Internet DRAFT - draft-thomson-tcpinc-dtls
draft-thomson-tcpinc-dtls
TCPINC M. Thomson
Internet-Draft Mozilla
Intended status: Standards Track July 3, 2014
Expires: January 4, 2015
A DTLS Extension for TCP
draft-thomson-tcpinc-dtls-00
Abstract
Opportunistic security is provided for TCP using a modified DTLS.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Thomson Expires January 4, 2015 [Page 1]
Internet-Draft DTLS for TCP July 2014
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. DTLS Layering . . . . . . . . . . . . . . . . . . . . . . . . 3
3. DTLS Record Protection Option . . . . . . . . . . . . . . . . 4
3.1. DTLS Record Protection Flags . . . . . . . . . . . . . . 4
3.2. Protection Option Kinds . . . . . . . . . . . . . . . . . 4
4. Modified DTLS AEAD Operation . . . . . . . . . . . . . . . . 4
4.1. TCP Pseudoheader Construction . . . . . . . . . . . . . . 5
4.2. TCP Header Construction . . . . . . . . . . . . . . . . . 6
4.3. Forbid NAPT . . . . . . . . . . . . . . . . . . . . . . . 7
5. DTLS Role Selection . . . . . . . . . . . . . . . . . . . . . 7
6. Design Characteristics . . . . . . . . . . . . . . . . . . . 8
6.1. Interaction with TCP Fast Open . . . . . . . . . . . . . 8
6.2. Zero Length DTLS Data . . . . . . . . . . . . . . . . . . 8
6.3. Unauthenticated Acknowledgments . . . . . . . . . . . . . 8
6.4. Interaction with DTLS Replay Protection . . . . . . . . . 9
6.5. TCP Keep-Alive . . . . . . . . . . . . . . . . . . . . . 9
6.6. Unprotected RST Segments . . . . . . . . . . . . . . . . 9
6.7. Cipher Suite Selection . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7.1. NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.2. Acknowledgments and Congestion Window Protection . . . . 10
7.3. Traffic Redirection . . . . . . . . . . . . . . . . . . . 10
7.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 10
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8.1. Registration of DTLS Record Protection Option Kind . . . 11
8.2. Registry for DTLS Record Protection Flags . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
TCP [RFC0793] is a widely used protocol.
As part of a general "secure all the things" effort, the IETF is
defining opportunistic security options for all the protocols it
maintains. Opportunistic security ensures that we accelerate the
eventual heat death of the universe, and discourages certain classes
of attack [RFC7258].
Opportunistic approaches are the most practical way to ensure wider
deployment of security because they don't immediately depend on
solving hard problems like authentication.
Thomson Expires January 4, 2015 [Page 2]
Internet-Draft DTLS for TCP July 2014
In that spirit, reusing existing security protocols reduces the cost
to implement, deploy and analyse new protocol modifications. TLS
[RFC5246] and DTLS [RFC6347] represent the current best in class
security protocols.
This specification defines how DTLS can be used to protect TCP. This
addresses the requirements outlined in [I-D.bellovin-tcpsec]. A
small modification to the TCP record layer allows for the protection
of the TCP pseudo header, with an allowance for NAPT (editor: why
does Bellovin even suggest that protection of IP/port is even
feasible?) and per-option opt-out.
In addition, all the features of DTLS are made available:
o Cipher suite negotiation and agility
o Years of security analysis
o Downgrade protection in the handshake
o Session bindings
o Optional peer authentication
o A range of available extensions
In addition to this, new upgrades to DTLS can be trivially added.
Thus, improvements to algorithms or the DTLS handshake are entirely
portable.
1.1. Terminology
The usual. [RFC2119] explains what those are.
2. DTLS Layering
This extension to TCP places a continuous sequence of DTLS records as
the payload of TCP. These records provide confidentiality and
integrity protection for their content, plus integrity protection for
the TCP header and pseudoheader.
An option negotiates the use of this extension. This option is added
to the SYN message to indicate support, and to the ACK message to
indicate acceptance.
Once enabled, all DTLS records, including handshake messages, are
carried as TCP data. The data for the protected TCP stream is the
concatenated content of DTLS messages.
Thomson Expires January 4, 2015 [Page 3]
Internet-Draft DTLS for TCP July 2014
TCP clients are automatically entered into the DTLS client role; and
TCP servers automatically enter the DTLS server role. Where TCP
simultaneous open is used, a lottery determines the roles Section 5.
3. DTLS Record Protection Option
This option is used to negotiate the use of DTLS. It is assigned a
TCP option kind of 0xTBD Section 8.
The format of the DTLS record protection option is a single octet
flags field, followed by a list of protected option kinds.
3.1. DTLS Record Protection Flags
The content of the flags field is a bit pattern of features. The
following features are defined in this document:
o FORBID_NAPT: Bit 0 (the first and most significant bit of the
first octet) being set indicates that DTLS protection is to be
extended to addressing elements, see Section 4.3.
A client can set these bits to request the defined alterations to the
protocol. A server can accept these alterations by including these
in its ACK message, or it can reject the alterations by clearing the
bit.
All bits in this option MUST be set to zero unless they are
explicitly understood. A sender MUST remove trailing octets that
have all zero values from the option.
An IANA registry is established to maintain these bits Section 8.2.
3.2. Protection Option Kinds
The DTLS record protection option includes a list of the TCP options
that are covered by DTLS integrity protection, each occupying a
single octet. Just as TCP options are terminated by a zero octet,
this list is terminated by a zero value.
Any data following this list is reserved for extension and MUST be
ignored.
4. Modified DTLS AEAD Operation
This mechanism MUST be used with an Authenticated Encryption with
Additional Data (AEAD) mode. The DTLS record layer is modified to
provide integrity protection for the TCP pseudoheader and header by
including this as part of the additional data.
Thomson Expires January 4, 2015 [Page 4]
Internet-Draft DTLS for TCP July 2014
An important characteristic of this is that records are protected as
though each individual DTLS record is part of a unique TCP segment.
This ensures that repacketization by middleboxes does not result in
records being marked as invalid.
TCP middleboxes can, and sometimes do, split or coalesce TCP
segments. This affects the calculation of the authenticated data
that is input to the AEAD protection.
To prevent this from invalidating integrity checks unnecessarily, the
associated data passed to the AEAD algorithm contains a modified
value of the TCP header and pseudoheader.
For a sender that transmits a single DTLS record in each TCP segment
with only protected TCP options, this demands no additional
calculation. However, a receiver needs to construct the TCP header
and pseudoheader. The length of this packet is based on the length
of the DTLS record, with the value of protected TCP options being
extracted from the TCP header of the segment that carries the first
byte of the DTLS record.
In TLS and DTLS, the additional data that is protected by the AEAD
function is [RFC5246]:
additional_data = seq_num + TLSCompressed.type +
TLSCompressed.version + TLSCompressed.length;
where "+" denotes concatenation.
This specification expands the fields that are protected to include a
constructed TCP pseudoheader and header as follows:
tcp_additional_data = pseudoheader + tcp_header +
additional_data;
Construction of the "pseudoheader" and "tcp_header" portions of the
authenticated data are described in the following sections.
4.1. TCP Pseudoheader Construction
The pseudoheader that is used for AEAD input depends on the IP
version in use, for IPv4 [RFC0793], with length of fields in bits
shown in parentheses:
pseudoheader_v4 = source_address(32) + destination_address(32) +
zero(8) + protocol(8) + tcp_length(16)
Or for IPv6 [RFC2460]:
Thomson Expires January 4, 2015 [Page 5]
Internet-Draft DTLS for TCP July 2014
pseudoheader_v6 = source_address(128) + destination_address(128) +
tcp_length(32) + zero(24) + protocol(8)
In both cases, the value for "tcp_length" is derived by constructing
a TCP header as described in Section 4.2.
The values for "source_address" and "destination_address" are
replaced with zero bits, unless the FORBID_NAPT flag is enabled.
Setting these values to zero permits the use of NAPT devices.
4.2. TCP Header Construction
In order to ensure that the protocol is robust in the presence of
middleboxes, unprotected TCP options are removed from the TCP header
before applying protection.
tcp_header = source_port(16) + destination_port(16) +
sequence_number(32) + acknowledgement_number(32) +
data_offset(4) + flags(12) + window(16) +
checksum(16) + urgent_pointer(16) + options(?)
The following construction rules apply:
source_port and destination_port: These fields MUST be replaced with
zero bits unless the FORBID_NAPT flag is enabled for the session.
Setting these values to zero permits the use of port translation.
sequence_number: This field MUST be set to the sequence number
corresponding to the first octet of the DTLS record. If multiple
segments are combined into a single packet, this will be different
to the sequence number that appears in the TCP header.
acknowledgement_number and window: These fields MUST be replaced
with zero bits. Removing the acknowledgement and congestion
window from integrity protection does provide some opportunities
to an on-path attacker Section 7.2.
data_offset: The data offset MUST be set to the size of the modified
TCP header.
flags: The reserved and flags part of the TCP header is protected.
checksum: This field MUST be replaced with zero bits, just as it is
when the TCP checksum is calculated.
urgent_pointer: The urgent pointer is protected.
Thomson Expires January 4, 2015 [Page 6]
Internet-Draft DTLS for TCP July 2014
options: The set of options that are included under protection are
included. Options that are not protected are removed.
Section 3.2 described how options are selected for protection.
The list of options is terminated with an option of kind 0x0 and
padding to a multiple of 32 bits with zero octets.
This construction permits the addition and removal of options by
middleboxes, as long as they are not in the list of options that are
protected. It also permits repacketization and acknowledgment.
4.3. Forbid NAPT
The DTLS record protection option Section 3 contains a FORBID_NAPT
bit that can be used to signal that network address and port
translation (NAPT) is forbidden.
If the FORBID_NAPT option is not set, addressing information is
replaced with zero values. This is the IP (v4 or v6) address fields
in the pseudoheader, and the source and destination port numbers.
Why anyone in their right mind would do this is beyond me, but it's
in the requirements and this would seem to be sufficient to address
those, albeit by making the whole mechanism more complex.
5. DTLS Role Selection
Ordinarily, the role of DTLS client is assumed by the peer that sends
the first TCP SYN packet (the TCP client), and the role of DTLS
server is assumed by the peer that responds (the TCP server).
Peers that perform a TCP simultaneous open - that is, where both
peers simultaneously send SYN packets to open a connection, often to
work around middlebox limitations - are assigned client and server
roles in DTLS based on the following rules.
If only one peer provides a DTLS handshake in TCP fast open data
[I-D.ietf-tcpm-fastopen], then that peer becomes the client. Note
that including the DTLS handshake message in the initial SYN packet
is only safe if there is a previous confirmation from a server that
it supports this protocol (see Section 6.1).
If neither or both peers provide the DTLS handshake option, then the
peer that selects the numerically highest value for their
ClientRandom assumes the client role. In the absence of the DTLS
handshake option, role allocations are not determined until a
ClientHello message is exchanged.
Thomson Expires January 4, 2015 [Page 7]
Internet-Draft DTLS for TCP July 2014
6. Design Characteristics
This section outlines a number of considerations that allow this
protocol to actually be implemented.
6.1. Interaction with TCP Fast Open
TCP fast open [I-D.ietf-tcpm-fastopen] can be used to mitigate the
additional latency cost imposed by the DTLS handshake. However, this
represents a risk, since the payload of the initial packet is
directly passed to an application if the opportunistic security
option is not negotiated.
Adding data to an initial SYN is therefore only possible if there is
a previous indication that a server supports the combination of TCP
fast open and opportunistic security in combination.
A server that provides a TCP fast open cookie for an encrypted
connection MUST accept encryption on future connections with that
cookie, or reject the connection. This ensures that clients are able
to send a DTLS handshake message in the initial SYN packet.
6.2. Zero Length DTLS Data
[RFC5246], Section 6.2 notes that the TLS record layer protects non-
zero length blocks. This use of DTLS requires that frames be
permitted to be empty, relying solely on integrity protection of the
associated data.
This does not mean that the TCP segment contains no data, since it
will contain the DTLS record header (including the explicit nonce,
if any, and any bits produced by the AEAD cipher to ensure
integrity).
6.3. Unauthenticated Acknowledgments
TCP segments that only acknowledge receipt of data, or update the
receive window do not require authentication, since the corresponding
fields are not protected. These frames can be accepted and
processed, as long as only the receive window is updated.
By the same logic, protection of the TCP window scaling option
[RFC1323] and the selective acknowledgment (SACK) option [RFC2018]
are not made mandatory. These SHOULD NOT be added to the list of
protected options Section 3.2.
Thomson Expires January 4, 2015 [Page 8]
Internet-Draft DTLS for TCP July 2014
6.4. Interaction with DTLS Replay Protection
TCP segment retransmission and reassembly requires that a sender be
able to retransmit. These frames will be retransmitted with the same
data, including the DTLS serial number. To avoid having
retransmissions erroneously discarded, any DTLS replay protection
needs to allow for replay of records that appear in unacknowledged
segments.
6.5. TCP Keep-Alive
This protocol does not protect TCP keep-alive segments [RFC1122];
that is, segments that are sent purely to ensure that the connection
is maintained through middleboxes. These can contain a single junk
byte from just prior to the start of the congestion window. These
segments are discarded without being validated.
This differs from [I-D.bittau-tcp-crypt], which protects keep-alive
segments. Protection ensures that an attacker is unable to prolong
the lifetime of a connection that is otherwise unwanted.
Since an unwanted connection can be terminated with an authenticated
segment that bears a FIN or RST bit, this concern is unwarranted.
6.6. Unprotected RST Segments
Existing TCP implementations, particularly middleboxes, rely TCP RST
to terminate connections. If RST authentication is required, then it
becomes impossible for a node which is not part of the association
(either because it is a middlebox or because it is a legitimate
endpoint which has lost state) to terminate the connection. An
implementation MAY choose to respect an unauthenticated RST to permit
these uses.
(Note: we may want to provide an option that the middlebox can
include in a RST to prove that it is on-path to make this a little
easier to accept.)
6.7. Cipher Suite Selection
Implementations MUST support the TLS_BLAH_WITH_BLAH_BLAH cipher
suite.
Implementations MUST NOT offer non-AEAD modes and MUST terminate the
connection if a non-AEAD mode if one is erroneously offered.
Thomson Expires January 4, 2015 [Page 9]
Internet-Draft DTLS for TCP July 2014
7. Security Considerations
None of this document mandates any level of authentication for peers,
which opens up all sorts of active attacks.
7.1. NAPT
The choice to protect a TCP connection from addressing modification
prevents network address and port translation from altering the
addressing information on a connection. Unfortunately, this is a
procedure that much of the Internet relies on. Enabling this feature
is likely to break a lot of uses, but failure to use it exposes the
connection to trivial re-routing attacks.
In the absence of peer authentication, and where there is a high
level of assurance that no NAPT is being used for a communications
path, this protection might be used. Of course, any protection this
provides is trivially circumvented by an on-path attacker.
7.2. Acknowledgments and Congestion Window Protection
This design permits a middlebox to generate acknowledgments and to
perform repacketization. This opens a number of denial of service
avenues for malicious middleboxes. Falsifying window advertisements
can cause a sender to send more packets than might otherwise be sent.
Similarly, sending a reduced acknowledgment sequence number can cause
excessive retransmission. In a similar fashion, retransmissions can
be suppressed by sending inflated acknowledgment sequence numbers.
These are options that are already available to an on-path attacker.
7.3. Traffic Redirection
Without the FORBID_NAPT flag enabled, it's possible for a middlebox
to rewrite addressing information so that this flow. If only
authenticated RST and FIN segments are accepted by the TCP stack, the
target of this flow - who doesn't have access to the traffic keys -
is unable to do anything to end the flow of data.
This isn't particularly interesting as an attack, since we have to
assume that any middlebox capable of this is also capable of just
generating the same volume of packets toward the victim.
7.4. Peer Authentication
In order to have this deployed, peers will have to avoid relying on
authentication. That means that this is open to active attacks.
Thomson Expires January 4, 2015 [Page 10]
Internet-Draft DTLS for TCP July 2014
Implementations might consider using some form of key continuity.
Clients SHOULD avoid key continuity for different servers to avoid
tracking by correlating keying material. Full continuity might be
more applicable for servers, where key continuity does not create any
special tracking ability.
(This probably needs work.)
8. IANA Considerations
This document registers a new TCP option kind, and establishes a
registry to maintain its contents.
8.1. Registration of DTLS Record Protection Option Kind
This document registers the DTLS record protection option with a TCP
option kind of 0xTBD.
The format of this option is described in Section 3
8.2. Registry for DTLS Record Protection Flags
IANA will maintain a registry of "TCP DTLS Record Protection Flags"
under the "Service Names and Transport Protocol Port Numbers" group
of registries.
This registry controls a contiguous space starting from bit 0 to 2023
(inclusive). New registrations in this registry require IETF review
[RFC5226], with the following information:
Bit Number: The bit number being assigned
Purpose: A brief description of the feature.
Specification: A reference to the specification that defines the
feature.
The initial contents of this registry are:
Bit Number: 0
Purpose: Enables protection of addressing information.
Specification: This document.
Thomson Expires January 4, 2015 [Page 11]
Internet-Draft DTLS for TCP July 2014
9. References
9.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
9.2. Informative References
[I-D.bellovin-tcpsec]
Bellovin, S., "Problem Statement and Requirements for a
TCP Authentication Option", draft-bellovin-tcpsec-01 (work
in progress), July 2007.
[I-D.bittau-tcp-crypt]
Bittau, A., Boneh, D., Hamburg, M., Handley, M., Mazieres,
D., and Q. Slack, "Cryptographic protection of TCP Streams
(tcpcrypt)", draft-bittau-tcp-crypt-04 (work in progress),
February 2014.
[I-D.ietf-tcpm-fastopen]
Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", draft-ietf-tcpm-fastopen-09 (work in
progress), July 2014.
[RFC1323] Jacobson, V., Braden, B., and D. Borman, "TCP Extensions
for High Performance", RFC 1323, May 1992.
Thomson Expires January 4, 2015 [Page 12]
Internet-Draft DTLS for TCP July 2014
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
Selective Acknowledgment Options", RFC 2018, October 1996.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, May 2014.
Author's Address
Martin Thomson
Mozilla
Email: martin.thomson@gmail.com
Thomson Expires January 4, 2015 [Page 13]