summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5386.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5386.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5386.txt')
-rw-r--r--doc/rfc/rfc5386.txt619
1 files changed, 619 insertions, 0 deletions
diff --git a/doc/rfc/rfc5386.txt b/doc/rfc/rfc5386.txt
new file mode 100644
index 0000000..4564bef
--- /dev/null
+++ b/doc/rfc/rfc5386.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group N. Williams
+Request for Comments: 5386 Sun
+Category: Standards Track M. Richardson
+ SSW
+ November 2008
+
+
+ Better-Than-Nothing Security: An Unauthenticated Mode of IPsec
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (c) 2008 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Abstract
+
+ This document specifies how to use the Internet Key Exchange (IKE)
+ protocols, such as IKEv1 and IKEv2, to setup "unauthenticated"
+ security associations (SAs) for use with the IPsec Encapsulating
+ Security Payload (ESP) and the IPsec Authentication Header (AH). No
+ changes to IKEv2 bits-on-the-wire are required, but Peer
+ Authorization Database (PAD) and Security Policy Database (SPD)
+ extensions are specified. Unauthenticated IPsec is herein referred
+ to by its popular acronym, "BTNS" (Better-Than-Nothing Security).
+
+
+
+
+
+
+
+
+
+
+
+
+Williams & Richardson Standards Track [Page 1]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 1.1. Conventions Used in This Document . . . . . . . . . . . . 2
+ 2. BTNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.1. Example #1: A Security Gateway . . . . . . . . . . . . . . 5
+ 3.2. Example #2: A Mixed End-System . . . . . . . . . . . . . . 7
+ 3.3. Example #3: A BTNS-Only System . . . . . . . . . . . . . . 8
+ 3.4. Miscellaneous Comments . . . . . . . . . . . . . . . . . . 9
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
+ 4.1. Connection Latching and Channel Binding . . . . . . . . . 9
+ 4.2. Leap-of-Faith (LoF) for BTNS . . . . . . . . . . . . . . . 10
+ 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . . 10
+ 6.2. Informative References . . . . . . . . . . . . . . . . . . 10
+
+1. Introduction
+
+ Here we describe how to establish unauthenticated IPsec SAs using
+ IKEv2 [RFC4306] and unauthenticated public keys. No new on-the-wire
+ protocol elements are added to IKEv2.
+
+ The [RFC4301] processing model is assumed.
+
+ This document does not define an opportunistic BTNS mode of IPsec
+ whereby nodes may fall back to unprotected IP when their peers do not
+ support IKEv2, nor does it describe "leap-of-faith" modes or
+ "connection latching".
+
+ See [RFC5387] for the applicability and uses of BTNS and definitions
+ of these terms.
+
+ This document describes BTNS in terms of IKEv2 and [RFC4301]'s
+ concepts. There is no reason why the same methods cannot be used
+ with IKEv1 [RFC2408], [RFC2409], and [RFC2401]; however, those
+ specifications do not include the PAD concepts, and therefore it may
+ not be possible to implement BTNS on all compliant RFC2401
+ implementations.
+
+1.1. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+Williams & Richardson Standards Track [Page 2]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+2. BTNS
+
+ The IPsec processing model is hereby modified as follows:
+
+ o A new ID type is added: 'PUBLICKEY'. IDs of this type have public
+ keys as values. This ID type is not used on the wire.
+
+ o PAD entries that match on PUBLICKEY IDs are referred to as "BTNS
+ PAD entries". All other PAD entries are referred to as "non-BTNS
+ PAD entries".
+
+ o BTNS PAD entries may match on specific peer PUBLICKEY IDs (or
+ public key fingerprints) or on all peer public keys. The latter
+ is referred to as the "wildcard BTNS PAD entry".
+
+ o BTNS PAD entries MUST logically (see below) follow all other PAD
+ entries (the PAD being an ordered list).
+
+ o At most one wildcard BTNS PAD entry may appear in the PAD, and, if
+ present, MUST be the last entry in the PAD (see below).
+
+ o Any peer that uses an IKEv2 AUTH method involving a digital
+ signature (made with a private key to a public key cryptosystem)
+ may match a BTNS PAD entry, provided that it matches no non-BTNS
+ PAD entries. Suitable AUTH methods as of August 2007 are: RSA
+ Digital Signature (method #1) and DSS Digital Signature (method
+ #3); see [RFC4306], Section 3.8.
+
+ o A BTNS-capable implementation of IPsec will first search the PAD
+ for non-BTNS entries matching a peer's ID. If no matching
+ non-BTNS PAD entries are found, then the peer's ID MUST be coerced
+ to be of 'PUBLICKEY' type with the peer's public key as its value.
+ The PAD is then searched again for matching BTNS PAD entries.
+ This ensures that BTNS PAD entries logically follow non-BTNS PAD
+ entries. A single PAD search that preserves these semantics is
+ allowed.
+
+ o A peer that matches a BTNS PAD entry is referred to as a "BTNS
+ peer". Such a peer is "authenticated" by verifying the signature
+ in its IKEv2 AUTH payload with the public key from the peer's CERT
+ payload.
+
+ o Of course, if no matching PAD entry is found, then the IKE SA is
+ rejected as usual.
+
+
+
+
+
+
+
+Williams & Richardson Standards Track [Page 3]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ o A new flag for SPD entries: 'BTNS_OK'. Traffic to/from peers that
+ match the BTNS PAD entry will match only SPD entries that have the
+ BTNS_OK flag set. The SPD may be searched by address or by ID (of
+ type PUBLICKEY for BTNS peers), as per the IPsec processing model
+ [RFC4301]. Searching by ID in this case requires creation of SPD
+ entries that are bound to public key values. This could be used
+ to build "leap-of-faith" [RFC5387] behavior (see Section 4.2), for
+ example.
+
+ Nodes MUST reject IKE_SA proposals from peers that match non-BTNS PAD
+ entries but fail to authenticate properly.
+
+ Nodes wishing to be treated as BTNS nodes by their peers MUST include
+ bare public key CERT payloads. Currently only bare RSA public key
+ CERT payloads are defined, which means that BTNS works only with RSA
+ public keys at this time (see "Raw RSA Key" in Section 3.6 of
+ [RFC4306]). Nodes MAY also include any number of certificates that
+ bind the same public key. These certificates do not need to be
+ pre-shared with their peers (e.g., because ephemeral, self-signed).
+ RSA keys for use in BTNS may be generated at any time, but connection
+ latching [ConnLatch] requires that they remain constant between IKEv2
+ exchanges that are used to establish SAs for latched connections.
+
+ To preserve standard IPsec access control semantics:
+
+ o BTNS PAD entries MUST logically follow all non-BTNS PAD entries,
+
+ o the wildcard BTNS PAD entry MUST be the last entry in the PAD,
+ logically, and
+
+ o the wildcard BTNS PAD entry MUST have ID constraints that do not
+ logically overlap those of other PAD entries.
+
+ As described above, the logical PAD ordering requirements can easily
+ be implemented by searching the PAD twice at peer authentication
+ time: once using the peer-asserted ID, and if that fails, once using
+ the peer's public key as a PUBLICKEY ID. A single pass
+ implementation that meets this requirement is permitted.
+
+ The BTNS entry ID constraint non-overlap requirement can easily be
+ implemented by searching the PAD twice: once when BTNS peers
+ authenticate, and again when BTNS peers negotiate child SAs. In the
+ first pass, the PAD is searched for a matching PAD entry as described
+ above. In the second, it is searched to make sure that BTNS peers'
+ asserted child SA traffic selectors do not conflict with non-BTNS PAD
+ entries. Single pass implementations that preserve these semantics
+ are feasible.
+
+
+
+
+Williams & Richardson Standards Track [Page 4]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+3. Usage Scenarios
+
+ In order to explain the above rules, a number of scenarios will be
+ examined. The goal here is to persuade the reader that the above
+ rules are both sufficient and necessary.
+
+ This section is informative only.
+
+ To explain the scenarios, a reference diagram describing an example
+ network will be used. It is as follows:
+
+ [Q] [R]
+ AS1 . . AS2
+ [A]----+----[SG-A].......+....+.......[SG-B]-------[B]
+ ...... \
+ ..PI.. ----[btns-B]
+ ......
+ [btns-C].....+....+.......[btns-D]
+
+ Figure 1: Reference Network Diagram
+
+ In this diagram, there are eight systems. Six systems are end-nodes
+ (A, B, C, D, Q, and R). Two are security gateways (SG-A, SG-B)
+ protecting networks on which [A] and [B] reside. Node [Q] is IPsec
+ and BTNS capable. Node [R] is a simple node, with no IPsec or BTNS
+ capability. Nodes [C] and [D] are BTNS capable.
+
+ Nodes [C] and [Q] have fixed addresses. Node [D] has a non-fixed
+ address.
+
+ We will examine how these various nodes communicate with node [SG-A]
+ and/or how [SG-A] rejects communications with some such nodes. In
+ the first example, we examine [SG-A]'s point of view. In the second
+ example, we look at [Q]'s point of view. In the third example, we
+ look at [C]'s point of view.
+
+ PI is the Public Internet ("The Wild").
+
+3.1. Example #1: A Security Gateway
+
+ The machine that we will focus on in this example is [SG-A], a
+ firewall device of some kind that we wish to configure to respond to
+ BTNS connections from [C].
+
+
+
+
+
+
+
+
+Williams & Richardson Standards Track [Page 5]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ [SG-A] has the following PAD and SPD entries:
+
+ Child SA
+ Rule Remote ID IDs allowed SPD Search by
+ ---- --------- ----------- -------------
+ 1 <B's ID> <B's network> by-IP
+ 2 <Q's ID> <Q's host> by-IP
+ 3 PUBLICKEY:any ANY by-IP
+
+ The last entry is the BTNS entry.
+
+ Figure 2: [SG-A] PAD Table
+
+ Note that [SG-A]'s PAD entry has one and only one wildcard PAD entry:
+ the BTNS catch-all PAD entry as the last entry, as described in
+ Section 2.
+
+ <Child SA IDs allowed> and <SPD Search by> are from [RFC4301],
+ Section 4.4.3.
+
+ Rule Local Remote Next Layer BTNS Action
+ addr addr Protocol ok
+ ---- ----- ------ ---------- ---- -----------------------
+ 1 [A] [R] ANY N/A BYPASS
+ 2 [A] [Q] ANY no PROTECT(ESP,tunnel,AES,
+ SHA256)
+ 3 [A] B-net ANY no PROTECT(ESP,tunnel,AES,
+ SHA256)
+ 4 [A] ANY ANY yes PROTECT(ESP,transport,
+ integr+conf)
+
+ Figure 3: [SG-A] SPD Table
+
+ The processing by [SG-A] of SA establishment attempts by various
+ peers is as follows:
+
+ o [Q] does not match PAD entry #1 but does match PAD entry #2. PAD
+ processing stops, then the SPD is searched by [Q]'s ID to find
+ entry #2. CHILD SAs are then allowed that have [SG-A]'s and [Q]'s
+ addresses as the end-point addresses.
+
+ o [SG-B] matches PAD entry #1. PAD processing stops, then the SPD
+ is searched by [SG-B]'s ID to find SPD entry #3. CHILD SAs are
+ then allowed that have [SG-A]'s address and any addresses from B's
+ network as the end-point addresses.
+
+ o [R] does not initiate any IKE SAs; its traffic to [A] is bypassed
+ by SPD entry #1.
+
+
+
+Williams & Richardson Standards Track [Page 6]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ o [C] does not match PAD entries #1 or #2 but does match entry #3,
+ the BTNS wildcard PAD entry. The SPD is searched by [C]'s
+ address, and SPD entry #4 is matched. CHILD SAs are then allowed
+ that have [SG-A]'s address and [C]'s address as the end-point
+ addresses, provided that [C]'s address is neither [Q]'s nor any of
+ [B]'s (see Section 2). See the last bullet item below.
+
+ o A rogue BTNS node attempting to assert [Q]'s or [B]'s addresses
+ will either match the PAD entries for [Q] or [B] and fail to
+ authenticate as [Q] or [B], in which case they are rejected, or
+ they will match PAD entry #3 but will not be allowed to create
+ CHILD SAs with [Q]'s or [B]'s addresses as traffic selectors.
+
+ o A rogue BTNS node attempting to establish an SA whereby the rogue
+ node asserts [C]'s address will succeed at establishing such an
+ SA. Protection for [C] requires additional bindings of [C]'s
+ specific BTNS ID (that is, its public key) to its traffic flows
+ through connection latching and channel binding or through leap-
+ of-faith, none of which are described here.
+
+3.2. Example #2: A Mixed End-System
+
+ [Q] is an NFSv4 server.
+
+ [Q] is a native IPsec implementation, and its NFSv4 implementation is
+ IPsec-aware.
+
+ [Q] wants to protect all traffic with [A]. [Q] also wants to protect
+ NFSv4 traffic with all peers. Its PAD and SPD are configured as
+ follows:
+
+ Child SA
+ Rule Remote ID IDs allowed SPD Search by
+ ---- --------- ----------- -------------
+ 1 <[A]'s ID> <[A]'s address> by-IP
+ 2 PUBLICKEY:any ANY by-IP
+
+ The last entry is the BTNS entry.
+
+ Figure 4: [Q] PAD Table
+
+
+
+
+
+
+
+
+
+
+
+Williams & Richardson Standards Track [Page 7]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ Rule Local Remote Next Layer BTNS Action
+ addr addr Protocol ok
+ ---- ----- ------ ---------- ---- -----------------------
+ 1 [Q] [A] ANY no PROTECT(ESP,tunnel,AES,
+ SHA256)
+ 2 [Q] ANY ANY yes PROTECT(ESP,transport,
+ with integr+conf)
+ port 2049
+
+ Figure 5: [Q] SPD Table
+
+ The same analysis shown above in Section 3.1 applies here with
+ respect to [SG-A], [C], and rogue peers. The second SPD entry
+ permits any BTNS-capable node to negotiate a port-specific SA to port
+ 2049, the port on which NFSv4 runs. Additionally, [SG-B] is treated
+ as a BTNS peer as it is not known to [Q], and therefore any host
+ behind [SG-B] can access the NFSv4 service on [Q]. As [Q] has no
+ formal relationship with [SG-B], rogues can impersonate [B] (i.e.,
+ assert [B]'s addresses).
+
+3.3. Example #3: A BTNS-Only System
+
+ [C] supports only BTNS and wants to use BTNS to protect NFSv4
+ traffic. Its PAD and SPD are configured as follows:
+
+ Child SA
+ Rule Remote ID IDs allowed SPD Search by
+ ---- --------- ----------- -------------
+ 1 PUBLICKEY:any ANY by-IP
+
+ The last (and only) entry is the BTNS entry.
+
+ Figure 6: [Q] PAD Table
+
+
+ Rule Local Remote Next Layer BTNS Action
+ addr addr Protocol ok
+ ---- ----- ------ ---------- ---- -----------------------
+ 1 [C] ANY ANY yes PROTECT(ESP,transport,
+ with integr+conf)
+ port
+ 2049
+
+ 2 [C] ANY ANY N/A BYPASS
+
+ Figure 7: [SG-A] SPD Table
+
+
+
+
+
+Williams & Richardson Standards Track [Page 8]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ The analysis from Section 3.1 applies as follows:
+
+ o Communication with [Q] on port 2049 matches SPD entry number 1.
+ This causes [C] to initiate an IKEv2 exchange with [Q]. The PAD
+ entry on [C] causes it to not care what identity [Q] asserts.
+ Further authentication (and channel binding) could occur within
+ the NFSv4 protocol.
+
+ o Communication with [A], [B], or any other internet machine
+ (including [Q]), occurs in the clear, so long as it is not on port
+ 2049.
+
+ o All analysis about rogue BTNS nodes applies, but they can only
+ assert SAs for port 2049.
+
+3.4. Miscellaneous Comments
+
+ If [SG-A] were not BTNS capable, then it would not have PAD and SPD
+ entries #3 and #4, respectively, in example #1. Then [C] would be
+ rejected as usual under the standard IPsec model [RFC4301].
+
+ Similarly, if [Q] were not BTNS capable, then it would not have PAD
+ and SPD entries #2 in example #2. Then [C] would be rejected as
+ usual under the standard IPsec model [RFC4301].
+
+4. Security Considerations
+
+ Unauthenticated security association negotiation is subject to man-
+ in-the-middle (MITM) attacks and should be used with care. Where
+ security infrastructures are lacking, this may indeed be better than
+ nothing.
+
+ Use with applications that bind authentication at higher network
+ layers to secure channels at lower layers may provide one secure way
+ to use unauthenticated IPsec, but this is not specified herein.
+
+ The BTNS PAD entry must be last and its child SA ID constraints must
+ be non-overlapping with any other PAD entry, as described in
+ Section 2. This will ensure that no BTNS peer can impersonate
+ another IPsec non-BTNS peer.
+
+4.1. Connection Latching and Channel Binding
+
+ BTNS is subject to MITM attacks. One way to protect against MITM
+ attacks subsequent to initial communications is to use "connection
+ latching" [ConnLatch]. In connection latching, upper layer protocols
+ (ULPs) cooperate with IPsec to bind discrete packet flows to
+
+
+
+
+Williams & Richardson Standards Track [Page 9]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ sequences of similar SAs. Connection latching requires native IPsec
+ implementations.
+
+ MITMs can be detected by using application-layer authentication
+ frameworks and/or mechanisms, such as the GSS-API [RFC2743], with
+ channel binding [RFC5056]. IPsec "channels" are nothing other than
+ latched connections.
+
+4.2. Leap-of-Faith (LoF) for BTNS
+
+ "Leap of faith" is the term generally used when a user accepts the
+ assertion that a given key identifies a peer on the first
+ communication (despite a lack of strong evidence for that assertion),
+ and then remembers this association for future communications.
+ Specifically this is a common mode of operation for Secure Shell
+ [RFC4251] clients. When a server is encountered for the first time,
+ the Secure Shell client may ask the user whether to accept the
+ server's public key. If so, the client records the server's name (as
+ given by the user) and public key in a database.
+
+ Leap of faith can work in a similar way for BTNS nodes, but it is
+ currently still being designed and specified by the IETF BTNS WG.
+
+5. Acknowledgements
+
+ Thanks to the following reviewer: Stephen Kent.
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+6.2. Informative References
+
+ [ConnLatch] Williams, N., "IPsec Channels: Connection Latching",
+ Work in Progress, April 2008.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet
+ Security Association and Key Management Protocol
+ (ISAKMP)", RFC 2408, November 1998.
+
+
+
+Williams & Richardson Standards Track [Page 10]
+
+RFC 5386 BTNS IPsec November 2008
+
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
+ Protocol Architecture", RFC 4251, January 2006.
+
+ [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
+ RFC 4306, December 2005.
+
+ [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
+ Channels", RFC 5056, November 2007.
+
+ [RFC5387] Touch, J., Black, D., and Y. Wang, "Problem and
+ Applicability Statement for Better-Than-Nothing Security
+ (BTNS)", RFC 5387, November 2008.
+
+Authors' Addresses
+
+ Nicolas Williams
+ Sun Microsystems
+ 5300 Riata Trace Ct
+ Austin, TX 78727
+ US
+
+ EMail: Nicolas.Williams@sun.com
+
+
+ Michael C. Richardson
+ Sandelman Software Works
+ 470 Dawson Avenue
+ Ottawa, ON K1Z 5V7
+ CA
+
+ EMail: mcr@sandelman.ottawa.on.ca
+ URI: http://www.sandelman.ottawa.on.ca/
+
+
+
+
+
+
+
+
+
+
+
+
+
+Williams & Richardson Standards Track [Page 11]
+