PANA Working Group Internet Draft M. Parthasarathy Document: draft-ietf-pana-ipsec-02.txt Nokia Expires: August 2004 February 2004 PANA enabling IPsec based Access Control Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 [i]. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract The PANA (Protocol for carrying Authentication for Network Access) working group is developing protocol for authenticating clients to the access network using IP based protocols. The PANA protocol authenticates the client and also establishes a PANA security association between the PANA client and PANA authentication agent at the end of a successful authentication. This document discusses the details for establishing an IPsec security association using the PANA security association for enabling IPsec based access control. Expires August 2004 [Page 1] PANA enabling IPsec based Access Control February 2004 Table of Contents 1.0 Introduction..................................................2 2.0 Keywords......................................................3 3.0 Pre-requisites for IPsec SA establisment......................3 4.0 IP Address Configuration......................................3 5.0 IKE Pre-shared key derivation.................................4 6.0 IKE and IPsec details.........................................5 7.0 Packet Formats................................................6 8.0 IPsec SPD entries.............................................7 9.0 Double IPsec..................................................9 10.0 Security considerations.....................................10 11.0 Normative References........................................10 12.0 Informative References......................................11 13.0 Acknowledgments.............................................12 14.0 Revision log................................................12 15.0 Author's Addresses..........................................12 16.0 Full Copyright Statement....................................12 1.0 Introduction The PANA (Protocol for carrying Authentication for Network Access) working group is developing protocol for authenticating clients to the access network using IP based protocols. The PANA protocol authenticates the client and also establishes a PANA security association between the PANA client and PANA authentication agent at the end of successful authentication. The PANA authentication agent (PAA) indicates the results of the authentication using the PANA- Bind-Request message wherein it can indicate the access control method enforced by the access network. The PANA protocol [PANA-PROT] does not discuss any details of IPsec [IPSEC] SA establishment, when IPsec is used for access control. This document discusses the details of establishing an IPsec security association between PANA client and the enforcement point. When the IPsec SA is successfully established, it can be used for access control and specifically used to prevent the service theft mentioned in [PANA-THREATS]. Please refer to [PANAREQ] for terminology and definitions of terms used in this document. The following picture illustrates what is being protected with IPsec. As shown in Figure 1, Enforcement Point (EP) and the Access Router (AR) are co-located. PAA is not shown in the figure. It may or may not be co-located with EP. The IPsec security association protects the traffic between PaC and EP. In IPsec terms, EP is a security gateway (therefore a router) and forwards packets coming from the PaC to other nodes. Expires August 2004 [Page 2] PANA enabling IPsec based Access Control February 2004 PaC ----------------------+ [D1] | +------EP/AR | PaC ----------------------+ [D2] |------IPsec------| Figure 1 First, this document discusses some of the pre-requisites for IPsec SA establishment. Next, it gives details on what should be communicated between PAA and EP. Then, it gives the details of IKE/IPsec exchange with packet formats and SPD entries. Finally, it discusses the issues when IPsec is used for remote access together with local access. 2.0 Keywords The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. 3.0 Pre-requisites for IPsec SA establisment This document assumes that the following have already happened before the IKE exchange starts. 1) PANA client (PaC) and PAA mutually authenticate each other using EAP methods that derive AAA-key [EAP-KEY]. 2) PaC learns the IP address of the Enforcement point (EP) during the PANA exchange. 3) PaC learns that the network uses IPsec [IPSEC] for securing the link between PaC and EP during the PANA exchange. 4) PaC configures a routable or global address as discussed in section 4 of this document. 4.0 IP Address Configuration Expires August 2004 [Page 3] PANA enabling IPsec based Access Control February 2004 PaC configures a link-local address [IPV4-LINK] [IPV6-CONF] before the PANA protocol begins. If IPv4 is being used, it may even configure a private address [IPV4-PRIV] using a DHCP server provided by the Network Access provider. See [PANA-FRAME] for more details. After a successful authentication, the client configures a routable or global address using [DHCP][DHCPV6] before running [IKE][IKEv2] or running address auto-configuration methods available within [IKE] or [IKEv2] by using a configuration payload or running DHCP over a special IPsec tunnel mode SA [RFC3456] or auto-configures an address using stateless auto-configuration [IPv6-ND] before running [IKE] or [IKEv2] if IPv6 is being used. In the case of IPV4, the link-local address or private address SHOULD be un-configured when the global address is configured, to prevent using the link-local address or private address as the source address for communicating with the external nodes [IPV4-LINK]. Some implementations may be able to choose the right address, where the IPsec tunnel mode SAs are modeled as interfaces. But this document does not make any such assumptions. In IPv4, all packets are tunneled using IPsec tunnel mode SA with the inner and outer source address same as the routable address. In the case of IPv6, such restrictions don't exist. The link-local address is used for the outer header and global address is used for the inner header for the tunnel. 5.0 IKE Pre-shared key derivation If the network chooses IPsec to secure the link between PaC and EP, PAA should communicate the IKE pre-shared key, the link-local address of the PaC (in IPv6 only), routable address of the PaC and the PANA session ID to EP before the IKE exchange begins. The IKE exchange between PaC and PAA is equivalent to the 4-way handshake in [IEEE80211i] following the EAP exchange. The IKE exchange establishes the IPsec SA similar to the pair-wise transient keys (PTK) established in [IEEE80211i]. The IKE exchange provides both key confirmation and protected cipher-suite negotiation. IKE pre-shared key is derived as follows. IKE Pre-shared Key = HMAC-SHA-1 (AAA-key, "IKE-preshared key" | Session ID | Key-ID | EP-address) The values have the following meaning: AAA-key: A key derived by the peer and EAP server and transported to the authenticator [EAP-KEY]. Session ID: The value as defined in the PANA protocol [PANA-PROT], identifies a particular session of a client. Expires August 2004 [Page 4] PANA enabling IPsec based Access Control February 2004 Key-ID: This identifies the AAA-key within a given session [PANA- PROT]. During the lifetime of the PANA session, there could be multiple EAP re-authentications. As EAP re-authentication changes the AAA-key, key-ID is used to identify the right AAA-key. EP-address: This is the address of the enforcement point with which the IKE exchange is being performed. When PAA is controlling multiple EPs, this provides a different pre-shared key for each of the EPs. The character "|" denotes concatenation as defined in [IKE]. During EAP re-authentication, the AAA-key changes. Whenever the AAA- key changes, a new value of Key-ID is established between the PaC and PAA/EP as defined in [PANA-PROT]. If there is already an IKE SA or IPsec SA established, it MUST continue to be used till it expires. A change in the value of AAA-key MUST NOT result in re-negotiating a new IKE SA or IPsec SA immediately. But any new negotiation of IKE SA or IPsec SA MUST use the new pre-shared key derived from the latest AAA-key and is indicated by the Key-ID in the above equation. 6.0 IKE and IPsec details IKE [IKE] MUST be used for establishing the IPsec SA. The details specified in this document would work with IKEv2 [IKEV2] also. Any difference between them would be explicitly noted. PANA authenticates the client and derives the keys to protect the traffic. Hence, manual keying cannot be used. Aggressive mode with pre-shared key MUST be supported. PaC and EP SHOULD use its PANA session ID [PANA-PROT] as the payload of ID_KEY_ID in aggressive mode for establishing the phase I SA. IP addresses cannot be used as identifier as the PaC may be re-authenticated multiple times and hence may not uniquely identify the pre-shared key. For the same reason, main mode of IKE cannot be used as it requires addresses to be used as identifiers. After Phase I SA is established, quick mode exchange is performed to establish an ESP tunnel mode IPsec SA for protecting the traffic between PaC and EP. The identities used during Phase II are explained in the next section. As mentioned in section 4, there are multiple ways by which the PaC may configure the address before the IKE exchange starts. Most of the IKE implementations assume that they can consult the SPD during the IKE exchange for policy checks. In the case of address configuration using [RFC3456] or [IKE] [IKEV2] or [DHCP] [DHCPV6], EP can learn the address allocated to the client and hence setup the SPD before the IKE exchange starts. In the case of auto-configuration (which includes global address or addresses configured as in [PRIV]), EP may Expires August 2004 [Page 5] PANA enabling IPsec based Access Control February 2004 not know the address assigned to the PaC. Thus, it may not be able to setup the SPD entries appropriately before IKE exchange starts. As most of the IKE implementations assume that the SPD can be consulted during the SA negotiation, it may require slightly a different behavior from IKE in the auto-configuration case. In the case of auto-configuration, IKE should be able to setup the SAs for the traffic selectors (which contains the PaC auto-configured address) specified by the PaC without requiring a corresponding entry in the SPD. If there is already an SA for the same address used by a different session as specified in the ID_KEY_ID payload, then the SA request MUST be rejected with INVALID-ID-INFORMATION [IKE]. If PaC establishes the IKE and IPsec SA successfully, EP should add the SPD entry for protecting the subsequent data packets. 7.0 Packet Formats Following acronyms are used throughout this document. PaC's link-local address is denoted by PAC-LINK-LOCAL. PaC's routable or global address is denoted by PAC-GLOBAL-ADDR. EP's link-local address is denoted by EP-LINK-LOCAL. The node with which the PaC is communicating is denoted by END-ADDR. In IPv4, the global address is used as both inner and outer source address of the tunneled packet. In IPv6, the link-local address is used as the outer header and the global address is used as the inner header of the tunneled packet. Following is the IPv4 packet format on the wire for packets sent from PaC to EP: IPv4 header (source = PAC-GLOBAL-ADDR, destination = EP-LINK-LOCAL) ESP header IPv4 header (source = PAC-GLOBAL-ADDR, destination = END-ADDR) Following is the IPv6 packet format on the wire for packets sent from PaC to EP: IPv6 header (source = PAC-LINK-LOCAL, destination = EP-LINK-LOCAL) ESP header IPv6 header (source = PAC-GLOBAL-ADDR, destination = END-ADDR) Expires August 2004 [Page 6] PANA enabling IPsec based Access Control February 2004 Following is the IPv4 packet format on the wire for packets sent from EP to PaC: IPv4 header (source = EP-LINK-LOCAL, destination = PAC-GLOBAL-ADDR) ESP header IPv4 header (source = END-ADDR, destination = PAC-GLOBAL-ADDR) Following is the IPv6 packet format on the wire for packets sent from EP to PaC: IPv6 header (source = EP-LINK-LOCAL, destination = PAC-LINK-LOCAL) ESP header IPv6 header (source = END-ADDR, destination = PAC-GLOBAL-ADDR) 8.0 IPsec SPD entries The SPD entries for IPv4 and IPv6 are specified separately as they are different. 8.1 IPv4 SPD entries PaC's SPD OUT: IF source = PAC-GLOBAL-ADDR & destination = any THEN USE ESP TUNNEL MODE SA: outer source = PAC-GLOBAL-ADDR outer destination = EP-LINK-LOCAL PaC's SPD IN: IF source = any & destination = PAC-GLOBAL-ADDR THEN USE ESP TUNNEL MODE SA: outer source = EP-LINK-LOCAL outer destination = PAC-GLOBAL-ADDR EP's SPD OUT: IF source = any & destination = PAC-GLOBAL-ADDR THEN USE ESP TUNEL MODE SA: outer source = EP-LINK-LOCAL outer destination = PAC-GLOBAL-ADDR EP's SPD IN: IF source = PAC-GLOBAL-ADDR & destination = any THEN USE ESP TUNNEL MODE SA: outer source = PAC-GLOBAL-ADDR outer destination = EP-LINK-LOCAL Expires August 2004 [Page 7] PANA enabling IPsec based Access Control February 2004 During the IPsec SA setup, PaC uses PAC-GLOBAL-ADDR as its phase 2 identity (IDci) and EP uses ID_IPV4_ADDR_RANGE or ID_IPV4_ADDR_SUBNET as its phase 2 identity. The starting address is zero IP address and the end address is all ones for ID_IPV4_ADDR_RANGE. The starting address is zero IP address and the end address is all zeroes for ID_IPV4_ADDR_SUBNET. 8.2 IPv6 SPD entries The IPv6 SPD entries are slightly different from IPv4 to prevent the neighbor and router discovery [IPV6-ND] packets from being protected with IPsec. The first three entries of the following SPD tables bypass IPsec protection for neighbor and router discovery packets. The latest version of the IPsec [IPSEC-BIS] document allows traffic selectors to be based on ICMPv6 type and code values. In that case, the first three entries can be based on ICMPv6 type and code values. All traffic destined to global address is always sent to the default router (EP) i.e, the global prefix is not considered to be on-link. This can be achieved by turning off the "L" bit in the router advertisement. Pac's SPD OUT: IF source = ::/128 & destination = any THEN BYPASS IF source = fe80::/10 & destination = any THEN BYPASS IF source = any & destination = fe80::/10 THEN BYPASS IF source = PAC-GLOBAL-ADDR & destination = any THEN USE ESP TUNNEL MODE SA: outer source = PAC-LINK-LOCAL outer destination = EP-LINK-LOCAL PaC's SPD IN: IF source = ::/128 & destination = any THEN BYPASS IF source = fe80::/10 & destination = any THEN BYPASS IF source = any & destination = fe80::/10 THEN BYPASS Expires August 2004 [Page 8] PANA enabling IPsec based Access Control February 2004 IF source = any & destination = PAC-GLOBAL-ADDR THEN USE ESP TUNNEL MODE SA: outer source = EP-LINK-LOCAL outer destination = PAC-LINK-LOCAL EP's SPD OUT: IF source = ::/128 & destination = any THEN BYPASS IF source = fe80::/10 & destination = any THEN BYPASS IF source = any & destination = fe80::/10 THEN BYPASS IF source = any & destination = PAC-GLOBAL-ADDR THEN USE ESP TUNNEL MODE SA: outer source = EP-LINK-LOCAL outer destination = PAC-LINK-LOCAL EP's SPD IN: IF source = ::/128 & destination = any THEN BYPASS IF source = fe80::/10 & destination = any THEN BYPASS IF source = any & destination = fe80::/10 THEN BYPASS IF source = PAC-GLOBAL-ADDR & destination = any THEN USE ESP TUNNEL MODE SA: outer source = PAC-LINK-LOCAL outer destination = EP-LINK-LOCAL During the IPsec SA setup, PaC uses PAC-GLOBAL-ADDR as its phase 2 identity (IDci) and EP uses ID_IPV6_ADDR_RANGE or ID_IPV6_ADDR_SUBNET as its phase 2 identity. The starting address is zero IP address and the end address is all ones for ID_IPV6_ADDR_RANGE. The starting address is zero IP address and the end address is all zeroes for ID_IPV6_ADDR_SUBNET. 9.0 Double IPsec Expires August 2004 [Page 9] PANA enabling IPsec based Access Control February 2004 If the PaC uses IPsec for secure remote access e.g., Corporate VPN access, there will be separate SPD entries protecting the traffic to or from the remote network. In this case, IPsec may need to be applied twice, once for protecting the remote access and once for protecting the local access. This is the same as the iterative tunneling discussed in [IPSEC]. When the IPsec SA is established with the remote security gateway, the IKE packets from the PaC to the remote security gateway may or may not need IPsec protection on the local link depending on the configuration at the EP. If EP requires IPsec protection for all packets, then the PaC should configure SPD entries appropriately so that IKE packets destined to EP are bypassed whereas IKE packets to the remote SG are protected. If EP does not require IPsec protection for IKE packets destined to remote security gateway, it needs to configure SPD entries that would bypass them. 10.0 Security considerations This document discusses the use of IPsec for access control when PANA is used for authenticating the clients to the access network. If the PAA does not verify whether PaC is authorized to use an IP address, it is possible for the PaC to steal the traffic destined to some other PaC. Although section 6 describes an inner address verification method based on SPD consulting, it is still possible for an authenticated PaC to launch this attack. PAA may use other mechanisms to prevent this attack [SEND]. When IPv6 is used, the SPD entries bypass all link-local traffic without applying IPsec. This should not be a limitation as the link- local address is used only by link-local services e.g. neighbor/router discovery, which uses a different mechanism to protect their traffic. Moreover, this limitation may not be there in the future if IPsec extends the SPD selectors to specify ICMP types. 11.0 Normative References Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. [IPSEC] S. Kent et al., "Security Architecture for the Internet Protocol", RFC 2401, November 1998 [PANA-PROT] D. Fosberg et al., "Protocol for Carrying Authentication for Network Access", draft-ietf-pana-03.txt Expires August 2004 [Page 10] PANA enabling IPsec based Access Control February 2004 [PANA-THREATS] M. Parthasarathy, "PANA Threat analysis and security requirements", draft-ietf-pana-threats-eval-04.txt 12.0 Informative References [PANAREQ] A. Yegin et al., "Protocol for Carrying Authentication for Network Access (PANA) Requirements and Terminology", draft-ietf- pana-requirements-04.txt [PANA-FRAME] P. Jayaraman et al., "PANA Framework", draft-ohba-pana- framework-00.txt [KEYWORDS] S. Bradner, "Key words for use in RFCS to indicate requirement levels", RFC 2119, March 1997 [IKE] D. Harkins et al., "Internet Key Exchange", RFC 2409, November 1998 [IKEV2] C. Kauffman et al., "Internet Key Exchange(IKEv2) Protocol", draft-ietf-ipsec-ikev2-11.txt [IPSEC-BIS] S. Kent, "Security Architecture for the Internet Protocol", draft-ietf-ipsec-rfc2401bis-00.txt [DHCP] R. Droms, "Dynamic Host Configuration Protocol", RFC 2131, March 1997 [RFC3456] B. Patel et al., "Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode", RFC 3456, January 2003 [DHCPV6] R. Droms et. al, "Dynamic Host Configuration Protocol for IPv6", RFC 3315, July 2003 [IPV6-ND] T. Narten et al., "Neighbor Discovery for IP version 6 (IPv6) ", RFC 2461, December 1998 [IPV6-CONF] S. Thomson et. al, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998 [PRIV] T. Narten et al., "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001 [EAP-KEY] D. Simon et al., "EAP Key Management Framework", draft- ietf-eap-keying-01.txt [SEND] J. Arkko et al., "Secure Neighbor Discovery", draft-ietf-send- ndopt-03.txt Expires August 2004 [Page 11] PANA enabling IPsec based Access Control February 2004 [IPV4-LINK] B. Aboba et al., "Dynamic configuration of Link-local IPv4 addresses", draft-ietf-zeroconf-ipv4-linklocal-12.txt [IPV4-PRIV] Y. Rekhter et al., "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996 [IEEE80211i] IEEE Draft 802.11I/D5.0, "Draft Supplement to STANDARD FOR Telecommunications and Information Exchange between Systems – LAN/MAN Specific Requirements - Part 11: Wireless Medium Access Control (MAC) and physical layer specifications: Specification for Enhanced Security", August 2003. 13.0 Acknowledgments The author would like to thank Francis Dupont, Pasi Eronen, Yoshihiro Ohba, Jari Arkko, Hannes Tschofenig and other PANA WG members for their valuable comments and discussions. 14.0 Revision log Changes between revision 01 and 02 -Updated the draft with the fixes for all open issues -Added the IP configuration section -Modified the IKE pre-shared key derivation to handle PAA controlling multiple EPs -Clarification regarding DHCP usage and RFC3456 usage. -Only aggressive mode to be supported. Main mode not needed anymore. Changes between revision 00 and 01 -Specified the use of ESP tunnel mode SA instead of IP-IP transport mode SA after working group discussion. -Specified the IKE pre-shared key derivation. 15.0 Author's Addresses Mohan Parthasarathy 313 Fairchild Drive Mountain View CA-94043 Phone: 408-734-8820 Email: mohanp@sbcglobal.net 16.0 Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. Expires August 2004 [Page 12] PANA enabling IPsec based Access Control February 2004 This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Expires August 2004 [Page 13]