idnits 2.17.1 draft-ietf-ippm-ipsec-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 22, 2014) is 3563 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5996 (Obsoleted by RFC 7296) -- Obsolete informational reference (is this intentional?): RFC 2898 (Obsoleted by RFC 8018) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPPM WG K. Pentikousis, Ed. 3 Internet-Draft EICT 4 Intended status: Standards Track Y. Cui 5 Expires: January 23, 2015 E. Zhang 6 Huawei Technologies 7 July 22, 2014 9 IKEv2-based Shared Secret Key for O/TWAMP 10 draft-ietf-ippm-ipsec-04 12 Abstract 14 The O/TWAMP security mechanism requires that both the client and 15 server endpoints possess a shared secret. Since the currently- 16 standardized O/TWAMP security mechanism only supports a pre-shared 17 key mode, large scale deployment of O/TWAMP is hindered 18 significantly. At the same time, recent trends point to wider IKEv2 19 deployment which, in turn, calls for mechanisms and methods that 20 enable tunnel end-users, as well as operators, to measure one-way and 21 two-way network performance in a standardized manner. This document 22 discusses the use of keys derived from an IKEv2 SA as the shared key 23 in O/TWAMP. If the shared key can be derived from the IKEv2 SA, O/ 24 TWAMP can support certificate-based key exchange, which would allow 25 for more operational flexibility and efficiency. The key derivation 26 presented in this document can also facilitate automatic key 27 management. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on January 23, 2015. 46 Copyright Notice 48 Copyright (c) 2014 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 65 3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 66 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 67 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 68 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 69 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 70 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 71 4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 72 4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 73 4.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 10 74 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 75 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 76 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 77 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 78 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 79 8.2. Informative References . . . . . . . . . . . . . . . . . 11 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 82 1. Introduction 84 The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the 85 Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to 86 measure network performance parameters, such as latency, bandwidth, 87 and packet loss by sending probe packets and monitoring their 88 experience in the network. In order to guarantee the accuracy of 89 network measurement results, security aspects must be considered. 90 Otherwise, attacks may occur and the authenticity of the measurement 91 results may be violated. For example, if no protection is provided, 92 an adversary in the middle may modify packet timestamps, thus 93 altering the measurement results. 95 The currently-standardized O/TWAMP security mechanism [RFC4656] 96 [RFC5357] requires that endpoints (i.e. both the client and the 97 server) possess a shared secret. In today's network deployments, 98 however, the use of pre-shared keys is far from optimal. For 99 example, in wireless infrastructure networks, certain network 100 elements, which can be seen as the two endpoints from an O/TWAMP 101 perspective, support certificate-based security. For instance, 102 consider the case in which one wants to measure IP performance 103 between an eNB and SeGW. Both eNB and SeGW are 3GPP LTE nodes and 104 support certificate mode and IKEv2. Since the currently standardized 105 O/TWAMP security mechanism only supports pre-shared key mode, large 106 scale deployment of O/TWAMP is hindered significantly. Furthermore, 107 deployment and management of "shared secrets" for massive equipment 108 installation consumes a tremendous amount of effort and is prone to 109 human error. 111 With IKEv2 widely used, employing keys derived from IKEv2 SA as 112 shared key can be considered as a viable alternative. In mobile 113 telecommunication networks, the deployment rate of IPsec exceeds 95% 114 with respect to the LTE serving network. In older-technology 115 cellular networks, such as UMTS and GSM, IPsec use penetration is 116 lower, but still quite significant. If the shared key can be derived 117 from the IKEv2 SA, O/TWAMP can support cert-based key exchange and 118 make it more flexible in practice and more efficient. The use of 119 IKEv2 also makes it easier to extend automatic key management. In 120 general, O/TWAMP measurement packets can be transmitted inside the 121 IPsec tunnel, as it occurs with typical user traffic, or transmitted 122 outside the IPsec tunnel. This may depend on the operator's policy 123 and is orthogonal to the mechanism described in this document. 125 We note that protecting unauthenticated O/TWAMP traffic using IPsec 126 security services is sufficient in many cases. That said, protecting 127 unauthenticated O/TWAMP control and/or test traffic via AH or ESP 128 cannot provide various security modes and cannot authenticate part of 129 a O/TWAMP packet as mentioned in [RFC4656]. In real-world 130 deployments this may hinder timestamp accuracy. This document 131 describes how to derive the shared secret key from the IKEv2 SA and 132 employ the security service at the O/TWAMP layer. This method SHOULD 133 be used when O/TWAMP traffic is bypassing IPsec protection and is 134 running over an external network exactly between two IKEv2 systems. 136 The remainder of this document is organized as follows. Section 3 137 summarizes O/TWAMP protocol operation with respect to security. 138 Section 4 presents a method of binding O/TWAMP and IKEv2 for network 139 measurements between the client and the server which both support 140 IKEv2. Finally, Section 5 discusses the security considerations 141 arising from the proposed mechanisms. 143 2. Terminology 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in [RFC2119]. 149 3. O/TWAMP Security 151 Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in 152 the following subsections. 154 3.1. O/TWAMP-Control Security 156 O/TWAMP uses a simple cryptographic protocol which relies on 158 o AES in Cipher Block Chaining (AES-CBC) for confidentiality 160 o HMAC-SHA1 truncated to 128 bits for message authentication 162 Three modes of operation are supported in the OWAMP-Control protocol: 163 unauthenticated, authenticated, and encrypted. In addition to these 164 modes, the TWAMP-Control protocol also supports a mixed mode, i.e. 165 the TWAMP-Control protocol operates in encrypted mode while TWAMP- 166 Test protocol operates in unauthenticated mode. The authenticated, 167 encrypted and mixed modes require that endpoints possess a shared 168 secret, typically a passphrase. The secret key is derived from the 169 passphrase using a password-based key derivation function PBKDF2 170 (PKCS#5) [RFC2898]. 172 In the unauthenticated mode, the security parameters are left unused. 173 In the authenticated, encrypted and mixed modes, the security 174 parameters are negotiated during the control connection 175 establishment. 177 Figure 1 illustrates the initiation stage of the O/TWAMP-Control 178 protocol between a client and the server. In short, the client opens 179 a TCP connection to the server in order to be able to send O/TWAMP- 180 Control commands. The server responds with a Server Greeting, which 181 contains the Modes, Challenge, Salt, Count, and MBZ fields (see 182 Section 3.1 of [RFC4656]). If the client-preferred mode is 183 available, the client responds with a Set-Up- Response message, 184 wherein the selected Mode, as well as the KeyID, Token and Client IV 185 are included. The Token is the concatenation of a 16-octet 186 Challenge, a 16-octet AES Session-key used for encryption, and a 187 32-octet HMAC-SHA1 Session-key used for authentication. The Token is 188 encrypted using AES-CBC. 190 +--------+ +--------+ 191 | Client | | Server | 192 +--------+ +--------+ 193 | | 194 |<---- TCP Connection ----->| 195 | | 196 |<---- Greeting message ----| 197 | | 198 |----- Set-Up-Response ---->| 199 | | 200 |<---- Server-Start --------| 201 | | 203 Figure 1: Initiation of O/TWAMP-Control 205 Encryption uses a key derived from the shared secret associated with 206 KeyID. In the authenticated, encrypted and mixed modes, all further 207 communication is encrypted using the AES Session-key and 208 authenticated with the HMAC Session-key. After receiving Set-Up- 209 Response the server responds with a Server-Start message containing 210 Server-IV. The client encrypts everything it transmits through the 211 just-established O/TWAMP-Control connection using stream encryption 212 with Client- IV as the IV. Correspondingly, the server encrypts its 213 side of the connection using Server-IV as the IV. The IVs themselves 214 are transmitted in cleartext. Encryption starts with the block 215 immediately following that containing the IV. 217 The AES Session-key and HMAC Session-key are generated randomly by 218 the client. The HMAC Session-key is communicated along with the AES 219 Session-key during O/TWAMP-Control connection setup. The HMAC 220 Session-key is derived independently of the AES Session-key. 222 3.2. O/TWAMP-Test Security 224 The O/TWAMP-Test protocol runs over UDP, using the client and server 225 IP and port numbers that were negotiated during the Request-Session 226 exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and 227 all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control 228 session mode except when operating in mixed mode. 230 The O/TWAMP-Test packet format is the same in authenticated and 231 encrypted modes. The encryption and authentication operations are, 232 however, different. Similarly with the respective O/TWAMP-Control 233 session, each O/TWAMP-Test session has two keys: an AES Session-key 234 and an HMAC Session-key. However, there is a difference in how the 235 keys are obtained: 237 O/TWAMP-Control: the keys are generated by the client and 238 communicated to the server during the control connection 239 establishment with the Set-Up-Response message (as part of 240 the Token). 242 O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and 243 the session identifier (SID), which serve as inputs of the 244 key derivation function (KDF). The O/TWAMP-Test AES Session- 245 key is generated using the O/TWAMP- Control AES Session-key, 246 with the 16-octet session identifier (SID), for encrypting 247 and decrypting the packets of the particular O/TWAMP-Test 248 session. The O/TWAMP-Test HMAC Session-key is generated 249 using the O/TWAMP-Control HMAC Session-key, with the 16-octet 250 session identifier (SID), for authenticating the packets of 251 the particular O/TWAMP-Test session. 253 3.3. O/TWAMP Security Root 255 As discussed above, the AES Session-key and HMAC Session-key used by 256 the O/TWAMP-Test protocol are derived from the AES Session-key and 257 HMAC Session-key which are used in O/TWAMP-Control protocol. The AES 258 Session-key and HMAC Session-key used in the O/TWAMP-Control protocol 259 are generated randomly by the client, and encrypted with the shared 260 secret associated with KeyID. Therefore, the security root is the 261 shared secret key. Thus, for large deployments, key provision and 262 management may become overly complicated. Comparatively, a 263 certificate-based approach using IKEv2 can automatically manage the 264 security root and solve this problem, as we explain in Section 4. 266 4. O/TWAMP for IPsec Networks 268 This section presents a method of binding O/TWAMP and IKEv2 for 269 network measurements between a client and a server which both support 270 IPsec. In short, the shared key used for securing O/TWAMP traffic is 271 derived using IKEv2 [RFC5996]. 273 4.1. Shared Key Derivation 275 In the authenticated, encrypted and mixed modes, the shared secret 276 key MUST be derived from the IKEv2 Security Association (SA). Note 277 that we explicitly opt to derive the shared secret key from the IKEv2 278 SA, rather than the child SA, since the use case whereby an IKEv2 SA 279 can be created without generating any child SA is possible [RFC6023]. 281 When the shared secret key is derived from the IKEv2 SA, SKEYSEED 282 must be generated first. SKEYSEED and its derivatives MUST be 283 computed as per [RFC5996], where prf is a pseudorandom function: 285 SKEYSEED = prf( Ni | Nr, g^ir ) 287 Ni and Nr are, respectively, the initiator and responder nonces, 288 which are negotiated during the initial exchange (see Section 1.2 of 289 [RFC5996]). g^ir is the shared secret from the ephemeral Diffie- 290 Hellman exchange and is represented as a string of octets. 292 The shared secret key MUST be generated as follows: 294 Shared secret key = PRF( SKEYSEED, "IPPM" ) 296 Wherein the string "IPPM" comprises four ASCII characters. It is 297 recommended that the shared secret key is derived in the IPsec layer. 298 This way, the IPsec keying material is not exposed to the O/TWAMP 299 client. Note, however, that the interaction between the O/TWAMP and 300 IPsec layers is host-internal and implementation-specific. 301 Therefore, this is clearly outside the scope of this document, which 302 focuses on the interaction between the O/TWAMP client and server. 303 That said, one possible way could be the following: at the client 304 side, the IPSec layer can perform a lookup in the Security 305 Association Database (SAD) using the IP address of the server and 306 thus match the corresponding IKEv2 SA. At the server side, the IPSec 307 layer can look up the corresponding IKEv2 SA by using the SPIs sent 308 by the client, and therefore extract the shared secret key. In case 309 that both client and server do support IKEv2 but there is no current 310 IKEv2 SA, two alternative ways could be considered. First, the O/ 311 TWAMP client initiates the establishment of the IKEv2 SA, logs this 312 operation, and selects the mode which supports IKEv2. Alternatively, 313 the O/TWAMP client does not initiate the establishment of the IKEv2 314 SA, logs an error for operational management purposes, and proceeds 315 with the modes defined in [RFC4656][RFC5618]. Again, although both 316 alternatives are feasible, they are in fact implementation-specific. 318 If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the 319 corresponding shared secret key generated from the SA can continue to 320 be used until the lifetime of the shared secret key expires. 322 4.2. Server Greeting Message Update 324 To achieve a binding association between the key generated from IKEv2 325 and the O/TWAMP shared secret key, Server Greeting Message should be 326 updated as in Figure 2. 328 0 1 2 3 329 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 330 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 331 | | 332 | Unused (12 octets) | 333 | | 334 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 335 | Modes | 336 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 337 | | 338 | Challenge (16 octets) | 339 | | 340 | | 341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 342 | | 343 | Salt (16 octets) | 344 | | 345 | | 346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 347 | Count (4 octets) | 348 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 349 | | 350 | MBZ (12 octets) | 351 | | 352 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 354 Figure 2: Server Greeting format 356 The Modes field in Figure 2 will need to allow for support of key 357 derivation as discussed in Section 4.1. As such, the Modes value 358 extension MUST be supported by implementations compatible with this 359 document, indicating support for deriving shared key from IKEv2 SA. 360 Three new Modes including authenticated mode over IKEv2(IANA.TBA.O/ 361 TWAMP.IKEAuth),encrypted mode over IKEv2(IANA.TBA.O/TWAMP.IKEEnc) and 362 mixed mode over IKEv2(IANA.TBA.TWAMP.IKEMix) are proposed. 364 Authenticated mode over IKEv2 means that the client and server 365 operate in authenticated mode with the shared secret key derived from 366 IKEv2 SA. Encrypted mode over IKEv2 means that the client and server 367 operate in encrypted mode with the shared secret key derived from 368 IKEv2 SA. Mixed mode over IKEv2 means that the client and server 369 operate in encrypted mode for the O/TWAMP-Control protocol while 370 operating in unauthenticated mode for the O/TWAMP-Test protocol with 371 shared secret key derived from IKEv2 SA. 373 The choice of this set of Modes values poses the least backwards 374 compatibility problems to existing O/TWAMP clients. Robust client 375 implementations of [RFC4656] would disregard the fact that the first 376 29 Modes bits in the Server Greeting is set. If the server supports 377 other Modes, as one would assume, the client would then indicate any 378 of the Modes defined in [RFC4656] and effectively indicate that it 379 does not support key derivation from IKEv2. At this point, the 380 Server would need to use the Modes defined in [RFC4656] only. 382 4.3. Set-Up-Response Update 384 The Set-Up-Response Message should be updated as in Figure 3. 386 0 1 2 3 387 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 388 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 389 | Mode | 390 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 391 | | 392 | Key ID (80 octets) | 393 | | 394 | | 395 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 396 | | 397 | Token (16 octets) | 398 | | 399 | | 400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 401 | | 402 | Client-IV (12 octets) | 403 | | 404 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 406 Figure 3: Set-Up-Response Message 408 The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can 409 uniquely identify the Security Association (SA). If the client 410 supports the derivation of shared secret key from IKEv2 SA, it will 411 choose the corresponding mode value and carry SPIi and SPIr in the 412 Key ID field. SPIi and SPIr are included in the Key ID field of Set- 413 Up- Response Message to indicate the IKEv2 SA from which the O/TWAMP 414 shared secret key derived from. The length of SPI is 4 octets. 415 Therefore, the first 4 octets of Key ID field carry SPIi and the 416 second 4 octets carry SPIr. The remaining bits of the Key ID field 417 are set to zero. 419 A O/TWAMP server which supports the specification of this document, 420 can obtain the SPIi and SPIr from the first 8 octets and ignore the 421 rest octets of the Key ID field. Then, the client and the server can 422 derive the shared secret key based on the mode value and SPI. If the 423 O/TWAMP server cannot find the IKEv2 SA corresponding to the SPIi and 424 SPIr received, it MUST log the event for operational management 425 purposes. In addition, the O/TWAMP server SHOULD set the Accept 426 field of the Server-Start message to the value 6 to indicate that 427 server is not willing to conduct further transactions in this O/ 428 TWAMP-Control session since it can not find the corresponding IKEv2 429 SA. 431 4.4. O/TWAMP over an IPsec tunnel 433 IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and 434 data integrity to IP datagrams. Thus and IPsec tunnel can be used to 435 provide the protection needed for O/TWAMP Control and Test packets, 436 even if the peers choose the unauthenticated mode of operation. If 437 the two endpoints are already connected through an IPSec tunnel it is 438 RECOMMENDED that the O/TWAMP measurement packets are forwarded over 439 the IPSec tunnel if the peers choose the unauthenticated mode in 440 order to ensure authenticity and security. 442 5. Security Considerations 444 As the shared secret key is derived from the IKEv2 SA, the key 445 derivation algorithm strength and limitations are as per [RFC5996]. 446 The strength of a key derived from a Diffie-Hellman exchange using 447 any of the groups defined here depends on the inherent strength of 448 the group, the size of the exponent used, and the entropy provided by 449 the random number generator employed. The strength of all keys and 450 implementation vulnerabilities, particularly Denial of Service (DoS) 451 attacks are as defined in [RFC5996]. 453 As a more general note, the IPPM community may want to revisit the 454 arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet 455 security mechanisms, such as TLS and DTLS, may also be considered for 456 future use over and above of what is already specified in [RFC4656] 457 [RFC5357]. 459 6. IANA Considerations 461 IANA will need to allocate additional values for the Modes options 462 presented in this document. 464 7. Acknowledgments 466 Emily Bi contributed to an earlier version of this document. 468 We thank Eric Chen, Yaakov Stein, Brian Trammell, John Mattsson, and 469 Steve Baillargeon for their comments and text suggestions, and Al 470 Morton for the good discussion and pointers to earlier related work 471 in IPPM WG. 473 8. References 475 8.1. Normative References 477 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 478 Requirement Levels", BCP 14, RFC 2119, March 1997. 480 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 481 2005. 483 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 484 4303, December 2005. 486 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 487 Zekauskas, "A One-way Active Measurement Protocol 488 (OWAMP)", RFC 4656, September 2006. 490 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 491 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 492 RFC 5357, October 2008. 494 [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the 495 Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, 496 August 2009. 498 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 499 "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 500 5996, September 2010. 502 8.2. Informative References 504 [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography 505 Specification Version 2.0", RFC 2898, September 2000. 507 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 508 Internet Protocol", RFC 4301, December 2005. 510 [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A 511 Childless Initiation of the Internet Key Exchange Version 512 2 (IKEv2) Security Association (SA)", RFC 6023, October 513 2010. 515 Authors' Addresses 516 Kostas Pentikousis (editor) 517 EICT GmbH 518 EUREF-Campus Haus 13 519 Torgauer Strasse 12-15 520 10829 Berlin 521 Germany 523 Email: k.pentikousis@eict.de 525 Yang Cui 526 Huawei Technologies 527 Otemachi First Square 1-5-1 Otemachi 528 Chiyoda-ku, Tokyo 100-0004 529 Japan 531 Email: cuiyang@huawei.com 533 Emma Zhang 534 Huawei Technologies 535 Huawei Building, Q20, No.156, Rd. BeiQing 536 Haidian District , Beijing 100095 537 P. R. China 539 Email: emma.zhanglijia@huawei.com