IPSEC Working Group Bill Sommerfeld INTERNET-DRAFT Hewlett Packard draft-ietf-ipsec-inline-isakmp-01.txt March 1997 Inline Keying within the ISAKMP Framework. STATUS OF THIS MEMO This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this document is unlimited. This particular Internet Draft is being published in order to focus discussion on protocols for lightweight inline keying in the context of ISAKMP/Oakley. It is intended that this version will raise more questions than it answers; there many ways to do inline keying and the author does not pretend to have all the answers. A future version of this draft might become suitable for submission to the IESG as a standards track protocol. ABSTRACT The current proposal for IP-layer key management [ISAKMP, OAKLEY, ISAOAK] has fairly high overhead. Before a security association can be established, at least one pair of messages need to be exchanged between the communicating peers. For efficiency, this suggests that ISAKMP setup should be infrequent. However, general principles of Sommerfeld Expires 1 October 1997 [Page 1] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 key management suggest that individual keys should be used as little as practical and changed as frequently as possible. Steve Bellovin has suggested that, ideally, different security associations should be used for each different transport-level connection[BADESP]. This document discusses a way of structuring a protocol to permit this to happen with minimal overhead, both in round-trip delay at connection setup, and in bandwidth once the connection is established. The general concept of inline or in-band keying here was inspired by SKIP[SKIP]. However, SKIP's approach is burdened by the addition of an extra intermediate header of perhaps 20 to 28 bytes to every protected packet, which doubles the bandwidth overhead of protected traffic compared with ESP with fixed keying. In order to minimise the per-packet overhead, an inline keying header should be used only until the desired security association is established, at which point the peers will fall back to pure ESP/AH. IN-BAND SECURITY ASSOCIATION SETUP AH and ESP security associations are identified by a 32-bit identifier known as an SPI, which is assigned by the receiving end of the association. This makes it difficult to create a new security association at the request of a traffic originator without at least one round trip. However, most packets are sent either in response to another packet, or in the expectation that a response will be received. We can exploit this, by having the sender allocate an SPI for return traffic, and include a message informing the recipient of it in the first message. The reponse to this message can also contain a return SPI, so further packets in the conversation can be directed to the appropriate security association for the conversation. There are at least two applications for this protocol. Hosts may wish to use separate SPIs for separate transport-layer connections. Similarly, routers doing tunnel-mode ESP may wish to establish separate SPIs for each active host-pair they tunnel. In the former case, for a typical TCP exchange, the in-band keying headers would piggyback on the SYN and SYN/ACK packets, and would then be absent from subsequent traffic. No explicit acknowledgement of the creation of the new SPI is needed, as use of the reply-SPI by the peer would (implicitly) acknowledge the key change. Sommerfeld Expires 1 October 1997 [Page 2] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 No explicit retransmission of in-band-keying requests is needed; if the upper-level protocol retransmits before the full SPI pair is created, the inline keying header is included in the retransmission. PACKET PROCESSING Some additional logic needs to be added to an implementation's outbound and inbound policy engines. As this protocol has not yet been implemented, the following is necessarily vague; suggestions on how to improve it are welcomed. When sending a packet, if there isn't a valid outbound SPI we want to use to reach the peer, and we have reason to believe the peer accepts inline keying headers, we look up the inbound SPI we want our peer to use (or create it if it's nonexistant) and insert an in-band keying header in the outbound packet. On the other hand, if there is a valid outbound SPI, we use it. If there isn't a valid inbound SPI for a response, we create the inbound SPI we want to receive replies on and insert an in-band-keying header in the outbound packet, then send it using the outbound SPI. If an inbound packet contains a valid in-band-keying header with a reply SPI in it, we create an outbound SPI with the appropriate TTL, and then process the rest of the packet. PARENT SPI PARAMETERS The parent SPI must have the following parameters specified or negotiated: - a shared secret - the pseudo-random function (prf) to be used for key derivation. - the algorithm to be used for encryption, and any algorithm-specific parameters (other than the key). - the algorithm to be used for message integrity protection, and any algorithm-specific parameters (other than the key). ESTABLISHING THE PARENT SPI. This scheme can only "spawn" new SPIs from old SPIs; therefore, there needs to be a way to establish the "parent" SPI. There are several possible alternatives: One of the ISAKMP exchanges could be used to establish the parent SPI. Another alternative, very similar to SKIP, would be for each system Sommerfeld Expires 1 October 1997 [Page 3] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 to publish a certificate containing a Diffie-Hellman public key, a "well known" SPI, and the additional parent-SPI parameters listed above. The shared secret actually used in the inline-keying protocol would depend on the source address of the packet. It is not clear whether this variation is of interest and is included only for completeness. ENCODING OPTIONS There are a number of potential ways of encoding this protocol, with different advantages and disadvantages; at this point, it is not clear which way is best. The primary areas of variability include: - how the SPI-creation message is framed - what is contained in the SPI-creation message - how the user payload "along for the ride" is protected. In order to minimize complexity, in the end, there should only be one answer for each of these questions. Several requirements on the encoding exist: 1) the SPI-creation message must be optional 2) there should be some "cryptographic distance" between the three kinds of keys involved: - the key(s) used to authenticate and/or encrypt the user payload which is along for the ride - the key(s) used to authenticate the SPI-creation message - the key(s) used by the newly-created reply SPI. 3) there should be as much commonality in encoding between this protocol and the various sub-protocols of ESP and ISAKMP with similar functionality. 4) the inline keying header should be small. FRAMING Three alternatives suggest themselves: - special-case encoding within an ESP transform, perhaps using a bit out of the pad length by mutual agreement between the communicating peers. - a new IP-layer protocol - use of the "IPv6 destination options" IP-layer protocol. Sommerfeld Expires 1 October 1997 [Page 4] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 Using a new IP-layer protocol seems cleanest, though there has been strong opposition to it from some implementors. The use of the IPv6 destination options protocol would limits the size of a single option to no more than 255 octets, which may be a significant constraint. REPLY-SPI-CREATION CONTENTS There are essentially two possibilities for the reply-SPI-creation message: either an encapsulated quick mode message, or a custom message simpler than, but similar to quick mode. Encapsulating ISAKMP/Oakley A simpler, but less efficient, alternative would be to encapsulate various ISAKMP/Oakley quick-mode messages as the reply-SPI-creation message. Custom Format Notation here is derived from the notation used in the Oakley draft. We assume the existance of a shared secret, sSPI between the communicating parties, and a parent SPI corresponding to the shared secret. This can be established in a number of ways, which will be discussed later. Fields: reply-SPI reply-SPI-scope reply-SPI-lifetime reply-SPI-nonce reply-SPI-parameters peer-SPI-nonce spi-creation-fields is a set of fields which tell the receiver how to create an outbound SPI for reponses to the payload of this datagram. This set includes: Reply-SPI is the number of an SPI created by the sender for responses to this packet. Reply-SPI-scope indicates the scope of the reply SPI; exact encoding is TBS and should probably be similar to the way the scope is handled in [DOI]. The scope should be able to select among (at least) four possible scopes: host-range, host, protocol, protocol+port. Reply-SPI-lifetime is the lifetime (exact encoding TBS), of the Sommerfeld Expires 1 October 1997 [Page 5] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 newly-created SPI. A similar encoding to the one used by [DOI] should be used here. reply-SPI-parameters are other parameters of the newly created SPI, including the algorithm, and any algorithm-specific parameters. An encoding similar to the one used by [DOI] should be used. Peer-spi-nonce is either all zeros, or the peer's reply-SPI-nonce. The key(s) associated with the newly-created SPI are derived from: prf (sSPI, reply-TAG | peer-spi-nonce | reply-spi-nonce | reply-SPI) reply-TAG is a well-known constant, TBD. sSPI is the shared secret associated with the parent SPI. prf(a, b) is a pseudo-random function as in Oakley; the exact function to use is a parameter of the parent SPI. It may be desirable to include other fields from the header in both of the key-derivation hashes. KEYING OF THE USER PAYLOAD If the "parent" algorithm is judged to be sufficently strong, the initial user payload could simply be encrypted using the ESP in the parent SPI. However, the use of inline keying seems to suggest a desire to segregate different communications under different keys. A extension to ESP suggests itself. We can negotiate the addition of a "key generation nonce" to the cleartext part of the ESP header, and then generate the key for encrypting the ciphertext portion of the packet using a keyed hash of the shared secret and the nonce: prf (sSPI, current-packet-nonce | SPI | other) sSPI is the SPI's shared secret; current-packet-nonce is a 128-bit random value generated by the sender (ideally different for each packet). "SPI" is the numeric SPI value. "other" are any additional fields which might make sense to include in the key-generation hash. Sommerfeld Expires 1 October 1997 [Page 6] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 MISCELLANEOUS ISSUES There are a number of miscellaneous problems which arise as a result of constructing a protocol of this form. None of them seem to be particularly insurmountable. These considerations are based on the author's experience with vaguely similar security protocols. Interaction With MTU Discovery Because insertion of the inline keying header will change the size of the packet, there are likely to be interactions between this protocol and MTU discovery when the first packet triggering the creation of a new SA pair is near maximum size. Several potential solutions come to mind: 1) With some cooperation between layers, it may be possible to reduce the amount of data in the outbound packet (this may be possible for TCP; it's almost certainly not possible for other protocols). 2) MTU discovery could be deferred, by sending the packet with DF cleared. Neither of these seem really satisfactory; suggestions on how to handle this case are welcomed. SPI expiration and clock skew. This section perhaps belongs as an appendix to the a future version of the Internet DOI specification [DOI]. Inline SPI's expire after a defined time. Since relative timestamps are used in the protocol, clocks synchronized in phase are not assumed; however, some minimal accuracy in frequency is assumed. It is assumed here that SPI timestamps are maintained in absolute form internally and converted to and from relative form only for use over the network. The explicit expiration time of the SPI indicates the time after which the sender should no longer send to that SPI. The recipient should still honor inbound packets to that SPI for an additional grace period of: K1 * MSL + K2 * nominal-lifetime where "MSL" is the maximum lifetime of a packet in the network as in TCP, "K1" is a fudge factor allowing some margin around MSL, and "K2" is a fudge factor allowing for a difference in clock frequency between systems. Sommerfeld Expires 1 October 1997 [Page 7] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 Proposed default values: MSL: 120 (same as TCP) K1: 2 (same as TCP) K2: 1/32 (allow for ~3% frequency difference) It may be useful for debugging purposes to allow these parameters to be adjusted. With the above constants, a nominal 10-minute SPI would be valid for about 14 minutes; and a nominal 2-hour SPI would be valid for approximately 2 hours and 8 minutes. EXAMPLE The following is a simplified example of the messages involved in setting up a new SPI pair using inline keying. A lot of detail has been omitted to clarify the presentation. Assume per-connection inline keying is in use between two hosts A and B, with a security association X existing from A to B. A wishes to establish a TCP connection to B. Because per-connection keying is in use, A would first create a new inbound SPI "Y", and send: ESP [A-to-B, inline[N1, seq 0, Y], TCP [port 4352 to 21, SYN]] Upon receipt, B creates a new outbound SPI "Y", and a new inbound SPI "Z", and hands off the TCP packet to its TCP. It then responds with: ESP [Y, inline[N2, seq 0, Z], TCP [port 21 to 4352, SYN+ACK]] Upon receipt, A creates a new outbound SPI "Z". Receipt of a packet on spi Y acknowleges receipt of the inline-keying message, so subsequent messages for this connection do not contain an inline keying header, so A responds with: ESP [Z, TCP [port 4352 to 21, ACK, data1]] Similarly, B responds with: ESP [Y, TCP [port 21 to 4352, ACK, data2]] and the conversation would continue like this until the TCP connection closed. SECURITY CONSIDERATIONS Sommerfeld Expires 1 October 1997 [Page 8] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 This entire document concerns key management for the IP security protocols. This protocol does not provide for Perfect Forward Secrecy by itself, but if used in conjunction with ISAKMP, may provide a reasonable engineering tradeoff between security and performance. As with Oakley's Quick Mode, this protocol can consume the entropy of the shared secret[ISAOAK]. Implementors should take note of this fact and be able to limit the number of inline-keying messages allowed per shared secret. This draft does not proscribe such a limit. REFERENCES [BADESP] Bellovin, S., "Problem Areas for the IP Security Protocols", Proceedings of the Sixth Usenix UNIX security symposium, July 1996 (available from ftp://ftp.research.att.com/dist/smb/badesp.ps) [AH] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC1826, August 1995. [DOI] Piper, D., "The Internet IP Security Domain Of Interpretation for ISAKMP", version 1, draft-ietf-ipsec- ipsec-doi-00.txt. [ESP] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC1827, August 1995. [IPSEC] Randall Atkinson, "Security Architecture for the Internet Protocol", Internet Draft draft-ietf-ipsec-arch-sec-01.txt, 10 November 1996 [ISAKMP] Maughhan, D., Schertler, M., Schneider, M., and Turner, J., "Internet Security Association and Key Management Protocol (ISAKMP)", version 6, draft-ietf-ipsec-isakmp-06.{ps,txt}. [ISAOAK] Harkins, D., Carrel, D., "The resolution of ISAKMP with Oakley", draft-ietf-ipsec-isakmp-oakley-02.txt. [OAKLEY] Orman, H., "The Oakley Key Determination Protocol", version 1, draft-ietf-ipsec-oakley-01.txt. [SKIP] Aziz, A., Markson, T., Prafullchandra, H., "Simple Key- Management For Internet Protocols", draft-ietf-ipsec- skip-07.txt. AUTHOR'S ADDRESS: Sommerfeld Expires 1 October 1997 [Page 9] Internet Draft draft-ietf-ipsec-inline-isakmp-01.txt March 1997 Bill Sommerfeld Hewlett Packard 300 Apollo Drive Chelmsford MA 01824 Telephone: +1 508 436 4352 Sommerfeld Expires 1 October 1997 [Page 10]