idnits 2.17.1 draft-ietf-lisp-crypto-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 5 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 98: '...for key exchange MUST be one round-tri...' RFC 2119 keyword, line 455: '... RLOCs in the RLOC-set, it MUST send a...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 1, 2015) is 3280 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'RFC2404' is mentioned on line 223, but not defined == Unused Reference: 'RFC4106' is defined on line 552, but no explicit reference was found in the text == Unused Reference: 'RFC5116' is defined on line 560, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 6830 (Obsoleted by RFC 9300, RFC 9301) == Outdated reference: A later version (-04) exists of draft-agl-tls-chacha20poly1305-00 == Outdated reference: A later version (-22) exists of draft-ietf-lisp-lcaf-04 == Outdated reference: A later version (-04) exists of draft-fuller-lisp-ddt-03 == Outdated reference: A later version (-29) exists of draft-ietf-lisp-sec-06 Summary: 5 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force D. Farinacci 3 Internet-Draft lispers.net 4 Intended status: Experimental B. Weis 5 Expires: November 2, 2015 cisco Systems 6 May 1, 2015 8 LISP Data-Plane Confidentiality 9 draft-ietf-lisp-crypto-01 11 Abstract 13 This document describes a mechanism for encrypting LISP encapsulated 14 traffic. The design describes how key exchange is achieved using 15 existing LISP control-plane mechanisms as well as how to secure the 16 LISP data-plane from third-party surveillance attacks. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on November 2, 2015. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 3 55 4. Encoding and Transmitting Key Material . . . . . . . . . . . 4 56 5. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 6 57 6. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 8 58 7. Procedures for Encryption and Decryption . . . . . . . . . . 10 59 8. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 11 60 9. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 12 61 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 62 10.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 12 63 10.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 12 64 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 65 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 66 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 67 12.2. Informative References . . . . . . . . . . . . . . . . . 14 68 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14 69 Appendix B. Document Change Log . . . . . . . . . . . . . . . . 14 70 B.1. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 15 71 B.2. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 15 72 B.3. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 15 73 B.4. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 16 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 76 1. Introduction 78 The Locator/ID Separation Protocol [RFC6830] defines a set of 79 functions for routers to exchange information used to map from non- 80 routable Endpoint Identifiers (EIDs) to routable Routing Locators 81 (RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs. 82 Packets that arrive at the ITR or PITR are typically not modified. 83 Which means no protection or privacy of the data is added. If the 84 source host encrypts the data stream then the encapsulated packets 85 can be encrypted but would be redundant. However, when plaintext 86 packets are sent by hosts, this design can encrypt the user payload 87 to maintain privacy on the path between the encapsulator (the ITR or 88 PITR) to a decapsulator (ETR or RTR). The encrypted payload is 89 unidirectional. However, return traffic uses the same procedures but 90 with different key values by the same xTRs or potentially different 91 xTRs when the paths between LISP sites are asymmetric. 93 This draft has the following requirements for the solution space: 95 o Do not require a separate Public Key Infrastructure (PKI) that is 96 out of scope of the LISP control-plane architecture. 98 o The budget for key exchange MUST be one round-trip time. That is, 99 only a two packet exchange can occur. 101 o Use symmetric keying so faster cryptography can be performed in 102 the LISP data plane. 104 o Avoid a third-party trust anchor if possible. 106 o Provide for rekeying when secret keys are compromised. 108 o Support Authenticated Encryption with packet integrity checks. 110 o Support multiple cipher suites so new crypto algorithms can be 111 easily introduced. 113 2. Overview 115 The approach proposed in this draft is to NOT rely on the LISP 116 mapping system (or any other key infrastructure system) to store 117 security keys. This will provide for a simpler and more secure 118 mechanism. Secret shared keys will be negotiated between the ITR and 119 the ETR in Map-Request and Map-Reply messages. Therefore, when an 120 ITR needs to obtain the RLOC of an ETR, it will get security material 121 to compute a shared secret with the ETR. 123 The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating 124 to. And when the ITR encrypts a packet before encapsulation, it will 125 identify the key it used for the crypto calculation so the ETR knows 126 which key to use for decrypting the packet after decapsulation. By 127 using key-ids in the LISP header, we can also get real-time rekeying 128 functionality. 130 3. Diffie-Hellman Key Exchange 132 LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and 133 computation for computing a shared secret. The Diffie-Hellman 134 parameters will be passed via Cipher Suite code-points in Map-Request 135 and Map-Reply messages. 137 Here is a brief description how Diff-Hellman works: 139 +----------------------------+---------+----------------------------+ 140 | ITR | | ETR | 141 +------+--------+------------+---------+------------+---------------+ 142 |Secret| Public | Calculates | Sends | Calculates | Public |Secret| 143 +------|--------|------------|---------|------------|--------|------+ 144 | i | p,g | | p,g --> | | | e | 145 +------|--------|------------|---------|------------|--------|------+ 146 | i | p,g,I |g^i mod p=I | I --> | | p,g,I | e | 147 +------|--------|------------|---------|------------|--------|------+ 148 | i | p,g,I | | <-- E |g^e mod p=E | p,g | e | 149 +------|--------|------------|---------|------------|--------|------+ 150 | i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s | 151 +------|--------|------------|---------|------------|--------|------+ 153 Public-key exchange for computing a shared private key [DH] 155 Diffie-Hellman parameters 'p' and 'g' must be the same values used by 156 the ITR and ETR. The ITR computes public-key 'I' and transmits 'I' 157 in a Map-Request packet. When the ETR receives the Map-Request, it 158 uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The 159 ETR transmits 'E' in a Map-Reply message. At this point, the ETR has 160 enough information to compute 's', the shared secret, by using 'I' as 161 the base and the ETR's private key 'e' as the exponent. When the ITR 162 receives the Map-Reply, it uses the ETR's public-key 'E' with the 163 ITR's private key 'i' to compute the same 's' shared secret the ETR 164 computed. The value 'p' is used as a modulus to create the width of 165 the shared secret 's'. 167 4. Encoding and Transmitting Key Material 169 The Diffie-Hellman key material is transmitted in Map-Request and 170 Map-Reply messages. Diffie-Hellman parameters are encoded in the 171 LISP Security Type LCAF [LCAF]. 173 0 1 2 3 174 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 176 | AFI = 16387 | Rsvd1 | Flags | 177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 178 | Type = 11 | Rsvd2 | 6 + n | 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 180 | Key Count | Rsvd3 |A| Cipher Suite| Rsvd4 |R| 181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 182 | Key Length | Public Key Material ... | 183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 | ... Public Key Material | 185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 | AFI = x | Locator Address ... | 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 189 Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions 191 The 'Key Count' field encodes the number of {'Key-Length', 'Key- 192 Material'} fields included in the encoded LCAF. The maximum number 193 of keys that can be encoded are 3, each identified by key-id 1, 194 followed by key-id 2, an finally key-id 3. 196 The 'R' bit is not used for this use-case of the Security Type LCAF 197 but is reserved for [LISP-DDT] security. 199 When the A-bit is set, it indicates that Authentication only is 200 performed according to the Integrity hash function defined in the 201 Cipher Suites. That is an encapsulator will perform an Integrity 202 computation over an unencrypted packet and include an ICV value. 203 Since the packet contains no ciphertext, there is no IV value 204 included in the message. The 7-bit 'Cipher Suite' field defines the 205 following code-points: 207 Cipher Suite 0: 208 Reserved 210 Cipher Suite 1: 211 Diffie-Hellman Group: 1024-bit Modular Exponential (MODP) [RFC2409] 212 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 213 Integrity: HMAC-SHA1-96 [RFC2404] 215 Cipher Suite 2: 216 Diffie-Hellman Group: 2048-bit MODP [RFC3526] 217 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 218 Integrity: HMAC-SHA1-96 [RFC2404] 220 Cipher Suite 3: 221 Diffie-Hellman Group: 3072-bit MODP [RFC3526] 222 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 223 Integrity: HMAC-SHA1-96 [RFC2404] 225 The "Public Key Material" field contains the public key generated by 226 one of the Cipher Suites defined above. The length of the key in 227 octets is encoded in the "Key Length" field. 229 When an ITR or PITR send a Map-Request, they will encode their own 230 RLOC in the Security Type LCAF format within the ITR-RLOCs field. 231 When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in 232 Security Type LCAF format within the RLOC-record field of each EID- 233 record supplied. 235 If an ITR or PITR sends a Map-Request with the Security Type LCAF 236 included and the ETR or RTR does not want to have encapsulated 237 traffic encrypted, they will return a Map-Reply with no RLOC records 238 encoded with the Security Type LCAF. This signals to the ITR or PITR 239 that it should not encrypt traffic (it cannot encrypt traffic anyways 240 since no ETR public-key was returned). 242 Likewise, if an ITR or PITR wish to include multiple key-ids in the 243 Map-Request but the ETR or RTR wish to use some but not all of the 244 key-ids, they return a Map-Reply only for those key-ids they wish to 245 use. 247 5. Shared Keys used for the Data-Plane 249 When an ITR or PITR receives a Map-Reply accepting the Cipher Suite 250 sent in the Map-Request, it is ready to create data plane keys. The 251 same process is followed by the ETR or RTR returning the Map-Reply. 253 The first step is to create a shared secret, using the peer's shared 254 Diffie-Hellman Public Key Material combined with device's own private 255 keying material as described in Section 3. The Diffie-Hellman group 256 used is defined in the Cipher Suite sent in the Map-Request and 257 copied into the Map-Reply. 259 The resulting shared secret is used to compute Encryption and 260 Integrity keys for the algorithms specified in the Cipher Suite. A 261 Key Derivation Function (KDF) in counter mode as specified by 262 [NIST-SP800-108] is used to generate the data-plane keys. The amount 263 of keying material that is derived depends on the algorithms in the 264 cipher suite. 266 The inputs to the KDF are as follows: 268 o KDF function. This is HMAC-SHA-256. 270 o A key for the KDF function. This is the most significant 16 271 octets of the computed Diffie-Hellman shared secret. 273 o Context that binds the use of the data-plane keys to this session. 274 The context is made up of the following fields, which are 275 concatenated and provided as the data to be acted upon by the KDF 276 function. 278 Context: 280 o A counter, represented as a two-octet value in network-byte order. 282 o The null-terminated string "lisp-crypto". 284 o The ITR's nonce from the the Map-Request the Cipher Suite was 285 included in. 287 o The number of bits of keying material required (L), represented as 288 a two-octet value in network byte order. 290 The counter value in the context is first set to 1. When the amount 291 of keying material exceeds the number of bits returned by the KDF 292 function, then the KDF function is called again with the same inputs 293 except that the counter increments for each call. When enough keying 294 material is returned, it is concatenated and used to create keys. 296 For example, AES with 128-bit keys requires 16 octets (128 bits) of 297 keying material, and HMAC-SHA1-96 requires another 16 octets (128 298 bits) of keying material in order to maintain a consistent 128-bits 299 of security. Since 32 octets (256 bits) of keying material are 300 required, and the KDF function HMAC-SHA-256 outputs 256 bits, only 301 one call is required. The inputs are as follows: 303 key-material = HMAC-SHA-256(dh-shared-secret, context) 305 where: context = 0x0001 || "lisp-crypto" || || 0x0100 307 In contrast, a cipher suite specifying AES with 256-bit keys requires 308 32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires 309 another 32 octets (256 bits) of keying material in order to maintain 310 a consistent 256-bits of security. Since 64 octets (512 bits) of 311 keying material are required, and the KDF function HMAC-SHA-256 312 outputs 256 bits, two calls are required. 314 key-material-1 = HMAC-SHA-256(dh-shared-secret, context) 316 where: context = 0x0001 || "lisp-crypto" || || 0x0200 318 key-material-2 = HMAC-SHA-256(dh-shared-secret, context) 320 where: context = 0x0002 || "lisp-crypto" || || 0x0200 322 key-material = key-material-1 || key-material-2 324 If the key-material is longer than the required number of bits (L), 325 then only the most significant L bits are used. 327 From the derived key-material, the most significant bits are used for 328 the Encryption key, and least significant bits are used for the 329 Integrity key. For example, if the Cipher Suite contains both AES 330 with 128-bit keys and HMAC-SHA1-96, the most significant 128 bits 331 become the ITR's data-plane encryption key, and the next 128-bit 332 become the ITR's Integrity key. 334 6. Data-Plane Operation 336 The LISP encapsulation header [RFC6830] requires changes to encode 337 the key-id for the key being used for encryption. 339 0 1 2 3 340 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 342 / | Source Port = xxxx | Dest Port = 4341 | 343 UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 344 \ | UDP Length | UDP Checksum | 345 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 346 L / |N|L|E|V|I|P|K|K| Nonce/Map-Version | \ 347 I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 348 S \ | Instance ID/Locator-Status-Bits | | 349 P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 350 | Initialization Vector (IV) | I 351 E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C 352 n / | | V 353 c | | | 354 r | Packet Payload with EID Header ... | | 355 y | | | 356 p \ | | / 357 t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 358 | Integrity Check Value (ICV) | 359 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 361 K-bits indicate when packet is encrypted and which key used 363 When the KK bits are 00, the encapsulated packet is not encrypted. 364 When the value of the KK bits are 1, 2, or 3, it encodes the key-id 365 of the secret keys computed during the Diffie-Hellman Map-Request/ 366 Map-Reply exchange. When the KK bits are not 0, the payload is 367 prepended with an Initialization Vector (IV) and appended with an 368 Integrity Check Value (ICV). The length of the IV and ICV fields 369 depend on the Cipher Suite negotiated in the control-plane. 371 When an ITR or PITR receives a packet to be encapsulated, they will 372 first decide what key to use, encode the key-id into the LISP header, 373 and use that key to encrypt all packet data that follows the LISP 374 header. Therefore, the outer header, UDP header, and LISP header 375 travel as plaintext. 377 There is an open working group item to discuss if the data 378 encapsulation header needs change for encryption or any new 379 applications. This draft proposes changes to the existing header so 380 experimentation can continue without making large changes to the 381 data-plane at this time. 383 7. Procedures for Encryption and Decryption 385 When an ITR, PITR, or RTR encapsulate a packet and have already 386 computed an encryption-key and integrity-key (detailed in section 387 Section 5) that is associated with a destination RLOC, the following 388 encryption and encapsulation procedures are performed: 390 1. The encapsulator creates a random number used as the IV. 391 Prepends the IV value to the packet being encapsulated. The IV 392 is incremented for every packet sent to the destination RLOC. 394 2. Next encrypt with cipher function AES-CBC using the encryption- 395 key over the packet payload. This does not include the IV. The 396 IV must be transmitted as plaintext so the decrypter can use it 397 as input to the decryption cipher. The payload should be padded 398 to an integral number of bytes a block cipher may require. 400 3. Prepend the LISP header. The key-id field of the LISP header is 401 set to the key-id value that corresponds to key-pair used for the 402 encryption cipher and for the ICV hash. 404 4. Next compute the ICV value by hashing the packet (which includes 405 the LISP header, the IV, and the packet payload) with the HMAC- 406 SHA1 function using the integrity-key. The resulting ICV value 407 is appended to the packet. The ICV is not ciphertext so a fast 408 integrity check can be performed without decryption at the 409 receiver. 411 5. Lastly, prepend the UDP header and outer IP header onto the 412 encrypted packet and send packet to destination RLOC. 414 When an ETR, PETR, or RTR receive an encapsulated packet, the 415 following decapsulation and decryption procedures are performed: 417 1. The outer IP header and UDP header are stripped from the start of 418 the packet and the ICV is stripped from the end of the packet. 420 2. Next the ICV is computed by running the Integrity function from 421 the cipher suite using the integrity-key over the packet (which 422 includes the LISP header, the IV and packet payload) using the 423 integrity-key. If the result does not match the ICV value from 424 the packet, the packet was been tampered with, and is dropped, 425 and an optional log message may be issued. The integrity-key is 426 obtained from a local-cache associated with the key-id value from 427 the LISP header. 429 3. If the hashed result matches the ICV value from the packet, then 430 the LISP header is stripped and decryption occurs over the packet 431 payload using the plaintext IV in the packet. 433 4. The IV is stripped from the packet. 435 5. The packet is decrypted using the encryption-key and the IV from 436 the packet. The encryption-key is obtained from a local-cache 437 associated with the key-id value from the LISP header. The 438 result of the decryption function is a plaintext packet payload. 440 6. The resulting packet is forwarded to the destination EID. 442 8. Dynamic Rekeying 444 Since multiple keys can be encoded in both control and data messages, 445 an ITR can encapsulate and encrypt with a specific key while it is 446 negotiating other keys with the same ETR. Soon as an ETR or RTR 447 returns a Map-Reply, it should be prepared to decapsulate and decrypt 448 using the new keys computed with the new Diffie-Hellman parameters 449 received in the Map-Request and returned in the Map-Reply. 451 RLOC-probing can be used to change keys or cipher suites by the ITR 452 at any time. And when an initial Map-Request is sent to populate the 453 ITR's map-cache, the Map-Request flows across the mapping system 454 where a single ETR from the Map-Reply RLOC-set will respond. If the 455 ITR decides to use the other RLOCs in the RLOC-set, it MUST send a 456 Map-Request directly to negotiate security parameters with the ETR. 457 This process may be used to test reachability from an ITR to an ETR 458 initially when a map-cache entry is added for the first time, so an 459 ITR can get both reachability status and keys negotiated with one 460 Map-Request/Map-Reply exchange. 462 A rekeying event is defined to be when an ITR or PITR changes the 463 cipher suite or public-key in the Map-Request. The ETR or RTR 464 compares the cipher suite and public-key it last received from the 465 ITR for the key-id, and if any value has changed, it computes a new 466 public-key and cipher suite requested by the ITR from the Map-Request 467 and returns it in the Map-Reply. Now a new shared secret is computed 468 and can be used for the key-id for encryption by the ITR and 469 decryption by the ETR. When the ITR or PITR starts this process of 470 negotiating a new key, it must not use the corresponding key-id in 471 encapsulated packets until it receives a Map-Reply from the ETR with 472 the same cipher suite value it expects (the values it sent in a Map- 473 Request). 475 Note when RLOC-probing continues to maintain RLOC reachability and 476 rekeying is not desirable, the ITR or RTR can either not include the 477 Security Type LCAF in the Map-Request or supply the same key material 478 as it received from the last Map-Reply from the ETR or RTR. This 479 approach signals to the ETR or RTR that no rekeying event is 480 requested. 482 9. Future Work 484 For performance considerations, newer Elliptic-Curve Diffie-Hellman 485 (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to 486 reduce CPU cycles required to compute shared secret keys. 488 For better security considerations as well as to be able to build 489 faster software implementations, newer approaches to ciphers and 490 authentication methods will be researched and tested. Some examples 491 are chacha20 and poly1305 [CHACHA-POLY]. 493 10. Security Considerations 495 10.1. SAAG Support 497 The LISP working group has and will continue to seek help from the 498 SAAG working group for security advice. The SAAG has been involved 499 early in the design process so they have early input and review. 501 10.2. LISP-Crypto Security Threats 503 Since ITRs and ETRs participate in key exchange over a public non- 504 secure network, a man-in-the-middle (MITM) could circumvent the key 505 exchange and compromise data-plane confidentiality. This can happen 506 when the MITM is acting as a Map-Replier, provides its own public key 507 so the ITR and the MITM generate a shared secret key among each 508 other. If the MITM is in the data path between the ITR and ETR, it 509 can use the shared secret key to decrypt traffic from the ITR. 511 Since LISP can secure Map-Replies by the authentication process 512 specified in [LISP-SEC], the ITR can detect when a MITM has signed a 513 Map-Reply for an EID-prefix it is not authoritative for. When an ITR 514 determines the signature verification fails, it discards and does not 515 reuse the key exchange parameters, avoids using the ETR for 516 encapsulation, and issues a severe log message to the network 517 administrator. Optionally, the ITR can send RLOC-probes to the 518 compromised RLOC to determine if can reach the authoritative ETR. 519 And when the ITR validates the signature of a Map-Reply, it can begin 520 encrypting and encapsulating packets to the RLOC of ETR. 522 11. IANA Considerations 524 This draft may require the use of the registry that selects Security 525 parameters. Rather than convey the key exchange parameters and 526 crypto functions directly in LISP control packets, the cipher suite 527 values can be assigned and defined in a registry. For example, 528 Diffie-Hellman group-id values can be used from [RFC2409] and 529 [RFC3526]. 531 This draft specifies how the 7-bit cipher suite values from the 532 Security Type LCAF are partitioned. The partitions are: 534 0: Reserved 535 1-96: Allocated by registry, but first 3 values defined in this document 536 97-127: Private use 538 12. References 540 12.1. Normative References 542 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 543 (IKE)", RFC 2409, November 1998. 545 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 546 2631, June 1999. 548 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 549 Diffie-Hellman groups for Internet Key Exchange (IKE)", 550 RFC 3526, May 2003. 552 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 553 (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 554 4106, June 2005. 556 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 557 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 558 for Transport Layer Security (TLS)", RFC 4492, May 2006. 560 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 561 Encryption", RFC 5116, January 2008. 563 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 564 Curve Cryptography Algorithms", RFC 6090, February 2011. 566 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 567 Locator/ID Separation Protocol (LISP)", RFC 6830, January 568 2013. 570 12.2. Informative References 572 [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated 573 Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- 574 aes-cbc-hmac-sha2-05.txt (work in progress). 576 [CHACHA-POLY] 577 Langley, A., "ChaCha20 and Poly1305 based Cipher Suites 578 for TLS", draft-agl-tls-chacha20poly1305-00 (work in 579 progress). 581 [DH] "Diffie-Hellman key exchange", Wikipedia 582 http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange. 584 [LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical 585 Address Format", draft-ietf-lisp-lcaf-04.txt (work in 586 progress). 588 [LISP-DDT] 589 Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP 590 Delegated Database Tree", draft-fuller-lisp-ddt-03 (work 591 in progress). 593 [LISP-SEC] 594 Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, 595 "LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-06 (work 596 in progress). 598 [NIST-SP800-108] 599 "National Institute of Standards and Technology, 600 "Recommendation for Key Derivation Using Pseudorandom 601 Functions NIST SP800-108"", NIST SP 800-108, October 2009. 603 Appendix A. Acknowledgments 605 The author would like to thank Dan Harkins, Joel Halpern, Fabio 606 Maino, Ed Lopez, Roger Jorgensen, Watson Ladd, and Ilari Liusvaara 607 for their interest, suggestions, and discussions about LISP data- 608 plane security. 610 In addition, the support and suggestions from the SAAG working group 611 were helpful and appreciative. 613 Appendix B. Document Change Log 614 B.1. Changes to draft-ietf-lisp-crypto-01.txt 616 o Posted May 2015. 618 o Create cipher suites and encode them in the Security LCAF. 620 o Add IV to beginning of packet header and ICV to end of packet. 622 o AEAD procedures are now part of encrpytion process. 624 B.2. Changes to draft-ietf-lisp-crypto-00.txt 626 o Posted January 2015. 628 o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto- 629 00. This draft has become a working group document 631 o Add text to indicate the working group may work on a new data 632 encapsulation header format for data-plane encryption. 634 B.3. Changes to draft-farinacci-lisp-crypto-01.txt 636 o Posted July 2014. 638 o Add Group-ID to the encoding format of Key Material in a Security 639 Type LCAF and modify the IANA Considerations so this draft can use 640 key exchange parameters from the IANA registry. 642 o Indicate that the R-bit in the Security Type LCAF is not used by 643 lisp-crypto. 645 o Add text to indicate that ETRs/RTRs can negotiate less number of 646 keys from which the ITR/PITR sent in a Map-Request. 648 o Add text explaining how LISP-SEC solves the problem when a man-in- 649 the-middle becomes part of the Map-Request/Map-Reply key exchange 650 process. 652 o Add text indicating that when RLOC-probing is used for RLOC 653 reachability purposes and rekeying is not desired, that the same 654 key exchange parameters should be used so a reallocation of a 655 pubic key does not happen at the ETR. 657 o Add text to indicate that ECDH can be used to reduce CPU 658 requirements for computing shared secret-keys. 660 B.4. Changes to draft-farinacci-lisp-crypto-00.txt 662 o Initial draft posted February 2014. 664 Authors' Addresses 666 Dino Farinacci 667 lispers.net 668 San Jose, California 95120 669 USA 671 Phone: 408-718-2001 672 Email: farinacci@gmail.com 674 Brian Weis 675 cisco Systems 676 170 West Tasman Drive 677 San Jose, California 95124-1706 678 USA 680 Phone: 408-526-4796 681 Email: bew@cisco.com