1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
|
Internet Engineering Task Force (IETF) K. Pentikousis, Ed.
Request for Comments: 7717 EICT
Updates: 4656, 5357 E. Zhang
Category: Standards Track Y. Cui
ISSN: 2070-1721 Huawei Technologies
December 2015
IKEv2-Derived Shared Secret Key for
the One-Way Active Measurement Protocol (OWAMP) and
Two-Way Active Measurement Protocol (TWAMP)
Abstract
The One-Way Active Measurement Protocol (OWAMP) and Two-Way Active
Measurement Protocol (TWAMP) security mechanisms require that both
the client and server endpoints possess a shared secret. This
document describes the use of keys derived from an IKEv2 security
association (SA) as the shared key in OWAMP or TWAMP. If the shared
key can be derived from the IKEv2 SA, OWAMP or TWAMP can support
certificate-based key exchange; this would allow for more operational
flexibility and efficiency. The key derivation presented in this
document can also facilitate automatic key management.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7717.
Pentikousis, et al. Standards Track [Page 1]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 5
4.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5
4.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6
4.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7
5. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 7
5.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 7
5.2. Server Greeting Message Update . . . . . . . . . . . . . 8
5.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9
5.4. O/TWAMP over an IPsec Tunnel . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . 13
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
Pentikousis, et al. Standards Track [Page 2]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
1. Introduction
The One-Way Active Measurement Protocol (OWAMP) [RFC4656] and the
Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to
measure network performance parameters such as latency, bandwidth,
and packet loss by sending probe packets and monitoring their
experience in the network. In order to guarantee the accuracy of
network measurement results, security aspects must be considered.
Otherwise, attacks may occur and the authenticity of the measurement
results may be violated. For example, if no protection is provided,
an adversary in the middle may modify packet timestamps, thus
altering the measurement results.
According to [RFC4656] and [RFC5357], the OWAMP and TWAMP (O/TWAMP)
security mechanisms require that endpoints (i.e., both the client and
the server) possess a shared secret. In today's network deployments,
however, the use of pre-shared keys is far from optimal. For
example, in wireless infrastructure networks, certain network
elements (which can be seen as the two endpoints from an O/TWAMP
perspective) support certificate-based security. For instance,
consider the case in which one wants to measure IP performance
between an E-UTRAN Evolved Node B (eNB) and Security Gateway (SeGW),
both of which are 3GPP Long Term Evolution (LTE) nodes and support
certificate mode and the Internet Key Exchange Protocol version 2
(IKEv2).
The O/TWAMP security mechanism specified in [RFC4656] and [RFC5357]
supports the pre-shared key (PSK) mode only, hindering large-scale
deployment of O/TWAMP: provisioning and management of "shared
secrets" for massive deployments consumes a tremendous amount of
effort and is prone to human error. At the same time, recent trends
point to wider IKEv2 deployment that, in turn, calls for mechanisms
and methods that enable tunnel end-users, as well as operators, to
measure one-way and two-way network performance in a standardized
manner.
With IKEv2 widely deployed, employing shared keys derived from an
IKEv2 security association (SA) can be considered a viable
alternative through the method described in this document. If the
shared key can be derived from the IKEv2 SA, O/TWAMP can support
certificate-based key exchange and practically increase operational
flexibility and efficiency. The use of IKEv2 also makes it easier to
extend automatic key management.
In general, O/TWAMP measurement packets can be transmitted inside the
IPsec tunnel, as typical user traffic is, or transmitted outside the
IPsec tunnel. This may depend on the operator's policy and the
performance evaluation goal, and it is orthogonal to the mechanism
Pentikousis, et al. Standards Track [Page 3]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
described in this document. When IPsec is deployed, protecting
O/TWAMP traffic in unauthenticated mode using IPsec is one option.
Another option is to protect O/TWAMP traffic using the O/TWAMP
security established using the PSK derived from IKEv2 and bypassing
the IPsec tunnel.
Protecting unauthenticated O/TWAMP control and/or test traffic via
the Authentication Header (AH) [RFC4302] or Encapsulating Security
Payload (ESP) [RFC4303] cannot provide various security options,
e.g., it cannot authenticate part of an O/TWAMP packet as mentioned
in [RFC4656]. For measuring latency, a timestamp is carried in O/
TWAMP test traffic. The sender has to fetch the timestamp, encrypt
it, and send it. When the mechanism described in this document is
used, partial authentication of O/TWAMP packets is possible and
therefore the middle step can be skipped, potentially improving
accuracy as the sequence number can be encrypted and authenticated
before the timestamp is fetched. The receiver obtains the timestamp
without the need for the corresponding decryption step. In such
cases, protecting O/TWAMP traffic using O/TWAMP security but
bypassing the IPsec tunnel has its advantages.
This document specifies a method for enabling network measurements
between a TWAMP client and a TWAMP server. In short, the shared key
used for securing TWAMP traffic is derived from IKEv2 [RFC7296].
TWAMP implementations signal the use of this method by setting
IKEv2Derived (see Section 7). IKEv2-derived keys SHOULD be used
instead of shared secrets when O/TWAMP is employed in a deployment
using IKEv2. From an operations and management perspective
[RFC5706], the mechanism described in this document requires that
both the TWAMP Control-Client and Server support IPsec.
The remainder of this document is organized as follows. Section 4
summarizes O/TWAMP protocol operation with respect to security.
Section 5 presents the method for binding TWAMP and IKEv2 for network
measurements between the client and the server that both support
IKEv2. Finally, Section 6 discusses the security considerations
arising from the proposed mechanisms.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Pentikousis, et al. Standards Track [Page 4]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
3. Scope
This document specifies a method using keys derived from an IKEv2 SA
as the shared key in O/TWAMP. O/TWAMP implementations signal the use
of this method by setting IKEv2Derived (see Section 7).
4. O/TWAMP Security
Security for O/TWAMP-Control and O/TWAMP-Test are briefly reviewed in
the following subsections.
4.1. O/TWAMP-Control Security
O/TWAMP uses a simple cryptographic protocol that relies on
o AES-CBC for confidentiality
o HMAC-SHA1 truncated to 128 bits for message authentication
Three modes of operation are supported in the OWAMP-Control protocol:
unauthenticated, authenticated, and encrypted. In addition to these
modes, the TWAMP-Control protocol also supports a mixed mode, i.e.,
the TWAMP-Control protocol operates in encrypted mode while TWAMP-
Test protocol operates in unauthenticated mode. The authenticated,
encrypted, and mixed modes require that endpoints possess a shared
secret, typically a passphrase. The secret key is derived from the
passphrase using a password-based key derivation function PBKDF2
(PKCS #5) [RFC2898].
In the unauthenticated mode, the security parameters are left unused.
In the authenticated, encrypted, and mixed modes, the security
parameters are negotiated during the control connection
establishment.
Figure 1 illustrates the initiation stage of the O/TWAMP-Control
protocol between a Control-Client and a Server. In short, the
Control-Client opens a TCP connection to the Server in order to be
able to send O/TWAMP-Control commands. The Server responds with a
Server Greeting, which contains the Modes, Challenge, Salt, Count,
and MBZ ("MUST be zero") fields (see Section 3.1 of [RFC4656]). If
the Control-Client preferred mode is available, the client responds
with a Set-Up-Response message, wherein the selected Mode, as well as
the KeyID, Token, and Client initialization vector (IV) are included.
The Token is the concatenation of a 16-octet Challenge, a 16-octet
AES Session-key used for encryption, and a 32-octet HMAC-SHA1
Session-key used for authentication. The Token is encrypted using
AES-CBC.
Pentikousis, et al. Standards Track [Page 5]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
+----------------+ +--------+
| Control-Client | | Server |
+----------------+ +--------+
| |
|<------ TCP Connection-- ----->|
| |
|<------ Greeting message ------|
| |
|------- Set-Up-Response ------>|
| |
|<------ Server-Start ----------|
| |
Figure 1: Initiation of O/TWAMP-Control
Encryption uses a key derived from the shared secret associated with
KeyID. In the authenticated, encrypted, and mixed modes, all further
communication is encrypted using the AES Session-key and
authenticated with the HMAC Session-key. After receiving the Set-Up-
Response, the Server responds with a Server-Start message containing
the Server-IV. The Control-Client encrypts everything it transmits
through the just established O/TWAMP-Control connection using stream
encryption with Client-IV as the IV. Correspondingly, the Server
encrypts its side of the connection using Server-IV as the IV. The
IVs themselves are transmitted in cleartext. Encryption starts with
the block immediately following that containing the IV.
The AES Session-key and HMAC Session-key are generated randomly by
the Control-Client. The HMAC Session-key is communicated along with
the AES Session-key during O/TWAMP-Control connection setup. The
HMAC Session-key is derived independently of the AES Session-key.
4.2. O/TWAMP-Test Security
The O/TWAMP-Test protocol runs over UDP, using the Session-Sender and
Session-Reflector IP and port numbers that were negotiated during the
Request-Session exchange. O/TWAMP-Test has the same mode with O/
TWAMP-Control and all O/TWAMP-Test sessions inherit the corresponding
O/TWAMP-Control session mode except when operating in mixed mode.
The O/TWAMP-Test packet format is the same in authenticated and
encrypted modes. The encryption and authentication operations are,
however, different. Similarly, with the respective O/TWAMP-Control
session, each O/TWAMP-Test session has two keys: an AES Session-key
and an HMAC Session-key. However, there is a difference in how the
keys are obtained:
Pentikousis, et al. Standards Track [Page 6]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
O/TWAMP-Control: the keys are generated by the Control-Client and
communicated to the Server during the control connection
establishment with the Set-Up-Response message (as part of
the Token).
O/TWAMP-Test: the keys are derived from the O/TWAMP-Control keys and
the session identifier (SID), which serve as inputs to the
key derivation function (KDF). The O/TWAMP-Test AES Session-
key is generated using the O/TWAMP-Control AES Session-key,
with the 16-octet SID, for encrypting and decrypting the
packets of the particular O/TWAMP-Test session. The O/TWAMP-
Test HMAC Session-key is generated using the O/TWAMP-Control
HMAC Session-key, with the 16-octet SID, for authenticating
the packets of the particular O/TWAMP-Test session.
4.3. O/TWAMP Security Root
As discussed above, the O/TWAMP-Test AES Session-key and HMAC
Session-key are derived, respectively, from the O/TWAMP-Control AES
Session-key and HMAC Session-key. The AES Session-key and HMAC
Session-key used in the O/TWAMP-Control protocol are generated
randomly by the Control-Client, and encrypted with the shared secret
associated with KeyID. Therefore, the security root is the shared
secret key. Thus, for large deployments, key provision and
management may become overly complicated. Comparatively, a
certificate-based approach using IKEv2 can automatically manage the
security root and solve this problem, as we explain in Section 5.
5. O/TWAMP for IPsec Networks
This section presents a method of binding O/TWAMP and IKEv2 for
network measurements between a client and a server that both support
IPsec. In short, the shared key used for securing O/TWAMP traffic is
derived using IKEv2 [RFC7296].
5.1. Shared Key Derivation
In the authenticated, encrypted, and mixed modes, the shared secret
key MUST be derived from the IKEv2 SA. Note that we explicitly opt
to derive the shared secret key from the IKEv2 SA, rather than the
child SA, since it is possible that an IKEv2 SA is created without
generating any child SA [RFC6023].
When the shared secret key is derived from the IKEv2 SA, SK_d must be
generated first. SK_d must be computed as per [RFC7296].
Pentikousis, et al. Standards Track [Page 7]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
The shared secret key MUST be generated as follows:
Shared secret key = prf( SK_d, "IPPM" )
Wherein the string "IPPM" is encoded in ASCII and "prf" is a
pseudorandom function.
It is recommended that the shared secret key is derived in the IPsec
layer so that IPsec keying material is not exposed to the O/TWAMP
client. Note, however, that the interaction between the O/TWAMP and
IPsec layers is host internal and implementation specific.
Therefore, this is clearly outside the scope of this document, which
focuses on the interaction between the O/TWAMP client and server.
That said, one possible way could be the following: at the Control-
Client side, the IPsec layer can perform a lookup in the Security
Association Database (SAD) using the IP address of the Server and
thus match the corresponding IKEv2 SA. At the Server side, the IPsec
layer can look up the corresponding IKEv2 SA by using the Security
Parameter Indexes (SPIs) sent by the Control-Client (see
Section 5.3), and therefore extract the shared secret key.
If both the client and server do support IKEv2 but there is no
current IKEv2 SA, two alternative ways could be considered. First,
the O/TWAMP Control-Client initiates the establishment of the IKEv2
SA, logs this operation, and selects the mode that supports IKEv2.
Alternatively, the O/TWAMP Control-Client does not initiate the
establishment of the IKEv2 SA, logs an error for operational
management purposes, and proceeds with the modes defined in
[RFC4656], [RFC5357], and [RFC5618]. Again, although both
alternatives are feasible, they are in fact implementation specific.
If rekeying for the IKEv2 SA or deletion of the IKEv2 SA occurs, the
corresponding shared secret key generated from the SA MUST continue
to be used until the O/TWAMP session terminates.
5.2. Server Greeting Message Update
To trigger a binding association between the key generated from IKEv2
and the O/TWAMP shared secret key, the Modes field in the Server
Greeting Message (Figure 2) must support key derivation as discussed
in Section 5.1. Support for deriving the shared key from the IKEv2
SA is indicated by setting IKEv2Derived (see Section 7). Therefore,
when this method is used, the Modes value extension MUST be
supported.
Pentikousis, et al. Standards Track [Page 8]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Unused (12 octets) |
| |
|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Modes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Challenge (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Salt (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Count (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MBZ (12 octets) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Server Greeting Format
The choice of this set of Modes values poses no backwards-
compatibility problems to existing O/TWAMP clients. Robust legacy
Control-Client implementations would disregard the fact that the
IKEv2Derived Modes bit in the Server Greeting is set. On the other
hand, a Control-Client implementing this method can identify that the
O/TWAMP Server contacted does not support this specification. If the
Server supports other Modes, as one could assume, the Control-Client
would then decide which Mode to use and indicate such accordingly as
per [RFC4656] and [RFC5357]. A Control-Client that is implementing
this method and decides not to employ IKEv2 derivation can simply
behave as a client that is purely compatible with [RFC4656] and
[RFC5357].
5.3. Set-Up-Response Update
The Set-Up-Response message Figure 3 is updated as follows. When an
O/TWAMP Control-Client implementing this method receives a Server
Greeting indicating support for Mode IKEv2Derived, it SHOULD reply to
the O/TWAMP Server with a Set-Up-Response that indicates so. For
Pentikousis, et al. Standards Track [Page 9]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
example, a compatible O/TWAMP Control-Client choosing the
authenticated mode with IKEv2 shared secret key derivation should set
the Mode bits as per Section 7.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mode |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| KeyID (80 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Token (16 octets) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Client-IV (12 octets) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Set-Up-Response Message
The Security Parameter Index (SPI), as described in [RFC4301] and
[RFC7296], uniquely identifies the SA. If the Control-Client
supports shared secret key derivation for the IKEv2 SA, it will
choose the corresponding Mode value and carry SPIi and SPIr in the
KeyID field. SPIi and SPIr MUST be included in the KeyID field of
the Set-Up-Response Message to indicate the IKEv2 SA from which the
O/TWAMP shared secret key was derived. The length of SPI is 8
octets. Therefore, the first 8 octets of the KeyID field MUST carry
SPIi, and the second 8 octets MUST carry SPIr. The remaining bits of
the KeyID field MUST be set to zero.
An O/TWAMP Server implementation MUST obtain the SPIi and SPIr from
the first 16 octets and ignore the remaining octets of the KeyID
field. Then, the Control-Client and the Server can derive the shared
secret key based on the Mode value and SPI. If the O/TWAMP Server
cannot find the IKEv2 SA corresponding to the SPIi and SPIr received,
it MUST log the event for operational management purposes. In
addition, the O/TWAMP Server SHOULD set the Accept field of the
Server-Start message to the value 6 to indicate that the Server is
not willing to conduct further transactions in this O/TWAMP-Control
session since it cannot find the corresponding IKEv2 SA.
Pentikousis, et al. Standards Track [Page 10]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
5.4. O/TWAMP over an IPsec Tunnel
The IPsec Authentication Header (AH) [RFC4302] and Encapsulating
Security Payload (ESP) [RFC4303] provide confidentiality and data
integrity to IP datagrams. An IPsec tunnel can be used to provide
the protection needed for O/TWAMP Control and Test packets, even if
the peers choose the unauthenticated mode of operation. In order to
ensure authenticity and security, O/TWAMP packets between two IKEv2
systems SHOULD be configured to use the corresponding IPsec tunnel
running over an external network even when using the O/TWAMP
unauthenticated mode.
6. Security Considerations
As the shared secret key is derived from the IKEv2 SA, the key
derivation algorithm strength and limitations are as per [RFC7296].
The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of
the group, the size of the exponent used, and the entropy provided by
the random number generator employed. The strength of all keys and
implementation vulnerabilities, particularly denial-of-service (DoS)
attacks are as defined in [RFC7296].
7. IANA Considerations
During the production of this document, the authors and reviewers
noticed that the TWAMP-Modes registry should describe a field of
single bit position flags, rather than the existing registry
construction with assignment of integer values. In addition, the
Semantics Definition column seemed to have spurious information in
it. The registry has been reformatted to simplify future
assignments. Thus, the contents of the TWAMP-Modes registry are as
follows:
Bit|Description |Semantics |Reference
Pos| |Definition |
---|------------------------------------------|------------|---------
0 Unauthenticated Section 3.1 [RFC4656]
1 Authenticated Section 3.1 [RFC4656]
2 Encrypted Section 3.1 [RFC4656]
3 Unauth. TEST protocol, Encrypted CONTROL Section 3.1 [RFC5618]
4 Individual Session Control [RFC5938]
5 Reflect Octets Capability [RFC6038]
6 Symmetrical Size Sender Test Packet Format [RFC6038]
Figure 4: TWAMP Modes
Pentikousis, et al. Standards Track [Page 11]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
The new description and registry management instructions follow.
Registry Specification: TWAMP-Modes are specified in TWAMP Server
Greeting messages and Set-Up-Response messages consistent with
Section 3.1 of [RFC5357]. Modes are indicated by setting single bits
in the 32-bit Modes field.
Registry Management: Because the "TWAMP-Modes" are based on only 32
bit positions with each position conveying a unique feature, and
because TWAMP is an IETF protocol, this registry must be updated only
by "IETF Review" as specified in [RFC5226]. IANA SHOULD allocate
monotonically increasing bit positions when requested.
Experimental Numbers: No experimental bit positions are currently
assigned in the Modes registry, as indicated in the initial contents
above.
In addition, per this document, a new entry has been added to the
TWAMP-Modes registry:
Bit|Description |Semantics |Reference
Pos| |Definition |
---|------------------------------------------|------------|---------
7 IKEv2Derived Mode Capability Section 5 RFC 7717
Figure 5: TWAMP IKEv2-Derived Mode Capability
For the new OWAMP-Modes registry, see the IANA Considerations in
[RFC7718].
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
Zekauskas, "A One-way Active Measurement Protocol
(OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
<http://www.rfc-editor.org/info/rfc4656>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
Pentikousis, et al. Standards Track [Page 12]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, DOI 10.17487/RFC5357, October 2008,
<http://www.rfc-editor.org/info/rfc5357>.
[RFC5618] Morton, A. and K. Hedayat, "Mixed Security Mode for the
Two-Way Active Measurement Protocol (TWAMP)", RFC 5618,
DOI 10.17487/RFC5618, August 2009,
<http://www.rfc-editor.org/info/rfc5618>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <http://www.rfc-editor.org/info/rfc7296>.
[RFC7718] Morton, A., "Registries for the One-Way Active Measurement
Protocol (OWAMP)", RFC 7718, DOI 10.17487/RFC7718,
December 2015, <http://www.rfc-editor.org/info/rfc7718>.
8.2. Informative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898,
DOI 10.17487/RFC2898, September 2000,
<http://www.rfc-editor.org/info/rfc2898>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <http://www.rfc-editor.org/info/rfc4301>.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
DOI 10.17487/RFC4302, December 2005,
<http://www.rfc-editor.org/info/rfc4302>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>.
[RFC5706] Harrington, D., "Guidelines for Considering Operations and
Management of New Protocols and Protocol Extensions",
RFC 5706, DOI 10.17487/RFC5706, November 2009,
<http://www.rfc-editor.org/info/rfc5706>.
[RFC5938] Morton, A. and M. Chiba, "Individual Session Control
Feature for the Two-Way Active Measurement Protocol
(TWAMP)", RFC 5938, DOI 10.17487/RFC5938, August 2010,
<http://www.rfc-editor.org/info/rfc5938>.
Pentikousis, et al. Standards Track [Page 13]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
[RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A
Childless Initiation of the Internet Key Exchange Version
2 (IKEv2) Security Association (SA)", RFC 6023,
DOI 10.17487/RFC6023, October 2010,
<http://www.rfc-editor.org/info/rfc6023>.
[RFC6038] Morton, A. and L. Ciavattone, "Two-Way Active Measurement
Protocol (TWAMP) Reflect Octets and Symmetrical Size
Features", RFC 6038, DOI 10.17487/RFC6038, October 2010,
<http://www.rfc-editor.org/info/rfc6038>.
Acknowledgements
We thank Eric Chen, Yaakov Stein, Brian Trammell, Emily Bi, John
Mattsson, Steve Baillargeon, Spencer Dawkins, Tero Kivinen, Fred
Baker, Meral Shirazipour, Hannes Tschofenig, Ben Campbell, Stephen
Farrell, Brian Haberman, and Barry Leiba for their reviews, comments,
and text suggestions.
Al Morton deserves a special mention for his thorough reviews and
text contributions to this document as well as the constructive
discussions over several IPPM meetings.
Pentikousis, et al. Standards Track [Page 14]
^L
RFC 7717 Shared Secret Key for O/TWAMP December 2015
Authors' Addresses
Kostas Pentikousis (editor)
EICT GmbH
EUREF-Campus Haus 13
Torgauer Strasse 12-15
10829 Berlin
Germany
Email: k.pentikousis@eict.de
Emma Zhang
Huawei Technologies
Huawei Building, No.3, Rd. XinXi
Haidian District, Beijing 100095
China
Email: emma.zhanglijia@huawei.com
Yang Cui
Huawei Technologies
Otemachi First Square 1-5-1 Otemachi
Chiyoda-ku, Tokyo 100-0004
Japan
Email: cuiyang@huawei.com
Pentikousis, et al. Standards Track [Page 15]
^L
|