Internet DRAFT - draft-hb-intarea-eap-mka

draft-hb-intarea-eap-mka







Network Working Group                                    H. Bidgoli, Ed.
Internet-Draft                                                     Nokia
Intended status: Standards Track                               N. Morris
Expires: 1 September 2024                                        Verizon
                                                               N. Cocker
                                                                  Redhat
                                                        29 February 2024


                              MKA over IP
                      draft-hb-intarea-eap-mka-00

Abstract

   Extensible Authentication Protocol (EAP) is described in [RFC3748].
   EAP typically runs directly over data link layers such as Point-to-
   Point Protocol (PPP) or IEEE 802, without requiring IP.
   IEEE802.1X-2004 clarifies some aspect of the EAP over Layer 2 PDUs.
   IEEE802.1X-2010 introduces MACsec Key Agreement Protocol (MKA) which
   uses EAPOL.  In IEEE 802.1X-2010 the existing EAPOL (EAP over LANs)
   PDU formats have not been modified, but additional EAPOL PDUs have
   been added to support MKA.  MKA is used for discovering peers and
   their mutual authentication, to agree the secrete keys (SAKs) used by
   MACsec for symmetric shared key cryptography.  This document
   describes procedures to transport EAP and ultimately MKA PDUs over a
   IP network to distribute SAKs for symmetric key cryptography.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



Bidgoli, et al.         Expires 1 September 2024                [Page 1]

Internet-Draft                 MKA over IP                 February 2024


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions used in this document . . . . . . . . . . . . . .   3
   3.  EAP over IP . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Use of UDP to identify MKA  . . . . . . . . . . . . . . .   4
     3.2.  IP header . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Security Channel Identifier . . . . . . . . . . . . . . .   4
     3.4.  Packet format . . . . . . . . . . . . . . . . . . . . . .   5
   4.  IANA Consideration  . . . . . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Informative References  . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   Currently, most encryption protocols use Public Key Infrastructure
   (PKI) to distribute symmetric shared keys.  Current PKIs algorithms
   and key lengths are vulnerable to post quantum computers attacks such
   as "steal/harvest now, decrypt later" and most highly secure
   organizations are looking for options of quantum safe key
   distribution.

   IIEEE802.1X-2010 introduces MKA, a secure fully distributed point-to-
   point or multipoint-to-multipoint transport.  MKA consists of a
   number of applications for that transport, including the distribution
   of SAKs by an elected key server using AES Key Wrap.. It is widely
   accepted that AES ciphers with key length of 256 are safe Post-
   quantum Cryptography (PQC).  IEEE802.1X-2010 farther explains in
   section 9.3.3 that the keys derived for AES cipher is from a secure
   Connectivity Association Key (CAK) and a Key Derivation Function
   (KDF), the CAK can be drived from multiple methods including Pre-
   shared keys (PSKs), as an example these PSKs can be manually
   configured via a secure management connection and consist of a 64 Hex
   string for CMAC-AES-256 key wrap.

   With those attributes in mind, MKA can be a PQC protocol to
   distribute symmetric shared keys within a network.



Bidgoli, et al.         Expires 1 September 2024                [Page 2]

Internet-Draft                 MKA over IP                 February 2024


   As such, it would be ideal to extend EAP and MKA into IP networks to
   allow MKA to distribute symmetric shared keys within an IP domain.
   This document describes a simple method to identify EAP packet with
   in a IP network and process them according, including MKA PDUs.

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  EAP over IP

   802.1x-2010 section 9 explains the MKA (MACSec Key Agreement
   Protocol) in detail.  The first and most important note is in the
   last paragraph of section 9.4 which points out that MKA is designed
   for mutual authentication of participants in a connectivity
   association (CA), and can be used for any application.

   Section 9 of IEEE802.1x-2010 also points out that MKA:

   1. allows PEERs to discover each other and authenticate each other
   via the CAK, and agree on a symmetric secret keys (SAKs) used by the
   application.

   2.  MKA protects and distributes SAKs via AES Key wrap, and more
   importantly a PQC AES-256 key wrap

   3.  The SAK is created by the Key Server and distributed to the PEERs
   with in the connectivity association, section 9 of the
   IEEE802.1x-2010 describes the key server selection.

   4.  MKA manages the SAK installation which is used by the
   applications that secure the data transmitted and received.

   5.  The root of key hierarchy for any given instance of MKA is the
   secure CAK.  Each CAK is identified by the CA key NAME (CKN) that
   allows each of the MKA participants to select which CAK to use to
   process a received MKA PDUs.

   These attributes are ideal to use MKA to authenticate peers and
   distribute symmetric keys in a PQC fashion even in an IP or MPLS
   network.  As an example MKA over IP can be used for signaling
   symmetric keys for proprietary MPLS encryption or such.

   To distribute MKA over an IP network there is two concerns to be
   solved:




Bidgoli, et al.         Expires 1 September 2024                [Page 3]

Internet-Draft                 MKA over IP                 February 2024


   1.  How to identify the MKA PDUs with in an IP domain

   2.  How to transport MKA PDUs from one PEER to another

3.1.  Use of UDP to identify MKA

   To solve the first problem of identifying EAP or MKA PDUs within an
   IP domain, the destination PEER needs to identify this packet as an
   MKA packet and extract it, to be processed as described in
   IEEE802.1X-2010.  To identify the PDU as a MKA PDU within IP domain,
   UDP can be used.  More precisely, a specific UDP port assigned to
   MKA, to identify MKA PDUs uniquely in the network.  This UDP port can
   be a random UDP port chosen by the provider, or it can be a well
   known UDP port assigned by IANA, either case it has to be same
   network wide.  UDP is ideal for this MKA identification, as it is
   best effort protocol and does not have a retransmission mechanism as
   TCP does, in case of lost packets.  MKA fits well with this use-case
   because it has a heartbeat built in, where loss of MKA packets would
   bring the MKA session down.

3.2.  IP header

   Any IP address family (AF) can be used to transport the MKA over UDP
   through the IP domain.  The source IP can be the loopback IP address
   used by the source of the application and the destination IP can be
   the loopback IP used by the application on its PEER.  Of course the
   IP protocol will be set to UDP.  With this method when the packet
   arrives on the PEER router, the UDP port can be examined and the
   packet processed accordingly.  In this case the UDP packet will
   identify the PDU as a MKA PDU and will extract it to the MKA
   application to authenticate the PEER and extract the SAK by
   decrypting the key wrap via the CAK that is identified by the CKN and
   CMAC AES-256.  From this point on the SAK can be used by the
   application to encrypt the datapath.  As an example, if the symmetric
   key size is 256 it can be used with the AES algorithm to create a PQC
   secure datapath for the application.

3.3.  Security Channel Identifier

   MACsec uses the PORT ID as its security channel Identifier (SCI).
   The SCI, for IP or MPLS applications can be modified based on the
   application requirements and how the application flow can be uniquely
   identified within the network.  As an example for MPLS the SCI can be
   a unique encryption SID that identifies the encrypting node within
   the network and the MPLS flowID or tunnelID within that encrypting
   node.  The assignment of SCI for different IP/MPLS applications is
   beyond the scope of this document.




Bidgoli, et al.         Expires 1 September 2024                [Page 4]

Internet-Draft                 MKA over IP                 February 2024


3.4.  Packet format

   The packet format reuses the entire 802.1x packet format as described
   in the IEEE802.1X-2010 (i.e. it reuses the packet format that follows
   the Ethernet header with ethertype (0x888e) minus the Ethernet
   header.).  Doing so will allow the routers that have implementations
   of MACsec and MKA, to leverage the current EAPoL and MKA
   implementations, and extend these implemention to be used to process
   the EAP over IP packet.  An example of this without reinventing the
   wheel would be to remove the IP and UDP headers and send the
   802.1x-2010 packet (with type MKA) to the MKA application to process
   the MKA PDU.

   As such the final packet format is Ethernet header with ethertype of
   (IP) followed by IP header with protocol (UDP) where the UDP port is
   a well known MKA UDP port or a a UDP port that is assigned within the
   network to identify the MKA PDU.

4.  IANA Consideration

   Assign a UDP port for EAP over IP identification.

5.  Security Considerations

   NA

6.  Acknowledgments


7.  Informative References

   [RFC2119]  "S. Bradner "Key words for use in RFCs to Indicate
              Requirements Levels"".

   [RFC3748]  "B. Aboda, L. Blunk, J. Vollbrecht, J.Carlson "Extensible
              Authentication Protocol"", June 2004.

Authors' Addresses

   Hooman Bidgoli (editor)
   Nokia
   Ottawa
   Canada
   Email: hooman.bidgoli@nokia.com







Bidgoli, et al.         Expires 1 September 2024                [Page 5]

Internet-Draft                 MKA over IP                 February 2024


   Nicklous Morris
   Verizon
   United States of America
   Email: nicklous.morris@verizonwireless.com


   Nabeel Cocker
   Redhat
   New York,
   United States of America
   Email: ncocker@redhat.com








































Bidgoli, et al.         Expires 1 September 2024                [Page 6]