1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
|
Network Working Group S. Sakane
Request for Comments: 4430 K. Kamada
Category: Standards Track Yokogawa Electric Corp.
M. Thomas
J. Vilhuber
Cisco Systems
March 2006
Kerberized Internet Negotiation of Keys (KINK)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes the Kerberized Internet Negotiation of Keys
(KINK) protocol. KINK defines a low-latency, computationally
inexpensive, easily managed, and cryptographically sound protocol to
establish and maintain security associations using the Kerberos
authentication system. KINK reuses the Quick Mode payloads of the
Internet Key Exchange (IKE), which should lead to substantial reuse
of existing IKE implementations.
Table of Contents
1. Introduction ....................................................3
1.1. Conventions Used in This Document ..........................3
2. Protocol Overview ...............................................4
3. Message Flows ...................................................4
3.1. GETTGT Message Flow ........................................5
3.2. CREATE Message Flow ........................................6
3.2.1. CREATE Key Derivation Considerations ................7
3.3. DELETE Message Flow ........................................8
3.4. STATUS Message Flow ........................................9
3.5. Reporting Errors ...........................................9
3.6. Rekeying Security Associations ............................10
3.7. Dead Peer Detection .......................................10
3.7.1. Coping with Dead User-to-User Peers ................12
Sakane, et al. Standards Track [Page 1]
^L
RFC 4430 KINK March 2006
4. KINK Message Format ............................................13
4.1. KINK Alignment Rules ......................................15
4.2. KINK Payloads .............................................16
4.2.1. KINK_AP_REQ Payload ................................17
4.2.2. KINK_AP_REP Payload ................................18
4.2.3. KINK_KRB_ERROR Payload .............................19
4.2.4. KINK_TGT_REQ Payload ...............................20
4.2.5. KINK_TGT_REP Payload ...............................21
4.2.6. KINK_ISAKMP Payload ................................21
4.2.7. KINK_ENCRYPT Payload ...............................22
4.2.8. KINK_ERROR Payload .................................23
5. Differences from IKE Quick Mode ................................25
5.1. Security Association Payloads .............................26
5.2. Proposal and Transform Payloads ...........................26
5.3. Identification Payloads ...................................26
5.4. Nonce Payloads ............................................26
5.5. Notify Payloads ...........................................27
5.6. Delete Payloads ...........................................28
5.7. KE Payloads ...............................................28
6. Message Construction and Constraints for IPsec DOI .............28
6.1. REPLY Message .............................................28
6.2. ACK Message ...............................................28
6.3. CREATE Message ............................................29
6.4. DELETE Message ............................................30
6.5. STATUS Message ............................................31
6.6. GETTGT Message ............................................32
7. ISAKMP Key Derivation ..........................................32
8. Key Usage Numbers for Kerberos Key Derivation ..................33
9. Transport Considerations .......................................33
10. Security Considerations .......................................34
11. IANA Considerations ...........................................35
12. Forward Compatibility Considerations ..........................35
12.1. New Versions of Quick Mode ...............................36
12.2. New DOI ..................................................36
13. Related Work ..................................................36
14. Acknowledgements ..............................................37
15. References ....................................................37
15.1. Normative References .....................................37
15.2. Informative References ...................................38
Sakane, et al. Standards Track [Page 2]
^L
RFC 4430 KINK March 2006
1. Introduction
KINK is designed to provide a secure, scalable mechanism for
establishing keys between communicating entities within a centrally
managed environment in which it is important to maintain consistent
security policy. The security goals of KINK are to provide privacy,
authentication, and replay protection of key management messages and
to avoid denial of service vulnerabilities whenever possible. The
performance goals of the protocol are to have a low computational
cost, low latency, and a small footprint. It is also to avoid or
minimize the use of public key operations. In particular, the
protocol provides the capability to establish IPsec security
associations (SAs) in two messages with minimal computational effort.
These requirements are described in RFC 3129 [REQ4KINK].
Kerberos [KERBEROS] provides an efficient authentication mechanism
for clients and servers using a trusted third-party model. Kerberos
also provides a mechanism for cross-realm authentication natively. A
client obtains a ticket from an online authentication server, the Key
Distribution Center (KDC). The ticket is then used to construct a
credential for authenticating the client to the server. As a result
of this authentication operation, the server will also share a secret
key with the client. KINK uses this property as the basis of
distributing keys for IPsec.
The central key management provided by Kerberos is efficient because
it limits computational cost and limits complexity versus IKE's
necessity of using public key cryptography [IKE]. Initial
authentication to the KDC may be performed using either symmetric
keys, or asymmetric keys using the Public Key Cryptography for
Initial Authentication in Kerberos [PKINIT]; however, subsequent
requests for tickets as well as authenticated exchanges between the
client and servers always utilize symmetric cryptography. Therefore,
public key operations (if any) are limited and are amortized over the
lifetime of the credentials acquired in the initial authentication
operation to the KDC. For example, a client may use a single public
key exchange with the KDC to efficiently establish multiple SAs with
many other servers in the realm of the KDC. Kerberos also scales
better than direct peer-to-peer keying when symmetric keys are used.
The reason is that since the keys are stored in the KDC, the number
of principal keys is O(n+m) rather than O(n*m), where "n" is the
number of clients and "m" is the number of servers.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Sakane, et al. Standards Track [Page 3]
^L
RFC 4430 KINK March 2006
It is assumed that the readers are familiar with the terms and
concepts described in Kerberos Version 5 [KERBEROS], IPsec [IPSEC],
and IKE [IKE].
2. Protocol Overview
KINK is a command/response protocol that can create, delete, and
maintain IPsec SAs. Each command or response contains a common
header along with a set of type-length-value payloads. The type of a
command or a response constrains the payloads sent in the messages of
the exchange. KINK itself is a stateless protocol in that each
command or response does not require storage of hard state for KINK.
This is in contrast to IKE, which uses Main Mode to first establish
an Internet Security Association and Key Management Protocol (ISAKMP)
SA followed by subsequent Quick Mode exchanges.
KINK uses Kerberos mechanisms to provide mutual authentication and
replay protection. For establishing SAs, KINK provides
confidentiality for the payloads that follow the Kerberos AP-REQ
payload. The design of KINK mitigates denial of service attacks by
requiring authenticated exchanges before the use of any public key
operations and the installation of any state. KINK also provides a
means of using Kerberos User-to-User mechanisms when there is not a
key shared between the server and the KDC. This is typically, but
not limited to, the case with IPsec peers using PKINIT for initial
authentication.
KINK directly reuses Quick Mode payloads defined in section 5.5 of
[IKE], with some minor changes and omissions. In most cases, KINK
exchanges are a single command and its response. An optional third
message is required when creating SAs, only if the responder rejects
the first proposal from the initiator or wants to contribute the
keying materials. KINK also provides rekeying and dead peer
detection.
3. Message Flows
All KINK message flows follow the same pattern between the two peers:
a command, a response, and an optional acknowledgement in a CREATE
flow. A command is a GETTGT, CREATE, DELETE, or STATUS message; a
response is a REPLY message; and an acknowledgement is an ACK
message.
KINK uses Kerberos as the authentication mechanism; therefore, a KINK
host needs to get a service ticket for each peer before actual key
negotiations. This is basically a pure Kerberos exchange and the
actual KDC traffic here is for illustrative purposes only. In
practice, when a principal obtains various tickets is a subject of
Sakane, et al. Standards Track [Page 4]
^L
RFC 4430 KINK March 2006
Kerberos and local policy consideration. As an exception, the GETTGT
message flow of KINK (described in section 3.1) is used when a User-
to-User authentication is required. In this flow, we assume that
both A and B have ticket-granting tickets (TGTs) from their KDCs.
After a service ticket is obtained, KINK uses the CREATE message flow
(section 3.2), DELETE message flow (section 3.3), and STATUS message
flow (section 3.4) to manage SAs. In these flows, we assume that A
has a service ticket for B.
3.1. GETTGT Message Flow
This flow is used to retrieve a TGT from the remote peer in User-to-
User authentication mode.
If the initiator determines that it will not be able to get a normal
(non-User-to-User) service ticket for the responder, it can try a
User-to-User authentication. In this case, it first fetches a TGT
from the responder in order to get a User-to-User service ticket:
A B KDC
------ ------ ---
1 GETTGT+KINK_TGT_REQ------>
2 <-------REPLY+KINK_TGT_REP
3 TGS-REQ+TGT(B)------------------------------------>
4 <-------------------------------------------TGS-REP
Figure 1: GETTGT Message Flow
The initiator MAY support the following events as triggers to go to
the User-to-User path. Note that the two errors described below will
not be authenticated, and how to act on them depends on the policy.
o The local policy says that the responder requires a User-
to-User authentication.
o A KRB_AP_ERR_USER_TO_USER_REQUIRED error is returned from
the responder.
o A KDC_ERR_MUST_USE_USER2USER error is returned from the
KDC.
Sakane, et al. Standards Track [Page 5]
^L
RFC 4430 KINK March 2006
3.2. CREATE Message Flow
This flow creates SAs. The CREATE command takes an "optimistic"
approach, where SAs are initially created on the expectation that the
responder will choose the initial proposed payload. The optimistic
proposal is placed in the first transform payload(s) of the first
proposal. The initiator MUST check to see if the optimistic proposal
was selected by comparing all transforms and attributes, which MUST
be identical to those in the initiator's optimistic proposal with the
exceptions of LIFE_KILOBYTES and LIFE_SECONDS. Each of these
attributes MAY be set to a lower value by the responder and still
expect optimistic keying, but MUST NOT be set to a higher value that
MUST generate a NO-PROPOSAL-CHOSEN error. The initiator MUST use the
shorter lifetime.
When a CREATE command contains an existing Security Parameter Index
(SPI), the responder MUST reject it and SHOULD return an ISAKMP
notification with INVALID-SPI.
When a key exchange (KE) payload is sent from the initiator but the
responder does not support it, the responder MUST reject it with an
ISAKMP notification of INVALID-PAYLOAD-TYPE containing a KE payload
type as its notification data. When the initiator receives this
error, it MAY retry without a KE payload (as another transaction) if
its policy allows that.
A B KDC
------ ------ ---
A creates an optimistic inbound SA (B->A) unless using a KE.
1 CREATE+ISAKMP------------>
B creates an inbound SA (A->B).
B creates an outbound SA (B->A) if optimistic and not using a KE.
2 <-------------REPLY+ISAKMP
A creates an outbound SA (A->B).
A replaces an inbound SA (B->A) if non-optimistic.
A creates an inbound SA (B->A) if using a KE.
3 [ ACK---------------------> ]
[ B creates an outbound SA (B->A). ]
Figure 2: CREATE Message Flow
Sakane, et al. Standards Track [Page 6]
^L
RFC 4430 KINK March 2006
Creating SAs has two modes: 2-way handshake and 3-way handshake.
The initiator usually begins a negotiation expecting a 2-way
handshake. When the optimistic proposal is not chosen by the
responder, the negotiation is switched to a 3-way handshake. When
and only when the initiator uses a KE payload, 3-way handshake is
expected from the beginning.
A 2-way handshake is performed in the following steps:
1) The host A creates an inbound SA (B->A) in its SA database
using the optimistic proposal in the ISAKMP SA proposal. It is
then ready to receive any messages from B.
2) A then sends the CREATE message to B.
3) If B agrees to A's optimistic proposal, B creates an inbound SA
(A->B) and an outbound SA (B->A) in its database. If B does
not choose the first proposal or wants to add a Nonce payload,
switch to step 3 of the 3-way handshake described below.
4) B then sends a REPLY to A without a Nonce payload and without
requesting an ACK.
5) Upon receipt of the REPLY, A creates an outbound SA (A->B).
A 3-way handshake is performed in the following steps:
1) The host A sends the CREATE message to B without creating any
SA.
2) B chooses one proposal according to its policy.
3) B creates an inbound SA (A->B) and sends the actual choice in
the REPLY. It SHOULD send the optional Nonce payload (as it
does not increase message count and generally increases entropy
sources) and MUST request that the REPLY be acknowledged.
4) Upon receipt of the REPLY, A creates the inbound SA (B->A) (or
modifies it as necessary, if switched from 2-way), and the
outbound SA (A->B).
5) A now sends the ACK message.
6) Upon receipt of the ACK, B installs the final outbound SA
(B->A).
If B does not choose the first proposal, adds a nonce, or accepts the
KE exchange, then it MUST request an ACK (i.e., set the ACKREQ bit)
so that it can install the final outbound SA. The initiator MUST
always generate an ACK if the ACKREQ bit is set in the KINK header,
even if it believes that the responder was in error.
3.2.1. CREATE Key Derivation Considerations
The CREATE command's optimistic approach allows an SA to be created
in two messages rather than three. The implication of a two-message
exchange is that B will not contribute to the key since A must set up
Sakane, et al. Standards Track [Page 7]
^L
RFC 4430 KINK March 2006
the inbound SA before it receives any additional keying material from
B. This may be suspect under normal circumstances; however, KINK
takes advantage of the fact that the KDC provides a reliable source
of randomness which is used in key derivation. In many cases, this
will provide an adequate session key so that B will not require an
acknowledgement. Since B is always at liberty to contribute to the
keying material, this is strictly a trade-off between the key
strength versus the number of messages, which KINK implementations
may decide as a matter of policy.
3.3. DELETE Message Flow
The DELETE command deletes existing SAs. The domain of
interpretation (DOI)-specific payloads describe the actual SA to be
deleted. For the IPsec DOI, those payloads will include an ISAKMP
payload containing the list of the SPIs to be deleted.
A B KDC
------ ------ ---
A deletes outbound SA to B.
1 DELETE+ISAKMP------------>
B deletes inbound and outbound SA to A.
2 <-------------REPLY+ISAKMP
A deletes inbound SA to B.
Figure 3: DELETE Message Flow
The DELETE command takes a "pessimistic" approach, which does not
delete inbound SAs until it receives acknowledgement that the other
host has received the DELETE. The exception to the pessimistic
approach is if the initiator wants to immediately cease all activity
on an inbound SA. In this case, it MAY delete the inbound SA as well
in step 1, above.
The ISAKMP payload contains ISAKMP Delete payload(s) that indicate
the inbound SA(s) for the initiator of this flow. KINK does not
allow half-open SAs; thus, when the responder receives a DELETE
command, it MUST delete SAs of both directions, and MUST reply with
ISAKMP Delete payload(s) that indicate the inbound SA(s) for the
responder of this flow. If the responder cannot find an appropriate
SPI to be deleted, it MUST return an ISAKMP notification with
INVALID_SPI, which also serves to inform the initiator that it can
delete the inbound SA.
Sakane, et al. Standards Track [Page 8]
^L
RFC 4430 KINK March 2006
A race condition with the DELETE flow exists. Due to network
reordering, etc., packets in flight while the DELETE operation is
taking place may arrive after the diagrams above, which recommend
deleting the inbound SA. A KINK implementation SHOULD implement a
grace timer that SHOULD be set to a period of at least two times the
average round-trip time, or to a configurable value. A KINK
implementation MAY choose to set the grace period to zero at
appropriate times to delete an SA ungracefully. The behavior
described here is referred from the behavior of the TCP [RFC793]
flags FIN and RST.
3.4. STATUS Message Flow
This flow is used to send any information to a peer or to elicit any
information from a peer. An initiator may send a STATUS command to
the responder at any time, optionally with DOI-specific ISAKMP
payloads. In the case of the IPsec DOI, these are generally in the
form of ISAKMP Notification payloads. A STATUS command is also used
as a means of dead peer detection described in section 3.7.
A B KDC
------ ------ ---
1 STATUS[+ISAKMP]---------->
2 <-----------REPLY[+ISAKMP]
Figure 4: STATUS Message Flow
3.5. Reporting Errors
When the responder detects an error in a received command, it can
send a DOI-specific payload to indicate the error in a REPLY message.
There are three types of payloads that can indicate errors:
KINK_KRB_ERROR payloads for Kerberos errors, KINK_ERROR payloads for
KINK errors, and KINK_ISAKMP payloads for ISAKMP errors. Details are
described in sections 4.2.3, 4.2.8, and 4.2.6, respectively.
If the initiator detects an error in a received reply, there is no
means to report it back to the responder. The initiator SHOULD log
the event and MAY take a remedial action by reinitiating the initial
command.
If the server clock and the client clock are off by more than the
policy-determined clock skew limit (usually 5 minutes), the server
MUST return a KRB_AP_ERR_SKEW. The optional client's time in the
KRB-ERROR SHOULD be filled out. If the server protects the error by
adding the Cksum field and returning the correct client's time, the
Sakane, et al. Standards Track [Page 9]
^L
RFC 4430 KINK March 2006
client SHOULD compute the difference (in seconds) between the two
clocks based upon the client and server time contained in the
KRB-ERROR message. The client SHOULD store this clock difference and
use it to adjust its clock in subsequent messages. If the error is
not protected, the client MUST NOT use the difference to adjust
subsequent messages, because doing so would allow an attacker to
construct authenticators that can be used to mount replay attacks.
3.6. Rekeying Security Associations
KINK expects the initiator of an SA to be responsible for rekeying
the SA for two reasons. The first reason is to prevent needless
duplication of SAs as the result of collisions due to an initiator
and responder both trying to renew an existing SA. The second reason
is due to the client/server nature of Kerberos exchanges, which
expects the client to get and maintain tickets. While KINK expects
that a KINK host is able to get and maintain tickets, in practice it
is often advantageous for servers to wait for clients to initiate
sessions so that they do not need to maintain a large ticket cache.
There are no special semantics for rekeying SAs in KINK. That is, in
order to rekey an existing SA, the initiator must CREATE a new SA
followed by either deleting the old SA with the DELETE flow or
letting it time out. When identical flow selectors are available on
different SAs, KINK implementations SHOULD choose the SA most
recently created. It should be noted that KINK avoids most of the
problems of [IKE] rekeying by having a reliable delete mechanism.
Normally, a KINK implementation that rekeys existing SAs will try to
rekey the SA ahead of an SA termination, which may include the hard
lifetime in time/bytecount or the overflow of the sequence number
counter. We call this time "soft lifetime". The soft lifetime MUST
be randomized to avoid synchronization with similar implementations.
In the case of the lifetime in time, one reasonable approach to
determine the soft lifetime is picking a random time between T-rekey
and T-retrans and subtracting it from the hard lifetime. Here,
T-rekey is the reasonable maximum rekeying margin, and T-retrans is
the amount of time it would take to go through a full retransmission
cycle. T-rekey SHOULD be at least twice as high as T-retrans.
3.7. Dead Peer Detection
In order to determine that a KINK peer has lost its security database
information, KINK peers MUST record the current epoch for which they
have valid SA information for a peer and reflect that epoch in each
AP-REQ and AP-REP message. When a KINK peer creates state for a
given SA, it MUST also record the principal's epoch. If it discovers
Sakane, et al. Standards Track [Page 10]
^L
RFC 4430 KINK March 2006
on a subsequent message that the principal's epoch has changed, it
MUST consider all SAs created by that principal as invalid, and take
some action such as tearing those SAs down.
While a KINK peer SHOULD use feedback from routing (in the form of
ICMP messages) as a trigger to check whether or not the peer is still
alive, a KINK peer MUST NOT conclude the peer is dead simply based on
unprotected routing information (said ICMP messages).
If there is suspicion that a peer may be dead (based on any
information available to the KINK peer, including lack of IPsec
traffic, etc.), the KINK STATUS message SHOULD be used to coerce an
acknowledgement out of the peer. Since nothing is negotiated about
dead peer detection in KINK, each peer can decide its own metric for
"suspicion" and also what timeouts to use before declaring a peer
dead due to lack of response to the STATUS message. This is
desirable, and does not break interoperability.
The STATUS message has a twofold effect. First, it elicits a
cryptographically secured (and replay-protected) response from the
peer, which tells us whether or not the peer is reachable/alive.
Second, it carries the epoch number of the peer, so we know whether
or not the peer has rebooted and lost all state. This is crucial to
the KINK protocol: In IKE, if a peer reboots, we lose all
cryptographic context, and no cryptographically secure communication
is possible without renegotiating keys. In KINK, due to Kerberos
tickets, we can communicate securely with a peer, even if the peer
rebooted, as the shared cryptographic key used is carried in the
Kerberos ticket. Thus, active cryptographic communication is not an
indication that the peer has not rebooted and lost all state, and the
epoch is needed.
Assume a Peer A sending a STATUS and a peer B sending the REPLY (see
section 3.4). Peer B MAY assume that the sender is alive, and the
epoch in the STATUS message will indicate whether or not the peer A
has lost state. Peer B MUST acknowledge the STATUS message with a
REPLY message, as described in section 3.4.
The REPLY message will indicate to peer A that the peer is alive, and
the epoch in the REPLY will indicate whether peer B has lost its
state or not. If peer A does not receive a REPLY message from peer B
in a suitable timeout, peer A MAY send another STATUS message. It is
up to peer A to decide how aggressively to declare peer B dead. The
level of aggressiveness may depend on many factors such as rapid fail
over versus number of messages sent by nodes with large numbers of
SAs.
Sakane, et al. Standards Track [Page 11]
^L
RFC 4430 KINK March 2006
Note that peer B MUST NOT make any inferences about a lack of STATUS
message from peer A. Peer B MAY use a STATUS message from peer A as
an indication of A's aliveness, but peer B MUST NOT expect another
STATUS message at any time (i.e., dead peer detection is not periodic
keepalives).
Strategies for sending STATUS messages are the following: Peer A may
decide to send a STATUS message only after a prolonged period where
no traffic was sent in either direction over the IPsec SAs with the
peer. Once there is traffic, peer A may want to know if the traffic
is going into a black hole, and send a STATUS message.
Alternatively, peer A may use an idle timer to detect lack of traffic
with the peer, and send STATUS messages in the quiet phase to make
sure the peer is still alive for when traffic needs to finally be
sent.
3.7.1. Coping with Dead User-to-User Peers
When an initiator uses a User-to-User ticket and a responder has lost
its previous TGT, the usual dead peer detection (DPD) mechanism does
not work, because the responder cannot decrypt the ticket with its
new TGT. In this case, the following actions are taken.
o When the responder receives a KINK command with a User-to-User
ticket that cannot be decrypted with its TGT, it returns a
REPLY with a KINK_TGT_REP payload containing the TGT.
o When the initiator receives a KINK_TGT_REP, it retrieves a new
service ticket with the TGT and retries the command.
This does not directly define a method to detect a dead User-to-User
peer, but to recover from the situation that the responder does not
have an appropriate TGT to decrypt a service ticket sent from the
initiator. After recovery, they can exchange their epochs, and usual
DPD mechanism will detect a dead peer if it really has been dead.
The initiator MUST NOT think the peer has been dead on the receipt of
a KINK_TGT_REP because of two reasons. One is that the message is
not authenticated, and the other is that losing a TGT does not
necessarily mean losing the SA database information. The initiator
SHOULD NOT forget the previous service ticket until the new one is
successfully obtained in order to reduce the cost when a forged
KINK_TGT_REP is received.
Sakane, et al. Standards Track [Page 12]
^L
RFC 4430 KINK March 2006
4. KINK Message Format
All values in KINK are formatted in network byte order (most
significant byte first). The RESERVED fields MUST be set to zero (0)
when a packet is sent. The receiver MUST ignore these fields.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | MjVer |RESRVED| Length |
+---------------+---------------+---------------+---------------+
| Domain of Interpretation (DOI) |
+-------------------------------+-------------------------------+
| Transaction ID (XID) |
+---------------+-+-------------+-------------------------------+
| NextPayload |A| RESERVED2 | CksumLen |
+---------------+-+-------------+-------------------------------+
| |
~ A series of payloads ~
| |
+-------------------------------+-------------------------------+
| |
~ Cksum (variable) ~
| |
+-------------------------------+-------------------------------+
Figure 5: Format of a KINK Message
Fields:
o Type (1 octet) -- The type of this message.
Type Value
----- -----
RESERVED 0
CREATE 1
DELETE 2
REPLY 3
GETTGT 4
ACK 5
STATUS 6
RESERVED TO IANA 7 - 127
Private Use 128 - 255
o MjVer (4 bits) -- Major protocol version number. This MUST be
set to 1.
Sakane, et al. Standards Track [Page 13]
^L
RFC 4430 KINK March 2006
o RESRVED (4 bits) -- Reserved and MUST be zero when sent, MUST
be ignored when received.
o Length (2 octets) -- Length of the message in octets. It is
not forbidden in KINK that there are unnecessary data after
the message, but the Length field MUST represent the actual
length of the message.
o DOI (4 octets) -- The domain of interpretation. All DOIs must
be registered with the IANA in the ISAKMP Domain of
Interpretation section of the isakmp-registry [ISAKMP-REG].
The IANA Assigned Number for the Internet IP Security DOI
[IPDOI] is one (1). This field defines the context of all
sub-payloads in this message. If sub-payloads have a DOI
field (e.g., Security Association Payload), then the DOI in
that sub-payload MUST be checked against the DOI in this
header, and the values MUST be the same.
o XID (4 octets) -- The transaction ID. A KINK transaction is
bound together by a transaction ID, which is created by the
command initiator and replicated in subsequent messages in the
transaction. A transaction is defined as a command, a reply,
and an optional acknowledgement. Transaction IDs are used by
the initiator to discriminate between multiple outstanding
requests to a responder. It is not used for replay protection
because that functionality is provided by Kerberos. The value
of XID is chosen by the initiator and MUST be unique with all
outstanding transactions. XIDs MAY be constructed by using a
monotonic counter or random number generator.
o NextPayload (1 octet) -- Indicates the type of the first
payload after the message header.
o A, or ACKREQ (1 bit) -- ACK Request. Set to one if the
responder requires an explicit acknowledgement that a REPLY
was received. An initiator MUST NOT set this flag, nor should
a responder except for a REPLY to a CREATE when the optimistic
proposal is chosen.
o RESERVED2 (7 bits) -- Reserved and MUST be zero on send, MUST
be ignored by a receiver.
o CksumLen (2 octets) -- CksumLen is the length in octets of the
cryptographic checksum of the message. A CksumLen of zero
implies that the message is unauthenticated.
Sakane, et al. Standards Track [Page 14]
^L
RFC 4430 KINK March 2006
o Cksum (variable) -- Kerberos keyed checksum over the entire
message excluding the Cksum field itself. When any padding
bytes are required between the last payload and the Cksum
field, they MUST be included in the calculation. This field
MUST always be present whenever a key is available via an
AP-REQ or AP-REP payload. The key used MUST be the session
key in the ticket. When a key is not available, this field is
not present, and the CksumLen field is set to zero. The
content of this field is the output of the Kerberos 5 get_mic
function [KCRYPTO]. The get_mic function used is specified by
a checksum type, which is a "required checksum mechanism" of
the etype for the Kerberos session key in the Kerberos ticket.
If the checksum type is not a keyed algorithm, the message
MUST be rejected.
To compute the checksum, the CksumLen field is zeroed out and
the Length field is filled with the total packet length
without the checksum. Then, the packet is passed to the
get_mic function and its output is appended to the packet.
Any KINK padding after the Cksum field is not allowed, except
the Kerberos internal one, which may be included in the output
of the get_mic function. Finally, the CksumLen field is
filled with the checksum length and the Length field is filled
with the total packet length including the checksum.
To verify the checksum, a length-without-checksum is
calculated from the value of Length field, subtracting the
CksumLen. The Length field is filled with the length-
without-checksum value and the CksumLen field is zeroed out.
Then, the packet without checksum (offset from 0 to length-
without-checksum minus 1 of the received packet) and the
checksum (offset from length-without-checksum to the last) are
passed to the verify_mic function. If verification fails, the
message MUST be dropped.
The KINK header is followed immediately by a series of
Type/Length/Value fields, defined in section 4.2.
4.1. KINK Alignment Rules
KINK has the following rules regarding alignment and padding:
o All length fields MUST reflect the actual number of octets in
the structure; i.e., they do not account for padding bytes
required by KINK alignments.
o KINK headers, payloads, and the Cksum field MUST be aligned on
4-octet boundaries.
Sakane, et al. Standards Track [Page 15]
^L
RFC 4430 KINK March 2006
o Variable length fields (except the Cksum field) MUST always
start immediately after the last octet of the previous field.
That is, they are not aligned to 4-octet boundaries.
4.2. KINK Payloads
Immediately following the header, there is a list of
Type/Length/Value (TLV) payloads. There can be any number of
payloads following the header. Each payload MUST begin with a
payload header. Each payload header is built on the generic payload
header. Any data immediately follows the generic header. Payloads
are all implicitly aligned to 4-octet boundaries, though the payload
length field MUST accurately reflect the actual number of octets in
the payload.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| value (variable) |
+---------------+---------------+---------------+---------------+
Figure 6: Format of a KINK Payload
Fields:
o Next Payload (1 octet) -- The type of the next payload.
NextPayload Value
---- -----
KINK_DONE 0
KINK_AP_REQ 1
KINK_AP_REP 2
KINK_KRB_ERROR 3
KINK_TGT_REQ 4
KINK_TGT_REP 5
KINK_ISAKMP 6
KINK_ENCRYPT 7
KINK_ERROR 8
RESERVED TO IANA 9 - 127
Private Use 128 - 255
Next Payload type KINK_DONE denotes that the current payload
is the final payload in the message.
o RESERVED (1 octet) -- Reserved and MUST be set to zero by a
sender, MUST be ignored by a receiver.
Sakane, et al. Standards Track [Page 16]
^L
RFC 4430 KINK March 2006
o Payload Length (2 octets) -- The length of this payload,
including the type and length fields.
o Value (variable) -- This value of this field depends on the
type.
4.2.1. KINK_AP_REQ Payload
The KINK_AP_REQ payload relays a Kerberos AP-REQ to the responder.
The AP-REQ MUST request mutual authentication.
This document does not specify how to generate the principal name.
That is, complete principal names may be stored in local policy,
Fully Qualified Domain Names (FQDNs) may be converted to principal
names, IP addresses may be converted to principal names by secure
name services, etc., but see the first paragraph of the Security
Considerations section.
If the peer's principal name for the KINK service is generated from
an FQDN, the principal name, which the initiator starts from, will be
"kink/fqdn@REALM"; where "kink" is a literal string for the KINK
IPsec service, "fqdn" is the fully qualified domain name of the
service host, and "REALM" is the Kerberos realm of the service. A
principal name is case sensitive, and "fqdn" part MUST be lowercase
as described in [KERBEROS].
The value field of this payload has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| EPOCH |
+---------------------------------------------------------------+
| |
~ AP-REQ ~
| |
+---------------------------------------------------------------+
Figure 7: KINK_AP_REQ Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
Sakane, et al. Standards Track [Page 17]
^L
RFC 4430 KINK March 2006
o EPOCH -- The absolute time at which the creator of the AP-REQ
has valid SA information. Typically, this is when the KINK
keying daemon started if it does not retain SA information
across restarts. The value in this field is the least
significant 4 octets of so-called POSIX time, which is the
elapsed seconds (but without counting leap seconds) from
1970-01-01T00:00:00 UTC. For example, 2038-01-19T03:14:07 UTC
is represented as 0x7fffffff.
o AP-REQ -- The value field of this payload contains a raw
Kerberos AP-REQ.
4.2.2. KINK_AP_REP Payload
The KINK_AP_REP payload relays a Kerberos AP-REP to the initiator.
The AP-REP MUST be checked for freshness as described in [KERBEROS].
The value field of this payload has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| EPOCH |
+---------------------------------------------------------------+
| |
~ AP-REP ~
| |
+---------------------------------------------------------------+
Figure 8: KINK_AP_REP Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o EPOCH -- The absolute time at which the creator of the AP-REP
has valid SA information. Typically, this is when the KINK
keying daemon started if it does not retain SA information
across restarts. The value in this field is the least
significant 4 octets of so-called POSIX time, which is the
elapsed seconds (but without counting leap seconds) from
1970-01-01T00:00:00 UTC. For example, 2038-01-19T03:14:07 UTC
is represented as 0x7fffffff.
Sakane, et al. Standards Track [Page 18]
^L
RFC 4430 KINK March 2006
o AP-REP -- The value field of this payload contains a raw
Kerberos AP-REP.
4.2.3. KINK_KRB_ERROR Payload
The KINK_KRB_ERROR payload relays Kerberos type errors back to the
initiator. The initiator MUST be prepared to receive any valid
Kerberos error type [KERBEROS].
KINK implementations SHOULD make use of a KINK Cksum field when
returning KINK_KRB_ERROR and the appropriate service key is
available. Especially in the case of clock skew errors, protecting
the error at the server creates a better user experience because it
does not require clocks to be synchronized. However, many Kerberos
implementations do not make it easy to obtain the session key in
order to protect error packets. For unauthenticated Kerberos errors,
the initiator MAY choose to act on them, but SHOULD take precautions
against make-work kinds of attacks.
Note that KINK does not make use of the text or e_data field of the
Kerberos error message, though a compliant KINK implementation MUST
be prepared to receive them and MAY log them.
The value field of this payload has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| |
~ KRB-ERROR ~
| |
+---------------------------------------------------------------+
Figure 9: KINK_KRB_ERROR Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o KRB-ERROR -- The value field of this payload contains a raw
Kerberos KRB-ERROR.
Sakane, et al. Standards Track [Page 19]
^L
RFC 4430 KINK March 2006
4.2.4. KINK_TGT_REQ Payload
The KINK_TGT_REQ payload provides a means to get a TGT from the peer
in order to obtain a User-to-User service ticket from the KDC.
The value field of this payload has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| |
~ PrincName (variable) ~
| |
+---------------------------------------------------------------+
Figure 10: KINK_TGT_REQ Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o PrincName -- The name of the principal that the initiator
wants to communicate with. It is assumed that the initiator
knows the responder's principal name (including the realm
name) in the same way as the non-User-to-User case. The TGT
returned MUST NOT be an inter-realm TGT and its cname and
crealm MUST match the requested principal name, so that the
initiator can rendezvous with the responder at the responder's
realm.
PrincName values are octet string representations of a
principal and realm name formatted just like the octet string
used in the "NAME" component of Generic Security Service
Application Program Interface (GSS-API) [RFC2743] exported
name token for the Kerberos V5 GSS-API mechanism [RFC1964].
See RFC 1964, section 2.1.3.
If the responder is not the requested principal and is unable to get
a TGT for the name, it MAY return a KRB_AP_ERR_NOT_US. If the
administrative policy prohibits returning a TGT, it MAY return a
KINK_U2UDENIED.
Sakane, et al. Standards Track [Page 20]
^L
RFC 4430 KINK March 2006
4.2.5. KINK_TGT_REP Payload
The value field of this payload contains the TGT requested in a
previous KINK_TGT_REQ payload of a GETTGT command.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| |
~ TGT (variable) ~
| |
+---------------------------------------------------------------+
Figure 11: KINK_TGT_REP Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o TGT -- The Distinguished Encoding Rules (DER)-encoded TGT of
the responder.
4.2.6. KINK_ISAKMP Payload
The value field of this payload has the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+-------+-------+---------------+---------------+
| InnerNextPload| QMMaj | QMMin | RESERVED |
+---------------+-------+-------+---------------+---------------+
| Quick Mode Payloads (variable) |
+---------------+---------------+---------------+---------------+
Figure 12: KINK_ISAKMP Payload
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o InnerNextPload -- First payload type of the inner series of
ISAKMP payloads.
Sakane, et al. Standards Track [Page 21]
^L
RFC 4430 KINK March 2006
o QMMaj -- The major version of the inner payloads. MUST be set
to 1.
o QMMin -- The minor version of the inner payloads. MUST be set
to 0.
The KINK_ISAKMP payload encapsulates the IKE Quick Mode (phase 2)
payloads to take the appropriate action dependent on the KINK
command. There may be any number of KINK_ISAKMP payloads within a
single KINK message. While [IKE] is somewhat fuzzy about whether
multiple different SAs may be created within a single IKE message,
KINK explicitly requires that a new ISAKMP header be used for each
discrete SA operation. In other words, a KINK implementation MUST
NOT send multiple Quick Mode transactions within a single KINK_ISAKMP
payload.
The purpose of the Quick Mode version is to allow backward
compatibility with IKE and ISAKMP if there are subsequent revisions.
At the present time, the Quick Mode major and minor versions are set
to one and zero (1.0), respectively. These versions do not
correspond to the ISAKMP version in the ISAKMP header. A compliant
KINK implementation MUST support receipt of 1.0 payloads. It MAY
support subsequent versions (both sending and receiving), and SHOULD
provide a means to resort back to Quick Mode version 1.0 if the KINK
peer is unable to process future versions. A compliant KINK
implementation MUST NOT mix Quick Mode versions in any given
transaction.
4.2.7. KINK_ENCRYPT Payload
The KINK_ENCRYPT payload encapsulates other KINK payloads and is
encrypted using the session key and the algorithm specified by its
etype. This payload MUST be the final one in the outer payload chain
of the message. The KINK_ENCRYPT payload MUST be encrypted before
the final KINK checksum is applied.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| InnerNextPload| RESERVED2 |
+---------------+---------------+---------------+---------------+
| Payload (variable) |
+---------------+---------------+---------------+---------------+
Figure 13: KINK_ENCRYPT Payload
Sakane, et al. Standards Track [Page 22]
^L
RFC 4430 KINK March 2006
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section. This payload is the last one in a
message, and accordingly, the Next Payload field must be
KINK_DONE (0).
o InnerNextPload -- First payload type of the inner series of
encrypted KINK payloads.
o RESERVED2 -- Reserved and MUST be zero when sent, MUST be
ignored when received.
The coverage of the encrypted data begins at InnerNextPload so that
the first payload's type is kept confidential. Thus, the number of
encrypted octets is PayloadLength - 4.
The format of the encryption payload follows the normal Kerberos
semantics. Its content is the output of an encrypt function defined
in the Encryption Algorithm Profile section of [KCRYPTO]. Parameters
such as encrypt function itself, specific-key, and initial state are
defined with the etype. The encrypt function may have padding in
itself and there may be some garbage data at the end of the decrypted
plaintext. A KINK implementation MUST be prepared to ignore such
padding after the last sub-payload inside the KINK_ENCRYPT payload.
Note that each encrypt function has its own integrity protection
mechanism. It is redundant with the checksum in the KINK header, but
this is unavoidable because it is not always possible to remove the
integrity protection part from the encrypt function.
4.2.8. KINK_ERROR Payload
The KINK_ERROR payload type provides a protocol-level mechanism of
returning an error condition. This payload should not be used for
either Kerberos-generated errors or DOI-specific errors that have
their own payloads defined. The error code is in network order.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload Length |
+---------------+---------------+---------------+---------------+
| ErrorCode |
+---------------+---------------+---------------+---------------+
Figure 14: KINK_ERROR Payload
Sakane, et al. Standards Track [Page 23]
^L
RFC 4430 KINK March 2006
Fields:
o Next Payload, RESERVED, Payload Length -- Defined in the
beginning of this section.
o ErrorCode -- One of the following values in the network byte
order:
ErrorCode Value Purpose
--------- ----- -------------------
KINK_OK 0 No error detected
KINK_PROTOERR 1 The message was malformed
KINK_INVDOI 2 Invalid DOI
KINK_INVMAJ 3 Invalid Major Version
RESERVED 4
KINK_INTERR 5 An unrecoverable internal error
KINK_BADQMVERS 6 Unsupported Quick Mode Version
KINK_U2UDENIED 7 Returning a TGT is prohibited
RESERVED TO IANA 8 - 8191
Private Use 8192 - 16383
RESERVED 16384 -
The responder MUST NOT return KINK_OK. When received, the initiator
MAY act as if the specific KINK_ERROR payload were not present. If
the initiator supports multiple Quick Mode versions or DOIs,
KINK_BADQMVERS or KINK_INVDOI is received, and the Cksum is verified,
then it MAY retry with another version or DOI. A responder SHOULD
return a KINK error with KINK_INVMAJ, when it receives an unsupported
KINK version number in the header. When KINK_U2UDENIED is received,
the initiator MAY retry with the non-User-to-User mode (if it has not
yet been tried).
In general, the responder MAY choose to return these errors in reply
to unauthenticated commands, but SHOULD take care to avoid being
involved in denial of service attacks. Similarly, the initiator MAY
choose to act on unauthenticated errors, but SHOULD take care to
avoid denial of service attacks.
Sakane, et al. Standards Track [Page 24]
^L
RFC 4430 KINK March 2006
5. Differences from IKE Quick Mode
KINK directly uses ISAKMP payloads to negotiate SAs. In particular,
KINK uses IKE phase 2 payload types (aka Quick Mode). In general,
there should be very few changes necessary to an IKE implementation
to establish the SAs, and unless there is a note to the contrary in
the memo, all capabilities and requirements in [IKE] MUST be
supported. IKE phase 1 payloads MUST NOT be sent.
Unlike IKE, KINK defines specific commands for creation, deletion,
and status of SAs, mainly to facilitate predictable SA
creation/deletion (see sections 3.2 and 3.3). As such, KINK places
certain restrictions on what payloads may be sent with which
commands, and some additional restrictions and semantics of some of
the payloads. Implementors should refer to [IKE] and [ISAKMP] for
the actual format and semantics. If a particular IKE phase 2 payload
is not mentioned here, it means that there are no differences in its
use.
o The Security Association Payload header for IP is defined in
section 4.6.1 of [IPDOI]. For this memo, the Domain of
Interpretation MUST be set to 1 (IPsec) and the Situation
bitmap MUST be set to 1 (SIT_IDENTITY_ONLY). All other fields
are omitted (because SIT_IDENTITY_ONLY is set).
o KINK also expands the semantics of IKE in that it defines an
optimistic proposal for CREATE commands to allow SA creation to
complete in two messages.
o IKE Quick Mode (phase 2) uses the hash algorithm used in main
mode (phase 1) to generate the keying material. For this
purpose, KINK MUST use a pseudo-random function determined by
the etype of the session key.
o KINK does not use the HASH payload at all.
o KINK allows the Nonce payload Nr to be optional to facilitate
optimistic keying.
Sakane, et al. Standards Track [Page 25]
^L
RFC 4430 KINK March 2006
5.1. Security Association Payloads
KINK supports the following SA attributes from [IPDOI]:
class value type
-------------------------------------------------
SA Life Type 1 B
SA Life Duration 2 V
Encapsulation Mode 4 B
Authentication Algorithm 5 B
Key Length 6 B
Key Rounds 7 B
Refer to [IPDOI] for the actual definitions of these attributes.
5.2. Proposal and Transform Payloads
KINK directly uses the Proposal and Transform payloads with no
differences. KINK, however, places additional relevance to the first
proposal and first transform of each conjugate for optimistic keying.
5.3. Identification Payloads
The Identification payload carries information that is used to
identify the traffic that is to be protected by the SA that will be
established. KINK restricts the ID types, which are defined in
section 4.6.2.1 of [IPDOI], to the following values:
ID Type Value
------- -----
ID_IPV4_ADDR 1
ID_IPV4_ADDR_SUBNET 4
ID_IPV6_ADDR 5
ID_IPV6_ADDR_SUBNET 6
ID_IPV4_ADDR_RANGE 7
ID_IPV6_ADDR_RANGE 8
5.4. Nonce Payloads
The Nonce payload contains random data that MUST be used in key
generation. It MUST be sent by the initiating KINK peer, and MAY be
sent by the responding KINK peer. See section 7 for the discussion
of its use in key generation.
Sakane, et al. Standards Track [Page 26]
^L
RFC 4430 KINK March 2006
5.5. Notify Payloads
Notify payloads are used to transmit several informational data, such
as error conditions and state transitions to a peer. For example,
notification information transmit can be error messages specifying
why an SA could not be established. It can also be status data that
a process managing an SA database wishes to communicate with a peer
process.
Types in the range 0 - 16383 are intended for reporting errors
[ISAKMP]. An implementation receiving a type in this range that it
does not recognize in a response MUST assume that the corresponding
request has failed entirely. Unrecognized error types in a request
and status types in a request or response MUST be ignored, and they
SHOULD be logged. Notify payloads with status types MAY be added to
any message and MUST be ignored if not recognized. They are intended
to indicate capabilities, and as part of SA negotiation are used to
negotiate non-cryptographic parameters.
The table below lists the Notification messages and their
corresponding values. PAYLOAD-MALFORMED denotes some error types
defined by [ISAKMP]. Hence INVALID-PROTOCOL-ID, for example, is not
used in this document. INVALID-MAJOR-VERSION and INVALID-MINOR-
VERSION are not used because KINK_BADQMVERS is used to tell the
initiator that the version of IKE is not supported.
NOTIFY MESSAGES - ERROR TYPES Value
----------------------------- -----
INVALID-PAYLOAD-TYPE 1
Sent if the ISAKMP payload type is not recognized. It is also
sent when the KE payload is not supported by the responder.
Notification Data MUST contains the one-octet payload type.
INVALID-SPI 11
Sent if the responder has an SPI indicated by the initiator in
case of CREATE flow, or if the responder does not have an SPI
indicated by the initiator in case of DELETE flow.
NO-PROPOSAL-CHOSEN 14
Sent if none of the proposals in the SA payload was
acceptable.
Sakane, et al. Standards Track [Page 27]
^L
RFC 4430 KINK March 2006
PAYLOAD-MALFORMED 16
Sent if the KINK_ISAKMP payload received was invalid because
some type, length, or value was out of range. It is also sent
when the request was rejected for reason that was not matched
with other error types.
5.6. Delete Payloads
KINK directly uses ISAKMP Delete payloads with no changes.
5.7. KE Payloads
IKE requires that perfect forward secrecy (PFS) be supported through
the use of the KE payload. KINK retains the ability to use PFS, but
relaxes the requirement from must implement to SHOULD implement. The
reasons are described in the Security Considerations section.
6. Message Construction and Constraints for IPsec DOI
All commands, responses, and acknowledgements are bound together by
the XID field of the message header. The XID is normally a
monotonically incrementing field, and is used by the initiator to
differentiate between outstanding requests to a responder. The XID
field does not provide replay protection as that functionality is
provided by the Kerberos mechanisms. In addition, commands and
responses MUST use a cryptographic checksum over the entire message
if the two peers share a key via a ticket exchange.
In all cases in this section, if a message contains a KINK_AP_REQ or
KINK_AP_REP payload, other KINK payloads MAY be encapsulated in a
KINK_ENCRYPT payload.
6.1. REPLY Message
The REPLY message is a generic reply that MUST contain either a
KINK_AP_REP, a KINK_KRB_ERROR, or a KINK_ERROR payload. REPLY
messages MAY contain additional DOI-specific payloads such as ISAKMP
payloads that are defined in the following sections.
6.2. ACK Message
ACKs are sent only when the ACKREQ bit is set in a REPLY message. An
ACK message MUST contain an AP-REQ payload and no other payload.
Sakane, et al. Standards Track [Page 28]
^L
RFC 4430 KINK March 2006
6.3. CREATE Message
This message initiates an establishment of new security
association(s). The CREATE message must contain an AP-REQ payload
and any DOI-specific payloads.
CREATE KINK Header
KINK_AP_REQ
[KINK_ENCRYPT]
KINK_ISAKMP payloads
SA Payload
Proposal Payloads
Transform Payloads
Nonce Payload (Ni)
[KE]
[IDci, IDcr]
[Notification Payloads]
Replies are of the following forms:
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
KINK_ISAKMP payloads
SA Payload
Proposal Payloads
Transform Payload
[Nonce Payload (Nr)]
[KE]
[IDci, IDcr]
[Notification Payloads]
Note that there MUST be at least a single proposal payload and a
single transform payload in REPLY messages. There will be multiple
proposal payloads only when an SA bundle is negotiated. Also: unlike
IKE, the Nonce payload Nr is not required, and if it exists, an
acknowledgement must be requested to indicate that the initiator's
outgoing SAs must be modified. If any of the first proposals are not
chosen by the recipient, it SHOULD include the Nonce payload.
KINK, like IKE, allows the creation of many SAs in one create
command. If any of the optimistic proposals are not chosen by the
responder, it MUST request an ACK.
If an IPsec DOI-specific error is encountered, the responder must
reply with a Notify payload describing the error:
Sakane, et al. Standards Track [Page 29]
^L
RFC 4430 KINK March 2006
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
[KINK_ERROR]
KINK_ISAKMP payloads
[Notification Payloads]
If the responder finds a Kerberos error for which it can produce a
valid authenticator, the REPLY takes the following form:
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
KINK_KRB_ERROR
Finally, if the responder finds a Kerberos or KINK type of error for
which it cannot create an AP-REP, it MUST reply with a lone
KINK_KRB_ERROR or KINK_ERROR payload:
REPLY KINK Header
[KINK_KRB_ERROR]
[KINK_ERROR]
6.4. DELETE Message
This message indicates that the sending peer has deleted or will
shortly delete Security Association(s) with the other peer.
DELETE KINK Header
KINK_AP_REQ
[KINK_ENCRYPT]
KINK_ISAKMP payloads
Delete Payloads
[Notification Payloads]
There are three forms of replies for a DELETE. The normal form is:
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
[KINK_ERROR]
KINK_ISAKMP payloads
Delete Payloads
[Notification Payloads]
If an IPsec DOI-specific error is encountered, the responder must
reply with a Notify payload describing the error:
Sakane, et al. Standards Track [Page 30]
^L
RFC 4430 KINK March 2006
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
[KINK_ERROR]
KINK_ISAKMP payloads
[Notification Payloads]
If the responder finds a Kerberos error for which it can produce a
valid authenticator, the REPLY takes the following form:
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
KINK_KRB_ERROR
If the responder finds a KINK or Kerberos type of error, it MUST
reply with a lone KINK_KRB_ERROR or KINK_ERROR payload:
REPLY KINK Header
[KINK_KRB_ERROR]
[KINK_ERROR]
6.5. STATUS Message
The STATUS command is used in two ways:
1) As a means to relay an ISAKMP Notification message.
2) As a means of probing a peer whether its epoch has changed for
dead peer detection.
STATUS contains the following payloads:
KINK Header
KINK_AP_REQ
[[KINK_ENCRYPT]
KINK_ISAKMP payload
[Notification Payloads]]
There are three forms of replies for a STATUS. The normal form is:
REPLY KINK Header
KINK_AP_REP
[[KINK_ENCRYPT]
[KINK_ERROR]
KINK_ISAKMP payload
[Notification Payloads]]
Sakane, et al. Standards Track [Page 31]
^L
RFC 4430 KINK March 2006
If the responder finds a Kerberos error for which it can produce a
valid authenticator, the REPLY takes the following form:
REPLY KINK Header
KINK_AP_REP
[KINK_ENCRYPT]
KINK_KRB_ERROR
If the responder finds a KINK or Kerberos type of error, it MUST
reply with a lone KINK_KRB_ERROR or KINK_ERROR payload:
REPLY KINK Header
[KINK_KRB_ERROR]
[KINK_ERROR]
6.6. GETTGT Message
A GETTGT command is only used to carry a Kerberos TGT and is not
related to SA management; therefore, it contains only KINK_TGT_REQ
payload and does not contain any DOI-specific payload.
There are two forms of replies for a GETTGT. In the normal form,
where the responder is allowed to return its TGT, the REPLY contains
KINK_TGT_REP payload. If the responder is not allowed to return its
TGT, it MUST reply with a KINK_ERROR payload.
7. ISAKMP Key Derivation
KINK uses the same key derivation mechanisms defined in section 5.5
of [IKE], which is:
KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b [| Nr_b])
The following differences apply:
o prf is the pseudo-random function corresponding to the session
key's etype. They are defined in [KCRYPTO].
o SKEYID_d is the session key in the Kerberos service ticket
from the AP-REQ. Note that subkeys are not used in KINK and
MUST be ignored if received.
o Both Ni_b and Nr_b are the part of the Nonce payloads (Ni and
Nr, respectively) as described in section 3.2 of [IKE]. Nr_b
is optional, which means that Nr_b is treated as if a zero
length value was supplied when the responder's nonce (Nr) does
not exist. When Nr exists, Nr_b MUST be included in the
calculation.
Sakane, et al. Standards Track [Page 32]
^L
RFC 4430 KINK March 2006
Note that g(qm)^xy refers to the keying material generated when KE
payloads are supplied using Diffie-Hellman key agreement. This is
explained in section 5.5 of [IKE].
The rest of the key derivation (e.g., how to expand KEYMAT) follows
IKE. How to use derived keying materials is up to each service
(e.g., section 4.5.2 of [IPSEC]).
8. Key Usage Numbers for Kerberos Key Derivation
Kerberos encrypt/decrypt functions and get_mic/verify_mic functions
require "key usage numbers". They are used to generate specific keys
for cryptographic operations so that different keys are used for
different purposes/objects. KINK uses two usage numbers, listed
below.
Purpose Usage number
------- ------------
KINK_ENCRYPT payload (for encryption) 39
Cksum field (for checksum) 40
9. Transport Considerations
KINK uses UDP on port 910 to transport its messages. There is one
timer T which SHOULD take into consideration round-trip
considerations and MUST implement a truncated exponential back-off
mechanism. The state machine is simple: any message that expects a
response MUST retransmit the request using timer T. Since Kerberos
requires that messages be retransmitted with new times for replay
protection, the message MUST be re-created each time including the
checksum of the message. Both commands and replies with the ACKREQ
bit set are kept on retransmit timers. When a KINK initiator
receives a REPLY with the ACKREQ bit set, it MUST retain the ability
to regenerate the ACK message for the transaction for a minimum of
its full retransmission timeout cycle or until it notices that
packets have arrived on the newly constructed SA, whichever comes
first.
When a KINK peer retransmits a message, it MUST create a new Kerberos
authenticator for the AP-REQ so that the peer can differentiate
between replays and dropped packets. This results in a potential
race condition when a retransmission occurs before an in-flight reply
is received/processed. To counter this race condition, the
retransmitting party SHOULD keep a list of valid authenticators that
are outstanding for any particular transaction.
Sakane, et al. Standards Track [Page 33]
^L
RFC 4430 KINK March 2006
When a KINK peer retransmits a command, it MUST use the same ticket
within the retransmissions. This is to avoid race conditions on
using different keys, which result in different KEYMATs between an
initiator and a responder. For this reason, (1) an initiator MUST
obtain a ticket whose lifetime is greater than the initiator's
maximum transaction time including timeouts, or (2) it MUST continue
to use the same ticket within a set of retransmissions, and iff it
receives an error (most likely KRB_AP_ERR_TKT_EXPIRED) from the
responder, it starts a new transaction with a new ticket.
10. Security Considerations
The principal names are the identities of the KINK services, but the
traffic protected by SAs are identified by DOI-specific selectors (IP
addresses, port numbers, etc.). This may lead to a breakaway of
SA-protected data from authentication. For example, if two different
hosts claim that they have the same IP address, it may be impossible
to predict which principal's key protects the data. Thus, an
implementation must take care for the binding between principal names
and the SA selectors.
Sending errors without cryptographic protection must be handled very
carefully. There is a trade-off between wanting to be helpful in
diagnosing a problem and wanting to avoid being a dupe in a denial of
service attack.
KINK cobbles together and reuses many parts of both Kerberos and IKE,
the latter which in turn is cobbled together from many other memos.
As such, KINK inherits many of the weaknesses and considerations of
each of its components. However, KINK uses only IKE phase 2 payloads
to create and delete SAs; the security considerations which pertain
to IKE phase 1 may be safely ignored. However, being able to ignore
IKE's authentication phase necessarily means that KINK inherits all
of the security considerations of Kerberos authentication as outlined
in [KERBEROS]. For one, a KDC, like an Authentication,
Authorization, and Accounting (AAA) server, is a point of attack and
all that implies. Much has been written about various shortcomings
and mitigations of Kerberos, and they should be evaluated for any
deployment.
KINK's use of Kerberos presents a couple of considerations. First,
KINK explicitly expects that the KDC will provide adequate entropy
when it generates session keys. Second, Kerberos is used as a user
authentication protocol with the possibility of dictionary attacks on
user passwords. This memo does not describe a particular method to
avoid these pitfalls, but recommends that suitable randomly generated
Sakane, et al. Standards Track [Page 34]
^L
RFC 4430 KINK March 2006
keys should be used for the service principals such as using the
-randomkey option with MIT's "kadmin addprinc" command as well as for
clients when that is practical.
Kerberos does not currently provide perfect forward secrecy in
general. KINK with the KE payload can provide PFS for a service key
from a Kerberos key, but the KE is not mandatory because of the
computational cost. This is a trade-off and operators can choose the
PFS over the cost, and vice versa. KINK itself should be secure from
offline analysis from compromised principal passphrases if PFS is
used, but from an overall system's standpoint, the existence of other
Kerberized services that do not provide PFS makes this a less than
optimal situation.
11. IANA Considerations
The IANA has assigned a well-known port number for KINK.
The IANA has created a new registry for KINK parameters, and has
registered the following identifiers.
KINK Message Types (section 4)
KINK Next Payload Types (section 4.2)
KINK Error Codes (section 4.2.8)
Changes and additions to this registry follow the policies described
below. Their meanings are described in [BCP26].
o Using the numbers in the "Private Use" range is Private Use.
o Assignment from the "RESERVED TO IANA" range needs Standards
Action, or non-standards-track RFCs with Expert Review.
(Though the full specification may be a public and permanent
document of a standards body other than IETF, an RFC referring
it is needed.)
o Other change requires Standards Action.
12. Forward Compatibility Considerations
KINK can accommodate future versions of Quick Mode through the use of
the version field in the ISAKMP payload as well as new domains of
interpretation. In this memo, the only supported Quick Mode version
is 1.0, which corresponds to [IKE]. Likewise, the only DOI supported
is the IPsec domain of interpretation [IPDOI]. New Quick Mode
versions and DOIs MUST be described in subsequent memos.
Sakane, et al. Standards Track [Page 35]
^L
RFC 4430 KINK March 2006
KINK implementations MUST reject ISAKMP versions that are greater
than the highest currently supported version with a KINK_BADQMVERS
error type. A KINK implementation that receives a KINK_BADQMVERS
message SHOULD be capable of reverting back to version 1.0.
12.1. New Versions of Quick Mode
The IPsec working group is defining the next-generation IKE protocol
[IKEv2], which does not use Quick Mode, but it is similar to the one
in IKEv1. The difference between the two is summarized in Appendix A
of [IKEv2]. Each of them must be considered in order to use IKEv2
with KINK.
12.2. New DOI
The KINK message header contains a field called "Domain of
Interpretation (DOI)" to allow other domains of interpretation to use
KINK as a secure transport mechanism for keying.
As one example of a new DOI, the MSEC working group defined the Group
Domain of Interpretation [GDOI], which defines a few new messages,
which look like ISAKMP messages, but are not defined in ISAKMP.
In order to carry GDOI messages in KINK, the DOI field in the KINK
header would indicate that GDOI is being used, instead of IPSEC-DOI,
and the KINK_ISAKMP payload would contain the payloads defined in the
GDOI document rather than the payloads used by [IKE] Quick Mode. The
version number in the KINK_ISAKMP header is related to the DOI in the
KINK header, so a maj.min version 1.0 under DOI GDOI is different
from a maj.min version 1.0 under DOI IPSEC-DOI.
13. Related Work
The IPsec working group has defined a number of protocols that
provide the ability to create and maintain cryptographically secure
SAs at layer three (i.e., the IP layer). This effort has produced
two distinct protocols:
o a mechanism for encrypting and authenticating IP datagram
payloads that assumes a shared secret between the sender and
receiver
o a mechanism for IPsec peers to perform mutual authentication
and exchange keying material
The IPsec working group has defined a peer-to-peer authentication and
keying mechanism, IKE (RFC 2409). One of the drawbacks of a peer-
to-peer protocol is that each peer must know and implement a site's
Sakane, et al. Standards Track [Page 36]
^L
RFC 4430 KINK March 2006
security policy, which in practice can be quite complex. In
addition, the peer-to-peer nature of IKE requires the use of Diffie-
Hellman (DH) to establish a shared secret. DH, unfortunately, is
computationally quite expensive and prone to denial of service
attacks. IKE also relies on X.509 certificates to realize scalable
authentication of peers. Digital signatures are also computationally
expensive, and certificate-based trust models are difficult to deploy
in practice. While IKE does allow for a pre-shared key, key
distribution is required between all peers -- an O(n^2) problem --
which is problematic for large deployments.
14. Acknowledgements
Many have contributed to the KINK effort, including our working group
chairs Derek Atkins and Jonathan Trostle. The original inspiration
came from CableLab's PacketCable effort, which defined a simplified
version of Kerberized IPsec, including Sasha Medvinsky, Mike Froh,
and Matt Hur and David McGrew. The inspiration for wholly reusing
IKE phase 2 is the result of Tero Kivinen's document suggesting
grafting Kerberos authentication onto Quick Mode.
15. References
15.1. Normative References
[BCP26] Narten, T. and H. Alvestrand, "Guidelines for Writing
an IANA Considerations Section in RFCs", BCP 26, RFC
2434, October 1998.
[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[IPDOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[IPSEC] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and J.
Turner, "Internet Security Association and Key
Management Protocol (ISAKMP)", RFC 2408, November 1998.
[ISAKMP-REG] IANA, "Internet Security Association and Key Management
Protocol (ISAKMP) Identifiers",
<http://www.iana.org/assignments/isakmp-registry>.
[KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications
for Kerberos 5", RFC 3961, February 2005.
Sakane, et al. Standards Track [Page 37]
^L
RFC 4430 KINK March 2006
[KERBEROS] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC
4120, July 2005.
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964, June 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
15.2. Informative References
[GDOI] Baugher, M., Weis, B., Hardjono, T., and H. Harney,
"The Group Domain of Interpretation", RFC 3547, July
2003.
[IKEv2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[PKINIT] Zhu, L. and B. Tung, "Public Key Cryptography for
Initial Authentication in Kerberos", Work in Progress,
February 2006.
[REQ4KINK] Thomas, M., "Requirements for Kerberized Internet
Negotiation of Keys", RFC 3129, June 2001.
[RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
Sakane, et al. Standards Track [Page 38]
^L
RFC 4430 KINK March 2006
Authors' Addresses
Shoichi Sakane
Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi,
Tokyo 180-8750 Japan
EMail: Shouichi.Sakane@jp.yokogawa.com
Ken'ichi Kamada
Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi,
Tokyo 180-8750 Japan
EMail: Ken-ichi.Kamada@jp.yokogawa.com
Michael Thomas
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
EMail: mat@cisco.com
Jan Vilhuber
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
EMail: vilhuber@cisco.com
Sakane, et al. Standards Track [Page 39]
^L
RFC 4430 KINK March 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Sakane, et al. Standards Track [Page 40]
^L
|
