Internet-Draft | EAP over IP | July 2023 |
Bidgoli | Expires 11 January 2024 | [Page] |
Extensible Authentication Protocol (EAP) is described in [RFC3748]. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. IEEE802.1X-2004 clarifies some aspect of the EAP over Layer 2 PDUs. IEEE802.1X-2010 introduces MACsec Key Agreement Protocol (MKA) which uses EAPOL. In IEEE 802.1X-2010 the existing EAPOL (EAP over LANs) PDU formats have not been modified, but additional EAPOL PDUs have been added to support MKA. MKA is used for discovering peers and their mutual authentication, to agree the secrete keys (SAKs) used by MACsec for symmetric shared key cryptography. This document describes procedures to transport EAP and ultimately MKA PDUs over a IP network to distribute SAKs for symmetric key cryptography.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Currently, most encryption protocols use Public Key Infrastructure (PKI) to distribute symmetric shared keys. Current PKIs algorithms and key lengths are vulnerable to post quantum computers attacks such as "steal/harvest now, decrypt later" and most highly secure organizations are looking for options of quantum safe key distribution.¶
IEEE802.1X-2010 introduces MKA which comprises a secure fully distributed point-to-point or multipoint-to-multipoint transport and a number of applications of that transport, including the distribution of SAKs by an elected key server using AES Key Wrap. MKA is fully described in section 9 of IEEE802.1X-2010. One of the strengths of MKA is using AES ciphers in CMAC mode with key length of 256 as a Key Wrap for the SAK. It is widely accepted that AES ciphers with key length of 256 are safe Post-quantum Cryptography (PQC). IEEE802.1X-2010 farther explains in section 9.3.3 that the keys derived for AES cipher is from a secure Connectivity Association Key (CAK) and a Key Derivation Function (KDF), the CAK can be drived from multiple methods including Pre-shared keys (PSKs), as an example these PSKs can be manually configured and consist of a 64 Hex string for CMAC-AES-256 key wrap.¶
As it can be seen MKA can be a PQC protocol to distribute symmetric shared keys within a network.¶
As such, it would be ideal to extend EAP and MKA into IP networks to allow MKA to distribute symmetric shared keys within an IP domain. This document describes a simple method to identify EAP packet with in a IP network and process them according, including MKA PDUs.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
802.1x-2010 section 9 explains the MKA (MACSec Key Agreement Protocol) in detail. The first and most important note is section 9.4 last paragraph which points out that MKA is designed for mutual authentication of participants in a connectivity association (CA), and can be used for any application.¶
Section 9 of IEEE802.1x-2010 also points out that MKA:¶
1. allows PEERs to discover each other and authenticate each other via the CAK, and agree on a symmetric secret keys (SAKs) used by the application.¶
2. MKA protects the distributed SAKs via AES Key wrap, and more importantly a PQC AES-256 key wrap¶
3. The SAK is created by the Key Server and distributed to the PEERs with in the connectivity association, section 9 of the IEEE802.1x-2010 describes the key server selection.¶
4. MKA manages the SAK installation which is used by the application that secure the data transmitted and received.¶
5. The root of key hierarchy for any given instance of MKA is the secure CAK. Each CAK is identified by CA key NAME (CKN) that allows each of the MKA participants to select which CAK to use to process a received MKA PDUs.¶
As such it is ideal to use MKA to authenticate peers and distribute symmetric keys in a PQC fashion even in an IP network. As an example MKA over IP can be used for signaling symmetric keys for proprietary MPLS encryption or such.¶
To distribute MKA over an IP network there is two concerns to be solved:¶
1. How to identify the MKA PDUs with in an IP domain¶
2. How to transport MKA PDUs from one PEER to another¶
To solve the first problem of identifying EAP or MKA PDUs with in an IP domain, the destination PEER needs to identify this packet as an MKA packet and extract it to be processed as described in IEEE802.1X-2010. To identify the PDU as a MKA PDU with in IP domain, UDP can be used. More precisely, a specific UDP port assigned to MKA, to identify MKA PDUs uniquely in the network. This UDP port can be configured network wide, or it can be a well known UDP port assigned by IANA. UDP is ideal for this MKA identification, as it is best effort protocol and does not have a retransmission mechanism as TCP does, in case of lost packets. This is ideal for MKA as it has a heart beat build in to it, where if few MKA packets are lost, it would bring the MKA session down.¶
Any IP address family (AF) can be used to transport the MKA over UDP through the IP domain. The source IP can be the loopback IP address used by the application and the destination IP can be the loopback IP used by the application on the PEER. Of course the IP protocol will be set to UDP. With this method when the packet arrives on the PEER router, the UDP port can be examined and the packet processed accordingly. In this case the UDP packet will identify the PDU as a MKA PDU and will extract it to the MKA application to authenticate the PEER and extract the symmetric key by decrypting the key wrap via the CAK that is identified by the CKN and AES-256 using CMAC. From this point on the symmetric key can be used by the application to encrypt the datapath. As an example if the symmetric key size is 256 is can be used with AES algorithm to create a PQC secure datapath for the application.¶
The packet format reuses the entire 802.1x packet format as described in the IEEE802.1X-2010 (i.e. it reuses the packet format that follows the Ethernet header with ethertype (0x888e) minus the Ethernet header.). Doing so will allow the routers that have implementations of MACsec and MKA, to leverag the current EAPoL and MKA implementations, and extend these implemention to be used to process the EAP over IP packet. As an example by removing the IP and UDP header and sending the 802.1x-2010 packet (with type MKA) to the MKA application to process the MKA PDU without reinventing the wheel.¶
As such the final packet format is Ethernet header with ethertype of (IP) followed by IP header with protocol (UDP) where the UDP port is a well known MKA UDP port or a a UDP port that is assigned within the network to identify the MKA PDU.¶
Assign a UDP port for EAP over IP identification.¶
NA¶