idnits 2.17.1 draft-ietf-ippm-ipsec-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 11, 2015) is 3361 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2898 (Obsoleted by RFC 8018) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPPM WG K. Pentikousis, Ed. 3 Internet-Draft EICT 4 Intended status: Standards Track E. Zhang 5 Expires: August 15, 2015 Y. Cui 6 Huawei Technologies 7 February 11, 2015 9 IKEv2-based Shared Secret Key for O/TWAMP 10 draft-ietf-ippm-ipsec-09 12 Abstract 14 The One-way Active Measurement Protocol (OWAMP) and Two-Way Active 15 Measurement Protocol (TWAMP) security mechanism require that both the 16 client and server endpoints possess a shared secret. Since the 17 currently-standardized O/TWAMP security mechanism only supports a 18 pre-shared key mode, large scale deployment of O/TWAMP is hindered 19 significantly. At the same time, recent trends point to wider 20 Internet Key Exchange Protocol Version 2 (IKEv2) deployment which, in 21 turn, calls for mechanisms and methods that enable tunnel end-users, 22 as well as operators, to measure one-way and two- way network 23 performance in a standardized manner. This document describes the 24 use of keys derived from an IKEv2 security association (SA) as the 25 shared key in O/TWAMP. If the shared key can be derived from the 26 IKEv2 SA, O/TWAMP can support certificate-based key exchange, which 27 would allow for more operational flexibility and efficiency. The key 28 derivation presented in this document can also facilitate automatic 29 key management. 31 Status of This Memo 33 This Internet-Draft is submitted in full conformance with the 34 provisions of BCP 78 and BCP 79. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF). Note that other groups may also distribute 38 working documents as Internet-Drafts. The list of current Internet- 39 Drafts is at http://datatracker.ietf.org/drafts/current/. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 This Internet-Draft will expire on August 15, 2015. 48 Copyright Notice 50 Copyright (c) 2015 IETF Trust and the persons identified as the 51 document authors. All rights reserved. 53 This document is subject to BCP 78 and the IETF Trust's Legal 54 Provisions Relating to IETF Documents 55 (http://trustee.ietf.org/license-info) in effect on the date of 56 publication of this document. Please review these documents 57 carefully, as they describe your rights and restrictions with respect 58 to this document. Code Components extracted from this document must 59 include Simplified BSD License text as described in Section 4.e of 60 the Trust Legal Provisions and are provided without warranty as 61 described in the Simplified BSD License. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 66 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 67 3. Scope and Applicability . . . . . . . . . . . . . . . . . . . 4 68 4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 4 69 4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 70 4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 71 4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 72 5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7 73 5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7 74 5.2. Server Greeting Message Update . . . . . . . . . . . . . 8 75 5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 10 76 5.4. O/TWAMP over an IPsec tunnel . . . . . . . . . . . . . . 11 77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 78 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 79 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 80 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 81 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 82 9.2. Informative References . . . . . . . . . . . . . . . . . 12 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 85 1. Introduction 87 The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the 88 Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to 89 measure network performance parameters such as latency, bandwidth, 90 and packet loss by sending probe packets and monitoring their 91 experience in the network. In order to guarantee the accuracy of 92 network measurement results, security aspects must be considered. 93 Otherwise, attacks may occur and the authenticity of the measurement 94 results may be violated. For example, if no protection is provided, 95 an adversary in the middle may modify packet timestamps, thus 96 altering the measurement results. 98 The currently-standardized O/TWAMP security mechanism [RFC4656] 99 [RFC5357] requires that endpoints (i.e. both the client and the 100 server) possess a shared secret. In today's network deployments, 101 however, the use of pre-shared keys is far from optimal. For 102 example, in wireless infrastructure networks, certain network 103 elements, which can be seen as the two endpoints from an O/TWAMP 104 perspective, support certificate-based security. For instance, 105 consider the case in which one wants to measure IP performance 106 between a E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW). 107 Both eNB and SeGW are 3GPP Long Term Evolution (LTE) nodes and 108 support certificate mode and the Internet Key Exchange Protocol 109 Version 2 (IKEv2). Since the currently standardized O/TWAMP security 110 mechanism only supports pre-shared key mode, large scale deployment 111 of O/TWAMP is hindered significantly. Furthermore, deployment and 112 management of "shared secrets" for massive equipment installation 113 consumes a tremendous amount of effort and is prone to human error. 115 With IKEv2 widely used, employing keys derived from IKEv2 security 116 association (SA) as shared key can be considered as a viable 117 alternative. In mobile telecommunication networks, the deployment 118 rate of IPsec exceeds 95% with respect to the LTE serving network. 119 In older-technology cellular networks, such as UMTS and GSM, IPsec 120 use penetration is lower, but still quite significant. If the shared 121 key can be derived from the IKEv2 SA, O/TWAMP can support cert-based 122 key exchange and practically increase operational flexibility and 123 efficiency. The use of IKEv2 also makes it easier to extend 124 automatic key management. In general, O/TWAMP measurement packets 125 can be transmitted inside the IPsec tunnel, as it occurs with typical 126 user traffic, or transmitted outside the IPsec tunnel. This may 127 depend on the operator's policy and is orthogonal to the mechanism 128 described in this document. 130 When IPsec is deployed, protecting O/TWAMP traffic in unauthenticated 131 mode using IPsec is one option. Another option is to protect O/TWAMP 132 traffic using O/TWAMP layer security established using the PSK 133 derived from IKEv2 but bypassing the IPsec tunnel. Protecting 134 unauthenticated O/TWAMP control and/or test traffic via 135 Authentication Header (AH) [RFC4302] or Encapsulating Security 136 Payload (ESP) [RFC4303] cannot provide various security options, 137 e.g. it cannot authenticate part of a O/TWAMP packet as mentioned in 138 [RFC4656]. For measuring latency, timestamp is carried in O/TWAMP 139 traffic. The sender has to fetch the timestamp, encrypt it, and send 140 it. In this case, the middle step can be skipped, potentially 141 improving accuracy as the sequence number can be encrypted and 142 authenticated before the timestamp is fetched. It is the same case 143 for the receiver since it can obtain the timestamp by skipping the 144 decryption step. In such cases, protecting O/TWAMP traffic using O/ 145 TWAMP layer security but bypassing IPsec tunnel has its advantages. 147 This document specifies a method for enabling network measurements 148 between a TWAMP client and a TWAMP server, as discussed in Section 3. 149 In short, the shared key used for securing TWAMP traffic is derived 150 using IKEv2 [RFC7296]. From an operations and management perspective 151 [RFC5706], the mechanism described in this document requires that 152 both the TWAMP client and server support IPsec. This method SHOULD 153 be used when O/TWAMP traffic is bypassing IPsec protection and is 154 running over an external network exactly between two IKEv2 systems. 156 After clarifying the terminology and scope in the subsequent 157 sections, the remainder of this document is organized as follows. 158 Section 4 summarizes O/TWAMP protocol operation with respect to 159 security. Section 5 presents the method for binding TWAMP and IKEv2 160 for network measurements between the client and the server which both 161 support IKEv2. Finally, Section 6 discusses the security 162 considerations arising from the proposed mechanisms. 164 2. Terminology 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 168 document are to be interpreted as described in [RFC2119]. 170 3. Scope and Applicability 172 This document reserves from the TWAMP-Modes registry the Mode value 173 IKEv2Derived which is equal to 128 (i.e. bit set in position 7) and 174 MUST be used by TWAMP implementations compatible with this 175 specification. 177 Although the control procedures described in this document are 178 applicable to OWAMP per se, the lack of an established IANA registry 179 for OWAMP Mode values technically prevents us from extending OWAMP 180 Mode values. Therefore, independent OWAMP implementations SHOULD be 181 checked for full compatibility with respect to the use of this Mode 182 value. Until an IANA registry for OWAMP Mode values is established, 183 the use this feature in OWAMP implementations MUST be arranged 184 privately among consenting OWAMP users. 186 4. O/TWAMP Security 188 Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in 189 the following subsections. 191 4.1. O/TWAMP-Control Security 193 O/TWAMP uses a simple cryptographic protocol which relies on 195 o AES in Cipher Block Chaining (AES-CBC) for confidentiality 197 o HMAC-SHA1 truncated to 128 bits for message authentication 199 Three modes of operation are supported in the OWAMP-Control protocol: 200 unauthenticated, authenticated, and encrypted. In addition to these 201 modes, the TWAMP-Control protocol also supports a mixed mode, i.e. 202 the TWAMP-Control protocol operates in encrypted mode while TWAMP- 203 Test protocol operates in unauthenticated mode. The authenticated, 204 encrypted and mixed modes require that endpoints possess a shared 205 secret, typically a passphrase. The secret key is derived from the 206 passphrase using a password-based key derivation function PBKDF2 207 (PKCS#5) [RFC2898]. 209 In the unauthenticated mode, the security parameters are left unused. 210 In the authenticated, encrypted and mixed modes, the security 211 parameters are negotiated during the control connection 212 establishment. 214 Figure 1 illustrates the initiation stage of the O/TWAMP-Control 215 protocol between a client and the server. In short, the client opens 216 a TCP connection to the server in order to be able to send O/TWAMP- 217 Control commands. The server responds with a Server Greeting, which 218 contains the Modes, Challenge, Salt, Count, and MBZ fields (see 219 Section 3.1 of [RFC4656]). If the client-preferred mode is 220 available, the client responds with a Set-Up- Response message, 221 wherein the selected Mode, as well as the KeyID, Token and Client 222 initialization vector (IV) are included. The Token is the 223 concatenation of a 16-octet Challenge, a 16-octet AES Session-key 224 used for encryption, and a 32-octet HMAC-SHA1 Session-key used for 225 authentication. The Token is encrypted using AES-CBC. 227 +--------+ +--------+ 228 | Client | | Server | 229 +--------+ +--------+ 230 | | 231 |<---- TCP Connection ----->| 232 | | 233 |<---- Greeting message ----| 234 | | 235 |----- Set-Up-Response ---->| 236 | | 237 |<---- Server-Start --------| 238 | | 240 Figure 1: Initiation of O/TWAMP-Control 242 Encryption uses a key derived from the shared secret associated with 243 KeyID. In the authenticated, encrypted and mixed modes, all further 244 communication is encrypted using the AES Session-key and 245 authenticated with the HMAC Session-key. After receiving Set-Up- 246 Response the server responds with a Server-Start message containing 247 Server-IV. The client encrypts everything it transmits through the 248 just-established O/TWAMP-Control connection using stream encryption 249 with Client- IV as the IV. Correspondingly, the server encrypts its 250 side of the connection using Server-IV as the IV. The IVs themselves 251 are transmitted in cleartext. Encryption starts with the block 252 immediately following that containing the IV. 254 The AES Session-key and HMAC Session-key are generated randomly by 255 the client. The HMAC Session-key is communicated along with the AES 256 Session-key during O/TWAMP-Control connection setup. The HMAC 257 Session-key is derived independently of the AES Session-key. 259 4.2. O/TWAMP-Test Security 261 The O/TWAMP-Test protocol runs over UDP, using the client and server 262 IP and port numbers that were negotiated during the Request-Session 263 exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and 264 all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control 265 session mode except when operating in mixed mode. 267 The O/TWAMP-Test packet format is the same in authenticated and 268 encrypted modes. The encryption and authentication operations are, 269 however, different. Similarly with the respective O/TWAMP-Control 270 session, each O/TWAMP-Test session has two keys: an AES Session-key 271 and an HMAC Session-key. However, there is a difference in how the 272 keys are obtained: 274 O/TWAMP-Control: the keys are generated by the client and 275 communicated to the server during the control connection 276 establishment with the Set-Up-Response message (as part of 277 the Token). 279 O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and 280 the session identifier (SID), which serve as inputs of the 281 key derivation function (KDF). The O/TWAMP-Test AES Session- 282 key is generated using the O/TWAMP- Control AES Session-key, 283 with the 16-octet session identifier (SID), for encrypting 284 and decrypting the packets of the particular O/TWAMP-Test 285 session. The O/TWAMP-Test HMAC Session-key is generated 286 using the O/TWAMP-Control HMAC Session-key, with the 16-octet 287 session identifier (SID), for authenticating the packets of 288 the particular O/TWAMP-Test session. 290 4.3. O/TWAMP Security Root 292 As discussed above, the AES Session-key and HMAC Session-key used by 293 the O/TWAMP-Test protocol are derived from the AES Session-key and 294 HMAC Session-key which are used in O/TWAMP-Control protocol. The AES 295 Session-key and HMAC Session-key used in the O/TWAMP-Control protocol 296 are generated randomly by the client, and encrypted with the shared 297 secret associated with KeyID. Therefore, the security root is the 298 shared secret key. Thus, for large deployments, key provision and 299 management may become overly complicated. Comparatively, a 300 certificate-based approach using IKEv2 can automatically manage the 301 security root and solve this problem, as we explain in Section 5. 303 5. O/TWAMP for IPsec Networks 305 This section presents a method of binding O/TWAMP and IKEv2 for 306 network measurements between a client and a server which both support 307 IPsec. In short, the shared key used for securing O/TWAMP traffic is 308 derived using IKEv2 [RFC7296]. 310 5.1. Shared Key Derivation 312 In the authenticated, encrypted and mixed modes, the shared secret 313 key MUST be derived from the IKEv2 Security Association (SA). Note 314 that we explicitly opt to derive the shared secret key from the IKEv2 315 SA, rather than the child SA, since the use case whereby an IKEv2 SA 316 can be created without generating any child SA is possible [RFC6023]. 318 When the shared secret key is derived from the IKEv2 SA, SK_d must be 319 generated first. SK_d MUST be computed as per [RFC7296]. 321 The shared secret key MUST be generated as follows: 323 Shared secret key = prf( SK_d, "IPPM" ) 325 Wherein the string "IPPM" comprises four ASCII characters and "prf" 326 is a pseudorandom function. It is recommended that the shared secret 327 key is derived in the IPsec layer. This way, the IPsec keying 328 material is not exposed to the O/TWAMP client. Note, however, that 329 the interaction between the O/TWAMP and IPsec layers is host-internal 330 and implementation-specific. Therefore, this is clearly outside the 331 scope of this document, which focuses on the interaction between the 332 O/TWAMP client and server. That said, one possible way could be the 333 following: at the client side, the IPSec layer can perform a lookup 334 in the Security Association Database (SAD) using the IP address of 335 the server and thus match the corresponding IKEv2 SA. At the server 336 side, the IPSec layer can look up the corresponding IKEv2 SA by using 337 the SPIs sent by the client, and therefore extract the shared secret 338 key. In case that both client and server do support IKEv2 but there 339 is no current IKEv2 SA, two alternative ways could be considered. 340 First, the O/TWAMP client initiates the establishment of the IKEv2 341 SA, logs this operation, and selects the mode which supports IKEv2. 342 Alternatively, the O/TWAMP client does not initiate the establishment 343 of the IKEv2 SA, logs an error for operational management purposes, 344 and proceeds with the modes defined in [RFC4656][RFC5357][RFC5618]. 345 Again, although both alternatives are feasible, they are in fact 346 implementation-specific. 348 If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the 349 corresponding shared secret key generated from the SA can continue to 350 be used until the O/TWAMP session terminates. 352 5.2. Server Greeting Message Update 354 To achieve a binding association between the key generated from IKEv2 355 and the O/TWAMP shared secret key, Server Greeting Message should 356 include these extensions, as in Figure 2. 358 0 1 2 3 359 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 361 | | 362 | Unused (12 octets) | 363 | | 364 |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 365 | Modes | 366 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 367 | | 368 | Challenge (16 octets) | 369 | | 370 | | 371 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 372 | | 373 | Salt (16 octets) | 374 | | 375 | | 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 | Count (4 octets) | 378 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 379 | | 380 | MBZ (12 octets) | 381 | | 382 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 384 Figure 2: Server Greeting format 386 The Modes field in Figure 2 will need to allow for support of key 387 derivation as discussed in Section 5.1. As such, the Modes value 388 extension MUST be supported by implementations compatible with this 389 document, indicating support for deriving the shared key from the 390 IKEv2 SA. The new Modes value indicating support for this 391 specification is IKEv2Derived and is equal to 128 (i.e. bit set in 392 position 7). Clearly, an implementation compatible with this 393 specification MUST support the authenticated, encrypted and mixed 394 modes as per [RFC4656][RFC5357][RFC5618]. 396 The choice of this set of Modes values poses no backwards 397 compatibility problems to existing O/TWAMP clients. Robust legacy 398 client implementations would disregard the fact that the IKEv2Derived 399 Modes bit in the Server Greeting is set. On the other hand, a client 400 compatible with this specification can easily identify that the O/ 401 TWAMP server contacted does not support this specification. If the 402 server supports other Modes, as one could assume, the client would 403 then decide which Mode to use and indicate such accordingly as per 404 [RFC4656][RFC5357]. A client compatible with this specification 405 which decides not to employ IKEv2 derivation, can simply behave as a 406 purely [RFC4656]/[RFC5357] compatible client. 408 5.3. Set-Up-Response Update 410 The Set-Up-Response Message should be updated as in Figure 3. When a 411 O/TWAMP client compatible with this specification receives a Server 412 Greeting indicating support for Mode IKEv2Derived it SHOULD reply to 413 the O/TWAMP server with a Set-Up response that indicates so. For 414 example, a compatible O/TWAMP client choosing the authenticated mode 415 with IKEv2 shared secret key derivation should set Mode to 130, i.e. 416 set the bits in positions 1 and 7 to one. 418 0 1 2 3 419 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 421 | Mode | 422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 423 | | 424 | Key ID (80 octets) | 425 | | 426 | | 427 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 428 | | 429 | Token (16 octets) | 430 | | 431 | | 432 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 433 | | 434 | Client-IV (12 octets) | 435 | | 436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 438 Figure 3: Set-Up-Response Message 440 The Security Parameter Index (SPI)(see [RFC4301] [RFC7296]) can 441 uniquely identify the Security Association (SA). If the client 442 supports the derivation of shared secret key from IKEv2 SA, it will 443 choose the corresponding mode value and carry SPIi and SPIr in the 444 Key ID field. SPIi and SPIr MUST be included in the Key ID field of 445 Set-Up-Response Message to indicate the IKEv2 SA from which the O/ 446 TWAMP shared secret key derived from. The length of SPI is 8 octets. 447 Therefore, the first 8 octets of Key ID field MUST carry SPIi and the 448 second 8 octets MUST carry SPIr. The remaining bits of the Key ID 449 field MUST set to zero. 451 A O/TWAMP server which supports the specification of this document, 452 MUST obtain the SPIi and SPIr from the first 16 octets and ignore the 453 remaining octets of the Key ID field. Then, the client and the 454 server can derive the shared secret key based on the mode value and 455 SPI. If the O/TWAMP server cannot find the IKEv2 SA corresponding to 456 the SPIi and SPIr received, it MUST log the event for operational 457 management purposes. In addition, the O/TWAMP server SHOULD set the 458 Accept field of the Server-Start message to the value 6 to indicate 459 that server is not willing to conduct further transactions in this O/ 460 TWAMP-Control session since it can not find the corresponding IKEv2 461 SA. 463 5.4. O/TWAMP over an IPsec tunnel 465 IPsec Authentication Header (AH) [RFC4302] and Encapsulating Security 466 Payload (ESP) [RFC4303] provide confidentiality and data integrity to 467 IP datagrams. An IPsec tunnel can be used to provide the protection 468 needed for O/TWAMP Control and Test packets, even if the peers choose 469 the unauthenticated mode of operation. In order to ensure 470 authenticity and security, the IPsec tunnel SHOULD be configured to 471 include O/TWAMP measurement packets even when using the 472 unauthenticated mode. 474 6. Security Considerations 476 As the shared secret key is derived from the IKEv2 SA, the key 477 derivation algorithm strength and limitations are as per [RFC7296]. 478 The strength of a key derived from a Diffie-Hellman exchange using 479 any of the groups defined here depends on the inherent strength of 480 the group, the size of the exponent used, and the entropy provided by 481 the random number generator employed. The strength of all keys and 482 implementation vulnerabilities, particularly Denial of Service (DoS) 483 attacks are as defined in [RFC7296]. 485 7. IANA Considerations 487 IANA is requested to allocate the IKEv2Derived Mode bit that is equal 488 to 128 (i.e. bit set in position 7) in the TWAMP-Modes registry. The 489 TWAMP-Modes registry should be augmented as follows: 491 Value Description Semantics Definition 492 -------------------------------------------------------- 493 128 IKEv2 Derived This memo, Section 5.2 494 Mode Capability new bit position 7 496 Figure 4: IKEv2 Modes Capability 498 8. Acknowledgments 500 We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John 501 Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred 502 Baker, Meral Shirazipour, and Hannes Tschofenig for their reviews, 503 comments and text suggestions. 505 Al Morton deserves a special mention for his thorough reviews and 506 text contributions to this document as well as the constructive 507 discussions over several IPPM meetings. 509 9. References 511 9.1. Normative References 513 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 514 Requirement Levels", BCP 14, RFC 2119, March 1997. 516 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 517 2005. 519 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 520 4303, December 2005. 522 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 523 Zekauskas, "A One-way Active Measurement Protocol 524 (OWAMP)", RFC 4656, September 2006. 526 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 527 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 528 RFC 5357, October 2008. 530 [RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the 531 Two-Way Active Measurement Protocol (TWAMP)", RFC 5618, 532 August 2009. 534 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 535 Kivinen, "Internet Key Exchange Protocol Version 2 536 (IKEv2)", STD 79, RFC 7296, October 2014. 538 9.2. Informative References 540 [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography 541 Specification Version 2.0", RFC 2898, September 2000. 543 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 544 Internet Protocol", RFC 4301, December 2005. 546 [RFC5706] Harrington, D., "Guidelines for Considering Operations and 547 Management of New Protocols and Protocol Extensions", RFC 548 5706, November 2009. 550 [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A 551 Childless Initiation of the Internet Key Exchange Version 552 2 (IKEv2) Security Association (SA)", RFC 6023, October 553 2010. 555 Authors' Addresses 557 Kostas Pentikousis (editor) 558 EICT GmbH 559 EUREF-Campus Haus 13 560 Torgauer Strasse 12-15 561 10829 Berlin 562 Germany 564 Email: k.pentikousis@eict.de 566 Emma Zhang 567 Huawei Technologies 568 Huawei Building, No.3, Rd. XinXi 569 Haidian District , Beijing 100095 570 P. R. China 572 Email: emma.zhanglijia@huawei.com 574 Yang Cui 575 Huawei Technologies 576 Otemachi First Square 1-5-1 Otemachi 577 Chiyoda-ku, Tokyo 100-0004 578 Japan 580 Email: cuiyang@huawei.com