Internet Draft
Network Working Group Tissa Senevirathne
Internet Draft Nortel Networks
Document: draft-tsenevir-smpls-00.txt January 2001
Category: Informational
Secure MPLS - Encryption and Authentication of MPLS payloads
Status of this Memo
This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document present use of ISAKMP to establish required security
association for secure MPLS. Two methods are presented to transport
ISAKMP messages between edge LSR. New RSVP object is defined to
exchange security association messages as part of the LSP setup
messages. Also discussed are the extensions to IKE to establish
required security association for Secure MPLS using a separate IP
channel between edge LSR. It is thought that use of separate IP
channel facilitates scaling, especially in the environment where
multiple LSP terminate between same two edge LSRs. In addition, use
of dedicated IP channel does not require a definition of new DOI for
Secure MPLS, rather few new definitions to IPSec DOI. Required
encapsulation formats are presented for encryption and
authentication of MPLS payloads.
Senevirathne Expiration June 2001 1
�
draft-tsenevir-smpls-00.txt January 2001
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [1].
Table of Contents
1.0 Introduction:....................................................2
2.0 Use of IKE for Secure MPLS.......................................4
2.1 Security Protocol Identifier.....................................4
2.2 Identification Types.............................................5
2.2.1 Identification Payload.........................................6
3.0 Use of RSVP-TE to transport ISAKMP messages......................7
3.0.1 RSVP Transport Message.........................................7
3.1 Secure_MPLS_Message Object.......................................7
4.0 Placement of Secure MPLS, ISAKMP and RSVP-TE....................10
4.1 ISAKMP messages and Secure MPLS DOI.............................10
5.0 Secure MPLS payload encapsulation...............................11
5.1 Possible SMPLS encapsulation formats............................11
5.2 SMPLS Encapsulation header types................................12
5.2.1 SMPLS Authentication Header SMPLS-AH..........................12
5.2.2 Security Association Lookup...................................13
5.2.3 Integrity Check Value Calculation.............................14
5.2.4 Inbound Packet Processing.....................................14
5.3 SMPLS Encrypting Security Payload (SMPLS-ESP)...................15
5.3.1 Outbound Packet Processing....................................16
5.3.2 Security Association Lookup...................................17
5.3.3 MPLS Payload Encryption.......................................17
5.3.4 Inbound Packet Processing.....................................17
6.0 Other Issues....................................................18
6.1 Path MTU discovery..............................................18
6.2 LSP Setup Requirements..........................................18
6.3 Intermediate LSR................................................19
6.4 Label merging...................................................19
6.5 Penultimate Hop popping.........................................19
7.0 Security Considerations.........................................19
8.0 Acknowledgment..................................................19
9.0 References......................................................19
10.0 Author's Addresses.............................................20
Full Copyright Statement............................................20
1.0 Introduction:
MPLS is gaining popularity as a protocol that provide traffic
engineering and other service capabilities beyond the strength of
traditional routing. There are several deployments that use MPLS for
wide area application or VPN services. However, at present, there
are no established method to provide MPLS payload encryption and
authentication. In addition, MPLS is gaining popularity in transport
of non-IP traffic (Layer 2) over long haul Wide Area Network. Hence,
definition of protocol agnostic (as opposed to IPSec) security
Senevirathne Expiration June 2001 2
�
draft-tsenevir-smpls-00.txt January 2001
architecture for MPLS is becoming more and more important. This
paper presents possible methods to establish security association
for MPLS payload encryption and authentication.
Encryption and authentication of IP packets are performed using
suite of well-established protocols. This protocol suite is
collectively known as IPSec. Internet Security Association and Key
Management Protocol (ISAKMP)[2] defines the messaging protocol that
is used to establish required security association for key
distribution. ISAKMP is a very generic messaging protocol that can
be used for variety of protocols. Internet Key Exchange (IKE) [3]
defines specific details of adaptation of ISAKMP for IPSec DOI[4].
In IPSec, IKE use a separate IP Control channel between end points
to negotiate and establish security associations.
Constrained routed Label Switched paths are used in MPLS to setup
traffic engineered tunnels. RSVP-TE [5] or CR-LDP[6] is used for
setting up such constrained LSP. The fact that there is a security
association with the LSP can be considered as a constrain on the
LSP. The ISAKMP is a generic protocol that could be exchanged using
any transport protocol. Hence, ability to perform ISAKMP over RSVP-
TE or CR-LDP negates the need of a separate IP control channel. In
this paper we present the methods to exchange ISAKMP messages using
RSVP-TE extensions. CR-LDP can be easily extended for the purpose.
Use of CR-LDP for the purpose will be presented in a separate paper.
Security Associations (SA) constructed using ISAKMP is uni-
directional in nature. MPLS LSP are uni-directional in nature.
Hence, ISAKMP and Secure MPLS complements with each other without
any changes to existing concepts.
In practice, there are multiple LSP between two edge LSR. Suppose
these LSP require secure MPLS services. If Secure MPLS services are
implemented using RSVP-TE extensions, there need to be a separate
Phase 1 Security Association for each LSP. On the other hand if
there is a separate control channel to negotiate and establish
security association, that channel may be used for key distribution
and management of multiple secure LSP. This can be achieved with few
additions to the existing IKE definition and will be able to reuse
the same ISAKMP code base used for IPSec. In this document we
present extension to IPSec DOI to establish secure MPLS services.
Secure MPLS need to address all the well-known security
considerations such as replay attacks, connection hijacking etc.
IPSec encapsulation is designed to address these issues. However,
some of the IPSec encapsulation methods become trivial in MPLS. As
an example, tunnel mode in IPSec is essentially MPLS LSP. In this
document we present Secure MPLS encapsulation format. Secure MPLS
encapsulation format is similar to IPSec, but only address specific
needs of MPLS.
This document is broadly classified in to two parts. Part one
presents use of ISAKMP for Security Association establishment for
Senevirathne Expiration June 2001 3
�
draft-tsenevir-smpls-00.txt January 2001
secure MPLS. Use of RSVP-TE or dedicated IP control channel for
ISAKMP message transport is also discussed. Also additions required
to the IPSec DOI to implement Secure MPLS are presented in this
document.
The part two of this document presents the Secure MPLS payload
encapsulation formats. Also it defines various Secure MPLS
operational modes.
In future, it may require dividing this document to multiple
documents to cover the full scope of the Secure MPLS. Such work may
at least include following documents
o Secure MPLS Architecture
o Secure MPLS Domain of Interpretation (DOI)
o Secure MPLS message transport
(Use of RSVP-TE or separate control channel)
o Secure MPLS payload encryption
2.0 Use of IKE for Secure MPLS
IKE [3] is designed to negotiate security parameters for multiple
applications over a single Phase I security association. In
practice, between two LSR there may be multiple LSP. As suggested
earlier, when using RSVP-TE to transport IKE messages, there is no
common session between all LSP. Each RSVP session is unique for that
LSP and bound to the life of the LSP. Thus inhibiting the ability to
use a single Phase I session for multiple LSP. As a result it is
possible that edge LSR are required to maintain large amount of
individual Security associations that could have been avoided if a
separate control channel was used for the purpose.
Hence use of IKE as a proxy to establish Security Associations for
MPLS appears a logical approach. This approach also allows reusing
the existing ISAKMP/IKE code base and allows to implement Secure
MPLS with few new definitions to IPSec DOI. However, a separate IP
control channel is required between edge LSR to carry IKE messages.
Within the IPSec DOI we propose to define the following additions.
The values presented here are suggestions only, exact values require
approval from IANA. Such approval will be sort.
2.1 Security Protocol Identifier
Section 4.4.1 of IPSec DOI [4] defines various IPSec related
Protocol Identifier. We suggest including three more definitions.
The suggested definition are presented below:
Protocol ID Value
PROTO_SMPLS_AH 5
Senevirathne Expiration June 2001 4
�
draft-tsenevir-smpls-00.txt January 2001
PROTO_SMPLS_ESP 6
PROTO_SMPLS_COMP 7
PROTO_SMPLS_AH
The PROTO_SMPLS_AH type specifies the MPLS payload authentication.
The default SMPLS-AH transform provides data origin authentication,
integrity, protection and replay detection. For export
consideration, SMPLS-AH transform must not provide any payload
confidentiality.
PROTO_SMPLS_ESP
The PROTO_SMPLS_ESP type specifies the MPLS payload confidentiality
(encryption). Authentication if required must be provided as part of
the ESP. The default SMPLS-ESP transform provides data origin
authentication, integrity, protection and replay detection.
PROTO_SMPLS_COMP
The PROTO_SMPLS_COMP type specifies MPLS payload compression. The
exact algorithms for MPLS payload encryption are under study. Use of
payload compression may have at least two direct benefits. Firstly,
it eliminates redundancies in the payload data and reduces
repetitive patterns in the payload. Secondly it conserve bandwidth
on the network by reducing the payload size. The time spent in
compressing the payload and time gained in encrypting the reduced
payload may increase the total throughput.
2.2 Identification Types
Identification payload in the ISAKMP message helps responder to
identify the appropriate LSP and apply correct security policies. In
IPSec this is defined as end station address and a port number. In
MPLS there may be large number of LSP between two edge LSR. The LSP
may not necessarily carry IP payloads. In order to distinguish
between different LSP between two given LSR, a unique Tunnel ID is
assigned to the LSP [5]. Also [5] suggest to use the extended Tunnel
ID to further narrow the scope of the LSP. It is suggested in [5]
that the extended Tunnel ID is set to the ingress node IP address.
Here we propose to use {Ingress Node Addrss::Tunnel ID} as the node
identifier. This may also be considered as {Extended Tunnel
ID::Tunnel ID}. If Extended Tunnel ID is used as part of the ISAKMP
identification, it is important that RSVP-TE [5] implementation
always use unique values for Extended Tunnel ID.
ID Type value
ID_SMPLS_IPV4 12
ID_SMPLS_IPV6 13
The values presented above are only suggestions. Exact values need
approval from IANA. Section 4.6.2.1 of IPsec DOI [4] explains the
definition of other ID Types.
Senevirathne Expiration June 2001 5
�
draft-tsenevir-smpls-00.txt January 2001
2.2.1 Identification Payload
Here we present the format of the identification data payload that
will be carried in ISAKMP identification messages for IPSec DOI.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | Reserved | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID Type | Reserved=0 | Tunnel ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Extended Tunnel ID ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Next Payload
Type of the next payload after this. Value of zero (0) indicates
that this is the last payload.
Reserved
All reserved fields are set to zero on transmission and ignored on
receipt.
Payload Length
Length of the payload in octets, including the generic header.
ID Type
Value describing the Identification data. For Secure MPLS, this is
either ID_SMPLS_IPV4 or ID_SMPLS_IPV6.
Tunnel ID
A unique number assigned for this LSP by the ingress node.
Extended Tunnel ID
The extended Tunnel ID or the Ingress node ID. The length of this
field depend on the ID type is ID_SMPLS_IPV4 or ID_SMPLS_IPv6.
NOTE:
Here ID_SMPLS_IPV4 or ID_SMPLS_IPV6 only represent the end point
addressing.
Other DOI definitions
All other definitions are the same as IPSec DOI [4] definitions.
Senevirathne Expiration June 2001 6
�
draft-tsenevir-smpls-00.txt January 2001
3.0 Use of RSVP-TE to transport ISAKMP messages
Constrained driven LSP are setup using either CR-LDP or RSVP-TE.
Most often there is a separate CR-LDP or RSVP-TE session per LSP.
These LSP signaling sessions can be used to transport other
messages. In this section we present use of RSVP-TE to exchange
required ISAKMP messages between edge LSR. The reuse of the RSVP-TE
channel to exchange ISAKMP messages negate the need of a separate IP
control channel for the purpose. Thus creating a cleaner design with
single control channel. However, RSVP-TE sessions are closely tied
to the LSP. The Phase 1 security associations established for one
LSP may not be reused for another LSP. As a result, end LSR may
require maintaining multiple Phase 1 security associations.
We propose to define a new RSVP-TE object to carry ISAKMP messages.
The new object is called Secure_MPLS_message Object. ISAKMP messages
are exchanged end-to-end. RSVP messages are exchanged hop by hop.
Hence all transit nodes MUST pass the Secure_MPLS_message Object
unmodified to the downstream node.
Object Name Applicable RSVP messages
----------- ------------------------
Secure_MPLS_Message Transport (see below)
3.0.1 RSVP Transport Message
ISAKMP messages are sent from end-to-end. Intermediate nodes MUST
forward the message downstream without modifications. In this
regard, RSVP is functioning as a transport protocol for ISAKMP. More
established RSVP messages such as Path Message require hop-by-hop
processing and are sent with the route alert option in the IP
header. This in turn triggers hop by hop processing. As mentioned
earlier, when transporting RSVP messages, only the end nodes are
required to process the message. On the other hand RSVP transport
messages should not be subjected to the RSVP state machine. Hence,
we propose to define a new RSVP message type to provide end-to-end
message transport ability for RSVP. The payload of the RSVP
Transport message can be any of the RSVP objects such as
Secure_MPLS_Message Object. Processing of Transport message payloads
are considered a local policy. Hence, applications that require
transport service from the RSVP MUST register the application with
the RSVP module.
RSVP Message Type Value
----------------- -------
Transport 8
Message type 1 to 7 are defined in [7]. RSVP Transport message MUST
NOT be encoded with route alert option.
3.1 Secure_MPLS_Message Object
Senevirathne Expiration June 2001 7
�
draft-tsenevir-smpls-00.txt January 2001
The Secure MPLS Message object is assigned with Class value of 25
(TBD). Presently, there are two C_Type. C_Type 1 indicates that this
is an ISAKMP message with Extended tunnel ID in IP V4 format.
C_Type 2 indicates that, this is an ISAKMP message with extended
tunnel ID in IP V6 format. All other C_Type values are unused.
Class=25, C_Type=1
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Node Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Node Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extended Tunnel ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel ID | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Type | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ISAKMP message (variable length..) |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Receiver Node Address
Receiver IP V4 Address
Sender Node Address
Sender IP V4 Address
Extended Tunnel ID
Extended Tunnel ID in IP V4 format
Tunnel ID
Unique number assigned to this LSP. See [5] for details.
Message Type
Indicates the type of the payload. Message type 1 is assigned to
indicate that payload is ISAKMP. All other values are presently
reserved.
Length
Senevirathne Expiration June 2001 8
�
draft-tsenevir-smpls-00.txt January 2001
Length of the ISAKMP message in octets. Value zero (0) indicates
that there is no message in the payload.
Class=25, C_Type=2
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Node Address |
~ (16 bytes) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Node Address |
~ (16 bytes) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extended Tunnel ID |
~ (16 bytes) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel ID | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Type | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ISAKMP message (variable length..) |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Receiver Node Address
Receiver IP V6 Address
Sender Node Address
Sender IP V6 Address
Extended Tunnel ID
Extended Tunnel ID in IP V6 format
Tunnel ID
Unique number assigned to this LSP. See [5] for details.
Message Type
Indicates the type of the payload. Message type 1 is assigned to
indicate that payload is ISAKMP. All other values are presently
reserved.
Senevirathne Expiration June 2001 9
�
draft-tsenevir-smpls-00.txt January 2001
Length
Length of the ISAKMP message in octets. Value zero (0) indicates
that there is no message in the payload.
4.0 Placement of Secure MPLS, ISAKMP and RSVP-TE
ISAKMP by design is not tied to a specific transport protocol.
ISAKMP security associations are unidirectional in nature. MPLS LSP
are unidirectional in nature as well. Hence, Secure MPLS concepts
and ISAKMP complements, without any changes to the original
concepts. In fact, ISAKMP architecture suites better with
unidirectional transport protocol like MPLS.
+----------+ +------------
| DOI |<----------->| ISAKMP |
|Definition| +---->| |
+----------+ | +------------+
| ^ ^
| | |
| | v
+----------+ | | +-----------+
|Key Exch |<------+ | | RSVP-TE |
|Definition| | +->| |
+----------+ | | +-----------+
+----------------------+ | ^
| +------------------+ |
v | |
+-------+ | |
| API | | |
+-------+ | v
^ | +-------------------------------+
| | | Transport Layer (TCP/UDP) |
v v +-------------------------------+
+------------+ | IP |
| Secure MPLS| +-------------------------------+
| Controller |<-------->| Link Layer Protocol |
+------------+ +-------------------------------+
4.1 ISAKMP messages and Secure MPLS DOI
ISAKMP messages carried in RSVP-TE payloads are defined for Secure
MPLS DOI. In order for ISAKMP to properly handle Secure MPLS
messages, it is important that Secure MPLS define it own DOI. It is
suggested that specific value for Domain Identifier for Secure MPLS
DOI be requested from IANA.
Within the Secure MPLS DOI, the required parameters are defined. At
present most of the definitions are in line with the IPSec DOI [4]
with few exceptions. It is suggested, if this proposal receive
enough interest, to generate a separate document for the Secure MPLS
DOI.
Senevirathne Expiration June 2001 10
�
draft-tsenevir-smpls-00.txt January 2001
5.0 Secure MPLS payload encapsulation
Secure MPLS payload encryption, in addition to providing
authentication and confidentiality provide variety of security
services such as, replay protection, protection against connection
hijacking etc. IPSec community has performed extensive work in this
area. In this paper we adapt concepts used IPSec to provide
authentication and encryption services to MPLS payloads.
Authentication, encryption and authentication-encryption are
mutually exclusive requirements. Authentication-encryption is a
hybrid of authentication and encryption. Thus we define two-
encapsulation header format. Borrowing the names used in IPSec
community we define these headers as SMPLS-AH and SMPLS-ESP.
We propose to use SHIM encapsulation method for SMPLS-AH and SMPLS-
ESP.
SMPLS-AH, if present, MUST be immediately after the Data Link Layer.
SMPLS-ESP, if present, MUST be immediately after the Data Link Layer
if SMPL-AH is not present. If SMPLS-AH present, SMPLS-ESP MSUT be
immediately after the SMPLS-AH.
5.1 Possible SMPLS encapsulation formats
1. SMPLS-AH
--------------------------------------------------
|DA | SA | MPLS | SMPLS-AH| MPLS Payload |
| | | Type | | |
--------------------------------------------------
<--------------------->
Authenticated
2. SMPLS-ESP
-----------------------------------------------------------------
|DA | SA | MPLS | SMPLS-ESP| MPLS Payload |SMPLS-ESP |SMPLS-ESP |
| | | Type | | |Trailer | Auth(**) |
-----------------------------------------------------------------
<------------------------->
Encrypted
<------------------------------------>
Authenticated (**)
3. SMPLS-AH-ESP
--------------------------------------------------------
|DA | SA | MPLS |SMPLS|SMPLS-ESP| MPLS Payload |SMPLS-ESP|
| | | Type |AH | | |Trailer |
--------------------------------------------------------
<------------------------>
Encrypted
<--------------------------------->
Senevirathne Expiration June 2001 11
�
draft-tsenevir-smpls-00.txt January 2001
Authenticated
(**) Indicates optional fields
Note: Above diagrams are not to a scale.
Above encapsulation formats are presented to cover all possible
combinations. However, one may implement authentication using ESP
with NULL encryption as presented in RFC 2410 [8]. When requiring
authentication and encryption one may choose to use format in above
2 with SMPLS-ESP authentication. Hence, it may be possible to cover
all case with a single SMPLS-ESP encapsulation format. However, use
of null encryption with ESP for authentication, instead of SMPLS-AH
is open for discussion and suggestions.
5.2 SMPLS Encapsulation header types
There are two SMPLS encapsulations defined;
Type Value
Last Header 0
SMPLS-AH 1
SMPLS-ESP 2
unused 3-255
5.2.1 SMPLS Authentication Header SMPLS-AH
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=SMPLS-AH | Length | Next Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Parameter Index (SPI) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number (64 bits ) ? |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Data (variable..) |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
Type of this header. It is set to one (1) to indicate that it is
SMPLS-AH.
Length
Length including Type/Length field in octets.
Senevirathne Expiration June 2001 12
�
draft-tsenevir-smpls-00.txt January 2001
Next Type
Type of the next header. This is either 2 to indicate that the next
header is SMPLS-ESP or 0 to indicates that MPLS payload follows
immediately.
Security Parameter Index (SPI)
The SPI is an arbiter 32-bit integer. SPI combined with, {Extended
Tunnel ID::Tunnel ID} uniquely identify the security association for
this datagram. All other interpretation of the SPI including the
range of value is as defined in [9].
Sequence Number
This unsigned 64-bit field contains a monotonically increasing
counter value (sequence number). It is mandatory and is always
present even if the receiver does not elect to enable the anti-
replay service for a specific SA. Processing of the Sequence Number
field is at the discretion of the receiver, i.e., the sender MUST
always transmit this field, but the receiver need not act upon it
(see the discussion of Sequence Number Verification in the "Inbound
Packet Processing" section below).
The sender's counter and the receiver's counter are initialized to 0
when a SA is established. (The first packet sent using a given SA
will have a Sequence Number of 1; see Section 3.3.2 of [9] for more
details on how the Sequence Number is generated.) If anti-replay is
enabled (the default), the transmitted Sequence Number must never be
allowed to cycle. Thus, the sender's counter and the receiver's
counter MUST be reset (by establishing a new SA and thus a new key)
prior to the transmission of the 2^64nd packet on a SA.
In this paper we have chosen a 64-bit sequence number as opposed to
32-bit number in [9]. It is anticipated that more and more 10Gig
pipes using MPLS. In such situation traffic may be aggregated to a
single MPLS LSP and 32-bit counter may not be adequate.
Authentication Data
This is a variable length field and contains the Integrity Check
Value (ICV) for this packet. The Authentication Data field is a
multiple of 32 bits and determined by the ICV computation method.
See [9] for details of the authentication field.
5.2.2 Security Association Lookup
SMPLS-AH is applied to an outbound packet only after the MPLS
implementation determines that the packet is associated with a SA
that calls SMPPLS-AH processing. SMPLS-AH requirement may be derived
by FEC (Forward Equivalence Class) lookup. The exact procedure is
Senevirathne Expiration June 2001 13
�
draft-tsenevir-smpls-00.txt January 2001
beyond the scope of this document. However, if enough interest is
generated a separate document may be created for the purpose.
5.2.3 Integrity Check Value Calculation
The calculation of ICV for MPLS payload is quite similar to the
calculation of ICV of IP packets in [9], except that SMPLS-AH treat
the data as a random bit sequence and no attempt is made to identify
the payload protocol type or mutable fields. In theory there are no
mutable fields in the MPLS payload as all packet forwarding is
performed based on a label. Thus simplifying some of the overheads
in IPSec encapsulations.
See section 3.3.3 of [9] for detail procedure in ICV calculation and
sequence number generation.
5.2.4 Inbound Packet Processing
Inbound packet processing follows through following steps
o Perform Label Lookup
o Security Association Lookup
o Sequence Number Verification
o Integrity Check Value Verification
Label Lookup
Egress LSR performs a label lookup on the incoming packet. If that
indicates this router is the Egress LSR and the associated LSP is
carrying Secure MPLS data, Secure MPLS module is invoked.
Security Association Lookup
Security Association Lookup is performed within the Secure MPLS
module. The incoming Label provides a mapping for the {Extended
Tunnel ID::Tunel ID} tuple. Combined with this identifier, Security
Parameter Index (SPI) and Header Type (AH) determines a unique
Security Association (SA). Note that Header Type (ESP) combined with
the same LSP ID and numerically similar SPI is required to generate
a different Security association. Hence, Header Type is considered
in resolving the SA.
If there is no SA present for this flow, the packet MUST be
discarded. As specified in [9] the event may be audited. In addition
to the information required in [9], log event SHOULD contain the
SMPLS-ESP as the flow type. Instead of the end station IP address it
SHOULD display the Extended Tunnel ID:: Tunnel ID tuple.
Sequence Number verification
Senevirathne Expiration June 2001 14
�
draft-tsenevir-smpls-00.txt January 2001
Sequence number verification is performed using methods specified in
[9]
Integrity Check Value Verification
ICV is verified using the methods specified in section 3.4.4 of [9].
Only difference, that ICV is calculated and verified over the entire
payload and there are no mutable fields.
5.3 SMPLS Encrypting Security Payload (SMPLS-ESP)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
| Type=SMPLS-ESP | Length | Next Type |^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|1*
| Security Parameter Index (SPI) ||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|
| Sequence Number (64 bits ) ? ||
| ||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|-
| Initialization Vector (IV) ||^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+||
| Payload Data (variable) ||2*
~ |||
| |||
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+||
| | Padding (0-255 bytes) |||
+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+||
| | Pad Length |vv
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--
| Authentication Data (variable..) |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1* - represents Authentication coverage
2* - represents Confidentiality coverage. NOTE: IV is not encrypted,
though considered as part of crypto text.
Type
Type of this header. It is set to two (2) to indicate that it is
SMPLS-ESP
Length
Length including Type/Length field in octets.
Next Type
Type of the next header. This is always set to zero (0) for SMPLS-
ESP header.
Senevirathne Expiration June 2001 15
�
draft-tsenevir-smpls-00.txt January 2001
Security Parameter Index (SPI)
The SPI is an arbiter 32-bit integer. SPI combined with, Extended
Tunnel ID::Tunnel ID uniquely identify the security association for
this datagram. All other interpretation of the SPI including the
range of value is as defined in [10].
Sequence Number
This unsigned 64-bit field contains a monotonically increasing
counter value (sequence number). It is mandatory and is always
present even if the receiver does not elect to enable the anti-
replay service for a specific SA. Processing of the Sequence Number
field is at the discretion of the receiver, i.e., the sender MUST
always transmit this field, but the receiver need not act upon it
(see the discussion of Sequence Number Verification in the "Inbound
Packet Processing" section below).
The sender's counter and the receiver's counter are initialized to 0
when a SA is established. (The first packet sent using a given SA
will have a Sequence Number of 1; see Section 3.3.3 of [10] for more
details on how the Sequence Number is generated.) If anti-replay is
enabled (the default), the transmitted Sequence Number must never be
allowed to cycle. Thus, the sender's counter and the receiver's
counter MUST be reset (by establishing a new SA and thus a new key)
prior to the transmission of the 2^64nd packet on a SA.
In this paper we have chosen a 64-bit sequence number as opposed to
32-bit number in [10]. It is anticipated that more and more 10Gig
pipes using MPLS. In such situation traffic may be aggregated to a
single MPLS LSP and 32-bit counter may not be adequate.
Authentication Data
This is a variable length field and contains the Integrity Check
Value (ICV) for this packet. The Authentication Data field is a
multiple of 32 bits and determined by the ICV computation method.
See [10] for details of the authentication field.
Note:
In ESP [10] the Next Header field contains the protocol ID of the IP
payload. This was necessary in [10] as the original IP header was
replaced with AH/ESP header. However, in MPLS, unmodified IP header
is contained in the payload or the payload is non-IP. Hence, in
Secure MPLS such explicit denotation of the payload protocol ID is
not required.
5.3.1 Outbound Packet Processing
In Secure MPLS sender encapsulate the MPLS payload in the suggested
format above. Sender is also required to construct the SMPLS-ESP
header as specified this document where applicable or according to
Senevirathne Expiration June 2001 16
�
draft-tsenevir-smpls-00.txt January 2001
corresponding IPSec document where there is no explicit reference in
this document.
5.3.2 Security Association Lookup
SMPLS-ESP is applied to an outbound packet only after the MPLS
implementation determines that the packet is associated with a SA
that calls SMPPLS-ESP processing. SMPLS-ESP requirement may be
derived by FEC (Forward Equivalence Class) lookup. The exact
procedure is beyond the scope of this document. However, if enough
interest is generated a separate document may be created for the
purpose.
5.3.3 MPLS Payload Encryption
The encryption of MPLS payload is quite similar to the encryption
procedure of IP packets in [10], except that SMPLS-ESP treat the
data as a random bit sequence and no attempt is made to identify the
payload protocol type.
See section 3.3.2 of [10] for detail procedure in encryption and
sequence number generation.
5.3.4 Inbound Packet Processing
Inbound packet processing follows through following steps
o Perform Label Lookup
o Security Association Lookup
o Sequence Number Verification
o Integrity Check Value Verification
o Payload decryption
Label Lookup
Egress LSR performs a label lookup on the incoming packet. If that
indicates this router is the Egress LSR and the associated LSP is
carrying Secure MPLS data, Secure MPLS module is invoked.
Security Association Lookup
Security Association Lookup is performed within the Secure MPLS
module. The incoming Label provide a mapping to the {Extended Tunnel
ID::Tunel ID} tuple. Combined with this identifier and Security
Parameter Index (SPI) and Header Type (ESP) determines a unique
Security Association (SA). Note that Header Type (AH) combined with
the same LSP ID and numerically similar SPI is required to generate
a different Security association. Hence, Header Type is considered
in resolving the SA.
Senevirathne Expiration June 2001 17
�
draft-tsenevir-smpls-00.txt January 2001
If there is no SA present for this flow, the packet MUST be
discarded. As specified in [10] the event may be audited. In
addition to the information required in [10], log event SHOULD
contain the SMPLS-ESP as the flow type. Instead of the end station
IP address it SHOULD display the Extended Tunnel ID:: Tunnel ID
tuple.
Sequence Number verification
Sequence number verification is performed using methods specified in
[10]
Integrity Check Value Verification
ICV is verified using the methods specified in section 3.4.4 of
[10].
MPLS Payload Decryption
Packet decryption procedure is similar to [10]. However, in secure
MPLS there are no attempts made to reconstruct the IP header. During
the setup time it is indicated that the corresponding LSP is either
IP or Layer 2 packet. Accordingly, decrypted payload is handed over
to the appropriate forwarding module.
6.0 Other Issues
6.1 Path MTU discovery
As MPLS payloads are encrypted, intermediate LSR are unable to
perform fragmentation upon MTU size violations. Hence it is
essential that ingress LSR performs path MTU discovery and performs
necessary fragmentation before encapsulation. There are several
documents published on this. MTU path discovery in Layer 2 MPLS
tunnels are presented in [11]. We suggest taking a similar approach
in discovering path MTU size for Secure MPLS LSP.
6.2 LSP Setup Requirements
Secure MPLS paths require different handling. Hence the LSP
signaling protocol MUST carry indication to the effect that this LSP
is secure MPLS. At present, either CR-LDP or RSVP-TE is used to
setup constrained LSP.
In RSVP-TE we propose to define a new flag in Session Attribute
object. The new flag is called Secure MPLS. All intermediate nodes
MUST pass this flag downstream.
Flag
0x08 Secure MPLS
This flag indicate that this LSP is carrying encrypted
payload and no attempt be made to interpret payload
Senevirathne Expiration June 2001 18
�
draft-tsenevir-smpls-00.txt January 2001
data, except by the end routers. All intermediate nodes
must pass this parameter to the downstream routers.
See [5] for details on the format of the Session Attribute object.
6.3 Intermediate LSR
Intermediate LSR MUST not attempt to interpret data, Upon errors
intermediate LSR SHOULD silently discard the packets. If RSVP-TE is
used to transport ISKMP messages, they should transparently forward
such messages to downstream node.
6.4 Label merging
Secure MPLS presented in this document is a derivative of IKE. As
such it can only establish security association with point-to-point
LSP. Label merged LSP may be considered as a point-to-multi-point
LSP. In such situation concepts presented in secure multicast
documents may be used. Security implementation in Label merge LSP
are considered beyond the scope of this document.
6.5 Penultimate Hop popping
As explained above, incoming Label and subsequently {Extended Tunnel
ID::Tunnel ID} is used to perform Security Parameter Database
lookup. Penultimate hop popping eliminate the ability of such lookup
and MUST not be performed in secure MPLS LSP.
7.0 Security Considerations
The methods presented in this document is not known to alter the
security level of ISAKMP or IKE. The Secure MPLS architecture
presented here improves the level of security offered in MPLS
implementation.
8.0 Acknowledgment
The work presented in this document has been influenced
significantly by the work presented in sited references and on going
work at the IETF.
9.0 References
1 RFC 2119 Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997
2 Maughan, D., and et.al., Internet Security Association and Key
Management Protocol (ISAKMP), RFC 2408, November 1998.
3 Harkins, D., and Carrel, D., The Internet Key Exchange (IKE), RFC
2409, November 1998.
Senevirathne Expiration June 2001 19
�
draft-tsenevir-smpls-00.txt January 2001
4 Piper, D., The Internet IP Security Domain of Interpretation for
ISAKMP, RFC 2407, November 1998.
5 Awduche, D., and et. al., RSVP-TE: Extensions to RSVP for LSP
Tunnels, Work in Progress, August 2000.
6 Jamoussi, Bilel., and et. al., Constrained-Based LSP setup using
LDP, Work in Progress, July 2000.
7 Braden, R., and et.al., Resource ReSerVation Protocol (RSVP), RFC
2205, September 1997.
8 Glenn, R., and Kent, S., The NULL Encryption Algorithm and Its
Use with IPSec, RFC 2410, November 1998.
9 Kent, S., and Atkinson R, IP Authentication Header, RFC 2402,
November 2000.
10 Kent, S., and Atkinsoon, R., IP Encapsulating Security Payload
(ESP), RFC 2406, November 1998.
11 Senevirathne, T., and Billinghurst, P., Use of CR-LDP or RSVP-TE
to Extend 802.1Q Virtual LANs across MPLS Networks, Work In
Progress, October 2000.
10.0 Author's Addresses
Tissa Senevirathne
Nortel Networks
2305 Mission College Blvd,
Santa Clara CA 95054
Email:tsenevir@nortelnetworks.com
Tel:408-565-2571
Full Copyright Statement
"Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into
Senevirathne Expiration June 2001 20
�
draft-tsenevir-smpls-00.txt January 2001
Senevirathne Expiration June 2001 21
�