| draft-ietf-mip6-cn-ipsec-03.txt | cn-ipsec-03-edits.txt | |||
|---|---|---|---|---|
| MIP6 Working Group F. Dupont | MIP6 Working Group F. Dupont | |||
| Internet-Draft CELAR | Internet-Draft CELAR | |||
| Intended status: Informational J-M. Combes | Intended status: Informational J-M. Combes | |||
| Expires: February 4, 2007 France Telecom DR&D | Expires: February 4, 2007 France Telecom DR&D | |||
| August 3, 2006 | August 3, 2006 | |||
| Using IPsec between Mobile and Correspondent IPv6 Nodes | Using IPsec between Mobile and Correspondent IPv6 Nodes | |||
| draft-ietf-mip6-cn-ipsec-03.txt | draft-ietf-mip6-cn-ipsec-03-edits.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 2, line 11 | skipping to change at page 2, line 11 | |||
| option validation (aka. triangular routing) and protection of | option validation (aka. triangular routing) and protection of | |||
| mobility signaling for route optimizations. The configuration | mobility signaling for route optimizations. The configuration | |||
| details for IPsec and IKE are also provided. | details for IPsec and IKE are also provided. | |||
| 1. Introduction | 1. Introduction | |||
| Mobile IPv6 documents [RFC3775][RFC3776] specifies IPsec [RFC4301] | Mobile IPv6 documents [RFC3775][RFC3776] specifies IPsec [RFC4301] | |||
| for the protection of the signaling between the mobile node (MN) and | for the protection of the signaling between the mobile node (MN) and | |||
| its home agent (HA), and the return routability procedure between the | its home agent (HA), and the return routability procedure between the | |||
| mobile node and its correspondent nodes (CN) for routing | mobile node and its correspondent nodes (CN) for routing | |||
| optimization. But any stronger mechanism (i.e., more secure than the | optimization. This document defines an alternative mechanism based on | |||
| return routability procedure) may be used, including of course IPsec | strong authentication and IPsec. | |||
| (cf. [RFC3775] Appendix 3 "New Authorization Methods"). | ||||
| This document specifies which IPsec configurations can be useful in a | This document specifies which IPsec configurations can be useful in a | |||
| Mobile IPv6 context and how they can validate home address options | Mobile IPv6 context and how they can validate home address options | |||
| (enabling triangular routing) and protect mobility signaling | (enabling triangular routing) and protect mobility signaling | |||
| (enabling routing optimization). It gives detailed IKE | (enabling routing optimization). It gives detailed IKE | |||
| [RFC2409][RFC4306] configuration guidelines for common cases. | [RFC2409][RFC4306] configuration guidelines for common cases. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| IKE terminology is copied from IKEv2 [RFC4306]. | IKE terminology is copied from IKEv2 [RFC4306]. | |||
| 2. Applicability | 2. Applicability | |||
| The purpose of this document is not to replace the [RFC3775] return | The purpose of this document is not to replace the [RFC3775] return | |||
| routability procedure by the use of IPsec/IKE which has some | routability procedure by the use of IPsec/IKE. It is unrealistic to | |||
| authentication requirements which make its universal deployment more | expect credentials to be available for strong authentication between | |||
| than unrealistic. | any pair of communication hosts. | |||
| The idea is to enable the use of the superior security provided by | The idea is to enable the use of the superior security provided by | |||
| IPsec when it is already in use (i.e., comes at no extra cost), | IPsec when it is already in use (i.e., comes at no extra cost), | |||
| obstacles (i.e., authentication) to its use no more stand in the way, | obstacles (i.e., authentication) to its use no more stand in the way, | |||
| or simply when it can be considered as highly desirable. | or simply when it can be considered as highly desirable. | |||
| This mechanism should only be turned on by explicit configuration | ||||
| between specific peers. The mechanism does not support automatic | ||||
| capability negotiation at this time. | ||||
| 3. IPsec in a Mobile IPv6 context | 3. IPsec in a Mobile IPv6 context | |||
| This document considers only suitable IPsec security associations, | This document considers only suitable IPsec security associations, | |||
| i.e., anything which does not fulfill the following requirements is | i.e., anything which does not fulfill the following requirements is | |||
| out of scope: | out of scope: | |||
| - IPsec security association pairs MUST be between the mobile node | - IPsec security association pairs MUST be between the mobile node | |||
| and one of its correspondent nodes. | and one of its correspondent nodes. | |||
| - origin authentication, payload integrity and anti-replay services | - origin authentication, payload integrity and anti-replay services | |||
| MUST be selected. | MUST be selected. | |||
| - the traffic selectors MUST match exclusively the home address of | - the traffic selectors MUST match exclusively the home address of | |||
| skipping to change at page 3, line 45 | skipping to change at page 3, line 45 | |||
| CN does the home address option validation by successful IPsec | CN does the home address option validation by successful IPsec | |||
| processing of the packet. The care-of address in the source address | processing of the packet. The care-of address in the source address | |||
| field of the IPv6 header is not used by IPsec at all as the IPsec | field of the IPv6 header is not used by IPsec at all as the IPsec | |||
| policy checks happen against the home address. The CN continues to | policy checks happen against the home address. The CN continues to | |||
| send the packets via the home network until a binding update is | send the packets via the home network until a binding update is | |||
| processed. | processed. | |||
| 5. Routing Optimization | 5. Routing Optimization | |||
| A suitable IPsec security association can protect binding updates and | A suitable IPsec security association can protect binding updates and | |||
| acknowledgments. In binding updates the new requirements are: | acknowledgments. In Binding Updates the new requirements are: | |||
| - the H (home registration) and K (key management mobility | - Nonce Indices and Binding Authorization Data options SHOULD NOT be | |||
| capability) bits MUST be cleared. | ||||
| - Nonce indices and binding authorization data options SHOULD NOT be | ||||
| sent by the mobile node and MUST be ignored by the correspondent | sent by the mobile node and MUST be ignored by the correspondent | |||
| node. | node. | |||
| - when an alternate care-of address option is present and is not | - When an Alternate Care-of Address option is present, the alternate | |||
| checked using the state cookie mechanism [COOKIE], the alternate | ||||
| care-of address MUST match the source address in the IP header or | care-of address MUST match the source address in the IP header or | |||
| the home address itself. Any binding update which does not | the home address itself. Any Binding Update which does not | |||
| fulfill this requirement MUST be rejected. | fulfill this requirement MUST be rejected. | |||
| - as ESP can only protect the payload, an alternate care-of address | ||||
| option MUST be used in conjunction with ESP (cf. [RFC3775] section | ||||
| 11.7.1). | ||||
| In binding acknowledgments the new requirements are: | In Binding Acknowledgments the new requirements are: | |||
| - the K (key management mobility capability) bit MUST be cleared. | - Binding Authorization Data option SHOULD NOT be sent by the | |||
| - binding authorization data option SHOULD NOT be sent by the | ||||
| correspondent node and MUST be ignored by the mobile node. | correspondent node and MUST be ignored by the mobile node. | |||
| - "long" lifetime compatible with the IPsec policy (i.e., by default | ||||
| up to the IPsec security association lifetime) MAY be granted. | The use of the K (Key Management Mobility Capability) bit with | |||
| correspondent nodes is not defined. This bit is always set to zero | ||||
| on sending a Binding Update or Acknowledgment, and ignored on | ||||
| receipt. | ||||
| Note that a relatively "long" lifetime compatible with the IPsec | ||||
| policy (i.e., by default up to the IPsec security association | ||||
| lifetime) MAY be used with correspondent registrations, in | ||||
| contrast to the short lifetime required by standard RFC 3775 | ||||
| mechanisms. | ||||
| 6. IKE configurations | 6. IKE configurations | |||
| This document considers only IKE where it is used for mobility | This document considers only IKE where it is used for mobility | |||
| purpose. Peer addresses (addresses IKE runs over) are the addresses | purpose. Peer addresses (addresses IKE runs over) are the addresses | |||
| seen at the transport or application layer, i.e., when the mobile | seen at the transport or application layer, i.e., when the mobile | |||
| node uses its home address as the source of an IKE message, the | node uses its home address as the source of an IKE message, the | |||
| source address in the IP header can (should!) be a care-of address. | source address in the IP header can (should!) be a care-of address. | |||
| IKE MUST be run over the home address for the mobile node side when | IKE MUST be run over the home address for the mobile node side when | |||
| the home address is usable. The case where the home address in | the home address is usable. The case where the home address in | |||
| unusable is the subject of Appendix A. | unusable is the subject of Appendix A. | |||
| The home address MAY be used in (phase 1) mobile node Identification | The home address MAY be used in (phase 1) mobile node Identification | |||
| payloads. But this does not work well with dynamic home addresses, | payloads. But this does not work well with dynamic home addresses, | |||
| so when it is acceptable by the correspondent node policy, name based | so when it is acceptable by the correspondent node policy, name based | |||
| Identification (i.e., of type ID_FQDN or ID_RFC822_ADDR, [RFC4306] | Identification (i.e., of type ID_FQDN or ID_RFC822_ADDR, [RFC4306] | |||
| section 3.5) payloads SHOULD be used by the mobile node. | section 3.5) payloads SHOULD be used by the mobile node. | |||
| When the home address is bound to a public key, for instance when the | ||||
| home address is a Cryptographically Generated Addresses [RFC3972], | ||||
| the strong authentication MAY be replaced by an address ownership | ||||
| proof as described for instance in [IKECGA]. | ||||
| The IKE peer policy MAY restrict IPsec security associations to the | ||||
| protection of Mobile IPv6 signaling, i.e., restrict the traffic | ||||
| selectors to the mobility header "upper protocol" with at least | ||||
| binding update and acknowledgment message types. This SHOULD be the | ||||
| default policy when authentication or authorization can be considered | ||||
| as being weak, for instance when the previous paragraph is applied. | ||||
| 7. Security Considerations | 7. Security Considerations | |||
| IPsec is far more secure than the return routability procedure, thus | Where the means to create suitable IPsec security associations | |||
| it should be used where it is applicable. So this document can | exist, this mechanism provides origin authentication, integrity | |||
| increase at least the overall security of Mobile IPv6. | protection, replay protection and optional confidentiality services | |||
| for the Mobile IPv6 signalling. This improves the security over | ||||
| RFC 3775 route optimization, as the signaling packets in the latter | ||||
| are vulnerable to man-in-the-middle attacks. The implications of | ||||
| this vulnerability are subtle, however, given that an attacker in | ||||
| the same position is also capable of seeing all the payload packets | ||||
| and could launch other attacks with similar implications. For | ||||
| instance, such an attacker could see or modify the contents of | ||||
| payload packets not protected with end-to-end security and cause | ||||
| denial-of-service for others. However, the RFC 3775 mechanism | ||||
| allows such attacks in a short time window even after the attacker | ||||
| is no longer in a position to see the payload packets | ||||
| themselves. The mechanism defined in this specification removes | ||||
| this vulnerability, and is also secure independently of the | ||||
| possible vulnerabilities related to payload packets. | ||||
| Two points are worthy of special considerations: | However, unlike RFC 3775 this mechanism should only be used when | |||
| - no care-of address test is required when ingress filtering can | the correspondent node has good reason to trust the actions of the | |||
| reject fake care-of addresses from a rogue mobile node but a | mobile node. In particular, the correspondent node needs to be | |||
| correspondent node can use the return routability state cookie | certain that the mobile node will not launch flooding attacks | |||
| procedure to get extra insurance as well as for the support of | against a third party as described in [RODESIGN]. Without such | |||
| real alternate care-of addresses. | trust the only protection comes from the application of ingress | |||
| - in order to avoid granting any extra privilege by a side effect of | filtering in the network where the attacker resides. However, at | |||
| using IPsec, the peers (i.e., the mobile and correspondent nodes) | the moment ingress filtering has not been universally deployed. | |||
| may restrict the traffic selectors to the protection of mobility | This mechanism is vulnerable to flooding attacks as it does not | |||
| signaling only. This should be applied to any dubious cases, | verify the validity of a claimed new care-of address. | |||
| including by default when security administration is known to be | ||||
| too light. | In order to avoid granting extra privileges by a side effect this | |||
| mechanism, the application of this mechanism must not lead to | ||||
| allowing any new, previously unauthorized traffic to flow between | ||||
| the peers beyond mobility signaling with the Mobility Header (MH) | ||||
| protocol. The IKE peer policy MAY also restrict IPsec security | ||||
| associations to the protection of Mobile IPv6 signaling, i.e., | ||||
| restrict the traffic selectors to MH with at least Binding Update | ||||
| and Acknowledgment message types. | ||||
| 8. Acknowledgments | 8. Acknowledgments | |||
| The authors would like to thank many people for believing in IPsec as | The authors would like to thank many people for believing in IPsec as | |||
| a right way to secure Mobile IPv6. Special thanks to Wassim Haddad | a right way to secure Mobile IPv6. Special thanks to Wassim Haddad | |||
| and Claude Castelluccia for keeping our attention to special cases | and Claude Castelluccia for keeping our attention to special cases | |||
| where home addresses are derived from public keys. | where home addresses are derived from public keys. | |||
| 9. Changes from previous versions | 9. Possible Enhancements | |||
| A number of potential future enhancements of this method are | ||||
| possible, including, for instance, use of addresses bound to keys | ||||
| to avoid configuration effort or various mechanisms for the | ||||
| verification of care of addresses. See [IKECGA, COOKIE, ROENH] for | ||||
| some of these and related ideas. | ||||
| 10. Changes from previous versions | ||||
| To be removed prior to publication as an RFC. | To be removed prior to publication as an RFC. | |||
| An applicability section was added. | An applicability section was added. | |||
| The IKE running over a care-of address was moved to an appendix as it | The IKE running over a care-of address was moved to an appendix as it | |||
| is not at all the standard case. | is not at all the standard case. | |||
| The care-of address test annex was moved to its own document | The care-of address test annex was moved to its own document | |||
| [COOKIE]. | [COOKIE]. | |||
| Peer address clarification (thanks to Mohan Parthasarathy). Change | Peer address clarification (thanks to Mohan Parthasarathy). Change | |||
| SHOULD/MAY to MUST/MUST for mobile node peer address. | SHOULD/MAY to MUST/MUST for mobile node peer address. | |||
| 10. References | 11. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, BCP 14, March 1997. | Requirement Levels", RFC 2119, BCP 14, March 1997. | |||
| [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange | [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange | |||
| (IKE)", RFC 2409, November 1998. | (IKE)", RFC 2409, November 1998. | |||
| [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support | [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support | |||
| skipping to change at page 6, line 46 | skipping to change at page 6, line 46 | |||
| June 2003. | June 2003. | |||
| [ORCHID] Nikander, P., Laganier, J., and F. Dupont, "An IPv6 Prefix | [ORCHID] Nikander, P., Laganier, J., and F. Dupont, "An IPv6 Prefix | |||
| for Overlay Routable Cryptographic Hash Identifiers | for Overlay Routable Cryptographic Hash Identifiers | |||
| (ORCHID)", draft-laganier-ipv6-khi-02.txt (work in | (ORCHID)", draft-laganier-ipv6-khi-02.txt (work in | |||
| progress), June 2006. | progress), June 2006. | |||
| [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", | [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", | |||
| RFC 3972, March 2005. | RFC 3972, March 2005. | |||
| [ROENH] Vogt, C., and Arkko, J. "A Taxonomy and Analysis of | ||||
| Enhancements to Mobile IPv6 Route Optimization", | ||||
| draft-irtf-mobopts-ro-enhancements-08.txt (work in | ||||
| progress), November 2006. | ||||
| [RODESIGN] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and | ||||
| E. Nordmark, "Mobile IP Version 6 Route Optimization | ||||
| Security Design Background", RFC 4226, December 2005. | ||||
| Appendix A. IKE running over a care-of address | Appendix A. IKE running over a care-of address | |||
| In special circumstances where the home address can be unusable, like | In special circumstances where the home address can be unusable, like | |||
| when the home address is ORCHID [ORCHID] based and not routable, IKE | when the home address is ORCHID [ORCHID] based and not routable, IKE | |||
| must be run over a care-of address but this has many known drawbacks: | must be run over a care-of address but this has many known drawbacks: | |||
| - a care-of address can not be used for authentication nor | - a care-of address can not be used for authentication nor | |||
| authorization. | authorization. | |||
| - security associations do not survive handoffs. | - security associations do not survive handoffs. | |||
| - the establishment of transport mode IPsec security association | - the establishment of transport mode IPsec security association | |||
| End of changes. 16 change blocks. | ||||
| 51 lines changed or deleted | 82 lines changed or added | |||
This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||