randy/draft-l3dl-signing
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
draft-l3dl-signing/draft-ymbk-lsvr-l3dl-signing.xml

257 lines
9 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc comments="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc inline="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc toc="yes"?>
<?rfc tocdepth="6"?>
<?rfc tocindent="yes"?>
<?rfc tocompact="yes"?>
<rfc category="std" docName="draft-ymbk-lsvr-l3dl-signing-00" ipr="trust200902">
<front>
<title>Layer 3 Discovery and Liveness Signing</title>
<author fullname="Randy Bush" initials="R." surname="Bush">
<organization>Arrcus &amp; IIJ</organization>
<address>
<postal>
<street>5147 Crystal Springs</street>
<city>Bainbridge Island</city>
<region>WA</region>
<code>98110</code>
<country>United States of America</country>
</postal>
<email>randy@psg.com</email>
</address>
</author>
<!--
<author fullname="Russ Housley" initials="R" surname="Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address>
<postal>
<street>918 Spring Knoll Drive</street>
<city>Herndon</city>
<region>VA</region>
<code>20170</code>
<country>USA</country>
</postal>
<email>housley@vigilsec.com</email>
</address>
</author>
-->
<author initials="R." surname="Austein" fullname="Rob Austein">
<organization abbrev="Arrcus">Arrcus, Inc.</organization>
<address>
<email>sra@hactrn.net</email>
</address>
</author>
<date />
<abstract>
<t>The Layer 3 Discovery and Liveness protocol OPEN PDU contains a
key which can be used to verify signatures on subsequent PDUs. This
document describes two mechanisms based on digital signatures, one
that is Trust On First Use (TOFU), and one that uses certificates to
provide authentication as well as session integrity.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/> when,
and only when, they appear in all capitals, as shown here.</t>
</note>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The Layer 3 Discovery and Liveness protocol [old ref because new
draft not yet pushed] <xref target="I-D.ietf-lsvr-lsoe"/> OPEN PDU
contains an algorithm specifier and a key which can be used to
verify signatures on subsequent PDUs. This document describes two
methods of key generation and signing for use by L3DL, Trust On
First Use (TOFU) and a PKI-based mechanism to provide authentication
as well as session integrity.</t>
<t>The Key in the OPEN PDU SHOULD be the public key of an asymmetric
key pair. The sender signs with the private key, of course. The
device sending the OPEN may use one key for all links, a different
key for each link, or some aggregation(s) thereof.</t>
<t>In the TOFU method the OPEN key is generated on the sending
device, believed without question by the receiver, and used to
verify all subsequent PDUs from the same sender with the same Key
Type.</t>
<t>With the PKI-mechanism, an enrollment step is performed. The
public key and an identifier of the subject are put into a
certificate, which is signed by the the operational environment's
trust anchor. In this way, the relying party can be confident that
the public key is under control of the identified L3DL protocol
entity.</t>
<t>To the receiver verifying signatures on PDUs, the two methods are
indistinguishable; the key provided in the OPEN PDU is used to
verify the signatures of subsequent PDUs. The difference that
PKI-based keys may be verified against the trust anchor when the
OPEN PDU is received.</t>
<t>In the PKI method the OPEN key MUST be verified against the trust
anchor for the operational domain. It is then used to verify all
subsequent PDUs from the same peer with the same Key Type.</t>
</section>
<section anchor="tofu" title="Trust On First Use Method">
</section>
<section anchor="pki" title="Public Key Infrastructure Method">
</section>
<section anchor="roll" title="NEWKEY, Key Roll">
<t>Modern key management allows for agility in 'rolling' to a new
key or even algorithm in case of key expiry, key compromise, or
merely prudence. Declaring a new key with an L3DL OPEN PDU would
cause serious churn in topology as a new OPEN causes a withdraw of
previously announced encapsulations. Therefore, a gentler rekeying
is needed.</t>
<!--
protocol "Type = 8:8,Payload Length:16,New Key Type:8,New Key Length:16,New Key ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
-->
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 8 | Payload Length | New Key Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Key Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
~ New Key ... | Old Sig Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old Signature Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
~ Old Signature ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>The New Key Type, New Key Length, and New Key fields declare the
replacement algorithm suite and key.</t>
<t>The NEWKEY PDU is signed using the current (soon to be old)
algorithm suite and key.</t>
<t>The sender and the receiver should be cautious of algorithm suite
downgrade attacks.</t>
<t>To avoid possible race conditions, the receiver SHOULD accept
signatures using either the new or old key for a configurable time
(default 30 seconds). This is intended to accommodate situations
such as senders with high peer out-degree and a single per-device
asymmetric key.</t>
<t>If the sender does not receive an ACK in the normal window,
including retransmission, then the sender MAY choose to allow a
session reset by either issuing a new OPEN or by letting the
receiver eventually have a signature failure (error code 3) on a
PDU.</t>
</section>
<section anchor="security" title="Security Considerations">
<t>The TOFU method requires a leap of faith to accept the key in the
OPEN PDU, as it can not be verified against any authority. Hence it
is jokingly referred to as Married On First Date. The assurance it
does provide is that subsequent signed PDUs are from the same peer.
And data integrity is a positive side effect of the signature.</t>
<t>The PKI-based method offers assurance that the certificate, and
hence the keying material, provided in the OPEN PDU are authorized
by a central authority, e.g. the Clos's network security team. The
onward assurance of talking to the same peer and data integrity are
the same as in the TOFU method.</t>
<t>With the PKI-based method, automated device provisioning could
restrict which subsidiary certificates were allowed from which peers
on a per interface basis. This would complicate key rolls. Where
one draws the line between rigidity, flexibility, and security
varies.</t>
<t>The REKEY PDU is open to abuse to create an algorithm suite
downgrade attack.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>This document requests the IANA create a new entry in the L3DL PDU
Type registry as follows:</t>
<figure>
<artwork>
PDU
Code PDU Name
---- -------------------
8 NEWKEY
</artwork>
</figure>
<t>This document requests the IANA add a registry entry for "TOFU -
Trust On First Use" to the L3DL-Signature-Type registry as follows:</t>
<figure>
<artwork>
Number Name
------ -------------------
1 TOFU - Trust On First Use
2 PKI
</artwork>
</figure>
</section>
<section anchor="acks" title="Acknowledgments">
<t>The authors than Russ Housley for advice and review.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.8174"?>
<?rfc include="reference.I-D.ietf-lsvr-lsoe"?>
</references>
<!--
<references title="Informative References">
</references>
-->
</back>
</rfc>
Reference in a new issue View git blame Copy permalink