IP Security Policy M. Richardson Internet-Draft SSW Expires: October 15, 2006 B. Sommerfeld Sun April 13, 2006 Requirements for an IPsec API draft-ietf-btns-ipsec-apireq-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 15, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Given the open nature of the Internet today, application protocols require strong security. IPsec's wire protocols appear to meet the requirements of many protocols. The lack of a common model for application-layer interfaces has complicated use of IPsec by upper- layer protocols. This document provides an overview of facilities which a host IPsec implementation should provide to applications to allow them to both observe and influence how IPsec protects their Richardson & Sommerfeld Expires October 15, 2006 [Page 1] Internet-Draft IPsec API requirements April 2006 communications. Table of Contents 1. Motivation for this work . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Motivations for this work . . . . . . . . . . . . . . . . . 3 4. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4 6. System policy . . . . . . . . . . . . . . . . . . . . . . . 4 7. HOW . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 8. WHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.1. OPAQUE IDENTITY . . . . . . . . . . . . . . . . . . . . . . 5 8.2. AUDITING . . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.3. ACCESS CONTROL . . . . . . . . . . . . . . . . . . . . . . . 5 8.4. ATTRIBUTES/CREDENTIALS . . . . . . . . . . . . . . . . . . . 5 9. Error reporting . . . . . . . . . . . . . . . . . . . . . . 6 10. Security Guarantees . . . . . . . . . . . . . . . . . . . . 6 10.1. Connection-oriented communication . . . . . . . . . . . . . 6 10.2. Connectionless communication . . . . . . . . . . . . . . . . 7 11. Non-goals And Bad Ideas . . . . . . . . . . . . . . . . . . 7 11.1. Exposure of keys . . . . . . . . . . . . . . . . . . . . . . 7 11.2. Exposure of IPsec SPI values . . . . . . . . . . . . . . . . 7 12. Other issues . . . . . . . . . . . . . . . . . . . . . . . . 8 13. Security Considerations . . . . . . . . . . . . . . . . . . 8 14. Document TODO . . . . . . . . . . . . . . . . . . . . . . . 8 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 15.1. Normative References . . . . . . . . . . . . . . . . . . . . 8 15.2. Informative References . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 10 Intellectual Property and Copyright Statements . . . . . . . 11 Richardson & Sommerfeld Expires October 15, 2006 [Page 2] Internet-Draft IPsec API requirements April 2006 1. Motivation for this work Many protocols under development are considering the use of IPsec for security. Unfortunately, most existing IPsec implementations ([RFC2401] and [RFC4301]) do not give applications any visibility into what, if anything, they are doing on behalf of an application. This limitation only allows IPsec to do all-or-nothing access control, and requires two levels of authentication, with one within the application, and a second level within an IPsec key management protocol (most typically IKE [RFC2407][RFC2408][RFC2409] and IKEv2 [RFC4306][RFC4307]). 2. Terminology The term "socket" will be used here to identify an application-layer communications endpoint; it does imply any specific API is to be used. For the purposes of this discussion, a socket may include: A communications endpoint for a connectionless protocol One end of an established connection for a connection-oriented protocol A listening endpoint for a connection-oriented protocol For the purposes of this document, the term "application" refers to programs implementing any client protocol using either IP or a transport protocol such as TCP or UDP running over IP. Note that this is in many ways somewhat broader than the traditional use of "application" within the IETF, as it may also include "infrastructure" protocols built on top of IP and IPsec, including routing, ICMP, etc. 3. Motivations for this work Most protocols for application security, such as TLS [RFC2246] and SSH [RFC4251] operate at or above the transport layer. This renders the underlying transport connections vulnerable to denial of service attacks, including connection assassination [RFC3552]. IPsec offers the promise of protecting against many of these denial of service attacks. There are other potential benefits. Conventional software-based IPsec implementations isolate applications from the cryptographic keys, improving security by making inadvertant or malicious key exposure more difficult. In addition, specialized hardware may allow encryption keys protected from disclosure within trusted cryptographic units. Also, custom hardware units may well allow for higher performance. Richardson & Sommerfeld Expires October 15, 2006 [Page 3] Internet-Draft IPsec API requirements April 2006 Areas where this is currently under active discussion include the set of block storage protocols being developed by the IP Storage working group [RFC3723] and NFS version 4 (XXX: need newer reference than target="I-D.ietf-nfsv4-ccm") 4. Goals Separate policy and mechanism 5. Requirements Here are some basic requirements for an IPsec application API: An application should be able to determine HOW a communication was protected (or not). An application should be able to determine WHO it is talking to. If a communication is nominally authorized but fails, an application should be able to get an indication of WHY it failed, to help identify the configuration error causing the spurious failure. An application should be able to influence HOW a communication is protected, subject to override or modification by system policy. An application should be able to indicate WHO it wishes to talk to, again subject to override or modification by system policy. These interfaces should be as independant as possible of the key management protocol being used; it should be possible to implement this with IKEv1, IKEv2, KINK, etc., 6. System policy Interactions with system policy: System-level policy trumps all By default, applications should be able to ask for *more* protection. Applications wishing *less* protection may need appropriate local privileges. (example: ike bypass of UDP port 500; DHCP lease renewals...) 7. HOW An application may have requirements for confidentiality and/or integrity; it should be able to determine if an inbound communication was protected and whether an outbound communication will be protected. In addition, there may well be a desire to express preferences for relative strength of algorithms, or specify the Richardson & Sommerfeld Expires October 15, 2006 [Page 4] Internet-Draft IPsec API requirements April 2006 specific algorithm to be used. Hard-coding algorithm names into applications should be actively discouraged; perhaps there should be generic "weak" or "strong" indications instead of specific algorithm identifiers. 8. WHO This is perhaps the most tricky part of the problem. Existing IPsec key management protocols provide a wide variety of authentication methods -- preshared secrets, public key, Kerberos, X.509 certificates, etc., There are several potential uses for names provided by IPsec: 8.1. OPAQUE IDENTITY It should be possible to determine that two IPsec-protected communications conducted within a short to medium time frame were with the same authenticated peer; it should be possible to use a received identity to initiate a communication back to that identity. Example cases: connectionless replies; linking ftp control and data connections. The application need only be able to determine if two identities are equal. 8.2. AUDITING It should be possible for an application to construct a log entry naming the peer. 8.3. ACCESS CONTROL While policy rules may allow traffic to be blocked entirely, it's often necessary for a program to provide services to mutually suspicious clients. It should be possible for a service to make appropriate access control decisions based on the identity of the peer; in addition, the peer's certificate may contain interesting SubjectAltName or other attributes which may have relevance for the application; it may also be possible for the system to derive other attributes from the peer's identity. 8.4. ATTRIBUTES/CREDENTIALS [Mission Creep Alert] In many cases, an application is not so much interested in the peer's name, but rather in some other attribute of Richardson & Sommerfeld Expires October 15, 2006 [Page 5] Internet-Draft IPsec API requirements April 2006 the peer. Exactly where and how to map from long-term keys to these attributes needs to be nailed down; it may well be that this is best left as a local issue. Some of this is probably out of scope for the working group; however, we should not preclude others from building on this. 9. Error reporting There are a number of reasons why a communication may fail because of IPsec configuration mismatches.. These include, but are not limited to: Blocked by local or peer SPD. Local or peer key management protocols cannot establish an SA. Local or peer key management protocols cannot authenticate to each other. It MAY be appropriate to map IPsec failures into existing error codes (e.g., "connection refused", "connection timed out"), so that existing applications use appropriate error recovery strategies; however, this does result in a loss of information. It SHOULD be possible for an IPsec-aware application to get additional information about the reasons that a communications failed. 10. Security Guarantees Connection-oriented and connectionless communication often require different application structure. In many case, it will often be most convenient to do security checks once per connection, while for connectionless communications, per-message operations will be needed. 10.1. Connection-oriented communication Packet boundaries are not, in general, visible to clients of stream protocols such as TCP, while IPsec protection is provided (or not) on a packet-by-packet basis, In addition, it would be an unreasonable burden on applications to force them to continuously inquire about each individual packet. It should be possible for an application to ensure that all traffic to a particular socket is protected appropriately; it should also be possible for an application to ensure that all traffic to a socket originates from the same authenticated identity. Richardson & Sommerfeld Expires October 15, 2006 [Page 6] Internet-Draft IPsec API requirements April 2006 A pair of communicating applications should be able to determine that the ipsec protection on a connection between them is end-to-end. Note that it is common for datagram socket API's to allow a "connect" operation which sets a default destination and filters inbound packets based on source address; it should similarly be possible for the connection-oriented security guarantees to be applied to datagram sockets being used for 1:1 communications. 10.2. Connectionless communication It is also common to use datagram sockets for many-to-many communication; it should be possible to get and set identity information on a packet-by-packet basis. It may well be the case that a datagram-oriented client application will use the connection-oriented part of this API (because it is using a given datagram socket to talk to a specific server) while the server it is talking to use the connectionless API because it is using a single socket to receive requests from and send replies to a large number of clients. 11. Non-goals And Bad Ideas Here are a few ideas which have popped up every so often which really seem to be bad ideas.. in other words, things which should not be exposed to applications because they can't be used reliably or which cause active harm. 11.1. Exposure of keys There is absolutely no reason for applications to see the underlying encryption keys, or influence the choice of keys. This is to allow an IPsec implementation to have a clear boundary around its cryptographic components. 11.2. Exposure of IPsec SPI values In general, there is no need for applications to see SPI values or keys; it's also the case that in many cases the exact algorithm used may not be of interest as long as it is appropriately strong. Since both IKE and IPsec SA's may be short-lived, it is plausible that: an application connection or association will outlive any given IPsec SA. an application connection or association will outlive any given Richardson & Sommerfeld Expires October 15, 2006 [Page 7] Internet-Draft IPsec API requirements April 2006 IKE SA. an application connection may be idle for extended periods, during which time there is no IKE or IPsec SA state between the peers. It should be the case that any properties provided to applications regarding peer identity, protection, etc., should be able to survive rekeying. It may be appropriate to use SPI values as temporary handles, but applications may last much longer than SA's, and SPI values may be recycled over time; it would be better for there to be a separate, local-use-only, space for (identity, params) pairs. 12. Other issues Interface-specific vs. application-specific policy; deal with this as separate layers of filtering/intersections/etc? Real-time notifications of both ends that rekey, etc., is having trouble (highly desirable for VoIP-type applications). Balancing keeping full certificate handling out of applications while still providing full access to certificate attributes. 13. Security Considerations 14. Document TODO Flesh out Other Issues section. Flesh out Informative References with references to existing IPsec-related API's Improve security considerations section. 15. References 15.1. Normative References [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. Richardson & Sommerfeld Expires October 15, 2006 [Page 8] Internet-Draft IPsec API requirements April 2006 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December 2005. 15.2. Informative References [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003. [RFC3723] Aboba, B., Tseng, J., Walker, J., Rangan, V., and F. Travostino, "Securing Block Storage Protocols over IP", RFC 3723, April 2004. [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture", RFC 4251, January 2006. Richardson & Sommerfeld Expires October 15, 2006 [Page 9] Internet-Draft IPsec API requirements April 2006 Authors' Addresses Michael C. Richardson Sandelman Software Works 470 Dawson Avenue Ottawa, ON K1Z 5V7 CA Email: mcr@sandelman.ottawa.on.ca URI: http://www.sandelman.ottawa.on.ca/ Bill Sommerfeld Sun Microsystems 1 Network Drive Burlington, MA 01803 US Phone: +1 781 442 3458 Email: somerfeld@sun.com Richardson & Sommerfeld Expires October 15, 2006 [Page 10] Internet-Draft IPsec API requirements April 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Richardson & Sommerfeld Expires October 15, 2006 [Page 11]