Internet DRAFT - draft-templin-omni-send
draft-templin-omni-send
Network Working Group F. Templin, Ed.
Internet-Draft Boeing Research & Technology
Updates: RFC3971 (if approved) January 22, 2021
Intended status: Standards Track
Expires: July 26, 2021
Secure NEighbor Discovery (SEND) over OMNI Interfaces
draft-templin-omni-send-03
Abstract
The Overlay Multilink Network Interface (OMNI) specification can be
used by nodes on public Internetworks when a suitable security
service is provided to authenticate IPv6 Neighbor Discovery (IPv6 ND)
control messages. The basic OMNI security service for transmission
of IPv6 ND messages over public Internetworks uses a Hashed Message
Authentication Code (HMAC) based on a shared secret. This document
specifies use of the Secure NEighbor Discovery (SEND) protocol over
OMNI interfaces which can provide a more flexible and robust service.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 26, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Templin Expires July 26, 2021 [Page 1]
�
Internet-Draft OMNI SEND January 2021
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. SEND Over OMNI Interfaces . . . . . . . . . . . . . . . . . . 3
3.1. Processing Rules for Senders . . . . . . . . . . . . . . 4
3.2. Processing Rules for Receivers . . . . . . . . . . . . . 5
4. SEND/CGA Updates . . . . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Using Host Identity Tags (HITs) with OMNI/SEND . . . 9
Appendix B. Using HIP-based Authentication Instead of SEND/CGA . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
The Overlay Multilink Network Interface (OMNI) specification
[I-D.templin-6man-omni-interface] can be used by nodes on public
Internetworks when a suitable security service is provided to
authenticate IPv6 Neighbor Discovery (IPv6 ND) control messages
[RFC4861][RFC8200]. The basic OMNI security service for transmission
of IPv6 ND messages over public Internetworks uses a Hashed Message
Authentication Code (HMAC) based on a shared secret. This document
specifies use of the Secure NEighbor Discovery (SEND) protocol over
OMNI interfaces which can provide a more flexible and robust service.
The HMAC-based security service may be adequate when all OMNI access
routers can be provisioned with a shared secret for all potential
clients. However, the service may not be scalable and/or agile
enough for all environments, e.g., when the population of clients
grows and/or changes dynamically. Moreover, it is client-server
oriented, and may be too cumbersome for general-purpose use between
opportunistic neighbor pairs.
The Secure NEighbor Discovery (SEND) protocol [RFC3971] and
Cryptographically Generated Addresses (CGA) [RFC3972] were designed
to provide authentication services for IPv6 ND messaging over links
of all varieties, including wireless. SEND requires that the CGA
appear as the IPv6 ND message source or target address (see:
Templin Expires July 26, 2021 [Page 2]
�
Internet-Draft OMNI SEND January 2021
Section 5.1.1 of [RFC3971]) where it will be covered by the RSA
signature. Since OMNI interfaces use only non-CGA source and target
addresses, however, this specification updates [RFC3971] by allowing
CGAs to appear elsewhere in the message.
The use of SEND over OMNI interfaces offers the opportunity for a
certificate-based security service for large and dynamically changing
populations of mobile nodes within a bounded service domain. The
service domain can be as large as a major public Internetwork, and
can even span multiple disjoint Internetworks when appropriate
peering arrangements are in place. The remainder of this document
specifies the operation of SEND over OMNI interfaces.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. SEND Over OMNI Interfaces
The HMAC-based authentication option specified in
[I-D.templin-6man-omni-interface] is distinguished by the two-octet
code 0x0001 immediately following the UDP/IP encapsulation headers.
The first octet 0x00 indicates that a message preamble option
follows, while the second octet 0x01 is a 'type' field that
identifies the HMAC-based authentication option. Following the
authentication option (and any other preamble options present), the
IPv6 ND message itself begins and includes any necessary SEND
options.
This specification allows CGAs to appear in a location other than the
source or target address of the IPv6 ND message. In particular, this
specification defines a new "Cryptographically Generated Address
(CGA)" sub-option for the OMNI option (see Section 10 of
[I-D.templin-6man-omni-interface]) formatted as follows:
Templin Expires July 26, 2021 [Page 3]
�
Internet-Draft OMNI SEND January 2021
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-Type=TBD | Sub-length=16 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ .
. .
. Cryptographically-Generated Address (CGA) (128 bits) .
. .
. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Cryptographically-Generated Address (CGA) Sub-option
o Sub-Type is set to "TBD".
o Sub-Length is set to 16 (i.e., the length of the CGA).
o Cryptographically-Generated Address (CGA) is a 128 bit IPv6
address generated as specified in [RFC3972].
With this sub-option, OMNI nodes can place their CGAs inside the OMNI
option instead of as the source or target address of the IPv6 ND
message (note that this represents an update to Section 5.1.1 of
[RFC3971]). The processing rules for senders and receivers are
discussed in the following Sections.
3.1. Processing Rules for Senders
Per the OMNI specification [I-D.templin-6man-omni-interface], a
mobile node (MN) may be pre-provisioned with a Mobile Network Prefix
(MNP) (e.g., 2001:db8:1:2::/64) which it uses to form an MNP-based
OMNI Link Local Address (LLA) and MNP-based CGA. Otherwise, the MN
obtains an MNP through an initial IPv6 ND message-based bootstrapping
exchange with an Access Router (AR) while using a temporary LLA and
LLA-based CGA using the prefix fe80::/64.
The MN sends IPv6 ND messages with an OMNI option that includes its
CGA in a CGA sub-option as shown in Figure 1. The MN also includes
any necessary SEND options (e.g., CGA parameters, RSA signature,
Nonce, Timestamp, etc.) per [RFC3971] while observing the updates
discussed in Section 4. The RSA signature option MUST appear later
in the IPv6 ND message options after the OMNI option so that the
signature properly covers the CGA. The MN then sets the IPv6 source,
destination and target (when present) to appropriate non-CGA
addresses, and sends the message to the neighbor.
Templin Expires July 26, 2021 [Page 4]
�
Internet-Draft OMNI SEND January 2021
When an initial bootstrapping exchange is required, the temporary
LLA's statistical uniqueness properties allow for optimistic
operation while the LLA-based CGA's uniqueness properties are
irrelevant since it will never be used as an IPv6 packet header
address. Following bootstrapping, the MN forms an MNP-based OMNI LLA
and MNP-based CGA from its newly-obtained MNP and retains them for
future IPv6 ND messaging. These addresses are assured to be unique
within the domain, since the MNP is uniquely delegated to the MN.
OMNI link ARs are assigned administrative OMNI LLAs that are
guaranteed to be unique on the link, but they receive no MNPs of
their own. Therefore, ARs will generate only LLA-based CGAs and use
them for all SEND operations. While it is possible that two or more
ARs may generate duplicate LLA-based CGAs, each AR will apply its own
unique private key signature such that robust IPv6 ND message
authentication is supported. For these reasons (and for the reasons
explained for MNs above) no Duplicate Address Detection (DAD) testing
of CGAs is necessary.
3.2. Processing Rules for Receivers
When an OMNI node receives an IPv6 ND message from a neighbor, if
both the HMAC and SEND authentication services appear in the same
message the node SHOULD process the SEND authentication credentials
and ignore the HMAC credentials. If only one authentication service
is present, the node SHOULD process the credentials according to the
included service. If no authentication services are present (or, if
the SEND service is present but the RSA signature option appears
before the OMNI option) the node SHOULD regard the IPv6 ND message as
unsecured.
When the CGA sub-option is included in the OMNI option and the RSA
signature option appears later in the IPv6 ND message options, the
node verifies the signature per [RFC3971] while observing the updates
discussed in Section 4. In any case, if the IPv6 ND message includes
an incorrect authentication code the node SHOULD discard the message.
4. SEND/CGA Updates
Since their original publications, several important updates to the
SEND [RFC3971] and CGA [RFC3972] specifications have been published
and are observed as follows:
o [RFC4581] defines a format for the CGA parameter data structure
extension field. While no extensions are introduced in this
document, any future updates to this document that introduce
extensions MUST observe this format.
Templin Expires July 26, 2021 [Page 5]
�
Internet-Draft OMNI SEND January 2021
o [RFC4982] introduces support for multiple hash algorithms in CGAs.
The hash algorithm is identified by a value in the Sec bits of the
CGA itself, which must be registered in the IANA "CGA SEC"
registry. This document requests a new CGA SEC value "TBD2" for
the SHA-256 hash algorithm (see: Section 5 and Section 6).
o [RFC6494] defines a certificate profile that supersedes the
profile for Router Authorization Certificates. Certificates used
in SEND over OMNI interfaces MUST conform to this new certificate
profile and MAY conform to the original profile.
o [RFC6495] specifies Subject Key Identifier (SKI) Name Type Fields
for SEND, which apply also to this document.
o [RFC6980] analyzes the security implications of employing IPv6
fragmentation with IPv6 ND messages (especially with regards to
SEND) and updates [RFC4861] such that use of the IPv6
Fragmentation Header is forbidden in all ND messages. OMNI
interfaces honor [RFC6980] by employing the OMNI Adaptation Layer
(OAL) [I-D.templin-6man-omni-interface] to transport IPv6 ND
messages no larger than the OMNI interface MTU without causing an
IPv6 Fragmentation Header to appear within the IPv6 ND message
itself.
5. IANA Considerations
IANA is instructed to allocate a new "OMNI option Sub-Type values"
registry codepoint for the Cryptographically Generated Address (CGA)
sub-option (value TBD).
IANA is instructed to allocate a new "CGA SEC" registry codepoint for
SHA-256 (value TBD2).
6. Security Considerations
The OMNI specification [I-D.templin-6man-omni-interface] provides an
HMAC authentication service that can be used for basic client-server
authentication based on shared secrets. The SEND service discussed
in this document uses X.509 public keys which provide a more flexible
and extensible security service, especially for use on large OMNI
links that support a dynamically changing collection of many MNs.
[RFC6273] provides a hash threat analysis for SEND that concludes:
"Current attacks on hash functions do not constitute any practical
threat to the digital signatures used in SEND (both in the RSA
signature option and in the X.509 certificates). Attacks on CGAs,
as described in [RFC4982], will compromise the security of SEND
Templin Expires July 26, 2021 [Page 6]
�
Internet-Draft OMNI SEND January 2021
and they need to be addressed by encoding the hash algorithm
information into the CGA as specified in [RFC4982]."
For this reason, implementations MUST use the SHA-256 hash algorithm
for CGAs, as indicated by the value TBD2 appearing in the CGA Sec
field (see: Section 5). Future documents MAY specify additional hash
algorithm values for the CGA Sec field.
OMNI nodes assign CGAs to their OMNI interfaces but do not use them
as IPv6 source, destination or target addresses, nor as node
identifiers. Instead, OMNI nodes place the CGA in IPv6 ND message
OMNI options, use non-CGA addresses for IPv6 packet addressing, and
use Universally Unique IDentifiers (UUIDs) [RFC4122][RFC6487] for
node identification purposes.
The series of consecutively-numbered RFCs beginning with [RFC6480]
and extending to [RFC6495] establishes standards and operational
practices for secure Internet routing. The series includes updates
cited in Section 4 that establish SEND as an integral component of
the architecture. OMNI interfaces that use SEND over public
Internetworks therefore observe these same principles.
7. Acknowledgements
This work is aligned with the NASA Safe Autonomous Systems Operation
(SASO) program under NASA contract number NNA16BD84C.
This work is aligned with the FAA as per the SE2025 contract number
DTFAWA-15-D-00030.
This work is aligned with the Boeing Commercial Airplanes (BCA)
Internet of Things (IoT) and autonomy programs.
This work is aligned with the Boeing Information Technology (BIT)
MobileNet program.
8. References
8.1. Normative References
[I-D.templin-6man-omni-interface]
Templin, F. and T. Whyman, "Transmission of IP Packets
over Overlay Multilink Network (OMNI) Interfaces", draft-
templin-6man-omni-interface-68 (work in progress), January
2021.
Templin Expires July 26, 2021 [Page 7]
�
Internet-Draft OMNI SEND January 2021
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", RFC 3971,
DOI 10.17487/RFC3971, March 2005,
<https://www.rfc-editor.org/info/rfc3971>.
[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)",
RFC 3972, DOI 10.17487/RFC3972, March 2005,
<https://www.rfc-editor.org/info/rfc3972>.
[RFC4581] Bagnulo, M. and J. Arkko, "Cryptographically Generated
Addresses (CGA) Extension Field Format", RFC 4581,
DOI 10.17487/RFC4581, October 2006,
<https://www.rfc-editor.org/info/rfc4581>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/info/rfc4861>.
[RFC4982] Bagnulo, M. and J. Arkko, "Support for Multiple Hash
Algorithms in Cryptographically Generated Addresses
(CGAs)", RFC 4982, DOI 10.17487/RFC4982, July 2007,
<https://www.rfc-editor.org/info/rfc4982>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487,
DOI 10.17487/RFC6487, February 2012,
<https://www.rfc-editor.org/info/rfc6487>.
[RFC6494] Gagliano, R., Krishnan, S., and A. Kukec, "Certificate
Profile and Certificate Management for SEcure Neighbor
Discovery (SEND)", RFC 6494, DOI 10.17487/RFC6494,
February 2012, <https://www.rfc-editor.org/info/rfc6494>.
[RFC6495] Gagliano, R., Krishnan, S., and A. Kukec, "Subject Key
Identifier (SKI) SEcure Neighbor Discovery (SEND) Name
Type Fields", RFC 6495, DOI 10.17487/RFC6495, February
2012, <https://www.rfc-editor.org/info/rfc6495>.
[RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation
with IPv6 Neighbor Discovery", RFC 6980,
DOI 10.17487/RFC6980, August 2013,
<https://www.rfc-editor.org/info/rfc6980>.
Templin Expires July 26, 2021 [Page 8]
�
Internet-Draft OMNI SEND January 2021
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.
8.2. Informative References
[I-D.ietf-drip-rid]
Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov,
"UAS Remote ID", draft-ietf-drip-rid-06 (work in
progress), December 2020.
[I-D.templin-duid-ipv6]
Templin, F., "The IPv6 Address-based DHCPv6 Unique
Identifier (DUID-V6ADDR)", draft-templin-duid-ipv6-01
(work in progress), January 2021.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>.
[RFC6273] Kukec, A., Krishnan, S., and S. Jiang, "The Secure
Neighbor Discovery (SEND) Hash Threat Analysis", RFC 6273,
DOI 10.17487/RFC6273, June 2011,
<https://www.rfc-editor.org/info/rfc6273>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
Henderson, "Host Identity Protocol Version 2 (HIPv2)",
RFC 7401, DOI 10.17487/RFC7401, April 2015,
<https://www.rfc-editor.org/info/rfc7401>.
Appendix A. Using Host Identity Tags (HITs) with OMNI/SEND
Section 4 of [RFC3971] states:
"This specification also allows a node to use non-CGAs with
certificates that authorize their use. However, the details of
such use are beyond the scope of this specification and are left
for future work."
Templin Expires July 26, 2021 [Page 9]
�
Internet-Draft OMNI SEND January 2021
The Host Identity Tag (HIT) [RFC7401] is an example of a non-CGA that
is also obtained through a cryptographic hash of the node's public
key. HITs (and their derivatives known as "Hierarchical HITs"
[I-D.ietf-drip-rid]) have several important properties:
"The HIT is 128 bits long and has the following three key
properties: i) it is the same length as an IPv6 address and can be
used in fixed address-sized fields in APIs and protocols; ii) it
is self-certifying (i.e., given a HIT, it is computationally hard
to find a Host Identity key that matches the HIT); and iii) the
probability of a HIT collision between two hosts is very low;
hence, it is infeasible for an attacker to find a collision with a
HIT that is in use. [RFC7401]"
Should IETF consensus determine that (H)HITs represent a preferred
solution, the same mechanisms described for CGAs in this document can
be used to enable OMNI interface SEND security operations while using
(H)HITs. Namely, a new OMNI sub-option will be defined for the
purpose of carrying a 128-bit (H)HIT as the sub-option of an OMNI
option. The processing rules for senders and receivers specified in
Section 3 will be applied in the same fashion as for CGAs, with the
exception that the IPv6 ND CGA option which includes the node's
public key (and other information) will be associated with the (H)HIT
instead of with a CGA. Most importantly, the (H)HIT would be covered
under the RSA signature applied to the IPv6 ND message thereby
allowing receivers to verify proof of ownership.
Use of the (H)HIT as a node identifier can also be considered per
future IETF consensus determinations. If the IETF determines that an
(H)HIT can be used as a node identifier (i.e., instead of a UUID) the
specification of a new Dynamic Host Configuration Protocol for IPv6
(DHCPv6) Device Unique IDentifier (DUID) type may be indicated (see:
[I-D.templin-duid-ipv6]).
Appendix B. Using HIP-based Authentication Instead of SEND/CGA
[RFC7401] specifies the Host Identity Protocol, version 2 (HIPv2) and
is intended as a comprehensive protocol suite which in many ways
overlaps with the intended use cases for OMNI. However, IPv6 ND
control messages over OMNI interfaces could be secured using selected
elements of [RFC7401] without incorporating all aspects of the
specification.
In particular, the HOST_ID and HIP_SIGNATURE parameters specified in
Sections 5.2.9 and 5.2.14 of [RFC7401] could be incorporated as new
sub-options of the OMNI option, and the SIGNATURE calculation and
verification procedures specified in Section 6.4 could be adapted for
Templin Expires July 26, 2021 [Page 10]
�
Internet-Draft OMNI SEND January 2021
signing IPv6 ND messages in the manner similar to that currently
prescribed by [RFC3971].
The [RFC7401] message authentication methods could therefore be used
with OMNI interfaces instead of employing SEND/CGA. Furthermore, the
(H)HIT could be used as an OMNI node identifier instead of a UUID as
discussed in the previous section.
Author's Address
Fred L. Templin (editor)
Boeing Research & Technology
P.O. Box 3707
Seattle, WA 98124
USA
Email: fltemplin@acm.org
Templin Expires July 26, 2021 [Page 11]
