IKEv2-Derived Shared Secret Key for the One-Way Active Measurement Protocol (OWAMP) and Two-Way Active Measurement Protocol (TWAMP)
draft-ietf-ippm-ipsec-11
Technical Summary
The One-way Active Measurement Protocol (OWAMP) and Two-Way Active
Measurement Protocol (TWAMP) security mechanism require that both the
client and server endpoints possess a shared secret. Since the
currently-standardized O/TWAMP security mechanism only supports a
pre-shared key mode, large scale deployment of O/TWAMP is hindered
significantly. At the same time, recent trends point to wider
Internet Key Exchange Protocol Version 2 (IKEv2) deployment which, in
turn, calls for mechanisms and methods that enable tunnel end-users,
as well as operators, to measure one-way and two-way network
performance in a standardized manner. This document describes the
use of keys derived from an IKEv2 security association (SA) as the
shared key in O/TWAMP. If the shared key can be derived from the
IKEv2 SA, O/TWAMP can support certificate-based key exchange, which
would allow for more operational flexibility and efficiency. The key
derivation presented in this document can also facilitate automatic
key management.
Working Group Summary
The document was discussed extensively within the IPPM WG,
and has gone through two WGLCs. There was no significant
controversy during the discussion of the document -- the main
points of discussion had to do with the details of how to implement
the binding between O/TWAMP and IPsec and whether the packet
format used needed to be backward-compatible with non-IPsec
O/TWAMP. The document has consensus to go forward.
Document Quality
As the document "glues" O/TWAMP to IPsec, it required review
from both communities. The document has had less comment
from the IPsec WG than from the IPPM WG, but comments from
IPsec were addressed.
Personnel
Brian Trammell is the document shepherd.
Spencer Dawkins is the responsible AD.