HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 04:11:43 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Thu, 23 Mar 1995 23:00:00 GMT ETag: "2f53db-cd11-2f71fd70" Accept-Ranges: bytes Content-Length: 52497 Connection: close Content-Type: text/plain Network Working Group Randall Atkinson Internet Draft Naval Research Laboratory draft-ietf-ipsec-arch-00.txt 23 March 1995 Security Architecture for the Internet Protocol STATUS OF THIS MEMO This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of 6 months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as "work in progress". This particular Internet Draft is a product of the IETF's IPng and IP Security working groups. It is intended that a future version of this draft be submitted to the IESG for publication as a standards-track RFC. 1. INTRODUCTION This memo describes the security mechanisms for IP version 4 (IPv4) and IP version 6 (IPv6) and the services that they provide. Each security mechanism is specified in a separate document. This document also describes key management requirements for systems implementing those security mechanisms. This document is not an overall Security Architecture for the Internet and is instead focused on IP-layer security. 1.1 Technical Definitions This section provides a few basic definitions that are applicable to this document. Other documents provide more definitions and background information. [VK83, HA94] Authentication The property of knowing that the data received is the same as the data that was sent and that the claimed sender is in fact Atkinson [Page 1] Internet Draft Security Architecture for IP 23 March 1995 the actual sender. Integrity The property of ensuring that data is transmitted from source to destination without undetected alteration. Confidentiality The property of keeping communications confidential so that intended participants can know what is being sent but unintended parties are unable to determine what is being sent. Encryption A mechanism commonly used to provide confidentiality. Non-repudiation The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later desire to deny ever having sent that data. SPI Acronym for "Security Parameters Index". An unstructured opaque index which is used in conjunction with the Destination Address to identify a particular Security Association. Security Association The set of security information relating to a given network connection or set of connections. This usually includes the cryptographic key, key lifetime, algorithm, algorithm mode, sensitivity level (e.g. Unclassified, Secret, Proprietary), the kind of security service is provided (authentication-only, Transport-Mode Encryption, Tunnel-Mode Encryption, or some combination), and possibly other data. This is described in detail below. Traffic Analysis The analysis of network traffic flow for the purpose of deducing information that is useful to an adversary. Examples of such information are frequency of transmission, the identities of the conversing parties, sizes of packets, Flow Identifiers used, etc. [Sch94] 1.2 Requirements Terminology In this document, the words that are used to define the significance of each particular requirement are usually capitalised. These words are: Atkinson [Page 2] Internet Draft Security Architecture for IP 23 March 1995 - MUST This word or the adjective "REQUIRED" means that the item is an absolute requirement of the specification. - SHOULD This word or the adjective "RECOMMENDED" means that there might exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before taking a different course. - MAY This word or the adjective "OPTIONAL" means that this item is truly optional. One vendor might choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item. 1.3 Typical Use The Authentication Header supports security between two or more hosts implementing AH, between two or more gateways implementing AH, and between a host or gateway implementing AH and a set of hosts or gateways. A security gateway is a system which acts as the communications gateway between external untrusted systems and trusted hosts on their own subnetwork. It also provides security services for the trusted hosts when they communicate with the external untrusted systems. A trusted subnetwork contains hosts and routers that trust each other not to engage in active or passive attacks and trust that the underlying communications channel (e.g. an Ethernet) isn't being attacked. Trusted systems always should be trustworthy, but in practice they often are not trustworthy. In the case where a security gateway is providing services on behalf of one or more hosts on a trusted subnet, the security gateway is responsible for establishing the security association on behalf of its trusted host and for providing security services between the security gateway and the external system(s). In this case, only the gateway need implement AH, while all of the systems behind the gateway on the trusted subnet may take advantage of AH services between the gateway and external systems. A gateway which receives a datagram containing a recognised sensitivity label from a trusted host should take that label's value into consideration when creating/selecting an SPI for use with AH between the gateway and the external destination. In such an environment, a gateway which receives a IP packet containing the ESP should appropriately label the decrypted packet that it forwards to the trusted host that is the ultimate destination. The IP Authentication Header should always be used on packets containing Atkinson [Page 3] Internet Draft Security Architecture for IP 23 March 1995 explicit sensitivity labels to ensure end-to-end label integrity. The ESP supports security between two or more hosts implementing ESP, between two or more gateways implementing ESP, and between a host or gateway implementing ESP and a set of hosts and/or gateways. A security gateway is a system which acts as the communications gateway between external untrusted systems and trusted hosts on their own subnetwork and provides security services for the trusted hosts when they communicate with external untrusted systems. A trusted subnetwork contains hosts and routers that trust each other not to engage in active or passive attacks and trust that the underlying communications channel (e.g. an Ethernet) isn't being attacked. Trusted systems always should be trustworthy, but in practice they often are not trustworthy. In the case where a security gateway is providing services on behalf of one or more hosts on a trusted subnet, the security gateway is responsible for establishing the security association on behalf of its trusted host and for providing security services between the security gateway and the external system(s). In this case, only the gateway need implement ESP, while all of the systems behind the gateway on the trusted subnet may take advantage of ESP services between the gateway and external systems. A gateway which receives a datagram containing a recognised sensitivity label from a trusted host should take that label's value into consideration when creating/selecting an SPI for use with ESP between the gateway and the external destination. In such an environment, a gateway which receives a IP packet containing the ESP should appropriately label the decrypted packet that it forwards to the trusted host that is the ultimate destination. The IP Authentication Header should always be used on packets containing explicit sensitivity labels to ensure end-to-end label integrity. If there are no security gateways present in the connection, then two end systems that implement ESP may also use it to encrypt only the user data (e.g. TCP or UDP) being carried between the two systems. ESP is designed to provide maximum flexibility so that users may select and use only the security that they desire and need. All routing headers and other data SHOULD normally be included within the encrypted IP datagram, even if the same data is in the unencrypted part of the IP datagram. If the encrypted IP datagram does contain routing headers, then the receiving system MUST ignore all routing information in the unencrypted portion of the received datagram and shall strictly rely on the routing information from the protected payload instead. If this rule is not strictly adhered to, then the system will be vulnerable to various kinds of All routing headers and other data SHOULD normally be included within the encrypted IP datagram, even if the same data is in the Atkinson [Page 4] Internet Draft Security Architecture for IP 23 March 1995 unencrypted part of the IP datagram. If the encrypted IP datagram does contain routing headers, then the receiving system MUST ignore all routing information in the unencrypted portion of the received datagram and shall strictly rely on the routing information from the protected payload instead. If this rule is not strictly adhered to, then the system will be vulnerable to various kinds of attacks, including source routing attacks. [Bel89][CB94][CERT95] 1.4 Security Associations The concept of a "Security Association" is fundamental to both the IP Encapsulating Security Payload and the IP Authentication Header. The combination of a given Security Parameter Index (SPI) and Destination Address uniquely identifies a particular "Security Association". An implementation of the Authentication Header MUST support this concept of a Security Association. An implementation MAY also support other parameters as part of a Security Association. A Security Association normally includes the parameters listed below, but might include additional parameters as well: - Authentication algorithm and algorithm mode being used with the IP Authentication Header [REQUIRED for AH implementations]. - Key(s) used with the authentication algorithm in use with the Authentication Header [REQUIRED for AH implementations]. - Encryption algorithm, algorithm mode, and transform being used with the IP Encapsulating Security Payload [REQUIRED for ESP implementations] - Key(s) used with the encryption algorithm in use with the Encapsulating Security Payload [REQUIRED for ESP implementations] - Presence/absence and size of a cryptographic synchronisation or initialisation vector field for the encryption algorithm [REQUIRED for ESP implementations] - Authentication algorithm and mode used with the ESP transform (if any is in use) [RECOMMENDED for ESP implementations]. - Authentication key(s) used with the authentication algorithm that is part of the ESP transform (if any) [RECOMMENDED for ESP implementations] - Lifetime of the key or time when key change should occur [RECOMMENDED for all implementations]. - Lifetime of the Security Association [RECOMMENDED for all implementations]. - Sensitivity level (for example, Secret or Unclassified) of the protected data inside the ESP payload [REQUIRED for those systems claiming to provide multi-level security, RECOMMENDED for all other systems] The sending host uses the sending userid and Destination Address to select an appropriate Security Association (and hence SPI value). The receiving host uses the combination of SPI value and Destination Atkinson [Page 5] Internet Draft Security Architecture for IP 23 March 1995 Address to distinguish the correct association. Hence, an AH implementation will always be able to use the SPI in combination with the 128-bit Destination Address to determine the security association and related security configuration data for all valid incoming packets. When a formerly valid Security Association becomes invalid, the destination system(s) SHOULD NOT immediately reuse that SPI value and instead SHOULD let that SPI value become stale before reusing it for some other Security Association. A security association is normally one-way. An authenticated communications session between two hosts will normally have two Security Parameter Indexes in use (one in each direction). The combination of a particular Security Parameter Index and a particular Destination Address uniquely identifies the Security Association. The Destination Address may be a unicast address or a multicast group address. The receiver-orientation of the Security Association implies that, in the case of unicast traffic, the destination system will normally select the SPI value. By having the destination select the SPI value, there is no potential for manually configured Security Associations that conflict with automatically configured (e.g. via a key management protocol) Security Associations. For multicast traffic, there are multiple destination systems but a single destination multicast group, so some system or person will need to select SPIs on behalf of that multicast group and then communicate the information to all of the legitimate members of that multicast group via mechanisms not defined here. Multiple senders to a multicast group MAY use a single Security Association (and hence Security Parameter Index) for all traffic to that group. In that case, the receiver only knows that the message came from a system knowing the security association data for that multicast group. A receiver cannot generally authenticate which system sent the multicast traffic when asymmetric algorithms are in use. Multicast traffic MAY also use a separate Security Association (and hence SPI) for each sender to the multicast group . If each sender has its own Security Association and asymmetric algorithms are used, then data origin authentication is also a provided service. 2. DESIGN OBJECTIVES This section describes some of the design objectives of this security architecture and its component mechanisms. The primary objective of this work is to ensure that IPv4 and IPv6 will have solid cryptographic security mechanisms available to users who desire security. Atkinson [Page 6] Internet Draft Security Architecture for IP 23 March 1995 These mechanisms are designed to avoid adverse impacts on Internet users who do not employ these security mechanisms for their traffic. These mechanisms are intended to be algorithm-independent so that the cryptographic algorithms can be altered without affecting the other parts of the implementation. These security mechanisms should be useful in enforcing a variety of security policies. Standard default algorithms (keyed MD5, DES CBC) are specified to ensure interoperability in the global Internet. The selected algorithms are the same as the standard default algorithms used in SNMPv2. 3. IP-LAYER SECURITY MECHANISMS There are two cryptographic security mechanisms for IP. The first is the Authentication Header which provides integrity and authentication without confidentiality. [Atk95a] The second is the Encapsulating Security Payload which always provides confidentiality, and (depending on algorithm and mode) might also provide integrity and authentication. [Atk95b] The two IP security mechanisms may used together or separately. These IP-layer mechanisms do not provide security against a number of traffic analysis attacks. However, there are several techniques outside the scope of this specification (e.g. bulk link encryption) that might be used to provide protection against traffic analysis. [VK83] 3.1 AUTHENTICATION HEADER The IP Authentication Header is designed to provide integrity and authentication for IP datagrams. It does this by computing a cryptographic authentication function over the IP datagram and using a secret authentication key in the computation. [Atk95a] The sender computes the authentication data just prior to sending the authenticated IP packet and the receiver verifies the correctness of the authentication data upon reception. Certain fields which must change in transit, such as the "TTL" (IPv4) or "Hop Limit" (IPv6) field, which is decremented on each hop, are omitted from the authentication calculation. However the omission of the Hop Limit field does not adversely impact the security provided. Non-repudiation might be provided by some authentication algorithms (e.g. asymmetric algorithms when both sender and receiver keys are used in the authentication calculation) used with the Authentication Header, but it is not necessarily provided by all authentication algorithms that might be used with the Authentication Header. The default authentication algorithm is keyed MD5, which, like all symmetric algorithms, cannot provide non-repudiation by itself. Atkinson [Page 7] Internet Draft Security Architecture for IP 23 March 1995 Confidentiality and traffic analysis protection are not provided by the Authenticaton Header. The IP Authentication Header holds authentication information for its IP datagram. This authentication information is calculated using all of the fields in the IP datagram which do not change during transit from the originator to the recipient. All IP headers, payloads, and the user data are included in this calculation. The only exception is that fields and options which need to change in transit (e.g. IPv6 Header's "Hop Count" or the IPv4 Header's "TTL") are omitted when the authentication data is calculated. Use of the Authentication Header will increase the IP protocol processing costs in participating systems and will also increase the communications latency. The increased latency is primarily due to the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by each receiver for each IP datagram containing an Authentication Header (AH). The Authentication Header provides much stronger security than exists in most of the current Internet and should not affect exportability or significantly increase implementation cost. While the Authentication Header might be implemented by a security gateway on behalf of hosts on a trusted network behind that security gateway, this mode of operation is not encouraged. Instead, the Authentication Header should be used from origin to final destination. All IPv6-capable hosts MUST implement the IP Authentication Header with at least the MD5 algorithm using a 128-bit key. IPv4-systems claiming to implement the Authentication Header MUST implement the IP Authentication Header with at least the MD5 algorithm using a 128-bit key. An implementation MAY support other authentication algorithms in addition to keyed MD5. 3.2 ENCAPSULATING SECURITY PAYLOAD The IP Encapsulating Security Payload (ESP) seeks to provide integrity, authentication, and confidentiality to IP datagrams. [Atk95b] It does this by encapsulating either an entire IP datagram or only the upper-layer protocol data inside the ESP, encrypting most of the ESP contents, and then appending a new cleartext IP header to the now encrypted Encapsulating Security Payload. This cleartext IP header is used to carry the protected data through the internetwork. The recipient of the cleartext datagram removes and discards the cleartext IP header and cleartext IP options, decrypts the ESP, processes and then removes the ESP headers, and then processes the (now decrypted) original IP datagram or upper-layer protocol data as per the normal IP protocol specifications. Atkinson [Page 8] Internet Draft Security Architecture for IP 23 March 1995 3.2.1 Description of the ESP Modes There are two modes within ESP. The first mode, which is known as Tunnel-mode, encapsulates an entire IP datagram within the ESP header. The second mode, which is known as Transport-mode, encapsulates an upper-layer protocol (for example UDP or TCP) inside ESP and then prepends a cleartext IP header. 3.2.2 Usage of ESP ESP works between hosts, between a host and a security gateway, or between security gateways. This support for security gateways permits trustworthy networks behind a security gateway to omit encryption and thereby avoid the performance and monetary costs of encryption, while still providing confidentiality for traffic transiting untrustworthy network segments. When both hosts directly implement ESP and there is no intervening security gateway, then they may use the Transport-mode (where only the upper layer protocol data (e.g. TCP or UDP) is encrypted and there is no encrypted IP header). This mode reduces both the bandwidth consumed and the protocol processing costs for users that don't need to keep the entire IP datagram confidential. ESP works with both unicast and multicast traffic. 3.2.3 Performance Impacts of ESP The encapsulating security approach used by ESP can noticeably impact network performance in participating systems, but use of ESP should not adversely impact routers or other intermediate systems that are not participating in the particular ESP association. Protocol processing in participating systems will be more complex when encapsulating security is used, requiring both more time and more processing power. Use of encryption will also increase the communications latency. The increased latency is primarily due to the encryption and decryption required for each IP datagram containing an Encapsulating Security Payload. The precise cost of ESP will vary with the specifics of the implementation, including the encryption algorithm, key size, and other factors. Hardware implementations of the encryption algorithm are recommended when high throughput is desired. For interoperability throughout the worldwide Internet, all conforming implementations of the IP Encapsulting Security Payload MUST support the use of the Data Encryption Standard (DES) in Cipher-Block Chaining (CBC) Mode as detailed in the ESP specification. Other confidentiality algorithms and modes may also be implemented in addition to this mandatory algorithm and mode. Export of encryption and use of encryption are regulated in some countries. [OTA94] Atkinson [Page 9] Internet Draft Security Architecture for IP 23 March 1995 3.3 COMBINING SECURITY MECHANISMS In some cases the IP Authentication Header might be combined with the IP Encapsulating Security Protocol to obtain the desired security properties. The Authentication Header always provides integrity and authentication and can provide non-repudiation if used with certain authentication algorithms (e.g. RSA). The Encapsulating Security Payload always provides integrity and confidentiality and can also provide authentication if used with certain authenticating encryption algorithms. Adding the Authentication Header to a IP datagram prior to encapsulating that datagram using the Encapsulating Security Protocol might be desirable for users wishing to have strong integrity, authentication, confidentiality, and perhaps also for users who require strong non-repudiation. When the two mechanisms are combined, the placement of the IP Authentication Header makes clear which part of the data is being authenticated. Details on combining the two mechanisms are provided in the IP Encapsulating Security Payload specification. [At94b] 3.4 OTHER SECURITY MECHANISMS Protection from traffic analysis is not provided by any of the security mechanisms described above. It is unclear whether meaningful protection from traffic analysis can be provided economically at the Internet Layer and it appears that few Internet users are concerned about traffic analysis. One traditional method for protection against traffic analysis is the use of bulk link encryption. Another technique is to send false traffic in order to increase the noise in the data provided by traffic analysis. Reference [VK83] discusses traffic analysis issues in more detail. 4. KEY MANAGEMENT The Key Management protocol that will be used with IP layer security is not specified in this document. However, because the key management protocol is coupled to the other security mechanisms only via the Security Parameters Index (SPI), those other security mechanisms have been defined in two companion documents. [Atk95a, Atk95b] Support for key management methods where the key management data is carried within the IP layer is not a design objective for these IP-layer security mechanisms. Instead these IP-layer security mechanisms will primarily use key management methods where the key management data will be carried by an upper layer protocol, such as UDP or TCP, on some specific port number or where the key management data will be distributed manually. This design permits clear decoupling of the key management mechanism Atkinson [Page 10] Internet Draft Security Architecture for IP 23 March 1995 from the other security mechanisms, and thereby permits one to substitute new and improved key management methods without having to modify the implementations of the other security mechanisms. This separation of mechanism is clearly wise given the long history of subtle flaws in published key management protocols. [NS78, NS81] What follows in this section is a brief discussion of a few alternative approaches to key management. Mutually consenting systems may additionally use other key management approaches by private prior agreement. 4.1 Manual Key Distribution The simplest form of key management is manual key management, where a person manually configures each system with its own key and also with the keys of other communicating systems. This is quite practical in small, static environments but does not scale. It is not a viable medium-term or long-term approach, but might be appropriate and useful in many environments in the near-term. For example, within a small LAN it is entirely practical to manually configure keys for each system. Within a single administrative domain it is practical to configure keys for each router so that the routing data can be protected and to reduce the risk of an intruder breaking into a router. Another case is where an organisation has an encrypting firewall between the internal network and the Internet at each of its sites and it connects two or more sites via the Internet. In this case, the encrypting firewall might selectively encrypt traffic for other sites within the organisation using a manually configured key, while not encrypting traffic with other destinations. It also might be appropriate when only selected communications need to be secured. 4.2 Some Existing Key Management Techniques There are a number of key management algorithms that have been described in the public literature. Needham & Schroeder have proposed a key management algorithm which relies on a centralised key distribution system. [NS78, NS81] This algorithm is used in the Kerberos Authentication System developed at MIT under Project Athena. [KB93] More recently, Diffie and Hellman have devised an algorithm which does not require a centralised key distribution system. [DH76] Unfortunately, the original Diffie-Hellman technique is vulnerable to an active "man in the middle" attack. However, this vulnerability can be mitigated by using signed keys to authentically bootstrap into the Diffie-Hellman exchange. 4.3 Automated Key Distribution Widespread deployment and use of IP security will require an Internet-standard scalable key management protocol. Ideally such a Atkinson [Page 11] Internet Draft Security Architecture for IP 23 March 1995 protocol would support a number of protocols in the Internet protocol suite, not just IP security. There is work underway within the IETF to add signed host keys to the Domain Name System [EK94] The DNS keys enable the originating party would to authenticate key management messages with the other key management party using an asymmetric algorithm. The two parties would then have an authenticatible communications channel that could be used to create a shared session key using Diffie-Hellman or other means. [DH76] 4.4 Keying Approaches for IP There are two keying approaches for IP. The first approach, called host-oriented keying, has all users on host 1 share the same key for use on traffic destined for all users on host 2. The second approach, called user-oriented keying, lets user A on host 1 have a unique session key for its traffic destined for host 2; that session key is not shared with other users on host1. User A on host 1 might have more than one key for its traffic destined for host 2. For example, its ftp session might use a different key than its telnet session. In systems claiming to provide multi-level security, user A will typically have at least one key per sensitivity level in use (e.g. one key for UNCLASSIFIED traffic, a second key for SECRET traffic, and a third key for TOP SECRET traffic). In many cases, a single computer system will have at least two mutually suspicious users A and B that do not trust each other. When host-oriented keying is used and mutually suspicious users exist, it is possible for user A to determine the host-oriented key via well known methods, such as a Chosen Plaintext attack. Once user A has improperly obtained the key in use, user A can then either read user B's encrypted traffic or forge traffic from user B. When user-oriented keying is used, this kind of attack from one user onto another user's traffic is not possible. Hence, support for user-oriented keying must be present in all IP implementations, as is described in the "IP Key Management Requirements" section below. 4.5 Multicast Key Distribution Multicast key distribution is an active research area in the published literature as of this writing. For multicast groups having relatively few members, manual key distribution or multiple use of existing unicast key distribution algorithms such as modified Diffie-Hellman appears feasible. For very large groups, new scalable techniques will be needed. The use of Core-Based Trees (CBT) to provide session key management as well as multicast routing might be an approach used in the future. [BFC93] Atkinson [Page 12] Internet Draft Security Architecture for IP 23 March 1995 4.6 IP Key Management Requirements This section defines key management requirements for all IPv6 implementations and for those IPv4 implementations that implement the IP Authentication Header, the IP Encapsulating Security Payload, or both. It applies equally to the IP Authentication Header and the IP Encapsulating Security Payload. All such implementations MUST support manual key management. All such implementations SHOULD support an Internet standard key management protocol once the latter is defined. All such implementations MUST support the configuration and use of user-oriented keying for traffic originating at that system. Systems MAY additionally permit the configuration of host-oriented keying for traffic originating at that system as an added feature to make manual key distribution easier and give the system administrator more flexibility. A device that encrypts or authenticates IP packets originated on other systems, for example a dedicated IP encryptor or an encrypting gateway, cannot generally provide user-oriented keying for traffic originating on other systems. Hence, such systems MUST implement support for host-oriented keying for traffic originating on other systems. Such systems MAY additionally implement support for user-oriented keying for traffic originating on other systems. The method by which keys are configured on a particular system is implementation-defined. A flat file containing security association identifiers and the security parameters, including the key(s), is an example of one possible method for manual key distribution. An IP system MUST take reasonable steps to protect the keys and other security association information from unauthorised examination or modification because all of the security lies in the keys. 5. USAGE This section describes the possible use of the security mechanisms provided by IP in several different environments and applications in order to give the implementer and user a better idea of how these mechanisms can be used to reduce security risks. 5.1 USE WITH FIREWALLS Firewalls are not uncommon in the current Internet. [CB94] While many dislike their presence because they restrict connectivity, they are unlikely to disappear in the near future. Both of these IP mechanisms can be used to increase the security provided by firewalls. Firewalls used with IP often need to be able to parse the headers and options to determine the transport protocol (e.g. UDP or TCP) in use and the port number for that protocol. Firewalls can still be Atkinson [Page 13] Internet Draft Security Architecture for IP 23 March 1995 used with the Authentication Header, but a firewall that is not party to the applicable Security Association will not normally be able to decrypt an encrypted upper-layer protocol to view the protocol or port number needed to perform per-packet filtering. Firewalls can use the Authentication Header to gain assurance that the data (e.g. source, destination, transport protocol, port number) being used for access control decisions is correct and authentic. Authentication might be performed not only within an organisation or campus but also end to end with remote systems across the Internet. This use of the Authentication Header with IP provides much more assurance that the data being used for access control decisions is authentic. Organisations with two or more sites that are interconnected using commercial IP service might wish to use a selectively encrypting firewall. If an encrypting firewall were placed between each site of the Foo Company and the commercial IP service provider, the firewall could provide an encrypted IP tunnel among all of the Foo Company's sites. It could also encrypt traffic between the Foo Company and its suppliers, customers, and other affiliates. Traffic with the NIC, with public Internet archive, or some other organisations might not be encrypted because of the unavailability of a standard key management protocol or as a deliberate choice to facilitate better communications, improved network performance, and increased connectivity. Such a practice could easily protect the organisation's sensitive traffic from eavesdropping and modification. Some organisations (e.g. governments) might wish to use a fully encrypting firewall to provide a protected virtual network over commercial IP service. The difference between that and a bulk IP encryption device is that a fully encrypting firewall would provide filtering of the decrypted traffic as well as providing encryption of IP packets. 5.3 USE WITH IP MULTICAST In the past several years, the Multicast Backbone (MBONE) has grown rapidly. IETF meetings and other conferences are now regularly multicast with real-time audio, video, and whiteboards. Many people are now using teleconferencing applications based on IP Multicast in the Internet or in private internal networks. Others are using IP multicasting to support distributed simulation or other applications. Hence it is important that the security mechanisms in IP be suitable for use in an environment where multicast is the general case. The Security Parameters Indexes (SPIs) used in the IP security mechanisms are receiver-oriented, making them well suited for use in IP multicast. [Atk95a, Atk95b] Unfortunately, most currently published Atkinson [Page 14] Internet Draft Security Architecture for IP 23 March 1995 multicast key distribution protocols do not scale well. However, there is active research in this area. As an interim step, a multicast group could repeatedly use a secure unicast key distribution protocol to distribute the key to all members or the group could pre-arrange keys using manual key distribution. 5.4 USE TO PROVIDE QOS PROTECTION The recent IAB Security Workshop identified Quality of Service protection as an area of significant interest. [BCCH] The two IP security mechanisms are intended to provide good support for real-time services as well as multicasting. This section describes one possible approach to providing such protection. The Authentication Header can be used, with appropriate key management, to provide authentication of packets. This authentication is potentially important in packet classification within routers. The IPv6 Flow Identifier could act as a Low-Level Identifier (LLID). Used together, packet classification within routers becomes straightforward if the router is provided with the appropriate key material. For performance reasons the routers might authenticate only every Nth packet rather than every packet, but this is still a significant improvement over capabilities in the current Internet. Quality of service provisioning is likely to also use the Flow ID in conjunction with a resource reservation protocol, such as RSVP. Thus, the authenticated packet classification can be used to help ensure that each packet receives appropriate handling inside routers. 5.5 USE IN COMPARTMENTED OR MULTI-LEVEL NETWORKS A multi-level secure (MLS) network is one where a single network is used to communicate data at different sensitivity levels (e.g. Unclassified and Secret). Many governments have significant interest in MLS networking. [DIA] The IP security mechanisms have been designed to support MLS networking. MLS networking requires the use of strong Mandatory Access Controls (MAC) which ordinary users are incapable of controlling or violating. Mandatory Access Controls differ from Discretionary Access Controls in this respect. The Authentication Header can be used to provide strong authentication among hosts in a single-level network. The Authentication Header can also be used to provide strong assurance for both mandatory access control decisions in multi-level networks and discretionary access control decisions in all kinds of networks. If IP sensitivity labels are used and confidentiality is not considered necessary within the particular operational environment, the Authentication Header is used to provide authentication for the entire packet, including cryptographic binding of the sensitivity level to the IP header and user data. This is a significant improvement over labelled IPv4 networks where the label is trusted even though it is Atkinson [Page 15] Internet Draft Security Architecture for IP 23 March 1995 not trustworthy because there is no authentication or cryptographic binding of the label to the IP header and user data. The Encapsulating Security Payload can be combined with appropriate key policies to provide full multi-level secure networking. In this case each key must be used only at a single sensitivity level and compartment. For example, Key "A" might be used only for sensitive Unclassified packets, while Key "B" is used only for Secret/No-compartments traffic, and Key "C" is used only for Secret/No-Foreign traffic. The sensitivity level of the protected traffic must not dominate the sensitivity level of the key used to protect that traffic. In sensitive environments, appropriate organisational policies will dictate the actual key management policy and also the set of algorithms that are appropriate for use. In such environments, the ability to communicate between the Internet and the hosts handling sensitive data might not be desirable. Hence, systems only handling sensitive information might not implement the Internet standard algorithms and instead only have algorithms approved by appropriate policies for such use. Such systems would not be fully conforming to the IP Encapsulating Security Payload specification with regard to implementation of the mandatory Internet algorithm, but those users might not be concerned about that non-conformance. Encryption is very useful and desirable even when all of the hosts are within a protected environment. The Internet-standard encryption algorithm could be used, in conjuction with appropriate key management, to provide strong Discretionary Access Controls (DAC) in conjunction with either implicit sensitivity labels or explicit sensitivity labels (such as IPSO provides for IPv4 [Ken91]). Some environments might consider the Internet-standard encryption algorithm sufficiently strong to provide Mandatory Access Controls (MAC). Full encryption SHOULD be used for all communications between multi-level computers or compartmented mode workstations even when the computing environment is considered to be protected. 6. SECURITY CONSIDERATIONS This entire draft discusses the Security Architecture for the Internet Protocol. It is not a general security architecture for the Internet, but is instead focused on the IP layer. Users need to understand that the quality of the security provided by the mechanisms provided by these two IP security mechanisms depends completely on the strength of the implemented cryptographic algorithms, the strength of the key being used, the correct implementation of the cryptographic algorithms, the security of the Atkinson [Page 16] Internet Draft Security Architecture for IP 23 March 1995 key management protocol, and the correct implementation of IP and the several security mechanisms in all of the participating systems. The security of the implementation is in part related to the security of the operating system which embodies the security implementations. For example, if the operating system does not keep the private cryptologic keys (that is, all symmetric keys and the private asymmetric keys) confidential, then traffic using those keys will not be secure. If any of these is incorrect or insufficiently secure, little or no real security will be provided to the user. Because different users on the same system might not trust each other, each user or each session should usually be keyed separately. This will also tend to increase the work required to cryptanalyse the traffic since not all traffic will use the same key. Certain security properties (e.g. traffic analysis protection) are not provided by any of these mechanisms. One possible approach to traffic analysis protection is appropriate use of link encryption. [VK83] Users must carefully consider which security properties they require and take active steps to ensure that their needs are met by these or other mechanisms. Certain applications (e.g. electronic mail) probably need to have application-specific security mechanisms. Application-specific security mechanisms are out of the scope of this document. Users interested in electronic mail security should consult the RFCs describing the Internet's Privacy-Enhanced Mail system. Users concerned about other application-specific mechanisms should consult the online RFCs to see if suitable Internet Standard mechanisms exist. ACKNOWLEDGEMENTS Many of the concepts here are derived from or were influenced by the US Government's SDNS security protocol specifications, the ISO/IEC's NLSP specification, or from the proposed swIPe security protocol. [SDNS, ISO, IB93, IBK93] The work done for SNMP Security and SNMPv2 Security influenced the choice of default cryptological algorithms and modes. [GM93] Steve Bellovin, Steve Deering, Richard Hale, George Kamis, Phil Karn, Frank Kastenholz, Perry Metzger, Dave Mihelcic, Hilarie Orman and Bill Simpson provided careful critiques of early versions of this draft. REFERENCES [Atk95a] Randall Atkinson, IP Authentication Header, Internet Draft, draft-atkinson-ipng-auth-01.txt, 20 March 1995. [Atk95b] Randall Atkinson, IP Encapsulating Security Payload, Internet Draft, draft-atkinson-ipng-esp-01.txt, 20 March 1995. [BCCH94] R. Braden, D. Clark, S. Crocker, & C. Huitema, "Report of IAB Atkinson [Page 17] Internet Draft Security Architecture for IP 23 March 1995 Workshop on Security in the Internet Architecture", RFC-1636, DDN Network Information Center, June 1994. [BFC93] A. Ballardie, P. Francis, & J. Crocroft, "Core Based Trees: An Architecture for Scalable Inter-Domain Multicast Routing", Proceedings of ACM SIGCOMM 93, ACM Computer Communications Review, Volume. 23, Number 4, October 1993, pp. 85-95. [CB94] William R. Cheswick & Steven M. Bellovin, Firewalls & Internet Security, Addiwon-Wesley, Reading, MA, 1994. [DIA] US Defense Intelligence Agency, "Compartmented Mode Workstation Specification", Technical Report DDS-2600-6243-87. [DH76] W. Diffie & M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, November 1976, pp. 644-654. [EK94] D. Eastlake III & C. Kaufman, "Domain Name System Protocol Security Extensions", Internet Draft, March 1994. [GM93] J. Galvin & K. McCloghrie, Security Protocols for version 2 of the Simple Network Management Protocol (SNMPv2), RFC-1446, DDN Network Information Center, April 1993. [HA94] N. Haller & R. Atkinson, "On Internet Authentication", RFC-1704, DDN Network Information Center, October 1994. [Hin94] Bob Hinden (Editor), Internet Protocol version 6 (IPv6) Specification, draft-hinden-ipv6-spec-00.txt, October 1994. [ISO] ISO/IEC JTC1/SC6, Network Layer Security Protocol, ISO-IEC DIS 11577, International Standards Organisation, Geneva, Switzerland, 29 November 1992. [IB93] John Ioannidis and Matt Blaze, "Architecture and Implementation of Network-layer Security Under Unix", Proceedings of USENIX Security Symposium, Santa Clara, CA, October 1993. [IBK93] John Ioannidis, Matt Blaze, & Phil Karn, "swIPe: Network-Layer Security for IP", presentation at the Spring 1993 IETF Meeting, Columbus, Ohio. [Ken91] Steve Kent, US DoD Security Options for the Internet Protocol, RFC-1108, DDN Network Information Center, November 1991. [Ken93] Steve Kent, Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management, RFC-1422, DDN Network Atkinson [Page 18] Internet Draft Security Architecture for IP 23 March 1995 Information Center, 10 February 1993. [KB93] J. Kohl & B. Neuman, The Kerberos Network Authentication Service (V5), RFC-1510, DDN Network Information Center, 10 September 1993. [NS78] R.M. Needham & M.D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, Vol. 21, No. 12, December 1978, pp. 993-999. [NS81] R.M. Needham & M.D. Schroeder, "Authentication Revisted", ACM Operating Systems Review, Vol. 21, No. 1., 1981. [OTA94] US Congress, Office of Technology Assessment, "Information Security & Privacy in Network Environments", OTA-TCT-606, Government Printing Office, Washington, DC, September 1994. [Sch94] Bruce Schneier, Applied Cryptography, Section 8.6, John Wiley & Sons, New York, NY, 1994. [SDNS] SDNS Secure Data Network System, Security Protocol 3, SP3, Document SDN.301, Revision 1.5, 15 May 1989, published in NIST Publication NIST-IR-90-4250, February 1990. [VK83] V.L. Voydock & S.T. Kent, "Security Mechanisms in High-level Networks", ACM Computing Surveys, Vol. 15, No. 2, June 1983. DISCLAIMER The views expressed in this note are those of the author and are not necessarily those of his employer. The Naval Research Laboratory has not passed judgement on the merits, if any, of this work. The author and his employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this design. AUTHOR INFORATION Randall Atkinson Information Technology Division Naval Research Laboratory Washington, DC 20375-5320 USA Voice: (DSN) 354-8590 Fax: (DSN) 354-7942 Atkinson [Page 19]