Internet DRAFT - draft-jiang-6man-cga-sec-option

draft-jiang-6man-cga-sec-option







Internet Engineering Task Force                                 S. Jiang
Internet-Draft                              Huawei Technologies Co., Ltd
Intended status: Standards Track                                D. Zhang
Expires: July 18, 2015                                  Alibaba Co., Ltd
                                                             S. Krishnan
                                                                Ericsson
                                                        January 14, 2015


         CGA SEC Option for Secure Neighbor Discovery Protocol
                   draft-jiang-6man-cga-sec-option-01

Abstract

   A Cryptographically Generated Address is an IPv6 addresses binding
   with a public/private key pair.  It is a vital component of Secure
   Neighbor Discovery (SeND) protocol.  The current SeND specifications
   are lack of procedures to specify the Sec bits.  A new SEC option is
   defined accordingly to address this issue.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 18, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Jiang, et al.             Expires July 18, 2015                 [Page 1]

Internet-Draft                SEC RA OPTION                 January 2015


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   2
   3.  CGA SEC Option  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Host Behavior . . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   Cryptographically Generated Addresses (CGA, [RFC3972]) are used to
   make sure that the sender of a Neighbor Discovery message is the
   "owner" of the claimed address.  Although it is not mandatory, it is
   a vital component of Secure Neighbor Discovery (SeND, [RFC3971])
   protocol.  After CGA has been defined, as an independent security
   property, many other CGA usages have been proposed and defined, such
   as Enhanced Route Optimization for Mobile IPv6 [RFC4866], Site
   Multihoming by IPv6 Intermediation (SHIM6) [RFC5533], etc.

   SEC bits are an important parameter in the generation of CGAs.
   Particularly, SEC values are used to artificially introduce
   additional difficulty in the CGA generation process in order to
   provide additional protection against brute force attacks.
   Therefore, in different environments, host may be required to use
   different SEC bits in the generation of their CGAs.  However, the
   base SeND protocol fails to distribute the SEC values to the hosts.
   As a result, the network administration cannot propagate any
   requirements regarding to SEC value of host-generated CGA addresses.
   In order to fill this gap, a new CGA SEC Option, is defined in this
   document.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].





Jiang, et al.             Expires July 18, 2015                 [Page 2]

Internet-Draft                SEC RA OPTION                 January 2015


3.  CGA SEC Option

   CGA SEC Option is used to indicate on link hosts the lowest CGA SEC
   value they SHOULD use.  It SHOULD be contained in and only in the
   Router Advertisement Message [RFC4861].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     OPTION_CGA_SEC_OPTION     |       option-len              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SEC bits   |
   +-+-+-+-+-+-+-+-+

   option-code  OPTION_CGA_SEC_OPTION (TBA1)

   option-len  1.

   SEC bits  The value of SEC bits is specified in [RFC3972].

4.  Host Behavior

   On receiving the CGA SEC Option with a recommended SEC value, a host
   SHOULD use a CGA with the recommended or higher SEC value.  If
   choosing a CGA with a SEC value lower than the recommended, the host
   MAY take the risk that it is not able to use full network
   capabilities.  The network may consider the hosts that use CGAs with
   lower SEC values as unsecure users and decline some or all network
   services.

5.  Security Considerations

   This document extends SeND with a CGA SEC Option to transprot SEC
   bits used in the generation of GCAs, which enables administrators to
   specify and adjust the security level of the CGAs used in the
   network.  Apart from that, this approach does not introduce any
   significant changes to the underlying security issues considered in
   Section 9 of [RFC3971].

6.  IANA Considerations

   This document defines a new Neighbor Discovery Protocol options,
   which must be assigned an Option Type value within the IPv6 Neighbor
   Discovery Option Formats table of Internet Control Message Protocol
   version 6 (ICMPv6) Parameters (http://www.iana.org/assignments/
   icmpv6-parameters):





Jiang, et al.             Expires July 18, 2015                 [Page 3]

Internet-Draft                SEC RA OPTION                 January 2015


       Type  |    Description   |   Reference
    ---------+------------------+---------------
       TBA1  |  CGA SEC option  | This document

7.  Acknowledgements

   The authors would like to thanks the valuable comments made by
   members of 6man WG.

   This document was produced using the xml2rfc tool [RFC2629].

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
              Neighbor Discovery (SEND)", RFC 3971, March 2005.

   [RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)",
              RFC 3972, March 2005.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

8.2.  Informative References

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC4866]  Arkko, J., Vogt, C., and W. Haddad, "Enhanced Route
              Optimization for Mobile IPv6", RFC 4866, May 2007.

   [RFC5533]  Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
              Shim Protocol for IPv6", RFC 5533, June 2009.

Authors' Addresses

   Sheng Jiang
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: jiangsheng@huawei.com



Jiang, et al.             Expires July 18, 2015                 [Page 4]

Internet-Draft                SEC RA OPTION                 January 2015


   Dacheng Zhang
   Alibaba Co., Ltd
   9th Floor, A Area, Wentelai World Finance Centre, 1 West Dawang Road
   Chaoyang District, Beijing, 100095  100025
   P.R. China

   Email: dacheng.zdc@alibaba-inc.com


   Suresh Krishnan
   Ericsson
   8400 Decarie Blvd.
   Town of Mount Royal, QC
   Canada

   Phone: +1 514 345 7900 x42871
   Email: suresh.krishnan@ericsson.com


































Jiang, et al.             Expires July 18, 2015                 [Page 5]