| < draft-ietf-dime-e2e-sec-req-01.txt | draft-ietf-dime-e2e-sec-req-02.txt > | |||
|---|---|---|---|---|
| DIME H. Tschofenig, Ed. | DIME H. Tschofenig | |||
| Internet-Draft Nokia Solutions and Networks | Internet-Draft | |||
| Intended status: Informational J. Korhonen | Intended status: Informational J. Korhonen | |||
| Expires: April 24, 2014 Broadcom | Expires: July 30, 2015 Broadcom | |||
| G. Zorn | G. Zorn | |||
| Network Zen | Network Zen | |||
| K. Pillay | K. Pillay | |||
| Oracle Communications | Oracle Communications | |||
| October 21, 2013 | January 26, 2015 | |||
| Diameter AVP Level Security: Scenarios and Requirements | Diameter AVP Level Security End-to-End Security: Scenarios and | |||
| draft-ietf-dime-e2e-sec-req-01.txt | Requirements | |||
| draft-ietf-dime-e2e-sec-req-02.txt | ||||
| Abstract | Abstract | |||
| This specification discusses requirements for providing Diameter | This specification discusses requirements for providing Diameter | |||
| security at the level of individual Attribute Value Pairs. | security at the level of individual Attribute Value Pairs. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 24, 2014. | This Internet-Draft will expire on July 30, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Security Threats . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Security Threats . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Scenarios for Diameter AVP-Level Protection . . . . . . . . . 4 | 4. Scenarios for Diameter AVP-Level Protection . . . . . . . . . 5 | |||
| 5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| The Diameter Base specification [2] offers security protection | The Diameter Base specification [2] offers security protection | |||
| between neighboring Diameter peers and mandates that either TLS (for | between neighboring Diameter peers and mandates that either TLS (for | |||
| TCP), DTLS (for SCTP), or IPsec is used. These security protocols | TCP), DTLS (for SCTP), or IPsec is used. These security protocols | |||
| offer a wide range of security properties, including entity | offer a wide range of security properties, including entity | |||
| authentication, data-origin authentication, integrity, | authentication, data-origin authentication, integrity, | |||
| confidentiality protection and replay protection. They also support | confidentiality protection and replay protection. They also support | |||
| skipping to change at page 7, line 37 ¶ | skipping to change at page 8, line 16 ¶ | |||
| provide different security services. Asymmetric algorithms, | provide different security services. Asymmetric algorithms, | |||
| for example, allow non-repudiation services to be offered. | for example, allow non-repudiation services to be offered. | |||
| Requirement #8: A solution for dynamic key management MUST be | Requirement #8: A solution for dynamic key management MUST be | |||
| included in the overall solution framework. However, it is | included in the overall solution framework. However, it is | |||
| assumed that no "new" key management protocol needs to be | assumed that no "new" key management protocol needs to be | |||
| developed; instead existing ones are re-used, if at all possible. | developed; instead existing ones are re-used, if at all possible. | |||
| Rekeying could be triggered by (a) management actions and (b) | Rekeying could be triggered by (a) management actions and (b) | |||
| expiring keying material. | expiring keying material. | |||
| Requirement #9: The ability to statically provisioned keys | 6. Security Considerations | |||
| (symmetric as well as asymmetric keys) has to be supported to | ||||
| simplify management for small-scale deployments that typically do | ||||
| not have a back-end network management infrastructure. | ||||
| 6. Open Issues | ||||
| Open Issue #1: Capability/Policy Discovery: This document talks | ||||
| about selectively protecting Diameter AVPs between different | ||||
| Diameter nodes. A Diameter node has to be configured such that it | ||||
| applies security protection to a certain number of AVPs. A number | ||||
| of policy related questions arise: What keying material should be | ||||
| used so that the intended recipient is also able to verify it? | ||||
| What AVPs shall be protected so that the result is not rejected by | ||||
| the recipient? In case of confidentiality protection the Diameter | ||||
| node encrypting AVPs needs to know ahead of time what other node | ||||
| is intended to decrypt them. Should the list of integrity | ||||
| protected AVP be indicated in the protected payload itself (or is | ||||
| it known based on out-of-band information)? Is this policy / | ||||
| capability information assumed to be established out-of-band | ||||
| (manually) or is there a protocol mechanism to distribute this | ||||
| information? | ||||
| Open Issue #2: Command-Line Support: Should solutions allow the | ||||
| provisioning of long-term shared symmetric credentials via a | ||||
| command-line interface / text file? This allows easier management | ||||
| for small-scale deployments. | ||||
| 7. Security Considerations | ||||
| This entire document focused on the discussion of new functionality | This entire document focused on the discussion of new functionality | |||
| for securing Diameter AVPs selectively between non-neighboring nodes. | for securing Diameter AVPs selectively between non-neighboring nodes. | |||
| 8. IANA Considerations | 7. IANA Considerations | |||
| This document does not require actions by IANA. | This document does not require actions by IANA. | |||
| 9. Acknowledgments | 8. Acknowledgments | |||
| We would like to thank Guenther Horn, Martin Dolly, for his review | We would like to thank Guenther Horn, Martin Dolly, for his review | |||
| comments. | comments. | |||
| 10. References | 9. References | |||
| 10.1. Normative References | 9.1. Normative References | |||
| [1] Bradner, S., "Key words for use in RFCs to Indicate | [1] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [2] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, | [2] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, | |||
| "Diameter Base Protocol", RFC 6733, October 2012. | "Diameter Base Protocol", RFC 6733, October 2012. | |||
| 10.2. Informative References | 9.2. Informative References | |||
| [3] Calhoun, P., Farrell, S., and W. Bulley, "Diameter CMS | [3] Calhoun, P., Farrell, S., and W. Bulley, "Diameter CMS | |||
| Security Application", draft-ietf-aaa-diameter-cms-sec-04 | Security Application", draft-ietf-aaa-diameter-cms-sec-04 | |||
| (work in progress), March 2002. | (work in progress), March 2002. | |||
| [4] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | [4] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | |||
| Authentication Protocol (EAP) Application", RFC 4072, | Authentication Protocol (EAP) Application", RFC 4072, | |||
| August 2005. | August 2005. | |||
| Authors' Addresses | Authors' Addresses | |||
| Hannes Tschofenig (editor) | Hannes Tschofenig | |||
| Nokia Solutions and Networks | Hall in Tirol 6060 | |||
| Linnoitustie 6 | Austria | |||
| Espoo 02600 | ||||
| Finland | ||||
| Phone: +358 (50) 4871445 | Email: Hannes.tschofenig@gmx.net | |||
| Email: Hannes.Tschofenig@gmx.net | ||||
| URI: http://www.tschofenig.priv.at | URI: http://www.tschofenig.priv.at | |||
| Jouni Korhonen | Jouni Korhonen | |||
| Broadcom | Broadcom | |||
| Porkkalankatu 24 | Porkkalankatu 24 | |||
| Helsinki 00180 | Helsinki 00180 | |||
| Finland | Finland | |||
| Email: jouni.nospam@gmail.com | Email: jouni.nospam@gmail.com | |||
| End of changes. 15 change blocks. | ||||
| 58 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||