| < draft-ietf-lsvr-l3dl-signing-02.txt | draft-ietf-lsvr-l3dl-signing-03.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Bush | Network Working Group R. Bush | |||
| Internet-Draft Arrcus & IIJ | Internet-Draft Arrcus & IIJ | |||
| Intended status: Standards Track R. Housley | Intended status: Standards Track R. Housley | |||
| Expires: August 16, 2021 Vigil Security | Expires: 17 April 2022 Vigil Security | |||
| R. Austein | R. Austein | |||
| Arrcus | Arrcus | |||
| February 12, 2021 | 14 October 2021 | |||
| Layer-3 Discovery and Liveness Signing | Layer-3 Discovery and Liveness Signing | |||
| draft-ietf-lsvr-l3dl-signing-02 | draft-ietf-lsvr-l3dl-signing-03 | |||
| Abstract | Abstract | |||
| The Layer-3 Discovery and Liveness protocol OPEN PDU may contain a | The Layer-3 Discovery and Liveness protocol OPEN PDU may contain a | |||
| public key and a certificate, which can be used to verify signatures | public key and a certificate, which can be used to verify signatures | |||
| on subsequent PDUs. This document describes two mechanisms based on | on subsequent PDUs. This document describes two mechanisms based on | |||
| digital signatures, one that is Trust On First Use (TOFU), and one | digital signatures, one that is Trust On First Use (TOFU), and one | |||
| that uses a trust anchor signture over the public key to provide | that uses a trust anchor signture over the public key to provide | |||
| authentication as well as session integrity. | authentication as well as session integrity. | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 16, 2021. | This Internet-Draft will expire on 17 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
| to this document. Code Components extracted from this document must | extracted from this document must include Simplified BSD License text | |||
| include Simplified BSD License text as described in Section 4.e of | as described in Section 4.e of the Trust Legal Provisions and are | |||
| the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Simplified BSD License. | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Signature Algorithm Identifiers . . . . . . . . . . . . . . . 3 | 2. Signature Algorithm Identifiers . . . . . . . . . . . . . . . 3 | |||
| 3. Trust On First Use Method . . . . . . . . . . . . . . . . . . 3 | 3. Trust On First Use Method . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Signing a PDU . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Signing a PDU . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Verifying the OPEN PDU . . . . . . . . . . . . . . . . . 4 | 3.2. Verifying the OPEN PDU . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Verifying Other PDUs . . . . . . . . . . . . . . . . . . 5 | 3.3. Verifying Other PDUs . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Public Key Infrastructure Method . . . . . . . . . . . . . . 5 | 4. Public Key Infrastructure Method . . . . . . . . . . . . . . 5 | |||
| 4.1. Signing OPEN PDU with PKI . . . . . . . . . . . . . . . . 6 | 4.1. Signing OPEN PDU with PKI . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Verifying OPEN PDU with PKI . . . . . . . . . . . . . . . 6 | 4.2. Verifying OPEN PDU with PKI . . . . . . . . . . . . . . . 6 | |||
| 5. Local Policy . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Local Policy . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. NEWKEY, Key Roll . . . . . . . . . . . . . . . . . . . . . . 6 | 6. NEWKEY, Key Roll . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 9 | 9.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| The Layer-3 Discovery and Liveness protocol [I-D.ietf-lsvr-l3dl] OPEN | The Layer-3 Discovery and Liveness protocol [I-D.ietf-lsvr-l3dl] OPEN | |||
| PDU contains an algorithm identifier, a key, and a L3DL certificate, | PDU contains an algorithm identifier, a key, and a L3DL certificate, | |||
| which can be used to verify signatures on subsequent PDUs. This | which can be used to verify signatures on subsequent PDUs. This | |||
| document describes two methods of key generation and signing for use | document describes two methods of key generation and signing for use | |||
| by L3DL, Trust On First Use (TOFU) and a PKI-based mechanism to | by L3DL, Trust On First Use (TOFU) and a PKI-based mechanism to | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 40 ¶ | |||
| 2. Signature Algorithm Identifiers | 2. Signature Algorithm Identifiers | |||
| To avoid the creation of yet another IANA registry for digital | To avoid the creation of yet another IANA registry for digital | |||
| signature algorithm identifiers, this specification makes use of the | signature algorithm identifiers, this specification makes use of the | |||
| existing IANA registry for "DNS Security Algorithm Numbers" [IANA]. | existing IANA registry for "DNS Security Algorithm Numbers" [IANA]. | |||
| In this registry, each signature algorithm is identified by an 8-bit | In this registry, each signature algorithm is identified by an 8-bit | |||
| value. The entries in this registry with "Y" in the "Zone Signing" | value. The entries in this registry with "Y" in the "Zone Signing" | |||
| column are appropriate for use with this protocol. | column are appropriate for use with this protocol. | |||
| For interoperability, all implementations of this protocol MUST | For interoperability, all implementations of this protocol MUST | |||
| support the RSASHA256 algorithm (identified by the value 8). | support the RSASHA256 algorithm (identified by the value 0x08). | |||
| Implementation MAY support any other registered "Zone Signing" | Implementation MAY support any other registered "Zone Signing" | |||
| signature algorithms. | signature algorithms. | |||
| 3. Trust On First Use Method | 3. Trust On First Use Method | |||
| There are three parts to using a key: signing PDUs, verifying the | There are three parts to using a key: signing PDUs, verifying the | |||
| OPEN PDU, and verifying subsequent PDUs. | OPEN PDU, and verifying subsequent PDUs. | |||
| 3.1. Signing a PDU | 3.1. Signing a PDU | |||
| All signed PDUs are generated in the same way: | All signed PDUs are generated in the same way: | |||
| o Compose the PDU, with all fields including "Sig Algo" and | * Compose the PDU, with all fields including "Sig Algo" and | |||
| "Signature Length" set, but omitting the trailing "Signature" | "Signature Length" set, but omitting the trailing "Signature" | |||
| field itself. The Certificate Length should be zero and the | field itself. The Certificate Length should be zero and the | |||
| Certificate field should be empty. This is the "message to be | Certificate field should be empty. This is the "message to be | |||
| signed" for purposes of the signature algorithm. | signed" for purposes of the signature algorithm. | |||
| o Generate the signature as specified for the chosen algorithm, | * Generate the signature as specified for the chosen algorithm, | |||
| using the private key of the asymmetric key pair. In general, | using the private key of the asymmetric key pair. In general, | |||
| this will involve first hashing the "message to be signed" then | this will involve first hashing the "message to be signed" then | |||
| signing the hash, but the precise details may vary with the | signing the hash, but the precise details may vary with the | |||
| specific signature algorithm. The result will be a sequence of | specific signature algorithm. The result will be a sequence of | |||
| octets, the length of which MUST be equal to the value in the | octets, the length of which MUST be equal to the value in the | |||
| "Signature Length" field. | "Signature Length" field. | |||
| o Construct the complete message by appending the signature octets | * Construct the complete message by appending the signature octets | |||
| to the otherwise complete message composed above. | to the otherwise complete message composed above. | |||
| In the case of the OPEN PDU, the message to be signed will include | In the case of the OPEN PDU, the message to be signed will include | |||
| the public member of the asymmetric keypair, but as far as the | the public member of the asymmetric keypair, but as far as the | |||
| signature algorithm is concerned that's just payload, no different | signature algorithm is concerned that's just payload, no different | |||
| from any other PDU content. | from any other PDU content. | |||
| 3.2. Verifying the OPEN PDU | 3.2. Verifying the OPEN PDU | |||
| The process for verifying an OPEN PDU is slightly different from the | The process for verifying an OPEN PDU is slightly different from the | |||
| process for verifying other PDU types, because the OPEN PDU also | process for verifying other PDU types, because the OPEN PDU also | |||
| establishes the session key. | establishes the session key. | |||
| o Verify that the PDU is syntactically correct, and extract the Auth | * Verify that the PDU is syntactically correct, and extract the Auth | |||
| Type, Key, Sig Type, and Signature fields. | Type, Key, Sig Type, and Signature fields. | |||
| o Verify that Auth Type and Sig Type refer to the same algorithm | * Verify that Auth Type and Sig Type refer to the same algorithm | |||
| suite, and that said algorithm suite is one that the | suite, and that said algorithm suite is one that the | |||
| implementation understands. | implementation understands. | |||
| o Construct the "message to be verified" by truncating the PDU to | * Construct the "message to be verified" by truncating the PDU to | |||
| remove the Signature field (in practice this should not require | remove the Signature field (in practice this should not require | |||
| copying any data, just subtract the signature length from the PDU | copying any data, just subtract the signature length from the PDU | |||
| length). | length). | |||
| o Verify the message constructed above against the public key using | * Verify the message constructed above against the public key using | |||
| the rules for the specific signature suite. | the rules for the specific signature suite. | |||
| o Record Auth Type and Key as this sessions's authentication type | * Record Auth Type and Key as this sessions's authentication type | |||
| and session key, for use in verifying subseuqent PDUs. | and session key, for use in verifying subseuqent PDUs. | |||
| If any of the above verification steps fail, generate an error using | If any of the above verification steps fail, generate an error using | |||
| error code 2 ("Authorization failure in OPEN"). | error code 2 ("Authorization failure in OPEN"). | |||
| 3.3. Verifying Other PDUs | 3.3. Verifying Other PDUs | |||
| The process for verifying non-OPEN PDUs is slightly simpler, but | The process for verifying non-OPEN PDUs is slightly simpler, but | |||
| follows the same basic pattern as for OPEN PDUs. | follows the same basic pattern as for OPEN PDUs. | |||
| o Verify that the PDU is syntactically correct, and extract the Sig | * Verify that the PDU is syntactically correct, and extract the Sig | |||
| Type and Signature fields. | Type and Signature fields. | |||
| o Verify that Sig Type refers to the same algorithm suite as the | * Verify that Sig Type refers to the same algorithm suite as the | |||
| Auth Type recorded during verification of the OPEN PDU. | Auth Type recorded during verification of the OPEN PDU. | |||
| o Construct the "message to be verified" by truncating the PDU to | * Construct the "message to be verified" by truncating the PDU to | |||
| remove the Signature field. | remove the Signature field. | |||
| o Verify the message constructed above against the recorded session | * Verify the message constructed above against the recorded session | |||
| key using the rules for the specific signature suite. | key using the rules for the specific signature suite. | |||
| If any of the above verification steps fail, generate an error using | If any of the above verification steps fail, generate an error using | |||
| error code 3 ("Signature failure in PDU"). | error code 3 ("Signature failure in PDU"). | |||
| 4. Public Key Infrastructure Method | 4. Public Key Infrastructure Method | |||
| Using a PKI is almost the same as using TOFU, but with one additional | Using a PKI is almost the same as using TOFU, but with one additional | |||
| step: during verification of an OPEN PDU, after extracting the Key | step: during verification of an OPEN PDU, after extracting the Key | |||
| field from the PDU but before attempting to use it to verify the OPEN | field from the PDU but before attempting to use it to verify the OPEN | |||
| skipping to change at page 6, line 35 ¶ | skipping to change at page 6, line 33 ¶ | |||
| Certificate is a valid signature of the Key field, according to the | Certificate is a valid signature of the Key field, according to the | |||
| rules for the signature suite specified by Auth Type. If this step | rules for the signature suite specified by Auth Type. If this step | |||
| fails, handle as in Section 3.2. | fails, handle as in Section 3.2. | |||
| 5. Local Policy | 5. Local Policy | |||
| Whether to use TOFU, PKI, or no signatures at all is a matter of | Whether to use TOFU, PKI, or no signatures at all is a matter of | |||
| local policy, to be decided by the operator. The useful policy | local policy, to be decided by the operator. The useful policy | |||
| combinations for Key and Certificate are probably: | combinations for Key and Certificate are probably: | |||
| o Not signing: sender need not sign, receiver does not check. | * Not signing: sender need not sign, receiver does not check. | |||
| o Require TOFU: sender MUST supply key and receiver MUST check, but | * Require TOFU: sender MUST supply key and receiver MUST check, but | |||
| L3DL certificates not needed and ignored if sent. | L3DL certificates not needed and ignored if sent. | |||
| o Allow TOFU: sender MUST supply key and receiver MUST check, | * Allow TOFU: sender MUST supply key and receiver MUST check, | |||
| receiver SHOULD check certificate if supplyed by sender. | receiver SHOULD check certificate if supplyed by sender. | |||
| o Require PKI: sender MUST supply key and L3DL certificate, receiver | * Require PKI: sender MUST supply key and L3DL certificate, receiver | |||
| MUST check signature and verify the L3DL certificate. | MUST check signature and verify the L3DL certificate. | |||
| 6. NEWKEY, Key Roll | 6. NEWKEY, Key Roll | |||
| Modern key management allows for agility in 'rolling' to a new key or | Modern key management allows for agility in 'rolling' to a new key or | |||
| even algorithm in case of key expiry, key compromise, or merely | even algorithm in case of key expiry, key compromise, or merely | |||
| prudence. Declaring a new key with an L3DL OPEN PDU would cause | prudence. Declaring a new key with an L3DL OPEN PDU would cause | |||
| serious churn in topology as a new OPEN PDU may cause a withdraw of | serious churn in topology as a new OPEN PDU may cause a withdraw of | |||
| previously announced encapsulations. Therefore, a gentler rekeying | previously announced encapsulations. Therefore, a gentler rekeying | |||
| is needed. | is needed. | |||
| skipping to change at page 9, line 11 ¶ | skipping to change at page 9, line 7 ¶ | |||
| ------ ------------------- | ------ ------------------- | |||
| 1 TOFU - Trust On First Use | 1 TOFU - Trust On First Use | |||
| 2 PKI | 2 PKI | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-lsvr-l3dl] | [I-D.ietf-lsvr-l3dl] | |||
| Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery | Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery | |||
| and Liveness", draft-ietf-lsvr-l3dl-07 (work in progress), | and Liveness", Work in Progress, Internet-Draft, draft- | |||
| January 2021. | ietf-lsvr-l3dl-07, 26 January 2021, | |||
| <https://www.ietf.org/archive/id/draft-ietf-lsvr-l3dl- | ||||
| 07.txt>. | ||||
| [IANA] "DNS Security Algorithm Numbers", | [IANA] "DNS Security Algorithm Numbers", | |||
| <https://www.iana.org/assignments/dns-sec-alg-numbers/dns- | <https://www.iana.org/assignments/dns-sec-alg-numbers/dns- | |||
| sec-alg-numbers.xhtml>. | sec-alg-numbers.xhtml>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 9, line 40 ¶ | skipping to change at page 9, line 38 ¶ | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Randy Bush | Randy Bush | |||
| Arrcus & IIJ | Arrcus & IIJ | |||
| 5147 Crystal Springs | 5147 Crystal Springs | |||
| Bainbridge Island, WA 98110 | Bainbridge Island, WA 98110 | |||
| United States of America | United States of America | |||
| Email: randy@psg.com | Email: randy@psg.com | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| 516 Dranesville Road | 516 Dranesville Road | |||
| Herndon, VA 20170 | Herndon, VA 20170 | |||
| USA | United States of America | |||
| Email: housley@vigilsec.com | Email: housley@vigilsec.com | |||
| Rob Austein | Rob Austein | |||
| Arrcus, Inc. | Arrcus, Inc. | |||
| Email: sra@hactrn.net | Email: sra@hactrn.net | |||
| End of changes. 27 change blocks. | ||||
| 37 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||