| IPSECME | D. Migault, Ed. |
| Internet-Draft | Orange |
| Intended status: Standards Track | T. Guggemos, Ed. |
| Expires: January 4, 2015 | Orange / LMU Munich |
| July 3, 2014 |
Diet-ESP: Generating compressed IV and SN
draft-mglt-ipsecme-diet-esp-iv-generation-00.txt
Diet-ESP describes how to compress the various ESP fields, thanks to the Diet-ESP Context. This document describes how the IV fields that belong to the encrypted payload can be compressed.
The document describes the extensions of the the Diet-ESP Context as well as the compression protocol.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2015.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in[RFC2119].
Diet-ESP [I-D.mglt-ipsecme-diet-esp] describes how to compress ESP fields. Fields are compressed according to a Diet-ESP Context. Diet-ESP has been described as a specific ROHC [RFC5795] framework that has no IR, IR-DYN nor any feed back ROHC message. It works in the Unidirectional mode of operation (U mode), and all necessary parameters are transmitted via the Diet-ESP Context that is negotiated between the two peers. As a result Diet-ESP defines a very specific and simplified ROHC framework which makes possible to implement Diet-ESP without implementing the whole ROHC.
In fact, Diet-ESP avoids ROHC complexity as a lot of parameters have already been negotiated with IKEv2 [RFC5996].
The Initialization Vector (IV) is defined as a input for AES encryption and decryption. In order to provide the appropriated IV value AES-CBC [RFC3602] and AES-CTR [RFC3686] sends the IV in each IP packet as shown in figure Figure 1. In fact the output of AES-CTR and AES-CBC outputs a payload where the encrypted data is appended to the IV.
The IV MUST have to properties 1) they MUST be unpredictable by someone observing the network, then 2) the IV MUST be unique. The size of the IV differs depending on the encryption algorithm. AES-CTR has an 8 byte IV and AES-CBC a 16 byte IV.
This document defines a way to avoid sending the IV in each packet. Instead peers agree on a suite of pseudo random bytes. This makes the IV predictable by both peers only, and random to the rest of the world. As the IV can be derived by both peers, it may be removed completely from each IP packet. Another way is to only provide the LSB of the generated IV so receiver can better identify the appropriated IV used for decryption.
Note that the ICV of standard ESP [RFC4303] and Diet-ESP ICV includes the whole IV. As a result, the IV MUST be restored prior to the ICV check.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
| Security Parameters Index (SPI) | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Sequence Number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | |Int.
~ Initialization Vector (variable) ~ |Cov-
| | |ered
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | |
~ Encrypted Payload (variable) ~ |
| | v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The IV in the ESP payload.
Section 4 describes the new parameters for the Diet-ESP Context. Section 5 describes how the Pseudo Random Function is derived, and Section 6 describes the protocol.
To enable the compression of the IV, the Diet-ESP context defined in [I-D.mglt-ipsecme-diet-esp] is extended with to values:
The Pseudo Random Function (PRF) is defined from the Pseudo Random Function Transform in Section 2.13 [RFC5996]. Unless specified otherwise PRF_AES128_XCBC [RFC4434] is the default Pseudo Random Function Transform.
The PRF "prf+" described in Section 2.13 [RFC5996] takes two arguments designated as K and S. In this document K is the encryption key and S is the authentication key appended to the string "IV random generation". The string results in non null S value even if no integrity algorithms are negotiated.
IV generation and compression is performed only and only if IV_COMPRESSION is set. Otherwise, the IV is embedded into the packet and sent on the wire as described in [RFC4303].
When IV_COMPRESSION is set, the PRD is defined as described in Section 5. On the sending part, the ICV or Diet-ESP ICV is computed, the IV is compressed to its LSB, before it is sent on the wire. On te receiver part, the IV is decompress prior to the ICV check, then decryption is performed with the decompressed IV.
There are no IANA consideration for this document.
The current draft represents the work of Tobias Guggemos while his internship at Orange [GUGG14] .
Diet-ESP is a joint work between Orange and Ludwig-Maximilians-Universitaet Munich. We thank Daniel Palomares and Carsten Bormann for their useful remarks, comments and guidance.
| [GUGG14] | Guggemos, TG., "Diet-ESP: Applying IP-Layer Security in Constrained Environments (Masterthesis)", September 2014. |
[draft-mglt-ipsecme-diet-esp-IV-generation-00.txt]: First version published.