Internet Engineering Task Force S. Jiang
Internet-Draft Huawei Technologies Co., Ltd
Intended status: Standards Track D. Zhang
Expires: July 18, 2015 Alibaba Co., Ltd
S. Krishnan
Ericsson
January 14, 2015
CGA SEC Option for Secure Neighbor Discovery Protocol
draft-jiang-6man-cga-sec-option-01
Abstract
A Cryptographically Generated Address is an IPv6 address bound to a
public/private key pair. It is a vital component of the Secure
Neighbor Discovery (SeND) protocol. The current SeND specifications
lack procedures for specifying the SEC bits. A new SEC option is
defined accordingly to address this issue.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 18, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Jiang, et al. Expires July 18, 2015 [Page 1]
Internet-Draft SEC RA OPTION January 2015
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2
3. CGA SEC Option . . . . . . . . . . . . . . . . . . . . . . . 3
4. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Security Considerations . . . . . . . . . . . . . . . . . . . 3
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
8.1. Normative References . . . . . . . . . . . . . . . . . . 4
8.2. Informative References . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
Cryptographically Generated Addresses (CGA, [RFC3972]) are used to
make sure that the sender of a Neighbor Discovery message is the
"owner" of the claimed address. Although it is not mandatory, it is
a vital component of the Secure Neighbor Discovery (SeND, [RFC3971])
protocol. Since CGA was defined as an independent security property,
many other CGA usages have been proposed and defined, such as
Enhanced Route Optimization for Mobile IPv6 [RFC4866], Site
Multihoming by IPv6 Intermediation (SHIM6) [RFC5533], etc.
SEC bits are an important parameter in the generation of CGAs.
In particular, SEC values are used to artificially introduce
additional difficulty into the CGA generation process in order to
provide additional protection against brute force attacks.
Therefore, in different environments, hosts may be required to use
different SEC bits in the generation of their CGAs. However, the
base SeND protocol provides no way to distribute the SEC values to
the hosts. As a result, the network administration cannot propagate
any requirements regarding the SEC value of host-generated CGAs.
In order to fill this gap, a new CGA SEC Option is defined in this
document.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. CGA SEC Option
The CGA SEC Option is used to indicate to on-link hosts the lowest
CGA SEC value they SHOULD use. It SHOULD be carried in, and only in,
the Router Advertisement message [RFC4861].
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     OPTION_CGA_SEC_OPTION     |          option-len           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   SEC bits    |
     +-+-+-+-+-+-+-+-+

   option-code   OPTION_CGA_SEC_OPTION (TBA1)

   option-len    1.

   SEC bits      The value of SEC bits is specified in [RFC3972].
4. Host Behavior
On receiving the CGA SEC Option with a recommended SEC value, a host
SHOULD use a CGA with the recommended or a higher SEC value. If it
chooses a CGA with a SEC value lower than the recommended one, the
host MAY find that it is not able to use the full network
capabilities. The network may consider hosts that use CGAs with
lower SEC values as insecure users and decline some or all network
services to them.
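As an added illustration of Sections 3 and 4 (example code written for this
page, not part of the draft or any SeND implementation), the following Python
encodes and parses the option as drawn above and then applies the host-side
check: it reads the Sec value out of a CGA, which RFC 3972 places in the three
leftmost bits of the interface identifier, and compares it with the
recommendation. The option code 0xFFFF is a placeholder standing in for TBA1,
and the addresses and option bytes are constructed samples.

```python
import ipaddress
import struct

# The draft leaves the option code as TBA1; this value is a placeholder
# chosen for the example only, not an IANA assignment.
OPTION_CGA_SEC_OPTION = 0xFFFF
SEC_MAX = 7  # RFC 3972 Section 2 defines Sec as an unsigned 3-bit integer


def build_cga_sec_option(sec: int) -> bytes:
    """Encode the option exactly as drawn in Section 3: 16-bit option-code,
    16-bit option-len (always 1), then one octet carrying the SEC bits."""
    if not 0 <= sec <= SEC_MAX:
        raise ValueError(f"SEC value {sec} outside 0..{SEC_MAX}")
    return struct.pack("!HHB", OPTION_CGA_SEC_OPTION, 1, sec)


def parse_cga_sec_option(data: bytes) -> int:
    """Parse a received option and return the recommended SEC value.
    Rejects truncated data, a foreign option code, a wrong option-len,
    and SEC values that cannot appear in an RFC 3972 address."""
    if len(data) < 5:
        raise ValueError("option truncated")
    code, length = struct.unpack("!HH", data[:4])
    if code != OPTION_CGA_SEC_OPTION:
        raise ValueError(f"unexpected option code {code:#06x}")
    if length != 1:
        raise ValueError(f"option-len must be 1, got {length}")
    sec = data[4]
    if sec > SEC_MAX:
        raise ValueError(f"SEC value {sec} exceeds the 3-bit range")
    return sec


def cga_sec_value(address: str) -> int:
    """Sec is the three leftmost bits of the interface identifier
    (RFC 3972 Section 2), i.e. the top three bits of address octet 8."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def meets_recommendation(address: str, option: bytes) -> bool:
    """Section 4 check: the host's CGA must carry the recommended SEC
    value or a higher one."""
    return cga_sec_value(address) >= parse_cga_sec_option(option)


if __name__ == "__main__":
    # Constructed sample: an RA option recommending SEC=2 and two hosts' CGAs.
    opt = build_cga_sec_option(2)
    for addr in ("2001:db8::4000:0:0:1", "2001:db8::1"):
        verdict = "ok" if meets_recommendation(addr, opt) else "below recommendation"
        print(addr, "SEC", cga_sec_value(addr), verdict)
```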
5. Security Considerations
This document extends SeND with a CGA SEC Option to transport the SEC
bits used in the generation of CGAs, which enables administrators to
specify and adjust the security level of the CGAs used in the
network. Apart from that, this approach does not introduce any
significant changes to the underlying security issues considered in
Section 9 of [RFC3971].
6. IANA Considerations
This document defines a new Neighbor Discovery Protocol option,
which must be assigned an Option Type value within the IPv6 Neighbor
Discovery Option Formats table of Internet Control Message Protocol
version 6 (ICMPv6) Parameters (http://www.iana.org/assignments/
icmpv6-parameters):
Type | Description | Reference
---------+------------------+---------------
TBA1 | CGA SEC option | This document
7. Acknowledgements
The authors would like to thank the members of the 6man WG for their
valuable comments.
This document was produced using the xml2rfc tool [RFC2629].
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005.
[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)",
RFC 3972, March 2005.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
8.2. Informative References
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
[RFC4866] Arkko, J., Vogt, C., and W. Haddad, "Enhanced Route
Optimization for Mobile IPv6", RFC 4866, May 2007.
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, June 2009.
Authors' Addresses
Sheng Jiang
Huawei Technologies Co., Ltd
Q14, Huawei Campus, No.156 Beiqing Road
Hai-Dian District, Beijing, 100095
P.R. China
Email: jiangsheng@huawei.com
Dacheng Zhang
Alibaba Co., Ltd
9th Floor, A Area, Wentelai World Finance Centre, 1 West Dawang Road
Chaoyang District, Beijing, 100095 100025
P.R. China
Email: dacheng.zdc@alibaba-inc.com
Suresh Krishnan
Ericsson
8400 Decarie Blvd.
Town of Mount Royal, QC
Canada
Phone: +1 514 345 7900 x42871
Email: suresh.krishnan@ericsson.com