draft-ietf-ippm-ipsec-05.txt   draft-ietf-ippm-ipsec-06.txt 
IPPM WG K. Pentikousis, Ed. IPPM WG K. Pentikousis, Ed.
Internet-Draft EICT Internet-Draft EICT
Intended status: Standards Track E. Zhang Intended status: Standards Track E. Zhang
Expires: March 23, 2015 Y. Cui Expires: May 14, 2015 Y. Cui
Huawei Technologies Huawei Technologies
September 19, 2014 November 10, 2014
IKEv2-based Shared Secret Key for O/TWAMP IKEv2-based Shared Secret Key for O/TWAMP
draft-ietf-ippm-ipsec-05 draft-ietf-ippm-ipsec-06
Abstract Abstract
The O/TWAMP security mechanism requires that both the client and The O/TWAMP security mechanism requires that both the client and
server endpoints possess a shared secret. Since the currently- server endpoints possess a shared secret. Since the currently-
standardized O/TWAMP security mechanism only supports a pre-shared standardized O/TWAMP security mechanism only supports a pre-shared
key mode, large scale deployment of O/TWAMP is hindered key mode, large scale deployment of O/TWAMP is hindered
significantly. At the same time, recent trends point to wider IKEv2 significantly. At the same time, recent trends point to wider IKEv2
deployment which, in turn, calls for mechanisms and methods that deployment which, in turn, calls for mechanisms and methods that
enable tunnel end-users, as well as operators, to measure one-way and enable tunnel end-users, as well as operators, to measure one-way and
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 23, 2015. This Internet-Draft will expire on May 14, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4
3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4
3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4
3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6
4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7
4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7
4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7
4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8
4.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 11 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters, such as latency, bandwidth, measure network performance parameters, such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered. network measurement results, security aspects must be considered.
skipping to change at page 3, line 47 skipping to change at page 3, line 49
traffic using O/TWAMP layer security established using the PSK traffic using O/TWAMP layer security established using the PSK
derived from IKEv2 but bypassing the IPsec tunnel. Protecting derived from IKEv2 but bypassing the IPsec tunnel. Protecting
unauthenticated O/TWAMP control and/or test traffic via AH or ESP unauthenticated O/TWAMP control and/or test traffic via AH or ESP
cannot provide various security options, e.g. it cannot authenticate cannot provide various security options, e.g. it cannot authenticate
part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring
latency, timestamp is carried in O/TWAMP traffic. The sender has to latency, timestamp is carried in O/TWAMP traffic. The sender has to
fetch the timestamp, encrypt it, and send it. In this case, the fetch the timestamp, encrypt it, and send it. In this case, the
middle step can be skipped, potentially improving accuracy as the middle step can be skipped, potentially improving accuracy as the
sequence number can be encrypted and authenticated before the sequence number can be encrypted and authenticated before the
timestamp is fetched. It is the same case for the receiver since it timestamp is fetched. It is the same case for the receiver since it
can obtain the timstamp by skipping the decryption step. In such can obtain the timestamp by skipping the decryption step. In such
cases, protecting O/TWAMP traffic using O/TWAMP layer security but cases, protecting O/TWAMP traffic using O/TWAMP layer security but
bypassing IPsec tunnel has its advantages. This document describes bypassing IPsec tunnel has its advantages. This document describes
how to derive the shared secret key from the IKEv2 SA and employ the how to derive the shared secret key from the IKEv2 SA and employ the
security service at the O/TWAMP layer. This method SHOULD be used security service at the O/TWAMP layer. This method SHOULD be used
when O/TWAMP traffic is bypassing IPsec protection and is running when O/TWAMP traffic is bypassing IPsec protection and is running
over an external network exactly between two IKEv2 systems. over an external network exactly between two IKEv2 systems.
The remainder of this document is organized as follows. Section 3 After clarifying the terminology and scope in the subsequent
summarizes O/TWAMP protocol operation with respect to security. sections, the remainder of this document is organized as follows.
Section 4 presents a method of binding O/TWAMP and IKEv2 for network Section 4 summarizes O/TWAMP protocol operation with respect to
measurements between the client and the server which both support security. Section 5 presents the method for binding TWAMP and IKEv2
IKEv2. Finally, Section 5 discusses the security considerations for network measurements between the client and the server which both
arising from the proposed mechanisms. support IKEv2. Finally, Section 6 discusses the security
considerations arising from the proposed mechanisms.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. O/TWAMP Security 3. Scope and Applicability
This document specifies a method for enabling network measurements
between a TWAMP client and a TWAMP server which both support IPsec.
In short, the shared key used for securing TWAMP traffic is derived
using IKEv2 [RFC7296]. This document reserves from the TWAMP-Modes
registry the Mode value IANA.TBA.TWAMP.IKEv2Derived which MUST be
used by TWAMP implementations compatible with this specification.
Although the control procedures described in this document are
applicable to OWAMP per se, the lack of an established IANA registry
for OWAMP Mode values technically prevents us from extending OWAMP
Mode values. Therefore, independent OWAMP implementations SHOULD be
checked for full compatibility with respect to the use of this Mode
value. Until an IANA registry for OWAMP Mode values is established,
the use this feature in OWAMP implementations MUST be arranged
privately among consenting OWAMP users.
4. O/TWAMP Security
Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in
the following subsections. the following subsections.
3.1. O/TWAMP-Control Security 4.1. O/TWAMP-Control Security
O/TWAMP uses a simple cryptographic protocol which relies on O/TWAMP uses a simple cryptographic protocol which relies on
o AES in Cipher Block Chaining (AES-CBC) for confidentiality o AES in Cipher Block Chaining (AES-CBC) for confidentiality
o HMAC-SHA1 truncated to 128 bits for message authentication o HMAC-SHA1 truncated to 128 bits for message authentication
Three modes of operation are supported in the OWAMP-Control protocol: Three modes of operation are supported in the OWAMP-Control protocol:
unauthenticated, authenticated, and encrypted. In addition to these unauthenticated, authenticated, and encrypted. In addition to these
modes, the TWAMP-Control protocol also supports a mixed mode, i.e. modes, the TWAMP-Control protocol also supports a mixed mode, i.e.
the TWAMP-Control protocol operates in encrypted mode while TWAMP- the TWAMP-Control protocol operates in encrypted mode while TWAMP-
Test protocol operates in unauthenticated mode. The authenticated, Test protocol operates in unauthenticated mode. The authenticated,
encrypted and mixed modes require that endpoints possess a shared encrypted and mixed modes require that endpoints possess a shared
secret, typically a passphrase. The secret key is derived from the secret, typically a passphrase. The secret key is derived from the
passphrase using a password-based key derivation function PBKDF2 passphrase using a password-based key derivation function PBKDF2
skipping to change at page 5, line 45 skipping to change at page 6, line 18
with Client- IV as the IV. Correspondingly, the server encrypts its with Client- IV as the IV. Correspondingly, the server encrypts its
side of the connection using Server-IV as the IV. The IVs themselves side of the connection using Server-IV as the IV. The IVs themselves
are transmitted in cleartext. Encryption starts with the block are transmitted in cleartext. Encryption starts with the block
immediately following that containing the IV. immediately following that containing the IV.
The AES Session-key and HMAC Session-key are generated randomly by The AES Session-key and HMAC Session-key are generated randomly by
the client. The HMAC Session-key is communicated along with the AES the client. The HMAC Session-key is communicated along with the AES
Session-key during O/TWAMP-Control connection setup. The HMAC Session-key during O/TWAMP-Control connection setup. The HMAC
Session-key is derived independently of the AES Session-key. Session-key is derived independently of the AES Session-key.
3.2. O/TWAMP-Test Security 4.2. O/TWAMP-Test Security
The O/TWAMP-Test protocol runs over UDP, using the client and server The O/TWAMP-Test protocol runs over UDP, using the client and server
IP and port numbers that were negotiated during the Request-Session IP and port numbers that were negotiated during the Request-Session
exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and
all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control
session mode except when operating in mixed mode. session mode except when operating in mixed mode.
The O/TWAMP-Test packet format is the same in authenticated and The O/TWAMP-Test packet format is the same in authenticated and
encrypted modes. The encryption and authentication operations are, encrypted modes. The encryption and authentication operations are,
however, different. Similarly with the respective O/TWAMP-Control however, different. Similarly with the respective O/TWAMP-Control
skipping to change at page 6, line 28 skipping to change at page 7, line 5
the session identifier (SID), which serve as inputs of the the session identifier (SID), which serve as inputs of the
key derivation function (KDF). The O/TWAMP-Test AES Session- key derivation function (KDF). The O/TWAMP-Test AES Session-
key is generated using the O/TWAMP- Control AES Session-key, key is generated using the O/TWAMP- Control AES Session-key,
with the 16-octet session identifier (SID), for encrypting with the 16-octet session identifier (SID), for encrypting
and decrypting the packets of the particular O/TWAMP-Test and decrypting the packets of the particular O/TWAMP-Test
session. The O/TWAMP-Test HMAC Session-key is generated session. The O/TWAMP-Test HMAC Session-key is generated
using the O/TWAMP-Control HMAC Session-key, with the 16-octet using the O/TWAMP-Control HMAC Session-key, with the 16-octet
session identifier (SID), for authenticating the packets of session identifier (SID), for authenticating the packets of
the particular O/TWAMP-Test session. the particular O/TWAMP-Test session.
3.3. O/TWAMP Security Root 4.3. O/TWAMP Security Root
As discussed above, the AES Session-key and HMAC Session-key used by As discussed above, the AES Session-key and HMAC Session-key used by
the O/TWAMP-Test protocol are derived from the AES Session-key and the O/TWAMP-Test protocol are derived from the AES Session-key and
HMAC Session-key which are used in O/TWAMP-Control protocol. The AES HMAC Session-key which are used in O/TWAMP-Control protocol. The AES
Session-key and HMAC Session-key used in the O/TWAMP-Control protocol Session-key and HMAC Session-key used in the O/TWAMP-Control protocol
are generated randomly by the client, and encrypted with the shared are generated randomly by the client, and encrypted with the shared
secret associated with KeyID. Therefore, the security root is the secret associated with KeyID. Therefore, the security root is the
shared secret key. Thus, for large deployments, key provision and shared secret key. Thus, for large deployments, key provision and
management may become overly complicated. Comparatively, a management may become overly complicated. Comparatively, a
certificate-based approach using IKEv2 can automatically manage the certificate-based approach using IKEv2 can automatically manage the
security root and solve this problem, as we explain in Section 4. security root and solve this problem, as we explain in Section 5.
4. O/TWAMP for IPsec Networks 5. O/TWAMP for IPsec Networks
This section presents a method of binding O/TWAMP and IKEv2 for This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a client and a server which both support network measurements between a client and a server which both support
IPsec. In short, the shared key used for securing O/TWAMP traffic is IPsec. In short, the shared key used for securing O/TWAMP traffic is
derived using IKEv2 [RFC5996]. derived using IKEv2 [RFC7296].
4.1. Shared Key Derivation 5.1. Shared Key Derivation
In the authenticated, encrypted and mixed modes, the shared secret In the authenticated, encrypted and mixed modes, the shared secret
key MUST be derived from the IKEv2 Security Association (SA). Note key MUST be derived from the IKEv2 Security Association (SA). Note
that we explicitly opt to derive the shared secret key from the IKEv2 that we explicitly opt to derive the shared secret key from the IKEv2
SA, rather than the child SA, since the use case whereby an IKEv2 SA SA, rather than the child SA, since the use case whereby an IKEv2 SA
can be created without generating any child SA is possible [RFC6023]. can be created without generating any child SA is possible [RFC6023].
When the shared secret key is derived from the IKEv2 SA, SK_d must be When the shared secret key is derived from the IKEv2 SA, SK_d must be
generated first. SK_d MUST be computed as per [RFC5996]. generated first. SK_d MUST be computed as per [RFC7296].
The shared secret key MUST be generated as follows: The shared secret key MUST be generated as follows:
Shared secret key = PRF( SK_d, "IPPM" ) Shared secret key = PRF( SK_d, "IPPM" )
Wherein the string "IPPM" comprises four ASCII characters and prf is Wherein the string "IPPM" comprises four ASCII characters and prf is
a pseudorandom function. It is recommended that the shared secret a pseudorandom function. It is recommended that the shared secret
key is derived in the IPsec layer. This way, the IPsec keying key is derived in the IPsec layer. This way, the IPsec keying
material is not exposed to the O/TWAMP client. Note, however, that material is not exposed to the O/TWAMP client. Note, however, that
the interaction between the O/TWAMP and IPsec layers is host-internal the interaction between the O/TWAMP and IPsec layers is host-internal
skipping to change at page 7, line 41 skipping to change at page 8, line 18
Alternatively, the O/TWAMP client does not initiate the establishment Alternatively, the O/TWAMP client does not initiate the establishment
of the IKEv2 SA, logs an error for operational management purposes, of the IKEv2 SA, logs an error for operational management purposes,
and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618].
Again, although both alternatives are feasible, they are in fact Again, although both alternatives are feasible, they are in fact
implementation-specific. implementation-specific.
If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the
corresponding shared secret key generated from the SA can continue to corresponding shared secret key generated from the SA can continue to
be used until the O/TWAMP session terminates. be used until the O/TWAMP session terminates.
4.2. Server Greeting Message Update 5.2. Server Greeting Message Update
To achieve a binding association between the key generated from IKEv2 To achieve a binding association between the key generated from IKEv2
and the O/TWAMP shared secret key, Server Greeting Message should be and the O/TWAMP shared secret key, Server Greeting Message should be
updated as in Figure 2. updated as in Figure 2.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Unused (12 octets) | | Unused (12 octets) |
skipping to change at page 8, line 34 skipping to change at page 9, line 6
| Count (4 octets) | | Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting format Figure 2: Server Greeting format
The Modes field in Figure 2 will need to allow for support of key The Modes field in Figure 2 will need to allow for support of key
derivation as discussed in Section 4.1. As such, the Modes value derivation as discussed in Section 5.1. As such, the Modes value
extension MUST be supported by implementations compatible with this extension MUST be supported by implementations compatible with this
document, indicating support for deriving the shared key from the document, indicating support for deriving the shared key from the
IKEv2 SA. The new Modes value indicating support for this IKEv2 SA. The new Modes value indicating support for this
specification is IANA.TBA.TWAMP.IKEv2Derived (note to IANA: 128 is specification is IANA.TBA.TWAMP.IKEv2Derived (note to IANA: 128 is
preferred, i.e. bit in position 7). Clearly, an implementation preferred, i.e. bit in position 7). Clearly, an implementation
compatible with this specification MUST support the authenticated, compatible with this specification MUST support the authenticated,
encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618]. encrypted and mixed modes as per [RFC4656][RFC5357][RFC5618].
The choice of this set of Modes values poses no backwards The choice of this set of Modes values poses no backwards
compatibility problems to existing O/TWAMP clients. Robust legacy compatibility problems to existing O/TWAMP clients. Robust legacy
client implementations would disregard the fact that the client implementations would disregard the fact that the
IANA.TBA.TWAMP.IKEv2Derived Modes bit in the Server Greeting is set. IANA.TBA.TWAMP.IKEv2Derived Modes bit in the Server Greeting is set.
On the other hand, a client compatible with this specification can On the other hand, a client compatible with this specification can
easily identify that the O/TWAMP server contacted does not support easily identify that the O/TWAMP server contacted does not support
this specification. If the server supports other Modes, as one could this specification. If the server supports other Modes, as one could
assume, the client would then decide which Mode to use and indicate assume, the client would then decide which Mode to use and indicate
such accordingly as per [RFC4656][RFC5357]. A client compatible with such accordingly as per [RFC4656][RFC5357]. A client compatible with
this specification which decides not to employ IKEv2 derivation, can this specification which decides not to employ IKEv2 derivation, can
simply behave as a purely [RFC4656]/[RFC5357] compatible client. simply behave as a purely [RFC4656]/[RFC5357] compatible client.
4.3. Set-Up-Response Update 5.3. Set-Up-Response Update
The Set-Up-Response Message should be updated as in Figure 3. When a The Set-Up-Response Message should be updated as in Figure 3. When a
O/TWAMP client compatible with this specification receives a Server O/TWAMP client compatible with this specification receives a Server
Greeting indicating support for Mode IANA.TBA.TWAMP.IKEv2Derived it Greeting indicating support for Mode IANA.TBA.TWAMP.IKEv2Derived it
SHOULD reply to the O/TWAMP server with a Set-Up response that SHOULD reply to the O/TWAMP server with a Set-Up response that
indicates so. For example, a compatible O/TWAMP client choosing the indicates so. For example, a compatible O/TWAMP client choosing the
authenticated mode with IKEv2 shared secret key derivation should set authenticated mode with IKEv2 shared secret key derivation should set
Mode to 130, i.e. set the bits in positions 1 and 7 (TBD IANA) to Mode to 130, i.e. set the bits in positions 1 and 7 (TBD IANA) to
one. one.
skipping to change at page 9, line 40 skipping to change at page 10, line 27
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Set-Up-Response Message Figure 3: Set-Up-Response Message
The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can
uniquely identify the Security Association (SA). If the client uniquely identify the Security Association (SA). If the client
supports the derivation of shared secret key from IKEv2 SA, it will supports the derivation of shared secret key from IKEv2 SA, it will
choose the corresponding mode value and carry SPIi and SPIr in the choose the corresponding mode value and carry SPIi and SPIr in the
Key ID field. SPIi and SPIr MUST be included in the Key ID field of Key ID field. SPIi and SPIr MUST be included in the Key ID field of
Set-Up-Response Message to indicate the IKEv2 SA from which the O/ Set-Up-Response Message to indicate the IKEv2 SA from which the O/
TWAMP shared secret key derived from. The length of SPI is 4 octets. TWAMP shared secret key derived from. The length of SPI is 4 octets.
Therefore, the first 4 octets of Key ID field MUST carry SPIi and the Therefore, the first 4 octets of Key ID field MUST carry SPIi and the
second 4 octets MUST carry SPIr. The remaining bits of the Key ID second 4 octets MUST carry SPIr. The remaining bits of the Key ID
field MUST set to zero. field MUST set to zero.
skipping to change at page 10, line 17 skipping to change at page 11, line 5
remaining octets of the Key ID field. Then, the client and the remaining octets of the Key ID field. Then, the client and the
server can derive the shared secret key based on the mode value and server can derive the shared secret key based on the mode value and
SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to
the SPIi and SPIr received, it MUST log the event for operational the SPIi and SPIr received, it MUST log the event for operational
management purposes. In addition, the O/TWAMP server SHOULD set the management purposes. In addition, the O/TWAMP server SHOULD set the
Accept field of the Server-Start message to the value 6 to indicate Accept field of the Server-Start message to the value 6 to indicate
that server is not willing to conduct further transactions in this O/ that server is not willing to conduct further transactions in this O/
TWAMP-Control session since it can not find the corresponding IKEv2 TWAMP-Control session since it can not find the corresponding IKEv2
SA. SA.
4.4. O/TWAMP over an IPsec tunnel 5.4. O/TWAMP over an IPsec tunnel
IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and
data integrity to IP datagrams. Thus an IPsec tunnel can be used to data integrity to IP datagrams. Thus an IPsec tunnel can be used to
provide the protection needed for O/TWAMP Control and Test packets, provide the protection needed for O/TWAMP Control and Test packets,
even if the peers choose the unauthenticated mode of operation. If even if the peers choose the unauthenticated mode of operation. If
the two endpoints are already connected through an IPSec tunnel it is the two endpoints are already connected through an IPSec tunnel it is
RECOMMENDED that the O/TWAMP measurement packets are forwarded over RECOMMENDED that the O/TWAMP measurement packets are forwarded over
the IPSec tunnel if the peers choose the unauthenticated mode in the IPSec tunnel if the peers choose the unauthenticated mode in
order to ensure authenticity and security. order to ensure authenticity and security.
5. Security Considerations 6. Security Considerations
As the shared secret key is derived from the IKEv2 SA, the key As the shared secret key is derived from the IKEv2 SA, the key
derivation algorithm strength and limitations are as per [RFC5996]. derivation algorithm strength and limitations are as per [RFC7296].
The strength of a key derived from a Diffie-Hellman exchange using The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by the group, the size of the exponent used, and the entropy provided by
the random number generator employed. The strength of all keys and the random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly Denial of Service (DoS) implementation vulnerabilities, particularly Denial of Service (DoS)
attacks are as defined in [RFC5996]. attacks are as defined in [RFC7296].
As a more general note, the IPPM community may want to revisit the As a more general note, the IPPM community may want to revisit the
arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet
security mechanisms, such as TLS and DTLS, may also be considered for security mechanisms, such as TLS and DTLS, may also be considered for
future use over and above of what is already specified in [RFC4656] future use over and above of what is already specified in [RFC4656]
[RFC5357]. [RFC5357].
6. IANA Considerations 7. IANA Considerations
IANA is requested to allocate the IANA.TBA.TWAMP.IKEv2Derived Modes IANA is requested to allocate the IANA.TBA.TWAMP.IKEv2Derived Modes
value in the TWAMP-Modes registry. value in the TWAMP-Modes registry.
7. Acknowledgments 8. Acknowledgments
We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John
Mattsson, and Steve Baillargeon for their comments and text Mattsson, and Steve Baillargeon for their comments and text
suggestions. Al Morton deserves a special mention for his text suggestions.
contributions and the good discussion and pointers to earlier related
work in IPPM WG.
8. References Al Morton deserves a special mention for his thorough reviews and
text contributions to this document as well as the constructive
discussions over several IPPM meetings.
8.1. Normative References 9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
2005. 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005. 4303, December 2005.
skipping to change at page 11, line 38 skipping to change at page 12, line 27
(OWAMP)", RFC 4656, September 2006. (OWAMP)", RFC 4656, September 2006.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, October 2008. RFC 5357, October 2008.
[RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the
Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, Two-Way Active Measurement Protocol (TWAMP)", RFC 5618,
August 2009. August 2009.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC Kivinen, "Internet Key Exchange Protocol Version 2
5996, September 2010. (IKEv2)", STD 79, RFC 7296, October 2014.
8.2. Informative References 9.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000. Specification Version 2.0", RFC 2898, September 2000.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A
Childless Initiation of the Internet Key Exchange Version Childless Initiation of the Internet Key Exchange Version
2 (IKEv2) Security Association (SA)", RFC 6023, October 2 (IKEv2) Security Association (SA)", RFC 6023, October
 End of changes. 32 change blocks. 
55 lines changed or deleted 75 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/