draft-ietf-ippm-ipsec-11.txt   rfc7717.txt 
IPPM WG K. Pentikousis, Ed. Internet Engineering Task Force (IETF) K. Pentikousis, Ed.
Internet-Draft EICT Request for Comments: 7717 EICT
Updates: 4656, 5357 (if approved) E. Zhang Updates: 4656, 5357 E. Zhang
Intended status: Standards Track Y. Cui Category: Standards Track Y. Cui
Expires: February 27, 2016 Huawei Technologies ISSN: 2070-1721 Huawei Technologies
August 26, 2015 December 2015
IKEv2-derived Shared Secret Key for O/TWAMP IKEv2-Derived Shared Secret Key for
draft-ietf-ippm-ipsec-11 the One-Way Active Measurement Protocol (OWAMP) and
Two-Way Active Measurement Protocol (TWAMP)
Abstract Abstract
The One-way Active Measurement Protocol (OWAMP) and Two-Way Active The One-Way Active Measurement Protocol (OWAMP) and Two-Way Active
Measurement Protocol (TWAMP) security mechanisms require that both Measurement Protocol (TWAMP) security mechanisms require that both
the client and server endpoints possess a shared secret. This the client and server endpoints possess a shared secret. This
document describes the use of keys derived from an IKEv2 security document describes the use of keys derived from an IKEv2 security
association (SA) as the shared key in O/TWAMP. If the shared key can association (SA) as the shared key in OWAMP or TWAMP. If the shared
be derived from the IKEv2 SA, O/TWAMP can support certificate-based key can be derived from the IKEv2 SA, OWAMP or TWAMP can support
key exchange, which would allow for more operational flexibility and certificate-based key exchange; this would allow for more operational
efficiency. The key derivation presented in this document can also flexibility and efficiency. The key derivation presented in this
facilitate automatic key management. document can also facilitate automatic key management.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on February 27, 2016. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7717.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 5
4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5
4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6
4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7
5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7
5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7
5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8
5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9
5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10 5.4. O/TWAMP over an IPsec Tunnel . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 8.2. Informative References . . . . . . . . . . . . . . . . . 13
9.2. Informative References . . . . . . . . . . . . . . . . . 13 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the The One-Way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters such as latency, bandwidth, measure network performance parameters such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered. network measurement results, security aspects must be considered.
Otherwise, attacks may occur and the authenticity of the measurement Otherwise, attacks may occur and the authenticity of the measurement
results may be violated. For example, if no protection is provided, results may be violated. For example, if no protection is provided,
an adversary in the middle may modify packet timestamps, thus an adversary in the middle may modify packet timestamps, thus
altering the measurement results. altering the measurement results.
According to [RFC4656] [RFC5357], the O/TWAMP security mechanism According to [RFC4656] and [RFC5357], the OWAMP and TWAMP (O/TWAMP)
requires that endpoints (i.e. both the client and the server) possess security mechanisms require that endpoints (i.e., both the client and
a shared secret. In today's network deployments, however, the use of the server) possess a shared secret. In today's network deployments,
pre-shared keys is far from optimal. For example, in wireless however, the use of pre-shared keys is far from optimal. For
infrastructure networks, certain network elements, which can be seen example, in wireless infrastructure networks, certain network
as the two endpoints from an O/TWAMP perspective, support elements (which can be seen as the two endpoints from an O/TWAMP
certificate-based security. For instance, consider the case in which perspective) support certificate-based security. For instance,
one wants to measure IP performance between a E-UTRAN Evolved Node B consider the case in which one wants to measure IP performance
(eNB) and Security Gateway (SeGW), both of which are 3GPP Long Term between an E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW),
Evolution (LTE) nodes and support certificate mode and the Internet both of which are 3GPP Long Term Evolution (LTE) nodes and support
Key Exchange Protocol Version 2 (IKEv2). certificate mode and the Internet Key Exchange Protocol version 2
(IKEv2).
The O/TWAMP security mechanism specified in [RFC4656] [RFC5357] The O/TWAMP security mechanism specified in [RFC4656] and [RFC5357]
supports the pre-shared key mode only, hindering large-scale supports the pre-shared key (PSK) mode only, hindering large-scale
deployment of O/TWAMP: provisioning and management of "shared deployment of O/TWAMP: provisioning and management of "shared
secrets" for massive deployments consumes a tremendous amount of secrets" for massive deployments consumes a tremendous amount of
effort and is prone to human error. At the same time, recent trends effort and is prone to human error. At the same time, recent trends
point to wider IKEv2 deployment which, in turn, calls for mechanisms point to wider IKEv2 deployment that, in turn, calls for mechanisms
and methods that enable tunnel end-users, as well as operators, to and methods that enable tunnel end-users, as well as operators, to
measure one-way and two-way network performance in a standardized measure one-way and two-way network performance in a standardized
manner. manner.
With IKEv2 widely deployed, employing shared keys derived from an With IKEv2 widely deployed, employing shared keys derived from an
IKEv2 security association (SA) can be considered a viable IKEv2 security association (SA) can be considered a viable
alternative through the method described in this document. If the alternative through the method described in this document. If the
shared key can be derived from the IKEv2 SA, O/TWAMP can support shared key can be derived from the IKEv2 SA, O/TWAMP can support
certificate-based key exchange and practically increase operational certificate-based key exchange and practically increase operational
flexibility and efficiency. The use of IKEv2 also makes it easier to flexibility and efficiency. The use of IKEv2 also makes it easier to
extend automatic key management. extend automatic key management.
In general, O/TWAMP measurement packets can be transmitted inside the In general, O/TWAMP measurement packets can be transmitted inside the
IPsec tunnel, as it occurs with typical user traffic, or transmitted IPsec tunnel, as typical user traffic is, or transmitted outside the
outside the IPsec tunnel. This may depend on the operator's policy IPsec tunnel. This may depend on the operator's policy and the
and the performance evaluation goal, and is orthogonal to the performance evaluation goal, and it is orthogonal to the mechanism
mechanism described in this document. When IPsec is deployed, described in this document. When IPsec is deployed, protecting
protecting O/TWAMP traffic in unauthenticated mode using IPsec is one O/TWAMP traffic in unauthenticated mode using IPsec is one option.
option. Another option is to protect O/TWAMP traffic using the O/ Another option is to protect O/TWAMP traffic using the O/TWAMP
TWAMP layer security established using the Pre-Shared Key (PSK) security established using the PSK derived from IKEv2 and bypassing
derived from IKEv2 and bypassing the IPsec tunnel. the IPsec tunnel.
Protecting unauthenticated O/TWAMP control and/or test traffic via Protecting unauthenticated O/TWAMP control and/or test traffic via
Authentication Header (AH) [RFC4302] or Encapsulating Security the Authentication Header (AH) [RFC4302] or Encapsulating Security
Payload (ESP) [RFC4303] cannot provide various security options, Payload (ESP) [RFC4303] cannot provide various security options,
e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in e.g., it cannot authenticate part of an O/TWAMP packet as mentioned
[RFC4656]. For measuring latency, a timestamp is carried in O/TWAMP in [RFC4656]. For measuring latency, a timestamp is carried in O/
test traffic. The sender has to fetch the timestamp, encrypt it, and TWAMP test traffic. The sender has to fetch the timestamp, encrypt
send it. When the mechanism described in this document is used, it, and send it. When the mechanism described in this document is
partial authentication of O/TWAMP packets is possible and therefore used, partial authentication of O/TWAMP packets is possible and
the middle step can be skipped, potentially improving accuracy as the therefore the middle step can be skipped, potentially improving
sequence number can be encrypted and authenticated before the accuracy as the sequence number can be encrypted and authenticated
timestamp is fetched. The receiver obtains the timestamp without the before the timestamp is fetched. The receiver obtains the timestamp
need for the corresponding decryption step. In such cases, without the need for the corresponding decryption step. In such
protecting O/TWAMP traffic using O/TWAMP layer security but bypassing cases, protecting O/TWAMP traffic using O/TWAMP security but
the IPsec tunnel has its advantages. bypassing the IPsec tunnel has its advantages.
This document specifies a method for enabling network measurements This document specifies a method for enabling network measurements
between a TWAMP client and a TWAMP server. In short, the shared key between a TWAMP client and a TWAMP server. In short, the shared key
used for securing TWAMP traffic is derived from IKEv2 [RFC7296]. used for securing TWAMP traffic is derived from IKEv2 [RFC7296].
TWAMP implementations signal the use of this method by setting TWAMP implementations signal the use of this method by setting
IKEv2Derived (see Section 7). IKEv2-derived keys SHOULD be used IKEv2Derived (see Section 7). IKEv2-derived keys SHOULD be used
instead of shared secrets when O/TWAMP is employed in a deployment instead of shared secrets when O/TWAMP is employed in a deployment
using IKEv2. From an operations and management perspective using IKEv2. From an operations and management perspective
[RFC5706], the mechanism described in this document requires that [RFC5706], the mechanism described in this document requires that
both the TWAMP Control-Client and Server support IPsec. both the TWAMP Control-Client and Server support IPsec.
The remainder of this document is organized as follows. Section 4 The remainder of this document is organized as follows. Section 4
summarizes O/TWAMP protocol operation with respect to security. summarizes O/TWAMP protocol operation with respect to security.
Section 5 presents the method for binding TWAMP and IKEv2 for network Section 5 presents the method for binding TWAMP and IKEv2 for network
measurements between the client and the server which both support measurements between the client and the server that both support
IKEv2. Finally, Section 6 discusses the security considerations IKEv2. Finally, Section 6 discusses the security considerations
arising from the proposed mechanisms. arising from the proposed mechanisms.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Scope 3. Scope
This document specifies a method using keys derived from an IKEv2 This document specifies a method using keys derived from an IKEv2 SA
security association (SA) as the shared key in O/TWAMP. O/TWAMP as the shared key in O/TWAMP. O/TWAMP implementations signal the use
implementations signal the use of this method by setting IKEv2Derived of this method by setting IKEv2Derived (see Section 7).
(see Section 7).
4. O/TWAMP Security 4. O/TWAMP Security
Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in
the following subsections. the following subsections.
4.1. O/TWAMP-Control Security 4.1. O/TWAMP-Control Security
O/TWAMP uses a simple cryptographic protocol which relies on O/TWAMP uses a simple cryptographic protocol that relies on
o Advanced Encryption Standard (AES) in Cipher Block Chaining (AES- o AES-CBC for confidentiality
CBC) for confidentiality
o Hash-based Message Authentication Code (HMAC)-Secure Hash o HMAC-SHA1 truncated to 128 bits for message authentication
Algorithm1 (SHA1) truncated to 128 bits for message authentication
Three modes of operation are supported in the OWAMP-Control protocol: Three modes of operation are supported in the OWAMP-Control protocol:
unauthenticated, authenticated, and encrypted. In addition to these unauthenticated, authenticated, and encrypted. In addition to these
modes, the TWAMP-Control protocol also supports a mixed mode, i.e. modes, the TWAMP-Control protocol also supports a mixed mode, i.e.,
the TWAMP-Control protocol operates in encrypted mode while TWAMP- the TWAMP-Control protocol operates in encrypted mode while TWAMP-
Test protocol operates in unauthenticated mode. The authenticated, Test protocol operates in unauthenticated mode. The authenticated,
encrypted and mixed modes require that endpoints possess a shared encrypted, and mixed modes require that endpoints possess a shared
secret, typically a passphrase. The secret key is derived from the secret, typically a passphrase. The secret key is derived from the
passphrase using a password-based key derivation function PBKDF2 passphrase using a password-based key derivation function PBKDF2
(PKCS#5) [RFC2898]. (PKCS #5) [RFC2898].
In the unauthenticated mode, the security parameters are left unused. In the unauthenticated mode, the security parameters are left unused.
In the authenticated, encrypted and mixed modes, the security In the authenticated, encrypted, and mixed modes, the security
parameters are negotiated during the control connection parameters are negotiated during the control connection
establishment. establishment.
Figure 1 illustrates the initiation stage of the O/TWAMP-Control Figure 1 illustrates the initiation stage of the O/TWAMP-Control
protocol between a Control-Client and a Server. In short, the protocol between a Control-Client and a Server. In short, the
Control-Client opens a TCP connection to the Server in order to be Control-Client opens a TCP connection to the Server in order to be
able to send O/TWAMP-Control commands. The Server responds with a able to send O/TWAMP-Control commands. The Server responds with a
Server Greeting, which contains the Modes, Challenge, Salt, Count, Server Greeting, which contains the Modes, Challenge, Salt, Count,
and MBZ fields (see Section 3.1 of [RFC4656]). If the Control-Client and MBZ ("MUST be zero") fields (see Section 3.1 of [RFC4656]). If
preferred mode is available, the client responds with a Set-Up- the Control-Client preferred mode is available, the client responds
Response message, wherein the selected Mode, as well as the KeyID, with a Set-Up-Response message, wherein the selected Mode, as well as
Token and Client initialization vector (IV) are included. The Token the KeyID, Token, and Client initialization vector (IV) are included.
is the concatenation of a 16-octet Challenge, a 16-octet AES Session- The Token is the concatenation of a 16-octet Challenge, a 16-octet
key used for encryption, and a 32-octet HMAC-SHA1 Session-key used AES Session-key used for encryption, and a 32-octet HMAC-SHA1
for authentication. The Token is encrypted using AES-CBC. Session-key used for authentication. The Token is encrypted using
AES-CBC.
+----------------+ +--------+ +----------------+ +--------+
| Control-Client | | Server | | Control-Client | | Server |
+----------------+ +--------+ +----------------+ +--------+
| | | |
|<------ TCP Connection-- ----->| |<------ TCP Connection-- ----->|
| | | |
|<------ Greeting message ------| |<------ Greeting message ------|
| | | |
|------- Set-Up-Response ------>| |------- Set-Up-Response ------>|
| | | |
|<------ Server-Start ----------| |<------ Server-Start ----------|
| | | |
Figure 1: Initiation of O/TWAMP-Control Figure 1: Initiation of O/TWAMP-Control
Encryption uses a key derived from the shared secret associated with Encryption uses a key derived from the shared secret associated with
KeyID. In the authenticated, encrypted and mixed modes, all further KeyID. In the authenticated, encrypted, and mixed modes, all further
communication is encrypted using the AES Session-key and communication is encrypted using the AES Session-key and
authenticated with the HMAC Session-key. After receiving the Set-Up- authenticated with the HMAC Session-key. After receiving the Set-Up-
Response the Server responds with a Server-Start message containing Response, the Server responds with a Server-Start message containing
the Server-IV. The Control-Client encrypts everything it transmits the Server-IV. The Control-Client encrypts everything it transmits
through the just-established O/TWAMP-Control connection using stream through the just established O/TWAMP-Control connection using stream
encryption with Client-IV as the IV. Correspondingly, the Server encryption with Client-IV as the IV. Correspondingly, the Server
encrypts its side of the connection using Server-IV as the IV. The encrypts its side of the connection using Server-IV as the IV. The
IVs themselves are transmitted in cleartext. Encryption starts with IVs themselves are transmitted in cleartext. Encryption starts with
the block immediately following that containing the IV. the block immediately following that containing the IV.
The AES Session-key and HMAC Session-key are generated randomly by The AES Session-key and HMAC Session-key are generated randomly by
the Control-Client. The HMAC Session-key is communicated along with the Control-Client. The HMAC Session-key is communicated along with
the AES Session-key during O/TWAMP-Control connection setup. The the AES Session-key during O/TWAMP-Control connection setup. The
HMAC Session-key is derived independently of the AES Session-key. HMAC Session-key is derived independently of the AES Session-key.
4.2. O/TWAMP-Test Security 4.2. O/TWAMP-Test Security
The O/TWAMP-Test protocol runs over UDP, using the Session-Sender and The O/TWAMP-Test protocol runs over UDP, using the Session-Sender and
Session-Reflector IP and port numbers that were negotiated during the Session-Reflector IP and port numbers that were negotiated during the
Request-Session exchange. O/TWAMP-Test has the same mode with O/ Request-Session exchange. O/TWAMP-Test has the same mode with O/
TWAMP-Control and all O/TWAMP-Test sessions inherit the corresponding TWAMP-Control and all O/TWAMP-Test sessions inherit the corresponding
O/TWAMP-Control session mode except when operating in mixed mode. O/TWAMP-Control session mode except when operating in mixed mode.
The O/TWAMP-Test packet format is the same in authenticated and The O/TWAMP-Test packet format is the same in authenticated and
encrypted modes. The encryption and authentication operations are, encrypted modes. The encryption and authentication operations are,
however, different. Similarly with the respective O/TWAMP-Control however, different. Similarly, with the respective O/TWAMP-Control
session, each O/TWAMP-Test session has two keys: an AES Session-key session, each O/TWAMP-Test session has two keys: an AES Session-key
and an HMAC Session-key. However, there is a difference in how the and an HMAC Session-key. However, there is a difference in how the
keys are obtained: keys are obtained:
O/TWAMP-Control: the keys are generated by the Control-Client and O/TWAMP-Control: the keys are generated by the Control-Client and
communicated to the Server during the control connection communicated to the Server during the control connection
establishment with the Set-Up-Response message (as part of establishment with the Set-Up-Response message (as part of
the Token). the Token).
O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and
the session identifier (SID), which serve as inputs to the the session identifier (SID), which serve as inputs to the
key derivation function (KDF). The O/TWAMP-Test AES Session- key derivation function (KDF). The O/TWAMP-Test AES Session-
key is generated using the O/TWAMP-Control AES Session-key, key is generated using the O/TWAMP-Control AES Session-key,
with the 16-octet session identifier (SID), for encrypting with the 16-octet SID, for encrypting and decrypting the
and decrypting the packets of the particular O/TWAMP-Test packets of the particular O/TWAMP-Test session. The O/TWAMP-
session. The O/TWAMP-Test HMAC Session-key is generated Test HMAC Session-key is generated using the O/TWAMP-Control
using the O/TWAMP-Control HMAC Session-key, with the 16-octet HMAC Session-key, with the 16-octet SID, for authenticating
session identifier (SID), for authenticating the packets of the packets of the particular O/TWAMP-Test session.
the particular O/TWAMP-Test session.
4.3. O/TWAMP Security Root 4.3. O/TWAMP Security Root
As discussed above, the O/TWAMP-Test AES Session-key and HMAC As discussed above, the O/TWAMP-Test AES Session-key and HMAC
Session-key are derived, respectively, from the O/TWAMP-Control AES Session-key are derived, respectively, from the O/TWAMP-Control AES
Session-key and HMAC Session-key. The AES Session-key and HMAC Session-key and HMAC Session-key. The AES Session-key and HMAC
Session-key used in the O/TWAMP-Control protocol are generated Session-key used in the O/TWAMP-Control protocol are generated
randomly by the Control-Client, and encrypted with the shared secret randomly by the Control-Client, and encrypted with the shared secret
associated with KeyID. Therefore, the security root is the shared associated with KeyID. Therefore, the security root is the shared
secret key. Thus, for large deployments, key provision and secret key. Thus, for large deployments, key provision and
management may become overly complicated. Comparatively, a management may become overly complicated. Comparatively, a
certificate-based approach using IKEv2 can automatically manage the certificate-based approach using IKEv2 can automatically manage the
security root and solve this problem, as we explain in Section 5. security root and solve this problem, as we explain in Section 5.
5. O/TWAMP for IPsec Networks 5. O/TWAMP for IPsec Networks
This section presents a method of binding O/TWAMP and IKEv2 for This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a client and a server which both support network measurements between a client and a server that both support
IPsec. In short, the shared key used for securing O/TWAMP traffic is IPsec. In short, the shared key used for securing O/TWAMP traffic is
derived using IKEv2 [RFC7296]. derived using IKEv2 [RFC7296].
5.1. Shared Key Derivation 5.1. Shared Key Derivation
In the authenticated, encrypted and mixed modes, the shared secret In the authenticated, encrypted, and mixed modes, the shared secret
key MUST be derived from the IKEv2 Security Association (SA). Note key MUST be derived from the IKEv2 SA. Note that we explicitly opt
that we explicitly opt to derive the shared secret key from the IKEv2 to derive the shared secret key from the IKEv2 SA, rather than the
SA, rather than the child SA, since it is possible that an IKEv2 SA child SA, since it is possible that an IKEv2 SA is created without
is created without generating any child SA [RFC6023]. generating any child SA [RFC6023].
When the shared secret key is derived from the IKEv2 SA, SK_d must be When the shared secret key is derived from the IKEv2 SA, SK_d must be
generated first. SK_d must be computed as per [RFC7296]. generated first. SK_d must be computed as per [RFC7296].
The shared secret key MUST be generated as follows: The shared secret key MUST be generated as follows:
Shared secret key = prf( SK_d, "IPPM" ) Shared secret key = prf( SK_d, "IPPM" )
Wherein the string "IPPM" is encoded in ASCII and "prf" is a Wherein the string "IPPM" is encoded in ASCII and "prf" is a
pseudorandom function. pseudorandom function.
It is recommended that the shared secret key is derived in the IPsec It is recommended that the shared secret key is derived in the IPsec
layer so that IPsec keying material is not exposed to the O/TWAMP layer so that IPsec keying material is not exposed to the O/TWAMP
client. Note, however, that the interaction between the O/TWAMP and client. Note, however, that the interaction between the O/TWAMP and
IPsec layers is host-internal and implementation-specific. IPsec layers is host internal and implementation specific.
Therefore, this is clearly outside the scope of this document, which Therefore, this is clearly outside the scope of this document, which
focuses on the interaction between the O/TWAMP client and server. focuses on the interaction between the O/TWAMP client and server.
That said, one possible way could be the following: at the Control- That said, one possible way could be the following: at the Control-
Client side, the IPSec layer can perform a lookup in the Security Client side, the IPsec layer can perform a lookup in the Security
Association Database (SAD) using the IP address of the Server and Association Database (SAD) using the IP address of the Server and
thus match the corresponding IKEv2 SA. At the Server side, the IPSec thus match the corresponding IKEv2 SA. At the Server side, the IPsec
layer can look up the corresponding IKEv2 SA by using the Security layer can look up the corresponding IKEv2 SA by using the Security
Parameter Indexes (SPIs) sent by the Control-Client (see Parameter Indexes (SPIs) sent by the Control-Client (see
Section 5.3), and therefore extract the shared secret key. Section 5.3), and therefore extract the shared secret key.
In case that both client and server do support IKEv2 but there is no If both the client and server do support IKEv2 but there is no
current IKEv2 SA, two alternative ways could be considered. First, current IKEv2 SA, two alternative ways could be considered. First,
the O/TWAMP Control-Client initiates the establishment of the IKEv2 the O/TWAMP Control-Client initiates the establishment of the IKEv2
SA, logs this operation, and selects the mode which supports IKEv2. SA, logs this operation, and selects the mode that supports IKEv2.
Alternatively, the O/TWAMP Control-Client does not initiate the Alternatively, the O/TWAMP Control-Client does not initiate the
establishment of the IKEv2 SA, logs an error for operational establishment of the IKEv2 SA, logs an error for operational
management purposes, and proceeds with the modes defined in management purposes, and proceeds with the modes defined in
[RFC4656][RFC5357][RFC5618]. Again, although both alternatives are [RFC4656], [RFC5357], and [RFC5618]. Again, although both
feasible, they are in fact implementation-specific. alternatives are feasible, they are in fact implementation specific.
If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the
corresponding shared secret key generated from the SA MUST continue corresponding shared secret key generated from the SA MUST continue
to be used until the O/TWAMP session terminates. to be used until the O/TWAMP session terminates.
5.2. Server Greeting Message Update 5.2. Server Greeting Message Update
To trigger a binding association between the key generated from IKEv2 To trigger a binding association between the key generated from IKEv2
and the O/TWAMP shared secret key, the Modes field in the Server and the O/TWAMP shared secret key, the Modes field in the Server
Greeting Message (Figure 2) must support key derivation as discussed Greeting Message (Figure 2) must support key derivation as discussed
skipping to change at page 8, line 51 skipping to change at page 9, line 31
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Count (4 octets) | | Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| MBZ (12 octets) | | MBZ (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting format Figure 2: Server Greeting Format
The choice of this set of Modes values poses no backwards The choice of this set of Modes values poses no backwards-
compatibility problems to existing O/TWAMP clients. Robust legacy compatibility problems to existing O/TWAMP clients. Robust legacy
Control-Client implementations would disregard the fact that the Control-Client implementations would disregard the fact that the
IKEv2Derived Modes bit in the Server Greeting is set. On the other IKEv2Derived Modes bit in the Server Greeting is set. On the other
hand, a Control-Client implementing this method can identify that the hand, a Control-Client implementing this method can identify that the
O/TWAMP Server contacted does not support this specification. If the O/TWAMP Server contacted does not support this specification. If the
Server supports other Modes, as one could assume, the Control-Client Server supports other Modes, as one could assume, the Control-Client
would then decide which Mode to use and indicate such accordingly as would then decide which Mode to use and indicate such accordingly as
per [RFC4656][RFC5357]. A Control-Client implementing this method per [RFC4656] and [RFC5357]. A Control-Client that is implementing
which decides not to employ IKEv2 derivation, can simply behave as a this method and decides not to employ IKEv2 derivation can simply
purely [RFC4656]/[RFC5357] compatible client. behave as a client that is purely compatible with [RFC4656] and
[RFC5357].
5.3. Set-Up-Response Update 5.3. Set-Up-Response Update
The Set-Up-Response Message Figure 3 is updated as follows. When a The Set-Up-Response message Figure 3 is updated as follows. When an
O/TWAMP Control-Client implementing this method receives a Server O/TWAMP Control-Client implementing this method receives a Server
Greeting indicating support for Mode IKEv2Derived it SHOULD reply to Greeting indicating support for Mode IKEv2Derived, it SHOULD reply to
the O/TWAMP Server with a Set-Up response that indicates so. For the O/TWAMP Server with a Set-Up-Response that indicates so. For
example, a compatible O/TWAMP Control-Client choosing the example, a compatible O/TWAMP Control-Client choosing the
authenticated mode with IKEv2 shared secret key derivation should set authenticated mode with IKEv2 shared secret key derivation should set
Mode bits as per Section 7. the Mode bits as per Section 7.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode | | Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Key ID (80 octets) | | KeyID (80 octets) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Token (16 octets) | | Token (16 octets) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Client-IV (12 octets) | | Client-IV (12 octets) |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Set-Up-Response Message Figure 3: Set-Up-Response Message
The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) uniquely The Security Parameter Index (SPI), as described in [RFC4301] and
identifies the Security Association (SA). If the Control-Client [RFC7296], uniquely identifies the SA. If the Control-Client
supports IKEv2 SA shared secret key derivation, it will choose the supports shared secret key derivation for the IKEv2 SA, it will
corresponding Mode value and carry SPIi and SPIr in the Key ID field. choose the corresponding Mode value and carry SPIi and SPIr in the
KeyID field. SPIi and SPIr MUST be included in the KeyID field of
SPIi and SPIr MUST be included in the Key ID field of the Set-Up- the Set-Up-Response Message to indicate the IKEv2 SA from which the
Response Message to indicate the IKEv2 SA from which the O/TWAMP O/TWAMP shared secret key was derived. The length of SPI is 8
shared secret key derived from. The length of SPI is 8 octets. octets. Therefore, the first 8 octets of the KeyID field MUST carry
Therefore, the first 8 octets of Key ID field MUST carry SPIi and the SPIi, and the second 8 octets MUST carry SPIr. The remaining bits of
second 8 octets MUST carry SPIr. The remaining bits of the Key ID the KeyID field MUST be set to zero.
field MUST be set to zero.
A O/TWAMP Server implementation MUST obtain the SPIi and SPIr from An O/TWAMP Server implementation MUST obtain the SPIi and SPIr from
the first 16 octets and ignore the remaining octets of the Key ID the first 16 octets and ignore the remaining octets of the KeyID
field. Then, the Control-Client and the Server can derive the shared field. Then, the Control-Client and the Server can derive the shared
secret key based on the Mode value and SPI. If the O/TWAMP Server secret key based on the Mode value and SPI. If the O/TWAMP Server
cannot find the IKEv2 SA corresponding to the SPIi and SPIr received, cannot find the IKEv2 SA corresponding to the SPIi and SPIr received,
it MUST log the event for operational management purposes. In it MUST log the event for operational management purposes. In
addition, the O/TWAMP Server SHOULD set the Accept field of the addition, the O/TWAMP Server SHOULD set the Accept field of the
Server-Start message to the value 6 to indicate that the Server is Server-Start message to the value 6 to indicate that the Server is
not willing to conduct further transactions in this O/TWAMP-Control not willing to conduct further transactions in this O/TWAMP-Control
session since it can not find the corresponding IKEv2 SA. session since it cannot find the corresponding IKEv2 SA.
5.4. O/TWAMP over an IPsec tunnel 5.4. O/TWAMP over an IPsec Tunnel
IPsec Authentication Header (AH) [RFC4302] and Encapsulating Security The IPsec Authentication Header (AH) [RFC4302] and Encapsulating
Payload (ESP) [RFC4303] provide confidentiality and data integrity to Security Payload (ESP) [RFC4303] provide confidentiality and data
IP datagrams. An IPsec tunnel can be used to provide the protection integrity to IP datagrams. An IPsec tunnel can be used to provide
needed for O/TWAMP Control and Test packets, even if the peers choose the protection needed for O/TWAMP Control and Test packets, even if
the unauthenticated mode of operation. In order to ensure the peers choose the unauthenticated mode of operation. In order to
authenticity and security, O/TWAMP packets between two IKEv2 systems ensure authenticity and security, O/TWAMP packets between two IKEv2
SHOULD be configured to use the corresponding IPsec tunnel running systems SHOULD be configured to use the corresponding IPsec tunnel
over an external network even when using the O/TWAMP unauthenticated running over an external network even when using the O/TWAMP
mode. unauthenticated mode.
6. Security Considerations 6. Security Considerations
As the shared secret key is derived from the IKEv2 SA, the key As the shared secret key is derived from the IKEv2 SA, the key
derivation algorithm strength and limitations are as per [RFC7296]. derivation algorithm strength and limitations are as per [RFC7296].
The strength of a key derived from a Diffie-Hellman exchange using The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by the group, the size of the exponent used, and the entropy provided by
the random number generator employed. The strength of all keys and the random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly Denial of Service (DoS) implementation vulnerabilities, particularly denial-of-service (DoS)
attacks are as defined in [RFC7296]. attacks are as defined in [RFC7296].
7. IANA Considerations 7. IANA Considerations
During the production of this document, the authors and reviewers During the production of this document, the authors and reviewers
noticed that the TWAMP-Modes registry should describe a field of noticed that the TWAMP-Modes registry should describe a field of
single bit position flags, rather than the current registry single bit position flags, rather than the existing registry
construction with assignment of integer values. In addition, the construction with assignment of integer values. In addition, the
Semantics Definition column seems to have spurious information in it. Semantics Definition column seemed to have spurious information in
it. The registry has been reformatted to simplify future
The registry should be re-formatted to simplify future assignments. assignments. Thus, the contents of the TWAMP-Modes registry are as
Thus, the current contents of the TWAMP-Modes Registry should appear follows:
as follows:
Bit|Description |Semantics |Reference| Bit|Description |Semantics |Reference
Pos| |Definition | | Pos| |Definition |
---|-------------------------------------------|------------|---------| ---|------------------------------------------|------------|---------
0 Unauthenticated Section 3.1 [RFC4656] 0 Unauthenticated Section 3.1 [RFC4656]
1 Authenticated Section 3.1 [RFC4656] 1 Authenticated Section 3.1 [RFC4656]
2 Encrypted Section 3.1 [RFC4656] 2 Encrypted Section 3.1 [RFC4656]
3 Unauth.TEST protocol,Encrypted CONTROL Section 3.1 [RFC5618] 3 Unauth. TEST protocol, Encrypted CONTROL Section 3.1 [RFC5618]
4 Individual Session Control [RFC5938] 4 Individual Session Control [RFC5938]
5 Reflect Octets Capability [RFC6038] 5 Reflect Octets Capability [RFC6038]
6 Symmetrical Size Sender Test Packet Format [RFC6038] 6 Symmetrical Size Sender Test Packet Format [RFC6038]
Figure 4: TWAMP Modes registry Figure 4: TWAMP Modes
The new description and registry management instructions follow. The new description and registry management instructions follow.
Registry Specification: TWAMP-Modes are specified in TWAMP Server Registry Specification: TWAMP-Modes are specified in TWAMP Server
Greeting messages and Set-up Response messages consistent with Greeting messages and Set-Up-Response messages consistent with
section 3.1 of [RFC5357]. Modes are indicated by setting single bits Section 3.1 of [RFC5357]. Modes are indicated by setting single bits
in the 32-bit Modes Field. in the 32-bit Modes field.
Registry Management: Because the "TWAMP-Modes" are based on only 32 Registry Management: Because the "TWAMP-Modes" are based on only 32
bit positions with each position conveying a unique feature, and bit positions with each position conveying a unique feature, and
because TWAMP is an IETF protocol, this registry must be updated only because TWAMP is an IETF protocol, this registry must be updated only
by "IETF Consensus" as specified in [RFC5226]. IANA SHOULD allocate by "IETF Review" as specified in [RFC5226]. IANA SHOULD allocate
monotonically increasing bit positions when requested. monotonically increasing bit positions when requested.
Experimental Numbers: No experimental bit positions are currently Experimental Numbers: No experimental bit positions are currently
assigned in the Modes Registry, as indicated in the initial contents assigned in the Modes registry, as indicated in the initial contents
above. above.
In addition, this document requests allocation of a new entry in the In addition, per this document, a new entry has been added to the
TWAMP-Modes registry: TWAMP-Modes registry:
Bit|Description |Semantics |Reference| Bit|Description |Semantics |Reference
Pos| |Definition | | Pos| |Definition |
---|-------------------------------------------|------------|---------| ---|------------------------------------------|------------|---------
X IKEv2Derived Mode Capability Section 5 [RFCxxxx] 7 IKEv2Derived Mode Capability Section 5 RFC 7717
where IANA is requested to assign new bit position, X, and RFCxxxx
refers to this memo when published.
Figure 5: TWAMP IKEv2-derived Mode Capability
For the new OWAMP-Modes Registry, see the IANA Considerations in
[I-D.ietf-ippm-owamp-registry].
8. Acknowledgements
We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John
Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred
Baker, Meral Shirazipour, Hannes Tschofenig, Ben Campbell, Stephen
Farrell, Brian Haberman, and Barry Leiba for their reviews, comments
and text suggestions.
Al Morton deserves a special mention for his thorough reviews and Figure 5: TWAMP IKEv2-Derived Mode Capability
text contributions to this document as well as the constructive
discussions over several IPPM meetings.
9. References For the new OWAMP-Modes registry, see the IANA Considerations in
[RFC7718].
9.1. Normative References 8. References
[I-D.ietf-ippm-owamp-registry] 8.1. Normative References
Morton, A., "Registries for the One-Way Active Measurement
Protocol - OWAMP", draft-ietf-ippm-owamp-registry-00 (work
in progress), July 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
Zekauskas, "A One-way Active Measurement Protocol Zekauskas, "A One-way Active Measurement Protocol
(OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006, (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
<http://www.rfc-editor.org/info/rfc4656>. <http://www.rfc-editor.org/info/rfc4656>.
skipping to change at page 13, line 25 skipping to change at page 13, line 20
[RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the
Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, Two-Way Active Measurement Protocol (TWAMP)", RFC 5618,
DOI 10.17487/RFC5618, August 2009, DOI 10.17487/RFC5618, August 2009,
<http://www.rfc-editor.org/info/rfc5618>. <http://www.rfc-editor.org/info/rfc5618>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <http://www.rfc-editor.org/info/rfc7296>. 2014, <http://www.rfc-editor.org/info/rfc7296>.
9.2. Informative References [RFC7718] Morton, A., "Registries for the One-Way Active Measurement
Protocol (OWAMP)", RFC 7718, DOI 10.17487/RFC7718,
December 2015, <http://www.rfc-editor.org/info/rfc7718>.
8.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, Specification Version 2.0", RFC 2898,
DOI 10.17487/RFC2898, September 2000, DOI 10.17487/RFC2898, September 2000,
<http://www.rfc-editor.org/info/rfc2898>. <http://www.rfc-editor.org/info/rfc2898>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <http://www.rfc-editor.org/info/rfc4301>. December 2005, <http://www.rfc-editor.org/info/rfc4301>.
skipping to change at page 14, line 16 skipping to change at page 14, line 16
Childless Initiation of the Internet Key Exchange Version Childless Initiation of the Internet Key Exchange Version
2 (IKEv2) Security Association (SA)", RFC 6023, 2 (IKEv2) Security Association (SA)", RFC 6023,
DOI 10.17487/RFC6023, October 2010, DOI 10.17487/RFC6023, October 2010,
<http://www.rfc-editor.org/info/rfc6023>. <http://www.rfc-editor.org/info/rfc6023>.
[RFC6038] Morton, A. and L. Ciavattone, "Two-Way Active Measurement [RFC6038] Morton, A. and L. Ciavattone, "Two-Way Active Measurement
Protocol (TWAMP) Reflect Octets and Symmetrical Size Protocol (TWAMP) Reflect Octets and Symmetrical Size
Features", RFC 6038, DOI 10.17487/RFC6038, October 2010, Features", RFC 6038, DOI 10.17487/RFC6038, October 2010,
<http://www.rfc-editor.org/info/rfc6038>. <http://www.rfc-editor.org/info/rfc6038>.
Acknowledgements
We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John
Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred
Baker, Meral Shirazipour, Hannes Tschofenig, Ben Campbell, Stephen
Farrell, Brian Haberman, and Barry Leiba for their reviews, comments,
and text suggestions.
Al Morton deserves a special mention for his thorough reviews and
text contributions to this document as well as the constructive
discussions over several IPPM meetings.
Authors' Addresses Authors' Addresses
Kostas Pentikousis (editor) Kostas Pentikousis (editor)
EICT GmbH EICT GmbH
EUREF-Campus Haus 13 EUREF-Campus Haus 13
Torgauer Strasse 12-15 Torgauer Strasse 12-15
10829 Berlin 10829 Berlin
Germany Germany
Email: k.pentikousis@eict.de Email: k.pentikousis@eict.de
Emma Zhang Emma Zhang
Huawei Technologies Huawei Technologies
Huawei Building, No.3, Rd. XinXi Huawei Building, No.3, Rd. XinXi
Haidian District , Beijing 100095 Haidian District, Beijing 100095
P. R. China China
Email: emma.zhanglijia@huawei.com Email: emma.zhanglijia@huawei.com
Yang Cui Yang Cui
Huawei Technologies Huawei Technologies
Otemachi First Square 1-5-1 Otemachi Otemachi First Square 1-5-1 Otemachi
Chiyoda-ku, Tokyo 100-0004 Chiyoda-ku, Tokyo 100-0004
Japan Japan
Email: cuiyang@huawei.com Email: cuiyang@huawei.com
 End of changes. 70 change blocks. 
212 lines changed or deleted 201 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/