Internet Engineering Task Force                              Vishwas Manral
Internet-Draft                                              IP Infusion Inc.
Intended status: Standards Track                               June 30, 2009
Expires: December 30, 2009

              MPLS-TP General Authentication TLV for G-ACH
                   draft-manral-mpls-tp-oam-auth-tlv-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 1, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Manral                   Expires July 30, 2008                  [Page 1]

Internet-Draft         Authentication TLV for ACH          December 2009

Abstract

   This document defines a new generalized authentication TLV, to be
   used in the ACH header RFC5586 [2].  It can be used in both MPLS and
   MPLS-TP networks.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

1.  Introduction

   The Generic Associated Channel (G-ACh) has been defined as a
   generalization of the pseudowire (PW) associated control channel to
   enable the realization of a control/communication channel associated
   with Multiprotocol Label Switching (MPLS) Label Switched Paths
   (LSPs), MPLS PWs, MPLS LSP segments, and MPLS sections between
   adjacent MPLS-capable devices.

   The G-ACh header is defined in [RFC5586] to augment maintenance
   functions in MPLS networks, especially when they are used for packet
   transport services and transport network operations.  Examples of
   these functions include performance monitoring, automatic protection
   switching, and support for management and signaling communication
   channels.

   The OAM requirements document states that "OAM messages MAY be
   authenticated to prove their origin and to make sure that they are
   destined for the receiving node".

   This document describes a generic way to provide origin
   authentication of application packets by defining a new G-ACh TLV.

2.  Procedures

   The location of the ACH Authentication TLV in the ACH header is shown
   below.  The TLV can be located anywhere in the ACH TLV header
   (preceded or followed by other TLVs).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0 0 0 1|Version|   Reserved    |         Channel Type          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        ACH TLV Header                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    ACH Authentication TLV                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                  zero or more other ACH TLVs                  ~
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Any Application Message                    |
   ~                    (i.e. Y.1731, BFD etc)                     ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The structure of the ACH Authentication TLV is as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Auth TLV Type         |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Auth Type   |   Auth Len    |  Auth Key ID  |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Auth Key/Digest...                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   ~                                                               ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   This is similar to the BFD Authentication defined in [3].  This
   section will be filled in a future version of the draft.

   Different applications, based on the Channel Type, may process the
   ACH Authentication TLV.  Each document that defines a channel type
   needs to specify whether processing of this TLV is optional or
   mandatory and what action is required.  An application that does not
   support data origin authentication can use this mechanism for that
   purpose instead of defining its own proprietary mechanism.

3.  Example Application

   [IEEE 802.1ag] and [ITU-T Y.1731] define OAM PDUs and procedures for
   Ethernet OAM.  However, they do not provide any data origin
   authentication mechanism.  The OAM extensions [4] use the mechanism
   for MPLS-TP networks.  However, no origin authentication mechanism is
   defined.  The ACH Authentication TLV can be used for this purpose.

4.  Security Considerations

   The extensions defined in this document allow an application using
   the ACH header to provide data origin authentication.  This can
   improve the security of packets in the network.

5.  IANA Considerations

   A new ACH TLV type is required in the G-ACh TLV header.  IANA is
   requested to allocate TLV type xxxx for the Generic Security TLV.

6.  Acknowledgements

   TBD.

7.  References

7.1.  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Bocci, M., Vigoureux, M., and S. Bryant, "MPLS Generic
        Associated Channel", RFC 5586, June 2009.

   [3]  Katz, D. and D. Ward, "Bidirectional Forwarding Detection",
        draft-ietf-bfd-base, August 2009.

7.2.  Informative References

   [4]  Vigoureux, M., Ward, D., and M. Betts, "Requirements for OAM in
        MPLS Transport Networks",
        draft-vigoureux-mpls-tp-oam-requirements, April 2009.

Authors' Addresses

   Vishwas Manral
   IP Infusion Inc.
   Bamankhola, Bansgali
   Almora, Uttaranchal - 263601
   India
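As a worked illustration of the TLV layout in Section 2 and of the checks a receiver performs before trusting a packet, the following Python is added here and is not part of this draft. Because the draft leaves the TLV type to IANA ("xxxx") and defers the authentication procedure to a future version, the TLV type value, the Auth Type code, the use of HMAC-SHA256, the RFC 5586 reading of Length as the value length in octets, and the rule that the digest is computed with the Auth Key/Digest field zeroed are all assumptions modelled on BFD keyed-hash authentication [3]; the sequence-number check rejects replays of earlier packets.

```python
import hashlib
import hmac
import struct

# Assumed values: the draft leaves the TLV type to IANA ("xxxx") and defines no
# Auth Type registry, so these are constructed placeholders, not assigned codes.
AUTH_TLV_TYPE = 0xFFFF        # placeholder for the IANA-assigned Generic Security TLV type
AUTH_TYPE_HMAC_SHA256 = 1     # assumed Auth Type code for HMAC-SHA256
DIGEST_LEN = 32               # Auth Len for a SHA-256 digest
FIXED_LEN = 8                 # Auth Type, Auth Len, Auth Key ID, Reserved, Sequence Number


def build_auth_tlv(key_id, seq, digest):
    """Encode the draft's layout: Auth TLV Type(16) | Length(16) | Auth Type(8) |
    Auth Len(8) | Auth Key ID(8) | Reserved(8) | Sequence Number(32) | Auth Key/Digest.
    Length is taken (assumption, as for RFC 5586 TLVs) as the value length in octets."""
    value = struct.pack("!BBBBI", AUTH_TYPE_HMAC_SHA256, len(digest), key_id, 0, seq) + digest
    return struct.pack("!HH", AUTH_TLV_TYPE, len(value)) + value


def mac_over(key, key_id, seq, app_msg):
    """Assumed procedure (modelled on BFD keyed-hash authentication): the MAC covers
    the TLV with its digest field zeroed plus the application message that follows."""
    zeroed = build_auth_tlv(key_id, seq, b"\x00" * DIGEST_LEN)
    return hmac.new(key, zeroed + app_msg, hashlib.sha256).digest()


def sign_message(key, key_id, seq, app_msg):
    """Sender side: Authentication TLV (digest filled in) followed by the message."""
    return build_auth_tlv(key_id, seq, mac_over(key, key_id, seq, app_msg)) + app_msg


def verify_message(keys, last_seq, packet):
    """Receiver side.  Returns (accepted, new_last_seq).  Rejects malformed TLVs,
    unknown key IDs, replayed or out-of-order sequence numbers, and bad digests."""
    if len(packet) < 4:
        return False, last_seq
    tlv_type, length = struct.unpack("!HH", packet[:4])
    if tlv_type != AUTH_TLV_TYPE or length < FIXED_LEN or len(packet) < 4 + length:
        return False, last_seq
    auth_type, auth_len, key_id, _reserved, seq = struct.unpack("!BBBBI", packet[4:12])
    if auth_type != AUTH_TYPE_HMAC_SHA256 or auth_len != DIGEST_LEN or length != FIXED_LEN + auth_len:
        return False, last_seq
    digest = packet[12:12 + auth_len]
    app_msg = packet[4 + length:]
    key = keys.get(key_id)
    if key is None or seq <= last_seq:   # unknown key or replay: drop without updating state
        return False, last_seq
    if not hmac.compare_digest(mac_over(key, key_id, seq, app_msg), digest):
        return False, last_seq
    return True, seq                     # only an authenticated packet advances last_seq
```

The receiver advances its stored sequence number only after the digest verifies, so a forged packet with a large sequence number cannot lock out legitimate traffic.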