PPP Working Group Pat R. Calhoun INTERNET-DRAFT 3Com Corporation Category: Internet Draft W. Mark Townsley Title: draft-ietf-pppext-l2tp-sec-00.txt IBM Corporation Date: June 1997 Expires: December 1997 Layer Two Tunneling Protocol "L2TP" Security Extensions for Non-IP networks Status of this Memo This document is an Internet-Draft. Internet-Drafts are working doc- uments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute work- ing documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months. Internet-Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet- Drafts as reference material or to cite them other than as a ``work- ing draft'' or ``work in progress.'' To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow Directories on ds.internic.net, nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au. Abstract The L2TP Document [1] defines the base protocol which describes the method of tunneling PPP [2] data. The spec states that the security mechanism used over an IP network is to use the IETF's IPSEC protocols. L2TP was designed in such a way as to be able to run over any underlying layer (i.e. Frame Relay, ATM, etc.). This document specifies extensions to the L2TP protocol in order to provide authentication and integrity of individual packets in a tunneled session over a non-IP network. It does not intend to provide a mechanism for encryption of packets. Calhoun expires January 1997 [Page 1] INTERNET DRAFT June 1997 1.0 Introduction The L2TP protocol specification describes that the IPSEC protocols MUST be used over an IP network. However, since L2TP can work over ANY link layer, there is no method of ensuring security over those links (if that link layer does not in turn provide its own security protocol). This document will describe how authentication of L2TP packets will be handled over non-IP networks. 1.1 Conventions The following language conventions are used in the items of specifi- cation in this document: o MUST, SHALL, or MANDATORY -- This item is an absolute requirement of the specification. o SHOULD or RECOMMEND -- This item should generally be followed for all but exceptional circumstances. o MAY or OPTIONAL -- This item is truly optional and may be followed or ignored according to the needs of the implementor. Calhoun expires January 1997 [Page 2] INTERNET DRAFT June 1997 2.0 L2TP Security Header Format The L2TP Header has been modified in order to accommodate the new Authentication extension. The header has a 'K' bit which indicates that the authentication extension is present in the header. This header is formatted: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |T|1|1|1|1|K|0| | Ver | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tunnel ID | Call ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ns | Nr | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Integrity Check | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Integrity Check | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Integrity Check | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Type AVP... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... (8 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ In order for the Authentication Extension to be present, the 'K' bit MUST be 1. The Initialization Vector field MUST contain a random 128 bit value. The MIC (Message Integrity Check) contains the most significant 96 bits of the HMAC-MD5 algorithm [3][4]. The behavior of the 'K' bit is identical on both the control and data channel. Calhoun expires January 1997 [Page 3] INTERNET DRAFT June 1997 2.0 Protection Against Attacks This section will define certain methods of protecting against specific known types of attacks. 2.1 Denial of Service Attacks There currently exists a Denial of Service Attack whereby a malicious host can issue a stream of Start-Control-Connection-Request messages to an L2TP host on a network. Although an implementation MUST time-out when a Start-Control-Connection-Connected has not been received within a given window, there is still a possibility that if the messages were received fast enough the L2TP host would deplete its Control Connection Control Blocks. This form of attack is aggravated when the malicious host sends the packets with a random source IP address. One form of protection against this attack is to have a local list of trusted hosts, however this does not scale very well when providing a roaming service from anywhere on the Internet. Furthermore, enforcing a security policy based on a source address is a very weak form of protection. Another method of protecting against this form of attack is to have the 'K' bit set in the initial Start-Control-Connection-Request message. The message would be signed with the common secret (or key, see below for more details). This scheme will ensure that only authenticated Start-Control-Connection-Requests will be accepted, making this type of attack very inconvenient for a malicious user to create. In order for this scheme to be successful, it is imperative that the base specification require that a base implementation which does not support any extensions MUST reject a Start-Control-Connection-Request message with a 'K' bit set. 2.2 Replay Attacks One common attack is the replay attack. This requires that a malicious user gain access to the network where packets are routed. Calhoun expires January 1997 [Page 4] INTERNET DRAFT June 1997 There are two different types of replay attacks in the current L2TP protocol. The first is that since a secret is a long lived key (known as the master key), a malicious user can retrieve the Stop-Control-Connection-Request message from two L2TP peers and replay it at a later date when an L2TP tunnel is active between both peers. This form of attack is further complicated by the fact that the malicious user must inject the packet when the sequence number in the replayed packet is within the window of the receiver. This can be achieved using a brute force type attack by constantly sending the packet until the L2TP host accepts it. One more complication for the malicious user is the fact that the Tunnel and Call identifiers MUST be the same in the new session being attacks. This is not impossible, but improbable if the Tunnel and Call IDs are randomly generated. The second type of attack occurs when a user attempts to replay data packets being tunneled. One good example of a packet to replay would be a LCP Terminate Request message from a previous session. In this case, again, the Tunnel and the Call IDs MUST be identical for the L2TP peer to accept the packet. However, if a malicious user was to simply snoop the network and replay valid data packets from the current session it could potentially create some form of denial of service for the user. A good example of such a packet would be a TCP FIN packet (which are very common when using the WEB which have many short-lived connections). Since most TCP implementations do not have random initial sequence numbers, this is a very simple attack. In order to protect against such an attack it is recommended that the L2TP flow control mechanism be enabled on the data path. This will offer protection since a replay packet would only be accepted once the window "rolled" over. 2.3 Compromise of the Master Key Since tunnels may be long-lived and frequent, it is possible for the master key to be compromised. A malicious user could gain many valid samples and given enough resources could guess the master key. This is a very serious problem which must be addressed. One possible and simple method to protect against this is to have both L2TP peers generate a session key when a tunnel is created. This key would be transmitted in the Calhoun expires January 1997 [Page 5] INTERNET DRAFT June 1997 Start-Control-Connection-Request and the appropriate -Reply message. Furthermore, a L2TP host would generate a new key whenever it's Sn value would "roll" over. This would create a new security association between both peers, and protect against compromise of the master key. This scheme would also protect against the replay of the data packet described above since the key would be changed once the Sequence number reached zero, making the replayed packet non- authenticated. 3.0 Security Association Negotiation This section will define the new message type and AVP which are required for the security extensions of the L2TP protocol. 3.1 Start-Control-Connection-Request/-Reply Session Key 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|0|0|0| Length | 0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ? | Encoded Session Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ A new AVP MAY be present in the tunnel initiation messages. When present, the L2TP peer is indicating that a session key is to be used to perform the message digest functions. It is encoded as the Attribute ?, Mandatory, with the indicated number of bytes representing the session key. This AVP is optional. When present the MIC in the L2TP header is computed using the decoded Session Key and the key is encoded as follows: encodedKey = MD5( IV | Master Key ) Xor Session Key and decoded as follows: decodedKey = MD5( IV | Master Key ) Xor encodedKey Calhoun expires January 1997 [Page 6] INTERNET DRAFT June 1997 3.1 Renegotiate-Security-Association The Renegotiate-Security-Association message type is an L2TP control message used to renegotiate a new security association. It can be sent after establishment of the control connection. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | L2TP Control Message Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Renegotiate Security Association | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session Key | +-+-+-+-+-+-+-+-+ Renegotiate-Security-Association 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|0|0|0| 8 | 0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0 | ? | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Message Type AVP contains a Value of ?, indicating Renegotiate-Security-Association. The Flags indicate a mandatory option. Details associated with this security renegotiation session follow in additional AVP's within the packet. Session Key 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|0|0|0| Length | 0 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ? | Encoded Session Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Session Key AVP contains a new session key for a control channel. It is encoded as the Attribute ?, Mandatory, with the indicated number of bytes representing the session key. This AVP is mandatory. Calhoun expires January 1997 [Page 7] INTERNET DRAFT June 1997 When present the MIC in the L2TP header is computed using the decoded Session Key and the key is encoded as follows: encodedKey = MD5( IV | Previous Key ) Xor Session Key and decoded as follows: decodedKey = MD5( IV | Previous Key ) Xor encodedKey 4.0 Acknowledgments I would like to thank Baiju Patel from Intel Corp. and Sumit Vakil for their assistance. 5.0 Contacts Pat R. Calhoun 3Com Corporation 1800 Central Ave. Mount Prospect, Il, 60056 pcalhoun@usr.com (847) 342-6898 W. Mark Townsley IBM Corporation 700 Park Office Drive Research Triangle Park, NC 27709 wmt@raleigh.ibm.com (919) 543-7522 6.0 References [1] K. Hamzeh, T. Kolar, M. Littlewood, G. Singh Pall, J. Taarud, A. J. Valencia, W. Verthein "Layer Two Tunneling Protocol (L2TP)", Internet draft, March 1997 [2] W. Simpson, "The Point-to-Point Protocol (PPP)", RFC 1661, 07/21/1994 [3] H. Krawczyk, M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997 [4] R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321, 04/16/1992 Calhoun expires January 1997 [Page 8]