draft-ietf-ippm-ipsec-02.txt   draft-ietf-ippm-ipsec-03.txt 
IPPM WG K. Pentikousis, Ed. IPPM WG K. Pentikousis, Ed.
Internet-Draft EICT Internet-Draft EICT
Intended status: Standards Track Y. Cui Intended status: Standards Track Y. Cui
Expires: August 18, 2014 E. Zhang Expires: December 7, 2014 E. Zhang
Huawei Technologies Huawei Technologies
February 14, 2014 June 5, 2014
Network Performance Measurement for IPsec Network Performance Measurement for IPsec
draft-ietf-ippm-ipsec-02 draft-ietf-ippm-ipsec-03
Abstract Abstract
The O/TWAMP security mechanism requires that endpoints (i.e. both the The O/TWAMP security mechanism requires that both the client and
client and the server) possess a shared secret. Since the currently- server endpoints possess a shared secret. Since the currently-
standardized O/TWAMP security mechanism only supports a pre-shared standardized O/TWAMP security mechanism only supports a pre-shared
key mode, large scale deployment of O/TWAMP is hindered key mode, large scale deployment of O/TWAMP is hindered
significantly. At the same time, recent trends point to wider IKEv2 significantly. At the same time, recent trends point to wider IKEv2
deployment, which in turn calls for mechanisms and methods that deployment which, in turn, calls for mechanisms and methods that
enable tunnel end-users, as well as operators, to measure one-way and enable tunnel end-users, as well as operators, to measure one-way and
two-way network performance in a standardized manner. This document two-way network performance in a standardized manner. This document
discusses the use of keys derived from an IKE SA as the shared key in discusses the use of keys derived from an IKEv2 SA as the shared key
O/TWAMP. If the shared key can be derived from the IKE SA, O/TWAMP in O/TWAMP. If the shared key can be derived from the IKEv2 SA, O/
can support cert-based key exchange, which would allow for more TWAMP can support certificate-based key exchange, which would allow
flexibility and efficiency. Such key derivation can also facilitate for more operational flexibility and efficiency. The key derivation
automatic key management. presented in this document can also facilitate automatic key
management.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on December 7, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 3 3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 3
3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4
3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5
3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6
4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6
4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6
4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 4.2. Server Greeting Message Update . . . . . . . . . . . . . 7
4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9
4.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters, such as latency, bandwidth, measure network performance parameters, such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered. network measurement results, security aspects must be considered.
Otherwise, attacks may occur and the authenticity of the measurement Otherwise, attacks may occur and the authenticity of the measurement
results may be violated. For example, if no protection is provided, results may be violated. For example, if no protection is provided,
an adversary in the middle may modify packet timestamps, thus an adversary in the middle may modify packet timestamps, thus
altering the measurement results. altering the measurement results.
The currently-standardized O/TWAMP security mechanism [RFC4656] The currently-standardized O/TWAMP security mechanism [RFC4656]
[RFC5357] requires that endpoints (i.e. both the client and the [RFC5357] requires that endpoints (i.e. both the client and the
server) possess a shared secret. In today's network deployments, server) possess a shared secret. In today's network deployments,
however, the use of pre-shared keys may not be optimal. For example, however, the use of pre-shared keys is far from optimal. For
in wireless infrastructure networks, certain network elements, which example, in wireless infrastructure networks, certain network
can be seen as the two endpoints from an O/TWAMP perspective, support elements, which can be seen as the two endpoints from an O/TWAMP
certificate-based security. This is the case when one wants to perspective, support certificate-based security. For instance,
measure IP performance between an eNB and SeGW, for instance. Since consider the case in which one wants to measure IP performance
the currently standardized O/TWAMP security mechanism only supports between an eNB and SeGW. Both eNB and SeGW are 3GPP LTE nodes and
pre-shared key mode, large scale deployment of O/TWAMP is hindered support certificate mode and IKEv2. Since the currently standardized
significantly. Furthermore, deployment and management of "shared O/TWAMP security mechanism only supports pre-shared key mode, large
secrets" for massive equipment installation consumes a tremendous scale deployment of O/TWAMP is hindered significantly. Furthermore,
amount of effort and is prone to human error. deployment and management of "shared secrets" for massive equipment
installation consumes a tremendous amount of effort and is prone to
human error.
With IKEv2 widely used, using keys derived from IKE SA as shared key With IKEv2 widely used, employing keys derived from IKEv2 SA as
can be considered as a viable alternative. In mobile shared key can be considered as a viable alternative. In mobile
telecommunication networks, the deployment rate of IPsec exceeds 95% telecommunication networks, the deployment rate of IPsec exceeds 95%
with respect to the LTE serving network. In older-technology with respect to the LTE serving network. In older-technology
cellular networks, such as UMTS and GSM, IPsec use penetration is cellular networks, such as UMTS and GSM, IPsec use penetration is
lower, but still quite significant. If the shared key can be derived lower, but still quite significant. If the shared key can be derived
from the IKE SA, O/TWAMP can support cert-based key exchange and make from the IKEv2 SA, O/TWAMP can support cert-based key exchange and
it more flexible in practice and more efficient. The use of IKEv2 make it more flexible in practice and more efficient. The use of
also makes it easier to extend automatic key management. In general, IKEv2 also makes it easier to extend automatic key management. In
O/TWAMP measurement packets can be transmitted inside the IPsec general, O/TWAMP measurement packets can be transmitted inside the
tunnel, as it occurs with typical user traffic, or transmitted IPsec tunnel, as it occurs with typical user traffic, or transmitted
outside the IPsec tunnel. This may depend on the operator's policy outside the IPsec tunnel. This may depend on the operator's policy
and is orthogonal to the mechanism described in this document. and is orthogonal to the mechanism described in this document.
The remainder of this document is organized as follows. Section 3 The remainder of this document is organized as follows. Section 3
summarizes O/TWAMP protocol operation with respect to security. summarizes O/TWAMP protocol operation with respect to security.
Section 4 presents a method of binding O/TWAMP and IKEv2 for network Section 4 presents a method of binding O/TWAMP and IKEv2 for network
measurements between the client and the server which both support measurements between the client and the server which both support
IKEv2. Finally, Section 5 discusses the security considerations IKEv2. Finally, Section 5 discusses the security considerations
arising from the proposed mechanisms. arising from the proposed mechanisms.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. O/TWAMP Security 3. O/TWAMP Security
Security for O/TWAMP-Control and O/TWAMP-Test are reviewed separately Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in
in this section. the following subsections.
3.1. O/TWAMP-Control Security 3.1. O/TWAMP-Control Security
O/TWAMP uses a simple cryptographic protocol which relies on O/TWAMP uses a simple cryptographic protocol which relies on
o AES in Cipher Block Chaining (AES-CBC) for confidentiality o AES in Cipher Block Chaining (AES-CBC) for confidentiality
o HMAC-SHA1 truncated to 128 bits for message authentication o HMAC-SHA1 truncated to 128 bits for message authentication
Three modes of operation are supported in the OWAMP-Control protocol: Three modes of operation are supported in the OWAMP-Control protocol:
unauthenticated, authenticated, and encrypted. Besides the above unauthenticated, authenticated, and encrypted. In addition to these
three modes supported, the TWAMP-Control protocol also supports an modes, the TWAMP-Control protocol also supports a mixed mode, i.e.
additional mode: mixed mode, i.e. the TWAMP-Control protocol operates the TWAMP-Control protocol operates in encrypted mode while TWAMP-
in encrypted mode while TWAMP-Test protocol operates in Test protocol operates in unauthenticated mode. The authenticated,
unauthenticated mode. The authenticated, encrypted and mixed modes encrypted and mixed modes require that endpoints possess a shared
require that endpoints possess a shared secret, typically a secret, typically a passphrase. The secret key is derived from the
passphrase. The secret key is derived from the passphrase using a passphrase using a password-based key derivation function PBKDF2
password-based key derivation function PBKDF2 (PKCS#5) [RFC2898]. (PKCS#5) [RFC2898].
In the unauthenticated mode, the security parameters are left unused. In the unauthenticated mode, the security parameters are left unused.
In the authenticated, encrypted and mixed modes, the security In the authenticated, encrypted and mixed modes, the security
parameters are negotiated during the control connection parameters are negotiated during the control connection
establishment. establishment.
Figure 1 illustrates the initiation stage of the O/TWAMP-Control Figure 1 illustrates the initiation stage of the O/TWAMP-Control
protocol between a client and the server. In short, the client opens protocol between a client and the server. In short, the client opens
a TCP connection to the server in order to be able to send O/TWAMP- a TCP connection to the server in order to be able to send O/TWAMP-
Control commands. The server responds with a Server Greeting, which Control commands. The server responds with a Server Greeting, which
skipping to change at page 6, line 23 skipping to change at page 6, line 23
key is generated using the O/TWAMP- Control AES Session-key, key is generated using the O/TWAMP- Control AES Session-key,
with the 16-octet session identifier (SID), for encrypting with the 16-octet session identifier (SID), for encrypting
and decrypting the packets of the particular O/TWAMP-Test and decrypting the packets of the particular O/TWAMP-Test
session. The O/TWAMP-Test HMAC Session-key is generated session. The O/TWAMP-Test HMAC Session-key is generated
using the O/TWAMP-Control HMAC Session-key, with the 16-octet using the O/TWAMP-Control HMAC Session-key, with the 16-octet
session identifier (SID), for authenticating the packets of session identifier (SID), for authenticating the packets of
the particular O/TWAMP-Test session. the particular O/TWAMP-Test session.
3.3. O/TWAMP Security Root 3.3. O/TWAMP Security Root
As discussed above, the AES Session-key and HMAC Session-key used in As discussed above, the AES Session-key and HMAC Session-key used by
the O/TWAMP-Test protocol are derived from the AES Session-key and the O/TWAMP-Test protocol are derived from the AES Session-key and
HMAC Session-key which are used in O/TWAMP-Control protocol. The AES HMAC Session-key which are used in O/TWAMP-Control protocol. The AES
Session-key and HMAC Session-key used in the O/TWAMP-Control protocol Session-key and HMAC Session-key used in the O/TWAMP-Control protocol
are generated randomly by the client, and encrypted with the shared are generated randomly by the client, and encrypted with the shared
secret associated with KeyID. Therefore, the security root is the secret associated with KeyID. Therefore, the security root is the
shared secret key. Thus, for large deployments, key provision and shared secret key. Thus, for large deployments, key provision and
management may become overly complicated. Comparatively, a management may become overly complicated. Comparatively, a
certificate-based approach using IKEv2 can automatically manage the certificate-based approach using IKEv2 can automatically manage the
security root and solve this problem, as we explain in Section 4. security root and solve this problem, as we explain in Section 4.
skipping to change at page 6, line 45 skipping to change at page 6, line 45
This section presents a method of binding O/TWAMP and IKEv2 for This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a client and a server which both support network measurements between a client and a server which both support
IPsec. In short, the shared key used for securing O/TWAMP traffic is IPsec. In short, the shared key used for securing O/TWAMP traffic is
derived using IKEv2 [RFC5996]. derived using IKEv2 [RFC5996].
4.1. Shared Key Derivation 4.1. Shared Key Derivation
In the authenticated, encrypted and mixed modes, the shared secret In the authenticated, encrypted and mixed modes, the shared secret
key can be derived from the IKEv2 Security Association (SA). Note key can be derived from the IKEv2 Security Association (SA). Note
that we explicitly opt to derive the shared secret key from the IKE that we explicitly opt to derive the shared secret key from the IKEv2
SA, rather than the child SA, since the use case whereby an IKE SA SA, rather than the child SA, since the use case whereby an IKEv2 SA
can be created without generating any child SA is possible [RFC6023]. can be created without generating any child SA is possible [RFC6023].
If the shared secret key is derived from the IKE SA, SKEYSEED must be If the shared secret key is derived from the IKEv2 SA, SKEYSEED must
generated first. SKEYSEED and its derivatives are computed as per be generated first. SKEYSEED and its derivatives MUST be computed as
[RFC5996], where prf is a pseudorandom function: per [RFC5996], where prf is a pseudorandom function:
SKEYSEED = prf( Ni | Nr, g^ir ) SKEYSEED = prf( Ni | Nr, g^ir )
Ni and Nr are, respectively, the initiator and responder nonces, Ni and Nr are, respectively, the initiator and responder nonces,
which are negotiated during the initial exchange (see Section 1.2 of which are negotiated during the initial exchange (see Section 1.2 of
[RFC5996]). g^ir is the shared secret from the ephemeral Diffie- [RFC5996]). g^ir is the shared secret from the ephemeral Diffie-
Hellman exchange and is represented as a string of octets. Hellman exchange and is represented as a string of octets.
The shared secret key can be generated as follows: The shared secret key MUST be generated as follows:
Shared secret key = PRF{ SKEYSEED, "IPPM" } Shared secret key = PRF( SKEYSEED, "IPPM" )
The shared secret key is derived in the IPsec layer. Thus, the IPsec Wherein the string "IPPM" comprises four ASCII characters. It is
keying material is not be exposed to the O/TWAMP client. Note that recommended that the shared secret key is derived in the IPsec layer.
the interaction between the O/TWAMP and IPsec implementations is This way, the IPsec keying material is not exposed to the O/TWAMP
outside the scope of this document, which focuses on the interaction client. Note, however, that the interaction between the O/TWAMP and
between the O/TWAMP client and server. Of course, extracting the IPsec layers is host-internal and implementation-specific.
shared secret key from the IPsec layer can depend on the Therefore, this is clearly outside the scope of this document, which
implementation. One possible way could be the following: at the focuses on the interaction between the O/TWAMP client and server.
client side, the IPSec layer can perform a lookup in the Security That said, one possible way could be the following: at the client
side, the IPSec layer can perform a lookup in the Security
Association Database (SAD) using the IP address of the server and Association Database (SAD) using the IP address of the server and
thus match the corresponding IKE SA. At the server side, the IPSec thus match the corresponding IKEv2 SA. At the server side, the IPSec
layer can look up the corresponding IKE SA by using the SPIs sent by layer can look up the corresponding IKEv2 SA by using the SPIs sent
the client, and therefore extract the shared secret key. by the client, and therefore extract the shared secret key. In case
that both client and server do support IKEv2 but there is no current
IKEv2 SA, two alternative ways could be considered. First, the O/
TWAMP client initiates the establishment of the IKEv2 SA, logs this
operation, and selects the mode which supports IKEv2. Alternatively,
the O/TWAMP client does not initiate the establishment of the IKEv2
SA, logs an error for operational management purposes, and proceeds
with the modes defined in [RFC4656][RFC5618]. Again, although both
alternatives are feasible, they are in fact implementation-specific.
If rekeying for the IKE SA or deletion of the IKE SA occurs, the If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the
corresponding shared secret key generated from the SA can continue to corresponding shared secret key generated from the SA can continue to
be used until the lifetime of the shared secret key expires. be used until the lifetime of the shared secret key expires.
4.2. Server Greeting Message Update 4.2. Server Greeting Message Update
To achieve a binding association between the key generated from IKE To achieve a binding association between the key generated from IKEv2
and the O/TWAMP shared secret key, Server Greeting Message should be and the O/TWAMP shared secret key, Server Greeting Message should be
updated as in Figure 2. updated as in Figure 2.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Unused (12 octets) | | Unused (12 octets) |
| | | |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 8, line 34 skipping to change at page 8, line 34
| Count (4 octets) | | Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting format Figure 2: Server Greeting format
The Modes field in Figure 2 will need to allow for support of key The Modes field in Figure 2 will need to allow for support of key
derivation as discussed in Section 4.1. As such, pending discussion derivation as discussed in Section 4.1. As such, the Modes value
in the IPPM WG, Modes value 8 extension MUST be supported by extension MUST be supported by implementations compatible with this
implementations compatible with this document, indicating support for document, indicating support for deriving shared key from IKEv2 SA.
deriving shared key from IKE SA. Modes value 16 indicates Three new Modes including authenticated mode over IKEv2(IANA.TBA.O/
authenticated mode; Modes value 32 indicates encrypted mode; and TWAMP.IKEAuth),encrypted mode over IKEv2(IANA.TBA.O/TWAMP.IKEEnc) and
Modes value 64 indicates mixed mode over IKEv2. mixed mode over IKEv2(IANA.TBA.TWAMP.IKEMix) are proposed.
Authenticated mode over IKEv2 means that the client and server Authenticated mode over IKEv2 means that the client and server
operate in authenticated mode with the shared secret key derived from operate in authenticated mode with the shared secret key derived from
IKE SA. Encrypted mode over IKEv2 means that the client and server IKEv2 SA. Encrypted mode over IKEv2 means that the client and server
operate in encrypted mode with the shared secret key derived from IKE operate in encrypted mode with the shared secret key derived from
SA. Mixed mode over IKEv2 means that the client and server operate IKEv2 SA. Mixed mode over IKEv2 means that the client and server
in encrypted mode for the O/TWAMP-Control protocol while operating in operate in encrypted mode for the O/TWAMP-Control protocol while
unauthenticated mode for the O/TWAMP-Test protocol with shared secret operating in unauthenticated mode for the O/TWAMP-Test protocol with
key derived from IKE SA. shared secret key derived from IKEv2 SA.
Server implementations compatible with this document MUST set the
first 25 bits of the Modes field to zero. A client compatible with
this specification MUST ignore the first 25 bits of the Modes field.
For backward compatibility, the server is obviously allowed to
indicate support for the Modes defined in [RFC4656]
The choice of this set of Modes values poses the least backwards The choice of this set of Modes values poses the least backwards
compatibility problems to existing O/TWAMP clients. Robust client compatibility problems to existing O/TWAMP clients. Robust client
implementations of [RFC4656] would disregard that the first 29 Modes implementations of [RFC4656] would disregard the fact that the first
bits in the Server Greeting is set. If the server supports other 29 Modes bits in the Server Greeting is set. If the server supports
Modes, as one would assume, the client would then indicate any of the other Modes, as one would assume, the client would then indicate any
Modes defined in [RFC4656] and effectively indicate that it does not of the Modes defined in [RFC4656] and effectively indicate that it
support key derivation from IKE. At this point, the Server would does not support key derivation from IKEv2. At this point, the
need to use the Modes defined in [RFC4656] only. Server would need to use the Modes defined in [RFC4656] only.
4.3. Set-Up-Response Update 4.3. Set-Up-Response Update
The Set-Up-Response Message should be updated as in Figure 3. The Set-Up-Response Message should be updated as in Figure 3.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 9, line 45 skipping to change at page 9, line 38
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Set-Up-Response Message Figure 3: Set-Up-Response Message
The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can
uniquely identify the Security Association (SA). If the client uniquely identify the Security Association (SA). If the client
supports the derivation of shared secret key from IKE SA, it will supports the derivation of shared secret key from IKEv2 SA, it will
choose the corresponding mode value and carry SPIi and SPIr in the choose the corresponding mode value and carry SPIi and SPIr in the
KeyID field. SPIi and SPIr are included in Key ID field of Set-Up- Key ID field. SPIi and SPIr are included in the Key ID field of Set-
Response Message to indicate the IKE SA which O/TWAMP shared secret Up- Response Message to indicate the IKEv2 SA from which the O/TWAMP
key derived from. The length of SPI is 4 octets. The first 4 octets shared secret key derived from. The length of SPI is 4 octets.
of Key ID field carries SPIi and the second 4 octets carries SPIr. Therefore, the first 4 octets of Key ID field carry SPIi and the
The rest bits of the Key ID field is set to zero. second 4 octets carry SPIr. The remaining bits of the Key ID field
are set to zero.
A server which supports deriving shared secret from an IKE SA can A O/TWAMP server which supports the specification of this document,
obtain the SPIi and SPIr from the first 8 octets and ignore the rest can obtain the SPIi and SPIr from the first 8 octets and ignore the
octets of the Key ID field. Then, the client and the server can rest octets of the Key ID field. Then, the client and the server can
derive the shared secret key based on the mode value and SPI. derive the shared secret key based on the mode value and SPI. If the
O/TWAMP server cannot find the IKEv2 SA corresponding to the SPIi and
SPIr received, it MUST log the event for operational management
purposes. In addition, the O/TWAMP server SHOULD set the Accept
field of the Server-Start message to the value 6 to indicate that
server is not willing to conduct further transactions in this O/
TWAMP-Control session since it can not find the corresponding IKEv2
SA.
If the server can not find the IKE SA corresponding to the SPIi and 4.4. O/TWAMP over an IPsec tunnel
SPIr, the Accept field of Server-Start message is extended to
indicate that. Accept value 6 can be used to indicate that server is IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and
not willing to conduct further transactions in this OWAMP-Control data integrity to IP datagrams. Thus and IPsec tunnel can be used to
session since it can not find the corresponding IKE SA. provide the protection needed for O/TWAMP Control and Test packets,
even if the peers choose the unauthenticated mode of operation. If
the two endpoints are already connected through an IPSec tunnel it is
RECOMMENDED that the O/TWAMP measurement packets are forwarded over
the IPSec tunnel if the peers choose the unauthenticated mode in
order to ensure authenticity and security.
5. Security Considerations 5. Security Considerations
As the shared secret key is derived from the IKE SA, the key As the shared secret key is derived from the IKEv2 SA, the key
derivation algorithm strength and limitations are as per [RFC5996]. derivation algorithm strength and limitations are as per [RFC5996].
The strength of a key derived from a Diffie-Hellman exchange using The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by the group, the size of the exponent used, and the entropy provided by
the random number generator employed. The strength of all keys and the random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly Denial of Service (DoS) implementation vulnerabilities, particularly Denial of Service (DoS)
attacks are as defined in [RFC5996]. attacks are as defined in [RFC5996].
As a more general note, the IPPM community may want to revisit the As a more general note, the IPPM community may want to revisit the
arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet
skipping to change at page 10, line 42 skipping to change at page 10, line 48
6. IANA Considerations 6. IANA Considerations
IANA will need to allocate additional values for the Modes options IANA will need to allocate additional values for the Modes options
presented in this document. presented in this document.
7. Acknowledgments 7. Acknowledgments
Emily Bi contributed to an earlier version of this document. Emily Bi contributed to an earlier version of this document.
We thank Eric Chen, Yakov Stein, and John Mattsson for their comments We thank Eric Chen, Yakov Stein, Brian Trammell, and John Mattsson
on this draft, and Al Morton for the discussion on related earlier for their comments on this draft, and Al Morton for the discussion
work in IPPM WG. and pointers to related earlier work in IPPM WG.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
Zekauskas, "A One-way Active Measurement Protocol Zekauskas, "A One-way Active Measurement Protocol
(OWAMP)", RFC 4656, September 2006. (OWAMP)", RFC 4656, September 2006.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, October 2008. RFC 5357, October 2008.
[RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the
Two-Way Active Measurement Protocol (TWAMP)", RFC 5618,
August 2009.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010. 5996, September 2010.
8.2. Informative References 8.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000. Specification Version 2.0", RFC 2898, September 2000.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
skipping to change at page 11, line 31 skipping to change at page 12, line 4
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A
Childless Initiation of the Internet Key Exchange Version Childless Initiation of the Internet Key Exchange Version
2 (IKEv2) Security Association (SA)", RFC 6023, October 2 (IKEv2) Security Association (SA)", RFC 6023, October
2010. 2010.
Authors' Addresses Authors' Addresses
Kostas Pentikousis (editor) Kostas Pentikousis (editor)
EICT GmbH EICT GmbH
EUREF-Campus Haus 13
Torgauer Strasse 12-15 Torgauer Strasse 12-15
10829 Berlin 10829 Berlin
Germany Germany
Email: k.pentikousis@eict.de Email: k.pentikousis@eict.de
Yang Cui Yang Cui
Huawei Technologies Huawei Technologies
Otemachi First Square 1-5-1 Otemachi Otemachi First Square 1-5-1 Otemachi
Chiyoda-ku, Tokyo 100-0004 Chiyoda-ku, Tokyo 100-0004
 End of changes. 36 change blocks. 
107 lines changed or deleted 136 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/