INTERNET DRAFT T. Polk
Intended Status: Informational NIST
R. Housley
Vigil Security
Expires: 19 April 2010 19 October 2009
Routing Authentication Using A Database of Long-Lived Cryptographic Keys
draft-polk-saag-rtg-auth-keytable-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This document describes the application of a database of long-lived
cryptographic keys to establish session-specific cryptographic keys
to support authentication services in routing protocols. Keys may be
established between two peers for pair-wise communications, or
between groups of peers for multicast traffic.
Polk & Housley Expires 19 April 2010 [Page 1]
INTERNET DRAFT 19 October 2009
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Architecture and Design . . . . . . . . . . . . . . . . . . . . . 2
3 Pair-wise Application . . . . . . . . . . . . . . . . . . . . . . 3
4 Identifier Mapping . . . . . . . . . . . . . . . . . . . . . . . 5
4.1 Selected Range Reservation . . . . . . . . . . . . . . . . . 5
4.2 Protocol Specific Mapping Tables . . . . . . . . . . . . . . 6
5 Worked Example: TCP-AO . . . . . . . . . . . . . . . . . . . . . 6
6 Security Considerations . . . . . . . . . . . . . . . . . . . . 7
6 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1 Normative References . . . . . . . . . . . . . . . . . . . 7
7.2 Informative References . . . . . . . . . . . . . . . . . . 7
Author's Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 8
1 Introduction
This document describes the application of a database of long-lived
cryptographic keys, as defined in [KEYTAB], to establish session-
specific cryptographic keys to provide authentication services in
routing protocols. Keys may be established between two peers for
pair-wise communications, or between groups of peers for multicast
traffic.
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2 Architecture and Design
Polk & Housley Expires 19 April 2010 [Page 2]
INTERNET DRAFT 19 October 2009
Figure 1 illustrates the establishment and use of cryptographic keys
for authentication in routing protocols. Long-lived cryptographic
keys are inserted in a database manually. In the future, we
anticipate an automated key management protocol to insert these keys
in the database. In this future environment, we do not anticipate an
environment where the automated key management protocol will be used
to create short-lived cryptographic session keys. The structure of
the database of long-lived cryptographic keys is described in
[KEYTAB].
The cryptographic keying material for individual sessions is derived
from the keying material stored in the database of long-lived
cryptographic keys. A key derivation function (KDF) and its inputs
are named in the database of long-lived cryptographic keys; session
specific values based on the routing protocol are input the the KDF.
Protocol specific key identifiers may be assigned to the
cryptographic keying material for individual sessions if needed.
+--------------+ +----------------+
| | | |
| Manual Key | | Automated Key |
| Installation | | Mgmt. Protocol |
| | | |
+------+-------+ +--+----------+--+
| | |
| | |
V V |<== Not expected for security
+------------------------+ | of routing protocols, but
| | | often used in other
| Long-lived Crypto Keys | | protocol environments
| | | like IPsec and TLS.
+------------+-----------+ |
| |
| |
V V
+---------------------------------+
| |
| Short-lived Crypto Session Keys |
| |
+---------------------------------+
Figure 1. Cryptographic key establishment and use.
3 Pair-wise Application
Figure 2 illustrates how the long-lived cryptographic keys are
accessed and employed when an entity wishes to establish a protected
session with a peer. As one step in the initiation process, the
Polk & Housley Expires 19 April 2010 [Page 3]
INTERNET DRAFT 19 October 2009
intitator requests the set of long term keys associated with the peer
for the particular protocol. If the set contains more than one key,
the initiator selects one long-term key based on the local policy.
The long-term key is provided as an input, along with session-
specific information (e.g., ports or initial counters), to a key
derivation function. The result is session-specific key material
which is used to generate cryptographic authentication.
Where the initiator is establishing a multicast session, the Peer in
the key request identifies the set of systems that will receive this
information.
+-------------------------+
| |
| Long-Lived |
| Crypto Keys |
| |
+-+---------------------+-+
^ |
| |
| V
+-------+-------+ +-------+-------+
| | | |
| Lookup Keys | | Select Key |
| By Peer | | By Policy |
| and Protocol | | |
| | +-------+-------+
+-------+-------+ |
^ |
| V
| +-------+-------+
| | |
| | Session Key |
| | Derivation |
| | |
| +-------+-------+
| |
| |
+-------+-------+ V
| | +-------+-------+
| Initiate | | |
| Session | |Authentication |
| with Peer | | Mechanism |
| | | |
+---------------+ +---------------+
Figure 3 illustrates how an entity that receives a session generates
Polk & Housley Expires 19 April 2010 [Page 4]
INTERNET DRAFT 19 October 2009
the necessary long-lived cryptographic keys to verify data when a
protected session is requested. As step one in the initiation
process, the receiver extracts the keyID for the long-term keyID from
the received data. The receiver then requests the specified long-
term key from the table. The long-term key is provided as an input,
along with session-specific information (e.g., ports or initial
counters), to a key derivation function. The result is session-
specific key material which is used to verify the cryptographic
authentication information.
+-------------------------+
| |
| Long-Lived |
| Crypto Keys |
| |
+-+---------------------+-+
^ |
| |
| V
+-------+-------+ +-------+-------+
| | | |
| Lookup Key | | Session Key |
| By KeyID | | Derivation |
| | | |
+-------+-------+ +-------+-------+
^ |
| |
| V
+-------+-------+ +-------+-------+
| | | |
| Receive Data | |Authentication |
| From Peer | | Mechanism |
| | | |
+---------------+ +---------------+
4 Identifier Mapping
[KEYTAB] specifies a 16-bit identifier, but protocols already exist
with key identifiers of various sizes. Where the identifiers are of
different sizes, an extra mapping step may be required. Note that
mapping mechanisms are local - that is, different mapping mechanisms
could be employed on different peers.
4.1 Selected Range Reservation
Where a protocol sues an index of less than 16 bits, a selected range
Polk & Housley Expires 19 April 2010 [Page 5]
INTERNET DRAFT 19 October 2009
of the local index space can be reserved for a particular protocol.
For example, consider two protocols P1 and P2 that each use 8 bit key
identifiers. Sharing the space {0x0000 through 0x00ff} would limit
the pair pair of protocols to 256 keys in total. By reserving the
ranges {0xff00 through 0xffff} and {0xfe00 through 0xfeff} for P1 and
P2 respectively permits each protocol to use the full 256 key
identifiers and establishes an unambiguous mapping for the protocol
key identifiers and local table identifiers.
When an initiator selects a key from the set in the table, the given
key identifier needs to be masked or shifted to the on-the-wire
range. Before requesting a specific key, the receiver would use a
shim layer would need to map the on-the-wire identifier into the
reserved range.
4.2 Protocol Specific Mapping Tables
Each protocol can also maintain a simple mapping table with two
fields: the l6 bit index and the protocol specific value
KEYTAB index (16 bits) | Protocol specific index (8 bits)
In this case, the host system would maintain separate mapping tables
for protocols P1 and P2.
5 Worked Example: TCP-AO
This section describes the way a TCP-AO implementation could use the
database. [tcpao] TCP-AO protocol is an example where the key
identifier is limited to 8 bits, so an identifier mapping is needed.
We will assume two peers Xp and Yp. Xp employs the range reservation
method for mapping and has reserved the range {0xff00 ... 0xffff}
mapping to {0x00 ... 0xff}. Yp employs a protocol specific mapping
table.
<<Completed Example TBD>>
Polk & Housley Expires 19 April 2010 [Page 6]
INTERNET DRAFT 19 October 2009
6 Security Considerations
<Security considerations text>
6 IANA Considerations
This document requires no actions by IANA.
7 References
7.1 Normative References
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[KEYTAB] R. Housley and Polk, T. "Database of Long-Lived
Cryptographic Keys", draft-housley-saag-crypto-key-table-
00.txt, September 2009.
7.2 Informative References
[tcpao] J. Touch, Mankin A., and Bonica R. "The TCP Authentication
Option", draft-ietf-tcpm-tcp-auth-opt-05.txt, July 2009.
Author's Addresses
Tim Polk
National Institute of Standards and Technology
100 Bureau Drive, Mail Stop 8930
Gaithersburg, MD 20899-8930
USA
EMail: tim.polk@nist.gov
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com
Polk & Housley Expires 19 April 2010 [Page 7]
INTERNET DRAFT 19 October 2009
Full Copyright Statement
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
All IETF Documents and the information contained therein are provided
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Polk & Housley Expires 19 April 2010 [Page 8]