Network Working Group L. Yong Internet-Draft Huawei USA Intended status: Standard Track T. Herbert Facebook Expires: September 2016 March 14, 2016 Generic UDP Encapsulation (GUE) for Secure Transport draft-hy-gue-4-secure-transport-03 Abstract This document specifies the ability of Generic UDP Encapsulation (GUE) to provide secure transport over IP networks and the Internet, including GUE header integrity protection and origin authentication and GUE payload encryption. These are optional features of GUE. Status of This Document This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 14, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Yong & Herbert [Page 1] Internet-Draft GUE for Secure Transport March 2016 Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction...................................................3 2. Terminology....................................................3 2.1. Requirements Language.....................................3 3. GUE Security...................................................3 4. GUE Payload Encryption.........................................5 5. Encapsulation/Decapsulation Operations.........................7 6. Considerations of Using Other Security Tunnel Mechanisms.......8 7. Security Considerations........................................9 7.1. GUE Security Field Usage..................................9 7.1.1. Cookies..............................................9 7.1.2. Secure hash..........................................9 8. IANA Considerations...........................................10 9. References....................................................10 9.1. Normative References.....................................10 9.2. Informative References...................................11 10. Authors' Addresses...........................................11 Yong & Herbert [Page 2] Internet-Draft GUE for Secure Transport March 2016 1. Introduction Generic UDP Encapsulation [GUE] is the protocol that specifies tunneling a network protocol over an IP network or Internet and a UDP tunnel. The tunneled network protocol is encapsulated in GUE header [GUE] at a tunnel encapsulator, transported as a regular IP packet, and decapsulated at the tunnel decapsulator. This draft specifies the security capabilities for GUE. One security capability is to provide origin authentication and integrity protection of the GUE header at tunnel end points to guarantee isolation between tunnels and mitigate Denial of Service attacks. Another capability is payload encryption that prevents the payload from eavesdropping, tampering, or message forgery. These security capabilities are specified as optional features of GUE. In theory, uses of GUE could leverage other existing tunnel mechanisms that provides secure transport over Internet such as DTLS [RFC6347] and IPsec[RFC4301]. Section 6 discusses the weakness to rely on another tunnel mechanism for GUE secure transport. 2. Terminology The terms defined in GUE [GUE] are used in this document. 2.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. GUE Security This document proposes to allocate two flag bits from GUE optional flag field as the Security flag for GUE integrity protection and authentication validation. GUE header format with Security Flag is shown in Figure 1. The second and third bits in GUE optional flag field are allocated for Security mechanism. Yong & Herbert [Page 3] Internet-Draft GUE for Secure Transport March 2016 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source port | Destination port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver|C| Hlen | Proto/Ctype |V|SEC| Undefined Flags |E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Virtual Network ID (Optional) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Security Field ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1 GUE Header Format with Security Flag o 'V' Virtualization flag: This flag is designated for network virtualization overlay (NVO)[GUE4NVO]. o 'SEC' Security flags: Indicates presence of security field. To provide security capability, the flags MUST be set. Different sizes are allowed to allow different methods and extensibility. The use of the security field is expected to be negotiated out of band between two tunnel end points. Potential uses of the security field are discussed in Section of Security Considerations. o 00 - No security field o 01 - 64 bit security field o 10 - 128 bit security field o 11 - 256 bit security field The usage of the key fields in the GUE header [GUE] for the security mechanism is described as below: o Ver: Set to 0x0. Security option is designed for GUE version 0. o 'C' Control flag: When it set, control message presents and control processing MUST occur after security validation. o Hlen: length of optional fields (byte)/4. Note that Payload Transform function does not require a private field. Yong & Herbert [Page 4] Internet-Draft GUE for Secure Transport March 2016 o Proto/ctype: Contain the protocol of the encapsulated payload packet, i.e. next header when the C bit is not set. Contains a control message type when the C bit is set. The next header begins at the offset provided by Hlen. 'E' Extension flag. It is the last bit in the GUE header. For usage of Extension field see [GUE]. The security transport does not require use of any extension field. UDP header field must be set per [GUE]. The checksum and length implementation MUST be compliant with GUE implementation [GUE]. 4. GUE Payload Encryption The payload of a GUE packet can be secured using Datagram Transport Layer Security [RFC6347]. An encapsulator would apply DTLS to the GUE payload so that the payload packets are encrypted and the GUE header remains in plaintext. To differ encrypted payload from plaintext payload, the document proposes allocating one flag from GUE optional flag field for payload transformation indication and adding a 32 bit field when Payload Transform flag is set. Following format shows GUE header with Payload Transform flag, i.e. 'T' is set. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source port | Destination port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver|C| Hlen | Proto/Ctype |V|SEC|K|F|S|T| Flags |E| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | VNID, security, GUE checksum, fragmentation, ~ ~ Session (optional) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Transform Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2 GUE Header with Payload Transform Flag A 32 bits field in GUE header is for the payload transform function and MUST be presented when Payload Transform flag T is set and MUST Yong & Herbert [Page 5] Internet-Draft GUE for Secure Transport March 2016 NOT be presented when clear. The format of Payload Transform Field is in Figure 3. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Payload Type | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3 Payload Transform Field Format Type: Payload Transform Type or Code point. Each payload transform mechanism must have one code point registered in IANA. This document specifies: 0x01: for DTLS [RFC6347] 0x80~0xFF: for private payload transform types A private payload transform type can be used for experimental purpose or vendor proprietary mechanism. Payload Type: used to indicate the encrypted payload type. When encryption flag is set, next protocol in the base header should set to 59 ("No next header") for a data message and zero for a control message. The payload type (IP protocol or control message type) of the unencrypted paytload must be encoded in this field. The benefit of this rule is to prevent a middle box from inspecting the encrypted payload according to GUE next protocol. Assumption here is that a middle box may understand GUE base header but does not understand GUE option flag definitions. Reserved field for DTLS type MUST set to Zero. For other transformation type, the reserved field may be specified for a purpose. The usage of the key fields in the GUE header [GUE] for the payload encryption mechanism is described as below: o Ver: Set to 0x0. Payload transform option applies to version 0x0. o Control flag: When it set, control message presents SHOULD be encrypted except GUE base header. o Hlen: length of optional fields (byte)/4 o Proto/CType: Set to 59. The payload type is encoded in the payload encryption option field. Yong & Herbert [Page 6] Internet-Draft GUE for Secure Transport March 2016 o 'E' Extension flag. It is the last bit in the GUE header. For usage of Extension field see [GUE]. The payload encryption does not require use of any extension field. UDP header usage for payload encryption mechanism: UDP dst port SHOULD be filled with GUE port [GUE]; UDP src port MAY be filled with entropy or a random value. The checksum and length implementation MUST be compliant with GUE implementation [GUE]. 5. Encapsulation/Decapsulation Operations GUE secure transport mechanism applies to both IPv4 and IPv6 underlay networks. The outer IP address MUST be tunnel egress IP address (dst) and tunnel ingress IP address (src). GUE security option provides origin authentication and integrity to GUE based tunnel; GUE payload encryption provides payload privacy over an IP delivery network or Internet. Two functions are processed separately at tunnel end points. A GUE tunnel can use both functions or use one of them. When both encryption and security are required, an encapsulator must perform payload encryption first and then encapsulate the encrypted packet with security flag and encryption flag set in GUE header; the security field must be filled according Section 3 above; the encryption field must be filled according to Section 4 above; the decapsulator must decapsulate the packet first, then perform the authentication validation; if the validation is successful, it performs the payload decryption according the encryption information in the payload encryption field in the header; if the validation fails, the decapsulator must discard the packet and may generate an alert to the management system. These processing rules also apply when only one function, either encryption or security, is enabled, except another function is not performed as stated above. If GUE fragmentation is used in concert with the GUE security option and/or payload transform option, the security and playload transformation are performed after fragmentation at the encapsulator and before reassembly at the decapsulator. In order to get flow entropy from the payload, the encapsulator needs to get the flow entropy first before performing the payload encryption; then the flow entropy is inserted into UDP src port in the GUE header. DTLS [RFC6347] provides packet fragmentation capability. To avoid packet fragmentation performed multiple times at GUE encapsulator, GUE encapsulator SHOULD only perform the packet fragmentation at Yong & Herbert [Page 7] Internet-Draft GUE for Secure Transport March 2016 packet encapsulation process, i.e., not in payload encryption process. The encryption process should apply to GUE control packets. DTLS usage [RFC6347] is limited to a single DTLS session for any specific tunnel encapsulator/decapsulator pair (identified by source and destination IP addresses). Both IP addresses MUST be unicast addresses - multicast traffic is not supported when DTLS is used. A GUE tunnel decapsulator implementation that supports DTLS can establish DTLS session(s) with one or multiple tunnel encapsulators, and likewise a GUE tunnel encapsulator implementation can establish DTLS session(s) with one or multiple decapsulators. 6. Considerations of Using Other Security Tunnel Mechanisms GUE may rely on other secure tunnel mechanisms such as DTLS [RFC6347] for securing the whole GUE packet or IPsec [RFC4301] to achieve the secure transport over an IP network or Internet. IPsec [RFC4301] was designed as a network security mechanism, and therefore it resides at the network layer. As such, if the tunnel is secured with IPsec, the UDP header would not be visible to intermediate routers anymore in either IPsec tunnel or transport mode. The big drawback here prohibits intermediate routers to perform load balance based on the flow entropy in UDP header. In addition, this method prohibits any middle box function on the path. By comparison, DTLS [RFC6347] was designed with application security and can better preserve network and transport layer protocol information than IPsec [RFC4301]. Using DTLS to secure the GUE tunnel, both GUE header and payload will be encrypted. In order to differentiate plaintext GUE header from encrypted GUE header, the destination port of the UDP header between two must be different, which essentially requires another standard UDP port for GUE with DTLS. The drawback on this method is to prevent a middle box operation to GUE tunnel on the path. Use of two independent tunnel mechanisms such as GUE and DTLS to carry a network protocol over an IP network adds some overlap and process complex. For example, fragmentation will be done twice. As the result, a GUE tunnel SHOULD use the security mechanisms specified in this document to provide secure transport over an IP network or Internet when it is needed. GUE tunnel can be used as secure transport mechanism over an IP network and Internet. Yong & Herbert [Page 8] Internet-Draft GUE for Secure Transport March 2016 7. Security Considerations Encapsulation of network protocol in GUE should not increase security risk, nor provide additional security in itself. GUE requires that the source port for UDP packets should be randomly seeded to mitigate some possible denial service attacks. If the integrity and privacy of data packets being transported through GUE is a concern, GUE security and payload encryption SHOULD be used to remove the concern. If the integrity is the only concern, the tunnel may consider use of GUE security only for optimization. Likewise, if the privacy is the only concern, the tunnel may use GUE encryption function only. If GUE payload already provides secure mechanism, e.g., the payload is IPsec packets, it is still valuable to consider use of GUE secure mechanisms for the payload header privacy and the tunnel integrity. 7.1. GUE Security Field Usage The GUE security field should be used to provide integrity and authentication of the GUE header. Security negotiation (interpretation of security field, key management, etc.) is expected to be negotiated out of band between two communicating hosts. Two possible uses for this field are outlined below, a more precise specification is deferred to other documents. 7.1.1. Cookies The security field may be used as a cookie. This would be similar to cookie mechanism described in L2TP [RFC3931], and the general properties should be the same. The cookie may be used to validate the encapsulation. The cookie is a shared value between an encapsulator and decapsulator which should be chosen randomly and may be changed periodically. Different cookies may used for logical flows between the encapsulator and decapsulator, for instance packets sent with different VNIs in network virtualization [GUE4NVO] might have different cookies. 7.1.2. Secure hash Strong authentication of the GUE header can be provided using a secure hash. This may follow the model of the TCP authentication option [RFC5925]. In this case the security field holds a message digest for the GUE header (e.g. 16 bytes from MD5). The digest might be done over static fields in IP and UDP headers per negotiation (addresses, ports, and protocols). In order to provide enough Yong & Herbert [Page 9] Internet-Draft GUE for Secure Transport March 2016 entropy, a random salt value in each packet might be added, for instance the security field could be a 256 bit value which contains 128 bits of salt value, and a 128 bit digest value. The use of secure hashes requires shared keys which are presumably negotiated and rotated as needed out of band. 8. IANA Considerations This document requires IANA to allocate: Two bits in GUE option flag field for GUE Security. One bit in GUE option flag field for GUE Payload Transform. This document requires IANA to have a new registry for Encryption Type and require two code points for: 0x01: for DTLS [RFC6347] 0x80~0xFF: for private payload transform 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC2119, March 1997. [RFC3931] Lau, J., Townsley, W., et al, "Layer Tow Tunneling Protocol - Version 3 (L2TPv3)", RFC3931, 1999 [RFC4301] Kent, S., Seo, K., "Security Architecture for the Internet Protocol", RFC4301, December 2005 [RFC5925] Touch, J., et al, "The TCP Authentication Option", RFC5925, June 2010 [RFC6347] Rescoria, E., Modadugu, N., "Datagram Transport Layer Security Version 1.2", RFC6347, 2012. [GUE] Herbert, T., Yong, L., et al "Generic UNP Encapsulation", draft-ietf-nvo3-gue-00, work in progress. Yong & Herbert [Page 10] Internet-Draft GUE for Secure Transport March 2016 9.2. Informative References [GUE4NVO] Yong, L., and Herbert T., "Generic UNP Encapsulation for NVO", draft-hy-nvo3-gue-4-nvo-01, work in progress. 10. Authors' Addresses Lucy Yong Huawei USA Email: lucy.yong@huawei.com Tom Herbert Facebook 1 Hacker Way Menlo Park, CA 94052 US Email: tom@herbertland.com Yong & Herbert [Page 11]