idnits 2.17.1 draft-ietf-lisp-crypto-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 12, 2016) is 2751 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Outdated reference: A later version (-22) exists of draft-ietf-lisp-lcaf-13 ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 6830 (Obsoleted by RFC 9300, RFC 9301) ** Obsolete normative reference: RFC 7539 (Obsoleted by RFC 8439) == Outdated reference: A later version (-29) exists of draft-ietf-lisp-sec-10 Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force D. Farinacci 3 Internet-Draft lispers.net 4 Intended status: Experimental B. Weis 5 Expires: April 15, 2017 cisco Systems 6 October 12, 2016 8 LISP Data-Plane Confidentiality 9 draft-ietf-lisp-crypto-09 11 Abstract 13 This document describes a mechanism for encrypting LISP encapsulated 14 traffic. The design describes how key exchange is achieved using 15 existing LISP control-plane mechanisms as well as how to secure the 16 LISP data-plane from third-party surveillance attacks. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on April 15, 2017. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3 54 3. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 4 55 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 5. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 4 57 6. Encoding and Transmitting Key Material . . . . . . . . . . . 5 58 7. Shared Keys used for the Data-Plane . . . . . . . . . . . . . 8 59 8. Data-Plane Operation . . . . . . . . . . . . . . . . . . . . 10 60 9. Procedures for Encryption and Decryption . . . . . . . . . . 11 61 10. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . . 12 62 11. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 13 63 12. Security Considerations . . . . . . . . . . . . . . . . . . . 13 64 12.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . . 13 65 12.2. LISP-Crypto Security Threats . . . . . . . . . . . . . . 14 66 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 67 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 68 14.1. Normative References . . . . . . . . . . . . . . . . . . 15 69 14.2. Informative References . . . . . . . . . . . . . . . . . 16 70 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 17 71 Appendix B. Document Change Log . . . . . . . . . . . . . . . . 17 72 B.1. Changes to draft-ietf-lisp-crypto-09.txt . . . . . . . . 17 73 B.2. Changes to draft-ietf-lisp-crypto-08.txt . . . . . . . . 18 74 B.3. Changes to draft-ietf-lisp-crypto-07.txt . . . . . . . . 18 75 B.4. Changes to draft-ietf-lisp-crypto-06.txt . . . . . . . . 18 76 B.5. Changes to draft-ietf-lisp-crypto-05.txt . . . . . . . . 18 77 B.6. Changes to draft-ietf-lisp-crypto-04.txt . . . . . . . . 18 78 B.7. Changes to draft-ietf-lisp-crypto-03.txt . . . . . . . . 18 79 B.8. Changes to draft-ietf-lisp-crypto-02.txt . . . . . . . . 19 80 B.9. Changes to draft-ietf-lisp-crypto-01.txt . . . . . . . . 19 81 B.10. Changes to draft-ietf-lisp-crypto-00.txt . . . . . . . . 19 82 B.11. Changes to draft-farinacci-lisp-crypto-01.txt . . . . . . 20 83 B.12. Changes to draft-farinacci-lisp-crypto-00.txt . . . . . . 20 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 86 1. Introduction 88 The Locator/ID Separation Protocol [RFC6830] defines a set of 89 functions for routers to exchange information used to map from non- 90 routable Endpoint Identifiers (EIDs) to routable Routing Locators 91 (RLOCs). LISP Ingress Tunnel Routers (ITRs) and Proxy Ingress Tunnel 92 Routers (PITRs) encapsulate packets to Egress Tunnel Routers (ETRs) 93 and Reencapsulating Tunnel Routers (RTRs). Packets that arrive at 94 the ITR or PITR are typically not modified, which means no protection 95 or privacy of the data is added. If the source host encrypts the 96 data stream then the encapsulated packets can be encrypted but would 97 be redundant. However, when plaintext packets are sent by hosts, 98 this design can encrypt the user payload to maintain privacy on the 99 path between the encapsulator (the ITR or PITR) to a decapsulator 100 (ETR or RTR). The encrypted payload is unidirectional. However, 101 return traffic uses the same procedures but with different key values 102 by the same xTRs or potentially different xTRs when the paths between 103 LISP sites are asymmetric. 105 This document has the following requirements (as well as the general 106 requirements from [RFC6973]) for the solution space: 108 o Do not require a separate Public Key Infrastructure (PKI) that is 109 out of scope of the LISP control-plane architecture. 111 o The budget for key exchange MUST be one round-trip time. That is, 112 only a two packet exchange can occur. 114 o Use symmetric keying so faster cryptography can be performed in 115 the LISP data plane. 117 o Avoid a third-party trust anchor if possible. 119 o Provide for rekeying when secret keys are compromised. 121 o Support Authenticated Encryption with packet integrity checks. 123 o Support multiple cipher suites so new crypto algorithms can be 124 easily introduced. 126 Satisfying the above requirements provides the following benefits: 128 o Avoiding a PKI infrastructure reduces the operational cost of 129 managing a secure network. Key management is distributed and 130 independent from any other infrastructure. 132 o Packet transport is optimized due to less packet headers. Packet 133 loss is reduced by a more efficient key exchange. 135 o Authentication and privacy are provided with a single mechanism 136 thereby providing less per packet overhead and therefore more 137 resource efficiency. 139 2. Requirements Notation 141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 143 document are to be interpreted as described in [RFC2119]. 145 3. Definition of Terms 147 AEAD: Authenticated Encryption with Additional Data. 149 ICV: Integrity Check Value. 151 LCAF: LISP Canonical Address Format ([LCAF]). 153 xTR: A general reference to ITRs, ETRs, RTRs, and PxTRs. 155 4. Overview 157 The approach proposed in this document is to NOT rely on the LISP 158 mapping system (or any other key infrastructure system) to store 159 security keys. This will provide for a simpler and more secure 160 mechanism. Secret shared keys will be negotiated between the ITR and 161 the ETR in Map-Request and Map-Reply messages. Therefore, when an 162 ITR needs to obtain the RLOC of an ETR, it will get security material 163 to compute a shared secret with the ETR. 165 The ITR can compute 3 shared-secrets per ETR the ITR is encapsulating 166 to. When the ITR encrypts a packet before encapsulation, it will 167 identify the key it used for the crypto calculation so the ETR knows 168 which key to use for decrypting the packet after decapsulation. By 169 using key-ids in the LISP header, we can also get fast rekeying 170 functionality. 172 The key management described in this documemnt is unidirectional from 173 the ITR (the encapsulator) to the ETR (the decapsultor). 175 5. Diffie-Hellman Key Exchange 177 LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and 178 computation for computing a shared secret. The Diffie-Hellman 179 parameters will be passed via Cipher Suite code-points in Map-Request 180 and Map-Reply messages. 182 Here is a brief description how Diff-Hellman works: 184 +----------------------------+---------+----------------------------+ 185 | ITR | | ETR | 186 +------+--------+------------+---------+------------+---------------+ 187 |Secret| Public | Calculates | Sends | Calculates | Public |Secret| 188 +------|--------|------------|---------|------------|--------|------+ 189 | i | p,g | | p,g --> | | | e | 190 +------|--------|------------|---------|------------|--------|------+ 191 | i | p,g,I |g^i mod p=I | I --> | | p,g,I | e | 192 +------|--------|------------|---------|------------|--------|------+ 193 | i | p,g,I | | <-- E |g^e mod p=E | p,g | e | 194 +------|--------|------------|---------|------------|--------|------+ 195 | i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s | 196 +------|--------|------------|---------|------------|--------|------+ 198 Public-key exchange for computing a shared private key [DH] 200 Diffie-Hellman parameters 'p' and 'g' must be the same values used by 201 the ITR and ETR. The ITR computes public-key 'I' and transmits 'I' 202 in a Map-Request packet. When the ETR receives the Map-Request, it 203 uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The 204 ETR transmits 'E' in a Map-Reply message. At this point, the ETR has 205 enough information to compute 's', the shared secret, by using 'I' as 206 the base and the ETR's private key 'e' as the exponent. When the ITR 207 receives the Map-Reply, it uses the ETR's public-key 'E' with the 208 ITR's private key 'i' to compute the same 's' shared secret the ETR 209 computed. The value 'p' is used as a modulus to create the width of 210 the shared secret 's' (see Section 6). 212 6. Encoding and Transmitting Key Material 214 The Diffie-Hellman key material is transmitted in Map-Request and 215 Map-Reply messages. Diffie-Hellman parameters are encoded in the 216 LISP Security Type LCAF [LCAF]. 218 0 1 2 3 219 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 220 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 | AFI = 16387 | Rsvd1 | Flags | 222 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 223 | Type = 11 | Rsvd2 | 6 + n | 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 225 | Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R| 226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 227 | Key Length | Public Key Material ... | 228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 229 | ... Public Key Material | 230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 231 | AFI = x | Locator Address ... | 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 234 Cipher Suite field contains DH Key Exchange and Cipher/Hash Functions 236 The 'Key Count' field encodes the number of {'Key-Length', 'Key- 237 Material'} fields included in the encoded LCAF. The maximum number 238 of keys that can be encoded are 3, each identified by key-id 1, 239 followed by key-id 2, and finally key-id 3. 241 The 'R' bit is not used for this use-case of the Security Type LCAF 242 but is reserved for [LISP-DDT] security. Therefore, the R bit SHOULD 243 be transmitted as 0 and MUST be ignored on receipt. 245 Cipher Suite 0: 246 Reserved 248 Cipher Suite 1: 249 Diffie-Hellman Group: 2048-bit MODP [RFC3526] 250 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 251 Integrity: Integrated with [AES-CBC] AEAD_AES_128_CBC_HMAC_SHA_256 252 IV length: 16 bytes 254 Cipher Suite 2: 255 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 256 Encryption: AES with 128-bit keys in CBC mode [AES-CBC] 257 Integrity: Integrated with [AES-CBC] AEAD_AES_128_CBC_HMAC_SHA_256 258 IV length: 16 bytes 260 Cipher Suite 3: 261 Diffie-Hellman Group: 2048-bit MODP [RFC3526] 262 Encryption: AES with 128-bit keys in GCM mode [RFC5116] 263 Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM 264 IV length: 12 bytes 266 Cipher Suite 4: 267 Diffie-Hellman Group: 3072-bit MODP [RFC3526] 268 Encryption: AES with 128-bit keys in GCM mode [RFC5116] 269 Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM 270 IV length: 12 bytes 272 Cipher Suite 5: 273 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 274 Encryption: AES with 128-bit keys in GCM mode [RFC5116] 275 Integrity: Integrated with [RFC5116] AEAD_AES_128_GCM 276 IV length: 12 bytes 278 Cipher Suite 6: 279 Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] 280 Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539] 281 Integrity: Integrated with [CHACHA-POLY] AEAD_CHACHA20_POLY1305 282 IV length: 8 bytes 284 The "Public Key Material" field contains the public key generated by 285 one of the Cipher Suites defined above. The length of the key in 286 octets is encoded in the "Key Length" field. 288 When an ITR, PITR, or RTR sends a Map-Request, they will encode their 289 own RLOC in the Security Type LCAF format within the ITR-RLOCs field. 290 When a ETR or RTR sends a Map-Reply, they will encode their RLOCs in 291 Security Type LCAF format within the RLOC-record field of each EID- 292 record supplied. 294 If an ITR, PITR, or RTR sends a Map-Request with the Security Type 295 LCAF included and the ETR or RTR does not want to have encapsulated 296 traffic encrypted, they will return a Map-Reply with no RLOC records 297 encoded with the Security Type LCAF. This signals to the ITR, PITR 298 or RTR not to encrypt traffic (it cannot encrypt traffic anyways 299 since no ETR public-key was returned). 301 Likewise, if an ITR or PITR wish to include multiple key-ids in the 302 Map-Request but the ETR or RTR wish to use some but not all of the 303 key-ids, they return a Map-Reply only for those key-ids they wish to 304 use. 306 7. Shared Keys used for the Data-Plane 308 When an ITR or PITR receives a Map-Reply accepting the Cipher Suite 309 sent in the Map-Request, it is ready to create data plane keys. The 310 same process is followed by the ETR or RTR returning the Map-Reply. 312 The first step is to create a shared secret, using the peer's shared 313 Diffie-Hellman Public Key Material combined with device's own private 314 keying material as described in Section 5. The Diffie-Hellman 315 parameters used is defined in the cipher suite sent in the Map- 316 Request and copied into the Map-Reply. 318 The resulting shared secret is used to compute an AEAD-key for the 319 algorithms specified in the cipher suite. A Key Derivation Function 320 (KDF) in counter mode as specified by [NIST-SP800-108] is used to 321 generate the data-plane keys. The amount of keying material that is 322 derived depends on the algorithms in the cipher suite. 324 The inputs to the KDF are as follows: 326 o KDF function. This is HMAC-SHA-256. 328 o A key for the KDF function. This is the computed Diffie-Hellman 329 shared secret. 331 o Context that binds the use of the data-plane keys to this session. 332 The context is made up of the following fields, which are 333 concatenated and provided as the data to be acted upon by the KDF 334 function. 336 Context: 338 o A counter, represented as a two-octet value in network byte order. 340 o The null-terminated string "lisp-crypto". 342 o The ITR's nonce from the Map-Request the cipher suite was included 343 in. 345 o The number of bits of keying material required (L), represented as 346 a two-octet value in network byte order. 348 The counter value in the context is first set to 1. When the amount 349 of keying material exceeds the number of bits returned by the KDF 350 function, then the KDF function is called again with the same inputs 351 except that the counter increments for each call. When enough keying 352 material is returned, it is concatenated and used to create keys. 354 For example, AES with 128-bit keys requires 16 octets (128 bits) of 355 keying material, and HMAC-SHA1-96 requires another 16 octets (128 356 bits) of keying material in order to maintain a consistent 128-bits 357 of security. Since 32 octets (256 bits) of keying material are 358 required, and the KDF function HMAC-SHA-256 outputs 256 bits, only 359 one call is required. The inputs are as follows: 361 key-material = HMAC-SHA-256(dh-shared-secret, context) 363 where: context = 0x0001 || "lisp-crypto" || || 0x0100 365 In contrast, a cipher suite specifying AES with 256-bit keys requires 366 32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires 367 another 32 octets (256 bits) of keying material in order to maintain 368 a consistent 256-bits of security. Since 64 octets (512 bits) of 369 keying material are required, and the KDF function HMAC-SHA-256 370 outputs 256 bits, two calls are required. 372 key-material-1 = HMAC-SHA-256(dh-shared-secret, context) 374 where: context = 0x0001 || "lisp-crypto" || || 0x0200 376 key-material-2 = HMAC-SHA-256(dh-shared-secret, context) 378 where: context = 0x0002 || "lisp-crypto" || || 0x0200 380 key-material = key-material-1 || key-material-2 382 If the key-material is longer than the required number of bits (L), 383 then only the most significant L bits are used. 385 From the derived key-material, the most significant 256 bits are used 386 for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided 387 into a 128-bit encryption key and a 128-bit integrity check key 388 internal to the cipher used by the ITR. 390 8. Data-Plane Operation 392 The LISP encapsulation header [RFC6830] requires changes to encode 393 the key-id for the key being used for encryption. 395 0 1 2 3 396 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 397 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 398 / | Source Port = xxxx | Dest Port = 4341 | 399 UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 400 \ | UDP Length | UDP Checksum | 401 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 402 L / |N|L|E|V|I|R|K|K| Nonce/Map-Version |\ \ 403 I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A 404 S \ | Instance ID/Locator-Status-Bits | |D 405 P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/ 406 | Initialization Vector (IV) | I 407 E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C 408 n / | | V 409 c | | | 410 r | Packet Payload with EID Header ... | | 411 y | | | 412 p \ | |/ 413 t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 415 K-bits indicate when packet is encrypted and which key used 417 When the KK bits are 00, the encapsulated packet is not encrypted. 418 When the value of the KK bits are 1, 2, or 3, it encodes the key-id 419 of the secret keys computed during the Diffie-Hellman Map-Request/ 420 Map-Reply exchange. When the KK bits are not 0, the payload is 421 prepended with an Initialization Vector (IV). The length of the IV 422 field is based on the cipher suite used. Since all cipher suites 423 defined in this document do Authenticated Encryption (AEAD), an ICV 424 field does not need to be present in the packet since it is included 425 in the ciphertext. The Additional Data (AD) used for the ICV is 426 shown above and includes the LISP header, the IV field and the packet 427 payload. 429 When an ITR or PITR receives a packet to be encapsulated, the device 430 will first decide what key to use, encode the key-id into the LISP 431 header, and use that key to encrypt all packet data that follows the 432 LISP header. Therefore, the outer header, UDP header, and LISP 433 header travel as plaintext. 435 There is an open working group item to discuss if the data 436 encapsulation header needs change for encryption or any new 437 applications. This document proposes changes to the existing header 438 so experimentation can continue without making large changes to the 439 data-plane at this time. This document allocates 2 bits of the 440 previously unused 3 flag bits (note the R-bit above is still a 441 reserved flag bit as documented in [RFC6830]) for the KK bits. 443 9. Procedures for Encryption and Decryption 445 When an ITR, PITR, or RTR encapsulate a packet and have already 446 computed an AEAD-key (detailed in section Section 7) that is 447 associated with a destination RLOC, the following encryption and 448 encapsulation procedures are performed: 450 1. The encapsulator creates an IV and prepends the IV value to the 451 packet being encapsulated. For GCM and Chacha cipher suites, the 452 IV is incremented for every packet (beginning with a value of 1 453 in the first packet) and sent to the destination RLOC. For CBC 454 cipher suites, the IV is a new random number for every packet 455 sent to the destination RLOC. For the Chacha cipher suite, the 456 IV is an 8-byte random value that is appended to a 4-byte counter 457 that is incremented for every packet (beginning with a value of 1 458 in the first packet). 460 2. Next encrypt with cipher function AES or Chacha20 using the AEAD- 461 key over the packet payload following the AEAD specification 462 referenced in the cipher suite definition. This does not include 463 the IV. The IV must be transmitted as plaintext so the decrypter 464 can use it as input to the decryption cipher. The payload should 465 be padded to an integral number of bytes a block cipher may 466 require. The result of the AEAD operation may contain an ICV, 467 the size of which is defined by the referenced AEAD 468 specification. Note that the AD (i.e. the LISP header exactly as 469 will be prepended in the next step and the IV) must be given to 470 the AEAD encryption function as the "associated data" argument. 472 3. Prepend the LISP header. The key-id field of the LISP header is 473 set to the key-id value that corresponds to key-pair used for the 474 encryption cipher. 476 4. Lastly, prepend the UDP header and outer IP header onto the 477 encrypted packet and send packet to destination RLOC. 479 When an ETR, PETR, or RTR receive an encapsulated packet, the 480 following decapsulation and decryption procedures are performed: 482 1. The outer IP header, UDP header, LISP header, and IV field are 483 stripped from the start of the packet. The LISP header and IV 484 are retained and given to the AEAD decryption operation as the 485 "associated data" argument. 487 2. The packet is decrypted using the AEAD-key and the IV from the 488 packet. The AEAD-key is obtained from a local-cache associated 489 with the key-id value from the LISP header. The result of the 490 decryption function is a plaintext packet payload if the cipher 491 returned a verified ICV. Otherwise, the packet has been tampered 492 with and is discarded. If the AEAD specification included an 493 ICV, the AEAD decryption function will locate the ICV in the 494 ciphertext and compare it to a version of the ICV that the AEAD 495 decryption function computes. If the computed ICV is different 496 than the ICV located in the ciphertext, then it will be 497 considered tampered. 499 3. If the packet was not tampered with, the decrypted packet is 500 forwarded to the destination EID. 502 10. Dynamic Rekeying 504 Since multiple keys can be encoded in both control and data messages, 505 an ITR can encapsulate and encrypt with a specific key while it is 506 negotiating other keys with the same ETR. As soon as an ETR or RTR 507 returns a Map-Reply, it should be prepared to decapsulate and decrypt 508 using the new keys computed with the new Diffie-Hellman parameters 509 received in the Map-Request and returned in the Map-Reply. 511 RLOC-probing can be used to change keys or cipher suites by the ITR 512 at any time. And when an initial Map-Request is sent to populate the 513 ITR's map-cache, the Map-Request flows across the mapping system 514 where a single ETR from the Map-Reply RLOC-set will respond. If the 515 ITR decides to use the other RLOCs in the RLOC-set, it MUST send a 516 Map-Request directly to negotiate security parameters with the ETR. 517 This process may be used to test reachability from an ITR to an ETR 518 initially when a map-cache entry is added for the first time, so an 519 ITR can get both reachability status and keys negotiated with one 520 Map-Request/Map-Reply exchange. 522 A rekeying event is defined to be when an ITR or PITR changes the 523 cipher suite or public-key in the Map-Request. The ETR or RTR 524 compares the cipher suite and public-key it last received from the 525 ITR for the key-id, and if any value has changed, it computes a new 526 public-key and cipher suite requested by the ITR from the Map-Request 527 and returns it in the Map-Reply. Now a new shared secret is computed 528 and can be used for the key-id for encryption by the ITR and 529 decryption by the ETR. When the ITR or PITR starts this process of 530 negotiating a new key, it must not use the corresponding key-id in 531 encapsulated packets until it receives a Map-Reply from the ETR with 532 the same cipher suite value it expects (the values it sent in a Map- 533 Request). 535 Note when RLOC-probing continues to maintain RLOC reachability and 536 rekeying is not desirable, the ITR or RTR can either not include the 537 Security Type LCAF in the Map-Request or supply the same key material 538 as it received from the last Map-Reply from the ETR or RTR. This 539 approach signals to the ETR or RTR that no rekeying event is 540 requested. 542 11. Future Work 544 For performance considerations, newer Elliptic-Curve Diffie-Hellman 545 (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to 546 reduce CPU cycles required to compute shared secret keys. 548 For better security considerations as well as to be able to build 549 faster software implementations, newer approaches to ciphers and 550 authentication methods will be researched and tested. Some examples 551 are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539]. 553 12. Security Considerations 555 12.1. SAAG Support 557 The LISP working group received security advice and guidance from the 558 Security Area Advisory Group (SAAG). The SAAG has been involved 559 early in the design process and their input and reviews have been 560 included in this document. 562 Comments from the SAAG included: 564 1. Do not use asymmetric ciphers in the data-plane. 566 2. Consider adding ECDH early in the design. 568 3. Add cipher suites because ciphers are created more frequently 569 than protocols that use them. 571 4. Consider the newer AEAD technology so authentication comes with 572 doing encryption. 574 12.2. LISP-Crypto Security Threats 576 Since ITRs and ETRs participate in key exchange over a public non- 577 secure network, a man-in-the-middle (MITM) could circumvent the key 578 exchange and compromise data-plane confidentiality. This can happen 579 when the MITM is acting as a Map-Replier, provides its own public key 580 so the ITR and the MITM generate a shared secret key among each 581 other. If the MITM is in the data path between the ITR and ETR, it 582 can use the shared secret key to decrypt traffic from the ITR. 584 Since LISP can secure Map-Replies by the authentication process 585 specified in [LISP-SEC], the ITR can detect when a MITM has signed a 586 Map-Reply for an EID-prefix it is not authoritative for. When an ITR 587 determines the signature verification fails, it discards and does not 588 reuse the key exchange parameters, avoids using the ETR for 589 encapsulation, and issues a severe log message to the network 590 administrator. Optionally, the ITR can send RLOC-probes to the 591 compromised RLOC to determine if can reach the authoritative ETR. 592 And when the ITR validates the signature of a Map-Reply, it can begin 593 encrypting and encapsulating packets to the RLOC of ETR. 595 13. IANA Considerations 597 This document describes a mechanism for encrypting LISP encapsulated 598 packets based on Diffie-Hellman key exchange procedures. During the 599 exchange the devices have to agree on a Cipher Suite used (i.e. the 600 cipher and hash functions used to encrypt/decrypt and to sign/verify 601 packets). The 8-bit Cipher Suite field is reserved for such purpose 602 in the security material section of the Map-Request and Map-Reply 603 messages. 605 This document requests IANA to create and maintain a new registry (as 606 outlined in [RFC5226]) entitled "LISP Crypto Cipher Suite". Initial 607 values for the registry are provided below. Future assignments are 608 to be made on a First Come First Served Basis. 610 +-----+--------------------------------------------+------------+ 611 |Value| Suite | Definition | 612 +-----+--------------------------------------------+------------+ 613 | 0 | Reserved | Section 6 | 614 +-----+--------------------------------------------+------------+ 615 | 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 | 616 +-----+--------------------------------------------+------------+ 617 | 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 | 618 +-----+--------------------------------------------+------------+ 619 | 3 | LISP_2048MODP_AES128_GCM | Section 6 | 620 +-----+--------------------------------------------+------------+ 621 | 4 | LISP_3072MODP_AES128_GCM M-3072 | Section 6 | 622 +-----+--------------------------------------------+------------+ 623 | 5 | LISP_256_EC25519_AES128_GCM | Section 6 | 624 +-----+--------------------------------------------+------------+ 625 | 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 | 626 +-----+--------------------------------------------+------------+ 628 LISP Crypto Cipher Suites 630 14. References 632 14.1. Normative References 634 [LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical 635 Address Format", draft-ietf-lisp-lcaf-13.txt (work in 636 progress). 638 [NIST-SP800-108] 639 "National Institute of Standards and Technology, 640 "Recommendation for Key Derivation Using Pseudorandom 641 Functions NIST SP800-108"", NIST SP 800-108, October 2009. 643 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 644 Requirement Levels", BCP 14, RFC 2119, 645 DOI 10.17487/RFC2119, March 1997, 646 . 648 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 649 RFC 2631, DOI 10.17487/RFC2631, June 1999, 650 . 652 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 653 Diffie-Hellman groups for Internet Key Exchange (IKE)", 654 RFC 3526, DOI 10.17487/RFC3526, May 2003, 655 . 657 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 658 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 659 for Transport Layer Security (TLS)", RFC 4492, 660 DOI 10.17487/RFC4492, May 2006, 661 . 663 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 664 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 665 . 667 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 668 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 669 DOI 10.17487/RFC5226, May 2008, 670 . 672 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 673 Curve Cryptography Algorithms", RFC 6090, 674 DOI 10.17487/RFC6090, February 2011, 675 . 677 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 678 Locator/ID Separation Protocol (LISP)", RFC 6830, 679 DOI 10.17487/RFC6830, January 2013, 680 . 682 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 683 Morris, J., Hansen, M., and R. Smith, "Privacy 684 Considerations for Internet Protocols", RFC 6973, 685 DOI 10.17487/RFC6973, July 2013, 686 . 688 [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF 689 Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, 690 . 692 14.2. Informative References 694 [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated 695 Encryption with AES-CBC and HMAC-SHA", draft-mcgrew-aead- 696 aes-cbc-hmac-sha2-05.txt (work in progress). 698 [CHACHA-POLY] 699 Langley, A., "ChaCha20 and Poly1305 based Cipher Suites 700 for TLS", draft-agl-tls-chacha20poly1305-04 (work in 701 progress). 703 [CURVE25519] 704 Bernstein, D., "Curve25519: new Diffie-Hellman speed 705 records", Publication 706 http://www.iacr.org/cryptodb/archive/2006/ 707 PKC/3351/3351.pdf. 709 [DH] "Diffie-Hellman key exchange", Wikipedia 710 http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange. 712 [LISP-DDT] 713 Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP 714 Delegated Database Tree", draft-fuller-lisp-ddt-04 (work 715 in progress). 717 [LISP-SEC] 718 Maino, F., Ermagan, V., Cabellos, A., and D. Saucez, 719 "LISP-Secuirty (LISP-SEC)", draft-ietf-lisp-sec-10 (work 720 in progress). 722 Appendix A. Acknowledgments 724 The authors would like to thank Dan Harkins, Joel Halpern, Fabio 725 Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest, 726 suggestions, and discussions about LISP data-plane security. An 727 individual thank you to LISP WG chair Luigi Iannone for shepherding 728 this document as well as contributing to the IANA Considerations 729 section. 731 The authors would like to give a special thank you to Ilari Liusvaara 732 for his extensive commentary and discussion. He has contributed his 733 security expertise to make lisp-crypto as secure as the state of the 734 art in cryptography. 736 In addition, the support and suggestions from the SAAG working group 737 were helpful and appreciative. 739 Appendix B. Document Change Log 741 [RFC Editor: Please delete this section on publication as RFC.] 743 B.1. Changes to draft-ietf-lisp-crypto-09.txt 745 o Posted October 2016. 747 o Addressed comments from OPs Directorate reviewer Susan Hares. 749 B.2. Changes to draft-ietf-lisp-crypto-08.txt 751 o Posted September 2016. 753 o Addressed comments from Security Directorate reviewer Chris 754 Lonvick. 756 B.3. Changes to draft-ietf-lisp-crypto-07.txt 758 o Posted September 2016. 760 o Addressed comments from Routing Directorate reviewer Danny 761 McPherson. 763 B.4. Changes to draft-ietf-lisp-crypto-06.txt 765 o Posted June 2016. 767 o Fixed IDnits errors. 769 B.5. Changes to draft-ietf-lisp-crypto-05.txt 771 o Posted June 2016. 773 o Update document which reflects comments Luigi provided as document 774 shepherd. 776 B.6. Changes to draft-ietf-lisp-crypto-04.txt 778 o Posted May 2016. 780 o Update document timer from expiration. 782 B.7. Changes to draft-ietf-lisp-crypto-03.txt 784 o Posted December 2015. 786 o Changed cipher suite allocations. We now have 2 AES-CBC cipher 787 suites for compatibility, 3 AES-GCM cipher suites that are faster 788 ciphers that include AE and a Chacha20-Poly1305 cipher suite which 789 is the fastest but not totally proven/accepted.. 791 o Remove 1024-bit DH keys for key exchange. 793 o Make clear that AES and chacha20 ciphers use AEAD so part of 794 encrytion/decryption does authentication. 796 o Make it more clear that separate key pairs are used in each 797 direction between xTRs. 799 o Indicate that the IV length is different per cipher suite. 801 o Use a counter based IV for every packet for AEAD ciphers. 802 Previously text said to use a random number. But CBC ciphers, use 803 a random number. 805 o Indicate that key material is sent in network byte order (big 806 endian). 808 o Remove A-bit from Security Type LCAF. No need to do 809 authentication only with the introduction of AEAD ciphers. These 810 ciphers can do authentication. So you get ciphertext for free. 812 o Remove language that refers to "encryption-key" and "integrity- 813 key". Used term "AEAD-key" that is used by the AEAD cipher suites 814 that do encryption and authenticaiton internal to the cipher. 816 B.8. Changes to draft-ietf-lisp-crypto-02.txt 818 o Posted September 2015. 820 o Add cipher suite for Elliptic Curve 25519 DH exchange. 822 o Add cipher suite for Chacha20/Poly1305 ciphers. 824 B.9. Changes to draft-ietf-lisp-crypto-01.txt 826 o Posted May 2015. 828 o Create cipher suites and encode them in the Security LCAF. 830 o Add IV to beginning of packet header and ICV to end of packet. 832 o AEAD procedures are now part of encrpytion process. 834 B.10. Changes to draft-ietf-lisp-crypto-00.txt 836 o Posted January 2015. 838 o Changing draft-farinacci-lisp-crypto-01 to draft-ietf-lisp-crypto- 839 00. This draft has become a working group document 841 o Add text to indicate the working group may work on a new data 842 encapsulation header format for data-plane encryption. 844 B.11. Changes to draft-farinacci-lisp-crypto-01.txt 846 o Posted July 2014. 848 o Add Group-ID to the encoding format of Key Material in a Security 849 Type LCAF and modify the IANA Considerations so this draft can use 850 key exchange parameters from the IANA registry. 852 o Indicate that the R-bit in the Security Type LCAF is not used by 853 lisp-crypto. 855 o Add text to indicate that ETRs/RTRs can negotiate less number of 856 keys from which the ITR/PITR sent in a Map-Request. 858 o Add text explaining how LISP-SEC solves the problem when a man-in- 859 the-middle becomes part of the Map-Request/Map-Reply key exchange 860 process. 862 o Add text indicating that when RLOC-probing is used for RLOC 863 reachability purposes and rekeying is not desired, that the same 864 key exchange parameters should be used so a reallocation of a 865 pubic key does not happen at the ETR. 867 o Add text to indicate that ECDH can be used to reduce CPU 868 requirements for computing shared secret-keys. 870 B.12. Changes to draft-farinacci-lisp-crypto-00.txt 872 o Initial draft posted February 2014. 874 Authors' Addresses 876 Dino Farinacci 877 lispers.net 878 San Jose, California 95120 879 USA 881 Phone: 408-718-2001 882 Email: farinacci@gmail.com 883 Brian Weis 884 cisco Systems 885 170 West Tasman Drive 886 San Jose, California 95124-1706 887 USA 889 Phone: 408-526-4796 890 Email: bew@cisco.com