randy/draft-l3dl-signing
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

-02 published

Browse source
This commit is contained in:
Randy Bush 2021-02-12 14:53:00 -08:00
parent 06ae3da805
commit a460058fab
1 changed files with 92 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

167
draft-ietf-lsvr-l3dl-signing.xml
View file

@ -31,7 +31,6 @@
</address> </address>
</author> </author>
<!--
<author fullname="Russ Housley" initials="R" surname="Housley"> <author fullname="Russ Housley" initials="R" surname="Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization> <organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address> <address>
@ -45,7 +44,6 @@
<email>housley@vigilsec.com</email> <email>housley@vigilsec.com</email>
</address> </address>
</author> </author>
-->
<author initials="R." surname="Austein" fullname="Rob Austein"> <author initials="R." surname="Austein" fullname="Rob Austein">
<organization abbrev="Arrcus">Arrcus, Inc.</organization> <organization abbrev="Arrcus">Arrcus, Inc.</organization>
@ -59,11 +57,11 @@
<abstract> <abstract>
<t>The Layer-3 Discovery and Liveness protocol OPEN PDU may contain <t>The Layer-3 Discovery and Liveness protocol OPEN PDU may contain
a key and a certificate, which can be used to verify signatures on a public key and a certificate, which can be used to verify signatures
subsequent PDUs. This document describes two mechanisms based on on subsequent PDUs. This document describes two mechanisms based on
digital signatures, one that is Trust On First Use (TOFU), and one digital signatures, one that is Trust On First Use (TOFU), and one
that uses certificates to provide authentication as well as session that uses a trust anchor signture over the public key to provide
integrity.</t> authentication as well as session integrity.</t>
</abstract> </abstract>
@ -72,7 +70,7 @@
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when,
and only when, they appear in all capitals, as shown here.</t> and only when, they appear in all capitals, as shown here.</t>
</note> </note>
@ -83,14 +81,9 @@
<section anchor="intro" title="Introduction"> <section anchor="intro" title="Introduction">
<t>This draft is being published without incorporating changes from
an excellent security review. This is being done so a couple of
other drafts can reference it. While all comments will, of course,
be appreciated, readers may want to wait for the -01 version.</t>
<t>The Layer-3 Discovery and Liveness protocol <xref <t>The Layer-3 Discovery and Liveness protocol <xref
target="I-D.ietf-lsvr-l3dl"/> OPEN PDU contains an algorithm target="I-D.ietf-lsvr-l3dl"/> OPEN PDU contains an algorithm
identifier, a key, and a certificate, which can be used to verify identifier, a key, and a L3DL certificate, which can be used to verify
signatures on subsequent PDUs. This document describes two methods signatures on subsequent PDUs. This document describes two methods
of key generation and signing for use by L3DL, Trust On First Use of key generation and signing for use by L3DL, Trust On First Use
(TOFU) and a PKI-based mechanism to provide authentication as well (TOFU) and a PKI-based mechanism to provide authentication as well
@ -98,17 +91,16 @@
<t>The Key in the OPEN PDU SHOULD be the public key of an asymmetric <t>The Key in the OPEN PDU SHOULD be the public key of an asymmetric
key pair. The sender signs with the private key, of course. The key pair. The sender signs with the private key, of course. The
device sending the OPEN may use one key for all links, a different device sending the OPEN PDU may use one key for all links, a different
key for each link, or some mix(es) thereof.</t> key for each link, or some mix(es) thereof.</t>
<t>In the TOFU method the key sent in the OPEN PDU is generated on <t>In the TOFU method the key sent in the OPEN PDU is generated on
the sending device, is believed without question by the receiver, the sending device, is believed without question by the receiver,
and used to verify all subsequent PDUs from the same sender with the and used to verify all subsequent PDUs from the same sender with the
same Key Type and Algorithm.</t> same public key and algorithm.</t>
<t>With the PKI-mechanism, an enrollment step is performed. The <t>With the PKI method, an enrollment step is performed. The public
public key is put into a certificate <xref target="RFC5280"/>, which key is signed by the the operational environment's trust anchor. In
is signed by the the operational environment's trust anchor. In
this way, the relying party can be confident that the public key is this way, the relying party can be confident that the public key is
under control of the identified L3DL protocol entity.</t> under control of the identified L3DL protocol entity.</t>
@ -121,12 +113,32 @@
PKI-based keys may be verified against the trust anchor when the PKI-based keys may be verified against the trust anchor when the
OPEN PDU is received.</t> OPEN PDU is received.</t>
<t>In the PKI method the OPEN key MUST be verified against the trust <t>In the PKI method the public key in the OPEN PDU MUST be verified
anchor for the operational domain. The OPEN key is then used to against the trust anchor for the operational domain. The OPEN PDU
verify all subsequent PDUs in the session.</t> public key is then used to verify all subsequent PDUs in the
session. A mechanism for 'rolling' from the current public key
to a fresh one is described in <xref target="roll"/>.</t>
</section> </section>
<section anchor="algo" title="Signature Algorithm Identifiers">
<t>To avoid the creation of yet another IANA registry for
digital signature algorithm identifiers, this specification makes
use of the existing IANA registry for "DNS Security Algorithm Numbers"
<xref target="IANA"/>. In this registry, each signature algorithm is
identified by an 8-bit value. The entries in this registry with "Y"
in the "Zone Signing" column are appropriate for use with this
protocol.</t>
<t>For interoperability, all implementations of this protocol
MUST support the RSASHA256 algorithm (identified by the value 8).
Implementation MAY support any other registered "Zone Signing"
signature algorithms.</t>
</section>
<section anchor="tofu" title="Trust On First Use Method"> <section anchor="tofu" title="Trust On First Use Method">
<t>There are three parts to using a key: signing PDUs, verifying <t>There are three parts to using a key: signing PDUs, verifying
@ -149,13 +161,13 @@
</t> </t>
<t> <t>
Generate the signature as specified for the chosen signature Generate the signature as specified for the chosen algorithm,
suite, using the private member of the asymmetric key pair. using the private key of the asymmetric key pair. In general,
In general this will involve first hashing the "message to this will involve first hashing the "message to be signed" then
be signed" then signing the hash, but the precise details signing the hash, but the precise details may vary with the
may vary with the specific algorithm. The result will be a specific signature algorithm. The result will be a sequence of
sequence of octets, the length of which MUST be equal to the octets, the length of which MUST be equal to the value in the
setting of the "Signature Length" field. "Signature Length" field.
</t> </t>
<t> <t>
@ -284,12 +296,12 @@
<section anchor="pki" title="Public Key Infrastructure Method"> <section anchor="pki" title="Public Key Infrastructure Method">
<t> <t>
Using a PKI, <xref target="RFC5280"/>, is almost the same as using Using a PKI is almost the same as using TOFU, but with one
TOFU, but with one additional step: during verification of an OPEN additional step: during verification of an OPEN PDU, after
PDU, after extracting the Key field from the PDU but before extracting the Key field from the PDU but before attempting to use
attempting to use it to verify the PDU's signature, the receiver it to verify the OPEN PDU signature, the receiver MUST verify the
MUST verify the received key against the PKI to confirm that it's received key against the PKI to confirm that it's an authorized
an authorized key. key.
</t> </t>
<t> <t>
@ -303,17 +315,18 @@
<t> <t>
Verifying an OPEN PDU using the PKI method requires the public Verifying an OPEN PDU using the PKI method requires the public
key of the trust anchor, which the receiver uses to verify the key of the trust anchor, which the receiver uses to verify the
certificate, thereby demonstrating that the supplied is certificate, thereby demonstrating that the supplied public key
represents an authorized L3DL speaker in this administrative represents an authorized L3DL speaker in this administrative
domain. domain.
</t> </t>
<t> <t>
We use the term "certificate" here in the generic sense. These We use the term "certificate" here in the generic sense, not as
are not X.509 certificates: X.509 is much more complicated than defined in <xref target="RFC5280"/>. X.509 certificates are not
we need for L3DL. The certificates used here are just used here; X.509 certificates are more complicated than needed
signatures of one key (the session key supplied in the Key field for L3DL. The L3DL certificates are just signatures of one key
of the OPEN PDU) by another key (the trust anchor). (the public key supplied in the Key field of the OPEN PDU) that
can be verified by another trusted public key (the trust anchor).
</t> </t>
<section anchor="pki-open-signing" title="Signing OPEN PDU with PKI"> <section anchor="pki-open-signing" title="Signing OPEN PDU with PKI">
@ -372,17 +385,17 @@
<t> <t>
Require TOFU: sender MUST supply key and receiver MUST Require TOFU: sender MUST supply key and receiver MUST
check, certificate not needed and ignored if sent. check, but L3DL certificates not needed and ignored if sent.
</t> </t>
<t> <t>
Allow TOFU: sender must supply key and receiver MUST check, Allow TOFU: sender MUST supply key and receiver MUST check,
receiver SHOULD check certificate if supplyed by sender. receiver SHOULD check certificate if supplyed by sender.
</t> </t>
<t> <t>
Require PKI: sender MUST supply key and certificate, Require PKI: sender MUST supply key and L3DL certificate,
receiver MUST check both. receiver MUST check signature and verify the L3DL certificate.
</t> </t>
</list> </list>
@ -395,9 +408,13 @@
<t>Modern key management allows for agility in 'rolling' to a new <t>Modern key management allows for agility in 'rolling' to a new
key or even algorithm in case of key expiry, key compromise, or key or even algorithm in case of key expiry, key compromise, or
merely prudence. Declaring a new key with an L3DL OPEN PDU would merely prudence. Declaring a new key with an L3DL OPEN PDU would
cause serious churn in topology as a new OPEN may cause a withdraw cause serious churn in topology as a new OPEN PDU may cause a
of previously announced encapsulations. Therefore, a gentler withdraw of previously announced encapsulations. Therefore, a
rekeying is needed.</t> gentler rekeying is needed.</t>
<t>Prior to 'rolling' to a new key or new algorithm, a new public/private
key pair is generated. If PKI is being used, then the trust anchor
also signs the new public key to create a new L3DL certificate.</t>
<!-- <!--
protocol "Type = 8:8,Payload Length:16,New Key Algor:8,New Key Length:16,New Key ...:32,New Cert Length:16,New Certificate ...:32,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40" protocol "Type = 8:8,Payload Length:16,New Key Algor:8,New Key Length:16,New Key ...:32,New Cert Length:16,New Certificate ...:32,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
@ -408,7 +425,7 @@
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 8 | Payload Length | New Key Algor | | Type = 8 | Payload Length | New Key Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Key Length | New Key ... | | New Key Length | New Key ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@ -416,7 +433,7 @@
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Certificate ... | | New Certificate ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old Sig Type | Old Signature Length | | | Old Key Type | Old Signature Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| Old Signature ... | | Old Signature ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@ -424,14 +441,14 @@
</figure> </figure>
<t>The New Key Type, New Key Length, New Key, New Cert Length, and <t>The New Key Type, New Key Length, New Key, New Cert Length, and
New Certificate field declare the replacement algorithm suite, New Certificate fields declare the replacement algorithm, key, and
key, and certificate.</t> L3DL certificate.</t>
<t>The NEWKEY PDU is signed using the current (soon to be old) <t>The NEWKEY PDU is signed using the current (soon to be old)
algorithm suite and key.</t> algorithm and key.</t>
<t>The sender and the receiver should be cautious of algorithm suite <t>The sender and the receiver should be cautious of signature
downgrade attacks.</t> algorithm downgrade attacks.</t>
<t>To avoid possible race conditions, the receiver SHOULD accept <t>To avoid possible race conditions, the receiver SHOULD accept
signatures using either the new or old key for a configurable time signatures using either the new or old key for a configurable time
@ -441,16 +458,16 @@
<t>If the sender does not receive an ACK in the normal window, <t>If the sender does not receive an ACK in the normal window,
including retransmission, then the sender MAY choose to allow a including retransmission, then the sender MAY choose to allow a
session reset by either issuing a new OPEN or by letting the session reset by either issuing a new OPEN PDU or by letting the
receiver eventually have a signature failure (error code 3) on a receiver eventually have a signature failure (error code 3) on a
PDU.</t> PDU.</t>
<t> <t>
The rekeying operation changes the session key and algorithm The rekeying operation changes the session key and the associated
suite described in <xref target="tofu-other-verifying"/>. The algorithm described in <xref target="tofu-other-verifying"/>. The
NEWKEY PDU itself is verified using the old algorithm and NEWKEY PDU itself is verified using the old algorithm and session
session key, subsequent PDUs are verified with the new algorithm key. After the NEWKEY PDU has been accepted, subsequent PDUs are
and session key recorded after the NEWKEY PDU has been accepted. verified with the new algorithm and the new session key.
</t> </t>
</section> </section>
@ -464,19 +481,19 @@
And data integrity is a positive side effect of the signature And data integrity is a positive side effect of the signature
covering the payload.</t> covering the payload.</t>
<t>The PKI-based method offers assurance that the certificate, and <t>The PKI method offers assurance that the L3DL certificate, and
hence the keying material, provided in the OPEN PDU are authorized hence the public key, provided in the OPEN PDU are authorized
by a central authority, e.g. the network's network security team. The by a central authority, e.g. the network's security team. The
onward assurance of talking to the same peer and data integrity are onward assurance of talking to the same peer and data integrity are
the same as in the TOFU method.</t> the same as in the TOFU method.</t>
<t>With the PKI-based method, automated device provisioning could <t>With the PKI method, automated device provisioning could
restrict which certificates are allowed from which peers restrict which L3DL certificates are allowed from which peers
on a per interface basis. This would complicate key rolls. Where on a per interface basis. This would complicate key rolls. Where
one draws the line between rigidity, flexibility, and security one draws the line between rigidity, flexibility, and security
varies.</t> varies.</t>
<t>The REKEY PDU is open to abuse to create an algorithm suite <t>The REKEY PDU is open to abuse to create a signature algorithm
downgrade attack.</t> downgrade attack.</t>
</section> </section>
@ -507,12 +524,6 @@
</figure> </figure>
</section> </section>
<section anchor="acks" title="Acknowledgments">
<t>The authors thank Russ Housley for advice and reviews.</t>
</section>
</middle> </middle>
@ -520,14 +531,20 @@
<references title="Normative References"> <references title="Normative References">
<?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.5280"?>
<?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.8174"?>
<?rfc include="reference.I-D.ietf-lsvr-l3dl"?> <?rfc include="reference.I-D.ietf-lsvr-l3dl"?>
<reference anchor="IANA" target="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml">
<front>
<title>DNS Security Algorithm Numbers</title>
<author/>
<date/>
</front>
</reference>
</references> </references>
<!--
<references title="Informative References"> <references title="Informative References">
<?rfc include="reference.RFC.5280"?>
</references> </references>
-->
</back> </back>