Internet Engineering Task Force (IETF) D. FarinacciInternet-DraftRequest for Comments: 8061 lispers.netIntended status:Category: Experimental B. WeisExpires: April 17, 2017 ciscoISSN: 2070-1721 Cisco SystemsOctober 14, 2016 LISPJanuary 2017 Locator/ID Separation Protocol (LISP) Data-Plane Confidentialitydraft-ietf-lisp-crypto-10Abstract This document describes a mechanism for encryptingLISPtraffic encapsulatedtraffic.using the Locator/ID Separation Protocol (LISP). The design describes how key exchange is achieved using existing LISP control-plane mechanisms as well as how to secure the LISPdata-planedata plane from third-party surveillance attacks. Status of This Memo ThisInternet-Draftdocument issubmitted in full conformance with the provisions of BCP 78not an Internet Standards Track specification; it is published for examination, experimental implementation, andBCP 79. Internet-Drafts are working documentsevaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are amaximumcandidate for any level ofsix monthsInternet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 17, 2017.http://www.rfc-editor.org/info/rfc8061. Copyright Notice Copyright (c)20162017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Notation . . . . . . . . . . . . . . . . . . . .43 3. Definition of Terms . . . . . . . . . . . . . . . . . . . . .43 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 4 6. Encoding and Transmitting Key Material . . . . . . . . . . . 5 7. Shared KeysusedUsed for theData-PlaneData Plane . . . . . . . . . . . . .87 8. Data-Plane Operation . . . . . . . . . . . . . . . . . . . .109 9. Procedures for Encryption and Decryption . . . . . . . . . .1110 10. Dynamic Rekeying . . . . . . . . . . . . . . . . . . . . . .1211 11. Future Work . . . . . . . . . . . . . . . . . . . . . . . . .1312 12. Security Considerations . . . . . . . . . . . . . . . . . . .1312 12.1. SAAG Support . . . . . . . . . . . . . . . . . . . . . .1312 12.2. LISP-Crypto Security Threats . . . . . . . . . . . . . .1413 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . .1413 14. References . . . . . . . . . . . . . . . . . . . . . . . . .1514 14.1. Normative References . . . . . . . . . . . . . . . . . .1514 14.2. Informative References . . . . . . . . . . . . . . . . .16 Appendix A.15 Acknowledgments . . . . . . . . . . . . . . . . . .17. . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .2016 1. Introduction This document describes a mechanism for encryptingLISP encapsulatedLISP-encapsulated traffic. The design describes how key exchange is achieved using existing LISP control-plane mechanisms as well as how to secure the LISPdata-planedata plane from third-party surveillance attacks. The Locator/ID Separation Protocol [RFC6830] defines a set of functions for routers to exchange information used to map from non- routable Endpoint Identifiers (EIDs) to routable Routing Locators (RLOCs). LISP Ingress Tunnel Routers (ITRs) and Proxy Ingress Tunnel Routers (PITRs) encapsulate packets to Egress Tunnel Routers (ETRs) andReencapsulatingRe-encapsulating Tunnel Routers (RTRs). Packets that arrive at the ITR or PITR may not be encrypted, which means no protection or privacy of the data is added. When the source host encrypts the data stream, encapsulated packets do not need to be encrypted by LISP. However, when plaintext packets are sent by hosts, this design can encrypt the user payload to maintain privacy on the path between the encapsulator (the ITR or PITR) to a decapsulator (ETR or RTR). The encrypted payload is unidirectional. However, return traffic uses the same procedures but with different key values by the same xTRs or potentially different xTRs when the paths between LISP sites are asymmetric. This document has the following requirements (as well as the general requirements from [RFC6973]) for the solution space: o Do not require a separate Public Key Infrastructure (PKI) that is out of scope of the LISP control-plane architecture. o The budget for key exchange MUST be one round-trip time. That is, only atwo packettwo-packet exchange can occur. o Use symmetric keying so faster cryptography can be performed in the LISP data plane. o Avoid a third-party trust anchor if possible. o Provide for rekeying when secret keys are compromised. o Support Authenticated Encryption with packet integrity checks. o Support multiple cipher suites so new crypto algorithms can be easily introduced. Satisfying the above requirements provides the following benefits: o Avoiding a PKI reduces the operational cost of managing a secure network. Key management is distributed and independent from any other infrastructure. o Packet transport is optimized due tolessfewer packet headers. Packet loss is reduced by a more efficient key exchange. o Authentication and privacy are provided with a single mechanism thereby providing lessper packetper-packet overhead and therefore more resource efficiency. 2. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Definition of Terms AEAD: Authenticated Encryption withAdditionalAssociated Data[RFC5116].[RFC5116] ICV: Integrity CheckValue.Value LCAF: LISP Canonical Address Format([LCAF]).[RFC8060] xTR: A general reference to ITRs, ETRs, RTRs, andPxTRs.PxTRs 4. Overview The approach proposed in this document istoNOT to rely on the LISP mapping system (or any otherkey infrastructurekey-infrastructure system) to store security keys. This will provide for a simpler and more secure mechanism. Secret shared keys will be negotiated between the ITR and the ETR in Map-Request and Map-Reply messages. Therefore, when an ITR needs to obtain the RLOC of an ETR, it will get security material to compute a shared secret with the ETR. The ITR can compute3 shared-secretsthree shared secrets per ETR the ITR is encapsulating to. When the ITR encrypts a packet before encapsulation, it will identify the key it used for the crypto calculation so the ETR knows which key to use for decrypting the packet after decapsulation. By using key-ids in the LISP header, we can also get fast rekeying functionality. The key management described in thisdocumemntdocument is unidirectional from the ITR (the encapsulator) to the ETR (the decapsultor). 5. Diffie-Hellman Key Exchange LISP will use a Diffie-Hellman [RFC2631] key exchange sequence and computation for computing a shared secret. The Diffie-Hellman parameters will be passed via Cipher Suite code-points in Map-Request and Map-Reply messages. Here is a brief description howDiff-HellmanDiffie-Hellman works: +----------------------------+---------+----------------------------+ | ITR | | ETR | +------+--------+------------+---------+------------+---------------+ |Secret| Public | Calculates | Sends | Calculates | Public |Secret| +------|--------|------------|---------|------------|--------|------+ | i | p,g | | p,g --> | | | e | +------|--------|------------|---------|------------|--------|------+ | i | p,g,I |g^i mod p=I | I --> | | p,g,I | e | +------|--------|------------|---------|------------|--------|------+ | i | p,g,I | | <-- E |g^e mod p=E | p,g | e | +------|--------|------------|---------|------------|--------|------+ | i,s |p,g,I,E |E^i mod p=s | |I^e mod p=s |p,g,I,E | e,s | +------|--------|------------|---------|------------|--------|------+Public-key exchangePublic-Key Exchange forcomputingComputing ashared private keyShared Private Key [DH] Diffie-Hellman parameters 'p' and 'g' must be the same values used by the ITR and ETR. The ITR computespublic-keypublic key 'I' and transmits 'I' in a Map-Request packet. When the ETR receives the Map-Request, it uses parameters 'p' and 'g' to compute the ETR's public key 'E'. The ETR transmits 'E' in a Map-Reply message. At this point, the ETR has enough information to compute 's', the shared secret, by using 'I' as the base and the ETR's private key 'e' as the exponent. When the ITR receives the Map-Reply, it uses the ETR'spublic-keypublic key 'E' with the ITR's private key 'i' to compute the same 's' shared secret the ETR computed. The value 'p' is used as a modulus to create the width of the shared secret 's' (see Section 6). 6. Encoding and Transmitting Key Material The Diffie-Hellman key material is transmitted in Map-Request and Map-Reply messages. Diffie-Hellman parameters are encoded in the LISP Security Type LCAF[LCAF].[RFC8060]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AFI = 16387 | Rsvd1 | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 11 | Rsvd2 | 6 + n | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Count | Rsvd3 | Cipher Suite | Rsvd4 |R| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Length | Public Key Material ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Public Key Material | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AFI = x | Locator Address ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Cipher Suitefield containsField Contains DH Key Exchange and Cipher/Hash Functions The 'Key Count' field encodes the number of {'Key-Length', 'Key- Material'} fields included in the encoded LCAF. The maximum number of keys that can be encodedare 3,is three, each identified by key-id 1, followed by key-id 2, and finally key-id 3. The 'R' bit is not used for thisuse-caseuse case of the Security Type LCAF but is reserved for [LISP-DDT] security. Therefore, the R bit SHOULD be transmitted as 0 and MUST be ignored on receipt. Cipher Suite 0: Reserved Cipher Suite1:1 (LISP_2048MODP_AES128_CBC_SHA256): Diffie-Hellman Group: 2048-bit MODP [RFC3526] Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Integrity: Integrated with[AES-CBC]AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC] IV length: 16 bytes KDF: HMAC-SHA-256 Cipher Suite2:2 (LISP_EC25519_AES128_CBC_SHA256): Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Encryption: AES with 128-bit keys in CBC mode [AES-CBC] Integrity: Integrated with[AES-CBC]AEAD_AES_128_CBC_HMAC_SHA_256 [AES-CBC] IV length: 16 bytes KDF: HMAC-SHA-256 Cipher Suite3:3 (LISP_2048MODP_AES128_GCM): Diffie-Hellman Group: 2048-bit MODP [RFC3526] Encryption: AES with 128-bit keys in GCM mode [RFC5116] Integrity: Integrated with[RFC5116]AEAD_AES_128_GCM [RFC5116] IV length: 12 bytes KDF: HMAC-SHA-256 Cipher Suite4:4 (LISP_3072MODP_AES128_GCM): Diffie-Hellman Group: 3072-bit MODP [RFC3526] Encryption: AES with 128-bit keys in GCM mode [RFC5116] Integrity: Integrated with[RFC5116]AEAD_AES_128_GCM [RFC5116] IV length: 12 bytes KDF: HMAC-SHA-256 Cipher Suite5:5 (LISP_256_EC25519_AES128_GCM): Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Encryption: AES with 128-bit keys in GCM mode [RFC5116] Integrity: Integrated with[RFC5116]AEAD_AES_128_GCM [RFC5116] IV length: 12 bytes KDF: HMAC-SHA-256 Cipher Suite6:6 (LISP_256_EC25519_CHACHA20_POLY1305): Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519] Encryption: Chacha20-Poly1305 [CHACHA-POLY] [RFC7539] Integrity: Integrated with[CHACHA-POLY]AEAD_CHACHA20_POLY1305 [CHACHA-POLY] IV length: 8 bytes KDF: HMAC-SHA-256 The "Public Key Material" field contains the public key generated by one of the Cipher Suites defined above. The length of thekeykey, inoctetsoctets, is encoded in the "Key Length" field. When an ITR, PITR, or RTR sends a Map-Request, they will encode their own RLOC in the Security Type LCAF format within the ITR-RLOCs field. Whenaan ETR or RTR sends a Map-Reply, they will encode their RLOCs in Security Type LCAF format within the RLOC-record field of each EID- record supplied. If an ITR, PITR, or RTR sends a Map-Request with the Security Type LCAF included and the ETR or RTR does not want to have encapsulated traffic encrypted, they will return a Map-Reply with no RLOC records encoded with the Security Type LCAF. This signals to the ITR,PITRPITR, or RTR not to encrypt traffic (it cannot encrypt trafficanywaysanyway since no ETRpublic-keypublic key was returned). Likewise, if an ITR or PITRwishwishes to include multiple key-ids in theMap-RequestMap-Request, but the ETR or RTRwishwishes to use some but not all of the key-ids,they returnit returns a Map-Reply only for those key-idsthey wishit wishes to use. 7. Shared KeysusedUsed for theData-PlaneData Plane When an ITR or PITR receives a Map-Reply accepting the Cipher Suite sent in the Map-Request, it is ready to createdata planedata-plane keys. The same process is followed by the ETR or RTR returning the Map-Reply. The first step is to create a shared secret, using the peer's shared Diffie-Hellman Public Key Material combined with the device's own private keyingmaterialmaterial, as described in Section 5. TheDiffie-HellmanDiffie- Hellman parameters usedisare defined in the cipher suite sent in theMap- RequestMap-Request and copied into the Map-Reply. The resulting shared secret is used to compute an AEAD-key for the algorithms specified in the cipher suite. A Key Derivation Function (KDF) in countermodemode, as specified by[NIST-SP800-108][NIST-SP800-108], is used to generate the data-plane keys. The amount of keying material that is derived depends on the algorithms in the cipher suite. The inputs to the KDF are as follows: o KDF function. This is HMAC-SHA-256 in thisdocumentdocument, but generally specified in each Cipher Suite definition. o A key for the KDF function. This is the computed Diffie-Hellman shared secret. o Context that binds the use of the data-plane keys to this session. The context is made up of the following fields, which are concatenated and provided as the data to be acted upon by the KDF function. Context: o A counter, represented as a two-octet value in network byte order. o The null-terminated string "lisp-crypto". o The ITR's nonce from the Map-Request the cipher suite was included in. o The number of bits of keying material required (L), represented as a two-octet value in network byte order. The counter value in the context is first set to 1. When the amount of keying material exceeds the number of bits returned by the KDF function, then the KDF function is called again with the same inputs except that the counter increments for each call. When enough keying material is returned, it is concatenated and used to create keys. For example, AES with 128-bit keys requires 16 octets (128 bits) of keying material, and HMAC-SHA1-96 requires another 16 octets (128 bits) of keying material in order to maintain a consistent128-bits128 bits of security. Since 32 octets (256 bits) of keying material are required, and the KDF function HMAC-SHA-256 outputs 256 bits, only one call is required. The inputs are as follows: key-material = HMAC-SHA-256(dh-shared-secret, context) where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0100 In contrast, a cipher suite specifying AES with 256-bit keys requires 32 octets (256 bits) of keying material, and HMAC-SHA256-128 requires another 32 octets (256 bits) of keying material in order to maintain a consistent256-bits256 bits of security. Since 64 octets (512 bits) of keying material are required, and the KDF function HMAC-SHA-256 outputs 256 bits, two calls are required. key-material-1 = HMAC-SHA-256(dh-shared-secret, context) where: context = 0x0001 || "lisp-crypto" || <itr-nonce> || 0x0200 key-material-2 = HMAC-SHA-256(dh-shared-secret, context) where: context = 0x0002 || "lisp-crypto" || <itr-nonce> || 0x0200 key-material = key-material-1 || key-material-2 If the key-material is longer than the required number of bits (L), then only the most significant L bits are used. From the derived key-material, the most significant 256 bits are used for the AEAD-key by AEAD ciphers. The 256-bit AEAD-key is divided into a 128-bit encryption key and a 128-bit integrity check key internal to the cipher used by the ITR. 8. Data-Plane Operation The LISP encapsulation header [RFC6830] requires changes to encode the key-id for the key being used for encryption. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / | Source Port = xxxx | Dest Port = 4341 | UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ | UDP Length | UDP Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ L / |N|L|E|V|I|R|K|K| Nonce/Map-Version |\ \ I +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |A S \ | Instance ID/Locator-Status-Bits | |D P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |/ | Initialization Vector (IV) | I E +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ C n / | | V c | | | r | Packet Payload with EID Header ... | | y | | | p \ | |/ t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ K-bitsindicate when packet is encryptedIndicate When a Packet Is Encrypted andwhich key usedWhich Key Is Used When the KK bits are 00, the encapsulated packet is not encrypted. When the value of the KK bitsareis 1, 2, or 3, it encodes the key-id of the secret keys computed during the Diffie-HellmanMap-Request/ Map-ReplyMap-Request/Map- Reply exchange. When the KK bits are not 0, the payload is prepended with an Initialization Vector (IV). The length of the IV field is based on the cipher suite used. Since all cipher suites defined in this document do Authenticated Encryption with Associated Data (AEAD), an ICV field does not need to be present in the packet since it is included in the ciphertext. The Additional Data (AD) used for the ICV is shown above and includes the LISP header, the IVfieldfield, and the packet payload. When an ITR or PITR receives a packet to be encapsulated, the device will first decide what key to use, encode the key-id into the LISP header, and use that key to encrypt all packet data that follows the LISP header. Therefore, the outer header, UDP header, and LISP header travel as plaintext.ThereAt the time of writing, there is an open working group item to discuss if the data encapsulation header needs change for encryption or any new applications. This document proposes changes to the existing header so experimentation can continue without making large changes to thedata-planedata plane at this time. This document allocates2two bits of the previously unused3three flag bits (note the R-bit above is still a reserved flagbitbit, as documented in [RFC6830]) for the KK bits. 9. Procedures for Encryption and Decryption When an ITR, PITR, or RTRencapsulateencapsulates a packet andhavehas already computed an AEAD-key (detailed insectionSection 7) that is associated with a destination RLOC, the following encryption and encapsulation procedures are performed: 1. The encapsulator creates an IV and prepends the IV value to the packet being encapsulated. For GCM and Chacha cipher suites, the IV is incremented for every packet (beginning with a value of 1 in the first packet) and sent to the destination RLOC. For CBC cipher suites, the IV is a new random number for every packet sent to the destination RLOC. For the Chacha cipher suite, the IV is an 8-byte random value that is appended to a 4-byte counter that is incremented for every packet (beginning with a value of 1 in the first packet). 2. Next encrypt with cipher function AES or Chacha20 using the AEAD- key over the packet payload following the AEAD specification referenced in the cipher suite definition. This does not include the IV. The IV must be transmitted as plaintext so the decrypter can use it as input to the decryption cipher. The payload should be padded to an integral number of bytes a block cipher may require. The result of the AEAD operation may contain an ICV, the size of which is defined by the referenced AEAD specification. Note that the AD(i.e.(i.e., the LISP header exactly as will be prepended in the next step and the IV) must be given to the AEAD encryption function as the "associated data" argument. 3. Prepend the LISP header. The key-id field of the LISP header is set to the key-id value that corresponds to key-pair used for the encryption cipher. 4. Lastly, prepend the UDP header and outer IP header onto the encrypted packet and send packet to destination RLOC. When an ETR, PETR, or RTRreceivereceives an encapsulated packet, the following decapsulation and decryption procedures are performed: 1. The outer IP header, UDP header, LISP header, and IV field are stripped from the start of the packet. The LISP header and IV are retained and given to the AEAD decryption operation as the "associated data" argument. 2. The packet is decrypted using the AEAD-key and the IV from the packet. The AEAD-key is obtained from a local-cache associated with the key-id value from the LISP header. The result of the decryption function is a plaintext packet payload if the cipher returned a verified ICV. Otherwise, the packet is invalid and is discarded. If the AEAD specification included an ICV, the AEAD decryption function will locate the ICV in the ciphertext and compare it to a version of the ICV that the AEAD decryption function computes. If the computed ICV is different than the ICV located in the ciphertext, then it will be considered tampered. 3. If the packet was not tampered with, the decrypted packet is forwarded to the destination EID. 10. Dynamic Rekeying Since multiple keys can be encoded in both control and data messages, an ITR can encapsulate and encrypt with a specific key while it is negotiating other keys with the same ETR. As soon as an ETR or RTR returns a Map-Reply, it should be prepared to decapsulate and decrypt using the new keys computed with the new Diffie-Hellman parameters received in the Map-Request and returned in the Map-Reply. RLOC-probing can be used to change keys or cipher suites by the ITR at any time. And when an initial Map-Request is sent to populate the ITR's map-cache, the Map-Request flows across the mapping system where a single ETR from the Map-Reply RLOC-set will respond. If the ITR decides to use the other RLOCs in the RLOC-set, it MUST send a Map-Request directly to negotiate security parameters with the ETR. This process may be used to test reachability from an ITR to an ETR initially when a map-cache entry is added for the first time, so an ITR can get both reachability status and keys negotiated with one Map-Request/Map-Reply exchange. A rekeying event is defined to be when an ITR or PITR changes the cipher suite orpublic-keypublic key in the Map-Request. The ETR or RTR compares the cipher suite andpublic-keypublic key it last received from the ITR for the key-id, and if any value has changed, it computes a newpublic-keypublic key and cipher suite requested by the ITR from the Map-Request and returns it in the Map-Reply. Now a new shared secret is computed and can be used for the key-id for encryption by the ITR and decryption by the ETR. When the ITR or PITR starts this process of negotiating a new key, it must not use the corresponding key-id in encapsulated packets until it receives a Map-Reply from the ETR with the same cipher suite value it expects (the values it sent in a Map- Request). Note when RLOC-probing continues to maintain RLOC reachability and rekeying is not desirable, the ITR or RTR can either not include the Security Type LCAF in the Map-Request or supply the same key material as it received from the last Map-Reply from the ETR or RTR. This approach signals to the ETR or RTR that no rekeying event is requested. 11. Future Work For performance considerations, newer Elliptic-Curve Diffie-Hellman (ECDH) groups can be used as specified in [RFC4492] and [RFC6090] to reduce CPU cycles required to compute shared secret keys. For better security considerations as well as to be able to build faster software implementations, newer approaches to ciphers and authentication methods will be researched and tested. Some examples are Chacha20 and Poly1305 [CHACHA-POLY] [RFC7539]. 12. Security Considerations 12.1. SAAG Support The LISP working group received security advice and guidance from the Security Area Advisory Group (SAAG). The SAAG has been involved early in the designprocessprocess, and their input and reviews have been included in this document. Comments from the SAAG included: 1. Do not use asymmetric ciphers in thedata-plane.data plane. 2. Consider adding ECDH early in the design. 3. Add cipher suites because ciphers are created more frequently than protocols that use them. 4. Consider the newer AEAD technology so authentication comes with doing encryption. 12.2. LISP-Crypto Security Threats Since ITRs and ETRs participate in key exchange over a public non- secure network, aman-in-the-middleman in the middle (MITM) could circumvent the key exchange and compromise data-plane confidentiality. This can happen when the MITM is acting as a Map-Replier, provides its own public key so the ITR and the MITM generate a shared secret keyamong each other.between them. If the MITM is in the data path between the ITR and ETR, it can use the shared secret key to decrypt traffic from the ITR. Since LISP can secure Map-Replies by the authentication process specified in [LISP-SEC], the ITR can detect when a MITM has signed a Map-Reply for an EID-prefix for which it is notauthoritative for.authoritative. When an ITR determines that the signature verification fails, it discards and does not reuse the key exchange parameters, avoids using the ETR for encapsulation, and issues a severe log message to the network administrator. Optionally, the ITR can send RLOC-probes to the compromised RLOC to determine if can reach the authoritative ETR. And when the ITR validates the signature of a Map-Reply, it can begin encrypting and encapsulating packets to the RLOC of ETR. 13. IANA Considerations This document describes a mechanism for encryptingLISP encapsulatedLISP-encapsulated packets based on Diffie-Hellman key exchange procedures. During theexchangeexchange, the devices have to agree on a Cipher Suite to be used(i.e.(i.e., the cipher and hash functions used to encrypt/decrypt and to sign/verify packets). The 8-bit Cipher Suite field is reserved for such purpose in the security material section of the Map-Request and Map-Reply messages.This document requestsIANAto create and maintainhas created a new registry (as outlined in [RFC5226])entitledtitled "LISP Crypto Cipher Suite". Initial values for the registry are provided below. Future assignments are to be made on a "First Come, FirstCome First Served Basis.Served" basis [RFC5226]. +-----+--------------------------------------------+------------+ |Value| Suite |DefinitionReference | +-----+--------------------------------------------+------------+ | 0 | Reserved | Section 6 | +-----+--------------------------------------------+------------+ | 1 | LISP_2048MODP_AES128_CBC_SHA256 | Section 6 | +-----+--------------------------------------------+------------+ | 2 | LISP_EC25519_AES128_CBC_SHA256 | Section 6 | +-----+--------------------------------------------+------------+ | 3 | LISP_2048MODP_AES128_GCM | Section 6 | +-----+--------------------------------------------+------------+ | 4 | LISP_3072MODP_AES128_GCMM-3072| Section 6 | +-----+--------------------------------------------+------------+ | 5 | LISP_256_EC25519_AES128_GCM | Section 6 | +-----+--------------------------------------------+------------+ | 6 | LISP_256_EC25519_CHACHA20_POLY1305 | Section 6 | +-----+--------------------------------------------+------------+ LISP Crypto Cipher Suites 14. References 14.1. Normative References[LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format", draft-ietf-lisp-lcaf-13.txt (work in progress).[NIST-SP800-108]"NationalNational Institute of Standards and Technology, "Recommendation for Key Derivation Using PseudorandomFunctions NIST SP800-108"",Functions", NIST Special Publication SP 800-108, DOI 10.6028/NIST.SP.800-108, October 2009. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999, <http://www.rfc-editor.org/info/rfc2631>. [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, DOI 10.17487/RFC3526, May 2003, <http://www.rfc-editor.org/info/rfc3526>. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, DOI 10.17487/RFC4492, May 2006, <http://www.rfc-editor.org/info/rfc4492>. [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, <http://www.rfc-editor.org/info/rfc5116>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>. [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, <http://www.rfc-editor.org/info/rfc6090>. [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, <http://www.rfc-editor.org/info/rfc6830>. [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <http://www.rfc-editor.org/info/rfc6973>. [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, <http://www.rfc-editor.org/info/rfc7539>. [RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060, January 2017, <http://www.rfc-editor.org/info/rfc8060>. 14.2. Informative References [AES-CBC] McGrew, D., Foley, J., and K. Paterson, "Authenticated Encryption with AES-CBC and HMAC-SHA",draft-mcgrew-aead- aes-cbc-hmac-sha2-05.txt (workWork inprogress).Progress, draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014. [CHACHA-POLY] Langley,A.,A. and W. Chang, "ChaCha20 and Poly1305 based Cipher Suites for TLS",draft-agl-tls-chacha20poly1305-04 (workWork inprogress).Progress, draft-agl-tls- chacha20poly1305-04, November 2013. [CURVE25519] Bernstein, D., "Curve25519: new Diffie-Hellman speed records",Publication http://www.iacr.org/cryptodb/archive/2006/ PKC/3351/3351.pdf.DOI 10.1007/11745853_14, <http://www.iacr.org/cryptodb/archive/2006/ PKC/3351/3351.pdf>. [DH] Wikipedia, "Diffie-Hellman key exchange",Wikipedia http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange.January 2017, <https://en.wikipedia.org/w/index.php?title=Diffie%E2%80%9 3Hellman_key_exchange&oldid=759611604>. [LISP-DDT] Fuller, V., Lewis, D., Ermaagan, V., and A. Jain, "LISP Delegated Database Tree",draft-fuller-lisp-ddt-04 (workWork inprogress).Progress, draft-fuller- lisp-ddt-04, September 2012. [LISP-SEC] Maino, F., Ermagan, V., Cabellos, A., and D. Saucez,"LISP-Secuirty"LISP-Security (LISP-SEC)",draft-ietf-lisp-sec-10 (workWork inprogress). Appendix A.Progress, draft-ietf- lisp-sec-12, November 2016. Acknowledgments The authors would like to thank Dan Harkins, Joel Halpern, Fabio Maino, Ed Lopez, Roger Jorgensen, and Watson Ladd for their interest, suggestions, and discussions about LISP data-plane security. An individual thank you to LISP WGchairChair Luigi Iannone for shepherding this document as well as contributing to the IANA Considerations section. The authors would like to give a special thank you to Ilari Liusvaara for his extensive commentary and discussion. He has contributed his security expertise to make lisp-crypto as secure as the state of the art in cryptography. In addition, the support and suggestions from the SAAG working group were helpful andappreciative.appreciated. Authors' Addresses Dino Farinacci lispers.net San Jose, California 95120USAUnited States of America Phone: 408-718-2001 Email: farinacci@gmail.com Brian WeisciscoCisco Systems 170 West Tasman Drive San Jose, California 95124-1706USAUnited States of America Phone: 408-526-4796 Email: bew@cisco.com