[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
IPSEC Working Group                                      Bill Sommerfeld
INTERNET-DRAFT                                           Hewlett Packard
draft-ietf-ipsec-inline-isakmp-01.txt                         March 1997




     Inline Keying within the ISAKMP Framework.
      <draft-ietf-ipsec-inline-isakmp-01.txt>




STATUS OF THIS MEMO

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this document is unlimited.

   This particular Internet Draft is being published in order to focus
   discussion on protocols for lightweight inline keying in the context
   of ISAKMP/Oakley.  It is intended that this version will raise more
   questions than it answers; there many ways to do inline keying and
   the author does not pretend to have all the answers.  A future
   version of this draft might become suitable for submission to the
   IESG as a standards track protocol.

ABSTRACT

   The current proposal for IP-layer key management [ISAKMP, OAKLEY,
   ISAOAK] has fairly high overhead.  Before a security association can
   be established, at least one pair of messages need to be exchanged
   between the communicating peers.  For efficiency, this suggests that
   ISAKMP setup should be infrequent.  However, general principles of



Sommerfeld               Expires 1 October 1997                 [Page 1]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   key management suggest that individual keys should be used as little
   as practical and changed as frequently as possible.  Steve Bellovin
   has suggested that, ideally, different security associations should
   be used for each different transport-level connection[BADESP].

   This document discusses a way of structuring a protocol to permit
   this to happen with minimal overhead, both in round-trip delay at
   connection setup, and in bandwidth once the connection is
   established.

   The general concept of inline or in-band keying here was inspired by
   SKIP[SKIP].  However, SKIP's approach is burdened by the addition of
   an extra intermediate header of perhaps 20 to 28 bytes to every
   protected packet, which doubles the bandwidth overhead of protected
   traffic compared with ESP with fixed keying.  In order to minimise
   the per-packet overhead, an inline keying header should be used only
   until the desired security association is established, at which point
   the peers will fall back to pure ESP/AH.

IN-BAND SECURITY ASSOCIATION SETUP

   AH and ESP security associations are identified by a 32-bit
   identifier known as an SPI, which is assigned by the receiving end of
   the association.  This makes it difficult to create a new security
   association at the request of a traffic originator without at least
   one round trip.

   However, most packets are sent either in response to another packet,
   or in the expectation that a response will be received.

   We can exploit this, by having the sender allocate an SPI for return
   traffic, and include a message informing the recipient of it in the
   first message.  The reponse to this message can also contain a return
   SPI, so further packets in the conversation can be directed to the
   appropriate security association for the conversation.

   There are at least two applications for this protocol.  Hosts may
   wish to use separate SPIs for separate transport-layer connections.
   Similarly, routers doing tunnel-mode ESP may wish to establish
   separate SPIs for each active host-pair they tunnel.

   In the former case, for a typical TCP exchange, the in-band keying
   headers would piggyback on the SYN and SYN/ACK packets, and would
   then be absent from subsequent traffic.

   No explicit acknowledgement of the creation of the new SPI is needed,
   as use of the reply-SPI by the peer would (implicitly) acknowledge
   the key change.



Sommerfeld               Expires 1 October 1997                 [Page 2]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   No explicit retransmission of in-band-keying requests is needed; if
   the upper-level protocol retransmits before the full SPI pair is
   created, the inline keying header is included in the retransmission.

PACKET PROCESSING

   Some additional logic needs to be added to an implementation's
   outbound and inbound policy engines.  As this protocol has not yet
   been implemented, the following is necessarily vague; suggestions on
   how to improve it are welcomed.

   When sending a packet, if there isn't a valid outbound SPI we want to
   use to reach the peer, and we have reason to believe the peer accepts
   inline keying headers, we look up the inbound SPI we want our peer to
   use (or create it if it's nonexistant) and insert an in-band keying
   header in the outbound packet.

   On the other hand, if there is a valid outbound SPI, we use it.  If
   there isn't a valid inbound SPI for a response, we create the inbound
   SPI we want to receive replies on and insert an in-band-keying header
   in the outbound packet, then send it using the outbound SPI.

   If an inbound packet contains a valid in-band-keying header with a
   reply SPI in it, we create an outbound SPI with the appropriate TTL,
   and then process the rest of the packet.

PARENT SPI PARAMETERS

   The parent SPI must have the following parameters specified or
   negotiated:
    - a shared secret
    - the pseudo-random function (prf) to be used for key derivation.
    - the algorithm to be used for encryption, and any algorithm-specific
   parameters (other than the key).
    - the algorithm to be used for message integrity protection, and any
   algorithm-specific parameters (other than the key).

ESTABLISHING THE PARENT SPI.

   This scheme can only "spawn" new SPIs from old SPIs; therefore, there
   needs to be a way to establish the "parent" SPI.

   There are several possible alternatives:

   One of the ISAKMP exchanges could be used to establish the parent
   SPI.

   Another alternative, very similar to SKIP, would be for each system



Sommerfeld               Expires 1 October 1997                 [Page 3]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   to publish a certificate containing a Diffie-Hellman public key, a
   "well known" SPI, and the additional parent-SPI parameters listed
   above.  The shared secret actually used in the inline-keying protocol
   would depend on the source address of the packet.  It is not clear
   whether this variation is of interest and is included only for
   completeness.

ENCODING OPTIONS

   There are a number of potential ways of encoding this protocol, with
   different advantages and disadvantages; at this point, it is not
   clear which way is best.  The primary areas of variability include:

    - how the SPI-creation message is framed

    - what is contained in the SPI-creation message

    - how the user payload "along for the ride" is protected.

   In order to minimize complexity, in the end, there should only be one
   answer for each of these questions.  Several requirements on the
   encoding exist:

    1) the SPI-creation message must be optional
    2) there should be some "cryptographic distance" between the three
   kinds of keys involved:
    - the key(s) used to authenticate and/or encrypt the user
payload which is along for the ride
    - the key(s) used to authenticate the SPI-creation message
    - the key(s) used by the newly-created reply SPI.
    3) there should be as much commonality in encoding between this
   protocol and the various sub-protocols of ESP and ISAKMP with similar
   functionality.

    4) the inline keying header should be small.

 FRAMING

   Three alternatives suggest themselves:

    - special-case encoding within an ESP transform, perhaps using a bit
   out of the pad length by mutual agreement between the communicating
   peers.

    - a new IP-layer protocol

    - use of the "IPv6 destination options" IP-layer protocol.




Sommerfeld               Expires 1 October 1997                 [Page 4]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   Using a new IP-layer protocol seems cleanest, though there has been
   strong opposition to it from some implementors.  The use of the IPv6
   destination options protocol would limits the size of a single option
   to no more than 255 octets, which may be a significant constraint.

 REPLY-SPI-CREATION CONTENTS

   There are essentially two possibilities for the reply-SPI-creation
   message: either an encapsulated quick mode message, or a custom
   message simpler than, but similar to quick mode.

  Encapsulating ISAKMP/Oakley

   A simpler, but less efficient, alternative would be to encapsulate
   various ISAKMP/Oakley quick-mode messages as the reply-SPI-creation
   message.

  Custom Format

   Notation here is derived from the notation used in the Oakley draft.

   We assume the existance of a shared secret, sSPI between the
   communicating parties, and a parent SPI corresponding to the shared
   secret.  This can be established in a number of ways, which will be
   discussed later.

   Fields:

        reply-SPI
        reply-SPI-scope
        reply-SPI-lifetime
        reply-SPI-nonce
        reply-SPI-parameters
        peer-SPI-nonce

   spi-creation-fields is a set of fields which tell the receiver how to
   create an outbound SPI for reponses to the payload of this datagram.
   This set includes:

   Reply-SPI is the number of an SPI created by the sender for responses
   to this packet.

   Reply-SPI-scope indicates the scope of the reply SPI; exact encoding
   is TBS and should probably be similar to the way the scope is handled
   in [DOI].  The scope should be able to select among (at least) four
   possible scopes: host-range, host, protocol, protocol+port.

   Reply-SPI-lifetime is the lifetime (exact encoding TBS), of the



Sommerfeld               Expires 1 October 1997                 [Page 5]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   newly-created SPI.  A similar encoding to the one used by [DOI]
   should be used here.

   reply-SPI-parameters are other parameters of the newly created SPI,
   including the algorithm, and any algorithm-specific parameters.  An
   encoding similar to the one used by [DOI] should be used.

   Peer-spi-nonce is either all zeros, or the peer's reply-SPI-nonce.

   The key(s) associated with the newly-created SPI are derived from:

        prf (sSPI, reply-TAG | peer-spi-nonce | reply-spi-nonce |
   reply-SPI)

   reply-TAG is a well-known constant, TBD.

   sSPI is the shared secret associated with the parent SPI.

   prf(a, b) is a pseudo-random function as in Oakley; the exact
   function to use is a parameter of the parent SPI.

   It may be desirable to include other fields from the header in both
   of the key-derivation hashes.

 KEYING OF THE USER PAYLOAD

   If the "parent" algorithm is judged to be sufficently strong, the
   initial user payload could simply be encrypted using the ESP in the
   parent SPI.  However, the use of inline keying seems to suggest a
   desire to segregate different communications under different keys.

   A extension to ESP suggests itself.  We can negotiate the addition of
   a "key generation nonce" to the cleartext part of the ESP header, and
   then generate the key for encrypting the ciphertext portion of the
   packet using a keyed hash of the shared secret and the nonce:

        prf (sSPI, current-packet-nonce | SPI | other)

   sSPI is the SPI's shared secret;

   current-packet-nonce is a 128-bit random value generated by the
   sender (ideally different for each packet).

   "SPI" is the numeric SPI value.

   "other" are any additional fields which might make sense to include
   in the key-generation hash.




Sommerfeld               Expires 1 October 1997                 [Page 6]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


MISCELLANEOUS ISSUES

   There are a number of miscellaneous problems which arise as a result
   of constructing a protocol of this form.  None of them seem to be
   particularly insurmountable.  These considerations are based on the
   author's experience with vaguely similar security protocols.

 Interaction With MTU Discovery

   Because insertion of the inline keying header will change the size of
   the packet, there are likely to be interactions between this protocol
   and MTU discovery when the first packet triggering the creation of a
   new SA pair is near maximum size.

   Several potential solutions come to mind:

   1) With some cooperation between layers, it may be possible to reduce
   the amount of data in the outbound packet (this may be possible for
   TCP; it's almost certainly not possible for other protocols).

   2) MTU discovery could be deferred, by sending the packet with DF
   cleared.

   Neither of these seem really satisfactory; suggestions on how to
   handle this case are welcomed.

 SPI expiration and clock skew.

   This section perhaps belongs as an appendix to the a future version
   of the Internet DOI specification [DOI].

   Inline SPI's expire after a defined time.  Since relative timestamps
   are used in the protocol, clocks synchronized in phase are not
   assumed; however, some minimal accuracy in frequency is assumed.

   It is assumed here that SPI timestamps are maintained in absolute
   form internally and converted to and from relative form only for use
   over the network.

   The explicit expiration time of the SPI indicates the time after
   which the sender should no longer send to that SPI.  The recipient
   should still honor inbound packets to that SPI for an additional
   grace period of:
        K1 * MSL + K2 * nominal-lifetime
   where "MSL" is the maximum lifetime of a packet in the network as in
   TCP, "K1" is a fudge factor allowing some margin around MSL, and "K2"
   is a fudge factor allowing for a difference in clock frequency
   between systems.



Sommerfeld               Expires 1 October 1997                 [Page 7]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   Proposed default values:
        MSL: 120  (same as TCP)
        K1: 2          (same as TCP)
        K2: 1/32  (allow for ~3% frequency difference)
   It may be useful for debugging purposes to allow these parameters to
   be adjusted.

   With the above constants, a nominal 10-minute SPI would be valid for
   about 14 minutes; and a nominal 2-hour SPI would be valid for
   approximately 2 hours and 8 minutes.

EXAMPLE

   The following is a simplified example of the messages involved in
   setting up a new SPI pair using inline keying.  A lot of detail has
   been omitted to clarify the presentation.

   Assume per-connection inline keying is in use between two hosts A and
   B, with a security association X existing from A to B.

   A wishes to establish a TCP connection to B.  Because per-connection
   keying is in use, A would first create a new inbound SPI "Y", and
   send:

        ESP [A-to-B, inline[N1, seq 0, Y], TCP [port 4352 to 21, SYN]]

   Upon receipt, B creates a new outbound SPI "Y", and a new inbound SPI
   "Z", and hands off the TCP packet to its TCP.  It then responds with:

        ESP [Y, inline[N2, seq 0, Z], TCP [port 21 to 4352, SYN+ACK]]

   Upon receipt, A creates a new outbound SPI "Z".

   Receipt of a packet on spi Y acknowleges receipt of the inline-keying
   message, so subsequent messages for this connection do not contain an
   inline keying header, so A responds with:

        ESP [Z, TCP [port 4352 to 21, ACK, data1]]

   Similarly, B responds with:

        ESP [Y, TCP [port 21 to 4352, ACK, data2]]

   and the conversation would continue like this until the TCP
   connection closed.

SECURITY CONSIDERATIONS




Sommerfeld               Expires 1 October 1997                 [Page 8]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   This entire document concerns key management for the IP security
   protocols.

   This protocol does not provide for Perfect Forward Secrecy by itself,
   but if used in conjunction with ISAKMP, may provide a reasonable
   engineering tradeoff between security and performance.

   As with Oakley's Quick Mode, this protocol can consume the entropy of
   the shared secret[ISAOAK]. Implementors should take note of this fact
   and be able to limit the number of inline-keying messages allowed per
   shared secret.  This draft does not proscribe such a limit.

REFERENCES

   [BADESP]  Bellovin, S., "Problem Areas for the IP Security
   Protocols", Proceedings of the Sixth Usenix UNIX security
   symposium, July 1996 (available from
   ftp://ftp.research.att.com/dist/smb/badesp.ps)

   [AH]      Atkinson, R., "IP Encapsulating Security Payload (ESP)",
   RFC1826, August 1995.

   [DOI]     Piper, D., "The Internet IP Security Domain Of
   Interpretation for ISAKMP", version 1, draft-ietf-ipsec-
   ipsec-doi-00.txt.

   [ESP]     Atkinson, R., "IP Encapsulating Security Payload (ESP)",
   RFC1827, August 1995.

   [IPSEC]   Randall Atkinson, "Security Architecture for the Internet
   Protocol", Internet Draft draft-ietf-ipsec-arch-sec-01.txt,
   10 November 1996

   [ISAKMP]  Maughhan, D., Schertler, M., Schneider, M., and Turner, J.,
   "Internet Security Association and Key Management Protocol
   (ISAKMP)", version 6, draft-ietf-ipsec-isakmp-06.{ps,txt}.

   [ISAOAK]  Harkins, D., Carrel, D., "The resolution of ISAKMP with
   Oakley", draft-ietf-ipsec-isakmp-oakley-02.txt.

   [OAKLEY]  Orman, H., "The Oakley Key Determination Protocol", version
   1, draft-ietf-ipsec-oakley-01.txt.

   [SKIP]    Aziz, A., Markson, T., Prafullchandra, H., "Simple Key-
   Management For Internet Protocols", draft-ietf-ipsec-
   skip-07.txt.

AUTHOR'S ADDRESS:



Sommerfeld               Expires 1 October 1997                 [Page 9]


Internet Draft    draft-ietf-ipsec-inline-isakmp-01.txt      March 1997


   Bill Sommerfeld <sommerfeld@apollo.hp.com>
   Hewlett Packard
   300 Apollo Drive
   Chelmsford MA 01824

   Telephone: +1 508 436 4352













































Sommerfeld               Expires 1 October 1997                [Page 10]