idnits 2.17.00 (12 Aug 2021) /tmp/idnits55660/draft-ietf-lsvr-l3dl-signing-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 12, 2021) is 463 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-lsvr-l3dl-07 -- Possible downref: Non-RFC (?) normative reference: ref. 'IANA' Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Bush 3 Internet-Draft Arrcus & IIJ 4 Intended status: Standards Track R. Housley 5 Expires: August 16, 2021 Vigil Security 6 R. Austein 7 Arrcus 8 February 12, 2021 10 Layer-3 Discovery and Liveness Signing 11 draft-ietf-lsvr-l3dl-signing-02 13 Abstract 15 The Layer-3 Discovery and Liveness protocol OPEN PDU may contain a 16 public key and a certificate, which can be used to verify signatures 17 on subsequent PDUs. This document describes two mechanisms based on 18 digital signatures, one that is Trust On First Use (TOFU), and one 19 that uses a trust anchor signture over the public key to provide 20 authentication as well as session integrity. 22 Requirements Language 24 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 25 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 26 "OPTIONAL" in this document are to be interpreted as described in BCP 27 14 [RFC2119] [RFC8174] when, and only when, they appear in all 28 capitals, as shown here. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on August 16, 2021. 47 Copyright Notice 49 Copyright (c) 2021 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents 54 (https://trustee.ietf.org/license-info) in effect on the date of 55 publication of this document. Please review these documents 56 carefully, as they describe your rights and restrictions with respect 57 to this document. Code Components extracted from this document must 58 include Simplified BSD License text as described in Section 4.e of 59 the Trust Legal Provisions and are provided without warranty as 60 described in the Simplified BSD License. 62 Table of Contents 64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 65 2. Signature Algorithm Identifiers . . . . . . . . . . . . . . . 3 66 3. Trust On First Use Method . . . . . . . . . . . . . . . . . . 3 67 3.1. Signing a PDU . . . . . . . . . . . . . . . . . . . . . . 4 68 3.2. Verifying the OPEN PDU . . . . . . . . . . . . . . . . . 4 69 3.3. Verifying Other PDUs . . . . . . . . . . . . . . . . . . 5 70 4. Public Key Infrastructure Method . . . . . . . . . . . . . . 5 71 4.1. Signing OPEN PDU with PKI . . . . . . . . . . . . . . . . 6 72 4.2. Verifying OPEN PDU with PKI . . . . . . . . . . . . . . . 6 73 5. Local Policy . . . . . . . . . . . . . . . . . . . . . . . . 6 74 6. NEWKEY, Key Roll . . . . . . . . . . . . . . . . . . . . . . 6 75 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 76 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 77 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 78 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 79 9.2. Informative References . . . . . . . . . . . . . . . . . 9 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 82 1. Introduction 84 The Layer-3 Discovery and Liveness protocol [I-D.ietf-lsvr-l3dl] OPEN 85 PDU contains an algorithm identifier, a key, and a L3DL certificate, 86 which can be used to verify signatures on subsequent PDUs. This 87 document describes two methods of key generation and signing for use 88 by L3DL, Trust On First Use (TOFU) and a PKI-based mechanism to 89 provide authentication as well as session integrity. 91 The Key in the OPEN PDU SHOULD be the public key of an asymmetric key 92 pair. The sender signs with the private key, of course. The device 93 sending the OPEN PDU may use one key for all links, a different key 94 for each link, or some mix(es) thereof. 96 In the TOFU method the key sent in the OPEN PDU is generated on the 97 sending device, is believed without question by the receiver, and 98 used to verify all subsequent PDUs from the same sender with the same 99 public key and algorithm. 101 With the PKI method, an enrollment step is performed. The public key 102 is signed by the the operational environment's trust anchor. In this 103 way, the relying party can be confident that the public key is under 104 control of the identified L3DL protocol entity. 106 As part of enrollment or before hand, all relying parties must have 107 received the trust anchor in an authentic manner. 109 To the receiver verifying signatures on PDUs, the two methods are 110 indistinguishable; the key provided in the OPEN PDU is used to verify 111 the signatures of subsequent PDUs. The difference that PKI-based 112 keys may be verified against the trust anchor when the OPEN PDU is 113 received. 115 In the PKI method the public key in the OPEN PDU MUST be verified 116 against the trust anchor for the operational domain. The OPEN PDU 117 public key is then used to verify all subsequent PDUs in the session. 118 A mechanism for 'rolling' from the current public key to a fresh one 119 is described in Section 6. 121 2. Signature Algorithm Identifiers 123 To avoid the creation of yet another IANA registry for digital 124 signature algorithm identifiers, this specification makes use of the 125 existing IANA registry for "DNS Security Algorithm Numbers" [IANA]. 126 In this registry, each signature algorithm is identified by an 8-bit 127 value. The entries in this registry with "Y" in the "Zone Signing" 128 column are appropriate for use with this protocol. 130 For interoperability, all implementations of this protocol MUST 131 support the RSASHA256 algorithm (identified by the value 8). 132 Implementation MAY support any other registered "Zone Signing" 133 signature algorithms. 135 3. Trust On First Use Method 137 There are three parts to using a key: signing PDUs, verifying the 138 OPEN PDU, and verifying subsequent PDUs. 140 3.1. Signing a PDU 142 All signed PDUs are generated in the same way: 144 o Compose the PDU, with all fields including "Sig Algo" and 145 "Signature Length" set, but omitting the trailing "Signature" 146 field itself. The Certificate Length should be zero and the 147 Certificate field should be empty. This is the "message to be 148 signed" for purposes of the signature algorithm. 150 o Generate the signature as specified for the chosen algorithm, 151 using the private key of the asymmetric key pair. In general, 152 this will involve first hashing the "message to be signed" then 153 signing the hash, but the precise details may vary with the 154 specific signature algorithm. The result will be a sequence of 155 octets, the length of which MUST be equal to the value in the 156 "Signature Length" field. 158 o Construct the complete message by appending the signature octets 159 to the otherwise complete message composed above. 161 In the case of the OPEN PDU, the message to be signed will include 162 the public member of the asymmetric keypair, but as far as the 163 signature algorithm is concerned that's just payload, no different 164 from any other PDU content. 166 3.2. Verifying the OPEN PDU 168 The process for verifying an OPEN PDU is slightly different from the 169 process for verifying other PDU types, because the OPEN PDU also 170 establishes the session key. 172 o Verify that the PDU is syntactically correct, and extract the Auth 173 Type, Key, Sig Type, and Signature fields. 175 o Verify that Auth Type and Sig Type refer to the same algorithm 176 suite, and that said algorithm suite is one that the 177 implementation understands. 179 o Construct the "message to be verified" by truncating the PDU to 180 remove the Signature field (in practice this should not require 181 copying any data, just subtract the signature length from the PDU 182 length). 184 o Verify the message constructed above against the public key using 185 the rules for the specific signature suite. 187 o Record Auth Type and Key as this sessions's authentication type 188 and session key, for use in verifying subseuqent PDUs. 190 If any of the above verification steps fail, generate an error using 191 error code 2 ("Authorization failure in OPEN"). 193 3.3. Verifying Other PDUs 195 The process for verifying non-OPEN PDUs is slightly simpler, but 196 follows the same basic pattern as for OPEN PDUs. 198 o Verify that the PDU is syntactically correct, and extract the Sig 199 Type and Signature fields. 201 o Verify that Sig Type refers to the same algorithm suite as the 202 Auth Type recorded during verification of the OPEN PDU. 204 o Construct the "message to be verified" by truncating the PDU to 205 remove the Signature field. 207 o Verify the message constructed above against the recorded session 208 key using the rules for the specific signature suite. 210 If any of the above verification steps fail, generate an error using 211 error code 3 ("Signature failure in PDU"). 213 4. Public Key Infrastructure Method 215 Using a PKI is almost the same as using TOFU, but with one additional 216 step: during verification of an OPEN PDU, after extracting the Key 217 field from the PDU but before attempting to use it to verify the OPEN 218 PDU signature, the receiver MUST verify the received key against the 219 PKI to confirm that it's an authorized key. 221 Generating an OPEN PDU using the PKI method requires a certificate, 222 which must be supplied via out of band configuration. The 223 certificate is a signature of the public key to be sent in the Key 224 field of the OPEN PDU, signed by the trust anchor private key. 226 Verifying an OPEN PDU using the PKI method requires the public key of 227 the trust anchor, which the receiver uses to verify the certificate, 228 thereby demonstrating that the supplied public key represents an 229 authorized L3DL speaker in this administrative domain. 231 We use the term "certificate" here in the generic sense, not as 232 defined in [RFC5280]. X.509 certificates are not used here; X.509 233 certificates are more complicated than needed for L3DL. The L3DL 234 certificates are just signatures of one key (the public key supplied 235 in the Key field of the OPEN PDU) that can be verified by another 236 trusted public key (the trust anchor). 238 4.1. Signing OPEN PDU with PKI 240 Generating and signing the OPEN PDU with the PKI method is almost the 241 same as in Section 3.1. The only difference is that the PKI method 242 MUST supply the appropriate certificate in the Certificate field. 244 Note that the Auth Type field applies to both the Key and Certificate 245 fields. That is: the certificate uses the same certificate suite as 246 the session keys, L3DL does not support cross-algorithm-suite 247 certification. 249 4.2. Verifying OPEN PDU with PKI 251 Verifying the OPEN PDU with PKI is similar to verifying with TOFU as 252 described in Section 3.2, but includes one critical extra step: 254 After extracting the Key field from the PDU but before verifying the 255 Signature, extract the Certificate field and verfiy that the 256 Certificate is a valid signature of the Key field, according to the 257 rules for the signature suite specified by Auth Type. If this step 258 fails, handle as in Section 3.2. 260 5. Local Policy 262 Whether to use TOFU, PKI, or no signatures at all is a matter of 263 local policy, to be decided by the operator. The useful policy 264 combinations for Key and Certificate are probably: 266 o Not signing: sender need not sign, receiver does not check. 268 o Require TOFU: sender MUST supply key and receiver MUST check, but 269 L3DL certificates not needed and ignored if sent. 271 o Allow TOFU: sender MUST supply key and receiver MUST check, 272 receiver SHOULD check certificate if supplyed by sender. 274 o Require PKI: sender MUST supply key and L3DL certificate, receiver 275 MUST check signature and verify the L3DL certificate. 277 6. NEWKEY, Key Roll 279 Modern key management allows for agility in 'rolling' to a new key or 280 even algorithm in case of key expiry, key compromise, or merely 281 prudence. Declaring a new key with an L3DL OPEN PDU would cause 282 serious churn in topology as a new OPEN PDU may cause a withdraw of 283 previously announced encapsulations. Therefore, a gentler rekeying 284 is needed. 286 Prior to 'rolling' to a new key or new algorithm, a new public/ 287 private key pair is generated. If PKI is being used, then the trust 288 anchor also signs the new public key to create a new L3DL 289 certificate. 291 0 1 2 3 292 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 293 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 294 | Type = 8 | Payload Length | New Key Type | 295 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 296 | New Key Length | New Key ... | 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 298 | | New Cert Length | 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 300 | New Certificate ... | 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 302 | Old Key Type | Old Signature Length | | 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 304 | Old Signature ... | 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 307 The New Key Type, New Key Length, New Key, New Cert Length, and New 308 Certificate fields declare the replacement algorithm, key, and L3DL 309 certificate. 311 The NEWKEY PDU is signed using the current (soon to be old) algorithm 312 and key. 314 The sender and the receiver should be cautious of signature algorithm 315 downgrade attacks. 317 To avoid possible race conditions, the receiver SHOULD accept 318 signatures using either the new or old key for a configurable time 319 (default 30 seconds). This is intended to accommodate situations 320 such as senders with high peer out-degree and a single per-device 321 asymmetric key. 323 If the sender does not receive an ACK in the normal window, including 324 retransmission, then the sender MAY choose to allow a session reset 325 by either issuing a new OPEN PDU or by letting the receiver 326 eventually have a signature failure (error code 3) on a PDU. 328 The rekeying operation changes the session key and the associated 329 algorithm described in Section 3.3. The NEWKEY PDU itself is 330 verified using the old algorithm and session key. After the NEWKEY 331 PDU has been accepted, subsequent PDUs are verified with the new 332 algorithm and the new session key. 334 7. Security Considerations 336 The TOFU method requires a leap of faith to accept the key in the 337 OPEN PDU, as it can not be verified against any authority. Hence it 338 is jokingly referred to as Married On First Date. The assurance it 339 does provide is that subsequent signed PDUs are from the same peer. 340 And data integrity is a positive side effect of the signature 341 covering the payload. 343 The PKI method offers assurance that the L3DL certificate, and hence 344 the public key, provided in the OPEN PDU are authorized by a central 345 authority, e.g. the network's security team. The onward assurance of 346 talking to the same peer and data integrity are the same as in the 347 TOFU method. 349 With the PKI method, automated device provisioning could restrict 350 which L3DL certificates are allowed from which peers on a per 351 interface basis. This would complicate key rolls. Where one draws 352 the line between rigidity, flexibility, and security varies. 354 The REKEY PDU is open to abuse to create a signature algorithm 355 downgrade attack. 357 8. IANA Considerations 359 This document requests the IANA create a new entry in the L3DL PDU 360 Type registry as follows: 362 PDU 363 Code PDU Name 364 ---- ------------------- 365 8 NEWKEY 367 This document requests the IANA add registry entries for "TOFU - 368 Trust On First Use" and "PKI" to the L3DL-Signature-Type registry as 369 follows: 371 Number Name 372 ------ ------------------- 373 1 TOFU - Trust On First Use 374 2 PKI 376 9. References 378 9.1. Normative References 380 [I-D.ietf-lsvr-l3dl] 381 Bush, R., Austein, R., and K. Patel, "Layer 3 Discovery 382 and Liveness", draft-ietf-lsvr-l3dl-07 (work in progress), 383 January 2021. 385 [IANA] "DNS Security Algorithm Numbers", 386 . 389 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 390 Requirement Levels", BCP 14, RFC 2119, 391 DOI 10.17487/RFC2119, March 1997, 392 . 394 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 395 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 396 May 2017, . 398 9.2. Informative References 400 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 401 Housley, R., and W. Polk, "Internet X.509 Public Key 402 Infrastructure Certificate and Certificate Revocation List 403 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 404 . 406 Authors' Addresses 408 Randy Bush 409 Arrcus & IIJ 410 5147 Crystal Springs 411 Bainbridge Island, WA 98110 412 United States of America 414 Email: randy@psg.com 416 Russ Housley 417 Vigil Security, LLC 418 516 Dranesville Road 419 Herndon, VA 20170 420 USA 422 Email: housley@vigilsec.com 423 Rob Austein 424 Arrcus, Inc. 426 Email: sra@hactrn.net