Routing Working Group                                        U. Chunduri
Internet-Draft                                                   A. Tian
Intended status: Informational                                     W. Lu
Expires: September 10, 2015                                Ericsson Inc.
                                                           March 9, 2015

KARP IS-IS security analysis
draft-ietf-karp-isis-analysis-04

Abstract

This document analyzes the threats applicable to the Intermediate System
to Intermediate System (IS-IS) routing protocol and the security gaps
according to the KARP Design Guide. It also provides specific
requirements to address those gaps with both manual and automated key
management protocols.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions
of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is at
http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and
may be updated, replaced, or obsoleted by other documents at any time. It
is inappropriate to use Internet-Drafts as reference material or to cite
them other than as "work in progress."

This Internet-Draft will expire on September 10, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document
authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info) in
effect on the date of publication of this document. Please review these
documents carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this document
must include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as described
in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Requirements Language
   1.2. Acronyms
2. Current State
   2.1. Key Usage
      2.1.1. Subnetwork Independent
      2.1.2. Subnetwork Dependent
   2.2. Key Agility
   2.3. Security Issues
      2.3.1. Replay Attacks
         2.3.1.1. Current Recovery Mechanism for LSPs
      2.3.2. Spoofing Attacks
      2.3.3. DoS Attacks
3. Gap Analysis and Security Requirements
   3.1. Manual Key Management
   3.2. Key Management Protocols
4. IANA Considerations
5. Security Considerations
6. Acknowledgements
7. References
   7.1. Normative References
   7.2. Informative References
Authors' Addresses

1. Introduction

This document analyzes the current state of the Intermediate System to
Intermediate System (IS-IS) protocol against the requirements set forth
in [RFC6518], for both manual and automated key management protocols.

With the currently published work, IS-IS meets some of the requirements
expected from a manually keyed routing protocol. Integrity protection
has been extended to more cryptographic algorithms, and limited
algorithm agility (the HMAC-SHA family) is provided by [RFC5310].
A basic form of intra-connection re-keying capability is provided by
[RFC5310], with some gaps as explained in Section 3.

This draft summarizes the current state of cryptographic key usage in
the IS-IS protocol and several previous efforts to analyze IS-IS
security. This includes the base IS-IS specification [RFC1195],
[RFC5304], [RFC5310], and the OPSEC working group document [RFC6039].

The authors would like to acknowledge all the previous work done in the
above documents.

This document also analyzes the applicability to IS-IS of the various
threats described in [RFC6862], lists gaps, and provides specific
recommendations to thwart the applicable threats, for both manual keying
and automated key management mechanisms.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

1.2. Acronyms

DoS - Denial of Service.
IGP - Interior Gateway Protocol.
IIH - IS-IS Hello PDU.
IPv4 - Internet Protocol version 4.
KMP - Key Management Protocol (automated key management).
LSP - IS-IS Link State PDU.
MKM - Manual Key Management.
NONCE - Number used once.
SA - Security Association.
SNP - Sequence Number PDU.

2. Current State

IS-IS is specified in International Organization for Standardization
(ISO) 10589, with extensions to support Internet Protocol version 4
(IPv4) described in [RFC1195]. The specification includes an
authentication mechanism that allows for any authentication algorithm
and also specifies the algorithm for clear-text passwords. [RFC5304]
extends the authentication mechanism to work with HMAC-MD5 and also
modifies the base protocol for more effectiveness. [RFC5310] provides
algorithm agility with a new generic cryptographic authentication
mechanism (CRYPTO_AUTH) for IS-IS. CRYPTO_AUTH also introduces a Key ID
mechanism that maps to unique IS-IS Security Associations (SAs).

The following sections describe the current authentication key usage for
the various IS-IS messages, the current key change methodologies, and
the various potential security threats.

2.1. Key Usage

IS-IS can be provisioned with a per-interface, peer-to-peer key for IS-IS
Hello PDUs (IIHs) and a group key for Link State PDUs (LSPs) and Sequence
Number PDUs (SNPs). If so provisioned, IIH packets can also use the same
group key used for LSPs and SNPs.

2.1.1. Subnetwork Independent

Link State PDUs and Complete and Partial Sequence Number PDUs are
subnetwork independent messages. Level-1 SNPs and Level-1 LSPs are
protected with the provisioned area authentication key; Level-2 SNPs and
Level-2 LSPs use the provisioned domain authentication key.

Since authentication is performed on the LSPs transmitted by an IS,
rather than on the LSP packets transmitted to a specific neighbor, all
the ISes within a single flooding domain must be configured with the
same key in order for authentication to work correctly. This is also
true for SNP packets, though they are limited to link-local scope in
broadcast networks.

If multiple instances share the circuits as specified in [RFC6822],
instance-specific authentication credentials can be used to protect the
LSPs and SNPs within an area or domain. It is important to note that
[RFC6822] also allows the use of topology-specific authentication
credentials within an instance for the LSPs and SNPs.

2.1.2. Subnetwork Dependent

IS-IS Hello PDUs use the link-level authentication key, which may be
different from that of LSPs and SNPs. This is particularly likely for
point-to-point links. In broadcast networks it is possible to provision
the same common key used for LSPs and SNPs to protect IIH messages; this
allows neighbor discovery and adjacency formation with more than one
neighbor on the same physical interface. If multiple instances share
the circuits as specified in [RFC6822], instance-specific authentication
credentials can be used to protect Hello messages.

2.2. Key Agility

Key roll-over without affecting routing protocol operation in general,
and IS-IS operation in particular, is necessary for effective key
management protocol integration.

The HMAC-MD5 cryptographic authentication defined in [RFC5304] suggests
a transition mode in which ISes use a set of keys when verifying the
authentication value, so that keys can be changed. This approach allows
the authentication key to be changed manually without bringing down the
adjacency and without dropping any control packet. However, it can
increase the load on the control plane for the duration of the key
transition, as each control packet may have to be verified with more
than one key, and it also allows a potential Denial of Service (DoS)
attack to be mounted during the transition period.

This situation is improved by the Key ID mechanism defined in [RFC5310].
With it, the receiver determines the active security association (SA)
by looking at the Key ID field in the incoming PDU and need not try
other keys when the integrity check or digest verification fails.
However, neither key coordination across the group nor the exact key
change mechanism is clearly defined. [RFC5310] says: "Normally, an
implementation would allow the network operator to configure a set of
keys in a key chain, with each key in the chain having a fixed lifetime.
The actual operation of these mechanisms is outside the scope of this
document."

2.3. Security Issues

The following sections analyze the various security threats possible in
the current state of the IS-IS protocol.

2.3.1. Replay Attacks

Replaying a captured protocol packet to cause damage is a common threat
for any protocol. Securing the packet with cryptographic authentication
information alone cannot mitigate this threat completely. Though this
problem is more prevalent in broadcast networks, it is important to note
that most IGP deployments use P2P-over-LAN [RFC5309], which makes replay
by an adversary easier than on traditional P2P networks.

In an intra-session replay attack, a secured protocol packet of the
current session is replayed; this can cause damage if there is no other
mechanism to detect that the packet is a replay. In an inter-session
replay attack, a captured packet from one of the previous sessions is
replayed to cause damage. IS-IS packets are vulnerable to both of these
attacks, as there is no sequence number verification for IIH packets and
SNP packets. Also, with current manual key management, periodic key
changes across the group are done rarely. Thus the intra-connection and
inter-connection replay requirements are not met.

IS-IS specifies the use of HMAC-MD5 [RFC5304] and the HMAC-SHA family
[RFC5310] to protect IS-IS packets. An adversary could replay old IIHs
or old SNPs, which would cause churn in the network or bring down
adjacencies.

1. At the time of adjacency bring-up, an IS sends an IIH packet with an
   empty neighbor list (TLV 6) and with the authentication information
   of the provisioned authentication mechanism. If this packet is
   replayed later on the broadcast network, all ISes in the broadcast
   network can bounce the adjacency, creating a huge churn in the
   network.

2. Today LSPs have intra-session replay protection, as the LSP header
   contains a 32-bit sequence number which is verified for every
   received packet against the local LSP database. But if a node in
   the network is out of service (undergoing some sort of high
   availability condition, or an upgrade) for more than the LSP refresh
   time and the rest of the network ages out the LSPs of that node, an
   adversary can potentially mount inter-session replay attacks in the
   network. If the key is not changed in the above circumstances, an
   attack can be launched by replaying an old LSP with a higher sequence
   number and fewer prefixes or fewer adjacencies. This may force the
   receiver to accept it and remove the routes from the routing table,
   which eventually causes traffic disruption for those prefixes.
   However, as per the IS-IS specification there is a built-in recovery
   mechanism for LSPs from inter-session replay attacks; it is further
   discussed in Section 2.3.1.1.

3. In any IS-IS network (broadcast or otherwise), if an old and empty
   Complete Sequence Number PDU (CSNP) is replayed, this can cause an
   LSP flood in the network. Similarly, a replayed Partial Sequence
   Number PDU (PSNP) can cause an LSP flood in a broadcast network.

2.3.1.1. Current Recovery Mechanism for LSPs

In the event of an inter-session replay attack by an adversary, as the
LSP with the higher sequence number gets accepted, it also gets
propagated until it reaches the originating node of the LSP. The
originator recognizes that the LSP is "newer" than the one in its local
database, and this prompts the originator to flood a newer version of
the LSP with a sequence number higher than the received one. This newer
version can potentially replace any versions of the replayed LSP that
may exist in the network.
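The sequence-number rule, the inter-session replay of item 2 above and the originator recovery just described, played out in a small Python model, together with the IIH replay of item 1 both without and with the per-packet sequence number that Section 3.1 asks for. This is an added example and not part of the draft: the LSP and adjacency objects, the system IDs, prefixes and SNPA, and the assumption that a restarted IS resumes its sequence number from zero are all constructed for illustration, and no PDU encoding is done.

```python
"""Replay behaviour of IS-IS LSPs and IIHs, modelled in Python. Constructed
example: LSPs and IIHs are small objects, the link-state database is a dict,
and no real PDU encoding is involved."""
from dataclasses import dataclass

@dataclass(frozen=True)
class LSP:
    lsp_id: str           # originating IS (system ID, simplified)
    seqno: int            # 32-bit sequence number from the LSP header
    prefixes: frozenset   # what this version of the LSP advertises

class IS:
    """One intermediate system with its link-state database."""

    def __init__(self, system_id, own_prefixes):
        self.system_id = system_id
        self.own_prefixes = frozenset(own_prefixes)
        self.db = {}          # lsp_id -> LSP currently installed
        self.own_seqno = 0

    def originate(self):
        """Issue the next version of our own LSP (refresh or content change)."""
        self.own_seqno += 1
        lsp = LSP(self.system_id, self.own_seqno, self.own_prefixes)
        self.db[self.system_id] = lsp
        return lsp

    def restart(self):
        """Outage longer than the refresh interval; the IS comes back with its
        sequence number counter reset (an assumption of this model)."""
        self.db.clear()
        self.own_seqno = 0

    def age_out(self, lsp_id):
        """The rest of the network purges an LSP that was not refreshed in time."""
        self.db.pop(lsp_id, None)

    def receive(self, lsp):
        """ISO 10589 rule: install an LSP only if its sequence number is higher
        than the installed copy. Returns (verdict, LSP to flood onward)."""
        current = self.db.get(lsp.lsp_id)
        if current is not None and lsp.seqno <= current.seqno:
            return "rejected-not-newer", None     # intra-session replay stops here
        if lsp.lsp_id == self.system_id:
            # Recovery (Section 2.3.1.1): a copy of our own LSP that looks newer
            # than ours must be stale or replayed; reissue with a higher seqno.
            self.own_seqno = lsp.seqno + 1
            fresh = LSP(self.system_id, self.own_seqno, self.own_prefixes)
            self.db[self.system_id] = fresh
            return "reissued", fresh
        self.db[lsp.lsp_id] = lsp
        return "accepted", lsp

    def routes_from(self, lsp_id):
        return sorted(self.db[lsp_id].prefixes) if lsp_id in self.db else []

def lsp_replay_scenario():
    """Item 2 of Section 2.3.1 followed by the recovery of Section 2.3.1.1."""
    a, b = IS("A", ["10.0.0.0/24"]), IS("B", [])
    log = []
    for _ in range(5):                          # A refreshes its LSP a few times;
        captured = a.originate()                # the last copy (seqno 5) is captured
        b.receive(captured)
    log.append(("intra-session replay", b.receive(LSP("A", 3, captured.prefixes))[0]))
    a.restart()                                 # long outage, so that...
    b.age_out("A")                              # ...B ages A's LSP out
    a.own_prefixes = frozenset(["10.0.0.0/24", "10.0.1.0/24"])
    log.append(("after restart", b.receive(a.originate())[0]))   # seqno 1 again
    verdict, flooded = b.receive(captured)      # inter-session replay: 5 > 1
    log.append(("inter-session replay", verdict, b.routes_from("A")))
    verdict, fresh = a.receive(flooded)         # B floods it back to the originator
    log.append(("originator", verdict, fresh.seqno))
    log.append(("after recovery", b.receive(fresh)[0], b.routes_from("A")))
    return log

class LANAdjacency:
    """Receiver side of a broadcast adjacency. Without a sequence number a
    replayed IIH is indistinguishable from a fresh one (Section 2.3.1 item 1);
    with the per-packet sequence number Section 3.1 asks for, stale IIHs drop."""

    def __init__(self, our_snpa, check_seqno=False):
        self.our_snpa = our_snpa
        self.check_seqno = check_seqno
        self.last_seqno = 0
        self.state = "down"

    def receive_iih(self, neighbors, seqno):
        if self.check_seqno and seqno <= self.last_seqno:
            return "dropped-replay"
        self.last_seqno = max(self.last_seqno, seqno)
        # LAN three-way handshake: Up only while the neighbour's TLV 6 lists us.
        self.state = "up" if self.our_snpa in neighbors else "initializing"
        return self.state

def iih_replay_scenario(check_seqno):
    """Returns the verdict of each IIH and the final adjacency state."""
    adj = LANAdjacency("00:11:22:33:44:55", check_seqno)
    log = [adj.receive_iih([], seqno=1)]                         # first IIH, TLV 6 empty
    log.append(adj.receive_iih(["00:11:22:33:44:55"], seqno=2))  # adjacency comes Up
    log.append(adj.receive_iih([], seqno=1))                     # replay of the first IIH
    return log, adj.state
```

Running `lsp_replay_scenario()` shows B's route to 10.0.1.0/24 disappearing while the replayed seqno-5 LSP is installed and returning only once A has reissued seqno 6; that interval is the window of damage the following paragraph refers to. `iih_replay_scenario(False)` shows the adjacency bouncing to Initializing on the replayed empty IIH, while `iih_replay_scenario(True)` keeps it Up.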
But in the above process, the damage caused by the replayed LSP depends
on where in the network the replay is initiated, how quickly the nodes
in the network react to the replayed LSP, and how different the content
of the accepted LSP is.

2.3.2. Spoofing Attacks

IS-IS shares the same key between all neighbors in an area or in a
domain to protect the LSP and SNP packets, and in broadcast networks even
the IIH packets. False advertisement by a router is not within the scope
of the KARP work. However, given the wide sharing of keys as described
above, there is a significant risk that an attacker can compromise a key
from one device and use it to falsely participate in the routing,
possibly even in a very separate part of the network.

If the same underlying topology is shared across multiple instances to
transport routing/application information as defined in [RFC6822], it
is necessary to use different authentication credentials for different
instances. In this connection, based on deployment considerations, if
certain topologies in a particular IS-IS instance require more
protection from spoofing attacks and less exposure, topology-specific
authentication credentials can be used for LSPs and SNPs as facilitated
by [RFC6822].

Currently, possession of the key itself is used as the authentication
check, and there is no separate identity check. Spoofing occurs when an
illegitimate device assumes the identity of a legitimate one. An
attacker can use spoofing as a means for launching various types of
attacks. For example:

1. The attacker can send out unrealistic routing information that might
   cause the disruption of network services, such as black holes.

2. A rogue system having access to the common key used to protect the
   LSP can send an LSP with the Remaining Lifetime field set to zero and
   flood it, thereby initiating a purge. Subsequently, this can also
   cause the sequence numbers of all the LSPs to increase quickly and
   max out the sequence number space, which can cause an IS to shut down
   for a MaxAge + ZeroAgeLifetime period to allow the old LSPs to age
   out in the other ISes of the same flooding domain.

2.3.3. DoS Attacks

Denial-of-service (DoS) attacks using the authentication mechanism are
possible: an attacker can send packets which overwhelm the security
mechanism itself. An example is initiating an overwhelming load of
spoofed but integrity-protected protocol packets, so that the receiver
needs to perform the integrity check only to discard the packet. This
can cause significant CPU usage. DoS attacks are not generally
preventable within the routing protocol. As attackers are often remote,
DoS attacks are more damaging to receivers of area-scoped or
domain-scoped packets than to receivers of link-local scoped packets.

3. Gap Analysis and Security Requirements

This section outlines the differences between the current state of the
IS-IS routing protocol and the desired state as specified in the KARP
Design Guidelines [RFC6518]. The section focuses on where the IS-IS
protocol fails to meet the general requirements specified in the threats
and requirements document [RFC6862].

This section also describes security requirements that should be met by
IS-IS implementations that are secured by manual as well as automated
key management protocols.

3.1. Manual Key Management

1. With the CRYPTO_AUTH specification [RFC5310], IS-IS packets can be
   protected with the HMAC-SHA family of cryptographic algorithms. The
   specification provides limited algorithm agility (the SHA family). By
   using Key IDs, it also conceals the algorithm information from the
   protected control messages.

2. Even though both intra- and inter-session replay attacks are best
   prevented by deploying key management protocols with frequent key
   change capability, basic constructs for sequence numbers should be
   present in the protocol messages. So, some basic or extended sequence
   number mechanism should be in place to protect IIH packets and SNP
   packets. The sequence number should be increased for each protocol
   packet. This allows mitigation of some of the replay threats
   mentioned in Section 2.3.1.

3. Any common key mechanism with keys shared across a group of routers
   is susceptible to spoofing attacks by a malicious router. A separate
   authentication check (apart from the integrity check that verifies
   the digest) with digital signatures, as described in [RFC2154], can
   effectively nullify this attack. But this approach was never
   deployed, one can only assume due to operational considerations at
   that time. The alternative approach to thwart this threat would be to
   use the keys from a group key management protocol. As the group
   key(s) are generated by first authenticating the member ISes in the
   group, and then periodically rekeyed, a per-packet identity or
   authentication check may not be needed.

4. In general, DoS attacks may not be preventable with mechanisms from
   the routing protocol itself, but some form of access control lists
   (ACLs) at the forwarding plane can reduce the damage. Other forms of
   DoS attack common to any protocol are not in scope, as per Section
   3.3 of [RFC6862].

As discussed in Section 2.2, though the Key ID mechanism in [RFC5310]
helps, a better key coordination mechanism for key roll-over is
desirable even with manual key management. [RFC5310] fell short of
specifying an exact mechanism other than the use of key chains. The
specific requirements are:

a. Keys SHOULD be able to change without affecting the established
   adjacency, and preferably without any control packet loss.

b. Keys SHOULD be able to change without affecting protocol operation;
   for example, LSP flooding should not be held up waiting for a
   specific Key ID to become available.

c. Any proposed mechanism SHOULD also be incrementally deployable with
   key management protocols.

3.2. Key Management Protocols

In broadcast deployments, the keys used for protecting IS-IS protocol
messages can, in particular, be group keys. A mechanism similar to that
described in [I-D.weis-gdoi-mac-tek] can be used to distribute group
keys to a group of ISes in a Level-1 area or Level-2 domain, using GDOI
as specified in [RFC6407]. There are also similar approaches with
IKEv2-based group key management solutions for routing protocols, as
described in [I-D.yeung-g-ikev2] and [I-D.hartman-karp-mrkmp].

If a group key is used, the authentication granularity becomes group
membership of devices, not peer authentication between devices. The
group key management protocol deployed SHOULD be capable of rekeying.

In some deployments, where IS-IS point-to-point (P2P) mode is used for
adjacency bring-up, the subnetwork dependent messages (IIHs) can use a
different key shared between the two point-to-point peers, while all
other messages use a group key. When a group keying mechanism is
deployed, even the P2P IIHs can be protected with the common group keys.
This approach allows a single key management mechanism to be deployed
instead of both pair-wise keying and group keying protocols together.
If the same circuits are shared across multiple instances, the
granularity of the group can become per instance for IIHs and per
instance/topology for LSPs and SNPs, as specified in [RFC6822].
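The Key ID lookup of Section 2.2, the verification cost that Section 2.3.3 warns about, and the roll-over requirements (a) and (b) of Section 3.1, in a Python model. This is an added example, not code from the draft or from any IS-IS implementation: the key chain with its send and accept lifetimes, the key names and times, and the opaque PDU bodies are constructed assumptions. The TLV layout follows RFC 5310 (TLV type 10, authentication type 3, 16-bit Key ID, digest computed with the Authentication Data field replaced by Apad) but is simplified: the PDU body is an opaque byte string, so the zeroing of LSP header fields before the HMAC is not modelled, and the "trial" verifier stands in for RFC 5304-style operation by ignoring the Key ID as a selector and trying every acceptable key.

```python
"""RFC 5310-style Key ID lookup versus RFC 5304-style multi-key trial, and
key-chain roll-over with overlapping lifetimes. Constructed example: the PDU
body is an opaque byte string and the TLV layout is a simplified model."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

AUTH_TLV_TYPE, AUTH_TYPE_CRYPTO = 10, 3                 # RFC 5310 TLV type / auth type
DIGEST_LEN = hashlib.sha256().digest_size               # HMAC-SHA-256: 32 octets
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)    # RFC 5310 Apad fill constant
TLV_LEN = 1 + 2 + DIGEST_LEN                            # auth type + 16-bit Key ID + digest
TLV_TOTAL = 2 + TLV_LEN                                 # plus TLV type/length octets

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    send_from: int      # sender switches to this key at this time
    accept_from: int    # receiver accepts it from here...
    accept_until: int   # ...until here (exclusive)

class KeyChain:
    """Key chain with per-key lifetimes (the lifetime model is an assumption)."""

    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now):
        usable = [k for k in self.keys.values() if k.send_from <= now]
        return max(usable, key=lambda k: k.send_from)   # most recently activated key

    def accept_keys(self, now):
        return [k for k in self.keys.values() if k.accept_from <= now < k.accept_until]

def tlv_header(key_id):
    return struct.pack("!BBBH", AUTH_TLV_TYPE, TLV_LEN, AUTH_TYPE_CRYPTO, key_id)

def compute_digest(key, body):
    """HMAC over the PDU with the Authentication Data field replaced by Apad."""
    return hmac.new(key.secret, body + tlv_header(key.key_id) + APAD, hashlib.sha256).digest()

def protect(chain, now, body):
    key = chain.send_key(now)
    return body + tlv_header(key.key_id) + compute_digest(key, body)

def split_pdu(packet):
    body, tlv = packet[:-TLV_TOTAL], packet[-TLV_TOTAL:]
    _, _, auth_type, key_id = struct.unpack("!BBBH", tlv[:5])
    return body, auth_type, key_id, tlv[5:]

def verify_by_key_id(chain, now, packet):
    """RFC 5310 behaviour: the Key ID selects the SA, so at most one HMAC is
    computed. Returns (accepted, number of HMAC computations)."""
    body, auth_type, key_id, received = split_pdu(packet)
    key = chain.keys.get(key_id)
    if auth_type != AUTH_TYPE_CRYPTO or key is None or key not in chain.accept_keys(now):
        return False, 0
    return hmac.compare_digest(compute_digest(key, body), received), 1

def verify_by_trial(chain, now, packet):
    """RFC 5304-style transition mode: with no SA selector every currently
    acceptable key is tried, so a forged packet costs one HMAC per key."""
    body, _, _, received = split_pdu(packet)
    tries = 0
    for key in chain.accept_keys(now):
        tries += 1
        if hmac.compare_digest(compute_digest(key, body), received):
            return True, tries
    return False, tries

def area_chain():
    # Key 1 is being retired; key 2 is accepted 100 s before senders switch to it.
    return KeyChain([Key(1, b"old-area-key", send_from=0, accept_from=0, accept_until=1200),
                     Key(2, b"new-area-key", send_from=1000, accept_from=900, accept_until=10**9)])

def rollover_demo():
    """Requirements (a) and (b): nothing is dropped around the switch at t=1000."""
    chain, body = area_chain(), b"constructed IIH body"
    out = {}
    for t in (999, 1000, 1001):
        packet = protect(chain, t, body)
        out[t] = (split_pdu(packet)[2],) + verify_by_key_id(chain, t, packet)
    return out                # {t: (Key ID used, accepted, HMACs computed)}

def forgery_cost_demo():
    """Section 2.3.3: a forged packet with an unknown Key ID is discarded before
    any HMAC computation; in trial mode it costs one HMAC per acceptable key."""
    chain = KeyChain([Key(i, b"k%d" % i, 0, 0, 10**9) for i in range(1, 6)])
    forged = b"constructed SNP body" + tlv_header(999) + bytes(DIGEST_LEN)
    return verify_by_key_id(chain, 50, forged), verify_by_trial(chain, 50, forged)

def expired_key_replay_demo():
    """Inter-session replay: a packet captured at t=500 under key 1 is replayed
    at t=2000, after key 1 has left its accept window."""
    chain = area_chain()
    captured = protect(chain, 500, b"constructed LSP body")
    return verify_by_key_id(chain, 500, captured)[0], verify_by_key_id(chain, 2000, captured)[0]
```

The overlap between key 2's accept window and key 1's send window is what makes requirement (a) hold: `rollover_demo()` accepts every packet across the switch with exactly one HMAC each, because the receiver's key chain already knows key 2 before any sender uses it. `forgery_cost_demo()` shows the DoS asymmetry of Section 2.2 in numbers (zero HMACs versus one per configured key), and `expired_key_replay_demo()` shows that a key change, not the digest alone, is what retires a captured packet.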
Effective key change capability within the routing protocol, allowing
key roll-over without impacting routing protocol operation, is one of
the requirements for deploying any group key mechanism. Once such a
mechanism is in place, with the deployment of a group key management
protocol IS-IS can be protected from various threats, including but not
limited to intra- and inter-session replay attacks and spoofing attacks.

Specific use of the crypto tables of [RFC7210] should be defined for the
IS-IS protocol.

4. IANA Considerations

This document defines no new namespaces.

5. Security Considerations

This document is mostly about the security considerations of the IS-IS
protocol; it lists potential threats and security requirements for
addressing those threats. This document does not introduce any new
security threats for the IS-IS protocol. For more detailed security
considerations, please refer to the Security Considerations section of
the KARP Design Guide [RFC6518] as well as the KARP threats document
[RFC6862].

6. Acknowledgements

The authors would like to thank Joel Halpern for initial discussions on
this document and for valuable review comments. The authors would also
like to acknowledge Naiming Shen for reviewing and providing feedback on
this document.

7. References

7.1. Normative References

[RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and dual
          environments", RFC 1195, December 1990.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement
          Levels", BCP 14, RFC 2119, March 1997.

[RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic Authentication",
          RFC 5304, October 2008.

[RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., and
          M. Fanto, "IS-IS Generic Cryptographic Authentication", RFC
          5310, February 2009.

7.2. Informative References

[I-D.hartman-karp-mrkmp]
          Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router Key
          Management Protocol (MaRK)", draft-hartman-karp-mrkmp-05 (work
          in progress), September 2012.

[I-D.weis-gdoi-mac-tek]
          Weis, B. and S. Rowles, "GDOI Generic Message Authentication
          Code Policy", draft-weis-gdoi-mac-tek-03 (work in progress),
          September 2011.

[I-D.yeung-g-ikev2]
          Rowles, S., Yeung, A., Tran, P., and Y. Nir, "Group Key
          Management using IKEv2", draft-yeung-g-ikev2-08 (work in
          progress), October 2014.

[RFC2154] Murphy, S., Badger, M., and B. Wellington, "OSPF with Digital
          Signatures", RFC 2154, June 1997.

[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key
          Management", BCP 107, RFC 4107, June 2005.

[RFC5309] Shen, N. and A. Zinin, "Point-to-Point Operation over LAN in
          Link State Routing Protocols", RFC 5309, October 2008.

[RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues with
          Existing Cryptographic Protection Methods for Routing
          Protocols", RFC 6039, October 2010.

[RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain of
          Interpretation", RFC 6407, October 2011.

[RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for
          Routing Protocols (KARP) Design Guidelines", RFC 6518,
          February 2012.

[RFC6822] Previdi, S., Ginsberg, L., Shand, M., Roy, A., and D. Ward,
          "IS-IS Multi-Instance", RFC 6822, December 2012 (obsoleted by
          RFC 8202).

[RFC6862] Lebovitz, G., Bhatia, M., and B. Weis, "Keying and
          Authentication for Routing Protocols (KARP) Overview, Threats,
          and Requirements", RFC 6862, March 2013.

[RFC7210] Housley, R., Polk, T., Hartman, S., and D. Zhang, "Database of
          Long-Lived Symmetric Cryptographic Keys", RFC 7210, April 2014.

Authors' Addresses

Uma Chunduri
Ericsson Inc.,
300 Holger Way,
San Jose, California 95134
USA

Phone: 408 750-5678
Email: uma.chunduri@ericsson.com

Albert Tian
Ericsson Inc.,
300 Holger Way,
San Jose, California 95134
USA

Phone: 408 750-5210
Email: albert.tian@ericsson.com

Wenhu Lu
Ericsson Inc.,
300 Holger Way,
San Jose, California 95134
USA

Email: wenhu.lu@ericsson.com