idnits 2.17.1 draft-ietf-ippm-ipsec-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 21, 2013) is 3811 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5996 (Obsoleted by RFC 7296) -- Obsolete informational reference (is this intentional?): RFC 2898 (Obsoleted by RFC 8018) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPPM WG K. Pentikousis, Ed. 3 Internet-Draft EICT 4 Intended status: Standards Track Y. Cui 5 Expires: April 24, 2014 E. Zhang 6 Huawei Technologies 7 October 21, 2013 9 Network Performance Measurement for IPsec 10 draft-ietf-ippm-ipsec-01 12 Abstract 14 IPsec is a mature technology with several interoperable 15 implementations. Indeed, the use of IPsec tunnels is increasingly 16 gaining popularity in several deployment scenarios, not the least in 17 what used to be solely areas of traditional telecommunication 18 protocols. Wider IPsec deployment calls for mechanisms and methods 19 that enable tunnel end-users, as well as operators, to measure one- 20 way and two-way network performance in a standardized manner. 21 Unfortunately, however, standard IP performance measurement security 22 mechanisms cannot be readily used with IPsec. This document makes 23 the case for employing IPsec to protect the One-way and Two-Way 24 Active Measurement Protocols (O/TWAMP) and proposes a method which 25 combines IKEv2 and O/TWAMP as defined in RFC 4656 and RFC 5357, 26 respectively. This specification aims, on the one hand, to ensure 27 that O/TWAMP can be secured with the best mechanisms we have at our 28 disposal today while, on the other hand, it facilitates the 29 applicability of O/TWAMP to networks that have already deployed 30 IPsec. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at http://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on April 24, 2014. 49 Copyright Notice 51 Copyright (c) 2013 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (http://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the Simplified BSD License. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 67 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 68 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 70 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 71 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 72 3.4. O/TWAMP and IPsec . . . . . . . . . . . . . . . . . . . . 7 73 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 8 74 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 8 75 4.2. Server Greeting Message Update . . . . . . . . . . . . . 9 76 4.3. Session Key Derivation . . . . . . . . . . . . . . . . . 11 77 4.3.1. Alternative 1 . . . . . . . . . . . . . . . . . . . . 12 78 4.3.2. Alternative 2 . . . . . . . . . . . . . . . . . . . . 14 79 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 81 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 82 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 83 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 84 8.2. Informative References . . . . . . . . . . . . . . . . . 16 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 87 1. Introduction 89 The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the 90 Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to 91 measure network performance parameters, such as latency, bandwidth, 92 and packet loss by sending probe packets and monitoring their 93 experience in the network. In order to guarantee the accuracy of 94 network measurement results, security aspects must be considered. 95 Otherwise, attacks may occur and the authenticity of the measurement 96 results may be violated. For example, if no protection is provided, 97 an adversary in the middle may modify packet timestamps, thus 98 altering the measurement results. 100 Cryptographic security mechanisms, such as IPsec, have been 101 considered during the early stage of the specification of the two 102 active measurement protocols mentioned above. However, due to 103 several reasons, it was decided to avoid tying the development and 104 deployment of O/TWAMP to such security mechanisms. In practice, for 105 many networks, the issues listed in [RFC4656], Sec. 6.6 with respect 106 to IPsec are still valid. However, we expect that in the near future 107 IPsec will be deployed in many more hosts and networks than today. 108 For example, IPsec tunnels may be used to secure wireless channels. 109 In this case, what we are interested in is measuring network 110 performance specifically for the traffic carried by the secured 111 tunnel, not over the wireless channel in general. This document 112 makes the case that O/TWAMP should be cognizant when IPsec and other 113 security mechanisms are in place and can be leveraged upon. In other 114 words, it is now time to specify how O/TWAMP is used in a network 115 environment where IPsec is already deployed. We expect that in such 116 an environment, measuring IP performance over IPsec tunnels with O/ 117 TWAMP is an important tool for operators. 119 For example, when considering the use of O/TWAMP in networks with 120 IPsec deployed, we can take advantage of the IPsec key exchange 121 protocol [RFC5996]. In particular, we note that it is not necessary 122 to use distinct keys in OWAMP-Control and OWAMP-Test layers. One key 123 for encryption and another for authentication is sufficient for both 124 Control and Test layers. This obviates the need to generate two keys 125 for each layer and reduces the complexity of O/TWAMP protocols in an 126 IPsec environment. This observation comes from the fact that 127 separate session keys in the OWAMP-Control and OWAMP-Test layers were 128 designed for preventing reflection attacks when employing the current 129 mechanism. Once IPsec is employed, such a potential threat is 130 alleviated. 132 The remainder of this document is organized as follows. Section 3 133 motivates this work by revisiting the arguments made in [RFC4656] 134 against the use of IPsec; this section also summarizes protocol 135 operation with respect to security. Section 4 presents a method of 136 binding O/TWAMP and IKEv2 for network measurements between a sender 137 and a receiver which both support IPsec. Finally, Section 5 138 discusses the security considerations arising from the proposed 139 mechanisms. 141 2. Terminology 142 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 143 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 144 document are to be interpreted as described in [RFC2119]. 146 3. Motivation 148 In order to motivate the solutions proposed in this document, let us 149 first revisit Section 6.6 of [RFC4656]. As we explain below, the 150 reasons originally listed therein may not apply in many cases today. 152 RFC 4656 opts against using IPsec and instead favors the use of "a 153 simple cryptographic protocol (based on a block cipher in CBC mode)". 154 The first argument justifying this decision in [RFC4656] is that 155 partial authentication in OWAMP authentication mode is not possible 156 with IPsec. IPsec indeed cannot authenticate only a part of a 157 packet. However, in an environment where IPsec is already deployed 158 and actively used, partial authentication for OWAMP contradicts the 159 operational reasons dictating the use of IPsec. It also increases 160 the operational complexity of OWAMP (and TWAMP) in networks where 161 IPsec is actively used and may in practice limit its applicability. 163 The second argument made is the need to keep separate deployment 164 paths between OWAMP and IPsec. In several currently deployed types 165 of networks IPsec is widely used to protect the data and signaling 166 planes. For example, in mobile telecommunication networks, the 167 deployment rate of IPsec exceeds 95% with respect to the LTE serving 168 network. In older technology cellular networks, such as UMTS and 169 GSM, IPsec use penetration is lower, but still quite significant. 170 Additionally, there is a great number of IPsec-based VPN applications 171 which are widely used in business applications to provide end-to-end 172 security over, for instance, publicly open or otherwise untrusted 173 IEEE 802.11 wireless LANs. At the same time, many IETF-standardized 174 protocols make use of IPsec/IKE, including MIPv4/v6, HIP, SCTP, BGP, 175 NAT and SIP, just to name a few. 177 The third argument in [RFC4656] is that, effectively, the adoption of 178 IPsec in OWAMP may be problematic for "lightweight embedded devices." 179 However, since the publication of RFC 4656, a large number of 180 limited-resource and low-cost hardware, such as Ethernet switches, 181 DSL modems, set-top boxes and other such devices come with support 182 for IPsec "out of the box". Therefore concerns about implementation, 183 although likely valid a decade ago, are not well founded today. 185 Finally, everyday use of IPsec applications by field technicians and 186 good understanding of the IPsec API by many programmers should no 187 longer be a reason for concern. On the contrary: By now, IPsec open 188 source code is available for anyone who wants to use it. Therefore, 189 although IPsec does need a certain level of expertise to deal with 190 it, in practice, most competent technical personnel and programmers 191 have no problems using it on a daily basis. 193 OWAMP and TWAMP actually consist of two inter-related protocols: O/ 194 TWAMP-Control and O/TWAMP-Test. With respect to TWAMP, since "TWAMP 195 and OWAMP use the same protocol for establishment of Control and Test 196 procedures" [RFC5357] (Section 6), IPsec is also not considered. O/ 197 TWAMP-Control is used to initiate, start, and stop test sessions and 198 to fetch their results, whereas O/TWAMP-Test is used to exchange test 199 packets between two measurement nodes. 201 In the remainder of this section we review security for O/TWAMP- 202 Control and O/TWAMP-Test separately and then make the case for using 203 them over IPsec. 205 3.1. O/TWAMP-Control Security 207 O/TWAMP uses a simple cryptographic protocol which relies on 209 o AES in Cipher Block Chaining (AES-CBC) for confidentiality 211 o HMAC-SHA1 truncated to 128 bits for message authentication 213 Three modes of operation are supported: unauthenticated, 214 authenticated, and encrypted. The authenticated and encrypted modes 215 require that endpoints possess a shared secret, typically a 216 passphrase. The secret key is derived from the passphrase using a 217 password-based key derivation function PBKDF2 (PKCS#5) [RFC2898]. 219 In the unauthenticated mode, the security parameters are left unused. 220 In the authenticated and encrypted modes, security parameters are 221 negotiated during the control connection establishment. 223 Figure 1 illustrates the initiation stage of the O/TWAMP-Control 224 protocol between a client and the server. In short, the client opens 225 a TCP connection to the server in order to be able to send OWAMP- 226 Control commands. The server responds with a Server Greeting, which 227 contains the Modes, Challenge, Salt, Count, and MBZ fields (see 228 Section 3.1 of [RFC4656]). If the client-preferred mode is 229 available, the client responds with a Set-Up-Response message, 230 wherein the selected Mode, as well as the KeyID, Token and Client IV 231 are included. The Token is the concatenation of a 16-octet 232 Challenge, a 16-octet AES Session-key used for encryption, and a 233 32-octet HMAC-SHA1 Session-key used for authentication. The Token is 234 encrypted using AES-CBC. 236 +--------+ +--------+ 237 | Client | | Server | 238 +--------+ +--------+ 239 | | 240 |<---- TCP Connection ----->| 241 | | 242 |<---- Greeting message ----| 243 | | 244 |----- Set-Up-Response ---->| 245 | | 246 |<---- Server-Start --------| 247 | | 249 Figure 1: Initiation of O/TWAMP-Control 251 Encryption uses a key derived from the shared secret associated with 252 KeyID. In the authenticated and encrypted modes, all further 253 communication is encrypted using the AES Session-key and 254 authenticated with the HMAC Session-key. The client encrypts 255 everything it transmits through the just-established O/TWAMP-Control 256 connection using stream encryption with Client-IV as the IV. 257 Correspondingly, the server encrypts its side of the connection using 258 Server-IV as the IV. The IVs themselves are transmitted in 259 cleartext. Encryption starts with the block immediately following 260 that containing the IV. 262 The AES Session-key and HMAC Session-key are generated randomly by 263 the client. The HMAC Session-key is communicated along with the AES 264 Session-key during O/TWAMP-Control connection setup. The HMAC 265 Session-key is derived independently of the AES Session-key. 267 3.2. O/TWAMP-Test Security 269 The O/TWAMP-Test protocol runs over UDP, using the sender and 270 receiver IP and port numbers that were negotiated during the Request- 271 Session exchange. O/TWAMP-Test has the same three modes as with O/ 272 TWAMP-Control (unauthenticated, authenticated, and encrypted) and all 273 O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control 274 session mode. 276 The O/TWAMP-Test packet format is the same in authenticated and 277 encrypted modes. The encryption and authentication operations are, 278 however, different. Similarly with the respective O/TWAMP-Control 279 session, each O/TWAMP-Test session has two keys: an AES Session-key 280 and an HMAC Session-key. However, there is a difference in how the 281 keys are obtained: 283 O/TWAMP-Control: the keys are generated by the client and 284 communicated to the server during the control connection 285 establishment with the Set-Up-Response message (as part of 286 the Token). 288 O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and 289 the session identifier (SID), which serve as inputs of the 290 key derivation function (KDF). The O/TWAMP-Test AES Session- 291 key is generated using the O/TWAMP-Control AES Session-key, 292 with the 16-octet session identifier (SID), for encrypting 293 and decrypting the packets of the particular O/TWAMP-Test 294 session. The O/TWAMP-Test HMAC Session-key is generated 295 using the O/TWAMP-Control HMAC Session-key, with the 16-octet 296 session identifier (SID), for authenticating the packets of 297 the particular O/TWAMP-Test session. 299 3.3. O/TWAMP Security Root 301 As discussed above, the AES Session-key and HMAC Session-key used in 302 the O/TWAMP-Test protocol are derived from the AES Session-key and 303 HMAC Session-key which are used in O/TWAMP-Control protocol. The AES 304 Session-key and HMAC Session-key used in the O/TWAMP-Control protocol 305 are generated randomly by the client, and encrypted with the shared 306 secret associated with KeyID. Therefore, the security root is the 307 shared secret key. Thus, for large deployments, key provision and 308 management may become overly complicated. Comparatively, a 309 certificate-based approach using IKEv2/IPsec can automatically manage 310 the security root and solve this problem, as we explain in Section 4. 312 3.4. O/TWAMP and IPsec 314 According to [RFC4656] the "deployment paths of IPsec and OWAMP could 315 be separate if OWAMP does not depend on IPsec." However, the problem 316 that arises in practice is that the security mechanism of O/TWAMP and 317 IPsec cannot coexist at the same time without adding overhead or 318 increasing complexity. 320 IPsec provides confidentiality and data integrity to IP datagrams. 321 Distinct protocols are provided: Authentication Header (AH), 322 Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE 323 v1/v2). AH provides only integrity protection, while ESP can also 324 provide encryption. IKE is used for dynamical key negotiation and 325 automatic key management. 327 When sender and receiver implement O/TWAMP over IPsec, they need to 328 agree on a shared secret key during the IPsec tunnel establishment. 329 Subsequently, all IP packets sent by the sender are protected. If 330 the AH protocol is used, IP packets are transmitted in plaintext. 332 The authentication part covers the entire packet. So all test 333 information, such as UDP port number, and the test results will be 334 visible to any attacker, which can intercept these test packets, and 335 introduce errors or forge packets that may be injected during the 336 transmission. In order to avoid this attack, the receiver must 337 validate the integrity of these packets with the negotiated secret 338 key. If ESP is used, IP packets are encrypted, and hence only the 339 receiver can use the IPsec secret key to decrypt the IP packet, and 340 obtain the test data in order to assess the IP network performance 341 based on the measurements. Both the sender and receiver must support 342 IPsec to generate the security secret key of IPsec. 344 Currently, after the test packets are received by the receiver, it 345 cannot execute active measurement over IPsec. That is because the 346 receiver knows only the shared secret key but not the IPsec key, 347 while the test packets are protected by the IPsec key ultimately. 348 Therefore, it needs to be considered how to measure IP network 349 performance in an IPsec tunnel with O/TWAMP. Without this 350 functionality, the use of OWAMP and TWAMP over IPsec is hindered. 352 Of course, backward compatibility should be considered as well. That 353 is, the intrinsic security method based on shared key as specified in 354 the O/TWAMP standards can also still be suitable for other network 355 settings. There should be no impact on the current security 356 mechanisms defined in O/TWAMP for other use cases. This document 357 describes possible solutions to this problem which take advantage of 358 the secret key derived by IPsec, in order to provision the key needed 359 for active network measurements based on [RFC4656] and [RFC5357]. 361 4. O/TWAMP for IPsec Networks 363 This section presents a method of binding O/TWAMP and IKEv2 for 364 network measurements between a client and a server which both support 365 IPsec. In short, the shared key used for securing O/TWAMP traffic is 366 derived using IKEv2 [RFC5996]. 368 4.1. Shared Key Derivation 370 If the AH protocol is used, the IP packets are transmitted in 371 plaintext, but all O/TWAMP traffic is integrity-protected by IPsec. 372 Therefore, even if the peers choose to opt for the unauthenticated 373 mode, IPsec integrity protection is extended to O/TWAMP. In the 374 authenticated and encrypted modes, the shared secret can be derived 375 from the IKEv2 Security Association (SA), or IPsec SA. 377 If the shared secret key is derived from the IKEv2 SA, SKEYSEED must 378 be generated firstly. SKEYSEED and its derivatives are computed as 379 per [RFC5996], where prf is a pseudorandom function: 381 SKEYSEED = prf( Ni | Nr, g^ir ) 383 Ni and Nr are, respectively, the initiator and responder nonces, 384 which are negotiated during the initial exchange (see Section 1.2 of 385 [RFC5996]). g^ir is the shared secret from the ephemeral Diffie- 386 Hellman exchange and is represented as a string of octets. Note that 387 this SKEYSEED can be used as the O/TWAMP shared secret key directly. 389 Alternatively, the shared secret key can be generated as follows: 391 Shared secret key = PRF{ SKEYSEED, Session ID } 393 wherein the Session ID is the O/TWAMP-Test SID. 395 If the shared secret key is derived from the IPsec SA, instead, the 396 shared secret key can be equal to KEYMAT, wherein 398 KEYMAT = prf+( SK_d, Ni | Nr ) 400 The term "prf+" stands for a function that outputs a pseudorandom 401 stream based on the inputs to a prf, while SK_d is defined in 402 [RFC5996] (Sections 2.13 and 1.2, respectively). The shared secret 403 key can alternatively be generated as follows: 405 Shared secret key = PRF{ KEYMAT, Session ID } 407 wherein the session ID is is the O/TWAMP-Test SID. 409 If rekeying for the IKE SA and IPsec SA occurs, the corresponding key 410 of the SA is updated. Generally, ESP and AH SAs always exist in 411 pairs, with one SA in each direction. If the SA is deleted, the key 412 generated from the IKE SA or IPsec SA should also be updated. 414 4.2. Server Greeting Message Update 416 As discussed above, a binding association between the key generated 417 from IPsec and the O/TWAMP shared secret key needs to be considered. 418 The Security Association (SA) can be identified by the Security 419 Parameter Index (SPI) and protocol uniquely for a given sender and 420 receiver pair. Therefore, these parameters should be agreed upon 421 during the initiation stage of O/TWAMP-Control. At the stage that 422 the sender and receiver negotiate the integrity key, the IPsec 423 protocol and SPI MUST be checked. Only if the two parameters are 424 matched with the IPsec information, MUST the O/TWAMP connection be 425 established. 427 The Security Parameter Index (SPI) and protocol type (see [RFC4301] 428 [RFC5996]) will need to be included in the Server Greeting of the O/ 429 TWAMP-Control protocol depicted in Figure 1. After the client 430 receives the greeting, it MUST close the connection if it receives a 431 greeting with an erroneous SPI and protocol value (Figure 2). 432 Otherwise, the client SHOULD generate the shared secret key as 433 discussed in Section 4.1 and respond with the server-expected Set-Up- 434 Response message. 436 The Modes field in Figure 2 will need to allow for support of key 437 derivation as discussed in Section 4.1. As such, pending discussion 438 in the IPPM WG, Modes value 8 MUST be supported by compatible 439 implementations, indicating support for IPsec. Server 440 implementations compatible with this document MUST set the first 28 441 bits of the Modes field to zero. A client compatible with this 442 specification MUST ignore the first 28 bits of the Modes field. For 443 backward compatibility, the server is obviously allowed to indicate 444 support for the Modes defined in [RFC4656] 446 0 1 2 3 447 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 449 | Protocol | 450 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 451 | SPIi | 452 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 453 | SPIr | 454 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 455 | Modes | 456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 457 | | 458 | Challenge (16 octets) | 459 | | 460 | | 461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 462 | | 463 | Salt (16 octets) | 464 | | 465 | | 466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 467 | Count (4 octets) | 468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 469 | | 470 | MBZ (12 octets) | 471 | | 472 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 474 Figure 2: Server Greeting format 476 A compatible O/TWAMP client implementation would then interpret the 477 originally unused 12 bits of the Server Greeting (see sec. 3.1 of 478 [RFC4656]) as follows: The first 4 octets of the Server Greeting 479 message indicate the protocol type, while the following 8 octets 480 indicate the initiator (SPIi) and responder (SPIr) SPIs as 481 illustrated in Figure 2. Note that in this case, the remaining 482 fields of the Server Greeting message remain as per [RFC4656]. 484 EDITOR'S NOTE: 485 We expect that this implementation option would pose the least 486 backwards compatibility problems to existing O/TWAMP clients. 487 Robust client implementations of [RFC4656] would disregard that 488 the 29th Modes bit in the Server Greeting is set, and should 489 ignore the information contained in the newly defined fields 490 (Protocol, SPIi, SPIr). If the server supports other Modes, as 491 one would assume, the client would then indicate any of the 492 Modes defined in [RFC4656] and effectively indicate that it 493 does not support the IPsec mode. At this point, the Server 494 would need to use the Modes defined in [RFC4656] only. 496 When using ESP, all IP packets are encrypted, and therefore only the 497 receiver can use the IPsec key to decrypt the IP active measurement 498 packets. In this case, the IPsec tunnel between the sender and 499 receiver provides additional security: even if the peers choose the 500 unauthenticated mode, IPsec encryption and integrity protection is 501 provided to O/TWAMP. If the sender and receiver decide to use the 502 authenticated or encrypted mode, the shared secret can also be 503 derived from IKE SA or IPsec SA. The method for key generation and 504 binding association is the same discussed above for the AH protocol 505 mode. 507 There is an encryption-only configuration in ESP, though this is not 508 recommended due to its limitations. Since it does not produce 509 integrity key in this case, either encryption-only ESP should be 510 prohibited for O/TWAMP, or a decryption failure should be 511 distinguished due to possible integrity attack. 513 4.3. Session Key Derivation 515 Section 4.1 described a method for deriving the shared key for O/ 516 TWAMP by capitalizing on IPsec. This is a step forward in terms of 517 facilitating O/TWAMP deployment at scale in IPsec networks as it 518 allows for greater and secure automation of standardized network 519 performance measurements. We note, however, that the O/TWAMP 520 protocol uses distinct encryption and integrity keys for O/TWAMP- 521 Control and O/TWAMP-Test. Consequently, four keys are generated to 522 protect O/TWAMP-Control and O/TWAMP-Test messages. 524 In fact, once IPsec is employed, one key for encryption and another 525 for authentication is sufficient for both the Control and Test 526 protocols. Therefore, in an IPsec environment we can further reduce 527 the operational complexity of O/TWAMP protocols in a straightforward 528 manner, as discussed below. 530 EDITOR'S NOTE: 531 We expect that both session key derivation proposals and 532 optimization alternatives will be discussed in the IPPM working 533 group and we are looking forward to community comments and 534 feedback. 536 4.3.1. Alternative 1 538 If an IPsec SA is established between the server and the client, or 539 both server and client support IPsec, the root key for O/TWAMP-based 540 active network measurements can be derived from the IKE or IPsec SA. 542 If the root key that will be used in O/TWAMP network performance 543 measurements is derived from the IKE SA, SKEYSEED must be generated 544 first. SKEYSEED and its derivatives are computed as per [RFC5996]. 545 SKEYSEED can be used as the root key of O/TWAMP directly; then the 546 root key of O/TWAMP is equal to SKEYSEED. If the root key of O/TWAMP 547 is derived from the IPsec SA, the shared secret key can be equal to 548 KEYMAT. KEYMAT and its derivatives are computed as per usual 549 [RFC5996]. 551 Then, the session keys for encryption and authentication can be 552 derived from the root key of O/TWAMP, wherein: 554 Session key for enc = PRF{ root key of O/TWAMP, "O/TWAMP enc" } 556 Session key for auth = PRF{ root key of O/TWAMP, "O/TWAMP auth" } 558 The former can provide encryption protection for O/TWAMP-Control and 559 O/TWAMP-Test messages, while the latter can provide integrity 560 protection. 562 Note that there are cases where rekeying the IKE SA and IPsec SA is 563 necessary, and after which the corresponding key of SA is updated. 564 If the SA is deleted, the O/TWAMP shared key generated from the IKE 565 SA or IPsec SA should also be updated. 567 EDITOR'S NOTE: 569 In addition to optimizing session key derivation, we can also 570 reduce the verbosity of the Server Greeting and Set-Up-Response 571 messages, as explained below. Note, however, that such O/TWAMP 572 message simplification poses backward compatibility challenges, 573 which should be discussed in the IPPM WG. 575 In this optimization, the O/TWAMP-Control message exchange flow 576 remains as per Figure 1. However, the optimized Server Greeting 577 (Figure 3) can do without the Salt and Count parameters (cf. Figure 578 2) since the root key of O/TWAMP is derived from IKE SA or IPsec SA. 579 O/TWAMP security can rely on IPsec and the SPI can uniquely identify 580 the IPsec SA from which the root key was derived from. 582 0 1 2 3 583 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 584 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 585 | Protocol | 586 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 587 | SPIi | 588 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 589 | SPIr | 590 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 591 | Modes | 592 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 593 | | 594 | Challenge (16 octets) | 595 | | 596 | | 597 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 598 | | 599 | MBZ (12 octets) | 600 | | 601 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 603 Figure 3: Optimized Server Greeting format 605 The format of the Set-Up-Response is illustrated in Figure 4. The 606 Token carried in the Set-Up-Response is calculated as follows: 608 Token = Enc_root-key( Challenge ) 610 where Challenge is the value received earlier in the Server Greeting 611 (Figure 3) 613 0 1 2 3 614 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 615 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 616 | Mode | 617 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 618 | | 619 | Token (16 octets) | 620 | | 621 | | 622 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 623 | | 624 | Client-IV (12 octets) | 625 | | 626 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 628 Figure 4: Set-Up-Response in Alternative 1 630 If the server authenticates the token successfully, then the O/TWAMP- 631 Control message exchange flow can continue. 633 4.3.2. Alternative 2 635 Another way for optimizing the shared key use is to set the O/TWAMP 636 session keys equal to the keys of the IPsec SA directly, i.e: 638 Session key for enc = encryption key of the IPsec SA 640 Session key for auth = integrity key of the IPsec SA 642 The former session key can provide encryption protection for O/TWAMP- 643 Control and O/TWAMP-Test messages, while the latter can provide 644 integrity protection. The point made in the previous subsection 645 about rekeying the IPsec SA applies here too. 647 EDITOR'S NOTE: 648 As noted in the previous subsection, here too we can reduce the 649 verbosity of the Server Greeting and Set-Up-Response messages 650 even further, as explained below. Note, however, that such O/ 651 TWAMP message simplification poses backward compatibility 652 challenges, which should be discussed in the IPPM WG. 654 The O/TWAMP control message exchange flow remains the same (i.e. as 655 per Figure 1), while the Server Greeting format is illustrated in 656 Figure 5. The Challenge, Salt, and Count parameters can be 657 eliminated since the session keys of O/TWAMP are equal to the keys of 658 an IPsec SA directly. SPI can identify the IPsec SA where the 659 session keys derived from. The similarly optimized Set-Up-Response 660 message is illustrated in Figure 6. 662 0 1 2 3 663 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 664 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 665 | Protocol | 666 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 667 | SPIi | 668 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 669 | SPIr | 670 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 671 | Modes | 672 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 673 | | 674 | MBZ (12 octets) | 675 | | 676 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 678 Figure 5: Optimized Server Greeting format 680 0 1 2 3 681 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 682 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 683 | Mode | 684 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 685 | | 686 | Client-IV (12 octets) | 687 | | 688 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 690 Figure 6: Set-Up-Response in Alternative 2 692 5. Security Considerations 694 As the shared secret key is derived from IPsec, the key derivation 695 algorithm strength and limitations are as per [RFC5996]. The 696 strength of a key derived from a Diffie-Hellman exchange using any of 697 the groups defined here depends on the inherent strength of the 698 group, the size of the exponent used, and the entropy provided by the 699 random number generator employed. The strength of all keys and 700 implementation vulnerabilities, particularly Denial of Service (DoS) 701 attacks are as defined in [RFC5996]. 703 EDITOR'S NOTE: 704 As a general note, the IPPM community may want to revisit the 705 arguments listed in [RFC4656], Sec. 6.6. Other widely-used 706 Internet security mechanisms, such as TLS and DTLS, may also be 707 considered for future use over and above of what is already 708 specified in [RFC4656] [RFC5357]. 710 6. IANA Considerations 711 IANA may need to allocate additional values for the Modes options 712 presented in this document. The values of the protocol field may 713 need to be assigned from the numbering space. 715 7. Acknowledgments 717 Emily Bi contributed to an earlier version of this document. 719 We thank Eric Chen and Yakov Stein for their comments on this draft, 720 and Al Morton for the discussion on related earlier work in IPPM WG. 722 8. References 724 8.1. Normative References 726 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 727 Requirement Levels", BCP 14, RFC 2119, March 1997. 729 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 730 Zekauskas, "A One-way Active Measurement Protocol 731 (OWAMP)", RFC 4656, September 2006. 733 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 734 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 735 RFC 5357, October 2008. 737 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 738 "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 739 5996, September 2010. 741 8.2. Informative References 743 [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography 744 Specification Version 2.0", RFC 2898, September 2000. 746 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 747 Internet Protocol", RFC 4301, December 2005. 749 Authors' Addresses 751 Kostas Pentikousis (editor) 752 EICT GmbH 753 Torgauer Strasse 12-15 754 10829 Berlin 755 Germany 757 Email: k.pentikousis@eict.de 758 Yang Cui 759 Huawei Technologies 760 Otemachi First Square 1-5-1 Otemachi 761 Chiyoda-ku, Tokyo 100-0004 762 Japan 764 Email: cuiyang@huawei.com 766 Emma Zhang 767 Huawei Technologies 768 Huawei Building, Q20, No.156, Rd. BeiQing 769 Haidian District , Beijing 100095 770 P. R. China 772 Email: emma.zhanglijia@huawei.com