idnits 2.17.1 draft-ietf-lisp-crypto-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 9 instances of too long lines in the document, the longest one being 13 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 100: '...for key exchange MUST be one round-tri...' RFC 2119 keyword, line 475: '... RLOCs in the RLOC-set, it MUST send a...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 4, 2015) is 3059 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'RFC2404' is mentioned on line 219, but not defined == Missing Reference: 'AES-GCM' is mentioned on line 237, but not defined == Missing Reference: 'RFC1116' is mentioned on line 243, but not defined ** Obsolete undefined reference: RFC 1116 (Obsoleted by RFC 1184) == Unused Reference: 'RFC4106' is defined on line 576, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 6830 (Obsoleted by RFC 9300, RFC 9301) ** Obsolete normative reference: RFC 7539 (Obsoleted by RFC 8439) == Outdated reference: A later version (-04) exists of draft-agl-tls-chacha20poly1305-00 == Outdated reference: A later version (-22) exists of draft-ietf-lisp-lcaf-04 == Outdated reference: A later version (-04) exists of draft-fuller-lisp-ddt-03 == Outdated reference: A later version (-29) exists of draft-ietf-lisp-sec-06 Summary: 7 errors (**), 0 flaws (~~), 9 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force D. Farinacci 3 Internet-Draft lispers.net 4 Intended status: Experimental B. Weis 5 Expires: June 6, 2016 cisco Systems 6 December 4, 2015 8 LISP Data-Plane Confidentiality 9 draft-ietf-lisp-crypto-03 11 Abstract 13 This document describes a mechanism for encrypting LISP encapsulated 14 traffic. The design describes how key exchange is achieved using 15 existing LISP control-plane mechanisms as well as how to secure the 16 LISP data-plane from third-party surveillance attacks. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on June 6, 2016. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 3 55 4. Encoding and Transmitting Key Material . . . . . . . . . . . 4 56 5. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 7 57 6. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 9 58 7. Procedures for Encryption and Decryption . . . . . . . . . . 10 59 8. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 11 60 9. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 12 61 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 62 10.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 12 63 10.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 12 64 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 65 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 66 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 67 12.2. Informative References . . . . . . . . . . . . . . . . . 14 68 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 15 69 Appendix B. Document Change Log . . . . . . . . . . . . . . . . 15 70 B.1. Changes to draft-ietf-lisp-crypto-03.txt . . . . . . . . 15 71 B.2. Changes to draft-ietf-lisp-crypto-02.txt . . . . . . . . 16 72 B.3. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 16 73 B.4. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 16 74 B.5. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 16 75 B.6. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 17 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 78 1. Introduction 80 The Locator/ID Separation Protocol [RFC6830] defines a set of 81 functions for routers to exchange information used to map from non- 82 routable Endpoint Identifiers (EIDs) to routable Routing Locators 83 (RLOCs). LISP ITRs and PITRs encapsulate packets to ETRs and RTRs. 84 Packets that arrive at the ITR or PITR are typically not modified. 85 Which means no protection or privacy of the data is added. If the 86 source host encrypts the data stream then the encapsulated packets 87 can be encrypted but would be redundant. However, when plaintext 88 packets are sent by hosts, this design can encrypt the user payload 89 to maintain privacy on the path between the encapsulator (the ITR or 90 PITR) to a decapsulator (ETR or RTR). The encrypted payload is 91 unidirectional. However, return traffic uses the same procedures but 92 with different key values by the same xTRs or potentially different 93 xTRs when the paths between LISP sites are asymmetric. 95 This draft has the following requirements for the solution space: 97 o Do not require a separate Public Key Infrastructure (PKI) that is 98 out of scope of the LISP control-plane architecture. 100 o The budget for key exchange MUST be one round-trip time. That is, 101 only a two packet exchange can occur. 103 o Use symmetric keying so faster cryptography can be performed in 104 the LISP data plane. 106 o Avoid a third-party trust anchor if possible. 108 o Provide for rekeying when secret keys are compromised. 110 o Support Authenticated Encryption with packet integrity checks. 112 o Support multiple cipher suites so new crypto algorithms can be 113 easily introduced. 115 2. Overview 117 The approach proposed in this draft is to NOT rely on the LISP 118 mapping system (or any other key infrastructure system) to store 119 security keys. This will provide for a simpler and more secure 120 mechanism. Secret shared keys will be negotiated between the ITR and 121 the ETR in Map-Request and Map-Reply messages. Therefore, when an 122 ITR needs to obtain the RLOC of an ETR, it will get security material 123 to compute a shared secret with the ETR. 125 The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating 126 to. And when the ITR encrypts a packet before encapsulation, it will 127 identify the key it used for the crypto calculation so the ETR knows 128 which key to use for decrypting the packet after decapsulation. By 129 using key-ids in the LISP header, we can also get real-time rekeying 130 functionality. 132 When an ETR (when it is also an ITR) encapsulates packets to this ITR 133 (when it is also an ETR), a separate key exchange and shared-secret 134 computation is performed. The key management described in this 135 documemnt is unidirectional from the ITR (the encapsulator) to the 136 ETR (the decapsultor). 138 3. Diffie-Hellman Key Exchange 140 LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and 141 computation for computing a shared secret. The Diffie-Hellman 142 parameters will be passed via Cipher Suite code-points in Map-Request 143 and Map-Reply messages. 145 Here is a brief description how Diff-Hellman works: 147 +----------------------------+---------+----------------------------+ 148 | ITR | | ETR | 149 +------+--------+------------+---------+------------+---------------+ 150 |Secret| Public | Calculates | Sends | Calculates | Public |Secret| 151 +------|--------|------------|---------|------------|--------|------+ 152 | i | p,g | | p,g --> | | | e | 153 +------|--------|------------|---------|------------|--------|------+ 154 | i | p,g,I |g^i mod p=I | I --> | | p,g,I | e | 155 +------|--------|------------|---------|------------|--------|------+ 156 | i | p,g,I | | <-- E |g^e mod p=E | p,g | e | 157 +------|--------|------------|---------|------------|--------|------+ 158 | i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s | 159 +------|--------|------------|---------|------------|--------|------+ 161 Public-key exchange for computing a shared private key [DH] 163 Diffie-Hellman parameters 'p' and 'g' must be the same values used by 164 the ITR and ETR. The ITR computes public-key 'I' and transmits 'I' 165 in a Map-Request packet. When the ETR receives the Map-Request, it 166 uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The 167 ETR transmits 'E' in a Map-Reply message. At this point, the ETR has 168 enough information to compute 's', the shared secret, by using 'I' as 169 the base and the ETR's private key 'e' as the exponent. When the ITR 170 receives the Map-Reply, it uses the ETR's public-key 'E' with the 171 ITR's private key 'i' to compute the same 's' shared secret the ETR 172 computed. The value 'p' is used as a modulus to create the width of 173 the shared secret 's'. 175 4. Encoding and Transmitting Key Material 177 The Diffie-Hellman key material is transmitted in Map-Request and 178 Map-Reply messages. Diffie-Hellman parameters are encoded in the 179 LISP Security Type LCAF [LCAF]. 181 0 1 2 3 182 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 | AFI = 16387 | Rsvd1 | Flags | 185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 | Type = 11 | Rsvd2 | 6 + n | 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 188 | Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R| 189 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 190 | Key Length | Public Key Material ... | 191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 192 | ... Public Key Material | 193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 194 | AFI = x | Locator Address ... | 195 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 197 Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions 199 The 'Key Count' field encodes the number of {'Key-Length', 'Key- 200 Material'} fields included in the encoded LCAF. The maximum number 201 of keys that can be encoded are 3, each identified by key-id 1, 202 followed by key-id 2, an finally key-id 3. 204 The 'R' bit is not used for this use-case of the Security Type LCAF 205 but is reserved for [LISP-DDT] security. 207 Cipher Suite 0: 208 Reserved 210 Cipher Suite 1: 211 Diffie-Hellman Group: 2048-bit MODP [RFC3526] 212 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 213 Integrity: Integrated with [AES-CBC] AEAD [RFC5116] encryption 214 IV length: 16 bytes 216 Cipher Suite 2: 217 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 218 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 219 Integrity: HMAC-SHA1-96 [RFC2404] 220 IV length: 16 bytes 222 Cipher Suite 3: 223 Diffie-Hellman Group: 2048-bit MODP [RFC3526] 224 Encryption: AES with 128-bit keys in GCM mode [AES-GCM] 225 Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption 226 IV length: 12 bytes 228 Cipher Suite 4: 229 Diffie-Hellman Group: 3072-bit MODP [RFC3526] 230 Encryption: AES with 128-bit keys in GCM mode [AES-GCM] 231 Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption 232 IV length: 12 bytes 234 Cipher Suite 5: 235 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 236 Encryption: AES with 128-bit keys in GCM mode [AES-GCM] 237 Integrity: Integrated with [AES-GCM] AEAD [RFC5116] encryption 238 IV length: 12 bytes 240 Cipher Suite 6: 241 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 242 Encryption/Integrity: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539] 243 Integrity: Integrated with Chacha20-Poly1305 AEAD [RFC1116] encryption 244 IV length: 8 bytes 246 The "Public Key Material" field contains the public key generated by 247 one of the Cipher Suites defined above. The length of the key in 248 octets is encoded in the "Key Length" field. 250 When an ITR or PITR send a Map-Request, they will encode their own 251 RLOC in the Security Type LCAF format within the ITR-RLOCs field. 252 When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in 253 Security Type LCAF format within the RLOC-record field of each EID- 254 record supplied. 256 If an ITR or PITR sends a Map-Request with the Security Type LCAF 257 included and the ETR or RTR does not want to have encapsulated 258 traffic encrypted, they will return a Map-Reply with no RLOC records 259 encoded with the Security Type LCAF. This signals to the ITR or PITR 260 that it should not encrypt traffic (it cannot encrypt traffic anyways 261 since no ETR public-key was returned). 263 Likewise, if an ITR or PITR wish to include multiple key-ids in the 264 Map-Request but the ETR or RTR wish to use some but not all of the 265 key-ids, they return a Map-Reply only for those key-ids they wish to 266 use. 268 5. Shared Keys used for the Data-Plane 270 When an ITR or PITR receives a Map-Reply accepting the Cipher Suite 271 sent in the Map-Request, it is ready to create data plane keys. The 272 same process is followed by the ETR or RTR returning the Map-Reply. 274 The first step is to create a shared secret, using the peer's shared 275 Diffie-Hellman Public Key Material combined with device's own private 276 keying material as described in Section 3. The Diffie-Hellman group 277 used is defined in the cipher suite sent in the Map-Request and 278 copied into the Map-Reply. 280 The resulting shared secret is used to compute an AEAD-key for the 281 algorithms specified in the cipher suite. A Key Derivation Function 282 (KDF) in counter mode as specified by [NIST-SP800-108] is used to 283 generate the data-plane keys. The amount of keying material that is 284 derived depends on the algorithms in the cipher suite. 286 The inputs to the KDF are as follows: 288 o KDF function. This is HMAC-SHA-256. 290 o A key for the KDF function. This is the computed Diffie-Hellman 291 shared secret. 293 o Context that binds the use of the data-plane keys to this session. 294 The context is made up of the following fields, which are 295 concatenated and provided as the data to be acted upon by the KDF 296 function. 298 Context: 300 o A counter, represented as a two-octet value in network-byte order. 302 o The null-terminated string "lisp-crypto". 304 o The ITR's nonce from the the Map-Request the cipher suite was 305 included in. 307 o The number of bits of keying material required (L), represented as 308 a two-octet value in network byte order. 310 The counter value in the context is first set to 1. When the amount 311 of keying material exceeds the number of bits returned by the KDF 312 function, then the KDF function is called again with the same inputs 313 except that the counter increments for each call. When enough keying 314 material is returned, it is concatenated and used to create keys. 316 For example, AES with 128-bit keys requires 16 octets (128 bits) of 317 keying material, and HMAC-SHA1-96 requires another 16 octets (128 318 bits) of keying material in order to maintain a consistent 128-bits 319 of security. Since 32 octets (256 bits) of keying material are 320 required, and the KDF function HMAC-SHA-256 outputs 256 bits, only 321 one call is required. The inputs are as follows: 323 key-material = HMAC-SHA-256(dh-shared-secret, context) 325 where: context = 0x0001 || "lisp-crypto" || || 0x0100 327 In contrast, a cipher suite specifying AES with 256-bit keys requires 328 32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires 329 another 32 octets (256 bits) of keying material in order to maintain 330 a consistent 256-bits of security. Since 64 octets (512 bits) of 331 keying material are required, and the KDF function HMAC-SHA-256 332 outputs 256 bits, two calls are required. 334 key-material-1 = HMAC-SHA-256(dh-shared-secret, context) 336 where: context = 0x0001 || "lisp-crypto" || || 0x0200 338 key-material-2 = HMAC-SHA-256(dh-shared-secret, context) 340 where: context = 0x0002 || "lisp-crypto" || || 0x0200 342 key-material = key-material-1 || key-material-2 344 If the key-material is longer than the required number of bits (L), 345 then only the most significant L bits are used. 347 From the derived key-material, the most significant 256 bits are used 348 for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided 349 into a 128-bit encryption key and a 128-bit integrity-check key 350 internal to the cipher used by the ITR. 352 6. Data-Plane Operation 354 The LISP encapsulation header [RFC6830] requires changes to encode 355 the key-id for the key being used for encryption. 357 0 1 2 3 358 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 359 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 360 / | Source Port = xxxx | Dest Port = 4341 | 361 UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 362 \ | UDP Length | UDP Checksum | 363 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 364 L / |N|L|E|V|I|P|K|K| Nonce/Map-Version | \ \ 365 I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AD 366 S \ | Instance ID/Locator-Status-Bits | | / 367 P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 368 | Initialization Vector (IV) | I 369 E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C 370 n / | | V 371 c | | | 372 r | Packet Payload with EID Header ... | | 373 y | | | 374 p \ | | / 375 t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 K-bits indicate when packet is encrypted and which key used 379 When the KK bits are 00, the encapsulated packet is not encrypted. 380 When the value of the KK bits are 1, 2, or 3, it encodes the key-id 381 of the secret keys computed during the Diffie-Hellman Map-Request/ 382 Map-Reply exchange. When the KK bits are not 0, the payload is 383 prepended with an Initialization Vector (IV). The length of the IV 384 field is based on the cipher suite used. Since all cipher suites 385 defined in this document do Authenticated Encryption (AEAD), an ICV 386 field does not need to be present in the packet since it is included 387 in the ciphertext. The Additional Data (AD) used for the ICV is 388 shown above and includes the LISP header, the IV field and the packet 389 payload. 391 When an ITR or PITR receives a packet to be encapsulated, they will 392 first decide what key to use, encode the key-id into the LISP header, 393 and use that key to encrypt all packet data that follows the LISP 394 header. Therefore, the outer header, UDP header, and LISP header 395 travel as plaintext. 397 There is an open working group item to discuss if the data 398 encapsulation header needs change for encryption or any new 399 applications. This draft proposes changes to the existing header so 400 experimentation can continue without making large changes to the 401 data-plane at this time. 403 7. Procedures for Encryption and Decryption 405 When an ITR, PITR, or RTR encapsulate a packet and have already 406 computed an AEAD-key (detailed in section Section 5) that is 407 associated with a destination RLOC, the following encryption and 408 encapsulation procedures are performed: 410 1. The encapsulator creates an IV and prepends the IV value to the 411 packet being encapsulated. For GCM and Chacha cipher suites, the 412 IV is incremented for every packet (beginning with a value of 1 413 in the first packet) and sent to the destination RLOC. For CBC 414 cipher suites, the IV is a new random number for every packet 415 sent to the destination RLOC. For the Chacha cipher suite, the 416 IV is an 8-byte random value that is appended to a 4-byte counter 417 that is incremented for every packet (beginning with a value of 1 418 in the first packet). 420 2. Next encrypt with cipher function AES or Chacha20 using the AEAD- 421 key over the packet payload following the AEAD specification 422 referenced in the cipher suite definition. This does not include 423 the IV. The IV must be transmitted as plaintext so the decrypter 424 can use it as input to the decryption cipher. The payload should 425 be padded to an integral number of bytes a block cipher may 426 require. The result of the AEAD operation may contain an ICV, 427 the size of which is defined by the referenced AEAD 428 specification. Note that the AD (i.e. the LISP header exactly as 429 will be prepended in the next step and the IV) must be given to 430 the AEAD encryption function as the "associated data" argument. 432 3. Prepend the LISP header. The key-id field of the LISP header is 433 set to the key-id value that corresponds to key-pair used for the 434 encryption cipher. 436 4. Lastly, prepend the UDP header and outer IP header onto the 437 encrypted packet and send packet to destination RLOC. 439 When an ETR, PETR, or RTR receive an encapsulated packet, the 440 following decapsulation and decryption procedures are performed: 442 1. The outer IP header, UDP header, LISP header, and IV field are 443 stripped from the start of the packet. The LISP header and IV 444 are retained and given to the AEAD decryption operation as the 445 "associated data" argument. 447 2. The packet is decrypted using the AEAD-key and the IV from the 448 packet. The AEAD-key is obtained from a local-cache associated 449 with the key-id value from the LISP header. The result of the 450 decryption function is a plaintext packet payload if the cipher 451 returned a verified ICV. Otherwise, the packet has been tampered 452 with, is dropped, and an optional log message may be issued. If 453 the AEAD specification included an ICV, the AEAD decryption 454 function will locate the ICV in the ciphertext and compare it to 455 a version of the ICV that the AEAD decryption function computes. 456 If the computed ICV is different than the ICV located in the 457 ciphertext, then it will be considered tampered. 459 3. If the packet was not tampered with, the decrypted packet is 460 forwarded to the destination EID. 462 8. Dynamic Rekeying 464 Since multiple keys can be encoded in both control and data messages, 465 an ITR can encapsulate and encrypt with a specific key while it is 466 negotiating other keys with the same ETR. Soon as an ETR or RTR 467 returns a Map-Reply, it should be prepared to decapsulate and decrypt 468 using the new keys computed with the new Diffie-Hellman parameters 469 received in the Map-Request and returned in the Map-Reply. 471 RLOC-probing can be used to change keys or cipher suites by the ITR 472 at any time. And when an initial Map-Request is sent to populate the 473 ITR's map-cache, the Map-Request flows across the mapping system 474 where a single ETR from the Map-Reply RLOC-set will respond. If the 475 ITR decides to use the other RLOCs in the RLOC-set, it MUST send a 476 Map-Request directly to negotiate security parameters with the ETR. 477 This process may be used to test reachability from an ITR to an ETR 478 initially when a map-cache entry is added for the first time, so an 479 ITR can get both reachability status and keys negotiated with one 480 Map-Request/Map-Reply exchange. 482 A rekeying event is defined to be when an ITR or PITR changes the 483 cipher suite or public-key in the Map-Request. The ETR or RTR 484 compares the cipher suite and public-key it last received from the 485 ITR for the key-id, and if any value has changed, it computes a new 486 public-key and cipher suite requested by the ITR from the Map-Request 487 and returns it in the Map-Reply. Now a new shared secret is computed 488 and can be used for the key-id for encryption by the ITR and 489 decryption by the ETR. When the ITR or PITR starts this process of 490 negotiating a new key, it must not use the corresponding key-id in 491 encapsulated packets until it receives a Map-Reply from the ETR with 492 the same cipher suite value it expects (the values it sent in a Map- 493 Request). 495 Note when RLOC-probing continues to maintain RLOC reachability and 496 rekeying is not desirable, the ITR or RTR can either not include the 497 Security Type LCAF in the Map-Request or supply the same key material 498 as it received from the last Map-Reply from the ETR or RTR. This 499 approach signals to the ETR or RTR that no rekeying event is 500 requested. 502 9. Future Work 504 For performance considerations, newer Elliptic-Curve Diffie-Hellman 505 (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to 506 reduce CPU cycles required to compute shared secret keys. 508 For better security considerations as well as to be able to build 509 faster software implementations, newer approaches to ciphers and 510 authentication methods will be researched and tested. Some examples 511 are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539]. 513 10. Security Considerations 515 10.1. SAAG Support 517 The LISP working group has and will continue to seek help from the 518 SAAG working group for security advice. The SAAG has been involved 519 early in the design process so they have early input and review. 521 10.2. LISP-Crypto Security Threats 523 Since ITRs and ETRs participate in key exchange over a public non- 524 secure network, a man-in-the-middle (MITM) could circumvent the key 525 exchange and compromise data-plane confidentiality. This can happen 526 when the MITM is acting as a Map-Replier, provides its own public key 527 so the ITR and the MITM generate a shared secret key among each 528 other. If the MITM is in the data path between the ITR and ETR, it 529 can use the shared secret key to decrypt traffic from the ITR. 531 Since LISP can secure Map-Replies by the authentication process 532 specified in [LISP-SEC], the ITR can detect when a MITM has signed a 533 Map-Reply for an EID-prefix it is not authoritative for. When an ITR 534 determines the signature verification fails, it discards and does not 535 reuse the key exchange parameters, avoids using the ETR for 536 encapsulation, and issues a severe log message to the network 537 administrator. Optionally, the ITR can send RLOC-probes to the 538 compromised RLOC to determine if can reach the authoritative ETR. 540 And when the ITR validates the signature of a Map-Reply, it can begin 541 encrypting and encapsulating packets to the RLOC of ETR. 543 11. IANA Considerations 545 This draft may require the use of the registry that selects Security 546 parameters. Rather than convey the key exchange parameters and 547 crypto functions directly in LISP control packets, the cipher suite 548 values can be assigned and defined in a registry. For example, 549 Diffie-Hellman group-id values can be used from [RFC2409] and 550 [RFC3526]. 552 This draft specifies how the 7-bit cipher suite values from the 553 Security Type LCAF are partitioned. The partitions are: 555 0: Reserved 556 1-96: Allocated by registry, but first 3 values defined in this document 557 97-127: Private use 559 12. References 561 12.1. Normative References 563 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 564 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 565 . 567 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 568 RFC 2631, DOI 10.17487/RFC2631, June 1999, 569 . 571 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 572 Diffie-Hellman groups for Internet Key Exchange (IKE)", 573 RFC 3526, DOI 10.17487/RFC3526, May 2003, 574 . 576 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 577 (GCM) in IPsec Encapsulating Security Payload (ESP)", 578 RFC 4106, DOI 10.17487/RFC4106, June 2005, 579 . 581 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 582 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 583 for Transport Layer Security (TLS)", RFC 4492, 584 DOI 10.17487/RFC4492, May 2006, 585 . 587 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 588 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 589 . 591 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 592 Curve Cryptography Algorithms", RFC 6090, 593 DOI 10.17487/RFC6090, February 2011, 594 . 596 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 597 Locator/ID Separation Protocol (LISP)", RFC 6830, 598 DOI 10.17487/RFC6830, January 2013, 599 . 601 [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF 602 Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, 603 . 605 12.2. Informative References 607 [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated 608 Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- 609 aes-cbc-hmac-sha2-05.txt (work in progress). 611 [CHACHA-POLY] 612 Langley, A., "ChaCha20 and Poly1305 based Cipher Suites 613 for TLS", draft-agl-tls-chacha20poly1305-00 (work in 614 progress). 616 [CURVE25519] 617 Bernstein, D., "Curve25519: new Diffie-Hellman speed 618 records", Publication 619 http://www.iacr.org/cryptodb/archive/2006/ 620 PKC/3351/3351.pdf. 622 [DH] "Diffie-Hellman key exchange", Wikipedia 623 http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange. 625 [LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical 626 Address Format", draft-ietf-lisp-lcaf-04.txt (work in 627 progress). 629 [LISP-DDT] 630 Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP 631 Delegated Database Tree", draft-fuller-lisp-ddt-03 (work 632 in progress). 634 [LISP-SEC] 635 Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, 636 "LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-06 (work 637 in progress). 639 [NIST-SP800-108] 640 "National Institute of Standards and Technology, 641 "Recommendation for Key Derivation Using Pseudorandom 642 Functions NIST SP800-108"", NIST SP 800-108, October 2009. 644 Appendix A. Acknowledgments 646 The authors would like to thank Dan Harkins, Joel Halpern, Fabio 647 Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest, 648 suggestions, and discussions about LISP data-plane security. 650 The authors would like to give a special thank you to Ilari Liusvaara 651 for his extensive commentary and discussion. He has contributed his 652 security expertise to make lisp-crypto as secure as the state of the 653 art in cryptography. 655 In addition, the support and suggestions from the SAAG working group 656 were helpful and appreciative. 658 Appendix B. Document Change Log 660 B.1. Changes to draft-ietf-lisp-crypto-03.txt 662 o Posted December 2015. 664 o Changed cipher suite allocations. We now have 2 AES-CBC cipher 665 suites for compatibility, 3 AES-GCM cipher suites that are faster 666 ciphers that include AE and a Chacha20-Poly1305 cipher suite which 667 is the fastest but not totally proven/accepted.. 669 o Remove 1024-bit DH keys for key exchange. 671 o Make clear that AES and chacha20 ciphers use AEAD so part of 672 encrytion/decryption does authentication. 674 o Make it more clear that separate key pairs are used in each 675 direction between xTRs. 677 o Indicate that the IV length is different per cipher suite. 679 o Use a counter based IV for every packet for AEAD ciphers. 680 Previously text said to use a random number. But CBC ciphers, use 681 a random number. 683 o Indicate that key material is sent in network byte order (big 684 endian). 686 o Remove A-bit from Security Type LCAF. No need to do 687 authentication only with the introduction of AEAD ciphers. These 688 ciphers can do authentication. So you get ciphertext for free. 690 o Remove language that refers to "encryption-key" and "integrity- 691 key". Used term "AEAD-key" that is used by the AEAD cipher suites 692 that do encryption and authenticaiton internal to the cipher. 694 B.2. Changes to draft-ietf-lisp-crypto-02.txt 696 o Posted September 2015. 698 o Add cipher suite for Elliptic Curve 25519 DH exchange. 700 o Add cipher suite for Chacha20/Poly1305 ciphers. 702 B.3. Changes to draft-ietf-lisp-crypto-01.txt 704 o Posted May 2015. 706 o Create cipher suites and encode them in the Security LCAF. 708 o Add IV to beginning of packet header and ICV to end of packet. 710 o AEAD procedures are now part of encrpytion process. 712 B.4. Changes to draft-ietf-lisp-crypto-00.txt 714 o Posted January 2015. 716 o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto- 717 00. This draft has become a working group document 719 o Add text to indicate the working group may work on a new data 720 encapsulation header format for data-plane encryption. 722 B.5. Changes to draft-farinacci-lisp-crypto-01.txt 724 o Posted July 2014. 726 o Add Group-ID to the encoding format of Key Material in a Security 727 Type LCAF and modify the IANA Considerations so this draft can use 728 key exchange parameters from the IANA registry. 730 o Indicate that the R-bit in the Security Type LCAF is not used by 731 lisp-crypto. 733 o Add text to indicate that ETRs/RTRs can negotiate less number of 734 keys from which the ITR/PITR sent in a Map-Request. 736 o Add text explaining how LISP-SEC solves the problem when a man-in- 737 the-middle becomes part of the Map-Request/Map-Reply key exchange 738 process. 740 o Add text indicating that when RLOC-probing is used for RLOC 741 reachability purposes and rekeying is not desired, that the same 742 key exchange parameters should be used so a reallocation of a 743 pubic key does not happen at the ETR. 745 o Add text to indicate that ECDH can be used to reduce CPU 746 requirements for computing shared secret-keys. 748 B.6. Changes to draft-farinacci-lisp-crypto-00.txt 750 o Initial draft posted February 2014. 752 Authors' Addresses 754 Dino Farinacci 755 lispers.net 756 San Jose, California 95120 757 USA 759 Phone: 408-718-2001 760 Email: farinacci@gmail.com 762 Brian Weis 763 cisco Systems 764 170 West Tasman Drive 765 San Jose, California 95124-1706 766 USA 768 Phone: 408-526-4796 769 Email: bew@cisco.com