idnits 2.17.1 draft-ietf-ippm-ipsec-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 27, 2014) is 3409 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2898 (Obsoleted by RFC 8018) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPPM WG K. Pentikousis, Ed. 3 Internet-Draft EICT 4 Intended status: Standards Track E. Zhang 5 Expires: June 30, 2015 Y. Cui 6 Huawei Technologies 7 December 27, 2014 9 IKEv2-based Shared Secret Key for O/TWAMP 10 draft-ietf-ippm-ipsec-07 12 Abstract 14 The O/TWAMP security mechanism requires that both the client and 15 server endpoints possess a shared secret. Since the currently- 16 standardized O/TWAMP security mechanism only supports a pre-shared 17 key mode, large scale deployment of O/TWAMP is hindered 18 significantly. At the same time, recent trends point to wider IKEv2 19 deployment which, in turn, calls for mechanisms and methods that 20 enable tunnel end-users, as well as operators, to measure one-way and 21 two-way network performance in a standardized manner. This document 22 discusses the use of keys derived from an IKEv2 SA as the shared key 23 in O/TWAMP. If the shared key can be derived from the IKEv2 SA, O/ 24 TWAMP can support certificate-based key exchange, which would allow 25 for more operational flexibility and efficiency. The key derivation 26 presented in this document can also facilitate automatic key 27 management. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on June 30, 2015. 46 Copyright Notice 48 Copyright (c) 2014 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 65 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 66 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 67 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 68 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 69 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 70 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 71 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 72 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 73 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 10 74 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 75 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 77 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 78 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 79 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 80 9.2. Informative References . . . . . . . . . . . . . . . . . 13 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 83 1. Introduction 85 The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the 86 Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to 87 measure network performance parameters, such as latency, bandwidth, 88 and packet loss by sending probe packets and monitoring their 89 experience in the network. In order to guarantee the accuracy of 90 network measurement results, security aspects must be considered. 91 Otherwise, attacks may occur and the authenticity of the measurement 92 results may be violated. For example, if no protection is provided, 93 an adversary in the middle may modify packet timestamps, thus 94 altering the measurement results. 96 The currently-standardized O/TWAMP security mechanism [RFC4656] 97 [RFC5357] requires that endpoints (i.e. both the client and the 98 server) possess a shared secret. In today's network deployments, 99 however, the use of pre-shared keys is far from optimal. For 100 example, in wireless infrastructure networks, certain network 101 elements, which can be seen as the two endpoints from an O/TWAMP 102 perspective, support certificate-based security. For instance, 103 consider the case in which one wants to measure IP performance 104 between an eNB and SeGW. Both eNB and SeGW are 3GPP LTE nodes and 105 support certificate mode and IKEv2. Since the currently standardized 106 O/TWAMP security mechanism only supports pre-shared key mode, large 107 scale deployment of O/TWAMP is hindered significantly. Furthermore, 108 deployment and management of "shared secrets" for massive equipment 109 installation consumes a tremendous amount of effort and is prone to 110 human error. 112 With IKEv2 widely used, employing keys derived from IKEv2 SA as 113 shared key can be considered as a viable alternative. In mobile 114 telecommunication networks, the deployment rate of IPsec exceeds 95% 115 with respect to the LTE serving network. In older-technology 116 cellular networks, such as UMTS and GSM, IPsec use penetration is 117 lower, but still quite significant. If the shared key can be derived 118 from the IKEv2 SA, O/TWAMP can support cert-based key exchange and 119 make it more flexible in practice and more efficient. The use of 120 IKEv2 also makes it easier to extend automatic key management. In 121 general, O/TWAMP measurement packets can be transmitted inside the 122 IPsec tunnel, as it occurs with typical user traffic, or transmitted 123 outside the IPsec tunnel. This may depend on the operator's policy 124 and is orthogonal to the mechanism described in this document. 126 When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated 127 mode using IPsec is one option. Another option is to protect O/TWAMP 128 traffic using O/TWAMP layer security established using the PSK 129 derived from IKEv2 but bypassing the IPsec tunnel. Protecting 130 unauthenticated O/TWAMP control and/or test traffic via AH or ESP 131 cannot provide various security options, e.g. it cannot authenticate 132 part of a O/TWAMP packet as mentioned in [RFC4656]. For measuring 133 latency, timestamp is carried in O/TWAMP traffic. The sender has to 134 fetch the timestamp, encrypt it, and send it. In this case, the 135 middle step can be skipped, potentially improving accuracy as the 136 sequence number can be encrypted and authenticated before the 137 timestamp is fetched. It is the same case for the receiver since it 138 can obtain the timestamp by skipping the decryption step. In such 139 cases, protecting O/TWAMP traffic using O/TWAMP layer security but 140 bypassing IPsec tunnel has its advantages. This document describes 141 how to derive the shared secret key from the IKEv2 SA and employ the 142 security service at the O/TWAMP layer. This method SHOULD be used 143 when O/TWAMP traffic is bypassing IPsec protection and is running 144 over an external network exactly between two IKEv2 systems. 146 After clarifying the terminology and scope in the subsequent 147 sections, the remainder of this document is organized as follows. 148 Section 4 summarizes O/TWAMP protocol operation with respect to 149 security. Section 5 presents the method for binding TWAMP and IKEv2 150 for network measurements between the client and the server which both 151 support IKEv2. Finally, Section 6 discusses the security 152 considerations arising from the proposed mechanisms. 154 2. Terminology 156 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 157 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 158 document are to be interpreted as described in [RFC2119]. 160 3. Scope and Applicability 162 This document specifies a method for enabling network measurements 163 between a TWAMP client and a TWAMP server which both support IPsec. 164 In short, the shared key used for securing TWAMP traffic is derived 165 using IKEv2 [RFC7296]. This document reserves from the TWAMP-Modes 166 registry the Mode value IKEv2Derived which is equal to 128 (i.e. bit 167 set in position 7) [NOTE to IANA: remove before allocation and final 168 publication] and MUST be used by TWAMP implementations compatible 169 with this specification. 171 Although the control procedures described in this document are 172 applicable to OWAMP per se, the lack of an established IANA registry 173 for OWAMP Mode values technically prevents us from extending OWAMP 174 Mode values. Therefore, independent OWAMP implementations SHOULD be 175 checked for full compatibility with respect to the use of this Mode 176 value. Until an IANA registry for OWAMP Mode values is established, 177 the use this feature in OWAMP implementations MUST be arranged 178 privately among consenting OWAMP users. 180 4. O/TWAMP Security 182 Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in 183 the following subsections. 185 4.1. O/TWAMP-Control Security 187 O/TWAMP uses a simple cryptographic protocol which relies on 189 o AES in Cipher Block Chaining (AES-CBC) for confidentiality 191 o HMAC-SHA1 truncated to 128 bits for message authentication 193 Three modes of operation are supported in the OWAMP-Control protocol: 194 unauthenticated, authenticated, and encrypted. In addition to these 195 modes, the TWAMP-Control protocol also supports a mixed mode, i.e. 196 the TWAMP-Control protocol operates in encrypted mode while TWAMP- 197 Test protocol operates in unauthenticated mode. The authenticated, 198 encrypted and mixed modes require that endpoints possess a shared 199 secret, typically a passphrase. The secret key is derived from the 200 passphrase using a password-based key derivation function PBKDF2 201 (PKCS#5) [RFC2898]. 203 In the unauthenticated mode, the security parameters are left unused. 204 In the authenticated, encrypted and mixed modes, the security 205 parameters are negotiated during the control connection 206 establishment. 208 Figure 1 illustrates the initiation stage of the O/TWAMP-Control 209 protocol between a client and the server. In short, the client opens 210 a TCP connection to the server in order to be able to send O/TWAMP- 211 Control commands. The server responds with a Server Greeting, which 212 contains the Modes, Challenge, Salt, Count, and MBZ fields (see 213 Section 3.1 of [RFC4656]). If the client-preferred mode is 214 available, the client responds with a Set-Up- Response message, 215 wherein the selected Mode, as well as the KeyID, Token and Client IV 216 are included. The Token is the concatenation of a 16-octet 217 Challenge, a 16-octet AES Session-key used for encryption, and a 218 32-octet HMAC-SHA1 Session-key used for authentication. The Token is 219 encrypted using AES-CBC. 221 +--------+ +--------+ 222 | Client | | Server | 223 +--------+ +--------+ 224 | | 225 |<---- TCP Connection ----->| 226 | | 227 |<---- Greeting message ----| 228 | | 229 |----- Set-Up-Response ---->| 230 | | 231 |<---- Server-Start --------| 232 | | 234 Figure 1: Initiation of O/TWAMP-Control 236 Encryption uses a key derived from the shared secret associated with 237 KeyID. In the authenticated, encrypted and mixed modes, all further 238 communication is encrypted using the AES Session-key and 239 authenticated with the HMAC Session-key. After receiving Set-Up- 240 Response the server responds with a Server-Start message containing 241 Server-IV. The client encrypts everything it transmits through the 242 just-established O/TWAMP-Control connection using stream encryption 243 with Client- IV as the IV. Correspondingly, the server encrypts its 244 side of the connection using Server-IV as the IV. The IVs themselves 245 are transmitted in cleartext. Encryption starts with the block 246 immediately following that containing the IV. 248 The AES Session-key and HMAC Session-key are generated randomly by 249 the client. The HMAC Session-key is communicated along with the AES 250 Session-key during O/TWAMP-Control connection setup. The HMAC 251 Session-key is derived independently of the AES Session-key. 253 4.2. O/TWAMP-Test Security 255 The O/TWAMP-Test protocol runs over UDP, using the client and server 256 IP and port numbers that were negotiated during the Request-Session 257 exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and 258 all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control 259 session mode except when operating in mixed mode. 261 The O/TWAMP-Test packet format is the same in authenticated and 262 encrypted modes. The encryption and authentication operations are, 263 however, different. Similarly with the respective O/TWAMP-Control 264 session, each O/TWAMP-Test session has two keys: an AES Session-key 265 and an HMAC Session-key. However, there is a difference in how the 266 keys are obtained: 268 O/TWAMP-Control: the keys are generated by the client and 269 communicated to the server during the control connection 270 establishment with the Set-Up-Response message (as part of 271 the Token). 273 O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and 274 the session identifier (SID), which serve as inputs of the 275 key derivation function (KDF). The O/TWAMP-Test AES Session- 276 key is generated using the O/TWAMP- Control AES Session-key, 277 with the 16-octet session identifier (SID), for encrypting 278 and decrypting the packets of the particular O/TWAMP-Test 279 session. The O/TWAMP-Test HMAC Session-key is generated 280 using the O/TWAMP-Control HMAC Session-key, with the 16-octet 281 session identifier (SID), for authenticating the packets of 282 the particular O/TWAMP-Test session. 284 4.3. O/TWAMP Security Root 286 As discussed above, the AES Session-key and HMAC Session-key used by 287 the O/TWAMP-Test protocol are derived from the AES Session-key and 288 HMAC Session-key which are used in O/TWAMP-Control protocol. The AES 289 Session-key and HMAC Session-key used in the O/TWAMP-Control protocol 290 are generated randomly by the client, and encrypted with the shared 291 secret associated with KeyID. Therefore, the security root is the 292 shared secret key. Thus, for large deployments, key provision and 293 management may become overly complicated. Comparatively, a 294 certificate-based approach using IKEv2 can automatically manage the 295 security root and solve this problem, as we explain in Section 5. 297 5. O/TWAMP for IPsec Networks 299 This section presents a method of binding O/TWAMP and IKEv2 for 300 network measurements between a client and a server which both support 301 IPsec. In short, the shared key used for securing O/TWAMP traffic is 302 derived using IKEv2 [RFC7296]. 304 5.1. Shared Key Derivation 306 In the authenticated, encrypted and mixed modes, the shared secret 307 key MUST be derived from the IKEv2 Security Association (SA). Note 308 that we explicitly opt to derive the shared secret key from the IKEv2 309 SA, rather than the child SA, since the use case whereby an IKEv2 SA 310 can be created without generating any child SA is possible [RFC6023]. 312 When the shared secret key is derived from the IKEv2 SA, SK_d must be 313 generated first. SK_d MUST be computed as per [RFC7296]. 315 The shared secret key MUST be generated as follows: 317 Shared secret key = PRF( SK_d, "IPPM" ) 319 Wherein the string "IPPM" comprises four ASCII characters and prf is 320 a pseudorandom function. It is recommended that the shared secret 321 key is derived in the IPsec layer. This way, the IPsec keying 322 material is not exposed to the O/TWAMP client. Note, however, that 323 the interaction between the O/TWAMP and IPsec layers is host-internal 324 and implementation-specific. Therefore, this is clearly outside the 325 scope of this document, which focuses on the interaction between the 326 O/TWAMP client and server. That said, one possible way could be the 327 following: at the client side, the IPSec layer can perform a lookup 328 in the Security Association Database (SAD) using the IP address of 329 the server and thus match the corresponding IKEv2 SA. At the server 330 side, the IPSec layer can look up the corresponding IKEv2 SA by using 331 the SPIs sent by the client, and therefore extract the shared secret 332 key. In case that both client and server do support IKEv2 but there 333 is no current IKEv2 SA, two alternative ways could be considered. 334 First, the O/TWAMP client initiates the establishment of the IKEv2 335 SA, logs this operation, and selects the mode which supports IKEv2. 336 Alternatively, the O/TWAMP client does not initiate the establishment 337 of the IKEv2 SA, logs an error for operational management purposes, 338 and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. 339 Again, although both alternatives are feasible, they are in fact 340 implementation-specific. 342 If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the 343 corresponding shared secret key generated from the SA can continue to 344 be used until the O/TWAMP session terminates. 346 5.2. Server Greeting Message Update 348 To achieve a binding association between the key generated from IKEv2 349 and the O/TWAMP shared secret key, Server Greeting Message should be 350 updated as in Figure 2. 352 0 1 2 3 353 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 354 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 355 | | 356 | Unused (12 octets) | 357 | | 358 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 359 | Modes | 360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 361 | | 362 | Challenge (16 octets) | 363 | | 364 | | 365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 366 | | 367 | Salt (16 octets) | 368 | | 369 | | 370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 371 | Count (4 octets) | 372 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 373 | | 374 | MBZ (12 octets) | 375 | | 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 378 Figure 2: Server Greeting format 380 The Modes field in Figure 2 will need to allow for support of key 381 derivation as discussed in Section 5.1. As such, the Modes value 382 extension MUST be supported by implementations compatible with this 383 document, indicating support for deriving the shared key from the 384 IKEv2 SA. The new Modes value indicating support for this 385 specification is IKEv2Derived and is equal to 128 (i.e. bit set in 386 position 7) [NOTE to IANA: remove before allocation and final 387 publication]. Clearly, an implementation compatible with this 388 specification MUST support the authenticated, encrypted and mixed 389 modes as per [RFC4656][RFC5357][RFC5618]. 391 The choice of this set of Modes values poses no backwards 392 compatibility problems to existing O/TWAMP clients. Robust legacy 393 client implementations would disregard the fact that the IKEv2Derived 394 Modes bit in the Server Greeting is set. On the other hand, a client 395 compatible with this specification can easily identify that the O/ 396 TWAMP server contacted does not support this specification. If the 397 server supports other Modes, as one could assume, the client would 398 then decide which Mode to use and indicate such accordingly as per 399 [RFC4656][RFC5357]. A client compatible with this specification 400 which decides not to employ IKEv2 derivation, can simply behave as a 401 purely [RFC4656]/[RFC5357] compatible client. 403 5.3. Set-Up-Response Update 405 The Set-Up-Response Message should be updated as in Figure 3. When a 406 O/TWAMP client compatible with this specification receives a Server 407 Greeting indicating support for Mode IKEv2Derived it SHOULD reply to 408 the O/TWAMP server with a Set-Up response that indicates so. For 409 example, a compatible O/TWAMP client choosing the authenticated mode 410 with IKEv2 shared secret key derivation should set Mode to 130, i.e. 411 set the bits in positions 1 and 7 (TBD IANA) to one. 413 0 1 2 3 414 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 415 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 416 | Mode | 417 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 418 | | 419 | Key ID (80 octets) | 420 | | 421 | | 422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 423 | | 424 | Token (16 octets) | 425 | | 426 | | 427 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 428 | | 429 | Client-IV (12 octets) | 430 | | 431 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 433 Figure 3: Set-Up-Response Message 435 The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can 436 uniquely identify the Security Association (SA). If the client 437 supports the derivation of shared secret key from IKEv2 SA, it will 438 choose the corresponding mode value and carry SPIi and SPIr in the 439 Key ID field. SPIi and SPIr MUST be included in the Key ID field of 440 Set-Up-Response Message to indicate the IKEv2 SA from which the O/ 441 TWAMP shared secret key derived from. The length of SPI is 4 octets. 442 Therefore, the first 4 octets of Key ID field MUST carry SPIi and the 443 second 4 octets MUST carry SPIr. The remaining bits of the Key ID 444 field MUST set to zero. 446 A O/TWAMP server which supports the specification of this document, 447 MUST obtain the SPIi and SPIr from the first 8 octets and ignore the 448 remaining octets of the Key ID field. Then, the client and the 449 server can derive the shared secret key based on the mode value and 450 SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to 451 the SPIi and SPIr received, it MUST log the event for operational 452 management purposes. In addition, the O/TWAMP server SHOULD set the 453 Accept field of the Server-Start message to the value 6 to indicate 454 that server is not willing to conduct further transactions in this O/ 455 TWAMP-Control session since it can not find the corresponding IKEv2 456 SA. 458 5.4. O/TWAMP over an IPsec tunnel 460 IPsec AH [RFC4302] and ESP [RFC4303] provide confidentiality and 461 data integrity to IP datagrams. Thus an IPsec tunnel can be used to 462 provide the protection needed for O/TWAMP Control and Test packets, 463 even if the peers choose the unauthenticated mode of operation. If 464 the two endpoints are already connected through an IPSec tunnel it is 465 RECOMMENDED that the O/TWAMP measurement packets are forwarded over 466 the IPSec tunnel if the peers choose the unauthenticated mode in 467 order to ensure authenticity and security. 469 6. Security Considerations 471 As the shared secret key is derived from the IKEv2 SA, the key 472 derivation algorithm strength and limitations are as per [RFC7296]. 473 The strength of a key derived from a Diffie-Hellman exchange using 474 any of the groups defined here depends on the inherent strength of 475 the group, the size of the exponent used, and the entropy provided by 476 the random number generator employed. The strength of all keys and 477 implementation vulnerabilities, particularly Denial of Service (DoS) 478 attacks are as defined in [RFC7296]. 480 As a more general note, the IPPM community may want to revisit the 481 arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet 482 security mechanisms, such as TLS and DTLS, may also be considered for 483 future use over and above of what is already specified in [RFC4656] 484 [RFC5357]. 486 7. IANA Considerations 488 IANA is requested to allocate the IKEv2Derived Mode bit that is equal 489 to 128 (i.e. bit set in position 7) in the TWAMP-Modes registry. The 490 TWAMP-Modes registry should be augmented as follows: 492 Value Description Semantics Definition 493 -------------------------------------------------------- 494 128 IKEv2 Derived This memo, Section 5.2 495 Mode Capability new bit position 7 497 Figure 4: IKEv2 Modes Capability 499 8. Acknowledgments 501 We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John 502 Mattsson, and Steve Baillargeon for their comments and text 503 suggestions. 505 Al Morton deserves a special mention for his thorough reviews and 506 text contributions to this document as well as the constructive 507 discussions over several IPPM meetings. 509 9. References 511 9.1. Normative References 513 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 514 Requirement Levels", BCP 14, RFC 2119, March 1997. 516 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 517 2005. 519 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 520 4303, December 2005. 522 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 523 Zekauskas, "A One-way Active Measurement Protocol 524 (OWAMP)", RFC 4656, September 2006. 526 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 527 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 528 RFC 5357, October 2008. 530 [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the 531 Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, 532 August 2009. 534 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 535 Kivinen, "Internet Key Exchange Protocol Version 2 536 (IKEv2)", STD 79, RFC 7296, October 2014. 538 9.2. Informative References 540 [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography 541 Specification Version 2.0", RFC 2898, September 2000. 543 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 544 Internet Protocol", RFC 4301, December 2005. 546 [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A 547 Childless Initiation of the Internet Key Exchange Version 548 2 (IKEv2) Security Association (SA)", RFC 6023, October 549 2010. 551 Authors' Addresses 553 Kostas Pentikousis (editor) 554 EICT GmbH 555 EUREF-Campus Haus 13 556 Torgauer Strasse 12-15 557 10829 Berlin 558 Germany 560 Email: k.pentikousis@eict.de 562 Emma Zhang 563 Huawei Technologies 564 Huawei Building, No.3, Rd. XinXi 565 Haidian District , Beijing 100095 566 P. R. China 568 Email: emma.zhanglijia@huawei.com 570 Yang Cui 571 Huawei Technologies 572 Otemachi First Square 1-5-1 Otemachi 573 Chiyoda-ku, Tokyo 100-0004 574 Japan 576 Email: cuiyang@huawei.com