IETF P. McCann
Internet-Draft
Intended status: Standards Track S. Gilbert
Expires: June 10, 2011 Motorola, Inc.
December 7, 2010
Authenticated Middlebox Traversal with the Pickle Packet
draft-mccann-picklepacket-01
Abstract
This document describes the Pickle Packet, a message that can be used
to coordinate the opening of a transport connection with various
middleboxes that may lie on the path. It contains the DNS names of
both the initiator and the responder of the connection and some
authentication data. Because the authentication data uses public key
cryptography, any middlebox can independently authenticate the
initiator and make a policy decision whether to allow or deny the
flow based on the DNS names. The Pickle Packet allows for
middleboxes to establish state such as firewall pinholes or security
associations that can be used to filter out unwanted traffic.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 10, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
McCann & Gilbert Expires June 10, 2011 [Page 1]
�
Internet-Draft Pickle Packet December 2010
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Bearer Packet Filtering . . . . . . . . . . . . . . . . . 3
1.1.1. Filter using Network and Transport Header . . . . . . 3
1.1.2. Attack Detection Through Counting Packets . . . . . . 4
1.1.3. Filter Using Cookie Value . . . . . . . . . . . . . . 4
1.1.4. Cryptographic Header MAC . . . . . . . . . . . . . . . 4
1.1.5. Cryptographic Header and Payload MAC . . . . . . . . . 5
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 5
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5
3. Pickle Packet Structure . . . . . . . . . . . . . . . . . . . 10
3.1. Payload Block Types . . . . . . . . . . . . . . . . . . . 14
3.1.1. Message Source/Destination Block . . . . . . . . . . . 14
3.1.2. Vouch-by-Reference Information Block . . . . . . . . . 18
3.1.3. Point-of-Contact Address Block . . . . . . . . . . . . 19
3.1.4. Binding Distribution Restriction Block . . . . . . . . 22
3.1.5. Authentication Results/Request . . . . . . . . . . . . 24
3.1.6. Application Data Block . . . . . . . . . . . . . . . . 27
3.1.7. Public Key Signature Block . . . . . . . . . . . . . . 27
3.1.8. Symmetric Key Signature Block . . . . . . . . . . . . 29
3.1.9. Symmetric Key Encryption Parameters Block . . . . . . 31
3.1.10. Pickle Fragment Block . . . . . . . . . . . . . . . . 32
4. Domain Name System Binding . . . . . . . . . . . . . . . . . . 32
4.1. Representation of Public Keys in DNS . . . . . . . . . . . 32
4.2. Vouch-by-Reference Records . . . . . . . . . . . . . . . . 34
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
7. Security Considerations . . . . . . . . . . . . . . . . . . . 35
8. Normative References . . . . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
McCann & Gilbert Expires June 10, 2011 [Page 2]
�
Internet-Draft Pickle Packet December 2010
1. Introduction
1.1. Bearer Packet Filtering
A middle box which processes pickle packets can be used to ensure
that packets which are unwanted by the destination host are either
filtered out or forwarded using a lower packet scheduling priority
than packets which are wanted. Unwanted packets could consist of
those from malicious or infected senders which are part of a Denial-
of-Service (DoS) attack, or they may be from legitimate senders but
sent when either a communication channel on the path or the
destination host are congested. Compatibility with senders not
capable of generating pickle packets is possible using a lenient
filtering policy which forwards their packets with a lower scheduling
priority. To prevent congestion of a particular communication
channel by a DoS attack, a middlebox may be located just prior to
that channel. This is shown in Figure 1.
+--------------+
|sources of DoS|
|attack packets|
+--------------+
|
|
+--------+ V congestible +-----------+
|original| +----------+ +---------+ channel |ultimate |
|sender |-->|IP network|-->|middlebox|-------------->|destination|
+--------+ +----------+ +---------+ +-----------+
Figure 1: Middlebox Mitigates Traffic Congestion DoS Attack
Several mechanisms are supported for packet filtering. When no
network congestion is detected along the path and end host, and no
attack is believed to be occurring, middleboxes may use lightweight
mechanisms to identify those packets which have been authorized for
forwarding. If a middlebox or the end host detects congestion or an
attack, it may signal the sender to indicate that a more robust
technique should be used to identify its packets as part of a desired
traffic flow. These mechanisms are described below.
1.1.1. Filter using Network and Transport Header
Once a flow is authorized, the middlebox can simply open a pinhole
for that flow with no additional security. This would provide a
basic level of assurance similar to existing firewalls that protect
private networks by requiring a node on the inside to initiate a
connection and refusing all outside-initiated connections. The IP
source and destination addresses, the transport protocol ID, and the
McCann & Gilbert Expires June 10, 2011 [Page 3]
�
Internet-Draft Pickle Packet December 2010
source and destination port numbers of UDP or TCP packets (the five-
tuple) can be used to identify packets which are part of a desired
flow. If the middlebox detects that some malicious node has learned
the five-tuple parameters and is exploiting a pinhole to send DoS
traffic, it can escalate the protection to one of the mechanisms
outlined below.
1.1.2. Attack Detection Through Counting Packets
An ESTABLISH pickle packet received by a middlebox contains PCOUNT,
the number of subsequent DATA or BARE packets of the traffic flow
which the middlebox may forward without having received another
ESTABLISH pickle packet for the flow. The middlebox should maintain
a count of the number of remaining packets which may be forwarded.
If the count reaches zero, local policy of the middlebox should be
used to determine whether the subsequent packets on that flow should
be dropped or should be forwarded using low packet scheduling
priority. Under normal circumstances the count of subsequent packets
which are authorized to be forwarded should not reach zero. The
original packet sender is responsible for sending enough ESTABLISH
packets and high enough PCOUNT values so that under the expected
packet loss rates the authorized packets are allowed to traverse the
middlebox. If the middlebox detects packets of an authorized flow
being deprioritized or dropped due to the count value reaching zero,
it should decide whether a DoS attack is suspected and if so, it can
escalate the protection to one of the mechanisms outlined below. The
packet count attack detection mechanism may be used in combination
with other techniques.
1.1.3. Filter Using Cookie Value
Because an off-path attacker may learn the five-tuple, a slightly
more robust protection mechanism is for the middlebox to demand that
the sender insert a chosen number (a "cookie" value) into all DATA
packets. This would enable the middlebox to quickly recognize which
packets were generated by someone with access to the data path, and
which came from weak off-path attackers. A packet of the flow which
does not contain the expected cookie value in the DATA packet header
would be treated as non authentic and the middlebox would update its
estimate regarding whether or not an attack is occurring.
1.1.4. Cryptographic Header MAC
An on-path attacker may be able to read the cookie value from packets
in flight. A more robust but more computationally expensive approach
is to distribute a shared secret between the sender and the
middlebox, and to construct a Message Authentication Code (MAC) that
covers the header fields of the DATA packets. This value would
McCann & Gilbert Expires June 10, 2011 [Page 4]
�
Internet-Draft Pickle Packet December 2010
change on every DATA packet and so it would be difficult for an
attacker to construct a new packet that would validate. The
inclusion of a nonce value in the header would prevent the attacker
from replaying valid packets, if the middlebox can keep state about
previously seen packets. However, an attacker with the power to
intercept, delay, and/or drop valid packets might be able to use the
header hash to attach a different payload to the message. To defend
against these forms of DoS attack, a MAC over the header and payload
is required, as described below.
1.1.5. Cryptographic Header and Payload MAC
This approach also relies on a shared secret distributed between
sender and middlebox, but here the MAC covers the entire packet, not
just the header. Combined with a nonce in the header, and if the
middlebox has the ability to keep state about the packets that have
already been seen, this technique would make it extremely difficult
for an attacker to spoof a valid data packet or to replay a valid
data packet and have it accepted by the middlebox. This technique
would be the most robust but also the most computationally expensive.
1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
2. Protocol Overview
The message sequence chart in Figure 2 shows an example of the
signaling which occurs when a pickle packet capable client begins a
TCP session with a pickle packet capable server. The path traversed
by bearer packets includes middlebox 1, which is near the client, and
middlebox 2, which is near the server. In this example the entities
are assumed to have not communicated recently and therefore
information which could be locally cached must instead be retrieved
from a remote entity. Cacheable information includes: the public key
of an entity which is looked up at a DNS server; the reputation of an
entity which is looked up at the vouching service; and a shared
secret created by a Diffie Hellman key exchange between a pair of
network entities and used to create message authentication codes sent
between them. In this section comments will given regarding the
messages of the example to help explain the operation of the
protocol.
McCann & Gilbert Expires June 10, 2011 [Page 5]
�
Internet-Draft Pickle Packet December 2010
Network Entities and their symbolic identifiers:
Client.net Mbox1 DNSc Vouch DNSs Mbox2 Server.net
C M1 Dc V Ds M2 S
Sequence of Messages:
Left Dir Right msg# content
-----------------------------
M2 <- S 1) REGISTER (S,Ds)
Ds <- M2 2) Lookup Server.net
Ds -> M2 3) Public Key PKs
V <- M2 4) Lookup Server.net
V -> M2 5) Good reputation: Server.net
M2 -> S 6) REFLECT (M2,S) external IP
Ds <- S 7) Lookup Mbox2.net
Ds -> S 8) Public Key PKm2
V <- S 9) Lookup Mbox2.net
V -> S 10) Good reputation: Mbox2.net
M2 <- S 11) REGISTER (S,M2) external IP
Ds <- M2 12) REGISTER (M2,Ds) external IP
Ds -> M2 13) REFLECT (Ds,M2) registered
M2 -> S 14) REFLECT (M2,S) registered
Steps 1) through 14) by S, M2, and Ds
may also be performed by C, M1, and Dc if
C wants to receive inbound connection
attempts.
C -> Ds 15) lookup Server.net
C <- Ds 16) IP w.x.y.z Public Key PKs
C -> M1 17) ESTABLISH (C, S) TCP SYN
C <- M1 18) REFLECT (M1, C)
M1 -> M2 19) ESTABLISH (M1, S) TCP SYN
Dc <- M2 20,21) lookup mbox1.net, client.net
Dc -> M2 22,23) Public KeysPKm1, PKc
V <- M2 24,25) Lookup client.net, mbox1.net
V -> M2 26) Good reputation: client.net, mbox1.net
M1 <- M2 27) REFLECT (M2, M1)
M2 -> S 28) ESTABLISH (M2, S) TCP SYN
M2 <- S 29) REFLECT (S, M2) SYN ACK
M1 <- M2 30) REFLECT (M2, M1) SYN ACK
C <- M1 31) REFLECT (M1, C) SYN ACK
Figure 2: Message Sequence Chart If Parties Initially Unknown to Each
Other
1) The first REGISTER message is sent by Server.net towards the DNS
server which it is configured to use in order to bind its name to its
McCann & Gilbert Expires June 10, 2011 [Page 6]
�
Internet-Draft Pickle Packet December 2010
current IP address. Along the way, the REGISTER discovers pickle
packet middle boxes. Registering via Mbox2 also tells the middlebox
that Server.net is capable of processing pickle packets at the
included address and that the middlebox does not need to act as a
pickle packet proxy. Message 1 contains a pickle packet header as
shown in Section 3, in which the message type field is REGISTER, the
message source and destination block is included and its field values
(shown in Section 3.1.1) are Server.net, and DNSs. The Point-of-
Contact Block shown in Figure 6 is also included. The DNS server
which Server.net is configured to use should be on a network
accesible to all clients with which Server.net wants to communicate,
e.g., it should be on the public Internet. Middlebox M2 is on the
path between Server.net and the public Internet so it will intercept
and process the REGISTER message.
2) Because Mbox2 has had no previous contact with Server.net, Mbox2
sends message 2 to request the public key of Server.net from the DNS
server. Mbox2 uses the public key to validate the Address
Registration Block.
3) The public key of Server.net is returned from the DNS server. The
public key is protected either with DNSSEC or DNSCurve to validate
the binding between the name and public key.
4,5) Mbox2 checks the reputation vouching service regarding
Server.net and determines that it is not believed to be an infected
or malicious host. If the reputation had been bad, Mbox2 may use
local policy information to decide that Server.net should be
prevented from sending or receiving traffic via Mbox2 until
remediation steps have been taken and the reputation has improved.
6) The REFLECT message from Mbox2 to Server.net contains a Point-of-
Contact Address Block (whose format is shown in Figure 6) which in
this example has a registration Status Code (Table 4) of MIDBOX which
indicates that Mbox2 is performing IP address translation for packets
traversing it and that the registration message was not forwarded to
the DNS server. The IP address, protocol, and port number
information on the external interface of Mbox2 is returned in the PoC
Address Block, so that Server.net can resubmit the registration
request with this updated point of contact information in a new
request.
7,8) Because Server.net has had no previous contact with Mbox2,
Server.net sends message 7 to the DNS server to request the public
key of MBox2 and receives the response in message 8.
9,10) Because Server.net has had no prior contact with Mbox2 and does
not know its reputation, Server.net chooses a vouching service which
McCann & Gilbert Expires June 10, 2011 [Page 7]
�
Internet-Draft Pickle Packet December 2010
Mbox2 had indicated would vouch for it in its Address Registration
Reply Block of Message 6. The vouching service selected is one of
which Server.net was already aware and which it trusts. The response
indicates that Mbox2 has a good reputation.
11) Server.net sends a new registration request to the IP address of
the DNS server, DNSs. The pickle-layer message source and
destination block (Section 3.1.1) is included. This time its
destination field value is set to Mbox2 because Server.net knows that
Mbox2 will be the first middlebox to process the pickle packet
containing the registration request and that the field should be set
correctly to enable the use of Message Authentication Codes between
adjacent pickle packet capable entities in the hop by hop processing
of a pickle packet.
12) Mbox2 performs its role as a Network Address Translater and also
processes the pickle packet Registration request, updating the
pickle-layer message source and destination fields to Mbox2 and DNSs.
It forwards a REGISTER on to DNSs.
13) DNSs sends a REFLECT message (Table 2) to Mbox2 containing the
Point-of-Contact Address Block (Figure 6) which has a registration
Status Code (Table 4) of ACCEPTED, indicating that DNSs has accepted
the registration and will publish the binding for Server.net. The
Reply Block contains the Point of Contact IP Address, Protocol, Port
Number, the Public Key, and the Name of DNSs.
14) MBox2 propagates the REFLECT on to Server.net.
Note that Client.net may perform signaling (not shown explicitly in
Figure 2) comparable to that performed by Server.net in messages 1
through 14, if it wants to be reachable by incoming ESTABLISH
messages.
15) Client.net decides that it wants to open a connection to
Server.net. It starts by looking up Server.net's IP address and
public key. The public key and IP address binding is protected
either with DNSSEC or DNSCurve to prevent tampering.
16) Ds returns the public key and IP address of Server.net.
17) Client.net sends an ESTABLISH message toward the IP address
returned from DNS, including itself as source and Server.net as
destination in the Message Source/Destination block (shown in
Section 3.1.1). It includes the name of a vouching service that will
vouch for it in a Vouch-by-Reference Information block
(Section 3.1.2). It signs the message with its public key by
including a Public Key Signature block (Section 3.1.7). The message
McCann & Gilbert Expires June 10, 2011 [Page 8]
�
Internet-Draft Pickle Packet December 2010
is encapsulated inside a TCP SYN segment.
18) Mbox1 intercepts the ESTABLISH message and validates the public
key signature of Client.net. Mbox1 may need to query the DNS for
Client.net's public key and reputation (not shown), or it may already
have a relationship established with Client.net. It decides that it
wants to see symmetric key MACs on the subsequent DATA packets from
Client.net. It returns A REFLECT with an Authentication Restuls/
Request block (Section 3.1.5) containing the client's Flow Nonce and
a forward HMAC Request payload using the format shown in Figure 13.
On the other hand, if Mbox1 doesn't need to check DATA packets for
authenticity, message 18 may be omitted.
19) After validating Client.net's ESTABLISH message, Mbox1 constructs
its own ESTABLISH message by inserting a new Message Source/
Destination block at the top of the message (containing its own name
as the source and Server.net as the destination) and appending a
Vouch-by-Reference Information block, an Authentication Results/
Request block, and a Public Key Signature block to the end of the
message (after Client.net's Public Key Signature block). It sends
the ESTABLISH on toward Server.net.
20-26) Mbox2 intercepts the ESTABLISH message on its way to
Server.net. At this point the ESTABLISH message contains the names
and signatures of both Client.net and Mbox1. Mbox2 queries the DNS
to retrieve the public keys of Client.net and Mbox1, and makes a
policy decision about whether either is allowed to establish
connections to Server.net. To do so, it may choose one or more of
the vouching services given in either Vouch-by-Reference Information
block and send additional reputation queries to those vouching
services.
27) Mbox2 decides that it wants to see symmetric key MACs from Mbox1
on all DATA packets. It sends a REFLECT back to Mbox1 containing a
Mac Request payload using the format shown in Figure 13. On the
other hand, if Mbox2 doesn't need to check DATA packets for
authenticity, message 27 may be omitted.
28) Mbox2 inserts its own Message Source/Destination block at the top
of the message and appends its own Vouch-by-Reference Information,
Authentication Results/Request, and Public Key Signature to the
ESTABLISH and forwards it on to Server.net.
29) Server.net decides to accept the connection (possibly after
retrieving public keys and checking reputations for Client.net,
Mbox1, and Mbox2) and sends a REFLECT encapsulated in a TCP SYN ACK
segment back to Mbox2. It inserts a Message Source/Destination block
at the top of the message with Source=Server.net and
McCann & Gilbert Expires June 10, 2011 [Page 9]
�
Internet-Draft Pickle Packet December 2010
Destination=Client.net, and copies all of the blocks from the
ESTABLISH message into a REFLECT which it then sends back toward
Mbox2.
30) Mbox2 passes the REFLECT on to Mbox1.
31) Mbox1 passes the REFLECT on to Client.net, and data traffic may
proceed.
The 31 messages depicted in Figure 2 may seem like a lot of overhead.
However, keep in mind that two separate activities are described: in
the first, Server.net makes its point-of-contact known to Mbox2 and
the rest of the network. In the second, Client.net is establishing a
connection. Note that the DNS lookups performed by Client.net at the
beginning of the connection are necessary today, even without the
pickle packet protocol; we merely include some additional information
(public keys). Also, the ESTABLISH message happens at the same time
as the TCP SYN would in the non-pickle packet case, and middleboxes
that don't want to validate subsequent DATA packets don't need to
generate the REFLECT messages numbered 18 and 27. The DNS queries
for public keys and reputations in messages 20-26 are likely to be
comparable to what a server that is logging connections does today
(i.e., TCPWrappers or webserver logs). Finally, the final set of
REFLECT messages that travel from Server.net to Client.net are
piggybacked on the TCP SYN ACK and do not add any additional round-
trips.
3. Pickle Packet Structure
Pickle Packets masquerade as ordinary transport packets belonging to
the flow for which they apply. Signaling information is included by
starting the transport payload with a magic number, 0x501c4ble. This
embedding into the transport payload can be thought of as a way to
extend the transport options field for those transports that have one
or to insert a transport options field for those transports that do
not. The extension is not backwards compatible with existing
transport implementations; it MUST be used only when the sender is
assured that it will be stripped out before the packet is presented
to the transport layer implementation. The pickle header appears
exactly once at the start of each transport segment data and does not
count as payload for the purpose of calculating transport header
sequence numbers. Ordinary bearer data that does not begin with the
magic number and that doesn't require any additional protection (such
as pickle-layer cookies, MACs, or encryption) may be sent exactly as
they are today, with no additional pickle-layer overhead. These are
called BARE packets.
McCann & Gilbert Expires June 10, 2011 [Page 10]
�
Internet-Draft Pickle Packet December 2010
A pickle packet that does contain signaling, cookies, MACs, encrypted
payload, or payload that begins with the magic number is shown in
Figure 3.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// IP Header //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Transport Header //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pickle Packet Magic Number (0x501c4b1e) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Msg Type |M|S|H| L | Rsvd| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Timestamp (If S=0, not present) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message ID/Nonce (If S=0 & M=0 & FragOffset=0, not present) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| Fragment Signature |
+ If S=0, this is not present. +
| If L=00, this is only 4 bytes. |
+ If L=01, this is 12 bytes. +
| If L=10, this is 20 bytes (as shown). |
+ If L=11, this is 32 bytes +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// //
// Fragment Payload Data //
// //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Layout of a Pickle Packet
The first four bytes are the Pickle Packet Magic Number, which
indicates that the remainder of the packet should be interpreted as a
pickle packet. The next four bytes in the pickle packet are a Cookie
value that can be used to filter packets or otherwise identify a flow
and an associated security context. The Message Type field is one
byte. The next octet is a flags field with 5 bits currently assigned
meaning and 3 bits reserved. The 'M' (More Fragments) bit is set to
1 if there are more fragments to follow this one. The 'S' (Signature
McCann & Gilbert Expires June 10, 2011 [Page 11]
�
Internet-Draft Pickle Packet December 2010
Present) bit is set to 1 if a Fragment Signature is present. The 'H'
(Header Cover Only) controls whether the Fragment Signature is
calculated over the entire message ('H'=0, starting with the Pickle
Packet Magic Number and ending with the last octet of Fragment
Payload Data, treating the Fragment Signature as all-zeroes for the
purpose of calculating the HMAC) or just the header fields ('H'=1,
covering the Pickle Packet Magic Number though the Message ID/Nonce).
The two 'L' (Signature Length) bits control the length of the
Fragment Signature field. L0 is the left bit and L1 is the right
bit. The meaning of different combinations of these bits is shown in
Table 1.
+----+----+---------------------------------------------------------+
| L0 | L1 | Description |
+----+----+---------------------------------------------------------+
| 0 | 0 | Fragment Signature is the first 4 octets of an |
| | | HMAC-SHA-1. |
| 0 | 1 | Fragment Signature is the first 12 octets of an |
| | | HMAC-SHA-1. |
| 1 | 0 | Fragment Signature is all 20 octets of an HMAC-SHA-1. |
| 1 | 1 | Fragment Signature is all 32 octets of an HMAC-SHA-256. |
+----+----+---------------------------------------------------------+
Table 1: Fragment Signature Size Options
When 'S'=0, the values of the 'L' bits are reserved for future use
and 'L' MUST be set to 00 and MUST be ignored upon receipt by
implementations that conform to this version of the specification.
The Fragment Offset field is a 16-bit integer describing the offset
of the first byte of the fragment payload within the larger pickle
packet message, in units of 8 octets. All fragments of the same
message MUST have the same Message Type, Message Timestamp (if
present), Message ID/Nonce, and the same setting for the 'S', 'H',
and 'L' bits.
The Fragment Signature, when present ('S'=1) is the (possibly
truncated) output of an HMAC. The HMAC uses a key derived from the
shared secret generated from ECDH on the two keypairs indexed by the
enclosed Message Source/Destination Block. If no Message Source/
Destination Block is included, then the HMAC key is indicated by the
Cookie value in the header (see Section 3.1.1). The HMAC covers the
data fields as given by the 'H' bit.
The Message Timestamp is a 32-bit value representing the number of
seconds since midnight UTC on January 1, 1970 at the time the message
was generated. It is omitted if a signature is not present ('S' is
McCann & Gilbert Expires June 10, 2011 [Page 12]
�
Internet-Draft Pickle Packet December 2010
zero). The Message ID/Nonce is used both to identify different
fragments of the same message as well as to provide freshness for the
calculation of the Fragment Signature. It is omitted if neither
signatures nor fragmentation is in use ('S' is zero AND 'M' is zero
AND Fragment Offset is zero).
Allowed message types are given in Table 2.
+------+-----------+------------------------------------------------+
| Msg | Name | Description |
| Type | | |
+------+-----------+------------------------------------------------+
| n/a | BARE | A plain packet of the given transport |
| | | protocol, with no pickle fields. If pickle |
| | | packets are multiplexed on the same transport |
| | | connection, the transport payload of a BARE |
| | | packet MUST NOT begin with 0x501c4b1e. |
| 1 | REGISTER | Publish a DNS entry with contact information, |
| | | and/or create forwarding state at intervening |
| | | middleboxes. This message MUST have 'S'=1, |
| | | 'H'=0, and 'L'=10 or 11. |
| 2 | ESTABLISH | Create state at each middlebox along the path. |
| | | This message MUST have 'S'=1, 'H'=0, and |
| | | 'L'=10 or 11. |
| 3 | REFLECT | Response to ESTABLISH, gives the recipient |
| | | identity information for downstream |
| | | middleboxes. This message MUST have 'S'=1, |
| | | 'H'=0, and 'L'=10 or 11. |
| 4 | DATA | Contains a pickled fragment of a transport |
| | | data segment encapsulated in an Application |
| | | Data Block Header (and possibly other block |
| | | types). This message may have any setting of |
| | | 'S', 'H', and 'L' bits that are acceptable to |
| | | the recipient. |
| 5 | RAWDATA | Contains a pickled fragment of a transport |
| | | data segment with no encapsulating block |
| | | header (note that RAWDATA still contains the |
| | | pickle packet header given in Figure 3). This |
| | | message may have any setting of 'S', 'H', and |
| | | 'L' bits that are acceptable to the recipient. |
+------+-----------+------------------------------------------------+
Table 2: Pickle Packet Message Types
McCann & Gilbert Expires June 10, 2011 [Page 13]
�
Internet-Draft Pickle Packet December 2010
3.1. Payload Block Types
Except for a BARE packet or a RAWDATA packet, a message consists of
one or more blocks, each of which is in Type, Length, Value format.
The Block Type field comes first and is 2 bytes long followed by a 2
byte Length field followed by Length number of value bytes. The
Block Type and Length fields are NOT included when calculating
Length. The allowed block types are shown in Table 3.
+------------+-----------------------------------------------------+
| Block Type | Name |
+------------+-----------------------------------------------------+
| 0x0001 | Message Source/Destination (Section 3.1.1) |
| 0x0002 | Vouch-by-Reference Information (Section 3.1.2) |
| 0x0003 | Point-of-Contact Address (Section 3.1.3) |
| 0x0004 | Binding Distribution Restriction (Section 3.1.4) |
| 0x0005 | Authentication Results/Request (Section 3.1.5) |
| 0x0006 | Application Data (Section 3.1.6) |
| 0x0007 | Public Key Signature (Section 3.1.7) |
| 0x0008 | Symmetric Key Signature (Section 3.1.8) |
| 0x0009 | Symmetric Key Encryption Parameters (Section 3.1.9) |
| 0x000a | Pickle Fragment (Section 3.1.10) |
+------------+-----------------------------------------------------+
Table 3: Block Types
The following subsections give the format of each block type.
3.1.1. Message Source/Destination Block
The Message Source/Destination block gives the name of the message
sender (a previous middlebox, possibly the original sender) and the
message recipient (one of the following middleboxes, possibly the
ultimate destination). These fields index the two keypairs used to
derive the symmetric key used in the Fragment Signature calculation.
McCann & Gilbert Expires June 10, 2011 [Page 14]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = Msg Src/Dest | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Flow Nonce +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Source DNS Name //
// (includes key selector and "_pickle") //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Destination DNS Name //
// (includes key selector and "_pickle") //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Message Source/Destination Block
The Flow Nonce is a 64-bit number chosen by the Source. Each DNS
Name MUST be of the form "selector._pickle.name.example.com", where
"selector" is a string of DNS labels pointing to a particular public
key, "_pickle" is the literal label "_pickle", and "name.example.com"
is a hostname. Each DNS name is a NULL-terminated string with ASCII
"." characters separating the labels. The final label of each name
may or may not have a terminating "." before the NULL. The NULL-
terminated Destination DNS Name is followed by an additional zero to
three NULL characters to align it on a 4-byte boundary. Each of
Source and Destination DNS Name can be used to lookup a TXT record
containing a public key. The format of the TXT record is given in
Section 4. Each node wishing to receive incoming connections MUST
publish a DNS TXT record at an empty selector (the name
"_pickle.name.example.com") containing its most preferred public key
and a Challenge value. This record MAY in turn point to a next-
preferred public key and Challenge value and so on.
The sender MUST ensure that the Source and Destination DNS Name
fields point at two compatible (same named curve) public keys both of
whose usage fields are set to "keyAgreement". The Cookie value of
the initial message of a flow is set to the low-order 32 bits of the
Challenge (c=) value from the TXT record indicated by Destination DNS
Name.
Before initiating a flow, the Source looks up a compatible
Destination's public key TXT record and computes a long term shared
McCann & Gilbert Expires June 10, 2011 [Page 15]
�
Internet-Draft Pickle Packet December 2010
secret (LTSS) by running Elliptic Curve Cofactor Diffie-Hellman (as
specified in Section 5.7.1.2 of NIST SP 800-56A [2]) on its own
private key and the Destination's public key. This is a static (non-
ephemeral) Diffie-Hellman computation. The Sender then chooses a
random 64-bit Flow Nonce of its own, and computes a 64 octet Master
Session Key (MSK) by computing:
SHA-512( 0x00000001 || LTSS || "Pickle MSK" || IDu || FNu ||
IDv || CHv )
Here 0x00000001 is 3 zero octets followed by a single octet with
value 1; LTSS is the Long-Term Shared Secret resulting from ECDH;
"Pickle MSK" is the literal ASCII string; IDu is two bytes indicating
the length (big-endian) of the Source DNS Name followed by the actual
Source DNS Name encoded in the same manner it appeared in the Message
Source/Destination Block; FNu is the Flow Nonce chosen by the Source
(which appears in the Flow Nonce field of the Message Source/
Destination block); IDv is two bytes indicating the length (big-
endian) of the Destination DNS Name followed by the actual
Destination DNS Name encoded in the same manner it appeared in the
Message Source/Destination Block; and CHv is the Challenge value that
appeared in the Destination's TXT public key record. This Key
Derivation Function (KDF) is compliant with the form given in Section
5.8.1 of NIST SP 800-56A [2].
To compute the fragment signature, the Source derives an HMAC key
from the MSK by computing
SHA-512( 0x00000001 || MSK || "Pickle HMAC Key" )
and truncating the value so that it is the same length as the hash
function used to compute the fragment signature (i.e., 20 octets when
L=00, 01, or 10, and 32 octets when L=11). When truncating, the
high-order (left-most) octets are removed so that the least-order 20
or 32 octets remain.
The first message from a Source to a Destination always uses the low-
order 32 bits from the Destination's Challenge value in the Cookie
field of the pickle packet header, and always includes a Message
Source/Destination Block. However, upon receiving a response from
the Destination (or a middlebox on the path to the Destination) that
includes a Flow Nonce chosen by the Destination (or middlebox),
subsequent messages include the low-order 32 bits of the new Flow
Nonce in the Cookie field, and recompute the MSK using the new Flow
Nonce in place of the Challenge value:
SHA-512( 0x00000001 || LTSS || "Pickle MSK" || IDu || FNu ||
IDv || FNv )
McCann & Gilbert Expires June 10, 2011 [Page 16]
�
Internet-Draft Pickle Packet December 2010
Here FNv is the Flow Nonce chosen by Destination and returned in a
REFLECT message. Once this new MSK is computed, a new HMAC key is
also computed and used for subsequent messages referring to the same
flow. The new Cookie value in the header tells the Destination which
HMAC key should be used to validate the fragment signature. Once the
flow is established in this way, the Message Source/Destination Block
may be omitted from future messages.
Note that although the Source may intend to reach a particular
Destination, some middlebox along the path may intercept the message
and interpose itself in the communication. In this case, the
middlebox makes its presence known (e.g., by inserting new Message
Source/Destination, Authentication Results/Request (Section 3.1.5),
and Public Key Signature (Section 3.1.7) blocks) and chooses a Flow
Nonce whose low-order 32 bits are different from any Flow Nonce
chosen by upstream middleboxes. The middlebox then has the option of
returning a REFLECT message immediately (requesting that the Source
re-send the message with the middlebox as the new Destination), or of
passing the message through toward the Destination. In this latter
case, the middlebox would insert its own Source/Destination block as
the first block in the message, moving the existing Source/
Destination block to second place. It would put its own name in the
Source field and either copy the original Destination or substitute
the name of a next-hop pickle-aware middlebox that it knows about.
The middlebox would compute its own HMAC key for use with the
Destination (or next-hop pickle-aware middlebox) and recompute the
Fragment Signature.
Upon receipt of a REFLECT message with the new middlebox's name and
Flow Nonce, the Source recomputes ECDH to construct a new LTSS
between itself and the middlebox. Subsequent signaling messages
pertaining to the flow then use the middlebox's Flow Nonce as a
Cookie and use the corresponding HMAC key to compute the fragment
signature. Note that a middlebox might not care to validate the HMAC
signatures on every DATA and RAWDATA packet. It makes its wishes
known by its inclusion or exclusion of a MAC Request list in its
newly inserted Path Record. Subsequent DATA and RAWDATA messages may
therefore have a Cookie value chosen by a downstream box multiple
pickle-aware hops removed from the Source; intervening middleboxes
would simply pass the packets through because they would not possess
the HMAC secret needed to validate them.
BARE packets may be sent only in the case where no middlebox nor the
ultimate destination has requested that cookies or MACs be added to
the data packets.
McCann & Gilbert Expires June 10, 2011 [Page 17]
�
Internet-Draft Pickle Packet December 2010
3.1.2. Vouch-by-Reference Information Block
The VBR-Info block gives information about a reputation service that
will vouch for the given domain. The body consists of four elements.
First is the cookie value of the entity for which vouching is
offered. A verifier should match the cookie to the low-order 32 bits
of a Flow Nonce in a Message Source/Destination block, and take the
Source name as the vouchee. The NSuffLabels field is an integer
giving the number of suffix labels from that Source to construct a
name for which vouching is offered. Together, the cookie and the
NSuffLabels fields play the role of the "md=" field of RFC5518 [3].
Second is the Sitn ("Situation") field which is a 4-bit numeric code
giving the context of the communication; it plays the role of the
"mc=" field from RFC5518. The correspondence between the numeric
codes and the string values returned from a vouch-by-reference query
are given in Section 4.2. Finally, a sequence of NULL-terminated DNS
names are given indicating vouching services in which the indicated
suffix can be looked up. These play the role of the "mv=" field from
RFC5518. The final NULL-terminated string is followed by zero to
three additional NULL characters to align the next block on a 4-byte
boundary.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = VBR-Info | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cookie of the vouchee |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NSuffLabels | Sitn | Rsvd | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ List of NULL-terminated +
// DNS names of vouching domains //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: VBR-Info Block
Any middlebox through which the request passes can use one or more of
the vouching domains as given in Section 4.2. Similar to an e-mail
reputation system, the Source can be held responsible for the
Situation ("mc=") labeling of his transport connections through
after-action auditing adjudicated by the vouching domain. We define
some additional string values for situations and their corresponding
numeric codes in Section 4.2.
McCann & Gilbert Expires June 10, 2011 [Page 18]
�
Internet-Draft Pickle Packet December 2010
3.1.3. Point-of-Contact Address Block
The Point-of-Contact Address Block is used in REGISTER messages to
indicate the address at which the given node can be reached. It is
also returned in a REFLECT message by the DNS server or middlebox
accepting or rejecting the REGISTER. It may also appear in REFLECT
messages sent in response to an ESTABLISH, in which case it has the
effect of redirecting the initiator to the new point of contact. In
a REGISTER, this block occurs following a Message Source/Destination
Block giving the DNS name to be registered in the Source field and
the DNS server or middlebox name in the Destination field. While the
node is expected to already have a relationship with its nameserver,
it may not have a relationship with some middlebox on the path
between the registrant and nameserver. Therfore this block SHOULD be
followed by a Public Key Signature block enabling any middlebox to
validate the request.
The format of the Point-of-Contact Address Block is given in
Figure 6.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = PoC Address | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|F|G| Rsvd | Status | Address Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Variable-Length Address //
// (format depends on Address Type) //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Point-of-Contact Address Block
The Lifetime field indicates the number of seconds for which the
registration is desired/granted. The 'F' (Force) bit is set to 1 if
and only if the registrant wants to force the registration to succeed
even in the case where the IP Point-of-Contact address is different
from the eventual source of the REGISTER message as it arrives at the
Nameserver (some non-pickle-aware NAT on the path may have mapped the
address). The 'G' (LeGacy) bit is set to 1 if and only if all
connections need to be routed through the given Protocol and Port
Number (some non-pickle-aware NAT on the path may have been
configured with port forwarding but cannot route based on the
destination name in an ESTABLISH message).
McCann & Gilbert Expires June 10, 2011 [Page 19]
�
Internet-Draft Pickle Packet December 2010
The Status field is used in a REFLECT message to give the status of
the REGISTER request. It MUST be set to zero and ignored by the
recipient in a REGISTER message. It can be one of the values given
in Table 4.
+------+----------+-------------------------------------------------+
| Code | Name | Description |
+------+----------+-------------------------------------------------+
| 1 | ACCEPTED | The REGISTER was accepted and the binding |
| | | published. |
| 2 | ADDRDIFF | The REGISTER was not accepted because the |
| | | source of the REGISTER message did not match |
| | | the Point-of-Contact address and the 'F' bit |
| | | was not set to 1. |
| 3 | MIDBOX | The REGISTER was intercepted by a middlebox |
| | | that does address translation, and is offering |
| | | the translated address in the Point-of-Contact |
| | | field. |
| 4 | REDIRECT | The REGISTER or ESTABLISH should be re-sent to |
| | | the address given in the Point-of-Contact |
| | | field. |
+------+----------+-------------------------------------------------+
Table 4: Registration Status Codes
If Status is set to ACCEPTED, then the registration was successful.
The Variable-Length Address field contains contact information of the
Destination with which the binding was registered; the Destination
agrees to manage the binding as indicated in the Binding Distribution
Restriction block included with the message. The contact information
may used by the node in subsequent REGISTER messages for the same
name in order to provide an anchor point through which ESTABLISH
messages will be routed. A non-zero Protocol and Port Number means
that the Recipient is listening for pickle packets only on the given
Protocol and Port. A zero Protocol and Port Number means that the
Recipient can see pickle packets on any port using either UDP or TCP.
If Stat is set to ADDRDIFF, it means that the Address field of the
REGISTER was different from the source address of the REGISTER and
the 'F' bit was clear. For the case of an IP-based REFLECT, the
Variable-length Address field in the REFLECT contains the actual IP
protocol number, source port number, and source address as received
by the replying node. This could mean that a legacy NAT is on the
path, which might preclude the registrant from receiving pickle
packets. The registrant should arrange to have at least one port
forwarded to him via the NAT, in which case he can re-send the
registration with the 'G' bit set. In the case of a link-layer
REFLECT, the Address field contains the actual source MAC address
McCann & Gilbert Expires June 10, 2011 [Page 20]
�
Internet-Draft Pickle Packet December 2010
seen by the replying node.
If Stat is set to MIDBOX, it means that a pickle-aware middlebox that
does address translation saw the REGISTER and is willing to forward
ESTABLISH messages toward the registrant. However, the registrant
needs to send another REGISTER with a new Point-of-Contact address
reflecting the externally visible IP address of the middlebox if it
wants to reach the Destination given in the Message Source/
Destination block. The Protocol, Port Number, and Point-of-Contact
fields contain the external contact information of the middlebox. A
zero Protocol and Port Number means that the middlebox can see pickle
packets on any port using either UDP or TCP.
The Address Type field indicates the format of the Variable-Length
Address field. It can take one of the values given in
+------+---------+--------------------------------------------------+
| Type | Name | Description |
+------+---------+--------------------------------------------------+
| 1 | IPv4 | An IP Protocol number (e.g., 6 for TCP or 17 for |
| | | UDP) followed by a Port number followed by an |
| | | IPv4 address. |
| 2 | IPv6 | An IP Protocol number (e.g., 6 for TCP or 17 for |
| | | UDP) followed by a Port number followed by an |
| | | IPv6 address. |
| 3 | 48-bit | 6 octets containing a 48-bit IEEE MAC address. |
| | IEEE | |
| | MAC | |
| 4 | EUI-64 | A 64-bit Endpoint Unique Identifier. |
+------+---------+--------------------------------------------------+
Table 5: Address Type Values
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved | Port Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: IP Version 4 Address
McCann & Gilbert Expires June 10, 2011 [Page 21]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved | Port Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| IPv6 Address |
+ +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: IP Version 6 Address
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 48-bit IEEE MAC Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | padding (set to zero, ignored)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: IEEE MAC Address
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ 64-bit EUI-64 Identifier +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: EUI-64 Address
3.1.4. Binding Distribution Restriction Block
A node that registers a binding for a name may wish to restrict the
parties to whom the binding is distributed, and may also want to
limit the parties that may contact it with an ESTABLISH through
upstream middleboxes. The Binding Distribution Restriction Block may
be included in a REGISTER message. The format of a Binding
Distribution Restriction Block is shown in Figure 11.
McCann & Gilbert Expires June 10, 2011 [Page 22]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Block Type = Bind Dis Restrict | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more whitelisted DNS suffixes //
// (list terminated with an extra bare NULL) //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more whitelisted vouching DNS Names //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more blacklisted DNS suffixes //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more blacklisted vouching DNS Names //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more 2nd class whitelisted DNS suffixes //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Zero or more 2nd class whitelisted vouching DNS Names //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: Binding Distribution Restriction Block
First is a list of zero or more whitelisted DNS suffixes. Any node
with a DNS name having one of the given suffixes should be given full
access to the binding, i.e., the values of the Protocol, Port Number,
and Point-of-Contact Address should be distributed to them if they
query or send an ESTABLISH message. Next is a list of vouching
services that serve whitelists indirectly, i.e., anyone listed by the
vouching service should have the same privileges as if their DNS
suffix was listed.
Following the first set of whitelists is a set of blacklists. Any
node with a name suffix on the suffix list or with a name listed in
one of the given (anti-)vouching services MUST NOT be given binding
information and their ESTABLISH messages MUST NOT be forwarded.
Following the two blacklists is a set of "2nd-class" whitelists. A
McCann & Gilbert Expires June 10, 2011 [Page 23]
�
Internet-Draft Pickle Packet December 2010
node with a name suffix on the suffix list or with a name listed in
one of the vouching services SHOULD NOT be given the binding
information; however, ESTABLISH messages from them SHOULD be
forwarded by the nameserver to the registered contact information.
3.1.5. Authentication Results/Request
The Authentication Results/Request block is used to indicate that a
node has validated certain signatures in the pickle message, and to
request that other nodes insert an HMAC signature for it on
subsequent DATA or RAWDATA packets. For example, a middlebox would
insert this block when propagating an ESTABLISH or REGISTER message
indicating that it had validated the signature of the original
message source and that the vouching service satisfied the middlebox
of the original source's good reputation. The middlebox could also
request that the source and ultimate destination insert HMAC
signatures for the middlebox to verify before it passes traffic. The
format of the Authentication Results/Request block is shown in
Figure 12.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = Auth Res/Req | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cookie of middlebox inserting this block |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Requested/Authorized PCOUNT | Status | NValid |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// List of NValid cookies of previous middleboxes whose //
// signatures were validated by and whose vouching //
// services satisfied this middlebox. //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Sequence of HMAC Requests, //
// each having format given below. //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: Authentication Results/Request Block
First is the cookie value of the middlebox that is constructing this
block. It is taken from the low-order 32 bits of the Flow Nonce
appearing in the Message Source/Destination block that has the
middlebox as the Source. Next is a Requested/Authorized PCOUNT,
which is the number of packets for which the box is requesting/
McCann & Gilbert Expires June 10, 2011 [Page 24]
�
Internet-Draft Pickle Packet December 2010
authorizing with this particular signaling exchange. For example, a
given middlebox might send a REFLECT indicating that the original
source is allowed to send 1000 packets before it must generate
another ESTABLISH message refreshing the connection. Next is a
Status field that takes on one of the values in Table 6.
+------+------------+-----------------------------------------------+
| Code | Name | Description |
+------+------------+-----------------------------------------------+
| 1 | ACCEPTED | The middlebox has accepted the flow and is |
| | | propagating the ESTABLISH message. |
| | | Subsequent messages should be signed as |
| | | indicated by the HMAC Requests. This value |
| | | is also used by the original source to |
| | | request that the connection be accepted. |
| 2 | HMACNEEDED | The middlebox has not accepted the flow |
| | | because needed HMACs were missing. |
| | | Subsequent messages should be signed as |
| | | indicated by the HMAC Requests. |
| 3 | REFUSED | The middlebox refused the connection. |
| 4 | BADTOPO | The middlebox cannot forward the ESTABLISH |
| | | message because it would require downstream |
| | | nodes to have visibility to topology that |
| | | should be hidden. |
+------+------------+-----------------------------------------------+
Table 6: Authorization Status Values
Following the Status field is a one-byte integer representing the
number of signatures that have been validated by the middlebox. A
sequence of NValid 32-bit numbers appears next; each is a cookie
value taken from the signature (symmetric HMAC or asymmetric public
key signature) that was validated. Following the list of cookies is
a sequence of HMAC Requests, each formatted as given in Figure 13 or
Figure 14.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|S|H| L | Rsvd| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cookie of the entity from which the signature is requested. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13: Format of a Forward HMAC Request
McCann & Gilbert Expires June 10, 2011 [Page 25]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1|S|H| L | Rsvd| MSD Skip Cnt | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cookie of the entity from which the signature is requested. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: Format of a Reverse HMAC Request
A forward HMAC request is a request for one of the preceding
middleboxes (e.g., one of those that has seen and processed the
ESTABLISH message already) to insert an HMAC-based signature on
subsequent DATA and RAWDATA packets. It consists of a flag byte (the
first bit of which must be zero) containing an (S, H, L) triple.
These flags inform the recipient what kind of signature it should
insert; they have the same meaning as the (S, H, L) flags from the
pickle packet header (Figure 3). The rest of the bits in the first
word are reserved and MUST be set to zero by the sender and MUST be
ignored upon receipt. The second word of the forward HMAC request is
the cookie value of the preceding node that should insert the
requested signatures. Recall that each node must select a Flow Nonce
whose low-order 32 bits differ from those of every other Flow Nonce
chosen by upstream nodes.
A reverse HMAC request is a request for one of the following
middleboxes (e.g., one of those that has not yet seen the ESTABLISH
message) to insert an HMAC signature in DATA and RAWDATA packets that
flow back towards the connection initiator. It consists of a flag
byte (the fist bit of which must be one) containing an (S, H, L)
triple. These flags are interpreted the same way as for a forward
HMAC request. However, because the downstream nodes may not have yet
chosen a unique Flow Nonce, and the Challenge values in their public
key records are not guaranteed to be unique, the desired signature
source must sometimes be indicated by name instead of by Cookie. The
MSD Skip Count field gives the number of Message Source/Destination
blocks to skip (counting from the MSD block inserted by the middlebox
indicated in the first field of the Authentication Results/Request
block). After arriving at the proper Message Source/Destination
block, the Destination DNS name is the indicated node from which
signatures are requested. If the node from which a signature is
desired has not yet chosen a unique Flow Nonce, then the Cookie field
is then set to the low-order 32 bits of the Destination's Challenge
value from his public key DNS TXT record (Section 4.1). Otherwise,
the Cookie is set to the low-order 32 bits of the node's chosen Flow
Nonce. If the MSD Skip Count is equal to or greater than the number
of Message Source/Destination blocks including and following the one
inserted by the requesting node, it means that the Cookie field is
McCann & Gilbert Expires June 10, 2011 [Page 26]
�
Internet-Draft Pickle Packet December 2010
the sole determinant of the downstream node.
Any middlebox that forwards an ESTABLISH or REGISTER message MAY hide
the topology behind it by stripping out Authentication Results/
Request blocks and signature blocks from the end of a message along
with the corresponding Message Source/Destination blocks from the
beginning of the message. A middlebox MUST NOT strip out any
Authentication Result/Request blocks that request reverse HMACs from
nodes further downstream of it. If such blocks exist, and the policy
of the middlebox is to hide that topology, then its only choice is to
respond to the ESTABLISH with a REFLECT containing status code
BADTOPO.
REFLECT messages normally contain copies of all the Authentication
Results/Request blocks that were received in the ESTABLISH or
REGISTER message. Nodes MUST NOT strip out any Authentication
Result/Request blocks from REFLECT messages that they are forwarding.
However, the ultimate destination node (or the last pickle-packet
aware node) MAY strip out blocks in accordance with the previous
paragraph before generating its own Authentication Results/Request
for inclusion in the REFLECT.
3.1.6. Application Data Block
The Application Data Block contains up to 64k of application data
intended to be carried from the connection initiator to the ultimate
destination. It can appear only in DATA messages and at most once.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = AppData | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Application Data //
// //
// //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: Application Data Block
3.1.7. Public Key Signature Block
Nodes will typically append a public key signature to a pickle packet
as it is generated or as it passes through a middlebox. The format
of a public key signature block is given in Figure 16.
McCann & Gilbert Expires June 10, 2011 [Page 27]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = Pub Key Sig | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Signer Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Timestamp |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Key Selector of Signer //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ +
| Signature made with private key and algorithm corresponding |
+ to Key Selector and DNS Name +
| (typically an R and S value for ECC) |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 16: Public Key Signature Block
McCann & Gilbert Expires June 10, 2011 [Page 28]
�
Internet-Draft Pickle Packet December 2010
A Public Key Signature block starts with a Signer Cookie, which
indicates the identity of the signer by matching against the low-
order 32-bits of the Flow Nonce in the sequence of Message Source/
Destination blocks at the top of the message. Next is a Timestamp
value indicating the number of seconds since midnight on Jan 1, 1970
UTC. Next is a NULL-terminated string giving the key selector of the
key used to compute the signature; a verifier can lookup the key by
constructing "selector._pickle.hostname", where "hostname" is the
host portion of the Source name in the Message Source/Destination
block. The NULL-terminated key selector is followed by zero to three
additional NULL characters to align the signature field on a 4-byte
boundary. The Signature is constructed by computing a compression
function over all previous blocks starting with the first Message
Source/Destination block inserted by the signer, if any, or the first
block that is not a Message Source/Destination block, otherwise, and
continuing through to the last padding NULL following the key
selector.
3.1.8. Symmetric Key Signature Block
The Symmetric Key Signature Block is constructed in the same manner
as the Fragment Signature in the pickle packet header, except that it
is indexed by both a Signer Cookie and a Receiver Cookie to indicate
which shared secret is used, and does not contain a Msg Type or
Fragment Offset field. The (S, H, L) triple is taken from the HMAC
Request block that caused this signature to be generated.
McCann & Gilbert Expires June 10, 2011 [Page 29]
�
Internet-Draft Pickle Packet December 2010
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = SymmetricSig | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Signer Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Timestamp (if S=0, this is not present) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message ID/Nonce (if S=0, this is not present) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| Symmetric Signature |
+ If S=0, this is not present. +
| If L=00, this is only 4 bytes. |
+ If L=01, this is 12 bytes. +
| If L=10, this is 20 bytes (as shown). |
+ If L=11, this is 32 bytes +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: Symmetric Key Signature Block
The secret key used to compute the PDU Signature is derived in the
same way as it would be for a Fragment Signature between the two
nodes. The Signer Cookie is the low-order 4 bytes from the Flow
Nonce generated by the sender when the flow was established. The
Receiver Cookie is the low-order 4 bytes from the Flow Nonce
generated by the receiver when the flow was established. If H=1, the
signature covers only this block starting with the Block Type field
and ending with the final byte of the Message ID/Nonce. If H=0, the
signature covers all the previous message data starting with the
first Message Source/Destination block inserted by the signer, if
any, and the first block that is not a Message Source/Destination
block otherwise, and continuing through the rest of the message
payload and ending with the Message ID/Nonce field of the Symmetric
Key Signature Block itself.
The Symmetric Key Signature Block is needed to satisfy certain kinds
of MAC Requests where the outer Fragment Signature is being used for
some other purpose (i.e., to satisfy a request for an intervening
middlebox).
McCann & Gilbert Expires June 10, 2011 [Page 30]
�
Internet-Draft Pickle Packet December 2010
3.1.9. Symmetric Key Encryption Parameters Block
The Symmetric Key Encryption Parameters Block indicates that the
payload of the very next block is encrypted under a private key using
AES-256-CTR mode. Only the payload of the next block is encrypted,
not the Block Type and Length fields.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = Encr Params | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| CTR-mode Nonce / Initialization Vector |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: Symmetric Key Encryption Parameters Block
The two parties to the encryption are given by the Sender Cookie and
Receiver Cookie; these are the low-order 4 bytes of the Flow Nonces
chosen by the encryptor and decryptor, respectively. The CTR-mode
Nonce / Initialization Vector is 96-bits and is used to salt the AES-
256 cipher for CTR mode. This Nonce is concatenated with a 32-bit
counter and repeatedly enciphered by AES-256 to form the stream of
pseudo-random bits that is then XORed with the plaintext to produce
the ciphertext. The secret key used in the AES cipher will be
derived from the MSK between the two parties, by computing one of the
following functions:
SHA-256( 0x00000001 || MSK || 0x0009 || "Downstream Pickle
Encryption Key" )
SHA-256( 0x00000001 || MSK || 0x0009 || "Upstream Pickle
Encryption Key" )
The first form is used for messages that flow "downstream"; i.e., the
direction from the connection initiator (sender of the ESTABLISH or
REGISTER message) toward the responder. The second form is used for
messages that flow "upstream".
Note that an encrypted block using keys derived from a shared secret
McCann & Gilbert Expires June 10, 2011 [Page 31]
�
Internet-Draft Pickle Packet December 2010
generated with a pair of static keypairs does NOT provide perfect
forward secrecy because no ephemeral key exchange takes place.
3.1.10. Pickle Fragment Block
The Pickle Fragment Block encapsulates a fragment of a pickle
message. It can be used to encapsulate one pickle message inside
another.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type = Pickle Frag | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| A Pickle fragment, including a Pickle header starting |
+ with the Pickle magic number +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Pickle Fragment Block
4. Domain Name System Binding
It is expected that endpoints and pickle packet middleboxes will
obtain the public keys of peer entities through queries to the DNS.
The pickle packet fields described above as containing a key selector
and name will be of the form
selector._pickle.name.example.com
where "selector" is an arbitrary string of legal DNS labels chosen by
the host "name.example.com" to point to a given public key. A node
that wishes to receive incoming connections MUST publish a public key
in a DNS TXT record with an empty selector, e.g.,
"_pickle.name.example.com". This record indicates the most preferred
public key at which the host can be reached, and contains a Challenge
value to be used when computing the shared secret for HMAC
computations.
4.1. Representation of Public Keys in DNS
A public key TXT record is formatted as a sequence of attribute/value
pairs separated by semicolons (";"). The list of possible attributes
is as follows:
McCann & Gilbert Expires June 10, 2011 [Page 32]
�
Internet-Draft Pickle Packet December 2010
c= Challenge value. A base-64 encoded 64-bit number. This
attribute is MANDATORY in keys of type keyAgreement that will
be used for receiving incoming connections.
k= Key type. This is a string value (NOT an OID) taken from
Section 2.1.1.1 of RFC 5480 [4]. Can be one of the following:
secp256r1
u= Intended key usage. A public key may be used either for key
agreement or digital signatures, but not both. The usage of a
key is indicated with the "u=" attribute. Can be one of the
following:
keyAgreement The key will be used in a Diffie-Hellman
computation for generating shared secret
material.
digitalSignature The key will be used to compute the public
key signatures using the ECDSA algorithm as
specified for the public key signature block
type (see Section 3.1.7).
h= Hash algorithm. When u=keyAgreement, this indicates the type
of signature that must be used in the Fragment Signature field
of incoming packets.
sha1/4 HMAC-SHA-1 truncated to 4 octets (equivalent to
L=00).
sha1/12 HMAC-SHA-1 truncated to 12 octets (equivalent
to L=01).
sha1/20 A full HMAC-SHA-1 (equivalent to L=10).
sha256/32 A full HMAC-SHA-256 (equivalent to L=11).
When u=digitalSignature it indicates the compression function
to be applied to the preceding data before computing the
signature. In this case it be one of the following:
sha256/32 This value MUST be used when k=secp256r1.
p= Public Key value. A base-64 encoded representation of the
bytestring formed by concatenating the value of X with one byte
indicating whether Y is irrelevant, positive, negative, or
explicit followed by the value of Y in case it is given
explicitly. The one byte can take on the following values:
McCann & Gilbert Expires June 10, 2011 [Page 33]
�
Internet-Draft Pickle Packet December 2010
0 Y is not given explicitly, and the value of Y is
irrelevant.
1 Y is not given explicitly but is positive and can be
calculated from X.
2 Y is not given explicitly but is negative and can be
calculated from X.
3 Y follows explicitly.
np= Next preferred public key selector. This is a string of DNS
labels separated by periods (".") that indicates a selector
that may be tried next in case the current TXT record is
unsatisfactory. This attribute is OPTIONAL.
The entity retreiving public keys from DNS MUST have assurance that
the records were created by the owner of the given hostname. The use
of a protection mechanism such as DNSSEC [5] is STRONGLY RECOMMENDED.
4.2. Vouch-by-Reference Records
The list of vouching domains present in a Vouch-by-Reference
Information block (Section 3.1.2) can be used by middleboxes to check
the reputation of a Message Source. To do so, a middlebox would
lookup a TXT record at a name constructed by concatenating the last
NSuffLabels labels of the Source DNS Name (this would normally not
include the key selector or the string "_pickle") with the label
"_vouch" followed by the domain of the vouching service. This is as
described in Vouch-by-Reference [3], although we extend the set of
strings that can be placed in the resulting TXT record to correspond
with the Situation levels available in the Situation field of the
Vouch-by-Refernce Information block. When a vouching service returns
a given Situation level, it means that it attests that the Initiator
will responsibly use that Situation level or higher. The allowed
strings are given below in Table 7.
McCann & Gilbert Expires June 10, 2011 [Page 34]
�
Internet-Draft Pickle Packet December 2010
+------+-----------------+---------------------------------------+
| Code | TXT String | Description |
+------+-----------------+---------------------------------------+
| 0 | "all" | Unspecified situation. |
| 1 | "list" | See Section 6.2 of RFC5518 [3]. |
| 3 | "entertainment" | Personal entertainment. |
| 5 | "educational" | Research or training. |
| 7 | "transaction" | See Section 6.3 of RFC5518 [3]. |
| 10 | "safety" | A situation affecting public safety. |
| 13 | "emergency" | A serious life-threatening emergency. |
+------+-----------------+---------------------------------------+
Table 7: Vouching Strings
5. Acknowledgements
6. IANA Considerations
This memo includes no request to IANA.
7. Security Considerations
8. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Barker, E., Johnson, D., and M. Smid, "Recommendation for Pair-
Wise Key Establishment Schemes Using Discrete Logarithm
Cryptography (Revised)", NIST Special Publication 800-56A,
March 2007, <http://csrc.nist.gov/publications/nistpubs/800-56A/
SP800-56A_Revision1_Mar08-2007.pdf>.
[3] Hoffman, P., Levine, J., and A. Hathcock, "Vouch By Reference",
RFC 5518, April 2009.
[4] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
"Elliptic Curve Cryptography Subject Public Key Information",
RFC 5480, March 2009.
[5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
March 2005.
McCann & Gilbert Expires June 10, 2011 [Page 35]
�
Internet-Draft Pickle Packet December 2010
Authors' Addresses
Peter J. McCann
1074 N Stone Ct
Naperville, Illinois 60563
USA
Phone: +1 630 369 9693
Email: mccap@petoni.org
Steve Gilbert
Motorola, Inc.
1301 E. Algonquin Rd.
Schaumburg, Illinois 60196
USA
Phone: +1 847 576 0247
Email: steve.gilbert@motorola.com
McCann & Gilbert Expires June 10, 2011 [Page 36]
�