Network Working Group N. Venkitaraman Internet-Draft Motorola Expires: August 14, 2006 V. Narayanan Qualcomm February 10, 2006 Pre-Shared Key (PSK) Based Addresses (PBA) draft-narayanan-psk-addr-gen-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 14, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Cryptographically generated addresses (CGAs) provide a means of generating an IP address that is tied to a public key of a node. Using this means, the address ownership of the node can be verified by using the public key of the node to decrypt data signed by the node using its private key. In AAA-based systems, there is currently no means of performing such absolute address ownership checks, since address authorization is traditionally outside the scope of AAA. Venkitaraman & Narayanan Expires August 14, 2006 [Page 1] Internet-Draft PSK-Based Addr Gen February 2006 However, in some key generation protocols, it may be critical to perform address ownership verification or authorization before the generated key can be used. When such key generation protocols are AAA-based, there is no known method of address authorization to allow this operation. This draft provides a means of IPv6 address generation using a shared secret so that the IP address of a node can be verified by the entity with which the node shares the secret. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. PBA Generation . . . . . . . . . . . . . . . . . . . . . . . . 4 4. PBA Verification . . . . . . . . . . . . . . . . . . . . . . . 4 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.1. Normative References . . . . . . . . . . . . . . . . . . . 5 8.2. Informative References . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Intellectual Property and Copyright Statements . . . . . . . . . . 7 Venkitaraman & Narayanan Expires August 14, 2006 [Page 2] Internet-Draft PSK-Based Addr Gen February 2006 1. Introduction Cryptographically generated addresses (CGAs) provide a means of generating an IP address that is tied to a public key of a node. Using this means, the address ownership of the node can be verified by using the public key of the node to decrypt data signed by the node using its private key. In AAA-based systems, there is currently no means of performing such absolute address ownership checks, since address authorization is traditionally outside the scope of AAA. However, in some key generation protocols, it may be critical to perform address ownership verification or authorization before the generated key can be used. When such key generation protocols are AAA-based, there is no known method of address authorization to allow this operation. For instance, AAA-based authentication and authorization are often used in cellular and WiMax systems. Nodes running Mobile IP may use a secret shared with the AAA server as a means for authentication and derivation of shared keys with the home agent. In the case of Fast Mobile IP (FMIP), handover keys may be derived using AAA between the MN and AR. This draft provides a means of IPv6 address generation using a shared secret so that the IP address of a node can be verified by the entity with which the node shares the secret. For instance, an MN may use an MN-AAA key to derive an IPv6 address suffix that can be verified by the AAA server for address authorization. Any AAA-assisted key derivation protocols may use the method specified in this draft to verify the address and bind the derived keys to the IP address of the MN. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC- 2119 [1]. In addition, this document uses the following terms: Pre-Shared Key (PSK) Based Address (PBA) An IPv6 address generated cryptographically using a pre-shared key. Venkitaraman & Narayanan Expires August 14, 2006 [Page 3] Internet-Draft PSK-Based Addr Gen February 2006 Address Generation Key (AGK) A key generated from the PSK specifically to use in the creation of PBAs. 3. PBA Generation This section describes a method of using a Pre-Shared Key (PSK) to derive the IPv6 address of a node. The input parameters for PBA Generation include an Address Generation Key (AGK) generated using the PSK, a link ID of the node (e.g., MAC address), a nonce, the ID of the router advertising the prefix and the advertised network prefix itself. The AGK is derived from the PSK as follows. AGK = PRF (PSK, Node ID | Key Generation Nonce | "Address Generation Key"), where | denotes concatenation. In AAA-based scenarios, the PSK is the key that the node shares with the AAA server (e.g., MN-AAA secret). The Node ID in this case is the NAI of the node. The Key Generation Nonce is a random value generated by the node. It is recommended that the nonce be a cryptographically generated value for added privacy. The IPv6 suffix of the address of the node is derived as follows. Address Suffix = PRF (AGK, Router ID | Collision Count), where | denotes concatenation. The Router ID is the IP address of the router advertising the IPv6 prefix. The collision count by default is 0 and is incremented by 1 every time there is a collision on the generated address. The Pseudo Random Function (PRF) used is HMAC-SHA1. The generated suffix is then concatenated with the advertised prefix to form a complete IPv6 address for the node. 4. PBA Verification The PBA may be sent to an entity that shares the PSK with the node for address ownership verification. Such a message must contain a hash of the address generated using the PSK. For instance, a node may use the AAA key to sign the message to the AAA server. The other parameters such as the nonce, router ID and collision count must also be sent to the AAA server. The collision count should be considered to be 0 if it is not specifically sent to the AAA server or other verifying entity. Venkitaraman & Narayanan Expires August 14, 2006 [Page 4] Internet-Draft PSK-Based Addr Gen February 2006 After successful verification of the signature, the AAA server must generate the AGK corresponding to the node based on the PSK as in the previous section. The AGK can then be used along with the other parameters in generating the address suffix in exactly the same manner as done by the node. It is generally sufficient to verify that the node is claiming the right suffix. 5. Security Considerations This document describes a means of address authorization using pre- shared keys. It is not known to introduce any security vulnerabilities. In general, the PSK and nonce used must be strong to avoid any observer being able to generate the same address or being able to tie multiple PBAs of a node together to derive the key. 6. IANA Considerations No IANA services are required in this document. 7. Acknowledgments 8. References 8.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 8.2. Informative References [2] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005. Venkitaraman & Narayanan Expires August 14, 2006 [Page 5] Internet-Draft PSK-Based Addr Gen February 2006 Authors' Addresses Narayanan Venkitaraman Motorola 1301 E. Algonquin Road Schaumburg, IL 60196 US Email: narayanan.venkitaraman@motorola.com Vidya Narayanan Qualcomm 5775 Morehouse Dr San Diego, CA 92121 US Email: vidyan@qualcomm.com Venkitaraman & Narayanan Expires August 14, 2006 [Page 6] Internet-Draft PSK-Based Addr Gen February 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Venkitaraman & Narayanan Expires August 14, 2006 [Page 7]