Re: [lisp] LISP-SEC review (finally)
Fabio Maino <fmaino@cisco.com> Wed, 26 October 2016 14:33 UTC
Return-Path: <fmaino@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 007A4129493; Wed, 26 Oct 2016 07:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.951
X-Spam-Level:
X-Spam-Status: No, score=-14.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pm3ajkoLRxLz; Wed, 26 Oct 2016 07:32:48 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ADF41293FF; Wed, 26 Oct 2016 07:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=235213; q=dns/txt; s=iport; t=1477492368; x=1478701968; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=oVTS4x9zBggH9IsxVyUfu7bZnw+3XV+B7Q+Jg9SU/gY=; b=XL6aX57YwtiBXzqqPCcfg0vxUmtAaSm2D3CB8x2Odm6SAykmOuQQMd7z uZIrdK/uurl81DYKWoOO/ZrwEmwrby2YSO0HYPJTOyWC259ovEWpMvjty 6MyvU/D0TxxCO9q2QYwzmHtENKzdoavTJnpAH+YehF3Mw3upJCgYDjeLf 8=;
X-IronPort-AV: E=Sophos;i="5.31,551,1473120000"; d="scan'208,217";a="164006682"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Oct 2016 14:32:47 +0000
Received: from [10.24.86.122] ([10.24.86.122]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id u9QEWiZX030393; Wed, 26 Oct 2016 14:32:44 GMT
To: Luigi Iannone <luigi.iannone@telecom-paristech.fr>
References: <FC4677DB-855C-4273-8B52-161039B900A8@telecom-paristech.fr> <8204baa6-8cbd-83b3-aa88-dc3ba16c5a33@cisco.com> <38FE74C1-A8F3-4A92-B575-CC5CF4E249D8@telecom-paristech.fr> <37a920e9-b1aa-33c1-6321-e24937bc6c8d@cisco.com> <748f2c3d-16fd-03f3-988d-11a9c262a43a@cisco.com> <4F3484F0-20F5-4B03-9456-0CAB8E4D3344@telecom-paristech.fr>
From: Fabio Maino <fmaino@cisco.com>
Message-ID: <8d0f2d3a-d44d-9983-54f8-eedced0d638e@cisco.com>
Date: Wed, 26 Oct 2016 07:32:44 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <4F3484F0-20F5-4B03-9456-0CAB8E4D3344@telecom-paristech.fr>
Content-Type: multipart/alternative; boundary="------------2C17378A2F0B1C07C9AB2D2D"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/HCDMNcRIy8bdgJhmnaw7xLEzvro>
Cc: lisp-chairs@ietf.org, Damien Saucez <damien.saucez@inria.fr>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] LISP-SEC review (finally)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 14:33:03 -0000
sounds good. Fabio On 10/26/16 2:14 AM, Luigi Iannone wrote: > Hi Fabio, > > thanks. > > I you don’t mind I prefer that we converge first (see other reply). > So that I have to check only one final update. > > ciao > > L. > > >> On 26 Oct 2016, at 06:07, Fabio Maino <fmaino@cisco.com >> <mailto:fmaino@cisco.com>> wrote: >> >> Ciao Luigi, >> here is the updated draft and the diff from -11. >> >> >> Thanks, >> Fabio >> >> >> On 10/25/16 5:14 PM, Fabio Maino wrote: >>> Hi Luigi, >>> below are more replies skipping the ones we agreed already. Looks >>> like we are converging... >>> >>> >>> wrt to 6830bis, I think we should not wait. I suspect the security >>> review of the document will take some time, so we can do some >>> progress in parallel to 6830bis. >>> >>> We will have to do a LISP-SECbis afterwards, but that should be simple. >>> >>> Please, see below. >>> >>> >>> >>> >>> On 10/24/16 3:02 AM, Luigi Iannone wrote: >>>> Hi Fabio, >>>> >>>> se my comment inline. >>>> (I do not consider the points we agree and everything related to >>>> the “SHOULD” clarification) >>>> >>>> Thanks for your work >>>> >>>> Ciao >>>> >>>> L. >>>> >>>> >>>>> On 22 Oct 2016, at 01:23, Fabio Maino <fmaino@cisco.com >>>>> <mailto:fmaino@cisco.com>> wrote: >>>>> >>>>> Ciao Luigi, >>>>> below I have replied to each comment. I'm working to the updated >>>>> text, that I will send as soon as it is ready. ideally we might be >>>>> able to publish a new version before draft deadline. >>>> >>>> Excellent. Thanks >>>> >>>>> >>>>> Just a note on the most recurring comment: SHOULD vs. MUST. >>>>> >>>>> The use of SHOULD across the document is according to RFC 2119: >>>>> >>>>> >>>>> SHOULD >>>>> >>>>> This word, or the adjective "RECOMMENDED", mean that there >>>>> may exist valid reasons in particular circumstances to ignore a >>>>> particular item, but the full implications must be understood and >>>>> carefully weighed before choosing a different course. >>>>> >>>>> >>>>> There are use cases where, carefully weighing the implications, >>>>> some of the security services of LISP-SEC can be turned-off. We >>>>> want to leave implementors the freedom to allow this flexibility. >>>>> >>>>> For example, in a DC deployment it may make sense to turn off OTK >>>>> decryption between XTR and MS/MR, as MiTM is very unlikely. >>>>> >>>>> Similarly, an ITR may decide to implement a loose policy on >>>>> accepting an AD authenticated with an algorithm different from the >>>>> preferred authentication algorithm expressed by the ITR. Using a >>>>> MUST would force support of a given authentication algorithm >>>>> across each and every MS and ETR, that might not be the case when >>>>> incrementally deploying LISP-SEC (or while upgrading routers). >>>>> >>>>> Using a MUST would prevent this flexibility, that we would like to >>>>> leave to the implementors. >>>>> >>>>> >>>>> >>>> >>>> This is fixed as for the suggestion of Joel. Thanks. >>>> >>>> >>>>> >>>>> >>>>> On 10/19/16 8:06 AM, Luigi Iannone wrote: >>>>>> Dear Authors of the LISP-SEC document, >>>>>> >>>>>> hereafter my review of the document. >>>>>> This was long overdue, sorry for being so late. >>>>>> >>>>>> I really like the solution and the majority of my comments are >>>>>> just clarification questions. >>>>>> Let me know if my comments are clear. >>>>>> >>>>>> ciao >>>>>> >>>>>> L. >>>>>> >>>>>> >>>>>> >>>>>>> 1. Introduction >>>>>>> >>>>>>> The Locator/ID Separation Protocol [RFC6830] defines a set of >>>>>>> functions for routers to exchange information used to map from non- >>>>>>> routable Endpoint Identifiers (EIDs) to routable Routing Locators >>>>>>> (RLOCs). >>>>>> I find the above sentence confusing. Wouldn’t be better to >>>>>> specify that we are talking about IP addresses? >>>>> >>>>> That's how LISP is described in RFC6830, section 1. If you start >>>>> using the term IP address then you need to qualify if you are >>>>> talking about Identity-IP or Locator-IP, so the sentence gets >>>>> complicated pretty quickly. >>>>> >>>> >>>> Not really. The very first sentence of the abstract of 6830 states: >>>> >>>> This document describes a network-layer-based protocol that enables >>>> separation of IP addresses into two new numbering spaces: Endpoint >>>> Identifiers (EIDs) and Routing Locators (RLOCs). >>>> >>>> >>>> So clearly speaks about IP address. >>>> Furthermore “routable" en “non routable” is true only in the >>>> inter-domain point of view, because EID are locally routable. >>>> Note that 6830 does not specify in the first sentence what is >>>> routable and what is not. >>> >>> ok, fixed with text from 6830. >>> >>> >>>> >>>> >>>>> I would leave this one unchanged. >>>>>> >>>>>>> If these EID-to-RLOC mappings, carried through Map-Reply >>>>>>> messages, are transmitted without integrity protection, an adversary >>>>>>> can manipulate them and hijack the communication, impersonate the >>>>>>> requested EID, or mount Denial of Service or Distributed Denial of >>>>>>> Service attacks. Also, if the Map-Reply message is transported >>>>>>> unauthenticated, an adversarial LISP entity can overclaim an EID- >>>>>>> prefix and maliciously redirect traffic directed to a large number of >>>>>>> hosts. A detailed description of "overclaiming" attack is provided >>>>>>> in [RFC7835]. >>>>>>> >>>>>>> This memo specifies LISP-SEC, a set of security mechanisms that >>>>>>> provides origin authentication, integrity and anti-replay protection >>>>>>> to LISP's EID-to-RLOC mapping data conveyed via mapping lookup >>>>>>> process. >>>>>> >>>>>> I would put s forward reference to section 3 stating that the >>>>>> reader will find details about the threat model. >>>>> >>>>> OK. We can replace the sentence >>>>> A detailed description of "overclaiming" attack is provided >>>>> in [RFC7835] >>>>> >>>>> with >>>>> >>>>> The LISP-SEC threat model, described in Section 3, is built on top of the LISP threat model defined in RFC7835, that includes a detailed description of "overclaiming" attack. >>>> OK >>>> >>>> >>>>> >>>>> >>>>>> >>>>>>> LISP-SEC also enables verification of authorization on EID- >>>>>>> prefix claims in Map-Reply messages, ensuring that the sender of a >>>>>>> Map-Reply that provides the location for a given EID-prefix is >>>>>>> entitled to do so according to the EID prefix registered in the >>>>>>> associated Map-Server. Map-Register security, including the right >>>>>>> for a LISP entity to register an EID-prefix or to claim presence at >>>>>>> an RLOC, is out of the scope of LISP-SEC. Additional security >>>>>>> considerations are described in Section 6. >>>>>>> >>>>>>> 2. Definition of Terms >>>>>>> >>>>>>> One-Time Key (OTK): An ephemeral randomly generated key that must >>>>>>> be used for a single Map-Request/Map-Reply exchange. >>>>>>> >>>>>>> >>>>>>> >>>>>>> ITR-OTK: The One-Time Key generated at the ITR. >>>>>>> >>>>>>> MS-OTK: The One-Time Key generated at the Map-Server. >>>>>> >>>>>> Why are you considering ITR-OTK and MS-OTK sub-terms? >>>>>> I would elevate them at full terms, hence avoiding spacing and >>>>>> indentation. >>>>> >>>>> Ok. >>>>> >>>>>> >>>>>>> Encapsulated Control Message (ECM): A LISP control message that is >>>>>>> prepended with an additional LISP header. ECM is used by ITRs to >>>>>>> send LISP control messages to a Map-Resolver, by Map-Resolvers to >>>>>>> forward LISP control messages to a Map-Server, and by Map- >>>>>>> Resolvers to forward LISP control messages to an ETR. >>>>>>> >>>>>> Why are you re-defining ECM? >>>>>> You do not specify other packets, e.g., Map-Reply, so why ECM? >>>>>> I would drop it. >>>>> >>>>> It is not defined in the Definitions section of 6830. One would >>>>> need to go through the body of 6830 to find it. >>>> >>>> I see your point. Just keep the text and add a ref to section 6.1.8 >>>> of 6830. This will clarify that is something coming from a specific >>>> section of that document. >>> >>> I have dropped the definition, expanded the acronym ECM and referred >>> to the specific section. >>> >>> In this way we don't have to wait for 6830bis, but we refer to the >>> proper definition. >>> >>>> >>>> >>>>> >>>>> I'll drop it, but we need to make sure that ECM gets into the >>>>> definition section of 6830bis. >>>>> >>>>> Albert: are you looking into that document? Can you take care of >>>>> this? >>>>> >>>>> >>>>>> >>>>>> >>>>>>> Authentication Data (AD): Metadata that is included either in a >>>>>>> LISP ECM header or in a Map-Reply message to support >>>>>>> confidentiality, integrity protection, and verification of EID- >>>>>>> prefix authorization. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 3] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> OTK-AD: The portion of ECM Authentication Data that contains a >>>>>>> One-Time Key. >>>>>>> >>>>>>> EID-AD: The portion of ECM and Map-Reply Authentication Data >>>>>>> used for verification of EID-prefix authorization. >>>>>>> >>>>>>> PKT-AD: The portion of Map-Reply Authentication Data used to >>>>>>> protect the integrity of the Map-Reply message. >>>>>> >>>>>> >>>>>> Why are you considering OTK-AD, EID-AD, and PKT-AD sub-terms? >>>>>> I would elevate them at full terms, hence avoiding spacing and >>>>>> indentation. >>>>>> >>>>> ok. >>>>> >>>>>> >>>>>>> For definitions of other terms, notably Map-Request, Map-Reply, >>>>>>> Ingress Tunnel Router (ITR), Egress Tunnel Router (ETR), Map-Server >>>>>>> (MS), and Map-Resolver (MR) please consult the LISP specification >>>>>>> [RFC6830]. >>>>>>> >>>>>>> 3. LISP-SEC Threat Model >>>>>>> >>>>>>> LISP-SEC addresses the control plane threats, described in [RFC7835], >>>>>>> that target EID-to-RLOC mappings, including manipulations of Map- >>>>>>> Request and Map-Reply messages, and malicious ETR EID prefix >>>>>>> overclaiming. LISP-SEC makes two main assumptions: (1) the LISP >>>>>>> mapping system is expected to deliver a Map-Request message to their >>>>>>> intended destination ETR as identified by the EID, and (2) no man-in- >>>>>>> the-middle (MITM) attack can be mounted within the LISP Mapping >>>>>>> System. Furthermore, while LISP-SEC enables detection of EID prefix >>>>>>> overclaiming attacks, it assumes that Map-Servers can verify the EID >>>>>>> prefix authorization at time of registration. >>>>>> LISP-SEC does not require OTK confidentiality in the mapping >>>>>> system. This should be discussed here. >>>>> we could add to the above >>>>> "and (2) no man-in- >>>>> the-middle (MITM) attack can be mounted within the LISP Mapping >>>>> System." >>>>> >>>>> How the Mapping System is protected from MiTM attacks depends from the particular Mapping System used, and is out of the scope of this memo. >>>>> >>>>> >>>> >>>> That’s fine for me. >>>> >>>> >>>>> >>>>>> >>>>>> >>>>>>> According to the threat model described in [RFC7835] LISP-SEC assumes >>>>>>> that any kind of attack, including MITM attacks, can be mounted in >>>>>>> the access network, outside of the boundaries of the LISP mapping >>>>>>> system. An on-path attacker, outside of the LISP mapping system can, >>>>>>> for example, hijack Map-Request and Map-Reply messages, spoofing the >>>>>>> identity of a LISP node. Another example of on-path attack, called >>>>>>> overclaiming attack, can be mounted by a malicious Egress Tunnel >>>>>>> Router (ETR), by overclaiming the EID-prefixes for which it is >>>>>>> authoritative. In this way the ETR can maliciously redirect traffic >>>>>>> directed to a large number of hosts. >>>>>>> >>>>>>> 4. Protocol Operations >>>>>>> >>>>>>> The goal of the security mechanisms defined in [RFC6830] is to >>>>>>> prevent unauthorized insertion of mapping data by providing origin >>>>>>> authentication and integrity protection for the Map-Registration, and >>>>>>> by using the nonce to detect unsolicited Map-Reply sent by off-path >>>>>>> attackers. >>>>>>> >>>>>>> LISP-SEC builds on top of the security mechanisms defined in >>>>>>> [RFC6830] to address the threats described in Section 3 by leveraging >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 4] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> the trust relationships existing among the LISP entities >>>>>>> participating to the exchange of the Map-Request/Map-Reply messages. >>>>>>> Those trust relationships are used to securely distribute a One-Time >>>>>>> Key (OTK) that provides origin authentication, integrity and anti- >>>>>>> replay protection to mapping data conveyed via the mapping lookup >>>>>>> process, and that effectively prevent overclaiming attacks. The >>>>>>> processing of security parameters during the Map-Request/Map-Reply >>>>>>> exchange is as follows: >>>>>>> >>>>>>> o The ITR-OTK is generated and stored at the ITR, and securely >>>>>>> transported to the Map-Server. >>>>>>> >>>>>>> o The Map-Server uses the ITR-OTK to compute an HMAC that protects >>>>>> You did not define HMAC acronym. Please define and add a reference. >>>>> >>>>> ok. >>>>> >>>>> >>>>>> >>>>>>> the integrity of the mapping data known to the Map-Server to >>>>>>> prevent overclaiming attacks. The Map-Server also derives a new >>>>>>> OTK, the MS-OTK, that is passed to the ETR, by applying a Key >>>>>>> Derivation Function (KDF) to the ITR-OTK. >>>>>>> >>>>>>> o The ETR uses the MS-OTK to compute an HMAC that protects the >>>>>>> integrity of the Map-Reply sent to the ITR. >>>>>>> >>>>>>> o Finally, the ITR uses the stored ITR-OTK to verify the integrity >>>>>>> of the mapping data provided by both the Map-Server and the ETR, >>>>>>> and to verify that no overclaiming attacks were mounted along the >>>>>>> path between the Map-Server and the ITR. >>>>>>> >>>>>>> Section 5 provides the detailed description of the LISP-SEC control >>>>>>> messages and their processing, while the rest of this section >>>>>>> describes the flow of protocol operations at each entity involved in >>>>>>> the Map-Request/Map-Reply exchange: >>>>>>> >>>>>>> o The ITR, upon needing to transmit a Map-Request message, generates >>>>>>> and stores an OTK (ITR-OTK). This ITR-OTK is included into the >>>>>>> Encapsulated Control Message (ECM) that contains the Map-Request >>>>>>> sent to the Map-Resolver. To provide confidentiality to the ITR- >>>>>>> OTK over the path between the ITR and its Map-Resolver, the ITR- >>>>>>> OTK SHOULD >>>>>> Why not using “MUST”??? >>>>>> Are you suggesting that a different way to provide >>>>>> confidentiality can be used (e.g. a different shared key)??? >>>>>> If yes, please state so. >>>>>> >>>>>> Or are you suggesting that no encryption at all is used? But this >>>>>> means not providing confidentiality… >>>>>> Can you clarify? >>>>>> >>>>>> (this very same comment will appear several time in this review) >>>>> >>>>> We don't want to make the use of pre-shared key *mandatory* to all >>>>> LISP deployments. There are deployments where the risk of MiTM >>>>> between the xTR and the MS/MR may not justify the cost of >>>>> provisioning a shared key (data centers, for example). >>>>> >>>>> >>>>>>> be encrypted using a preconfigured key shared between >>>>>>> the ITR and the Map-Resolver, similar to the key shared between >>>>>>> the ETR and the Map-Server in order to secure ETR registration >>>>>>> [RFC6833]. >>>>>>> >>>>>>> o The Map-Resolver decapsulates the ECM message, decrypts the ITR- >>>>>>> OTK, if needed, and forwards through the Mapping System the >>>>>>> received Map-Request and the ITR-OTK, as part of a new ECM >>>>>>> message. As described in Section 5.6, the LISP Mapping System >>>>>>> delivers the ECM to the appropriate Map-Server, as identified by >>>>>>> the EID destination address of the Map-Request. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 5] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> o The Map-Server is configured with the location mappings and policy >>>>>>> information for the ETR responsible for the EID destination >>>>>>> address. Using this preconfigured information, the Map-Server, >>>>>>> after the decapsulation of the ECM message, finds the longest >>>>>>> match EID-prefix that covers the requested EID in the received >>>>>>> Map-Request. The Map-Server adds this EID-prefix, together with >>>>>>> an HMAC computed using the ITR-OTK, to a new Encapsulated Control >>>>>>> Message that contains the received Map-Request. >>>>>>> >>>>>>> o The Map-Server derives a new OTK, the MS-OTK, by applying a Key >>>>>>> Derivation Function (KDF) to the ITR-OTK. This MS-OTK is included >>>>>>> in the Encapsulated Control Message that the Map-Server uses to >>>>>>> forward the Map-Request to the ETR. To provide MS-OTK >>>>>>> confidentiality over the path between the Map-Server and the ETR, >>>>>>> the MS-OTK should >>>>>> This “should” should be a “SHOULD” (sorry for the cacophony…) >>>>> >>>>> Ok. >>>>>> >>>>>> Why not using “MUST”??? >>>>>> Are you suggesting that a different way to provide >>>>>> confidentiality can be used (e.g. a different shared key)??? >>>>>> If yes, please state so. >>>>>> >>>>>> Or are you suggesting that no encryption at all is used? But this >>>>>> means not providing confidentiality… >>>>>> Can you clarify? >>>>> >>>>> Same as above. >>>>> >>>>>> >>>>>>> be encrypted using the key shared between the >>>>>>> ETR and the Map-Server in order to secure ETR registration >>>>>>> [RFC6833]. >>>>>>> >>>>>>> o If the Map-Server is acting in proxy mode, as specified in >>>>>>> [RFC6830], the ETR is not involved in the generation of the Map- >>>>>>> Reply. In this case the Map-Server generates the Map-Reply on >>>>>>> behalf of the ETR as described below. >>>>>>> >>>>>>> o The ETR, upon receiving the ECM encapsulated Map-Request from the >>>>>>> Map-Server, decrypts the MS-OTK, if needed, and originates a >>>>>>> standard Map-Reply that contains the EID-to-RLOC mapping >>>>>>> information as specified in [RFC6830]. >>>>>>> >>>>>>> o The ETR computes an HMAC over this standard Map-Reply, keyed with >>>>>>> MS-OTK to protect the integrity of the whole Map-Reply. The ETR >>>>>>> also copies the EID-prefix authorization data that the Map-Server >>>>>>> included in the ECM encapsulated Map-Request into the Map-Reply >>>>>>> message. The ETR then sends this complete Map-Reply message to >>>>>>> the requesting ITR. >>>>>>> >>>>>>> o The ITR, upon receiving the Map-Reply, uses the locally stored >>>>>>> ITR-OTK to verify the integrity of the EID-prefix authorization >>>>>>> data included in the Map-Reply by the Map-Server. The ITR >>>>>>> computes the MS-OTK by applying the same KDF used by the Map- >>>>>>> Server, and verifies the integrity of the Map-Reply. If the >>>>>>> integrity checks fail, the Map-Reply MUST be discarded. Also, if >>>>>>> the EID-prefixes claimed by the ETR in the Map-Reply are not equal >>>>>>> or more specific than the EID-prefix authorization data inserted >>>>>>> by the Map-Server, the ITR MUST discard the Map-Reply. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 6] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> 5. LISP-SEC Control Messages Details >>>>>>> >>>>>>> LISP-SEC metadata associated with a Map-Request is transported within >>>>>>> the Encapsulated Control Message that contains the Map-Request. >>>>>>> >>>>>>> LISP-SEC metadata associated with the Map-Reply is transported within >>>>>>> the Map-Reply itself. >>>>>>> >>>>>>> 5.1. Encapsulated Control Message LISP-SEC Extensions >>>>>>> >>>>>>> LISP-SEC uses the ECM (Encapsulated Control Message) defined in >>>>>>> [RFC6830] with Type set to 8, and S bit set to 1 to indicate that the >>>>>>> LISP header includes Authentication Data (AD). The format of the >>>>>>> LISP-SEC ECM Authentication Data is defined in the following figure. >>>>>>> OTK-AD stands for One-Time Key Authentication Data and EID-AD stands >>>>>>> for EID Authentication Data. >>>>>>> >>>>>>> 0 1 2 3 >>>>>>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>>>> | AD Type |V| Reserved | Requested HMAC ID | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ >>>>>>> | OTK Length | OTK Encryption ID | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>>>> | One-Time-Key Preamble ... | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ OTK-AD >>>>>>> | ... One-Time-Key Preamble | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>>>> ~ One-Time Key (128 bits) ~/ >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>>>> | EID-AD Length | KDF ID | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>>>> | Record Count | Reserved | EID HMAC ID | EID-AD >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ | >>>>>>> | Reserved | EID mask-len | EID-AFI | | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Rec | >>>>>>> ~ EID-prefix ... ~ | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ | >>>>>>> ~ EID HMAC ~ | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <—+ >>>>>> I think that “rec” is mis-aligned and should be shifted one >>>>>> character upward. >>>>> >>>>> No. The row above is the portion of the header that specifies how >>>>> many records will follow. Rec shows one Rec item, in the array of >>>>> Records. It is consistent with 6830. >>>>> >>>>> >>>> >>>> OK >>>> >>>>> >>>>>> >>>>>>> LISP-SEC ECM Authentication Data >>>>>>> >>>>>>> AD Type: 1 (LISP-SEC Authentication Data) >>>>>> This is the first document starting to allocate values to the "AD >>>>>> Type” value. >>>>>> Why not asking IANA to create a registry?? >>>>>> (to be done in the IANA Considerations Section) >>>>> >>>>> >>>>> Ok. >>>>> >>>>>> >>>>>> >>>>>> >>>>>>> V: Key Version bit. This bit is toggled when the sender switches >>>>>>> to a new OTK wrapping key >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 7] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>>>> >>>>>>> Requested HMAC ID: The HMAC algorithm requested by the ITR. See >>>>>>> Section 5.4 for details. >>>>>>> >>>>>>> OTK Length: The length (in bytes) of the OTK Authentication Data >>>>>>> (OTK-AD), that contains the OTK Preamble and the OTK. >>>>>>> >>>>>>> OTK Encryption ID: The identifier of the key wrapping algorithm >>>>>>> used to encrypt the One-Time-Key. When a 128-bit OTK is sent >>>>>>> unencrypted by the Map-Resolver, the OTK Encryption ID is set to >>>>>>> NULL_KEY_WRAP_128. See Section 5.5 for more details. >>>>>>> >>>>>>> One-Time-Key Preamble: set to 0 if the OTK is not encrypted. When >>>>>>> the OTK is encrypted, this field may carry additional metadata >>>>>>> resulting from the key wrapping operation. When a 128-bit OTK is >>>>>>> sent unencrypted by Map-Resolver, the OTK Preamble is set to >>>>>>> 0x0000000000000000 (64 bits). See Section 5.5 for details. >>>>>>> >>>>>>> One-Time-Key: the OTK encrypted (or not) as specified by OTK >>>>>>> Encryption ID. See Section 5.5 for details. >>>>>>> >>>>>>> EID-AD Length: length (in bytes) of the EID Authentication Data >>>>>>> (EID-AD). The ITR MUST set EID-AD Length to 4 bytes, as it only >>>>>>> fills the KDF ID field, and all the remaining fields part of the >>>>>>> EID-AD are not present. An EID-AD MAY contain multiple EID- >>>>>>> records. Each EID-record is 4-byte long plus the length of the >>>>>>> AFI-encoded EID-prefix. >>>>>>> >>>>>>> KDF ID: Identifier of the Key Derivation Function used to derive >>>>>>> the MS-OTK. The ITR SHOULD use this field to indicate the >>>>>>> recommended KDF algorithm, according to local policy. >>>>>> I am not sure I understand the rationale of this “SHOULD”. If for >>>>>> any reason the ITR does not indicate the KDF ID what are the >>>>>> consequences? >>>>> >>>>> That should be a MAY, I believe, >>>>> >>>>> The ITR can specify "no preference" for KDF ID, using a value of 0. >>>> >>>> I think this is the unclear information: that the ITR can state “no >>>> preference” using value 0. >>>> Would be good if you can state it more clearly. >>> >>> I've added text to clarify this. >>> >>>> >>>> >>>>> >>>>> In the ITR processing section 5.4, we should add to >>>>> >>>>> The KDF ID field, specifies the suggested key derivation function to >>>>> be used by the Map-Server to derive the MS-OTK. >>>>> >>>>> a text like: "A KDF ID value of 0 (NONE), MAY be used to specify >>>>> that the ITR has no preferred KDF ID". >>>>> >>>>> >>>>> >>>>>> Is the MS free to choose the algorithm? This should be clarified. >>>>> This is specified in section 5.7. >>>>> >>>>> " >>>>> The Map-Server updates the OTK-AD by deriving a new OTK (MS-OTK) from >>>>> the ITR-OTK received with the Map-Request. MS-OTK is derived >>>>> applying the key derivation function specified in the KDF ID field. >>>>> If the algorithm specified in the KDF ID field is not supported, the >>>>> Map-Server uses a different algorithm to derive the key and updates >>>>> the KDF ID field accordingly. >>>>> " >>>>> >>>>> >>>> >>>> Since this paragraph does not use any 2119 language it actually >>>> mean that an MS can choose freely the algorithm to use. >>>> right? >>> >>> right. If the ITR does support that specific ID, the ITR may still >>> decide to use it. >>> >>>> >>>>> >>>>>> >>>>>>> The Map- >>>>>>> Server can overwrite the KDF ID if it does not support the KDF ID >>>>>>> recommended by the ITR. >>>>>> What happens if the MS will choose a KDF ID not supported by the ITR? >>>>>> Can you clarify how to solve this situation or explain why this >>>>>> will never happen? >>>>> >>>>> This is specified in 5.4, ITR processing. >>>>> >>>>> " >>>>> To verify the integrity of the PKT-AD, first the MS-OTK is derived >>>>> from the locally stored ITR-OTK using the algorithm specified in the >>>>> KDF ID field. This is because the PKT-AD is generated by the ETR >>>>> using the MS-OTK. If the KDF ID in the Map-Reply does not match the >>>>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>>>> Reply and send, at the first opportunity it needs to, a new Map- >>>>> Request with a different KDF ID, according to ITR's local policy. >>>>> " >>>>> >>>>> >>>>> There are two typical use cases: >>>>> - strict KDF ID policy: ITR specifiy a KDF ID, and will discard >>>>> map-reply with different KDF IDs. If local policy allows, another >>>>> map-request will be sent with a different KDF ID >>>>> - loose KDF ID policy: ITR specify KDF ID = none, and will accept >>>>> map-reply with any KDF ID (if supported by ITR). If received KDF >>>>> is not supported the ITR shall drop the map-reply >>>>> >>>> >>>> The above text does not reflect the policies you are describing. >>>> That “SHOULD” should be a “MAY” and your policies spelled out. >>> I think we need to separate the recommendations for the two actions: >>> SHOULD drop and MAY resend. >>> >>> " >>> , the ITR SHOULD discard the Map- >>> Reply. At the first opportunity it needs to, the ITR MAY send a new Map- >>> Request with a different KDF ID, according to ITR's local policy. >>> >>> What do you think? >>> >>>> >>>> Also, what is the MS stubbornly insists in using an algorithm that >>>> the ITR does not support? >>> >>> The MS might not have alternatives, as it might only support one >>> algorithm. >>> >>> >>> >>>> >>>> >>>>> >>>>>> >>>>>>> See Section 5.4 for more details. >>>>>>> >>>>>>> Record Count: The number of records in this Map-Request message. >>>>>>> A record is comprised of the portion of the packet that is labeled >>>>>>> 'Rec' above and occurs the number of times equal to Record Count. >>>>>>> >>>>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>>>> >>>>>>> EID HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>>>> integrity of the EID-AD. This field is filled by Map-Server that >>>>>>> computed the EID-prefix HMAC. See Section 5.4 for more details. >>>>>>> >>>>>>> EID mask-len: Mask length for EID-prefix. >>>>>>> >>>>>>> EID-AFI: Address family of EID-prefix according to [RFC5226] >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 8] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> EID-prefix: The Map-Server uses this field to specify the EID- >>>>>>> prefix that the destination ETR is authoritative for, and is the >>>>>>> longest match for the requested EID. >>>>>>> >>>>>>> EID HMAC: HMAC of the EID-AD computed and inserted by Map-Server. >>>>>>> Before computing the HMAC operation the EID HMAC field MUST be set >>>>>>> to 0. The HMAC covers the entire EID-AD. >>>>>>> >>>>>>> 5.2. Map-Reply LISP-SEC Extensions >>>>>>> >>>>>>> LISP-SEC uses the Map-Reply defined in [RFC6830], with Type set to 2, >>>>>>> and S bit set to 1 to indicate that the Map-Reply message includes >>>>>>> Authentication Data (AD). The format of the LISP-SEC Map-Reply >>>>>>> Authentication Data is defined in the following figure. PKT-AD is >>>>>>> the Packet Authentication Data that covers the Map-Reply payload. >>>>>>> >>>>>>> 0 1 2 3 >>>>>>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>>>> | AD Type | Reserved | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>>>> | EID-AD Length | KDF ID | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>>>> | Record Count | Reserved | EID HMAC ID | EID-AD >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ | >>>>>>> | Reserved | EID mask-len | EID-AFI | | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Rec | >>>>>>> ~ EID-prefix ... ~ | | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ | >>>>>>> ~ EID HMAC ~ | >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>>>> | PKT-AD Length | PKT HMAC ID |\ >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>>>> ~ PKT HMAC ~ PKT-AD >>>>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ >>>>>>> >>>>>>> LISP-SEC Map-Reply Authentication Data >>>>>>> >>>>>>> AD Type: 1 (LISP-SEC Authentication Data) >>>>>> Shouldn’t this be a different value? This AD format is different >>>>>> from the one described in section 5.1! >>>>>> Another reason to ask IANA for a registry…. >>>>> >>>>> One is the LISP-SEC authentication data that applies to the ECM >>>>> message (when S-bit = 1), the other is the LISP-SEC authentication >>>>> data that applies to the Map-Reply (when S-bit = 1). >>>>> >>>>> Those are extensions of two different messages (ECM and >>>>> map-reply), and they are both identified by an AD Type (that >>>>> happens to be set to value 1 for both). >>>> >>>> This is not clear in the current text. >>> >>> Right. I have updated the text to clarify it. Together with the IANA >>> disposition it should be clear now. >>> >>> >>>> >>>>> >>>>> Yes, the AD type space is different so we will need two IANA >>>>> registries. >>>>> >>>>> >>>>> Question for the co-auhtors: should we change the name to 'ECM AD >>>>> Type' and 'Map-Reply AD Type’? >>>> >>>> IMHO you have to, otherwise there will be always confusion…. >>> >>> done. >>> >>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> EID-AD Length: length (in bytes) of the EID-AD. An EID-AD MAY >>>>>>> contain multiple EID-records. Each EID-record is 4-byte long plus >>>>>>> the length of the AFI-encoded EID-prefix. >>>>>>> >>>>>>> KDF ID: Identifier of the Key Derivation Function used to derive >>>>>>> MS-OTK. See Section 5.7 for more details. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 9] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> Record Count: The number of records in this Map-Reply message. A >>>>>>> record is comprised of the portion of the packet that is labeled >>>>>>> 'Rec' above and occurs the number of times equal to Record Count. >>>>>>> >>>>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>>>> >>>>>>> EID HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>>>> integrity of the EID-AD. See Section 5.7 for more details. >>>>>>> >>>>>>> EID mask-len: Mask length for EID-prefix. >>>>>>> >>>>>>> EID-AFI: Address family of EID-prefix according to [RFC5226]. >>>>>>> >>>>>>> EID-prefix: This field contains an EID-prefix that the destination >>>>>>> ETR is authoritative for, and is the longest match for the >>>>>>> requested EID. >>>>>>> >>>>>>> EID HMAC: HMAC of the EID-AD, as computed by the Map-Server. >>>>>>> Before computing the HMAC operation the EID HMAC field MUST be set >>>>>>> to 0. The HMAC covers the entire EID-AD. >>>>>>> >>>>>>> PKT-AD Length: length (in bytes) of the Packet Authentication Data >>>>>>> (PKT-AD). >>>>>>> >>>>>>> PKT HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>>>> integrity of the Map-reply Location Data. >>>>>> “Location Data” is something nowhere defined. Can you clarify >>>>>> what do you mean? >>>>> >>>>> we can just remove 'Location Data’ >>>> >>>> OK. >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> PKT HMAC: HMAC of the whole Map-Reply packet, including the LISP- >>>>>>> SEC Authentication Data. The scope of the authentication goes >>>>>>> from the Map-Reply Type field to the PKT HMAC field included. >>>>>>> Before computing the HMAC operation the PKT HMAC field MUST be set >>>>>>> to 0. See Section 5.8 for more details. >>>>>>> >>>>>>> 5.3. Map-Register LISP-SEC Extentions >>>>>>> >>>>>>> The second bit after the Type field in a Map-Register message is >>>>>>> allocated as the S bit. >>>>>> I would better explain that this document is allocating a bit >>>>>> marked as reserved in 6830. >>>>> >>>>> Ok. We will need to reflect this in 6830bis as well. >>>> >>>> Sure >>>> >>>> >>>>> >>>>>> Furthermore, at the cost of being redundant, I would put the >>>>>> packet format highlighting the position of the bit so that there >>>>>> is no confusion whatsoever. >>>>> >>>>> We wanted to explicitly avoid to include the format of messages >>>>> when already defined in other documents, >>>> >>>> The S-bit is not defined in other documents. IMHO is important to >>>> have the visual aid of which exact bit your are talking about. >>>> >>> I've added text to clarify. I really prefer not to have the whole >>> picture, but just refer to it. >>> >>> Considering that 6830 will evolve into 6830bis, eventually (with the >>> next LISP-SEC) the reference will be updated in 6830bis. >>> >>> >>>>> so we point rather than copy. If we address this in 6830bis, the >>>>> problem will be solved. >>>> >>>> You mentioned 6830bis several time, let me ask: Would you like to >>>> reference that document? >>>> In this case we have to hold this back until we have at least a >>>> stable version of that document. >>>> Then the RFC editor will hold this document back until that one is >>>> RFC, because of missing reference. >>>> Or you keep it this way and later on you make a ST version. >>>> >>>> Either way is fine for me. >>> >>> I think we should move this draft forward, without waiting for >>> 6830bis. Considering that this is security I expect the review >>> process to last quite some time, so we can make progress without >>> waiting for 6830bis. Eventually even teh LISP-SEC RFC will be >>> updated, and all will be good. >>> >>>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>>> The S bit indicates to the Map-Server that >>>>>>> the registering ETR is LISP-SEC enabled. An ETR that supports LISP- >>>>>>> SEC MUST set the S bit in its Map-Register messages. >>>>>>> >>>>>>> 5.4. ITR Processing >>>>>>> >>>>>>> Upon creating a Map-Request, the ITR generates a random ITR-OTK that >>>>>>> is stored locally, together with the nonce generated as specified in >>>>>>> [RFC6830]. >>>>>>> >>>>>>> The Map-Request MUST be encapsulated in an ECM, with the S-bit set to >>>>>>> 1, to indicate the presence of Authentication Data. If the ITR and >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 10] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> the Map-Resolver are configured with a shared key, >>>>>> In section 4 you seem to suggest that this is not the only way to >>>>>> protect the OTK (see my comment). >>>>>> Here instead you suggest that a shared key is the only way. >>>>> >>>>> >>>>> Right. Here it says what to do IF there is a shared key, that is >>>>> consistent with the SHOULD above. >>>> >>>> OK. >>>> >>>>> >>>>> >>>>>>> the ITR-OTK >>>>>>> confidentiality SHOULD be protected by wrapping the ITR-OTK with the >>>>>>> algorithm specified by the OTK Encryption ID field. >>>>>> Not clear what this “SHOULD” refers to. >>>>>> IS the SHOULD related to the fact to encrypt the OTK? The ITR >>>>>> SHOULD encrypt. >>>>>> Or the choice of the algorithm? The ITR SHOULD use the algorithm >>>>>> specified by the OTK Encryption ID? >>>>>> The second case looks impossible since is the ITR is choosing the >>>>>> algorithm. May be the sentence can be rewritten. >>>>> >>>>> SHOULD refers to protecting the confidentiality of the ITR-OTK. >>>>> Maybe the 'by' should be replaced by 'with’? >>>> >>>> Just drop the “by”? >>>> >>>> >>>>> >>>>>> >>>>>> Similarly to previous comment: Why it is not a MUST? >>>>> Same as other SHOULD. >>>>> >>>>> >>>>> >>>>>>> See Section 5.5 >>>>>>> for further details on OTK encryption. >>>>>>> >>>>>>> The Requested HMAC ID field contains the suggested HMAC algorithm to >>>>>>> be used by the Map-Server and the ETR to protect the integrity of the >>>>>>> ECM Authentication data and of the Map-Reply. >>>>>>> >>>>>> What happens if the MS will choose a HMAC not supported by the >>>>>> ETR or the ITR? >>>>>> Can you clarify how to solve this situation or explain why this >>>>>> will never happen? >>>>> >>>>> This is described 5 paragraphs below: >>>>> >>>>> " >>>>> If the EID HMAC ID field does >>>>> not match the Requested HMAC ID the ITR SHOULD discard the Map-Reply >>>>> and send, at the first opportunity it needs to, a new Map-Request >>>>> with a different Requested HMAC ID field, according to ITR's local >>>>> policy. >>>>> " >>>>> >>>> >>>> What about the ETR? >>> >>> It's specified in 5.8, the ETR makes the same processing as the MS. >>> >>> "If the ETR does not support the Requested HMAC ID, it uses a >>> different algorithm and updates the PKT HMAC ID field accordingly. " >>> >>> Also the ETR doesn't process the AD computed by the MS, it just >>> copies into the Map-Reply. >>> >>> >>> >>>> >>>>> >>>>>> >>>>>>> The KDF ID field, specifies the suggested key derivation function to >>>>>>> be used by the Map-Server to derive the MS-OTK. >>>>>> >>>>>> What happens if the MS will choose a KDF ID not supported by the ITR? >>>>>> Can you clarify how to solve this situation or explain why this >>>>>> will never happen? >>>>> >>>>> This is described a few paragraphs below: >>>>> " >>>>> If the KDF ID in the Map-Reply does not match the >>>>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>>>> Reply and send, at the first opportunity it needs to, a new Map- >>>>> Request with a different KDF ID, according to ITR's... >>>>> " >>>>> >>>> >>>> This does not guarantee that the MS will reply with something the >>>> ITR understands…. >>> >>> For some local ITR's policy it may not be guaranteed. It's a balance >>> between reachability and security that the ITR will have to choose. >>> >>> >>> >>> >>> >>> >>>> >>>> >>>> >>>>>> >>>>>>> The EID-AD length is set to 4 bytes, since the Authentication Data >>>>>>> does not contain EID-prefix Authentication Data, and the EID-AD >>>>>>> contains only the KDF ID field. >>>>>>> >>>>>>> In response to an encapsulated Map-Request that has the S-bit set, an >>>>>>> ITR MUST receive a Map-Reply with the S-bit set, that includes an >>>>>>> EID-AD and a PKT-AD. If the Map-Reply does not include both ADs, the >>>>>>> ITR MUST discard it. In response to an encapsulated Map-Request with >>>>>>> S-bit set to 0, the ITR expects a Map-Reply with S-bit set to 0, and >>>>>>> the ITR SHOULD discard the Map-Reply if the S-bit is set. >>>>>> Why a “SHOULD”? If the Map-Request has S-bit=0 it mean that there >>>>>> is no AD, hence no OTK, how can the ITR decrypt the reply????? >>>>>> It MUST discard….. >>>>> >>>>> If S-bit = 0 there's no Authentication Data. The Map-reply is in >>>>> clear, and can be read. >>>> >>>> I am not sure you understood my point. >>>> >>>> You send a Map-Request with S=0, hence unenbcrypted. How can you >>>> possible receive a Map-Reply with S=1? >>>> How is it encrypted if the ITR did not provide any OTK? >>> >>> Misconfiguration, bugs? I was just trying to enumerate the behaviors >>> of the ITR. There's probably something wrong, and the map-reply >>> should be discarded. Still the mapping is readable, so an ITR >>> favoring reachability may decide to use the mapping. >>> >>>> >>>> >>>> >>>> >>>>> >>>>> >>>>> Here again the SHOULD leaves open to ITR local policy that can be >>>>> strict (drop anything not authenticated) or loose (accept >>>>> unauthenticated map-reply). >>>>> >>>>> There are use cases where LISP-SEC is not deployed everywhere, >>>>> where the ITR might have to use loose policy. >>>>> >>>>> >>>>>> >>>>>> >>>>>>> Upon receiving a Map-Reply, the ITR must verify the integrity of both >>>>>>> the EID-AD and the PKT-AD, and MUST discard the Map-Reply if one of >>>>>>> the integrity checks fails. >>>>>>> >>>>>>> The integrity of the EID-AD is verified using the locally stored ITR- >>>>>>> OTK to re-compute the HMAC of the EID-AD using the algorithm >>>>>>> specified in the EID HMAC ID field. If the EID HMAC ID field does >>>>>>> not match the Requested HMAC ID the ITR SHOULD discard the Map-Reply >>>>>> Why is this a SHOULD? If it supports the HMAC Algorithm why not >>>>>> decrypt? Shouldn’t this be a “MAY”, according to internal policy? >>>>> >>>>> because this could be used by an attacker to force weaker HMACs >>>>> (e.g. MD5). >>>> >>>> OK >>>> >>>>> The SHOULD leaves open the door to not discarding, according to >>>>> local policy. >>>>> >>>>> >>>> >>>> OK. >>>> >>>> >>>>> >>>>> >>>>>>> and send, at the first opportunity it needs to, a new Map-Request >>>>>>> with a different Requested HMAC ID field, according to ITR's local >>>>>>> policy. The ITR MUST set the EID HMAC ID field to 0 before computing >>>>>>> the HMAC. >>>>>> Shouldn’t the MS do the same thing? Otherwise different values >>>>>> will be obtained. This is not specified in the MS functioning >>>>>> description. >>>>> >>>>> good catch. Actually it's a typo here, the EID HMAC field should >>>>> be set to 0 (that is consistent with section 5.7), not the EID >>>>> HMAC ID that should not be touched. >>>>> >>>> >>>> OK >>>>> >>>>> The ITR MUST set the EID HMAC ID field to 0 before computing >>>>> the HMAC. >>>>> >>>>> should change to >>>>> >>>>> The scope of the HMAC operation covers the >>>>> entire EID-AD, from the EID-AD Length field to the EID HMAC field, >>>>> which must be set to 0 before the computation. >>>>>>> To verify the integrity of the PKT-AD, first the MS-OTK is derived >>>>>>> from the locally stored ITR-OTK using the algorithm specified in the >>>>>>> KDF ID field. This is because the PKT-AD is generated by the ETR >>>>>>> using the MS-OTK. If the KDF ID in the Map-Reply does not match the >>>>>>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>>>>>> Reply and send, at the first opportunity it needs to, a new Map- >>>>>>> Request with a different KDF ID, according to ITR's local policy. >>>>>>> The derived MS-OTK is then used to re-compute the HMAC of the PKT-AD >>>>>>> using the Algorithm specified in the PKT HMAC ID field. If the PKT >>>>>>> HMAC ID field does not match the Requested HMAC ID the ITR SHOULD >>>>>>> discard the Map-Reply and send, at the first opportunity it needs to, >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 11] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> a new Map-Request with a different Requested HMAC ID according to >>>>>>> ITR's local policy. >>>>>>> >>>>>>> Each individual Map-Reply EID-record is considered valid only if: (1) >>>>>>> both EID-AD and PKT-AD are valid, and (2) the intersection of the >>>>>>> EID-prefix in the Map-Reply EID-record with one of the EID-prefixes >>>>>>> contained in the EID-AD is not empty. After identifying the Map- >>>>>>> Reply record as valid, the ITR sets the EID-prefix in the Map-Reply >>>>>>> record to the value of the intersection set computed before, and adds >>>>>>> the Map-Reply EID-record to its EID-to-RLOC cache, as described in >>>>>>> [RFC6830]. An example of Map-Reply record validation is provided in >>>>>>> Section 5.4.1. >>>>>>> >>>>>>> The ITR SHOULD send SMR triggered Map-Requests over the mapping >>>>>>> system in order to receive a secure Map-Reply. >>>>>> I do not understand this “SHOULD”. This has consequences in the >>>>>> choice how to react to SMR. This is a local policy. >>>>>> _If_ the ITR wants to protect Map-Requests using LISP-SEC, than >>>>>> SMR triggered Map-Request MUST be sent through the mapping system. >>>> >>>>> so the _if_ is what makes that MUST a SHOULD... According to local >>>>> policy the ITR SHOULD send the SMR. >>>> >>>> I read the sentence in this way: >>>> >>>> In order to received a secure Map-Reply, the ITR MUST send SMR >>>> triggered Map-Requests over the mapping system. >>>> >>>> No? >>> >>> I see what you are saying. I'll rephrase as: >>> >>> If an ITR accepts piggybacked Map-Replies, it SHOULD also send a >>> Map-Request over the mapping system in order to verify the >>> piggybacked Map-Reply with a secure Map-Reply. >>> >>> >>> >>> >>>> >>>>>>> If an ITR accepts >>>>>>> piggybacked Map-Replies, it SHOULD also send a Map-Request over the >>>>>>> mapping system in order to securely verify the piggybacked Map-Reply. >>>>>> Same as above. >>>>>>> 5.4.1. Map-Reply Record Validation >>>>>>> >>>>>>> The payload of a Map-Reply may contain multiple EID-records. The >>>>>>> whole Map-Reply is signed by the ETR, with the PKT HMAC, to provide >>>>>>> integrity protection and origin authentication to the EID-prefix >>>>>>> records claimed by the ETR. The Authentication Data field of a Map- >>>>>>> Reply may contain multiple EID-records in the EID-AD. The EID-AD is >>>>>>> signed by the Map-Server, with the EID HMAC, to provide integrity >>>>>>> protection and origin authentication to the EID-prefix records >>>>>>> inserted by the Map-Server. >>>>>>> >>>>>>> Upon receiving a Map-Reply with the S-bit set, the ITR first checks >>>>>>> the validity of both the EID HMAC and of the PKT-AD HMAC. If either >>>>>>> one of the HMACs is not valid, a log message is issued and the Map- >>>>>>> Reply is not processed any further. >>>>>> I think “log message" is too much implementation specific. >>>>>> If there is a notification, and how this notification is done, is >>>>>> implementation specific IMHO. >>>>> Ok. 'a log message is issued' will change to 'a log action should >>>>> be taken'. The point is that there could be an attack behind it, >>>>> and we want to record the event >>>> >>>> OK >>>> >>>>>>> If both HMACs are valid, the ITR >>>>>>> proceeds with validating each individual EID-record claimed by the >>>>>>> ETR by computing the intersection of each one of the EID-prefix >>>>>>> contained in the payload of the Map-Reply with each one of the EID- >>>>>>> prefixes contained in the EID-AD. An EID-record is valid only if at >>>>>>> least one of the intersections is not the empty set. >>>>>>> >>>>>>> For instance, the Map-Reply payload contains 3 mapping record EID- >>>>>>> prefixes: >>>>>>> >>>>>>> 1.1.1.0/24 >>>>>>> >>>>>>> 1.1.2.0/24 >>>>>>> >>>>>>> 1.2.0.0/16 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 12] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> The EID-AD contains two EID-prefixes: >>>>>>> >>>>>>> 1.1.2.0/24 >>>>>>> >>>>>>> 1.2.3.0/24 >>>>>>> >>>>>>> The EID-record with EID-prefix 1.1.1.0/24 is not processed since it >>>>>>> is not included in any of the EID-ADs signed by the Map-Server. A >>>>>>> log message is issued. >>>>>> I think “log message" is too much implementation specific. >>>>>> If there is a notification, and how this notification is done, is >>>>>> implementation specific IMHO. >>>>> ok. Same as above. >>>>>>> The EID-record with EID-prefix 1.1.2.0/24 is stored in the map-cache >>>>>>> because it matches the second EID-prefix contained in the EID-AD. >>>>>>> >>>>>>> The EID-record with EID-prefix 1.2.0.0/16 is not processed since it >>>>>>> is not included in any of the EID-ADs signed by the Map-Server. A >>>>>>> log message is issued. >>>>>> I think “log message" is too much implementation specific. >>>>>> If there is a notification, and how this notification is done, is >>>>>> implementation specific IMHO. >>>>> ok. Same as above >>>>>>> In this last example the ETR is trying to >>>>>>> over claim the EID-prefix 1.2.0.0/16, but the Map-Server authorized >>>>>>> only 1.2.3.0/24, hence the EID-record is discarded. >>>>>> Reading the example I am not sure I would follow this behaviour. >>>>>> Only 1 record out of 3 is valid so why should I actually trust >>>>>> the ETR instead of throwing everything away? >>>>>> Can you explain ??? >>>>> The other two records are validated by the MS, so there is no >>>>> reason to throw those away. >>>> >>>> Yes, but the ETR is still trying to cheat on the third one…. >>>> So the ETR may be compromised, why should I send traffic to him??? >>> >>> ITR has flagged the security exception with the log entry, and some >>> local ITR policy will decide what to do (including stop >>> encapsulating to the ETR, if that's what is specified by the >>> policy). At the LISP level LISP-SEC has done its job: verified >>> mapping goes into the map-cache, overclaimed mapping is dropped. >>> >>> >>>> >>>> >>>>>>> 5.4.2. PITR Processing >>>>>>> >>>>>>> The processing performed by a PITR is equivalent to the processing of >>>>>>> an ITR. However, if the PITR is directly connected to the ALT, >>>>>> This would be LISP+ALT. Pleas add a reference to 6836. >>>>> ok. >>>>>>> the >>>>>>> PITR performs the functions of both the ITR and the Map-Resolver >>>>>>> forwarding the Map-Request encapsulated in an ECM header that >>>>>>> includes the Authentication Data fields as described in Section 5.6. >>>>>>> >>>>>>> 5.5. Encrypting and Decrypting an OTK >>>>>>> >>>>>>> MS-OTK confidentiality is required in the path between the Map-Server >>>>>>> and the ETR, the MS-OTK SHOULD >>>>>> If confidentiality is required why there is not a MUST? >>>>> Same. >>>>>>> be encrypted using the preconfigured >>>>>>> key shared between the Map-Server and the ETR for the purpose of >>>>>>> securing ETR registration [RFC6833]. Similarly, if ITR-OTK >>>>>>> confidentiality is required in the path between the ITR and the Map- >>>>>>> Resolver, the ITR-OTK SHOULD >>>>>> Again, if confidentiality is required why there is not a MUST? >>>>> Same. >>>>>>> be encrypted with a key shared between >>>>>>> the ITR and the Map-Resolver. >>>>>>> >>>>>>> The OTK is encrypted using the algorithm specified in the OTK >>>>>>> Encryption ID field. When the AES Key Wrap algorithm is used to >>>>>>> encrypt a 128-bit OTK, according to [RFC3339], >>>>>> The correct RFC is 3394. >>>>> ok. >>>>>>> the AES Key Wrap >>>>>>> Initialization Value MUST be set to 0xA6A6A6A6A6A6A6A6 (64 bits). >>>>>>> The output of the AES Key Wrap operation is 192-bit long. The most >>>>>>> significant 64-bit are copied in the One-Time Key Preamble field, >>>>>>> while the 128 less significant bits are copied in the One-Time Key >>>>>>> field of the LISP-SEC Authentication Data. >>>>>>> >>>>>>> When decrypting an encrypted OTK the receiver MUST verify that the >>>>>>> Initialization Value resulting from the AES Key Wrap decryption >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 13] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> operation is equal to 0xA6A6A6A6A6A6A6A6. If this verification fails >>>>>>> the receiver MUST discard the entire message. >>>>>>> >>>>>>> When a 128-bit OTK is sent unencrypted the OTK Encryption ID is set >>>>>>> to NULL_KEY_WRAP_128, and the OTK Preamble is set to >>>>>>> 0x0000000000000000 (64 bits). >>>>>>> >>>>>>> 5.6. Map-Resolver Processing >>>>>>> >>>>>>> Upon receiving an encapsulated Map-Request with the S-bit set, the >>>>>>> Map-Resolver decapsulates the ECM message. The ITR-OTK, if >>>>>>> encrypted, is decrypted as specified in Section 5.5. >>>>>>> >>>>>>> The Map-Resolver, as specified in [RFC6833], originates a new ECM >>>>>>> header with the S-bit set, that contains the unencrypted ITR-OTK, as >>>>>>> specified in Section 5.5, and the other data derived from the ECM >>>>>>> Authentication Data of the received encapsulated Map-Request. >>>>>> Few points on this last paragraph: >>>>>> - You assume that there is no need of confidentiality inside the >>>>>> Mapping System? >>>>>> - Why not stating that encryption inside the mapping system is >>>>>> mapping system specify and out of scope of this document? >>>>> ok. as it was pointed out above. >>>>>> - Why are you assuming that all of the Mapping system will use >>>>>> ECM? Future Mapping system may use soemthos different. The >>>>>> important point is to ship the AD along. >>>>> good point, and I agree with your suggestion to fix this below. >>>>>>> The Map-Resolver then forwards >>>>>> to whom? >>>>> ok. add 'to the Map-Server' >>>>>>> the received Map-Request, encapsulated >>>>>>> in the new ECM header that includes the newly computed Authentication >>>>>>> Data fields. >>>>>> As for my comment of the previous paragraph I would be more >>>>>> generic stating that the MR will hand over the request to the >>>>>> mapping system. >>>>>> You can still provide the example of DDT using ECM. >>>>> right. >>>>>>> 5.7. Map-Server Processing >>>>>>> >>>>>>> Upon receiving an ECM encapsulated Map-Request with the S-bit set, >>>>>>> the Map-Server process the Map-Request according to the value of the >>>>>>> S-bit contained in the Map-Register sent by the ETR during >>>>>>> registration. >>>>>>> >>>>>>> If the S-bit contained in the Map-Register was clear the Map-Server >>>>>>> decapsulates the ECM and generates a new ECM encapsulated Map-Request >>>>>>> that does not contain an ECM Authentication Data, as specified in >>>>>>> [RFC6830]. The Map-Server does not perform any further LISP-SEC >>>>>>> processing. >>>>>> This equivalent to not using LISP-SEC. Please specify that the >>>>>> Map-Reply will be not protected. >>>>> ok. >>>>>>> If the S-bit contained in the Map-Register was set the Map-Server >>>>>>> decapsulates the ECM and generates a new ECM Authentication Data. >>>>>>> The Authentication Data includes the OTK-AD and the EID-AD, that >>>>>>> contains EID-prefix authorization information, that are ultimately >>>>>>> sent to the requesting ITR. >>>>>>> >>>>>>> The Map-Server updates the OTK-AD by deriving a new OTK (MS-OTK) from >>>>>>> the ITR-OTK received with the Map-Request. MS-OTK is derived >>>>>>> applying the key derivation function specified in the KDF ID field. >>>>>>> If the algorithm specified in the KDF ID field is not supported, the >>>>>>> Map-Server uses a different algorithm to derive the key and updates >>>>>>> the KDF ID field accordingly. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 14] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> The Map-Server and the ETR MUST be configured with a shared key for >>>>>>> mapping registration according to [RFC6833]. If MS-OTK >>>>>>> confidentiality is required, then the MS-OTK SHOULD be encrypted, >>>>>> Again, if confidentiality is required why there is not a MUST? >>>>> same as above. >>>>>>> by >>>>>>> wrapping the MS-OTK with the algorithm specified by the OTK >>>>>>> Encryption ID field as specified in Section 5.5. >>>>>>> >>>>>>> The Map-Server includes in the EID-AD the longest match registered >>>>>>> EID-prefix for the destination EID, and an HMAC of this EID-prefix. >>>>>>> The HMAC is keyed with the ITR-OTK contained in the received ECM >>>>>>> Authentication Data, and the HMAC algorithm is chosen according to >>>>>>> the Requested HMAC ID field. If The Map-Server does not support this >>>>>>> algorithm, the Map-Server uses a different algorithm and specifies it >>>>>>> in the EID HMAC ID field. The scope of the HMAC operation covers the >>>>>>> entire EID-AD, from the EID-AD Length field to the EID HMAC field, >>>>>>> which must be set to 0 before the computation. >>>>>>> >>>>>>> The Map-Server then forwards the updated ECM encapsulated Map- >>>>>>> Request, that contains the OTK-AD, the EID-AD, and the received Map- >>>>>>> Request to an authoritative ETR as specified in [RFC6830]. >>>>>>> >>>>>>> 5.7.1. Map-Server Processing in Proxy mode >>>>>>> >>>>>>> If the Map-Server is in proxy mode, it generates a Map-Reply, as >>>>>>> specified in [RFC6830], with the S-bit set to 1. The Map-Reply >>>>>>> includes the Authentication Data that contains the EID-AD, computed >>>>>>> as specified in Section 5.7, as well as the PKT-AD computed as >>>>>>> specified in Section 5.8. >>>>>>> >>>>>>> 5.8. ETR Processing >>>>>>> >>>>>>> Upon receiving an ECM encapsulated Map-Request with the S-bit set, >>>>>>> the ETR decapsulates the ECM message. The OTK field, if encrypted, >>>>>>> is decrypted as specified in Section 5.5 to obtain the unencrypted >>>>>>> MS-OTK. >>>>>>> >>>>>>> The ETR then generates a Map-Reply as specified in [RFC6830] and >>>>>>> includes the Authentication Data that contains the EID-AD, as >>>>>>> received in the encapsulated Map-Request, as well as the PKT-AD. >>>>>>> >>>>>>> The EID-AD is copied from the Authentication Data of the received >>>>>>> encapsulated Map-Request. >>>>>>> >>>>>>> The PKT-AD contains the HMAC of the whole Map-Reply packet, keyed >>>>>>> with the MS-OTK and computed using the HMAC algorithm specified in >>>>>>> the Requested HMAC ID field of the received encapsulated Map-Request. >>>>>>> If the ETR does not support the Requested HMAC ID, it uses a >>>>>>> different algorithm and updates the PKT HMAC ID field accordingly. >>>>>>> The scope of the HMAC operation covers the entire PKT-AD, from the >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 15] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> Map-Reply Type field to the PKT HMAC field, which must be set to 0 >>>>>>> before the computation. >>>>>>> >>>>>>> Finally the ETR sends the Map-Reply to the requesting ITR as >>>>>>> specified in [RFC6830]. >>>>>>> >>>>>>> 6. Security Considerations >>>>>>> >>>>>>> 6.1. Mapping System Security >>>>>>> >>>>>>> The LISP-SEC threat model described in Section 3, assumes that the >>>>>>> LISP Mapping System is working properly and eventually delivers Map- >>>>>>> Request messages to a Map-Server that is authoritative for the >>>>>>> requested EID. >>>>>>> >>>>>> As for a previous comment, can you elaborate if OTK >>>>>> confidentiality is required in the mapping system and what are >>>>>> the consequences? >>>>> ok. >>>>>>> Map-Register security, including the right for a LISP entity to >>>>>>> register an EID-prefix or to claim presence at an RLOC, is out of the >>>>>>> scope of LISP-SEC. >>>>>>> >>>>>>> 6.2. Random Number Generation >>>>>>> >>>>>>> The ITR-OTK MUST be generated by a properly seeded pseudo-random (or >>>>>>> strong random) source. See [RFC4086] for advice on generating >>>>>>> security-sensitive random data >>>>>>> >>>>>>> 6.3. Map-Server and ETR Colocation >>>>>>> >>>>>>> If the Map-Server and the ETR are colocated, LISP-SEC does not >>>>>>> provide protection from overclaiming attacks mounted by the ETR. >>>>>>> However, in this particular case, since the ETR is within the trust >>>>>>> boundaries of the Map-Server, ETR's overclaiming attacks are not >>>>>>> included in the threat model. >>>>>>> >>>>>>> 7. IANA Considerations >>>>>> This section is not conform to RFC 5226. >>>>>> There right way to go is to ask IANA to create three new >>>>>> registries, for HMAC, Key Wrap, and Key Derivation functions. >>>>>> Define what is the allocation process (in light of the size of >>>>>> the field FCFS should not cause any problem IMHO) >>>>>> Then ask to populate the registries as already described. >>>>> Ok, so each one of the sections 7.x will say: IANA is requested to >>>>> create a new <registry-name> registry for use … >>>> >>>> There is slightly more text to add. >>> >>> right. I have added more. I'm almost ready to send a new rev. >>> >>>> >>>> >>>>>>> 7.1. HMAC functions >>>>>>> >>>>>>> The following HMAC ID values are defined by this memo for use as >>>>>>> Requested HMAC ID, EID HMAC ID, and PKT HMAC ID in the LISP-SEC >>>>>>> Authentication Data: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 16] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> Name Number Defined In >>>>>>> ------------------------------------------------- >>>>>>> NONE 0 >>>>>>> AUTH-HMAC-SHA-1-96 1 [RFC2104] >>>>>>> AUTH-HMAC-SHA-256-128 2 [RFC4634] >>>>>>> >>>>>>> values 2-65535 are reserved to IANA. >>>>>>> >>>>>>> HMAC Functions >>>>>>> >>>>>>> AUTH-HMAC-SHA-1-96 MUST be supported, AUTH-HMAC-SHA-256-128 should be >>>>>>> supported. >>>>>>> >>>>>>> 7.2. Key Wrap Functions >>>>>>> >>>>>>> The following OTK Encryption ID values are defined by this memo for >>>>>>> use as OTK key wrap algorithms ID in the LISP-SEC Authentication >>>>>>> Data: >>>>>>> >>>>>>> Name Number Defined In >>>>>>> ------------------------------------------------- >>>>>>> NULL-KEY-WRAP-128 1 >>>>>>> AES-KEY-WRAP-128 2 [RFC3394] >>>>>>> >>>>>>> values 0 and 3-65535 are reserved to IANA. >>>>>>> >>>>>>> Key Wrap Functions >>>>>>> >>>>>>> NULL-KEY-WRAP-128, and AES-KEY-WRAP-128 MUST be supported. >>>>>>> >>>>>>> NULL-KEY-WRAP-128 is used to carry an unencrypted 128-bit OTK, with a >>>>>>> 64-bit preamble set to 0x0000000000000000 (64 bits). >>>>>>> >>>>>>> 7.3. Key Derivation Functions >>>>>>> >>>>>>> The following KDF ID values are defined by this memo for use as KDF >>>>>>> ID in the LISP-SEC Authentication Data: >>>>>>> >>>>>>> Name Number Defined In >>>>>>> ------------------------------------------------- >>>>>>> NONE 0 >>>>>>> HKDF-SHA1-128 1 [RFC5869] >>>>>>> >>>>>>> values 2-65535 are reserved to IANA. >>>>>>> >>>>>>> Key Derivation Functions >>>>>>> >>>>>>> HKDF-SHA1-128 MUST be supported >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 17] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> 8. Acknowledgements >>>>>>> >>>>>>> The authors would like to acknowledge Pere Monclus, Dave Meyer, Dino >>>>>>> Farinacci, Brian Weis, David McGrew, Darrel Lewis and Landon Curt >>>>>>> Noll for their valuable suggestions provided during the preparation >>>>>>> of this document. >>>>>>> >>>>>>> 9. Normative References >>>>>> Please Check your reference, this is the output if the nits tool: >>>>>> Checking references for intended status: Experimental >>>>>> ---------------------------------------------------------------------------- >>>>>> == Missing Reference: 'RFC3339' is mentioned on line 602, but >>>>>> not defined >>>>>> == Missing Reference: 'RFC4634' is mentioned on line 752, but >>>>>> not defined >>>>>> ** Obsolete undefined reference: RFC 4634 (Obsoleted by RFC 6234) >>>>> ok. >>>>>>> [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- >>>>>>> Hashing for Message Authentication", RFC 2104, >>>>>>> DOI 10.17487/RFC2104, February 1997, >>>>>>> <http://www.rfc-editor.org/info/rfc2104>. >>>>>>> >>>>>>> [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate >>>>>>> Requirement Levels", BCP 14, RFC 2119, >>>>>>> DOI 10.17487/RFC2119, March 1997, >>>>>>> <http://www.rfc-editor.org/info/rfc2119>. >>>>>>> >>>>>>> [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard >>>>>>> (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, >>>>>>> September 2002, <http://www.rfc-editor.org/info/rfc3394>. >>>>>>> >>>>>>> [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, >>>>>>> "Randomness Requirements for Security", BCP 106, RFC 4086, >>>>>>> DOI 10.17487/RFC4086, June 2005, >>>>>>> <http://www.rfc-editor.org/info/rfc4086>. >>>>>>> >>>>>>> [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an >>>>>>> IANA Considerations Section in RFCs", BCP 26, RFC 5226, >>>>>>> DOI 10.17487/RFC5226, May 2008, >>>>>>> <http://www.rfc-editor.org/info/rfc5226>. >>>>>>> >>>>>>> [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand >>>>>>> Key Derivation Function (HKDF)", RFC 5869, >>>>>>> DOI 10.17487/RFC5869, May 2010, >>>>>>> <http://www.rfc-editor.org/info/rfc5869>. >>>>>>> >>>>>>> [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The >>>>>>> Locator/ID Separation Protocol (LISP)", RFC 6830, >>>>>>> DOI 10.17487/RFC6830, January 2013, >>>>>>> <http://www.rfc-editor.org/info/rfc6830>. >>>>>>> >>>>>>> [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation >>>>>>> Protocol (LISP) Map-Server Interface", RFC 6833, >>>>>>> DOI 10.17487/RFC6833, January 2013, >>>>>>> <http://www.rfc-editor.org/info/rfc6833>. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 18] >>>>>>> >>>>>>> Internet-Draft LISP-SEC October 2016 >>>>>>> >>>>>>> >>>>>>> [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID >>>>>>> Separation Protocol (LISP) Threat Analysis", RFC 7835, >>>>>>> DOI 10.17487/RFC7835, April 2016, >>>>>>> <http://www.rfc-editor.org/info/rfc7835>. >>>>>>> >>>>>>> Authors' Addresses >>>>>>> >>>>>>> Fabio Maino >>>>>>> Cisco Systems >>>>>>> 170 Tasman Drive >>>>>>> San Jose, California 95134 >>>>>>> USA >>>>>>> >>>>>>> Email:fmaino@cisco.com <mailto:fmaino@cisco.com> >>>>>>> >>>>>>> >>>>>>> Vina Ermagan >>>>>>> Cisco Systems >>>>>>> 170 Tasman Drive >>>>>>> San Jose, California 95134 >>>>>>> USA >>>>>>> >>>>>>> Email:vermagan@cisco.com <mailto:vermagan@cisco.com> >>>>>>> >>>>>>> >>>>>>> Albert Cabellos >>>>>>> Technical University of Catalonia >>>>>>> c/ Jordi Girona s/n >>>>>>> Barcelona 08034 >>>>>>> Spain >>>>>>> >>>>>>> Email:acabello@ac.upc.edu <mailto:acabello@ac.upc.edu> >>>>>>> >>>>>>> >>>>>>> Damien Saucez >>>>>>> INRIA >>>>>>> 2004 route des Lucioles - BP 93 >>>>>>> Sophia Antipolis >>>>>>> France >>>>>>> >>>>>>> Email:damien.saucez@inria.fr <mailto:damien.saucez@inria.fr> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Maino, et al. Expires April 6, 2017 [Page 19] >>>>> >>>> >>> >> >> <Diff_ draft-ietf-lisp-sec-11.txt - >> draft-ietf-lisp-sec-12a.txt.html><draft-ietf-lisp-sec-12a.txt> >
- [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Joel M. Halpern
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Dino Farinacci
- Re: [lisp] LISP-SEC review (finally) Fabio Maino (fmaino)
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone