Internet-Draft | LISP ECDSA AA | March 2023 |
Farinacci & Nordmark | Expires 6 September 2023 | [Page] |
This draft describes how LISP control-plane messages can be individually authenticated and authorized without a a priori shared-key configuration. Public-key cryptography is used with no new PKI infrastructure required.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The LISP architecture and protocols [RFC9300] introduces two new numbering spaces, Endpoint Identifiers (EIDs) and Routing Locators (RLOCs) which provide an architecture to build overlays on top of the underlying Internet. Mapping EIDs to RLOC-sets is accomplished with a Mapping Database System. EIDs and RLOCs come in many forms than just IP addresses, using a general syntax that includes Address Family Identifier (AFI) [RFC1700]. Not only IP addresses, but other addressing information have privacy requirements. Access to private information is granted only to those who are authorized and authenticated. Using asymmetric keying with public key cryptography enforces authentication for entities that read from and write to the mapping system. The proposal described in this document takes advantage of the latest in Elliptic Curve Cryptography.¶
In this proposal the EID is derived from a public key, and the corresponding private key is used to authenticate and authorize Map-Register messages. Thus only the owner of the corresponding private key can create and update mapping entries from the EID. Furthermore, the same approach is used to authenticate Map-Request messages. This in combination with the mapping database containing authorization information for Map-Requests is used to restrict which EIDs can lookup up the RLOCs for another EID.¶
This specification introduces how to use the Distinguished-Name AFI [AFI] and the [RFC8060] LCAF JSON Type to encode public keys and signatures in the LISP mapping database. The information in the mapping database is used to verify cryptographic signatures in LISP control-plane messages such as the Map-Request and Map-Register.¶
LISP already has several message authentication mechanisms. They can be found in [RFC9301], [RFC9303], and [RFC8061]. The mechanisms in this draft are providing a more granular level of authentication as well as a simpler way to manage keys and passwords.¶
A client of the mapping system can be authenticated using public-key cryptography. The client is required to have a private/public key-pair where it uses the private-key to sign Map-Requests and Map-Registers. The server, or the LISP entity, that processes Map-Requests and Map-Registers uses the public-key to verify signatures.¶
The following describes how the mapping system is used to implement the public-key crypto system:¶
When a private/public key-pair is created for a node, its IPv6 EID is pre-determined based on the public key generated. Note if the key-pair is compromised or is changed for the node, a new IPv6 EID is assigned for the node.¶
The sha256 [RFC6234] hex digest function is used to compute the hash. The hash is run over the following hex byte string:¶
<iid><prefix><pubkey>¶
Where each field is defined to be:¶
The public-key hash is used to construct the Crypto-EID and Hash-EID.¶
A Hash-EID is formatted in an EID-record as a Distinguished-Name AFI as specified in [I-D.ietf-lisp-name-encoding]. The format of the string is:¶
EID-record: 'hash-<hash-eid>'¶
Where <hash-eid> is a public-key hash as described in Section 4. The RLOC-record to encode and store the public-key is in LCAF JSON Type format of the form:¶
RLOC-record: '{ "public-key" : "<pubkey-base64>" }'¶
Where <pubkey-base64> is a base64 [RFC4648] encoding of the public-key generated for the system that is assigned the Hash-EID.¶
Since the Hash-EID is formatted as a distinguished-name AFI, the format of the <hash-eid> for EID 'hash-<hash-eid>' needs to be specified. The format will be an IPv6 address [RFC3513] where colons are used between quad-nibble characters when the hash bit length is a multiple of 4. And when the hash bit length is not a multiple of 4 but a multiple of 2, a leading 2 character nibble-pair is present. Here are some examples for different hash bit lengths:¶
Crypto-EID: 2001:5::1111:2222:3333:4444, hash length 64: Hash-EID is: 'hash-1111:2222:3333:4444' Crypto-EID: 2001:5::11:22:33:44, hash length 64: Hash-EID is: 'hash-0011:0022:0033:0044' Crypto-EID: 2001:5:aaaa:bbbb:1111:2222:3333:4444, hash length 80: Hash-EID is: 'hash-bbbb:1111:2222:3333:4444' Crypto-EID: 2001:5:aaaa:bbbb:1111:2222:3333:4444, hash length 72: Hash-EID is: 'hash-bb:1111:2222:3333:4444' Crypto-EID: 2001:5:aaaa:bbbb:1111:22:33:4444, hash length 72: Hash-EID is: 'hash-bb:1111:0022:0033:4444'¶
Note when leading zeroes exist in a IPv6 encoded quad between colons, the zeros are included in the quad for the Hash-EID string.¶
The entity that creates the hash, the entity that registers the Crypto-EID and the Map-Server that uses the hash for Hash-EID lookups MUST agree on the hash bit length.¶
Key generation, message authentication with digital signatures, and signature verification will use the Elliptic Curve Digital Signature Algorithm or ECDSA [X9.62]. For key generation curve 'NIST256p' is used and recommended.¶
Signatures are computed over signature data that depends on the type of LISP message sent. See Section 8 and Section 9 for each message type. The signature data is passed through a sha256 hash function before it is signed or verified.¶
When a ETR registers its Crypto-EID or any EID type to the mapping system, it builds a LISP Map-Register message. The mapping includes an EID-record which encodes the Crypto-EID, or any EID type, and an RLOC-set. One of the RLOC-records in the RLOC-set includes the the ETR's signature and signature-ID. The RLOC-record is formatted with a LCAF JSON Type, in the following format:¶
{ "signature" : "<signature-base64>", "signature-id" : "<signer-id>" }¶
Where <signature-base64> is a base64 [RFC4648] encoded string over the following ascii [RFC0020] string signature data:¶
[<iid>]<crypto-eid>¶
Where <iid> is the decimal value of the instance-ID the Crypto-EID is registering to and the <crypto-eid> is in the form of [RFC3513] where quad-nibbles between colons ARE NOT zero-filled.¶
The Map-Server that process an EID-record with a Crypto-EID and a RLOC-record with a signature extracts the public-key hash value from the Crypto-EID to build a Hash-EID. The Map-Server looks up the Hash-EID in the mapping system to obtain the public-key RLOC-record. The Map-Server verifies the signature over the signature data to determine if it should accept the EID-record registration.¶
When an xTR (an ITR, PITR, or RTR), sends a Map-Request to the mapping system to request the RLOC-set for a Crypto-EID, it signs the Map-Request so it can authenticate itself to the Map-Server the Crypto-EID is registered to. The Map-Request target-EID field will contain the Crypto-EID and the source-EID field will contain an LCAF JSON Type string with the following signature information:¶
{ "source-eid" : "<seid>", "signature-id" : "<signer-id>", "signature" : "<signature-base64>" }¶
Where <signer-id> is an IPv6 encoded string according to [RFC3513] where quad-nibbles between colons ARE NOT zero-filled. The <seid> is the source EID from the data packet that is invoking the Map-Request or the entire key/value pair for "source-eid" can be excluded when a data packet did not invoke the Map-Request (i.e. lig or an API request). The <signer-id> is the IPv6 Crypto-EID of the xTR that is providing the Map-Request signature.¶
The signature string <signature-base64> is a base64 [RFC4648] encoded string over the following signature data:¶
<nonce><source-eid><crypto-eid>¶
Where <nonce> is a hex string [RFC0020] of the nonce used in the Map-Request and the <source-eid> and <crypto-eid> are hex strings [RFC0020] of an IPv6 address in the form of [RFC3513] where quad-nibbles between colons ARE NOT zero-filled. When <seid> is not included in the Map-Request, string "0::0" is used for <source-eid>.¶
When a Map-Server originates a Map-Notify message either as an acknowledgment to a Map-Register message, as a solicited [I-D.ietf-lisp-pubsub] notification, or an unsolicited [RFC8378] notification, the receiver of the Map-Notify can verify the message is from an authenticated Map-Server.¶
An RLOC-record similar to the one used to sign Map-Register messages is used to sign the Map-Notify message:¶
{ "signature" : "<signature-base64>", "signature-id" : "<signer-id>" }¶
Where the "signature-id" is an IPv6 crypto-EID used by the Map-Server to sign the RLOC-record. The signature data and the encoding format of the signature is the same as for a Map-Register message. See details in Section 8.¶
A receiver of a Map-Notify message will lookup the signature-id in the mapping system to obtain a public-key to verify the signature. The Map-Notify is accepted only if the verification is successful.¶
The mechanisms described within this document can be used to sign other types of LISP messages. And for further study is how to use these mechanisms to sign LISP encapsulated data packets in a compressed manner to reduce data packet header overhead.¶
In addition to authenticating other types of LISP messages, other types of EID-records can be encoded as well and is not limited to IPv6 EIDs. It is possible for a LISP xTR to register and request non IPv6 EIDs but use IPv6 Crypto-EIDs for the sole purpose of signing and verifying EID-records.¶
Examples of other EID types that can be authenticated in Map-Request and Map-Register messages are:¶
EID-Type | Format Definition |
---|---|
IPv4 address prefixes | [RFC1123] |
Distinguished-Names | [I-D.ietf-lisp-name-encoding] |
Geo-Coordinates | [I-D.farinacci-lisp-geo] |
LCAF defined EIDs | [RFC8060] |
When a Crypto-EID is being used for IPv6 communication, it is implicit that the owner has the right to use the EID since it was generated from the key-pair provisioned for the owner. For other EID types that are not directly associated with signature keys, they must be validated for use by the mapping system they are registered to. This policy information for the mapping system must be configured in the Map-Servers the EID owner registers to or a signed authorization provided by a third-party entity.¶
To achieve signed authorization, an entity that allows another entity to register an EID, must authorize the registering entity. It does so by adding RLOC-records to the registering entity's Hash-EID public-key mapping. The format of the RLOC-record is a JSON encoded record as follows:¶
{ "allow-eid" : "<eid>", "signature-id" : "<signer-id>", "signature" : "<signature-base64>" }¶
The format of the <signer-id> and <signature-base64> values are the same as described in Section 8. The <eid> value is in the same string format as the signature data described in Section 8. For other non-IPv6 EID types, the conventions in [RFC8060] are used. In all cases, the string encoding format of instance-ID '[<iid>]' prepended is to the EID string.¶
This entry is added to the RLOC-set of the registering entity's Hash-EID 'hash-<hash>' registration. The authorizing entity does signs the Map-Register and sends it with merge-semantics. The Map-Server accepts the registration after the signature is verified and merges the RLOC-record into the existing RLOC-set. The 'signature' is optional and when not included means the authorizing entity has not yet allowed the registering entity to register the EID <eid>. Note multiple entities can register RLOC-records with the same <eid> meaning that signature verification for all of them is required before the Map-Server accepts the registration.¶
When the Map-Server receives a Map-Register for <eid>, it looks up 'hash-<hash>' EID in the mapping system. If not found, the Map-Register EID-record is not processed and the next EID-record is retrieved from the Map-Register message, if it exists. If the Hash-EID entry is found, the registering entity's signature is verified first. If the verification fails, the Map-Register EID-record is not accepted. Otherwise, a search for the RLOC-set is done to look for all matches of the EID being registered with <eid>, for those entries found, if any of them do not have a "signature" JSON item, the EID-record is not accepted. Otherwise, the signature-id is looked up in the mapping system to retrieve the public-key of the authorizing entity. If the verification is successful, then a lookup for the next RLOC-record signature-id is done. Only when all signature verifications are verified, the Map-Register EID-record is accepted.¶
The Map-Server should reject an RLOC-record with a signature-id that contains the Hash-EID of the entry disallowing a registering entity to self authorize itself.¶
Here is an example of a Hash-EID mapping stored in the mapping system:¶
EID-record: [1000]'hash-1111:2222:3333:4444', RLOC-Set (count is 4): RLOC-record: { "public-key" : "<pubkey-base64>" } RLOC-record: { "allow-eid" : "[1000]1.1.1.1/32", "signature" : "<sig>", "signature-id" : "[1000]2001:5:3::1111" } RLOC-record: { "allow-eid" : "[1000]1.1.1.1/32", "signature" : "<sig>", "signature-id" : "[1000]2001:5:3::2222" } RLOC-record: { "allow-eid" : "37-16-46-N-121-52-4-W", "signature-id" : "[1000]2001:5:3::5555" }¶
This mapping stores the public-key of the registering entity with Hash-EID 1111:2222:3333:4444. The registering entry registered this RLOC-record. There are two authorizing entities, :1111 and :2222, who allow it to register IPv4 EID 1.1.1.1/32. They each registered their respective RLOC-records. And a third authorizing entity :5555 that registers an RLOC-record that has not yet authorized the registering entity to register Geo-Coordinate 37-16-46-N-121-52-4-W. Note the mapping and the signature-IDs are all within the context of instance-ID 1000.¶
The mechanisms within this specification are intentionally using accepted practices and state of the art public-key cryptography.¶
Crypto-EIDs can be made private when control messages are encrypted, for instance, using [RFC8061].¶
The topological or physical location of a Crypto-EID is only available to the other Crypto-EIDs that register in the same LISP Instance-ID and have their corresponding Hash-EIDs registered.¶
This draft doesn't address reply attacks directly. If a man-in-the- middle captures Map-Register messages, it could send such captured packets at a later time which contains signatures of the source. In which case, the Map-Server verifies the signature as good and interprets the contents to be valid where in fact the contents can contain old mapping information. This problem can be solved by encrypting the contents of Map-Registers using a third-party protocol like DTLS [RFC6347] or LISP-Crypto [RFC8061] directly by encapsulating Map-Registers in LISP data packets (using port 4341).¶
Map-Reply message signatures and authentication are not in scope for this document. This document focuses on authentication between xTRs and mapping system components. Map-Reply authentication, which is performed between xTRs is described in [RFC9303].¶
Since there are no new packet formats introduced for the functionality in this specification, there are no specific requests for IANA.¶
A special thanks goes to Sameer Merchant and Colin Cantrell for their ideas and technical contributions to the ideas in this draft.¶
[RFC Editor: Please delete this section on publication as RFC.]¶