< draft-ymbk-lsvr-l3dl-signing-00.txt   draft-ymbk-lsvr-l3dl-signing-01.txt >
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft Arrcus & IIJ Internet-Draft Arrcus & IIJ
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: April 28, 2020 Arrcus Expires: November 7, 2020 Arrcus
October 26, 2019 May 6, 2020
Layer 3 Discovery and Liveness Signing Layer 3 Discovery and Liveness Signing
draft-ymbk-lsvr-l3dl-signing-00 draft-ymbk-lsvr-l3dl-signing-01
Abstract Abstract
The Layer 3 Discovery and Liveness protocol OPEN PDU may contain a The Layer 3 Discovery and Liveness protocol OPEN PDU may contain a
key and a certificate, which can be used to verify signatures on key and a certificate, which can be used to verify signatures on
subsequent PDUs. This document describes two mechanisms based on subsequent PDUs. This document describes two mechanisms based on
digital signatures, one that is Trust On First Use (TOFU), and one digital signatures, one that is Trust On First Use (TOFU), and one
that uses certificates to provide authentication as well as session that uses certificates to provide authentication as well as session
integrity. integrity.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 28, 2020. This Internet-Draft will expire on November 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 45 skipping to change at page 2, line 45
9. Normative References . . . . . . . . . . . . . . . . . . . . 8 9. Normative References . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
This draft is being published without incorporating changes from an This draft is being published without incorporating changes from an
excellent security review. This is being done so a couple of other excellent security review. This is being done so a couple of other
drafts can reference it. While all comments will, of course, be drafts can reference it. While all comments will, of course, be
appreciated, readers may want to wait for the -01 version. appreciated, readers may want to wait for the -01 version.
The Layer 3 Discovery and Liveness protocol [old ref because new The Layer 3 Discovery and Liveness protocol [I-D.ietf-lsvr-l3dl] OPEN
draft not yet pushed] [I-D.ietf-lsvr-l3dl] OPEN PDU contains an PDU contains an algorithm specifier, a key, and a certificate, which
algorithm specifier, a key, and a certificate, which can be used to can be used to verify signatures on subsequent PDUs. This document
verify signatures on subsequent PDUs. This document describes two describes two methods of key generation and signing for use by L3DL,
methods of key generation and signing for use by L3DL, Trust On First Trust On First Use (TOFU) and a PKI-based mechanism to provide
Use (TOFU) and a PKI-based mechanism to provide authentication as authentication as well as session integrity.
well as session integrity.
The Key in the OPEN PDU SHOULD be the public key of an asymmetric key The Key in the OPEN PDU SHOULD be the public key of an asymmetric key
pair. The sender signs with the private key, of course. The device pair. The sender signs with the private key, of course. The device
sending the OPEN may use one key for all links, a different key for sending the OPEN may use one key for all links, a different key for
each link, or some aggregation(s) thereof. each link, or some aggregation(s) thereof.
In the TOFU method the OPEN key is generated on the sending device, In the TOFU method the OPEN key is generated on the sending device,
believed without question by the receiver, and used to verify all believed without question by the receiver, and used to verify all
subsequent PDUs from the same sender with the same Key Type. subsequent PDUs from the same sender with the same Key Type.
skipping to change at page 5, line 31 skipping to change at page 5, line 31
certificate is a signature of the public key to be sent in the Key certificate is a signature of the public key to be sent in the Key
field of the OPEN PDU, signed by the trust anchor private key. field of the OPEN PDU, signed by the trust anchor private key.
Verifying an OPEN PDU using the PKI method requires the public key of Verifying an OPEN PDU using the PKI method requires the public key of
the trust anchor, which the receiver uses to verify the certificate, the trust anchor, which the receiver uses to verify the certificate,
thereby demonstrating that the supplied is represents an authorized thereby demonstrating that the supplied is represents an authorized
L3DL speaker in this administrative domain. L3DL speaker in this administrative domain.
We use the term "certificate" here in the generic sense. These are We use the term "certificate" here in the generic sense. These are
not X.509 certificates: X.509 is much more complicated than we need not X.509 certificates: X.509 is much more complicated than we need
for I3DL. The certificates used here are just signatures of one key for L3DL. The certificates used here are just signatures of one key
(the session key supplied in the Key field of the OPEN PDU) by (the session key supplied in the Key field of the OPEN PDU) by
another key (the trust anchor). another key (the trust anchor).
3.1. Signing OPEN PDU with PKI 3.1. Signing OPEN PDU with PKI
Generating and signing the OPEN PDU with the PKI method is almost the Generating and signing the OPEN PDU with the PKI method is almost the
same as in Section 2.1. The only difference is that the PKI method same as in Section 2.1. The only difference is that the PKI method
MUST supply the appropriate certificate in the Certificate field. MUST supply the appropriate certificate in the Certificate field.
Note that the Auth Type field applies to both the Key and Certificate Note that the Auth Type field applies to both the Key and Certificate
skipping to change at page 8, line 34 skipping to change at page 8, line 34
2 PKI 2 PKI
8. Acknowledgments 8. Acknowledgments
The authors than Russ Housley for advice and review. The authors than Russ Housley for advice and review.
9. Normative References 9. Normative References
[I-D.ietf-lsvr-l3dl] [I-D.ietf-lsvr-l3dl]
Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery
and Liveness", draft-ietf-lsvr-l3dl-02 (work in progress), and Liveness", draft-ietf-lsvr-l3dl-03 (work in progress),
July 2019. November 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <http://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Authors' Addresses Authors' Addresses
Randy Bush Randy Bush
Arrcus & IIJ Arrcus & IIJ
5147 Crystal Springs 5147 Crystal Springs
Bainbridge Island, WA 98110 Bainbridge Island, WA 98110
United States of America United States of America
Email: randy@psg.com Email: randy@psg.com
 End of changes. 9 change blocks. 
17 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/