1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
|
Internet Engineering Task Force (IETF) D. Farinacci
Request for Comments: 8061 lispers.net
Category: Experimental B. Weis
ISSN: 2070-1721 Cisco Systems
February 2017
Locator/ID Separation Protocol (LISP) Data-Plane Confidentiality
Abstract
This document describes a mechanism for encrypting traffic
encapsulated using the Locator/ID Separation Protocol (LISP). The
design describes how key exchange is achieved using existing LISP
control-plane mechanisms as well as how to secure the LISP data plane
from third-party surveillance attacks.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8061.
Farinacci & Weis Experimental [Page 1]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Requirements Notation ...........................................4
3. Definition of Terms .............................................4
4. Overview ........................................................4
5. Diffie-Hellman Key Exchange .....................................5
6. Encoding and Transmitting Key Material ..........................6
7. Shared Keys Used for the Data Plane .............................8
8. Data-Plane Operation ...........................................10
9. Procedures for Encryption and Decryption .......................11
10. Dynamic Rekeying ..............................................12
11. Future Work ...................................................13
12. Security Considerations .......................................14
12.1. SAAG Support .............................................14
12.2. LISP-Crypto Security Threats .............................14
13. IANA Considerations ...........................................15
14. References ....................................................16
14.1. Normative References .....................................16
14.2. Informative References ...................................17
Acknowledgments ...................................................18
Authors' Addresses ................................................18
Farinacci & Weis Experimental [Page 2]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
1. Introduction
This document describes a mechanism for encrypting LISP-encapsulated
traffic. The design describes how key exchange is achieved using
existing LISP control-plane mechanisms as well as how to secure the
LISP data plane from third-party surveillance attacks.
The Locator/ID Separation Protocol [RFC6830] defines a set of
functions for routers to exchange information used to map from
non-routable Endpoint Identifiers (EIDs) to routable Routing Locators
(RLOCs). LISP Ingress Tunnel Routers (ITRs) and Proxy Ingress Tunnel
Routers (PITRs) encapsulate packets to Egress Tunnel Routers (ETRs)
and Re-encapsulating Tunnel Routers (RTRs). Packets that arrive at
the ITR or PITR may not be encrypted, which means no protection or
privacy of the data is added. When the source host encrypts the data
stream, encapsulated packets do not need to be encrypted by LISP.
However, when plaintext packets are sent by hosts, this design can
encrypt the user payload to maintain privacy on the path between the
encapsulator (the ITR or PITR) to a decapsulator (ETR or RTR). The
encrypted payload is unidirectional. However, return traffic uses
the same procedures but with different key values by the same xTRs or
potentially different xTRs when the paths between LISP sites are
asymmetric.
This document has the following requirements (as well as the general
requirements from [RFC6973]) for the solution space:
o Do not require a separate Public Key Infrastructure (PKI) that is
out of scope of the LISP control-plane architecture.
o The budget for key exchange MUST be one round-trip time. That is,
only a two-packet exchange can occur.
o Use symmetric keying so faster cryptography can be performed in
the LISP data plane.
o Avoid a third-party trust anchor if possible.
o Provide for rekeying when secret keys are compromised.
o Support Authenticated Encryption with packet integrity checks.
o Support multiple Cipher Suites so new crypto algorithms can be
easily introduced.
Farinacci & Weis Experimental [Page 3]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
Satisfying the above requirements provides the following benefits:
o Avoiding a PKI reduces the operational cost of managing a secure
network. Key management is distributed and independent from any
other infrastructure.
o Packet transport is optimized due to fewer packet headers. Packet
loss is reduced by a more efficient key exchange.
o Authentication and privacy are provided with a single mechanism
thereby providing less per-packet overhead and therefore more
resource efficiency.
2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Definition of Terms
AEAD: Authenticated Encryption with Associated Data [RFC5116]
ICV: Integrity Check Value
LCAF: LISP Canonical Address Format [RFC8060]
xTR: A general reference to ITRs, ETRs, RTRs, and PxTRs
4. Overview
The approach proposed in this document is NOT to rely on the LISP
mapping system (or any other key-infrastructure system) to store
security keys. This will provide for a simpler and more secure
mechanism. Secret shared keys will be negotiated between the ITR and
the ETR in Map-Request and Map-Reply messages. Therefore, when an
ITR needs to obtain the RLOC of an ETR, it will get security material
to compute a shared secret with the ETR.
The ITR can compute three shared secrets per ETR the ITR is
encapsulating to. When the ITR encrypts a packet before
encapsulation, it will identify the key it used for the crypto
calculation so the ETR knows which key to use for decrypting the
packet after decapsulation. By using key-ids in the LISP header, we
can also get fast rekeying functionality.
The key management described in this document is unidirectional from
the ITR (the encapsulator) to the ETR (the decapsultor).
Farinacci & Weis Experimental [Page 4]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
5. Diffie-Hellman Key Exchange
LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and
computation for computing a shared secret. The Diffie-Hellman
parameters will be passed via Cipher Suite code-points in Map-Request
and Map-Reply messages.
Here is a brief description how Diffie-Hellman works:
+----------------------------+---------+----------------------------+
| ITR | | ETR |
+------+--------+------------+---------+------------+---------------+
|Secret| Public | Calculates | Sends | Calculates | Public |Secret|
+------|--------|------------|---------|------------|--------|------+
| i | p,g | | p,g --> | | | e |
+------|--------|------------|---------|------------|--------|------+
| i | p,g,I |g^i mod p=I | I --> | | p,g,I | e |
+------|--------|------------|---------|------------|--------|------+
| i | p,g,I | | <-- E |g^e mod p=E | p,g | e |
+------|--------|------------|---------|------------|--------|------+
| i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s |
+------|--------|------------|---------|------------|--------|------+
Public-Key Exchange for Computing a Shared Private Key [DH]
Diffie-Hellman parameters 'p' and 'g' must be the same values used by
the ITR and ETR. The ITR computes public key 'I' and transmits 'I'
in a Map-Request packet. When the ETR receives the Map-Request, it
uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The
ETR transmits 'E' in a Map-Reply message. At this point, the ETR has
enough information to compute 's', the shared secret, by using 'I' as
the base and the ETR's private key 'e' as the exponent. When the ITR
receives the Map-Reply, it uses the ETR's public key 'E' with the
ITR's private key 'i' to compute the same 's' shared secret the ETR
computed. The value 'p' is used as a modulus to create the width of
the shared secret 's' (see Section 6).
Farinacci & Weis Experimental [Page 5]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
6. Encoding and Transmitting Key Material
The Diffie-Hellman key material is transmitted in Map-Request and
Map-Reply messages. Diffie-Hellman parameters are encoded in the
LISP Security Key LCAF Type [RFC8060].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = 16387 | Rsvd1 | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 11 | Rsvd2 | 6 + n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Length | Public Key Material ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Public Key Material |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AFI = x | Locator Address ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cipher Suite Field Contains DH Key Exchange and Cipher/Hash Functions
The Key Count field encodes the number of {'Key-Length',
'Key-Material'} fields included in the encoded LCAF. The maximum
number of keys that can be encoded is three, each identified by
key-id 1, followed by key-id 2, and finally key-id 3.
The R bit is not used for this use case of the Security Key LCAF Type
but is reserved for [LISP-DDT] security. Therefore, the R bit SHOULD
be transmitted as 0 and MUST be ignored on receipt.
Farinacci & Weis Experimental [Page 6]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
Cipher Suite 0:
Reserved
Cipher Suite 1 (LISP_2048MODP_AES128_CBC_SHA256):
Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: Integrated with AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC]
IV length: 16 bytes
KDF: HMAC-SHA-256
Cipher Suite 2 (LISP_EC25519_AES128_CBC_SHA256):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
Integrity: Integrated with AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC]
IV length: 16 bytes
KDF: HMAC-SHA-256
Cipher Suite 3 (LISP_2048MODP_AES128_GCM):
Diffie-Hellman Group: 2048-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes
KDF: HMAC-SHA-256
Cipher Suite 4 (LISP_3072MODP_AES128_GCM):
Diffie-Hellman Group: 3072-bit MODP [RFC3526]
Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes
KDF: HMAC-SHA-256
Cipher Suite 5 (LISP_256_EC25519_AES128_GCM):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: AES with 128-bit keys in GCM mode [RFC5116]
Integrity: Integrated with AEAD_AES_128_GCM [RFC5116]
IV length: 12 bytes
KDF: HMAC-SHA-256
Cipher Suite 6 (LISP_256_EC25519_CHACHA20_POLY1305):
Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539]
Integrity: Integrated with AEAD_CHACHA20_POLY1305 [CHACHA-POLY]
IV length: 8 bytes
KDF: HMAC-SHA-256
Farinacci & Weis Experimental [Page 7]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
The Public Key Material field contains the public key generated by
one of the Cipher Suites defined above. The length of the key, in
octets, is encoded in the Key Length field.
When an ITR, PITR, or RTR sends a Map-Request, they will encode their
own RLOC in the Security Key LCAF Type format within the ITR-RLOCs
field. When an ETR or RTR sends a Map-Reply, they will encode their
RLOCs in Security Key LCAF Type format within the RLOC-record field
of each EID-record supplied.
If an ITR, PITR, or RTR sends a Map-Request with the Security Key
LCAF Type included and the ETR or RTR does not want to have
encapsulated traffic encrypted, they will return a Map-Reply with no
RLOC-records encoded with the Security Key LCAF Type. This signals
to the ITR, PITR, or RTR not to encrypt traffic (it cannot encrypt
traffic anyway since no ETR public key was returned).
Likewise, if an ITR or PITR wishes to include multiple key-ids in the
Map-Request, but the ETR or RTR wishes to use some but not all of the
key-ids, it returns a Map-Reply only for those key-ids it wishes to
use.
7. Shared Keys Used for the Data Plane
When an ITR or PITR receives a Map-Reply accepting the Cipher Suite
sent in the Map-Request, it is ready to create data-plane keys. The
same process is followed by the ETR or RTR returning the Map-Reply.
The first step is to create a shared secret, using the peer's shared
Diffie-Hellman Public Key Material combined with the device's own
private keying material, as described in Section 5. The Diffie-
Hellman parameters used are defined in the Cipher Suite sent in the
Map-Request and copied into the Map-Reply.
The resulting shared secret is used to compute an AEAD-key for the
algorithms specified in the Cipher Suite. A Key Derivation Function
(KDF) in counter mode, as specified by [NIST-SP800-108], is used to
generate the data-plane keys. The amount of keying material that is
derived depends on the algorithms in the Cipher Suite.
The inputs to the KDF are as follows:
o KDF function. This is HMAC-SHA-256 in this document, but
generally specified in each Cipher Suite definition.
o A key for the KDF function. This is the computed Diffie-Hellman
shared secret.
Farinacci & Weis Experimental [Page 8]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
o Context that binds the use of the data-plane keys to this session.
The context is made up of the following fields, which are
concatenated and provided as the data to be acted upon by the KDF
function. A Context is made up of the following components:
* A counter, represented as a two-octet value in network byte
order.
* The null-terminated string "lisp-crypto".
* The ITR's nonce from the Map-Request the Cipher Suite was
included in.
* The number of bits of keying material required (L), represented
as a two-octet value in network byte order.
The counter value in the context is first set to 1. When the amount
of keying material exceeds the number of bits returned by the KDF
function, then the KDF function is called again with the same inputs
except that the counter increments for each call. When enough keying
material is returned, it is concatenated and used to create keys.
For example, AES with 128-bit keys requires 16 octets (128 bits) of
keying material, and HMAC-SHA1-96 requires another 16 octets (128
bits) of keying material in order to maintain a consistent 128 bits
of security. Since 32 octets (256 bits) of keying material are
required, and the KDF function HMAC-SHA-256 outputs 256 bits, only
one call is required. The inputs are as follows:
key-material = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0100
In contrast, a Cipher Suite specifying AES with 256-bit keys requires
32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires
another 32 octets (256 bits) of keying material in order to maintain
a consistent 256 bits of security. Since 64 octets (512 bits) of
keying material are required, and the KDF function HMAC-SHA-256
outputs 256 bits, two calls are required.
Farinacci & Weis Experimental [Page 9]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
key-material-1 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0200
key-material-2 = HMAC-SHA-256(dh-shared-secret, context)
where: context = 0x0002 || "lisp-crypto" || <itr-nonce> || 0x0200
key-material = key-material-1 || key-material-2
If the key-material is longer than the required number of bits (L),
then only the most significant L bits are used.
From the derived key-material, the most significant 256 bits are used
for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided
into a 128-bit encryption key and a 128-bit integrity check key
internal to the cipher used by the ITR.
8. Data-Plane Operation
The LISP encapsulation header [RFC6830] requires changes to encode
the key-id for the key being used for encryption.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ | Source Port = xxxx | Dest Port = 4341 |
UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ | UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
L / |N|L|E|V|I|R|K|K| Nonce/Map-Version |\ \
I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A
S \ | Instance ID/Locator-Status-Bits | |D
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/
| Initialization Vector (IV) | I
E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C
n / | | V
c | | |
r | Packet Payload with EID Header ... | |
y | | |
p \ | |/
t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
K-bits Indicate When a Packet Is Encrypted and Which Key Is Used
Farinacci & Weis Experimental [Page 10]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
When the KK bits are 00, the encapsulated packet is not encrypted.
When the value of the KK bits is 1, 2, or 3, it encodes the key-id of
the secret keys computed during the Diffie-Hellman
Map-Request/Map-Reply exchange. When the KK bits are not 0, the
payload is prepended with an Initialization Vector (IV). The length
of the IV field is based on the Cipher Suite used. Since all Cipher
Suites defined in this document do Authenticated Encryption with
Associated Data (AEAD), an ICV field does not need to be present in
the packet since it is included in the ciphertext. The Additional
Data (AD) used for the ICV is shown above and includes the LISP
header, the IV field, and the packet payload.
When an ITR or PITR receives a packet to be encapsulated, the device
will first decide what key to use, encode the key-id into the LISP
header, and use that key to encrypt all packet data that follows the
LISP header. Therefore, the outer header, UDP header, and LISP
header travel as plaintext.
At the time of writing, there is an open working group item to
discuss if the data encapsulation header needs change for encryption
or any new applications. This document proposes changes to the
existing header so experimentation can continue without making large
changes to the data plane at this time. This document allocates two
bits of the previously unused three flag bits (note the R-bit above
is still a reserved flag bit, as documented in [RFC6830]) for the KK
bits.
9. Procedures for Encryption and Decryption
When an ITR, PITR, or RTR encapsulates a packet and has already
computed an AEAD-key (detailed in Section 7) that is associated with
a destination RLOC, the following encryption and encapsulation
procedures are performed:
1. The encapsulator creates an IV and prepends the IV value to the
packet being encapsulated. For GCM and ChaCha20 Cipher Suites,
the IV is incremented for every packet (beginning with a value of
1 in the first packet) and sent to the destination RLOC. For CBC
Cipher Suites, the IV is a new random number for every packet
sent to the destination RLOC. For the ChaCha20 Cipher Suite, the
IV is an 8-byte random value that is appended to a 4-byte counter
that is incremented for every packet (beginning with a value of 1
in the first packet).
2. Next encrypt with cipher function AES or ChaCha20 using the AEAD-
key over the packet payload following the AEAD specification
referenced in the Cipher Suite definition. This does not include
the IV. The IV must be transmitted as plaintext so the decrypter
Farinacci & Weis Experimental [Page 11]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
can use it as input to the decryption cipher. The payload should
be padded to an integral number of bytes a block cipher may
require. The result of the AEAD operation may contain an ICV,
the size of which is defined by the referenced AEAD
specification. Note that the AD (i.e., the LISP header exactly
as will be prepended in the next step and the IV) must be given
to the AEAD encryption function as the "associated data"
argument.
3. Prepend the LISP header. The key-id field of the LISP header is
set to the key-id value that corresponds to key-pair used for the
encryption cipher.
4. Lastly, prepend the UDP header and outer IP header onto the
encrypted packet and send packet to destination RLOC.
When an ETR, PETR, or RTR receives an encapsulated packet, the
following decapsulation and decryption procedures are performed:
1. The outer IP header, UDP header, LISP header, and IV field are
stripped from the start of the packet. The LISP header and IV
are retained and given to the AEAD decryption operation as the
"associated data" argument.
2. The packet is decrypted using the AEAD-key and the IV from the
packet. The AEAD-key is obtained from a local-cache associated
with the key-id value from the LISP header. The result of the
decryption function is a plaintext packet payload if the cipher
returned a verified ICV. Otherwise, the packet is invalid and is
discarded. If the AEAD specification included an ICV, the AEAD
decryption function will locate the ICV in the ciphertext and
compare it to a version of the ICV that the AEAD decryption
function computes. If the computed ICV is different than the ICV
located in the ciphertext, then it will be considered tampered.
3. If the packet was not tampered with, the decrypted packet is
forwarded to the destination EID.
10. Dynamic Rekeying
Since multiple keys can be encoded in both control and data messages,
an ITR can encapsulate and encrypt with a specific key while it is
negotiating other keys with the same ETR. As soon as an ETR or RTR
returns a Map-Reply, it should be prepared to decapsulate and decrypt
using the new keys computed with the new Diffie-Hellman parameters
received in the Map-Request and returned in the Map-Reply.
Farinacci & Weis Experimental [Page 12]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
RLOC-probing can be used to change keys or Cipher Suites by the ITR
at any time. And when an initial Map-Request is sent to populate the
ITR's map-cache, the Map-Request flows across the mapping system
where a single ETR from the Map-Reply RLOC-set will respond. If the
ITR decides to use the other RLOCs in the RLOC-set, it MUST send a
Map-Request directly to negotiate security parameters with the ETR.
This process may be used to test reachability from an ITR to an ETR
initially when a map-cache entry is added for the first time, so an
ITR can get both reachability status and keys negotiated with one
Map-Request/Map-Reply exchange.
A rekeying event is defined to be when an ITR or PITR changes the
Cipher Suite or public key in the Map-Request. The ETR or RTR
compares the Cipher Suite and public key it last received from the
ITR for the key-id, and if any value has changed, it computes a new
public key and Cipher Suite requested by the ITR from the Map-Request
and returns it in the Map-Reply. Now a new shared secret is computed
and can be used for the key-id for encryption by the ITR and
decryption by the ETR. When the ITR or PITR starts this process of
negotiating a new key, it must not use the corresponding key-id in
encapsulated packets until it receives a Map-Reply from the ETR with
the same Cipher Suite value it expects (the values it sent in a Map-
Request).
Note when RLOC-probing continues to maintain RLOC reachability and
rekeying is not desirable, the ITR or RTR can either not include the
Security Key LCAF Type in the Map-Request or supply the same key
material as it received from the last Map-Reply from the ETR or RTR.
This approach signals to the ETR or RTR that no rekeying event is
requested.
11. Future Work
For performance considerations, newer Elliptic-Curve Diffie-Hellman
(ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to
reduce CPU cycles required to compute shared secret keys.
For better security considerations as well as to be able to build
faster software implementations, newer approaches to ciphers and
authentication methods will be researched and tested. Some examples
are ChaCha20 and Poly1305 [CHACHA-POLY] [RFC7539].
Farinacci & Weis Experimental [Page 13]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
12. Security Considerations
12.1. SAAG Support
The LISP working group received security advice and guidance from the
Security Area Advisory Group (SAAG). The SAAG has been involved
early in the design process, and their input and reviews have been
included in this document.
Comments from the SAAG included:
1. Do not use asymmetric ciphers in the data plane.
2. Consider adding ECDH early in the design.
3. Add Cipher Suites because ciphers are created more frequently
than protocols that use them.
4. Consider the newer AEAD technology so authentication comes with
doing encryption.
12.2. LISP-Crypto Security Threats
Since ITRs and ETRs participate in key exchange over a public
non-secure network, a man in the middle (MITM) could circumvent the
key exchange and compromise data-plane confidentiality. This can
happen when the MITM is acting as a Map-Replier and provides its own
public key so the ITR and the MITM generate a shared secret key
between them. If the MITM is in the data path between the ITR and
ETR, it can use the shared secret key to decrypt traffic from the
ITR.
Since LISP can secure Map-Replies by the authentication process
specified in [LISP-SEC], the ITR can detect when a MITM has signed a
Map-Reply for an EID-prefix for which it is not authoritative. When
an ITR determines that the signature verification fails, it discards
and does not reuse the key exchange parameters, avoids using the ETR
for encapsulation, and issues a severe log message to the network
administrator. Optionally, the ITR can send RLOC-probes to the
compromised RLOC to determine if the authoritative ETR is reachable.
And when the ITR validates the signature of a Map-Reply, it can begin
encrypting and encapsulating packets to the RLOC of ETR.
Farinacci & Weis Experimental [Page 14]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
13. IANA Considerations
This document describes a mechanism for encrypting LISP-encapsulated
packets based on Diffie-Hellman key exchange procedures. During the
exchange, the devices have to agree on a Cipher Suite to be used
(i.e., the cipher and hash functions used to encrypt/decrypt and to
sign/verify packets). The 8-bit Cipher Suite field is reserved for
such purpose in the security material section of the Map-Request and
Map-Reply messages.
IANA has created a new registry (as outlined in [RFC5226]) titled
"LISP Crypto Cipher Suite". Initial values for the registry are
provided below. Future assignments are to be made on a "First Come,
First Served" basis [RFC5226].
+-----+--------------------------------------------+------------+
|Value| Suite | Reference |
+-----+--------------------------------------------+------------+
| 0 | Reserved | Section 6 |
+-----+--------------------------------------------+------------+
| 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+
| 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 |
+-----+--------------------------------------------+------------+
| 3 | LISP_2048MODP_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+
| 4 | LISP_3072MODP_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+
| 5 | LISP_256_EC25519_AES128_GCM | Section 6 |
+-----+--------------------------------------------+------------+
| 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 |
+-----+--------------------------------------------+------------+
LISP Crypto Cipher Suites
Farinacci & Weis Experimental [Page 15]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
14. References
14.1. Normative References
[NIST-SP800-108]
National Institute of Standards and Technology,
"Recommendation for Key Derivation Using Pseudorandom
Functions", NIST Special Publication SP 800-108,
DOI 10.6028/NIST.SP.800-108, October 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, DOI 10.17487/RFC2631, June 1999,
<http://www.rfc-editor.org/info/rfc2631>.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, DOI 10.17487/RFC3526, May 2003,
<http://www.rfc-editor.org/info/rfc3526>.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492,
DOI 10.17487/RFC4492, May 2006,
<http://www.rfc-editor.org/info/rfc4492>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<http://www.rfc-editor.org/info/rfc5116>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090,
DOI 10.17487/RFC6090, February 2011,
<http://www.rfc-editor.org/info/rfc6090>.
[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", RFC 6830,
DOI 10.17487/RFC6830, January 2013,
<http://www.rfc-editor.org/info/rfc6830>.
Farinacci & Weis Experimental [Page 16]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013,
<http://www.rfc-editor.org/info/rfc6973>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<http://www.rfc-editor.org/info/rfc7539>.
[RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060,
February 2017, <http://www.rfc-editor.org/info/rfc8060>.
14.2. Informative References
[AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA", Work in Progress,
draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014.
[CHACHA-POLY]
Langley, A. and W. Chang, "ChaCha20 and Poly1305 based
Cipher Suites for TLS", Work in Progress,
draft-agl-tls-chacha20poly1305-04, November 2013.
[CURVE25519]
Bernstein, D., "Curve25519: new Diffie-Hellman speed
records", DOI 10.1007/11745853_14,
<http://www.iacr.org/cryptodb/archive/2006/
PKC/3351/3351.pdf>.
[DH] Wikipedia, "Diffie-Hellman key exchange", January 2017,
<https://en.wikipedia.org/w/index.php?title=Diffie%E2%80%9
3Hellman_key_exchange&oldid=759611604>.
[LISP-DDT] Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A.
Smirnov, "LISP Delegated Database Tree", Work in
Progress, draft-ietf-lisp-ddt-08, September 2016.
[LISP-SEC] Maino, F., Ermagan, V., Cabellos, A., and D. Saucez,
"LISP-Security (LISP-SEC)", Work in Progress,
draft-ietf-lisp-sec-12, November 2016.
Farinacci & Weis Experimental [Page 17]
^L
RFC 8061 LISP Data-Plane Confidentiality February 2017
Acknowledgments
The authors would like to thank Dan Harkins, Joel Halpern, Fabio
Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest,
suggestions, and discussions about LISP data-plane security. An
individual thank you to LISP WG Chair Luigi Iannone for shepherding
this document as well as contributing to the IANA Considerations
section.
The authors would like to give a special thank you to Ilari Liusvaara
for his extensive commentary and discussion. He has contributed his
security expertise to make lisp-crypto as secure as the state of the
art in cryptography.
In addition, the support and suggestions from the SAAG working group
were helpful and appreciated.
Authors' Addresses
Dino Farinacci
lispers.net
San Jose, California 95120
United States of America
Phone: 408-718-2001
Email: farinacci@gmail.com
Brian Weis
Cisco Systems
170 West Tasman Drive
San Jose, California 95124-1706
United States of America
Phone: 408-526-4796
Email: bew@cisco.com
Farinacci & Weis Experimental [Page 18]
^L
|
