Internet Draft

   Network Working Group                             Tissa Senevirathne 
   Internet Draft                                       Nortel Networks 
   Document: draft-tsenevir-smpls-00.txt                   January 2001 
   Category: Informational                                              
 
                                      
      Secure MPLS - Encryption and Authentication of MPLS payloads 
 
 
Status of this Memo 
 
   This document is an Internet-Draft and is in full conformance 
   with all provisions of Section 10 of RFC2026. 
    
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups.  Note that      
   other groups may also distribute working documents as Internet-
   Drafts. 
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 
   at any time.  It is inappropriate to use Internet-Drafts as 
   reference material or to cite them other than as "work in progress." 
    
   The list of current Internet-Drafts can be accessed at 
        http://www.ietf.org/ietf/1id-abstracts.txt 
   The list of Internet-Draft Shadow Directories can be accessed at 
        http://www.ietf.org/shadow.html. 
    
    
Abstract 
    
   This document present use of ISAKMP to establish required security 
   association for secure MPLS. Two methods are presented to transport 
   ISAKMP messages between edge LSR. New RSVP object is defined to 
   exchange security association messages as part of the LSP setup 
   messages. Also discussed are the extensions to IKE to establish 
   required security association for Secure MPLS using a separate IP 
   channel between edge LSR.  It is thought that use of separate IP 
   channel facilitates scaling, especially in the environment where 
   multiple LSP terminate between same two edge LSRs. In addition, use 
   of dedicated IP channel does not require a definition of new DOI for 
   Secure MPLS, rather few new definitions to IPSec DOI. Required 
   encapsulation formats are presented for encryption and 
   authentication of MPLS payloads. 
    
    
    
    
    
    
    
    
    
    
    Senevirathne         Expiration June 2001                        1 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   Conventions used in this document 
    
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
   this document are to be interpreted as described in RFC-2119 [1]. 
 
    
   Table of Contents 
1.0 Introduction:....................................................2 
2.0 Use of IKE for Secure MPLS.......................................4 
2.1 Security Protocol Identifier.....................................4 
2.2 Identification Types.............................................5 
2.2.1 Identification Payload.........................................6 
3.0 Use of RSVP-TE to transport ISAKMP messages......................7 
3.0.1 RSVP Transport Message.........................................7 
3.1 Secure_MPLS_Message Object.......................................7 
4.0 Placement of Secure MPLS, ISAKMP and RSVP-TE....................10 
4.1 ISAKMP messages and Secure MPLS DOI.............................10 
5.0 Secure MPLS payload encapsulation...............................11 
5.1 Possible SMPLS encapsulation formats............................11 
5.2 SMPLS Encapsulation header types................................12 
5.2.1 SMPLS Authentication Header SMPLS-AH..........................12 
5.2.2 Security Association Lookup...................................13 
5.2.3 Integrity Check Value Calculation.............................14 
5.2.4 Inbound Packet Processing.....................................14 
5.3 SMPLS Encrypting Security Payload (SMPLS-ESP)...................15 
5.3.1 Outbound Packet Processing....................................16 
5.3.2 Security Association Lookup...................................17 
5.3.3 MPLS Payload Encryption.......................................17 
5.3.4 Inbound Packet Processing.....................................17 
6.0 Other Issues....................................................18 
6.1 Path MTU discovery..............................................18 
6.2 LSP Setup Requirements..........................................18 
6.3 Intermediate LSR................................................19 
6.4 Label merging...................................................19 
6.5 Penultimate Hop popping.........................................19 
7.0 Security Considerations.........................................19 
8.0 Acknowledgment..................................................19 
9.0 References......................................................19 
10.0 Author's Addresses.............................................20 
Full Copyright Statement............................................20 
 

1.0 Introduction: 
    
   MPLS is gaining popularity as a protocol that provide traffic 
   engineering and other service capabilities beyond the strength of 
   traditional routing. There are several deployments that use MPLS for 
   wide area application or VPN services. However, at present, there 
   are no established method to provide MPLS payload encryption and 
   authentication. In addition, MPLS is gaining popularity in transport 
   of non-IP traffic (Layer 2) over long haul Wide Area Network. Hence, 
   definition of protocol agnostic (as opposed to IPSec) security 

     
   Senevirathne          Expiration June 2001                        2 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   architecture for MPLS is becoming more and more important. This 
   paper presents possible methods to establish security association 
   for MPLS payload encryption and authentication.  
 
   Encryption and authentication of IP packets are performed using 
   suite of well-established protocols. This protocol suite is 
   collectively known as IPSec. Internet Security Association and Key 
   Management Protocol (ISAKMP)[2] defines the messaging protocol that 
   is used to establish required security association for key 
   distribution. ISAKMP is a very generic messaging protocol that can 
   be used for variety of protocols. Internet Key Exchange (IKE) [3] 
   defines specific details of adaptation of ISAKMP for IPSec DOI[4]. 
   In IPSec, IKE use a separate IP Control channel between end points 
   to negotiate and establish security associations. 
 
   Constrained routed Label Switched paths are used in MPLS to setup 
   traffic engineered tunnels. RSVP-TE [5] or CR-LDP[6] is used for 
   setting up such constrained LSP. The fact that there is a security 
   association with the LSP can be considered as a constrain on the 
   LSP. The ISAKMP is a generic protocol that could be exchanged using 
   any transport protocol. Hence, ability to perform ISAKMP over RSVP-
   TE or CR-LDP negates the need of a separate IP control channel. In 
   this paper we present the methods to exchange ISAKMP messages using 
   RSVP-TE extensions. CR-LDP can be easily extended for the purpose. 
   Use of CR-LDP for the purpose will be presented in a separate paper.  
 
   Security Associations (SA) constructed using ISAKMP is uni-
   directional in nature. MPLS LSP are uni-directional in nature. 
   Hence, ISAKMP and Secure MPLS complements with each other without 
   any changes to existing concepts. 
    
    
   In practice, there are multiple LSP between two edge LSR. Suppose 
   these LSP require secure MPLS services. If Secure MPLS services are 
   implemented using RSVP-TE extensions, there need to be a separate 
   Phase 1 Security Association for each LSP. On the other hand if 
   there is a separate control channel to negotiate and establish 
   security association, that channel may be used for key distribution 
   and management of multiple secure LSP. This can be achieved with few 
   additions to the existing IKE definition and will be able to reuse 
   the same ISAKMP code base used for IPSec. In this document we 
   present extension to IPSec DOI to establish secure MPLS services. 
    
   Secure MPLS need to address all the well-known security 
   considerations such as replay attacks, connection hijacking etc. 
   IPSec encapsulation is designed to address these issues. However, 
   some of the IPSec encapsulation methods become trivial in MPLS. As 
   an example, tunnel mode in IPSec is essentially MPLS LSP. In this 
   document we present Secure MPLS encapsulation format. Secure MPLS 
   encapsulation format is similar to IPSec, but only address specific 
   needs of MPLS. 
    
   This document is broadly classified in to two parts. Part one 
   presents use of ISAKMP for Security Association establishment for 
     
   Senevirathne          Expiration June 2001                        3 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   secure MPLS. Use of RSVP-TE or dedicated IP control channel for 
   ISAKMP message transport is also discussed. Also additions required 
   to the IPSec DOI to implement Secure MPLS are presented in this 
   document.  
    
   The part two of this document presents the Secure MPLS payload 
   encapsulation formats. Also it defines various Secure MPLS 
   operational modes. 
    
   In future, it may require dividing this document to multiple 
   documents to cover the full scope of the Secure MPLS. Such work may 
   at least include following documents 
    
        o Secure MPLS Architecture 
    
        o Secure MPLS Domain of Interpretation (DOI) 
    
        o Secure MPLS message transport 
          (Use of RSVP-TE or separate control channel) 
    
        o Secure MPLS payload encryption 
 
2.0 Use of IKE for Secure MPLS 
    
   IKE [3] is designed to negotiate security parameters for multiple 
   applications over a single Phase I security association. In 
   practice, between two LSR there may be multiple LSP. As suggested 
   earlier, when using RSVP-TE to transport IKE messages, there is no 
   common session between all LSP. Each RSVP session is unique for that 
   LSP and bound to the life of the LSP. Thus inhibiting the ability to 
   use a single Phase I session for multiple LSP. As a result it is 
   possible that edge LSR are required to maintain large amount of 
   individual Security associations that could have been avoided if a 
   separate control channel was used for the purpose. 
    
   Hence use of IKE as a proxy to establish Security Associations for 
   MPLS appears a logical approach. This approach also allows reusing 
   the existing ISAKMP/IKE code base and allows to implement Secure 
   MPLS with few new definitions to IPSec DOI. However, a separate IP 
   control channel is required between edge LSR to carry IKE messages. 
    
   Within the IPSec DOI we propose to define the following additions. 
   The values presented here are suggestions only, exact values require 
   approval from IANA. Such approval will be sort. 
    
2.1 Security Protocol Identifier 
    
   Section 4.4.1 of IPSec DOI [4] defines various IPSec related 
   Protocol Identifier. We suggest including three more definitions. 
   The suggested definition are presented below: 
    
   Protocol ID                          Value 
    
   PROTO_SMPLS_AH                       5 
     
   Senevirathne          Expiration June 2001                        4 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   PROTO_SMPLS_ESP                      6 
   PROTO_SMPLS_COMP                     7 
    
   PROTO_SMPLS_AH 
    
   The PROTO_SMPLS_AH type specifies the MPLS payload authentication. 
   The default SMPLS-AH transform provides data origin authentication, 
   integrity, protection and replay detection. For export 
   consideration, SMPLS-AH transform must not provide any payload 
   confidentiality. 
    
   PROTO_SMPLS_ESP 
    
   The PROTO_SMPLS_ESP type specifies the MPLS payload confidentiality 
   (encryption). Authentication if required must be provided as part of 
   the ESP. The default SMPLS-ESP transform provides data origin 
   authentication, integrity, protection and replay detection.  
    
   PROTO_SMPLS_COMP 
    
   The PROTO_SMPLS_COMP type specifies MPLS payload compression. The 
   exact algorithms for MPLS payload encryption are under study. Use of 
   payload compression may have at least two direct benefits. Firstly, 
   it eliminates redundancies in the payload data and reduces 
   repetitive patterns in the payload. Secondly it conserve bandwidth 
   on the network by reducing the payload size. The time spent in 
   compressing the payload and time gained in encrypting the reduced 
   payload may increase the total throughput. 
    
2.2 Identification Types 
    
   Identification payload in the ISAKMP message helps responder to 
   identify the appropriate LSP and apply correct security policies. In 
   IPSec this is defined as end station address and a port number. In 
   MPLS there may be large number of LSP between two edge LSR. The LSP 
   may not necessarily carry IP payloads. In order to distinguish 
   between different LSP between two given LSR, a unique Tunnel ID is 
   assigned to the LSP [5]. Also [5] suggest to use the extended Tunnel 
   ID to further narrow the scope of the LSP. It is suggested in [5] 
   that the extended Tunnel ID is set to the ingress node IP address. 
   Here we propose to use {Ingress Node Addrss::Tunnel ID} as the node 
   identifier. This may also be considered as {Extended Tunnel 
   ID::Tunnel ID}. If Extended Tunnel ID is used as part of the ISAKMP 
   identification, it is important that RSVP-TE [5] implementation 
   always use unique values for Extended Tunnel ID. 
    
   ID Type                      value 
    
   ID_SMPLS_IPV4                12 
   ID_SMPLS_IPV6                13 
    
   The values presented above are only suggestions. Exact values need 
   approval from IANA. Section 4.6.2.1 of IPsec DOI [4] explains the 
   definition of other ID Types. 
     
   Senevirathne          Expiration June 2001                        5 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
    
2.2.1 Identification Payload 
    
   Here we present the format of the identification data payload that 
   will be carried in ISAKMP identification messages for IPSec DOI. 
    
    0                   1                   2                   3    
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Next Payload  |  Reserved     |   Payload Length              | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | ID Type       | Reserved=0    |      Tunnel ID                | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   ~             Extended Tunnel ID                                ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
    
   Next Payload   
    
   Type of the next payload after this. Value of zero (0) indicates 
   that this is the last payload. 
    
   Reserved 
    
   All reserved fields are set to zero on transmission and ignored on 
   receipt. 
    
   Payload Length 
    
   Length of the payload in octets, including the generic header. 
    
   ID Type 
    
   Value describing the Identification data. For Secure MPLS, this is 
   either ID_SMPLS_IPV4 or ID_SMPLS_IPV6. 
    
   Tunnel ID 
    
   A unique number assigned for this LSP by the ingress node. 
    
   Extended Tunnel ID 
    
   The extended Tunnel ID or the Ingress node ID. The length of this 
   field depend on the ID type is ID_SMPLS_IPV4 or ID_SMPLS_IPv6. 
    
   NOTE: 
    
   Here ID_SMPLS_IPV4 or ID_SMPLS_IPV6 only represent the end point 
   addressing. 
    
   Other DOI definitions 
    
   All other definitions are the same as IPSec DOI [4] definitions. 
     
   Senevirathne          Expiration June 2001                        6 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
    
3.0 Use of RSVP-TE to transport ISAKMP messages 
    
   Constrained driven LSP are setup using either CR-LDP or RSVP-TE. 
   Most often there is a separate CR-LDP or RSVP-TE session per LSP. 
   These LSP signaling sessions can be used to transport other 
   messages. In this section we present use of RSVP-TE to exchange 
   required ISAKMP messages between edge LSR. The reuse of the RSVP-TE 
   channel to exchange ISAKMP messages negate the need of a separate IP 
   control channel for the purpose. Thus creating a cleaner design with 
   single control channel. However, RSVP-TE sessions are closely tied 
   to the LSP. The Phase 1 security associations established for one 
   LSP may not be reused for another LSP. As a result, end LSR may 
   require maintaining multiple Phase 1 security associations. 
    
   We propose to define a new RSVP-TE object to carry ISAKMP messages. 
   The new object is called Secure_MPLS_message Object. ISAKMP messages 
   are exchanged end-to-end. RSVP messages are exchanged hop by hop. 
   Hence all transit nodes MUST pass the Secure_MPLS_message Object 
   unmodified to the downstream node. 
    
   Object Name          Applicable RSVP messages 
   -----------          ------------------------ 
   Secure_MPLS_Message   Transport (see below) 
    
3.0.1 RSVP Transport Message 
    
   ISAKMP messages are sent from end-to-end. Intermediate nodes MUST 
   forward the message downstream without modifications. In this 
   regard, RSVP is functioning as a transport protocol for ISAKMP. More 
   established RSVP messages such as Path Message require hop-by-hop 
   processing and are sent with the route alert option in the IP 
   header. This in turn triggers hop by hop processing. As mentioned 
   earlier, when transporting RSVP messages, only the end nodes are 
   required to process the message. On the other hand RSVP transport 
   messages should not be subjected to the RSVP state machine. Hence, 
   we propose to define a new RSVP message type to provide end-to-end 
   message transport ability for RSVP. The payload of the RSVP 
   Transport message can be any of the RSVP objects such as 
   Secure_MPLS_Message Object. Processing of Transport message payloads 
   are considered a local policy. Hence, applications that require 
   transport service from the RSVP MUST register the application with 
   the RSVP module. 
    
   RSVP Message Type                 Value 
   -----------------                 ------- 
    
   Transport                            8 
    
   Message type 1 to 7 are defined in [7]. RSVP Transport message MUST 
   NOT be encoded with route alert option. 
     
3.1 Secure_MPLS_Message Object 
    
     
   Senevirathne          Expiration June 2001                        7 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   The Secure MPLS Message object is assigned with Class value of 25 
   (TBD). Presently, there are two C_Type. C_Type 1 indicates that this 
   is an ISAKMP message with Extended tunnel ID in IP V4 format.  
   C_Type 2 indicates that, this is an ISAKMP message with extended 
   tunnel ID in IP V6 format.  All other C_Type values are unused. 
    
   Class=25, C_Type=1 
    
    0                   1                   2                   3    
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |              Receiver Node Address                            | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |              Sender Node Address                              | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |               Extended Tunnel ID                              | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Tunnel ID                     |  Reserved                     | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Message Type  | Length        |  Reserved                     | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |            ISAKMP message (variable length..)                 | 
   ~                                                               ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
    
   Receiver Node Address 
    
      Receiver IP V4 Address 
    
    
   Sender Node Address 
    
      Sender IP V4 Address 
    
    
   Extended Tunnel ID 
    
      Extended Tunnel ID in IP V4 format 
    
    
   Tunnel ID 
    
     Unique number assigned to this LSP. See [5] for details. 
    
   Message Type 
    
     Indicates the type of the payload. Message type 1 is assigned to 
   indicate that payload is ISAKMP. All other values are presently 
   reserved. 
    
   Length 
    
     
   Senevirathne          Expiration June 2001                        8 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
      Length of the ISAKMP message in octets. Value zero (0) indicates 
   that there is no message in the payload. 
    
   Class=25, C_Type=2 
    
    0                   1                   2                   3    
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |              Receiver Node Address                            | 
   ~                 (16 bytes)                                    ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |              Sender Node Address                              | 
   ~                  (16 bytes)                                   ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |               Extended Tunnel ID                              | 
   ~                  (16 bytes)                                   ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Tunnel ID                     |  Reserved                     | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Message Type  | Length        |  Reserved                     | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |            ISAKMP message (variable length..)                 | 
   ~                                                               ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
   Receiver Node Address 
    
      Receiver IP V6 Address 
    
    
   Sender Node Address 
    
      Sender IP V6 Address 
    
    
   Extended Tunnel ID 
    
      Extended Tunnel ID in IP V6 format 
    
    
   Tunnel ID 
    
     Unique number assigned to this LSP. See [5] for details. 
    
   Message Type 
    
     Indicates the type of the payload. Message type 1 is assigned to 
   indicate that payload is ISAKMP. All other values are presently 
   reserved. 
    
     
   Senevirathne          Expiration June 2001                        9 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   Length 
    
      Length of the ISAKMP message in octets. Value zero (0) indicates 
   that there is no message in the payload. 
    
    
4.0 Placement of Secure MPLS, ISAKMP and RSVP-TE 
    
   ISAKMP by design is not tied to a specific transport protocol. 
   ISAKMP security associations are unidirectional in nature. MPLS LSP 
   are unidirectional in nature as well. Hence, Secure MPLS concepts 
   and ISAKMP complements, without any changes to the original 
   concepts. In fact, ISAKMP architecture suites better with 
   unidirectional transport protocol like MPLS. 
    
   +----------+             +------------ 
   |  DOI     |<----------->| ISAKMP     | 
   |Definition|       +---->|            | 
   +----------+       |     +------------+ 
                      |       ^        ^ 
                      |       |        | 
                      |       |        v 
   +----------+       |       |     +-----------+ 
   |Key Exch  |<------+       |     |  RSVP-TE  | 
   |Definition|               |  +->|           | 
   +----------+               |  |  +-----------+ 
       +----------------------+  |        ^ 
       |      +------------------+        | 
       v      |                           | 
   +-------+  |                           | 
   | API   |  |                           | 
   +-------+  |                           v 
       ^      |            +-------------------------------+ 
       |      |            |  Transport Layer (TCP/UDP)    | 
       v      v            +-------------------------------+ 
   +------------+          |         IP                    | 
   | Secure MPLS|          +-------------------------------+ 
   | Controller |<-------->|  Link Layer Protocol          | 
   +------------+          +-------------------------------+ 
    
4.1 ISAKMP messages and Secure MPLS DOI 
    
   ISAKMP messages carried in RSVP-TE payloads are defined for Secure 
   MPLS DOI. In order for ISAKMP to properly handle Secure MPLS 
   messages, it is important that Secure MPLS define it own DOI. It is 
   suggested that specific value for Domain Identifier for Secure MPLS 
   DOI be requested from IANA. 
    
   Within the Secure MPLS DOI, the required parameters are defined. At 
   present most of the definitions are in line with the IPSec DOI [4] 
   with few exceptions. It is suggested, if this proposal receive 
   enough interest, to generate a separate document for the Secure MPLS 
   DOI. 
    
     
   Senevirathne          Expiration June 2001                       10 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
5.0 Secure MPLS payload encapsulation 
    
   Secure MPLS payload encryption, in addition to providing 
   authentication and confidentiality provide variety of security 
   services such as, replay protection, protection against connection 
   hijacking etc. IPSec community has performed extensive work in this 
   area. In this paper we adapt concepts used IPSec to provide 
   authentication and encryption services to MPLS payloads. 
    
   Authentication, encryption and authentication-encryption are 
   mutually exclusive requirements. Authentication-encryption is a 
   hybrid of authentication and encryption. Thus we define two-
   encapsulation header format. Borrowing the names used in IPSec 
   community we define these headers as SMPLS-AH and SMPLS-ESP. 
    
   We propose to use SHIM encapsulation method for SMPLS-AH and SMPLS-
   ESP. 
    
   SMPLS-AH, if present, MUST be immediately after the Data Link Layer. 
    
   SMPLS-ESP, if present, MUST be immediately after the Data Link Layer 
   if SMPL-AH is not present. If SMPLS-AH present, SMPLS-ESP MSUT be 
   immediately after the SMPLS-AH. 
    
5.1 Possible SMPLS encapsulation formats 
    
   1. SMPLS-AH 
    
    -------------------------------------------------- 
   |DA   | SA | MPLS | SMPLS-AH| MPLS Payload         | 
   |     |    | Type |         |                      | 
    -------------------------------------------------- 
                                <---------------------> 
                                 Authenticated 
   2. SMPLS-ESP 
    
   ----------------------------------------------------------------- 
   |DA   | SA | MPLS | SMPLS-ESP| MPLS Payload |SMPLS-ESP |SMPLS-ESP |   
   |     |    | Type |          |              |Trailer   | Auth(**) | 
    ----------------------------------------------------------------- 
                                <-------------------------> 
                                 Encrypted 
                      <------------------------------------> 
                                 Authenticated (**)          
    
   3. SMPLS-AH-ESP 
    
    -------------------------------------------------------- 
   |DA | SA | MPLS |SMPLS|SMPLS-ESP| MPLS Payload |SMPLS-ESP|              
   |   |    | Type |AH   |         |              |Trailer  | 
    -------------------------------------------------------- 
                                   <------------------------> 
                                     Encrypted 
                          <---------------------------------> 
     
   Senevirathne          Expiration June 2001                       11 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
                                     Authenticated 
    
   (**) Indicates optional fields 
    
   Note: Above diagrams are not to a scale. 
    
 
   Above encapsulation formats are presented to cover all possible 
   combinations. However, one may implement authentication using ESP 
   with NULL encryption as presented in RFC 2410 [8]. When requiring 
   authentication and encryption one may choose to use format in above 
   2 with SMPLS-ESP authentication. Hence, it may be possible to cover 
   all case with a single SMPLS-ESP encapsulation format. However, use 
   of null encryption with ESP for authentication, instead of SMPLS-AH 
   is open for discussion and suggestions. 
    
5.2 SMPLS Encapsulation header types 
    
   There are two SMPLS encapsulations defined; 
    
   Type                              Value 
    
   Last Header                         0 
   SMPLS-AH                            1 
   SMPLS-ESP                           2 
    
   unused                              3-255 
     
5.2.1 SMPLS Authentication Header SMPLS-AH 
    
    
    0                   1                   2                   3    
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   | Type=SMPLS-AH | Length                        | Next Type     | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |    Security Parameter Index (SPI)                             | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |    Sequence Number (64 bits ) ?                               | 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
   |     Authentication Data (variable..)                          | 
   ~                                                               ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
   Type 
    
   Type of this header. It is set to one (1) to indicate that it is 
   SMPLS-AH. 
    
   Length 
    
   Length including Type/Length field in octets. 
     
   Senevirathne          Expiration June 2001                       12 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
    
   Next Type 
    
   Type of the next header. This is either 2 to indicate that the next 
   header is SMPLS-ESP or 0 to indicates that MPLS payload follows 
   immediately. 
    
   Security Parameter Index (SPI) 
    
   The SPI is an arbiter 32-bit integer. SPI combined with, {Extended 
   Tunnel ID::Tunnel ID} uniquely identify the security association for 
   this datagram. All other interpretation of the SPI including the 
   range of value is as defined in [9]. 
    
   Sequence Number 
    
   This unsigned 64-bit field contains a monotonically increasing 
   counter value (sequence number).  It is mandatory and is always 
   present even if the receiver does not elect to enable the anti-
   replay service for a specific SA.  Processing of the Sequence Number 
   field is at the discretion of the receiver, i.e., the sender MUST 
   always transmit this field, but the receiver need not act upon it 
   (see the discussion of Sequence Number Verification in the "Inbound 
   Packet Processing" section below). 
    
   The sender's counter and the receiver's counter are initialized to 0 
   when a SA is established.  (The first packet sent using a given SA 
   will have a Sequence Number of 1; see Section 3.3.2 of [9] for more 
   details on how the Sequence Number is generated.)  If anti-replay is 
   enabled (the default), the transmitted Sequence Number must never be 
   allowed to cycle.  Thus, the sender's counter and the receiver's 
   counter MUST be reset (by establishing a new SA and thus a new key) 
   prior to the transmission of the 2^64nd packet on a SA. 
    
   In this paper we have chosen a 64-bit sequence number as opposed to 
   32-bit number in [9]. It is anticipated that more and more 10Gig 
   pipes using MPLS. In such situation traffic may be aggregated to a 
   single MPLS LSP and 32-bit counter may not be adequate. 
    
    
   Authentication Data 
    
   This is a variable length field and contains the Integrity Check 
   Value (ICV) for this packet. The Authentication Data field is a 
   multiple of 32 bits and determined by the ICV computation method. 
   See [9] for details of the authentication field. 
    
    
5.2.2 Security Association Lookup 
    
   SMPLS-AH is applied to an outbound packet only after the MPLS 
   implementation determines that the packet is associated with a SA 
   that calls SMPPLS-AH processing. SMPLS-AH requirement may be derived 
   by FEC (Forward Equivalence Class) lookup. The exact procedure is 
     
   Senevirathne          Expiration June 2001                       13 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   beyond the scope of this document. However, if enough interest is 
   generated a separate document may be created for the purpose. 
    
5.2.3 Integrity Check Value Calculation 
    
   The calculation of ICV for MPLS payload is quite similar to the 
   calculation of ICV of IP packets in [9], except that SMPLS-AH treat 
   the data as a random bit sequence and no attempt is made to identify 
   the payload protocol type or mutable fields. In theory there are no 
   mutable fields in the MPLS payload as all packet forwarding is 
   performed based on a label. Thus simplifying some of the overheads 
   in IPSec encapsulations. 
 
   See section 3.3.3 of [9] for detail procedure in ICV calculation and 
   sequence number generation. 
    
5.2.4 Inbound Packet Processing 
    
   Inbound packet processing follows through following steps 
    
   o Perform Label Lookup 
    
   o Security Association Lookup 
    
   o Sequence Number Verification 
    
   o Integrity Check Value Verification 
    
   Label Lookup 
    
   Egress LSR performs a label lookup on the incoming packet. If that 
   indicates this router is the Egress LSR and the associated LSP is 
   carrying Secure MPLS data, Secure MPLS module is invoked. 
    
   Security Association Lookup 
    
   Security Association Lookup is performed within the Secure MPLS 
   module. The incoming Label provides a mapping for the {Extended 
   Tunnel ID::Tunel ID} tuple. Combined with this identifier, Security 
   Parameter Index (SPI) and Header Type (AH) determines a unique 
   Security Association (SA). Note that Header Type (ESP) combined with 
   the same LSP ID and numerically similar SPI is required to generate 
   a different Security association. Hence, Header Type is considered 
   in resolving the SA. 
    
   If there is no SA present for this flow, the packet MUST be 
   discarded. As specified in [9] the event may be audited. In addition 
   to the information required in [9], log event SHOULD contain the 
   SMPLS-ESP as the flow type. Instead of the end station IP address it 
   SHOULD display the Extended Tunnel ID:: Tunnel ID tuple. 
    
   Sequence Number verification 
    

     
   Senevirathne          Expiration June 2001                       14 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   Sequence number verification is performed using methods specified in 
   [9] 
    
   Integrity Check Value Verification 
    
   ICV is verified using the methods specified in section 3.4.4 of [9]. 
   Only difference, that ICV is calculated and verified over the entire 
   payload and there are no mutable fields. 
    
5.3 SMPLS Encrypting Security Payload (SMPLS-ESP) 
        
   0                   1                   2                   3    
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- 
   | Type=SMPLS-ESP | Length                        | Next Type    |^ 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|1* 
   |    Security Parameter Index (SPI)                             || 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| 
   |    Sequence Number (64 bits ) ?                               || 
   |                                                               || 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|- 
   |   Initialization Vector (IV)                                  ||^ 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|| 
   |  Payload Data   (variable)                                    ||2* 
   ~                                                               ||| 
   |                                                               ||| 
   +                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|| 
   |                     |   Padding (0-255 bytes)                 ||| 
   +-+-+-+-+-+-+-+-+-+-+-+                         +-+-+-+-+-+-+-+-+|| 
   |                                               | Pad Length    |vv 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-- 
   |     Authentication Data (variable..)                          | 
   ~                                                               ~ 
   |                                                               | 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
   1* - represents Authentication coverage 
   2* - represents Confidentiality coverage. NOTE: IV is not encrypted, 
   though considered as part of crypto text. 
    
   Type 
    
   Type of this header. It is set to two (2) to indicate that it is 
   SMPLS-ESP 
    
   Length 
    
   Length including Type/Length field in octets. 
    
   Next Type 
    
   Type of the next header. This is always set to zero (0) for SMPLS-
   ESP header. 
    
     
   Senevirathne          Expiration June 2001                       15 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   Security Parameter Index (SPI) 
    
   The SPI is an arbiter 32-bit integer. SPI combined with, Extended 
   Tunnel ID::Tunnel ID uniquely identify the security association for 
   this datagram. All other interpretation of the SPI including the 
   range of value is as defined in [10]. 
    
   Sequence Number 
    
   This unsigned 64-bit field contains a monotonically increasing 
   counter value (sequence number).  It is mandatory and is always 
   present even if the receiver does not elect to enable the anti-
   replay service for a specific SA.  Processing of the Sequence Number 
   field is at the discretion of the receiver, i.e., the sender MUST 
   always transmit this field, but the receiver need not act upon it 
   (see the discussion of Sequence Number Verification in the "Inbound 
   Packet Processing" section below). 
    
   The sender's counter and the receiver's counter are initialized to 0 
   when a SA is established.  (The first packet sent using a given SA 
   will have a Sequence Number of 1; see Section 3.3.3 of [10] for more 
   details on how the Sequence Number is generated.)  If anti-replay is 
   enabled (the default), the transmitted Sequence Number must never be 
   allowed to cycle.  Thus, the sender's counter and the receiver's 
   counter MUST be reset (by establishing a new SA and thus a new key) 
   prior to the transmission of the 2^64nd packet on a SA. 
    
   In this paper we have chosen a 64-bit sequence number as opposed to 
   32-bit number in [10]. It is anticipated that more and more 10Gig 
   pipes using MPLS. In such situation traffic may be aggregated to a 
   single MPLS LSP and 32-bit counter may not be adequate. 
    
    
   Authentication Data 
    
   This is a variable length field and contains the Integrity Check 
   Value (ICV) for this packet. The Authentication Data field is a 
   multiple of 32 bits and determined by the ICV computation method. 
   See [10] for details of the authentication field. 
    
   Note: 
    
   In ESP [10] the Next Header field contains the protocol ID of the IP 
   payload. This was necessary in [10] as the original IP header was 
   replaced with AH/ESP header. However, in MPLS, unmodified IP header 
   is contained in the payload or the payload is non-IP. Hence, in 
   Secure MPLS such explicit denotation of the payload protocol ID is 
   not required. 
    
5.3.1 Outbound Packet Processing 
    
   In Secure MPLS sender encapsulate the MPLS payload in the suggested 
   format above. Sender is also required to construct the SMPLS-ESP 
   header as specified this document where applicable or according to 
     
   Senevirathne          Expiration June 2001                       16 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   corresponding IPSec document where there is no explicit reference in 
   this document. 
    
5.3.2 Security Association Lookup 
    
   SMPLS-ESP is applied to an outbound packet only after the MPLS 
   implementation determines that the packet is associated with a SA 
   that calls SMPPLS-ESP processing. SMPLS-ESP requirement may be 
   derived by FEC (Forward Equivalence Class) lookup. The exact 
   procedure is beyond the scope of this document. However, if enough 
   interest is generated a separate document may be created for the 
   purpose. 
    
5.3.3 MPLS Payload Encryption 
    
   The encryption of MPLS payload is quite similar to the encryption 
   procedure of IP packets in [10], except that SMPLS-ESP treat the 
   data as a random bit sequence and no attempt is made to identify the 
   payload protocol type. 
    
   See section 3.3.2 of [10] for detail procedure in encryption and 
   sequence number generation. 
    
5.3.4 Inbound Packet Processing 
    
   Inbound packet processing follows through following steps 
    
   o Perform Label Lookup 
    
   o Security Association Lookup 
    
   o Sequence Number Verification 
    
   o Integrity Check Value Verification 
    
   o Payload decryption 
    
   Label Lookup 
    
   Egress LSR performs a label lookup on the incoming packet. If that 
   indicates this router is the Egress LSR and the associated LSP is 
   carrying Secure MPLS data, Secure MPLS module is invoked. 
    
   Security Association Lookup 
    
   Security Association Lookup is performed within the Secure MPLS 
   module. The incoming Label provide a mapping to the {Extended Tunnel 
   ID::Tunel ID} tuple. Combined with this identifier and Security 
   Parameter Index (SPI) and Header Type (ESP) determines a unique 
   Security Association (SA). Note that Header Type (AH) combined with 
   the same LSP ID and numerically similar SPI is required to generate 
   a different Security association. Hence, Header Type is considered 
   in resolving the SA. 
    
     
   Senevirathne          Expiration June 2001                       17 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
   If there is no SA present for this flow, the packet MUST be 
   discarded. As specified in [10] the event may be audited. In 
   addition to the information required in [10], log event SHOULD 
   contain the SMPLS-ESP as the flow type. Instead of the end station 
   IP address it SHOULD display the Extended Tunnel ID:: Tunnel ID 
   tuple. 
    
   Sequence Number verification 
    
   Sequence number verification is performed using methods specified in 
   [10] 
    
   Integrity Check Value Verification 
    
   ICV is verified using the methods specified in section 3.4.4 of 
   [10]. 
    
   MPLS Payload Decryption 
    
   Packet decryption procedure is similar to [10]. However, in secure 
   MPLS there are no attempts made to reconstruct the IP header. During 
   the setup time it is indicated that the corresponding LSP is either 
   IP or Layer 2 packet. Accordingly, decrypted payload is handed over 
   to the appropriate forwarding module. 
    
6.0 Other Issues 
    
6.1 Path MTU discovery 
    
   As MPLS payloads are encrypted, intermediate LSR are unable to 
   perform fragmentation upon MTU size violations. Hence it is 
   essential that ingress LSR performs path MTU discovery and performs 
   necessary fragmentation before encapsulation. There are several 
   documents published on this. MTU path discovery in Layer 2 MPLS 
   tunnels are presented in [11]. We suggest taking a similar approach 
   in discovering path MTU size for Secure MPLS LSP. 
    
6.2 LSP Setup Requirements 
    
   Secure MPLS paths require different handling. Hence the LSP 
   signaling protocol MUST carry indication to the effect that this LSP 
   is secure MPLS. At present, either CR-LDP or RSVP-TE is used to 
   setup constrained LSP.  
    
   In RSVP-TE we propose to define a new flag in Session Attribute 
   object. The new flag is called Secure MPLS. All intermediate nodes 
   MUST pass this flag downstream. 
    
   Flag 
    
        0x08 Secure MPLS 
                This flag indicate that this LSP is carrying encrypted 
                payload and no attempt be made to interpret payload 

     
   Senevirathne          Expiration June 2001                       18 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
                data, except by the end routers. All intermediate nodes 
                must pass this parameter to the downstream routers. 
                 
   See [5] for details on the format of the Session Attribute object. 
    
6.3 Intermediate LSR 
    
   Intermediate LSR MUST not attempt to interpret data, Upon errors 
   intermediate LSR SHOULD silently discard the packets. If RSVP-TE is 
   used to transport ISKMP messages, they should transparently forward 
   such messages to downstream node. 
    
6.4 Label merging 
    
   Secure MPLS presented in this document is a derivative of IKE. As 
   such it can only establish security association with point-to-point 
   LSP. Label merged LSP may be considered as a point-to-multi-point 
   LSP. In such situation concepts presented in secure multicast 
   documents may be used. Security implementation in Label merge LSP 
   are considered beyond the scope of this document. 
    
6.5 Penultimate Hop popping 
    
   As explained above, incoming Label and subsequently {Extended Tunnel 
   ID::Tunnel ID} is used to perform Security Parameter Database 
   lookup. Penultimate hop popping eliminate the ability of such lookup 
   and  MUST not be performed in secure MPLS LSP. 
    
7.0 Security Considerations 
 
   The methods presented in this document is not known to alter the 
   security level of ISAKMP or IKE. The Secure MPLS architecture 
   presented here improves the level of security offered in MPLS 
   implementation. 
    
8.0 Acknowledgment 
    
   The work presented in this document has been influenced 
   significantly by the work presented in sited references and on going 
   work at the IETF. 
    
    
9.0 References 
    
   1  RFC 2119 Bradner, S., "Key words for use in RFCs to Indicate 
      Requirement Levels", BCP 14, RFC 2119, March 1997 
    
   2  Maughan, D., and et.al., Internet Security Association and Key 
      Management Protocol (ISAKMP), RFC 2408, November 1998. 
    
   3  Harkins, D., and Carrel, D., The Internet Key Exchange (IKE), RFC 
      2409, November 1998. 
    
 

     
   Senevirathne          Expiration June 2001                       19 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
    
     
   4  Piper, D., The Internet IP Security Domain of Interpretation for 
      ISAKMP, RFC 2407, November 1998. 
    
   5  Awduche, D., and et. al., RSVP-TE: Extensions to RSVP for LSP 
      Tunnels, Work in Progress, August 2000. 
     
   6  Jamoussi, Bilel., and et. al., Constrained-Based LSP setup using 
      LDP, Work in Progress, July 2000. 
     
   7  Braden, R., and et.al., Resource ReSerVation Protocol (RSVP), RFC 
      2205, September 1997. 
    
   8  Glenn, R., and Kent, S., The NULL Encryption Algorithm and Its 
      Use with IPSec, RFC 2410, November 1998. 
    
   9  Kent, S., and Atkinson R, IP Authentication Header, RFC 2402, 
      November 2000. 
     
   10  Kent, S., and Atkinsoon, R., IP Encapsulating Security Payload 
      (ESP), RFC 2406, November 1998. 
    
   11 Senevirathne, T., and Billinghurst, P., Use of CR-LDP or RSVP-TE 
      to Extend 802.1Q Virtual LANs across MPLS Networks, Work In 
      Progress, October 2000. 
    
    
10.0 Author's Addresses 
    
   Tissa Senevirathne 
   Nortel Networks 
   2305 Mission College Blvd, 
   Santa Clara CA 95054 
    
   Email:tsenevir@nortelnetworks.com 
   Tel:408-565-2571 
    
    
Full Copyright Statement 
 

   "Copyright (C) The Internet Society (2001). All Rights Reserved. 
   This document and translations of it may be copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implmentation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph 
   are included on all such copies and derivative works. However, this 
   document itself may not be modified in any way, such as by removing 
   the copyright notice or references to the Internet Society or other 
   Internet organizations, except as needed for the purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into 

     
   Senevirathne          Expiration June 2001                       20 

                     draft-tsenevir-smpls-00.txt         January 2001 
    
    
    
    



















































     
   Senevirathne          Expiration June 2001                       21