of the connection using
Server-IV as the IV. The IVs themselves are transmitted in Server-IV as the IV. The IVs themselves are transmitted in
cleartext. Encryption starts with the block immediately following cleartext. Encryption starts with the block immediately following
skipping to change at page 6, line 27 skipping to change at page 7, line 6
session mode. session mode.
The O/TWAMP-Test packet format is the same in authenticated and The O/TWAMP-Test packet format is the same in authenticated and
encrypted modes. The encryption and authentication operations are, encrypted modes. The encryption and authentication operations are,
however, different. Similarly with the respective O/TWAMP-Control however, different. Similarly with the respective O/TWAMP-Control
session, each O/TWAMP-Test session has two keys: an AES Session-key session, each O/TWAMP-Test session has two keys: an AES Session-key
and an HMAC Session-key. However, there is a difference in how the and an HMAC Session-key. However, there is a difference in how the
keys are obtained: keys are obtained:
O/TWAMP-Control: the keys are generated by the client and O/TWAMP-Control: the keys are generated by the client and
communicated (as part of the Token) during connection communicated to the server during the control connection
establishment with the Set-Up-Response message. establishment with the Set-Up-Response message (as part of
the Token).
O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and
the session identifier (SID), which serve as inputs of the the session identifier (SID), which serve as inputs of the
key derivation function (KDF). The O/TWAMP-Test AES Session- key derivation function (KDF). The O/TWAMP-Test AES Session-
key is generated using the O/TWAMP-Control AES Session-key, key is generated using the O/TWAMP-Control AES Session-key,
with the 16-octet session identifier (SID), for encrypting with the 16-octet session identifier (SID), for encrypting
and decrypting the packets of the particular O/TWAMP-Test and decrypting the packets of the particular O/TWAMP-Test
session. The O/TWAMP-Test HMAC Session-key is generated session. The O/TWAMP-Test HMAC Session-key is generated
using the O/TWAMP-Control HMAC Session-key, with the 16-octet using the O/TWAMP-Control HMAC Session-key, with the 16-octet
session identifier (SID), for authenticating the packets of session identifier (SID), for authenticating the packets of
the particular O/TWAMP-Test session. the particular O/TWAMP-Test session.
3.3. O/TWAMP Security Root 3.3. O/TWAMP Security Root
As discussed above, the AES Session-key and HMAC Session-key used in As discussed above, the AES Session-key and HMAC Session-key used in
the O/TWAMP-Test protocol are derived from the AES Session-key and the O/TWAMP-Test protocol are derived from the AES Session-key and
HMAC Session-key which are used in O/TWAMP-Control protocol. The AES HMAC Session-key which are used in O/TWAMP-Control protocol. The AES
Session-key and HMAC Session-key used in the O/TWAMP-Control protocol Session-key and HMAC Session-key used in the O/TWAMP-Control protocol
are generated randomly by the client, and encrypted with the shared are generated randomly by the client, and encrypted with the shared
secret associated with KeyID. Therefore, the security root is the secret associated with KeyID. Therefore, the security root is the
shared secret key. Thus, key provision and management may become shared secret key. Thus, for large deployments, key provision and
overly complicated. Comparatively, a certificate-based approach management may become overly complicated. Comparatively, a
using IKEv2/IPsec can automatically manage the security root and certificate-based approach using IKEv2/IPsec can automatically manage
solve this problem, as we explain in Section 4. the security root and solve this problem, as we explain in Section 4.
3.4. O/TWAMP and IPsec 3.4. O/TWAMP and IPsec
According to RFC 4656 the "deployment paths of IPsec and OWAMP could According to [RFC4656] the "deployment paths of IPsec and OWAMP could
be separate if OWAMP does not depend on IPsec." However, the problem be separate if OWAMP does not depend on IPsec." However, the problem
that arises in practice is that the security mechanism of O/TWAMP and that arises in practice is that the security mechanism of O/TWAMP and
IPsec cannot coexist at the same time without adding overhead or IPsec cannot coexist at the same time without adding overhead or
increasing complexity. increasing complexity.
IPsec provides confidentiality and data integrity to IP datagrams. IPsec provides confidentiality and data integrity to IP datagrams.
Distinct protocols are provided: Authentication Header (AH), Distinct protocols are provided: Authentication Header (AH),
Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE
v1/v2). AH provides only integrity protection, while ESP can also v1/v2). AH provides only integrity protection, while ESP can also
provide encryption. IKE is used for dynamical key negotiation and provide encryption. IKE is used for dynamical key negotiation and
skipping to change at page 7, line 51 skipping to change at page 8, line 32
performance in an IPsec tunnel with O/TWAMP. Without this performance in an IPsec tunnel with O/TWAMP. Without this
functionality, the use of OWAMP and TWAMP over IPsec is hindered. functionality, the use of OWAMP and TWAMP over IPsec is hindered.
Of course, backward compatibility should be considered as well. That Of course, backward compatibility should be considered as well. That
is, the intrinsic security method based on shared key as specified in is, the intrinsic security method based on shared key as specified in
the O/TWAMP standards can also still be suitable for other network the O/TWAMP standards can also still be suitable for other network
settings. There should be no impact on the current security settings. There should be no impact on the current security
mechanisms defined in O/TWAMP for other use cases. This document mechanisms defined in O/TWAMP for other use cases. This document
describes possible solutions to this problem which take advantage of describes possible solutions to this problem which take advantage of
the secret key derived by IPsec, in order to provision the key needed the secret key derived by IPsec, in order to provision the key needed
for active network measurements based on RFC 4656 and RFC 5357. for active network measurements based on [RFC4656] and [RFC5357].
4. O/TWAMP for IPsec Networks 4. O/TWAMP for IPsec Networks
This section presents a method of binding O/TWAMP and IKEv2 for This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a sender and a receiver which both network measurements between a client and a server which both support
support IPsec. In short, the shared key used for securing O/TWAMP IPsec. In short, the shared key used for securing O/TWAMP traffic is
traffic is derived using IKEv2 [RFC5996]. derived using IKEv2 [RFC5996].
4.1. Shared Key Derivation 4.1. Shared Key Derivation
If the AH protocol is used, the IP packets are transmitted in If the AH protocol is used, the IP packets are transmitted in
plaintext, but all O/TWAMP traffic is integrity-protected by IPsec. plaintext, but all O/TWAMP traffic is integrity-protected by IPsec.
Therefore, even if the peers choose to opt for the unauthenticated Therefore, even if the peers choose to opt for the unauthenticated
mode, IPsec integrity protection is extended to O/TWAMP. mode, IPsec integrity protection is extended to O/TWAMP. In the
authenticated and encrypted modes, the shared secret can be derived
In the authenticated and encrypted modes, the shared secret can be from the IKEv2 Security Association (SA), or IPsec SA.
derived from the IKEv2 Security Association (SA), or IPsec SA. If
the shared secret key is derived from the IKEv2 SA, SKEYSEED must be
generated firstly.
SKEYSEED and its derivatives are computed as per [RFC5996], where prf If the shared secret key is derived from the IKEv2 SA, SKEYSEED must
is a pseudorandom function: be generated firstly. SKEYSEED and its derivatives are computed as
per [RFC5996], where prf is a pseudorandom function:
SKEYSEED = prf( Ni | Nr, g^ir ) SKEYSEED = prf( Ni | Nr, g^ir )
Ni and Nr are nonces negotiated during the initial exchange. g^ir is Ni and Nr are, respectively, the initiator and responder nonces,
the shared secret from the ephemeral Diffie-Hellman exchange and is which are negotiated during the initial exchange (see Section 1.2 of
represented as a string of octets. Note that this SKEYSEED can be [RFC5996]). g^ir is the shared secret from the ephemeral Diffie-
used as the O/TWAMP shared secret key directly. Hellman exchange and is represented as a string of octets. Note that
this SKEYSEED can be used as the O/TWAMP shared secret key directly.
Alternatively, the shared secret key can be generated as follows: Alternatively, the shared secret key can be generated as follows:
Shared secret key = PRF{ SKEYSEED, Session ID } Shared secret key = PRF{ SKEYSEED, Session ID }
wherein the Session ID is the O/TWAMP-Test SID. wherein the Session ID is the O/TWAMP-Test SID.
If the shared secret key is derived from the IPsec SA, the shared If the shared secret key is derived from the IPsec SA, instead, the
secret key can be equal to KEYMAT, wherein shared secret key can be equal to KEYMAT, wherein
KEYMAT = prf+( SK_d, Ni | Nr ) KEYMAT = prf+( SK_d, Ni | Nr )
The term "prf+" stands for a function that outputs a pseudorandom The term "prf+" stands for a function that outputs a pseudorandom
stream based on the inputs to a prf, while SK_d is defined in stream based on the inputs to a prf, while SK_d is defined in
[RFC5996] (Sections 2.13 and 1.2, respectively). The shared secret [RFC5996] (Sections 2.13 and 1.2, respectively). The shared secret
key can alternatively be generated as follows: key can alternatively be generated as follows:
Shared secret key = PRF{ KEYMAT, Session ID } Shared secret key = PRF{ KEYMAT, Session ID }
wherein the session ID is is the O/TWAMP-Test SID. wherein the session ID is is the O/TWAMP-Test SID.
If rekeying for the IKE SA and IPsec SA occurs, the corresponding key If rekeying for the IKE SA and IPsec SA occurs, the corresponding key
of the SA is updated. Generally, ESP and AH SAs always exist in of the SA is updated. Generally, ESP and AH SAs always exist in
pairs, with one SA in each direction. If the SA is deleted, the key pairs, with one SA in each direction. If the SA is deleted, the key
generated from the IKE SA or IPsec SA should also be updated. generated from the IKE SA or IPsec SA should also be updated.
4.2. Server Greeting Message Update
As discussed above, a binding association between the key generated As discussed above, a binding association between the key generated
from IPsec and the O/TWAMP shared secret key needs to be considered. from IPsec and the O/TWAMP shared secret key needs to be considered.
The Security Association can be identified by the Security Parameter The Security Association (SA) can be identified by the Security
Index (SPI) and protocol uniquely for a given sender and receiver Parameter Index (SPI) and protocol uniquely for a given sender and
pair. So these parameters should be agreed upon during the receiver pair. Therefore, these parameters should be agreed upon
initiation of O/TWAMP. At the stage that the sender and receiver during the initiation stage of O/TWAMP-Control. At the stage that
negotiate the integrity key, the IPsec protocol and SPI SHOULD be the sender and receiver negotiate the integrity key, the IPsec
checked. Only if the two parameters are matched with the IPsec protocol and SPI MUST be checked. Only if the two parameters are
information, should the O/TWAMP connection be established. matched with the IPsec information, MUST the O/TWAMP connection be
established.
The SPI and protocol type are included in the Server Greeting of the
O/TWAMP-Control protocol (Figure 1). After the client receives the
greeting, it MUST close the connection if it receives a greeting with
an erroneous SPI and protocol value (Figure 2). Otherwise, the
client SHOULD respond with the following Set-Up-Response message and
generates the shared secret key.
+--------+ +--------+
| Client | | Server |
+--------+ +--------+
| |
|<---- TCP Connection ----->|
| |
|<---- Greeting message ----|
| |
|----- Set-Up-Response ---->|
| |
|<---- Server-Start --------|
| |
Figure 1: Initiation of O/TWAMP-Control The Security Parameter Index (SPI) and protocol type (see [RFC4301]
[RFC5996]) will need to be included in the Server Greeting of the O/
TWAMP-Control protocol depicted in Figure 1. After the client
receives the greeting, it MUST close the connection if it receives a
greeting with an erroneous SPI and protocol value (Figure 2).
Otherwise, the client SHOULD generate the shared secret key as
discussed in Section 4.1 and respond with the server-expected Set-Up-
Response message.
When using ESP, all IP packets are encrypted, and therefore only the The Modes field in Figure 2 will need to allow for support of key
receiver can use the IPsec key to decrypt the IP active measurement derivation as discussed in Section 4.1. As such, pending discussion
packets. In this case, the IPsec tunnel between the sender and in the IPPM WG, Modes value 8 MUST be supported by compatible
receiver provides additional security: even if the peers choose the implementations, indicating support for IPsec. Server
unauthenticated mode, IPsec encryption and integrity protection is implementations compatible with this document MUST set the first 28
provided to O/TWAMP. If the sender and receiver decide to use the bits of the Modes field to zero. A client compatible with this
authenticated or encrypted mode, the shared secret can also be specification MUST ignore the first 28 bits of the Modes field. For
derived from IKE SA or IPsec SA. The method for key generation and backward compatibility, the server is obviously allowed to indicate
binding association is the same discussed above for the AH protocol support for the Modes defined in [RFC4656]
mode.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | | Protocol |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIi | | SPIi |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIr | | SPIr |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Challenge (16 octets) | | Challenge (16 octets) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Salt (16 octets) | | Salt (16 octets) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Count (4 octets) | | Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting format Figure 2: Server Greeting format
A compatible O/TWAMP client implementation would then interpret the
originally unused 12 bits of the Server Greeting (see sec. 3.1 of
[RFC4656]) as follows: The first 4 octets of the Server Greeting
message indicate the protocol type, while the following 8 octets
indicate the initiator (SPIi) and responder (SPIr) SPIs as
illustrated in Figure 2. Note that in this case, the remaining
fields of the Server Greeting message remain as per [RFC4656].
EDITOR'S NOTE:
We expect that this implementation option would pose the least
backwards compatibility problems to existing O/TWAMP clients.
Robust client implementations of [RFC4656] would disregard that
the 29th Modes bit in the Server Greeting is set, and should
ignore the information contained in the newly defined fields
(Protocol, SPIi, SPIr). If the server supports other Modes, as
one would assume, the client would then indicate any of the
Modes defined in [RFC4656] and effectively indicate that it
does not support the IPsec mode. At this point, the Server
would need to use the Modes defined in [RFC4656] only.
When using ESP, all IP packets are encrypted, and therefore only the
receiver can use the IPsec key to decrypt the IP active measurement
packets. In this case, the IPsec tunnel between the sender and
receiver provides additional security: even if the peers choose the
unauthenticated mode, IPsec encryption and integrity protection is
provided to O/TWAMP. If the sender and receiver decide to use the
authenticated or encrypted mode, the shared secret can also be
derived from IKE SA or IPsec SA. The method for key generation and
binding association is the same discussed above for the AH protocol
mode.
There is an encryption-only configuration in ESP, though this is not There is an encryption-only configuration in ESP, though this is not
recommended due to its limitations. Since it does not produce recommended due to its limitations. Since it does not produce
integrity key in this case, either encryption-only ESP should be integrity key in this case, either encryption-only ESP should be
prohibited for O/TWAMP, or a decryption failure should be prohibited for O/TWAMP, or a decryption failure should be
distinguished due to possible integrity attack. distinguished due to possible integrity attack.
4.2. Optimizations 4.3. Session Key Derivation
The previous subsection described a method for deriving the shared Section 4.1 described a method for deriving the shared key for O/
key for O/TWAMP by capitalizing on IPsec. We note, however, that the TWAMP by capitalizing on IPsec. This is a step forward in terms of
O/TWAMP protocol uses distinct encryption and integrity keys for O/ facilitating O/TWAMP deployment at scale in IPsec networks as it
TWAMP-Control and O/TWAMP-Test. Consequently, four keys are allows for greater and secure automation of standardized network
generated to protect O/TWAMP-Control and O/TWAMP-Test messages. performance measurements. We note, however, that the O/TWAMP
protocol uses distinct encryption and integrity keys for O/TWAMP-
Control and O/TWAMP-Test. Consequently, four keys are generated to
protect O/TWAMP-Control and O/TWAMP-Test messages.
In fact, once IPsec is employed, one key for encryption and another In fact, once IPsec is employed, one key for encryption and another
for authentication is sufficient for both the Control and Test for authentication is sufficient for both the Control and Test
protocols. Therefore, in an IPsec environment we can reduce the protocols. Therefore, in an IPsec environment we can further reduce
operational complexity of O/TWAMP protocols in a straightforward the operational complexity of O/TWAMP protocols in a straightforward
manner, as discussed below. manner, as discussed below.
EDITOR'S NOTE: EDITOR'S NOTE:
We expect that both optimization alternatives will be discussed We expect that both session key derivation proposals and
in the IPPM working group and we are looking forward to optimization alternatives will be discussed in the IPPM working
community comments and feedback. group and we are looking forward to community comments and
feedback.
4.2.1. Alternative 1 4.3.1. Alternative 1
If an IPsec SA is established between the server and the client, or If an IPsec SA is established between the server and the client, or
both server and client support IPsec, the root key for O/TWAMP-based both server and client support IPsec, the root key for O/TWAMP-based
active network measurements can be derived from the IKE or IPsec SA. active network measurements can be derived from the IKE or IPsec SA.
If the root key that will be used in O/TWAMP network performance If the root key that will be used in O/TWAMP network performance
measurements is derived from the IKE SA, SKEYSEED must be generated measurements is derived from the IKE SA, SKEYSEED must be generated
first. SKEYSEED and its derivatives are computed as per [RFC5996]. first. SKEYSEED and its derivatives are computed as per [RFC5996].
SKEYSEED can be used as the root key of O/TWAMP directly; then the SKEYSEED can be used as the root key of O/TWAMP directly; then the
root key of O/TWAMP is equal to SKEYSEED. root key of O/TWAMP is equal to SKEYSEED. If the root key of O/TWAMP
is derived from the IPsec SA, the shared secret key can be equal to
KEYMAT. KEYMAT and its derivatives are computed as per usual
[RFC5996].
If the root key of O/TWAMP is derived from the IPsec SA, the shared Then, the session keys for encryption and authentication can be
secret key can be equal to KEYMAT. KEYMAT and its derivatives are derived from the root key of O/TWAMP, wherein:
computed as per usual [RFC5996]. Then, the session keys for
encryption and authentication can be derived from the root key of O/
TWAMP, wherein:
Session key for enc = PRF{ root key of O/TWAMP, "O/TWAMP enc" } Session key for enc = PRF{ root key of O/TWAMP, "O/TWAMP enc" }
Session key for auth = PRF{ root key of O/TWAMP, "O/TWAMP auth" } Session key for auth = PRF{ root key of O/TWAMP, "O/TWAMP auth" }
The former can provide encryption protection for O/TWAMP-Control and The former can provide encryption protection for O/TWAMP-Control and
O/TWAMP-Test messages, while the latter can provide integrity O/TWAMP-Test messages, while the latter can provide integrity
protection. protection.
Note that there are cases where rekeying the IKE SA and IPsec SA is Note that there are cases where rekeying the IKE SA and IPsec SA is
necessary, and after which the corresponding key of SA is updated. necessary, and after which the corresponding key of SA is updated.
If the SA is deleted, the O/TWAMP shared key generated from the IKE If the SA is deleted, the O/TWAMP shared key generated from the IKE
SA or IPsec SA should also be updated. SA or IPsec SA should also be updated.
EDITOR'S NOTE:
In addition to optimizing session key derivation, we can also
reduce the verbosity of the Server Greeting and Set-Up-Response
messages, as explained below. Note, however, that such O/TWAMP
message simplification poses backward compatibility challenges,
which should be discussed in the IPPM WG.
In this optimization, the O/TWAMP-Control message exchange flow In this optimization, the O/TWAMP-Control message exchange flow
remains as per Figure 1. However, the optimized Server Greeting remains as per Figure 1. However, the optimized Server Greeting
(Figure 3) can do without the Salt and Count parameters (cf. Figure (Figure 3) can do without the Salt and Count parameters (cf. Figure
2) since the root key of O/TWAMP is derived from IKE SA or IPsec SA. 2) since the root key of O/TWAMP is derived from IKE SA or IPsec SA.
O/TWAMP security can rely on IPsec and the SPI can uniquely identify O/TWAMP security can rely on IPsec and the SPI can uniquely identify
the IPsec SA from which the root key was derived from. the IPsec SA from which the root key was derived from.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | | Protocol |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIi | | SPIi |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIr | | SPIr |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Challenge (16 octets) | | Challenge (16 octets) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 13, line 8 skipping to change at page 14, line 20
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Set-Up-Response in Alternative 1 Figure 4: Set-Up-Response in Alternative 1
If the server authenticates the token successfully, then the O/TWAMP- If the server authenticates the token successfully, then the O/TWAMP-
Control message exchange flow can continue. Control message exchange flow can continue.
4.2.2. Alternative 2 4.3.2. Alternative 2
Another way for optimizing the shared key use is to set the O/TWAMP Another way for optimizing the shared key use is to set the O/TWAMP
session keys equal to the keys of the IPsec SA directly, i.e: session keys equal to the keys of the IPsec SA directly, i.e:
Session key for enc = encryption key of the IPsec SA Session key for enc = encryption key of the IPsec SA
Session key for auth = integrity key of the IPsec SA Session key for auth = integrity key of the IPsec SA
The former session key can provide encryption protection for O/TWAMP- The former session key can provide encryption protection for O/TWAMP-
Control and O/TWAMP-Test messages, while the latter can provide Control and O/TWAMP-Test messages, while the latter can provide
integrity protection. The point made in the previous subsection integrity protection. The point made in the previous subsection
about rekeying the IPsec SA applies here too. about rekeying the IPsec SA applies here too.
EDITOR'S NOTE:
As noted in the previous subsection, here too we can reduce the
verbosity of the Server Greeting and Set-Up-Response messages
even further, as explained below. Note, however, that such O/
TWAMP message simplification poses backward compatibility
challenges, which should be discussed in the IPPM WG.
The O/TWAMP control message exchange flow remains the same (i.e. as
per Figure 1), while the Server Greeting format is illustrated in
Figure 5. The Challenge, Salt, and Count parameters can be
eliminated since the session keys of O/TWAMP are equal to the keys of
an IPsec SA directly. SPI can identify the IPsec SA where the
session keys derived from. The similarly optimized Set-Up-Response
message is illustrated in Figure 6.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | | Protocol |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIi | | SPIi |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPIr | | SPIr |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Optimized Server Greeting format Figure 5: Optimized Server Greeting format
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Set-Up-Response in Alternative 2 Figure 6: Set-Up-Response in Alternative 2
The O/TWAMP control message exchange flow is the same (Figure 1),
while the Server Greeting format is illustrated in Figure 5. The
Salt, Count and Challenge parameters can be eliminated since the
session keys of O/TWAMP are equal to keys of an IPsec SA directly.
SPI can identify the IPsec SA where the session keys derived from.
The Set-Up-Response is illustrated in Figure 6.
5. Security Considerations 5. Security Considerations
As the shared secret key is derived from IPsec, the key derivation As the shared secret key is derived from IPsec, the key derivation
algorithm strength and limitations are as per [RFC5996]. The algorithm strength and limitations are as per [RFC5996]. The
strength of a key derived from a Diffie-Hellman exchange using any of strength of a key derived from a Diffie-Hellman exchange using any of
the groups defined here depends on the inherent strength of the the groups defined here depends on the inherent strength of the
group, the size of the exponent used, and the entropy provided by the group, the size of the exponent used, and the entropy provided by the
random number generator employed. The strength of all keys and random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly Denial of Service (DoS) implementation vulnerabilities, particularly Denial of Service (DoS)
attacks are as defined in [RFC5996]. attacks are as defined in [RFC5996].
EDITOR'S NOTE: EDITOR'S NOTE:
The IPPM community may want to revisit the arguments listed in As a general note, the IPPM community may want to revisit the
[RFC4656], Sec. 6.6. Other widely-used Internet security arguments listed in [RFC4656], Sec. 6.6. Other widely-used
mechanisms, such as TLS and DTLS, may also be considered for Internet security mechanisms, such as TLS and DTLS, may also be
future use over and above of what is already specified in considered for future use over and above of what is already
[RFC4656] [RFC5357]. specified in [RFC4656] [RFC5357].
6. IANA Considerations 6. IANA Considerations
IANA may need to allocate additional values for the Modes options
IANA may need to allocate additional values for the options presented presented in this document. The values of the protocol field may
in this document. The values of the protocol field needed to be need to be assigned from the numbering space.
assigned from the numbering space.
7. Acknowledgments 7. Acknowledgments
Emily Bi contributed to an earlier version of this document. Emily Bi contributed to an earlier version of this document.
We thank Eric Chen and Yakov Stein for their comments on this draft, We thank Eric Chen and Yakov Stein for their comments on this draft,
and Al Morton for the discussion on related earlier work in IPPM WG. and Al Morton for the discussion on related earlier work in IPPM WG.
8. References 8. References
skipping to change at page 15, line 18 skipping to change at page 16, line 39
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010. 5996, September 2010.
8.2. Informative References 8.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000. Specification Version 2.0", RFC 2898, September 2000.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
Authors' Addresses Authors' Addresses
Kostas Pentikousis (editor) Kostas Pentikousis (editor)
Huawei Technologies EICT GmbH
Carnotstrasse 4 Torgauer Strasse 12-15
10587 Berlin 10829 Berlin
Germany Germany
Email: k.pentikousis@huawei.com Email: k.pentikousis@eict.de
Yang Cui Yang Cui
Huawei Technologies Huawei Technologies
Huawei Building, Q20, No.156, Rd. BeiQing Otemachi First Square 1-5-1 Otemachi
Haidian District , Beijing 100095 Chiyoda-ku, Tokyo 100-0004
P. R. China Japan
Email: cuiyang@huawei.com Email: cuiyang@huawei.com
Emma Zhang Emma Zhang
Huawei Technologies Huawei Technologies
Huawei Building, Q20, No.156, Rd. BeiQing Huawei Building, Q20, No.156, Rd. BeiQing
Haidian District , Beijing 100095 Haidian District , Beijing 100095
P. R. China P. R. China
Email: emma.zhanglijia@huawei.com Email: emma.zhanglijia@huawei.com
 End of changes. 50 change blocks. 
164 lines changed or deleted 228 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/