idnits 2.17.1 draft-ietf-pana-ipsec-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5 on line 761. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 738. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 745. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 751. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 765), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 36. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year ** The document contains RFC2119-like boilerplate, but doesn't seem to mention RFC 2119. The boilerplate contains a reference [RFC2118], but that reference does not seem to mention RFC 2119 either. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2005) is 6857 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC2118' is mentioned on line 148, but not defined == Unused Reference: 'RFC2119' is defined on line 565, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2401 (Obsoleted by RFC 4301) -- No information found for draft-ietf-pana - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'PANA-PROT' ** Downref: Normative reference to an Informational RFC: RFC 4016 == Outdated reference: A later version (-10) exists of draft-ietf-pana-framework-01 -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) == Outdated reference: A later version (-17) exists of draft-ietf-ipsec-ikev2-15 -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 2461 (Obsoleted by RFC 4861) -- Obsolete informational reference (is this intentional?): RFC 2462 (Obsoleted by RFC 4862) -- Obsolete informational reference (is this intentional?): RFC 3041 (Obsoleted by RFC 4941) == Outdated reference: A later version (-22) exists of draft-ietf-eap-keying-06 == Outdated reference: A later version (-17) exists of draft-ietf-zeroconf-ipv4-linklocal-12 Summary: 7 errors (**), 0 flaws (~~), 8 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PANA Working Group 3 Internet Draft M. Parthasarathy 4 Document: draft-ietf-pana-ipsec-07.txt Nokia 5 Expires: January 2006 July 2005 7 PANA Enabling IPsec based Access Control 9 Status of this Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as 19 Internet-Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on January 2006. 34 Copyright Notice 36 Copyright (C) The Internet Society (2005). All Rights Reserved. 38 Abstract 40 PANA (Protocol for carrying Authentication for Network Access) is a 41 protocol for authenticating clients to the access network using IP 42 based protocols. The PANA protocol authenticates the client and also 43 establishes a PANA security association between the PANA client and 44 PANA authentication agent at the end of a successful authentication. 45 This document discusses the details for establishing an IPsec 46 security association using the PANA security association for enabling 47 IPsec based access control. 49 Table of Contents 50 1.0 Introduction..................................................2 51 2.0 Keywords......................................................4 52 3.0 Pre-requisites for IPsec SA establishment.....................4 53 4.0 IP Address Configuration......................................4 54 5.0 IKE Pre-shared key derivation.................................5 55 6.0 IKE and IPsec details.........................................6 56 7.0 Packet Formats................................................7 57 8.0 IPsec SPD entries.............................................8 58 9.0 Dual Stack Operation.........................................11 59 10.0 IANA Considerations.........................................12 60 10.0 Security considerations.....................................12 61 11.0 Normative References........................................12 62 12.0 Informative References......................................12 63 13.0 Acknowledgments.............................................14 64 14.0 Revision log................................................14 65 15.0 Appendix A..................................................15 66 16.0 Author's Addresses..........................................16 67 Intellectual Property Statement..................................16 68 Disclaimer of Validity...........................................17 69 Copyright Statement..............................................17 70 Acknowledgment...................................................17 72 1.0 Introduction 74 PANA (Protocol for carrying Authentication for Network Access) is a 75 protocol [PANA-PROT] for authenticating clients to the access network 76 using IP based protocols. The PANA protocol authenticates the client 77 and also establishes a PANA security association between the PANA 78 client (PaC) and PANA authentication agent (PAA) at the end of 79 successful authentication. The PAA indicates the results of the 80 authentication using the PANA-Bind-Request message wherein it can 81 indicate the access control method enforced by the access network. 82 The PANA protocol [PANA-PROT] does not discuss any details of IPsec 83 [RFC2401] security association (SA) establishment, when IPsec is used 84 for access control. This document discusses the details of 85 establishing an IPsec security association between the PANA client 86 and the enforcement point. The IPsec SA is established using IKE 87 [RFC2409], which in turn uses the pre-shared key derived from the EAP 88 authentication. The IPsec SA used to protect the packet provides the 89 assurance that the packet comes from the client that authenticated to 90 the network. Thus, the IPsec SA can be used for access control and 91 specifically used to prevent the service theft mentioned in 92 [RFC4016]. The term "access control" in this document refers to the 93 per-packet authentication provided by IPsec. IPsec is used to protect 94 packets flowing between PaC and EP in both directions. 96 Please refer to [PANAREQ] for terminology and definitions of terms 97 used in this document. The PANA framework document [PANA-FRAME] 98 describes the deployment scenarios for IPsec. The following picture 99 illustrates what is being protected with IPsec. The different 100 scenarios of PANA usage are described in the [PANAREQ]. When IPsec is 101 used, scenarios 3 and 5 are supported as shown below. As shown in 102 Figure 1, the Enforcement Point (EP), Access Router (AR) and the PANA 103 authentication agent are co-located which is described as scenario 3 104 in [PANAREQ]. 106 PaC ------------+ 107 | 108 +---EP/AR/PAA----Intranet/Internet 109 | 110 PaC ------------+ 112 <-------IPsec------> 114 Figure 1: PAA/EP/AR are co-located 116 As show in Figure 2, only the AR and EP are co-located. The PAA is a 117 separate node though located on the same link as the AR and EP. All 118 of them are one IP hop away from the PaC. This is the same as 119 scenario 5 described in [PANAREQ]. 121 PaC -------------+ 122 | 123 +---PAA 124 | 125 +---EP/AR-----Intranet/Internet 126 | 127 PaC -------------+ 129 <------IPsec-----> 131 Figure 2: EP and AR are co-located 133 The IPsec security association protects the traffic between the PaC 134 and EP. In IPsec terms, the EP is a security gateway (therefore a 135 router) and forwards packets coming from the PaC to other nodes. 137 First, this document discusses some of the pre-requisites for IPsec 138 SA establishment. Next, it gives details on what should be 139 communicated between the PAA and EP. Then, it gives the details of 140 IKE exchange with IPsec packet formats and SPD entries. Finally, it 141 discusses the dual stack operation. 143 2.0 Keywords 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in [RFC2118]. 149 3.0 Pre-requisites for IPsec SA establishment 151 This document assumes that the following have already happened before 152 the IKE exchange starts. 154 1) The PaC) and PAA mutually authenticate each other using an EAP 155 method that is able to derive a AAA-key [EAP-KEY]. 157 2) The PaC learns the IP address of the Enforcement point (EP) 158 during the PANA exchange. 160 3) The PaC learns that the network uses IPsec [RFC2401] for 161 securing the link between the PaC and EP during the PANA 162 exchange. 164 4.0 IP Address Configuration 166 The IP address configuration is explained in [PANA-FRAME]. Some of 167 the details relevant to IPsec are briefly repeated here for clarity. 168 The PaC configures an IP address before the PANA protocol exchange 169 begins. This address is called a pre-PANA address (PRPA). After a 170 successful authentication, the client may have to configure a post- 171 PANA address (POPA) for communication with other nodes, if PRPA is a 172 local-use (e.g., link-local or private address) or a temporarily 173 allocated IP address. 175 The PRPA of the PaC may be a link-local address [IPV4-LINK] or a 176 private address [RFC1918] or a routable address or an IPv6 link-local 177 address or global address [RFC2462]. Please refer to [PANA-FRAME] for 178 more details on how these addresses may be configured. The PaC would 179 use the PRPA as the outer address of IPsec tunnel mode SA (IPsec- 180 TOA). The PaC also needs to configure an inner address (IPsec-TIA). 181 There are different ways to configure IPsec-TIA. 183 1) Some IPv4 IPsec implementations are known to work properly when 184 the same address is configured as both the IPsec-TIA and IPsec- 185 TOA. When PRPA is a routable address, the PRPA may be used as 186 both the IPsec-TIA and IPsec-TOA and POPA may not be configured. 188 2) In IPv4, an IPsec-TIA can be obtained via the configuration 189 method available using DHCP over IPsec tunnels [RFC3456]. The 190 minor difference from the original usage of [RFC3456] is that 191 the IPsec-TOA does not need to be a routable address when 192 [RFC3456] is used between the PaC and EP. 194 3) When IKEv2 [IKEV2] is used for security association negotiation, 195 the address configuration method available in [IKEV2] can be 196 used for configuring the IPsec-TIA for both IPv4 and IPv6. 198 There are other address configuration methods possible. They have 199 some implementation issues, which are described in the Appendix A. 201 5.0 IKE Pre-shared key derivation 203 If the network chooses IPsec to secure the link between the PaC and 204 EP, the PAA should communicate the IKE pre-shared key (Pac-EP Master 205 Key), Key-Id, the device identifier of the PaC, and the session-Id to 206 the EP before the IKE exchange begins. Whenever the IKE pre-shared 207 key changes due to re-authentication as described below, the new 208 value is computed by the PAA and communicated to the EP with all the 209 other parameters. 211 The IKE exchange between the PaC and PAA is equivalent to the 4-way 212 handshake in [IEEE80211i] following the EAP exchange. The IKE 213 exchange establishes the IPsec SA similar to the pair-wise transient 214 key (PTK) established in [IEEE80211i]. The IKE exchange provides both 215 key confirmation and protected cipher-suite negotiation. 217 The IKE pre-shared key is derived as follows (where "|" means 218 concactenation). 220 IKE Pre-shared Key = HMAC-SHA-1 (PaC-EP-Master-Key, 221 "IKE-preshared key" | 222 Session ID | Key-ID | EP-address) 224 The values have the following meaning: 226 PaC-EP-Master-Key: A key derived from the AAA-key for each EP as 227 defined in [PANA-PROT]. 229 Session ID: The value as defined in the PANA protocol [PANA-PROT], 230 identifies a particular session of a client. 232 Key-ID: This identifies the PaC-EP-Master-Key within a given session 233 [PANA-PROT]. During the lifetime of the PANA session, there could be 234 multiple runs of EAP re-authentications. As EAP re-authentication 235 changes the AAA-key which in turn affects Pac-EP-Master-Key, Key-ID 236 is used to identify the right PaC-EP-Master-Key. This is contained in 237 the Key-ID AVP [PANA-PROT]. 239 EP-address: This is the address of the enforcement point with which 240 the IKE exchange is being performed. When the PAA is controlling 241 multiple EPs, this provides a different pre-shared key for each of 242 the EPs. 244 During EAP re-authentication, the AAA-Key changes. Whenever the AAA- 245 Key changes, a new PaC-EP-Master-Key is derived and a new value for 246 Key-ID is established between the PaC and PAA/EP as defined in [PANA- 247 PROT]. The [EAP-KEY] document requires that all keys derived from 248 AAA-key be deleted when the AAA-key expires. Hence, a new IKE PSK 249 should be derived upon AAA-key expiry. As it also affects the IKE 250 and IPsec SAs derived from it, new security associations for IKE and 251 IPsec are established with the new IKE PSK. In case where two runs of 252 EAP authentication (NAP/ISP) are performed during a single PANA 253 authentication phase, a new PaC-EP-Master-Key is derived from the 254 AAA-key obtained from both authentications as specified in the [PANA- 255 PROT]. 257 6.0 IKE and IPsec details 259 IKE [RFC2409] MUST be used for establishing the IPsec SA. The details 260 specified in this document works with IKEv2 [IKEV2] as well as IKE. 261 Any difference between them would be explicitly noted. PANA 262 authenticates the client and network, and derives the keys to protect 263 the traffic. Hence, manual keying cannot be used. If IKE is used, 264 aggressive mode with pre-shared key MUST be supported. The PaC and EP 265 SHOULD use the following value in the payload of the ID_KEY_ID to 266 identify the pre-shared key. 268 ID_KEY_ID data = (Session-Id | Key-Id) 270 The Session-Id and Key-Id are the values contained in the data 271 portion of the Session-Id and Key-Id AVP respectively [PANA-PROT]. 272 They are concatenated to form the content of ID_KEY_ID data. IP 273 addresses cannot be used as identifier as the same PaC or different 274 PaC may use the same IP address across a PANA session. For the same 275 reason, main mode of IKE cannot be used, as it requires addresses to 276 be used as identifiers. 278 If IKE is used, a quick mode exchange is performed to establish an 279 ESP tunnel mode IPsec SA for protecting the traffic between the PaC 280 and EP. In IKEv2, the initial exchange (IKE_SA_INIT and IKE_AUTH) 281 creates the IPsec SA also. The identities (a.k.a. traffic selectors 282 in IKEv2) used during Phase 2 are explained later along with the SPD 283 entries. As mentioned in section 4.0, an address (POPA) may also have 284 to be configured. The address configuration method to be used by the 285 PaC is indicated in the PANA-Bind-Request message at the end of the 286 successful PANA authentication. The PaC chooses the appropriate 287 method and replies back in PANA-Bind-Answer message. 289 7.0 Packet Formats 291 Following acronyms are used throughout this document. 293 PAC-TIA denotes the IPsec-TIA used by the PaC. PAC-TIA may be set to 294 a PRPA when the same PRPA is used as the IPsec-TIA and IPsec-TOA on 295 the PaC. Otherwise, PAC-TIA is set to the POPA. 297 PAC-TOA denotes the IPsec-TOA used by the PaC. 299 EP-ADDR denotes the address of the EP. 301 The node with which the PaC is communicating is denoted by END-ADDR. 303 Following is the IPv4 packet format on the wire for packets sent from 304 the PaC to the EP: 306 IPv4 header (source = PAC-TOA, 307 destination = EP-ADDR) 308 ESP header 309 IPv4 header (source = PAC-TIA, 310 destination = END-ADDR) 312 Following is the IPv6 packet format on the wire for packets sent from 313 the PaC to the EP: 315 IPv6 header (source = PAC-TOA, 316 destination = EP-ADDR) 317 ESP header 318 IPv6 header (source = PAC-TIA, 319 destination = END-ADDR) 321 Following is the IPv4 packet format on the wire for packets sent from 322 the EP to the PaC: 324 IPv4 header (source = EP-ADDR, 325 destination = PAC-TOA) 326 ESP header 327 IPv4 header (source = END-ADDR, 328 destination = PAC-TIA) 330 Following is the IPv6 packet format on the wire for packets sent from 331 the EP to the PaC: 333 IPv6 header (source = EP-ADDR, 334 destination = PAC-TOA) 335 ESP header 336 IPv6 header (source = END-ADDR, 337 destination = PAC-TIA) 339 8.0 IPsec SPD entries 341 The SPD entries for IPv4 and IPv6 are specified separately as they 342 are different. When the same address is used as IPsec-TIA and IPsec- 343 TOA, the EP can add the entry to the SPD before the IKE exchange 344 starts, as it knows the address a priori. When IKEv2 [IKEV2] or 345 [RFC3456] is used for address configuration, the SPD entry cannot be 346 created until the IPsec SA is successfully negotiated as the address 347 is not known a priori. This is very similar to the road warrior case 348 described in [IPSEC-BIS]. In this case, an SPD entry with a name 349 selector is used and when the IPsec SA is successfully negotiated, a 350 new SPD entry is created with the appropriate addresses. The name 351 would be the contents of ID_KEY_ID payload. 353 In environments where the PaC is a router, the IPsec-TIA can be a 354 range of addresses (prefix) instead of a single host address. The PaC 355 acts like a security gateway in this case establishing the IPsec SA 356 with another security gateway (EP). This scenario is supported by 357 [RFC2401] and [IPSEC-BIS]. It is assumed that the PaC obtains the 358 prefix through other mechanisms not defined in this document. When 359 the IPsec SA is negotiated, the prefix is carried in the traffic 360 selectors. 362 Each SPD entry specifies packet disposition as BYPASS, DISCARD or 363 PROTECT. The entry that causes the traffic to be protected with IPsec 364 uses IPsec-TIA as the selector. This has the side effect of 365 protecting all the traffic, which could be a problem. Some of the 366 traffic that is not protected with IPsec is discussed below. 368 . The neighbor discovery messages specified in [RFC2461] are 369 protected using [RFC3971]. The Multicast listener Discovery 370 messages specified in [RFC2710] are also bypassed as IKE can 371 negotiate keys only for unicast traffic. The SPD contains entry 372 based on ICMPv6 type (130 to 137) to bypass such traffic. 374 . When IPsec-TIA and IPsec-TOA are the same (as discussed in 375 section 4.0), the PANA traffic also gets protected with IPsec. 376 As the IPsec protection adds extra overhead without any benefit, 377 we need explicit entries to bypass IPsec protection for PANA 378 traffic on PaC. This may not be needed always for traffic going 379 from PAA to PaC. If PAA and EP are not co-located, PAA would 380 send traffic directly to PaC without going through EP. Hence, EP 381 does not need to have SPD entries to bypass IPsec in this case. 383 If PAA and EP are co-located, the PANA packets will be protected 384 with IPsec only if the IPsec-TIA and IPsec-TOA are same. Hence, 385 we need explicit entries to bypass IPsec protection when PAA and 386 EP are co-located. The SPD entry is specified using PANA_PORT. 387 PANA_PORT is the IANA assigned (TBD) PANA protocol number [PANA- 388 PROT]. 390 There may be protocols that expect the TTL to be 255, which may not 391 be preserved as a result of IP forwarding by the EP. If the protocol 392 termination is in a different place than EP, then we may need 393 additional bypass entries for those protocols, which are not shown 394 here. Also, when the PaC is using IPsec for remote access, there may 395 be additional SPD entries and IPsec security associations, which are 396 not discussed in this document. 398 The format chosen to represent the SPD rules is similar to the one 399 used in [IPSEC-BIS] document (See Appendix E). Following acronyms are 400 used. 402 Rule - SPD rule and this column has ordered rules. 403 LADDR - Local address 404 RADDR - Remote address 405 LPORT - Local Port 406 RPORT - Remote Port 407 ITYPE - Specifies ICMPv6 type 408 Action - Specifies the IPsec actions (BYPASS, DROP, PROTECT) 410 8.1 IPv4 SPD entries 412 PaC's SPD: 414 Rule LADDR RADDR LPORT RPORT Action 415 ---- ----- ----- ----- ----- ------ 416 Rule 1 ANY PAA-ADDR ANY PANA_PORT BYPASS 418 Rule 2 PAC-TIA ANY ANY ANY PROTECT 419 (ESP, tunnel) 421 Rule 3 ANY ANY ANY ANY DISCARD 423 The ESP tunnel's outer source address is PAC-TOA and outer 424 destination address is EP-ADDR. 426 EP's SPD: 428 Rule LADDR RADDR LPORT RPORT Action 429 ---- ----- ----- ----- ----- ------ 430 Rule 1 PAA-ADDR ANY PANA_PORT ANY BYPASS 432 Rule 2 ANY PAC-TIA ANY ANY PROTECT 433 (ESP, tunnel) 435 Rule 3 ANY ANY ANY ANY DISCARD 437 The ESP tunnel's outer source address is EP-ADDR and outer 438 destination address is PAC-TOA. 440 The phase 2 identities (a.k.a. traffic selectors in IKEv2) differ 441 depending on how the PaC acquires the PAC-TIA. 443 . If the client uses PAC-TOA as the PAC-TIA, then it uses PAC-TOA 444 as the client identity (IDci). The responder identity (IDcr) 445 would contain the ID_IPV4_ADDR_RANGE with starting address as 446 zero address (0.0.0.0) and end address as (255.255.255.255). 448 . If the client uses [RFC3456] for acquiring the PAC-TIA, it needs 449 to establish the DHCP SA first. This requires additional SPD 450 entries. Once the PAC-TIA is acquired using DHCP, the DHCP SA is 451 deleted and a new IPsec tunnel mode SA is established as 452 specified in this document. When establishing such an SA, PAC- 453 TIA will be used as the IDci. The responder identity (IDcr)would 454 contain the ID_IPV4_ADDR_RANGE with starting address as zero 455 address (0.0.0.0) and end address as (255.255.255.255). 457 . If IKEv2 is used to obtain the PAC-TIA, the client uses the 458 configuration request (CFG_REQUEST) along with the traffic 459 selectors as given in IKEv2. PaC uses IPV4_ADDR_RANGE with 460 starting address as zero address (0.0.0.0) and end address as 461 (255.255.255.255) for both TSi and TSr. The EP assigns the 462 address (PAC-TIA) and returns it in both the configuration 463 payload (CFG_REPLY) and TSi. The TSr is left to contain the 464 IPV4_ADDR_RANGE. 466 8.2 IPv6 SPD entries 467 Pac's SPD: 469 Rule LADDR RADDR LPORT RPORT ITYPE Action 470 ---- ----- ----- ----- ----- ----- ------ 471 Rule 1 ANY ANY ANY ANY 130-137 BYPASS 473 Rule 2 ANY ANY PANA_PORT ANY ANY BYPASS 475 Rule 3 PAC-TIA ANY ANY ANY ANY PROTECT 476 (ESP, tunnel) 478 Rule 4 ANY ANY ANY ANY ANY DISCARD 480 The ESP tunnel's outer source address is PAC-TOA and outer 481 destination address is EP-ADDR. 483 EP's SPD: 485 Rule LADDR RADDR LPORT RPORT ITYPE Action 486 ---- ----- ----- ----- ----- ----- ------ 487 Rule 1 ANY ANY ANY ANY 130-137 BYPASS 489 Rule 2 ANY ANY ANY PANA_PORT ANY BYPASS 491 Rule 3 ANY PAC-TIA ANY ANY ANY PROTECT 492 (ESP, tunnel) 494 Rule 4 ANY ANY ANY ANY ANY DISCARD 496 The ESP tunnel's outer source address is EP-ADDR and outer 497 destination address is PAC-TOA. 499 IKEv2 [IKEV2] is used to configure the PAC-TIA address. The usage of 500 traffic selectors is very similar to the IPv4 usage as explained in 501 the previous section. The client may use the interface identifier in 502 the lower bits of the TSi so that the responder can assign an IPv6 503 address honoring the interface identifier also. 505 9.0 Dual Stack Operation 507 IKEv2 [IKEV2] can enable configuration of IPsec-TIA for both IPv4 and 508 IPv6 TIAs by sending both IPv4 and IPv6 configuration attributes in 509 the configuration request (CFG_REQUEST). This enables use of single 510 IPsec tunnel mode SA for sending both IPv4 and IPv6 traffic. 512 Therefore, IKEv2 is recommended for handling dual-stack PaCs where 513 single execution of IKE is desired. 515 10.0 IANA Considerations 517 This document does not make no request to IANA. 519 10.0 Security considerations 521 This document discusses the use of IPsec for access control when PANA 522 is used for authenticating the clients to the access network. 524 The aggressive mode in IKE [RFC2409] is considered bad due to its DoS 525 properties i.e., any attacker can bombard IKE aggressive mode packets 526 making the EP perform heavy diffie-hellman calculations. As the 527 ID_KEY_ID can be verified by the EP before doing the diffie-hellman 528 calculation, it prevents random attacks. The attacker now needs to 529 listen on the traffic between PaC and PAA to originate IKE requests 530 with valid ID_KEY_ID. 532 If the EP does not verify whether the PaC is authorized to use an IP 533 address, it is possible for the PaC to steal the traffic destined to 534 some other PaC. When IKEv2 [IKEV2] and [RFC3456] are used for address 535 configuration, the address is assigned by the EP and hence this 536 attack is not present in such cases. When the same address is used as 537 both IPsec-TIA and IPsec-TOA, the EP creates the SPD entry with the 538 appropriate address for the PaC and hence the address is verified 539 implicitly by the virtue of successful IPsec SA negotiation. 541 11.0 Normative References 543 Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, 544 RFC 2026, October 1996. 546 [RFC2401] S. Kent et al., "Security Architecture for the Internet 547 Protocol", RFC 2401, November 1998 549 [PANA-PROT] D. Fosberg et al., "Protocol for Carrying Authentication 550 for Network Access", draft-ietf-pana-06.txt 552 [RFC4016] M. Parthasarathy, "Protocol for carrying Authentication for 553 Network Access (PANA) Threat analysis and security requirements", 554 RFC 4016, March 2005 556 12.0 Informative References 558 [PANAREQ] A. Yegin et al., "Protocol for Carrying Authentication for 559 Network Access (PANA) Requirements and Terminology", draft-ietf- 560 pana-requirements-09.txt 562 [PANA-FRAME] P. Jayaraman et al., "PANA Framework", draft-ietf-pana- 563 framework-01.txt 565 [RFC2119] S. Bradner, "Key words for use in RFCS to indicate 566 requirement levels", RFC 2119, March 1997 568 [RFC2409] D. Harkins et al., "Internet Key Exchange", RFC 2409, 569 November 1998 571 [IKEV2] C. Kauffman et al., "Internet Key Exchange(IKEv2) Protocol", 572 draft-ietf-ipsec-ikev2-15.txt 574 [IPSEC-BIS] S. Kent, "Security Architecture for the Internet 575 Protocol", draft-ietf-ipsec-rfc2401bis-06.txt 577 [RFC2131] R. Droms, "Dynamic Host Configuration Protocol", RFC 2131, 578 March 1997 580 [RFC3456] B. Patel et al., "Dynamic Host Configuration Protocol 581 (DHCPv4) Configuration of IPsec Tunnel Mode", RFC 3456, January 582 2003 584 [RFC3315] R. Droms et. al, "Dynamic Host Configuration Protocol for 585 IPv6", RFC 3315, July 2003 587 [RFC2461] T. Narten et al., "Neighbor Discovery for IP version 6 588 (IPv6) ", RFC 2461, December 1998 590 [RFC2462] S. Thomson et. al, "IPv6 Stateless Address 591 Autoconfiguration", RFC 2462, December 1998 593 [RFC3041] T. Narten et al., "Privacy Extensions for Stateless Address 594 Autoconfiguration in IPv6", RFC 3041, January 2001 596 [EAP-KEY] B. Aboba et al., "EAP Key Management Framework", draft- 597 ietf-eap-keying-06.txt 599 [RFC3971] J. Arkko et al., "SEcure Neighbor Discovery (SEND)", RFC 600 3971, March 2005 602 [IPV4-LINK] B. Aboba et al., "Dynamic configuration of Link-local 603 IPv4 addresses", draft-ietf-zeroconf-ipv4-linklocal-12.txt 605 [RFC1918] Y. Rekhter et al., "Address Allocation for Private 606 Internets", BCP 5, RFC 1918, February 1996 608 [RFC2710] S.Deering et al., "Multicast Listener Discovery (MLD)for 609 IPv6", RFC 2710, October 1999 611 [IEEE80211i] IEEE Draft 802.11I/D5.0, "Draft Supplement to STANDARD 612 FOR Telecommunications and Information Exchange between Systems 613 LAN/MAN Specific Requirements - Part 11: Wireless Medium Access 614 Control (MAC) and physical layer specifications: Specification for 615 Enhanced Security", August 2003. 617 13.0 Acknowledgments 619 The author would like to thank Francis Dupont, Pasi Eronen, Yoshihiro 620 Ohba, Jari Arkko, Hannes Tschofenig, Alper Yegin, Erik Nordmark, 621 Giaretta Gerardo, Rafa Marin Lopez, Tero Kivinen and other PANA WG 622 members for their valuable comments and discussions. 624 14.0 Revision log 626 Changes between revision 06 and 07 628 -Changed the format of the SPD to use a table 629 -Changed the IPv6 SPD entries to use ICMPv6 types 631 Changes between revision 05 and 06 633 -Clarified that PRPA can be a global address also in IPv6. 635 Changes between revision 04 and 05 637 -working group last call comments (mostly editorial) 639 Changes between revision 03 and 04 641 -Comments from Erik Nordmark (mostly editorial) 643 Changes between revision 02 and 03 645 -Clarified the use of key-Id in ID_KEY_ID payload 646 -Clarified the address configuration issues. 647 -Added an Appendix to clarify implementation issues. 649 Changes between revision 01 and 02 651 -Updated the draft with the fixes for all open issues 652 -Added the IP configuration section 653 -Modified the IKE pre-shared key derivation to handle PAA controlling 654 multiple EPs 655 -Clarification regarding DHCP usage and RFC3456 usage. 657 -Only aggressive mode to be supported. Main mode not needed anymore. 659 Changes between revision 00 and 01 661 -Specified the use of ESP tunnel mode SA instead of IP-IP transport 662 mode SA after working group discussion. 663 -Specified the IKE pre-shared key derivation. 665 15.0 Appendix A 667 This section describes the alternate address configuration methods 668 for Post-PANA address (POPA) and the issues associated with it. As 669 mentioned in section 4, there are multiple ways by which the PaC may 670 configure the POPA address. Only [IKEV2] and [RFC3456] address 671 configuration methods were described in section 4. Other 672 possibilities and the issues are as follows. 674 1) Some IKEv1 implementations support IKEv1 MODECFG for configuring 675 IP address. There is no RFC describing MODECFG feature of IKEv1. 676 Also, there is not much information on its widespread support 677 among the implementations. Hence, this document does not 678 recommend it. 680 2) The address may also be obtained using DHCP [RFC2131] [RFC3315] 681 before the IKE exchange starts. Normally the implementations 682 associate the address and other configuration information (e.g., 683 the default router address) with the interface on which the DHCP 684 is performed. This can cause problems with implementations if 685 they attempt to use an IP address that is configured via 686 [RFC2131] [RFC3315] on the physical interface and use it as the 687 IPsec-TIA on the IPsec tunnel interface. This may work without 688 problems when the IPsec-TIA and IPsec-TOA are same as the IPv4 689 PRPA that was obtained using DHCP, as the source address 690 selection has to deal with just one address. But using an IPv4 691 IPsec-TOA different than the IPsec-TIA on a single interface may 692 cause source address selection problem, as there is more than 693 one address to be dealt with. Similarly, an IPv6 address 694 obtained and maintained through a physical link but used on a 695 tunnel interface requires additional implementation 696 considerations. Therefore, this document does not handle the 697 case where DHCP is used to acquire an address for the IPsec-TIA 698 that is different from the IPsec-TOA. Note that this case is 699 different from the address configuration using [RFC3456], which 700 also uses DHCP. When [RFC3456] is used, DHCP is run over the 701 IPsec tunnel and the address (IPsec-TIA) is typically assigned 702 to the IPsec tunnel interface. The IPsec-TOA is assigned to the 703 physical interface. As there is only one address on each 704 interface, there are no address selection issues. 706 3) The address may also be obtained using auto-configuration 707 [RFC2461] including the temporary addresses described in 708 [RFC3041]. The problem described above for DHCP applies to this 709 also. The implementations would associate the auto-configured 710 addresses and the default router with the interface on which the 711 router advertisement was received. As we configure the SPD to 712 bypass IPsec for router discovery and neighbor discovery 713 messages, the address would be associated with the physical 714 interface and not with the IPsec interface. There is also an 715 additional issue, as the address configured by the PaC is not 716 known to the EP. It needs to trust whatever PaC provides in its 717 traffic selector during the IPsec SA negotiation. This leads to 718 a DoS attack where the PaC can steal some other PaC's address, 719 which cannot be prevented unless [RFC3971] is deployed. 721 16.0 Author's Addresses 723 Mohan Parthasarathy 724 313 Fairchild Drive 725 Mountain View CA-94043 727 Email: mohanp@sbcglobal.net 729 Intellectual Property Statement 731 The IETF takes no position regarding the validity or scope of any 732 Intellectual Property Rights or other rights that might be claimed to 733 pertain to the implementation or use of the technology described in 734 this document or the extent to which any license under such rights 735 might or might not be available; nor does it represent that it has 736 made any independent effort to identify any such rights. Information 737 on the procedures with respect to rights in RFC documents can be 738 found in BCP 78 and BCP 79. 740 Copies of IPR disclosures made to the IETF Secretariat and any 741 assurances of licenses to be made available, or the result of an 742 attempt made to obtain a general license or permission for the use of 743 such proprietary rights by implementers or users of this 744 specification can be obtained from the IETF on-line IPR repository at 745 http://www.ietf.org/ipr. 747 The IETF invites any interested party to bring to its attention any 748 copyrights, patents or patent applications, or other proprietary 749 rights that may cover technology that may be required to implement 750 this standard. Please address the information to the IETF at 751 ietf-ipr@ietf.org. 753 Disclaimer of Validity 755 This document and the information contained herein are provided on an 756 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 757 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 758 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 759 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 760 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 761 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 763 Copyright Statement 765 Copyright (C) The Internet Society (2005). 767 This document is subject to the rights, licenses and restrictions 768 contained in BCP 78, and except as set forth therein, the authors 769 retain all their rights. 771 Acknowledgment 773 Funding for the RFC Editor function is currently provided by the 774 Internet Society.