idnits 2.17.1 draft-ymbk-lsvr-l3dl-signing-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 26, 2019) is 1643 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-lsvr-l3dl-02 ** Downref: Normative reference to an Experimental draft: draft-ietf-lsvr-l3dl (ref. 'I-D.ietf-lsvr-l3dl') Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Bush 3 Internet-Draft Arrcus & IIJ 4 Intended status: Standards Track R. Austein 5 Expires: April 28, 2020 Arrcus 6 October 26, 2019 8 Layer 3 Discovery and Liveness Signing 9 draft-ymbk-lsvr-l3dl-signing-00 11 Abstract 13 The Layer 3 Discovery and Liveness protocol OPEN PDU may contain a 14 key and a certificate, which can be used to verify signatures on 15 subsequent PDUs. This document describes two mechanisms based on 16 digital signatures, one that is Trust On First Use (TOFU), and one 17 that uses certificates to provide authentication as well as session 18 integrity. 20 Requirements Language 22 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 23 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 24 "OPTIONAL" in this document are to be interpreted as described in 25 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 26 capitals, as shown here. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at https://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on April 28, 2020. 45 Copyright Notice 47 Copyright (c) 2019 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (https://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 2. Trust On First Use Method . . . . . . . . . . . . . . . . . . 3 64 2.1. Signing a PDU . . . . . . . . . . . . . . . . . . . . . . 3 65 2.2. Verifying the OPEN PDU . . . . . . . . . . . . . . . . . 4 66 2.3. Verifying Other PDUs . . . . . . . . . . . . . . . . . . 4 67 3. Public Key Infrastructure Method . . . . . . . . . . . . . . 5 68 3.1. Signing OPEN PDU with PKI . . . . . . . . . . . . . . . . 5 69 3.2. Verifying OPEN PDU with PKI . . . . . . . . . . . . . . . 5 70 4. Local Policy . . . . . . . . . . . . . . . . . . . . . . . . 6 71 5. NEWKEY, Key Roll . . . . . . . . . . . . . . . . . . . . . . 6 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 73 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 74 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 75 9. Normative References . . . . . . . . . . . . . . . . . . . . 8 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 78 1. Introduction 80 This draft is being published without incorporating changes from an 81 excellent security review. This is being done so a couple of other 82 drafts can reference it. While all comments will, of course, be 83 appreciated, readers may want to wait for the -01 version. 85 The Layer 3 Discovery and Liveness protocol [old ref because new 86 draft not yet pushed] [I-D.ietf-lsvr-l3dl] OPEN PDU contains an 87 algorithm specifier, a key, and a certificate, which can be used to 88 verify signatures on subsequent PDUs. This document describes two 89 methods of key generation and signing for use by L3DL, Trust On First 90 Use (TOFU) and a PKI-based mechanism to provide authentication as 91 well as session integrity. 93 The Key in the OPEN PDU SHOULD be the public key of an asymmetric key 94 pair. The sender signs with the private key, of course. The device 95 sending the OPEN may use one key for all links, a different key for 96 each link, or some aggregation(s) thereof. 98 In the TOFU method the OPEN key is generated on the sending device, 99 believed without question by the receiver, and used to verify all 100 subsequent PDUs from the same sender with the same Key Type. 102 With the PKI-mechanism, an enrollment step is performed. The public 103 key is put into a certificate, which is signed by the the operational 104 environment's trust anchor. In this way, the relying party can be 105 confident that the public key is under control of the identified L3DL 106 protocol entity. 108 To the receiver verifying signatures on PDUs, the two methods are 109 indistinguishable; the key provided in the OPEN PDU is used to verify 110 the signatures of subsequent PDUs. The difference that PKI-based 111 keys may be verified against the trust anchor when the OPEN PDU is 112 received. 114 In the PKI method the OPEN key MUST be verified against the trust 115 anchor for the operational domain. It is then used to verify all 116 subsequent PDUs in the session. 118 2. Trust On First Use Method 120 There are three parts to using a key: signing PDUs, verifying the 121 OPEN PDU, and verifying subsequent PDUs. 123 2.1. Signing a PDU 125 All signed PDUs are generated in the same way: 127 o Compose the PDU, with all fields including "Sig Type" and 128 "Signature Length" set, but omitting the trailing "Signature" 129 field itself. The Certificate Length should be zero and the 130 Certificate field should be empty. This is the "message to be 131 signed" for purposes of the signature algorithm. 133 o Generate the signature as specified for the chosen signature 134 suite, using the private member of the asymmetric key pair. In 135 general this will involve first hashing the "message to be signed" 136 then signing the hash, but the precise details may vary with the 137 specific algorithm. The result will be a sequence of octets, the 138 length of which MUST be equal to the setting of the "Signature 139 Length" field. 141 o Construct the complete message by appending the signature octets 142 to the otherwise complete message composed above. 144 In the case of the OPEN PDU, the message to be signed will include 145 the public member of the asymmetric keypair, but as far as the 146 signature algorithm is concerned that's just payload, no different 147 from any other PDU content. 149 2.2. Verifying the OPEN PDU 151 The process for verifying an OPEN PDU is slightly different from the 152 process for verifying other PDU types, because the OPEN PDU also 153 establishes the session key. 155 o Verify that the PDU is syntactically correct, and extract the Auth 156 Type, Key, Sig Type, and Signature fields. 158 o Verify that Auth Type and Sig Type refer to the same algorithm 159 suite, and that said algorithm suite is one that the 160 implementation understands. 162 o Construct the "message to be verified" by truncating the PDU to 163 remove the Signature field (in practice this should not require 164 copying any data, just subtract the signature length from the PDU 165 length). 167 o Verify the message constructed above against the public key using 168 the rules for the specific signature suite. 170 o Record Auth Type and Key as this sessions's authentication type 171 and session key, for use in verifying subseuqent PDUs. 173 If any of the above verification steps fail, generate an error using 174 error code 2 ("Authorization failure in OPEN"). 176 2.3. Verifying Other PDUs 178 The process for verifying non-OPEN PDUs is slightly simpler, but 179 follows the same basic pattern as for OPEN PDUs. 181 o Verify that the PDU is syntactically correct, and extract the Sig 182 Type and Signature fields. 184 o Verify that Sig Type refers to the same algorithm suite as the 185 Auth Type recorded during verification of the OPEN PDU. 187 o Construct the "message to be verified" by truncating the PDU to 188 remove the Signature field. 190 o Verify the message constructed above against the recorded session 191 key using the rules for the specific signature suite. 193 If any of the above verification steps fail, generate an error using 194 error code 3 ("Signature failure in PDU"). 196 3. Public Key Infrastructure Method 198 Using a PKI is almost the same as using TOFU, but with one additional 199 step: during verification of an OPEN PDU, after extracting the Key 200 field from the PDU but before attempting to use it to verify the 201 PDU's signature, the receiver MUST verify the received key against 202 the PKI to confirm that it's an authorized key. 204 Generating an OPEN PDU using the PKI method requires a certificate, 205 which must be supplied via out of band configuration. The 206 certificate is a signature of the public key to be sent in the Key 207 field of the OPEN PDU, signed by the trust anchor private key. 209 Verifying an OPEN PDU using the PKI method requires the public key of 210 the trust anchor, which the receiver uses to verify the certificate, 211 thereby demonstrating that the supplied is represents an authorized 212 L3DL speaker in this administrative domain. 214 We use the term "certificate" here in the generic sense. These are 215 not X.509 certificates: X.509 is much more complicated than we need 216 for I3DL. The certificates used here are just signatures of one key 217 (the session key supplied in the Key field of the OPEN PDU) by 218 another key (the trust anchor). 220 3.1. Signing OPEN PDU with PKI 222 Generating and signing the OPEN PDU with the PKI method is almost the 223 same as in Section 2.1. The only difference is that the PKI method 224 MUST supply the appropriate certificate in the Certificate field. 226 Note that the Auth Type field applies to both the Key and Certificate 227 fields. That is: the certificate uses the same certificate suite as 228 the session keys, L3DL does not support cross-algorithm-suite 229 certification. 231 3.2. Verifying OPEN PDU with PKI 233 Verifying the OPEN PDU with PKI is similar to verifying with TOFU as 234 described in Section 2.2, but includes one critical extra step: 236 After extracting the Key field from the PDU but before verifying the 237 Signature, extract the Certificate field and verfiy that the 238 Certificate is a valid signature of the Key field, according to the 239 rules for the signature suite specified by Auth Type. If this step 240 fails, handle as in Section 2.2. 242 4. Local Policy 244 Whether to use TOFU, PKI, or no signatures at all is a matter of 245 local policy, to be decided by the operator. The useful policy 246 combinations for Key and Certificate are probably: 248 o Not signing: sender need not sign, receiver does not check. 250 o Require TOFU: sender MUST supply key and receiver MUST check, 251 certificate not needed and ignored if sent. 253 o Allow TOFU: sender must supply key and receiver MUST check, 254 receiver SHOULD check certificate if supplyed by sender. 256 o Require PKI: sender must supply key and certificate, receiver must 257 check both. 259 5. NEWKEY, Key Roll 261 Modern key management allows for agility in 'rolling' to a new key or 262 even algorithm in case of key expiry, key compromise, or merely 263 prudence. Declaring a new key with an L3DL OPEN PDU would cause 264 serious churn in topology as a new OPEN may cause a withdraw of 265 previously announced encapsulations. Therefore, a gentler rekeying 266 is needed. 268 0 1 2 3 269 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 270 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 271 | Type = 8 | Payload Length | New Key Type | 272 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 273 | New Key Length | New Key ... | 274 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 275 | | New Cert Length | 276 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 277 | New Certificate ... | 278 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 279 | Old Sig Type | Old Signature Length | | 280 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 281 | Old Signature ... | 282 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 283 The New Key Type, New Key Length, New Key, New Cert Length, and New 284 Certificate field declare the replacement algorithm suite, key, and 285 certificate. 287 The NEWKEY PDU is signed using the current (soon to be old) algorithm 288 suite and key. 290 The sender and the receiver should be cautious of algorithm suite 291 downgrade attacks. 293 To avoid possible race conditions, the receiver SHOULD accept 294 signatures using either the new or old key for a configurable time 295 (default 30 seconds). This is intended to accommodate situations 296 such as senders with high peer out-degree and a single per-device 297 asymmetric key. 299 If the sender does not receive an ACK in the normal window, including 300 retransmission, then the sender MAY choose to allow a session reset 301 by either issuing a new OPEN or by letting the receiver eventually 302 have a signature failure (error code 3) on a PDU. 304 The rekeying operation changes the session key and algorithm suite 305 described in Section 2.3. The NEWKEY PDU itself is verified using 306 the old algorithm and session key, subsequent PDUs are verified with 307 the new algorithm and session key recorded after the NEWKEY PDU has 308 been accepted. 310 6. Security Considerations 312 The TOFU method requires a leap of faith to accept the key in the 313 OPEN PDU, as it can not be verified against any authority. Hence it 314 is jokingly referred to as Married On First Date. The assurance it 315 does provide is that subsequent signed PDUs are from the same peer. 316 And data integrity is a positive side effect of the signature 317 covering the payload. 319 The PKI-based method offers assurance that the certificate, and hence 320 the keying material, provided in the OPEN PDU are authorized by a 321 central authority, e.g. the network's network security team. The 322 onward assurance of talking to the same peer and data integrity are 323 the same as in the TOFU method. 325 With the PKI-based method, automated device provisioning could 326 restrict which certificates are allowed from which peers on a per 327 interface basis. This would complicate key rolls. Where one draws 328 the line between rigidity, flexibility, and security varies. 330 The REKEY PDU is open to abuse to create an algorithm suite downgrade 331 attack. 333 7. IANA Considerations 335 This document requests the IANA create a new entry in the L3DL PDU 336 Type registry as follows: 338 PDU 339 Code PDU Name 340 ---- ------------------- 341 8 NEWKEY 343 This document requests the IANA add a registry entry for "TOFU - 344 Trust On First Use" to the L3DL-Signature-Type registry as follows: 346 Number Name 347 ------ ------------------- 348 1 TOFU - Trust On First Use 349 2 PKI 351 8. Acknowledgments 353 The authors than Russ Housley for advice and review. 355 9. Normative References 357 [I-D.ietf-lsvr-l3dl] 358 Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery 359 and Liveness", draft-ietf-lsvr-l3dl-02 (work in progress), 360 July 2019. 362 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 363 Requirement Levels", BCP 14, RFC 2119, 364 DOI 10.17487/RFC2119, March 1997, 365 . 367 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 368 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 369 May 2017, . 371 Authors' Addresses 372 Randy Bush 373 Arrcus & IIJ 374 5147 Crystal Springs 375 Bainbridge Island, WA 98110 376 United States of America 378 Email: randy@psg.com 380 Rob Austein 381 Arrcus, Inc. 383 Email: sra@hactrn.net