Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)
RFC 5387

 
Document Type RFC - Informational (November 2008; Errata)
Last updated 2013-03-02
Stream IETF
IESG state RFC 5387 (Informational)
Responsible AD Tim Polk
Network Working Group                                           J. Touch
Request for Comments: 5387                                       USC/ISI
Category: Informational                                         D. Black
                                                                     EMC
                                                                 Y. Wang
                                                               Microsoft
                                                           November 2008

                 Problem and Applicability Statement
                for Better-Than-Nothing Security (BTNS)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (c) 2008 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   The Internet network security protocol suite, IPsec, requires
   authentication, usually of network-layer entities, to enable access
   control and provide security services.  This authentication can be
   based on mechanisms such as pre-shared symmetric keys, certificates
   with associated asymmetric keys, or the use of Kerberos (via
   Kerberized Internet Negotiation of Keys (KINK)).  The need to deploy
   authentication information and its associated identities can be a
   significant obstacle to the use of IPsec.

   This document explains the rationale for extending the Internet
   network security protocol suite to enable use of IPsec security
   services without authentication.  These extensions are intended to
   protect communication, providing "better-than-nothing security"
   (BTNS).  The extensions may be used on their own (this use is called
   Stand-Alone BTNS, or SAB) or may be used to provide network-layer
   security that can be authenticated by higher layers in the protocol

Touch, et al.                Informational                      [Page 1]
RFC 5387             BTNS Problem and Applicability        November 2008

   stack (this use is called Channel-Bound BTNS, or CBB).  The document
   also explains the situations in which use of the SAB and/or CBB
   extensions is applicable.
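   The distinction the abstract draws between SAB and CBB is easiest to
   see in code.  The following is an added illustration, not code from
   RFC 5387 or from any IPsec implementation: an unauthenticated IPsec
   SA protects traffic against third parties, but a man-in-the-middle
   who terminates two separate SAs is not a third party to either one.
   CBB closes that gap by having a higher-layer authentication cover a
   channel binding derived from the SA's endpoint identities, so the
   two halves of a split channel can be told apart.  The bare public
   keys are stand-in random byte strings (constructed), the SPIs are
   made up, and the binding and authenticator layouts are this example's
   own, not the wire formats of IKE or of the BTNS channel-binding
   specification.

```python
"""Channel-Bound BTNS (CBB), illustrated.

Added example, not code from RFC 5387.  Public keys are stand-in byte
strings; the channel-binding and authenticator encodings are this
example's own and do not reproduce any IETF wire format.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class BtnsSA:
    """What one endpoint knows about its unauthenticated SA pair: the bare
    public keys the IKE exchange was keyed with, plus the SPIs chosen."""
    local_pk: bytes
    peer_pk: bytes
    spi_in: int
    spi_out: int

    def channel_binding(self) -> bytes:
        # Order keys and SPIs canonically so both ends of the *same* SA
        # derive the same value regardless of who initiated.
        keys = sorted([self.local_pk, self.peer_pk])
        spis = sorted([self.spi_in, self.spi_out])
        h = hashlib.sha256()
        h.update(b"btns-cb-example-v0")          # domain-separation label (ours)
        for k in keys:
            h.update(len(k).to_bytes(2, "big") + k)
        for s in spis:
            h.update(s.to_bytes(4, "big"))
        return h.digest()


def higher_layer_auth(app_secret: bytes, binding: bytes, transcript: bytes) -> bytes:
    """Authenticator a higher-layer protocol sends: an HMAC under a credential
    it already shares with the genuine peer, covering the channel binding of
    the SA it is running over (empty binding = unbound, SAB-style)."""
    return hmac.new(app_secret, binding + transcript, hashlib.sha256).digest()


def verify_higher_layer_auth(app_secret: bytes, binding: bytes,
                             transcript: bytes, tag: bytes) -> bool:
    """Recompute the tag over *this* side's own SA.  If the peer authenticated
    a different channel (one terminated at a MITM), the bindings differ and
    the check fails even though the tag itself was relayed unmodified."""
    return hmac.compare_digest(higher_layer_auth(app_secret, binding, transcript), tag)


def new_pk() -> bytes:
    # Stand-in for a bare public key (constructed).  A real BTNS peer sends an
    # actual RSA/ECDSA key in IKE with no certificate or PSK behind it.
    return secrets.token_bytes(32)


def _binding(sa: BtnsSA, bind: bool) -> bytes:
    return sa.channel_binding() if bind else b""


def direct_session(app_secret: bytes, transcript: bytes, bind: bool = True) -> bool:
    """Client and server share one SA pair: the authenticator is accepted."""
    c_pk, s_pk = new_pk(), new_pk()
    client_sa = BtnsSA(c_pk, s_pk, spi_in=0x1111, spi_out=0x2222)
    server_sa = BtnsSA(s_pk, c_pk, spi_in=0x2222, spi_out=0x1111)
    tag = higher_layer_auth(app_secret, _binding(client_sa, bind), transcript)
    return verify_higher_layer_auth(app_secret, _binding(server_sa, bind), transcript, tag)


def mitm_session(app_secret: bytes, transcript: bytes, bind: bool = True) -> bool:
    """A MITM terminates two separate unauthenticated SAs and relays the
    higher-layer authenticator verbatim.  Returns True if the relay is
    accepted: with bind=False (no channel binding) it is, with bind=True
    the mismatched bindings expose the split channel."""
    c_pk, m_pk, s_pk = new_pk(), new_pk(), new_pk()
    client_sa = BtnsSA(c_pk, m_pk, spi_in=0x1111, spi_out=0x3333)   # client <-> MITM
    server_sa = BtnsSA(s_pk, m_pk, spi_in=0x2222, spi_out=0x4444)   # MITM <-> server
    tag = higher_layer_auth(app_secret, _binding(client_sa, bind), transcript)
    return verify_higher_layer_auth(app_secret, _binding(server_sa, bind), transcript, tag)


if __name__ == "__main__":
    secret = b"shared-higher-layer-credential"   # constructed
    print("direct, bound  :", direct_session(secret, b"hello"))
    print("mitm, unbound  :", mitm_session(secret, b"hello", bind=False))
    print("mitm, bound    :", mitm_session(secret, b"hello"))
```

   The point to take from the two `mitm_session` calls is that the
   higher-layer credential alone does not help: an authenticator that
   ignores the channel is accepted after relay, because it says nothing
   about which SA the data travelled over.  Only when the authenticator
   covers the channel binding does the server's recomputation, done over
   its own SA, disagree with the client's.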

Table of Contents

   1. Introduction ....................................................3
      1.1. Authentication .............................................3
      1.2. IPsec Channels and Channel Binding .........................4
      1.3. BTNS Methods ...............................................6
      1.4. BTNS Scope .................................................6
      1.5. Structure of This Document .................................7
   2. Problem Statement ...............................................7
      2.1. Network Layer ..............................................8
           2.1.1. Authentication Identities ...........................8
           2.1.2. Authentication Methods ..............................8
           2.1.3. Current IPsec Limits on Unauthenticated Peers .......9
      2.2. Higher Layer Issues ........................................9
           2.2.1. Transport Protection from Packet Spoofing ...........9
           2.2.2. Authentication at Multiple Layers ..................10
   3. BTNS Overview and Threat Models ................................12
      3.1. BTNS Overview .............................................12
      3.2. BTNS and IPsec Security Services ..........................13
      3.3. BTNS and IPsec Modes ......................................14
   4. Applicability Statement ........................................15
      4.1. Benefits ..................................................16
      4.2. Vulnerabilities ...........................................16
      4.3. Stand-Alone BTNS (SAB) ....................................17
           4.3.1. Symmetric SAB ......................................17
           4.3.2. Asymmetric SAB .....................................18
      4.4. Channel-Bound BTNS (CBB) ..................................18
      4.5. Summary of Uses, Vulnerabilities, and Benefits ............19
   5. Security Considerations ........................................20
      5.1. Threat Models and Evaluation ..............................20
      5.2. Interaction with Other Security Services ..................20
      5.3. MITM and Masquerader Attacks ..............................21
      5.4. Denial of Service (DoS) Attacks and Resource