HMAC-SHA-2 Authentication Protocols in USM for SNMPv3
draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-03
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7860.
|
|
---|---|---|---|
Authors | Johannes Merkle , Manfred Lochter | ||
Last updated | 2016-01-26 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews | |||
Additional resources | Mailing list discussion | ||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | (None) | ||
IESG | IESG state | Became RFC 7860 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | Joel Jaeggli | ||
Send notices to | (None) | ||
IANA | IANA review state | Version Changed - Review Needed |
draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-03
OPSAWG J. Merkle, Ed. Internet-Draft Secunet Security Networks Obsoletes: 7630 (if approved) M. Lochter Intended status: Standards Track BSI Expires: July 29, 2016 January 26, 2016 HMAC-SHA-2 Authentication Protocols in USM for SNMPv3 draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-03 Abstract This memo specifies new HMAC-SHA-2 authentication protocols for the User-based Security Model (USM) for SNMPv3 defined in RFC 3414. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 29, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Merkle & Lochter Expires July 29, 2016 [Page 1] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 Table of Contentsquot;), providing a quick and generic comparison table among them. Then the document describes the issues that an operator need to understand on different matters that will allow to define what is the best approach/scenario for each specific network case. A summary provides some recommendations and decision points. A section with clarifications on the usage of this document for enterprise networks, is also provided. Finally, an annex provides an example of a broadband deployment using 464XLAT and another annex provides hints for a CLAT implementation. [RFC7269] already provides information about NAT64 deployment options and experiences. Both, this document and [RFC7269] are complementary, as they are looking into different deployment considerations and furthermore, this document is considering the updated deployment experience and newer standards. The target deployment scenarios in this document may be covered as well by other IPv4-as-a-Service (IPv4aaS) transition mechanisms. Note that this is true only for the case of broadband networks, as in the case of cellular networks the only supported solution is the use of NAT64/464XLAT. So, it is out of scope of this document to provide a comparison among the different IPv4aaS transition mechanisms, which is being analyzed already in [I-D.lmhp-v6ops-transition-comparison]. Palet Martinez Expires November 5, 2019 [Page 4] Internet-Draft NAT64/464XLAT Deployment May 2019 Consequently, this document should not be understood as a guide for an operator or enterprise to decide which IPv4aaS is the best one for its own network. Instead it should be used as a tool for understanding all the implications, including relevant documents (or even specific parts of them), for the deployment of NAT64/464XLAT and facilitate the decision process regarding specific deployment details. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. NAT64 Deployment Scenarios Section 7 of DNS64 ([RFC6147]), provides three scenarios, depending on the location of the DNS64 function. However, since the publication of that document, other deployment scenarios and NAT64 use cases need to be considered in actual networks, despite some of them were specifically ruled out by the original NAT64/DNS64 work. Consequently, the perspective in this document is to broaden those scenarios, including a few new ones. However, in order to be able to reduce the number of possible cases, we work under the assumption that typically, the service provider wants to make sure that all the customers have a service without failures. This means considering the following assumptions for the worst possible case: a. There are hosts that will be validating DNSSEC. b. IPv4 literal addresses and non-IPv6 compliant APIs are being used. c. There are IPv4-only hosts or applications beyond the IPv6-only link (e.g., tethering in cellular networks). The document uses a common set of possible "participant entities": 1. An IPv6-only access network (IPv6). 2. An IPv4-only remote network/server/service (IPv4). 3. A NAT64 function (NAT64) in the service provider. 4. A DNS64 function (DNS64) in the service provider. Palet Martinez Expires November 5, 2019 [Page 5] Internet-Draft NAT64/464XLAT Deployment May 2019 5. An external service provider offering the NAT64 function and/or the DNS64 function (extNAT64/extDNS64). 6. 464XLAT customer side translator (CLAT). Note that the nomenclature used in parenthesis is the one that, for short, will be used in the figures. The possible scenarios are split in two general categories: 1. Known to work. 2. Known to work under special conditions. 3.1. Known to Work The scenarios in this category are known to work. Each one may have different pros and cons, and in some cases the trade-offs, maybe acceptable for some operators. 3.1.1. Service Provider NAT64 with DNS64 In this scenario, the service provider offers both, the NAT64 and the DNS64 functions. This is the most common scenario as originally considered by the designers of NAT64 ([RFC6146]) and DNS64 ([RFC6147]), however also may have the implications related the DNSSEC. This scenario also may fail to solve the issue of IPv4 literal addresses or non-IPv6 compliant APIs, as well as the issue of IPv4-only hosts or applications behind the IPv6-only access network. +----------+ +----------+ +----------+ | | | NAT64 | | | | IPv6 +--------+ + +--------+ IPv4 | | | | DNS64 | | | +----------+ +----------+ +----------+ Figure 1: NAT64 with DNS64 A similar scenario will be if the service provider offers only the DNS64 function, and the NAT64 function is provided by an outsourcing agreement with an external provider. All the considerations in the previous paragraphs of this section are the same for this sub-case. Palet Martinez Expires November 5, 2019 [Page 6] Internet-Draft NAT64/464XLAT Deployment May 2019 +----------+ +----------+ | | | | | extNAT64 +--------+ IPv4 | | | | | +----+-----+ +----------+ | | +----------+ +----+-----+ | | | | | IPv6 +--------+ DNS64 + | | | | +----------+ +----------+ Figure 2: NAT64 in external service provider This is equivalent to the scenario where the outsourcing agreement with the external provider is to provide both the NAT64 and DNS64 functions. Once more, all the considerations in the previous paragraphs of this section are the same for this sub-case. +----------+ +----------+ | extNAT64 | | | | + +-------+ IPv4 | | extDNS64 | | | +----+-----+ +----------+ | +----------+ | | | | | IPv6 +-------------+ | | +----------+ Figure 3: NAT64 and DNS64 in external provider One more equivalent scenario will be if the service provider offers the NAT64 function only, and the DNS64 function is from an external provider with or without a specific agreement among them. This is a scenario already common today, as several "global" service providers provide free DNS/DNS64 services and users often configure manually their DNS. This will only work if both the NAT64 and the DNS64 functions are using the WKP (Well-Known Prefix) or the same NSP (Network-Specific Prefix). All the considerations in the previous paragraphs of this section are the same for this sub-case. Of course, if the external DNS64 function is agreed with the service provider, then we are in the same case as in the previous ones already depicted in this scenario. Palet Martinez Expires November 5, 2019 [Page 7] Internet-Draft NAT64/464XLAT Deployment May 2019 +----------+ | | | extDNS64 | | | +----+-----+ | | +----------+ +----+-----+ +----------+ | | | | | | | IPv6 +--------+ NAT64 +--------+ IPv4 | | | | | | | +----------+ +----------+ +----------+ Figure 4: NAT64; DNS64 by external provider 3.1.2. Service Provider Offering 464XLAT, with DNS64 464XLAT ([RFC6877]) describes an architecture that provides IPv4 connectivity across a network, or part of it, when it is only natively transporting IPv6. [RFC7849] already suggest the need to support the CLAT function in order to ensure the IPv4 service continuity in IPv6-only cellular deployments. In order to do that, 464XLAT ([RFC6877]) relies on the combination of existing protocols: 1. The customer-side translator (CLAT) is a stateless IPv4 to IPv6 translator (NAT46) ([RFC7915]) implemented in the end-user device or CE (Customer Edge Router), located at the "customer edge" of the network. 2. The provider-side translator (PLAT) is a stateful NAT64 ([RFC6146]), implemented typically at in the operator network. 3. Optionally, DNS64 ([RFC6147]), may allow an optimization: a single translation at the NAT64, instead of two translations (NAT46+NAT64), when the application at the end-user device supports IPv6 DNS (uses AAAA Resource Records). Note that even if in the 464XLAT ([RFC6877]) terminology, the provider-side translator is referred as PLAT, for simplicity and uniformity, across this document is always referred as NAT64 (function). In this scenario the service provider deploys 464XLAT with a DNS64 function. As a consequence, the DNSSEC issues remain, unless the host is doing Palet Martinez Expires November 5, 2019 [Page 8] Internet-Draft NAT64/464XLAT Deployment May 2019 the address synthesis. 464XLAT ([RFC6877]) is a very simple approach to cope with the major NAT64+DNS64 drawback: Not working with applications or devices that use literal IPv4 addresses or non-IPv6 compliant APIs. 464XLAT ([RFC6877]) has been used initially mainly in IPv6-only cellular networks. By supporting a CLAT function, the end-user device applications can access IPv4-only end-networks/applications, despite those applications or devices use literal IPv4 addresses or non-IPv6 compliant APIs. In addition to that, in the same example of the cellular network above, if the User Equipment (UE) provides tethering, other devices behind it will be presented with a traditional NAT44, in addition to the native IPv6 support, so clearly it allows IPv4-only hosts behind the IPv6-only access network. Furthermore, as discussed in [RFC6877], 464XLAT can be used in broadband IPv6 network architectures, by implementing the CLAT function at the CE. The support of this scenario offers two additional advantages: o DNS load optimization: A CLAT should implement a DNS proxy (as per [RFC5625]), so that only IPv6 native queries and only for AAAA records are sent to the DNS64 server. Otherwise doubling the number of queries may impact the DNS infrastructure. o Connection establishment delay optimization: If the UE/CE implementation is detecting the presence of a DNS64 function, it may issue only the AAAA query, instead of both the AAAA and A queries. In order to understand all the communication possibilities, let's assume the following representation of two dual-stack peers: Palet Martinez Expires November 5, 2019 [Page 9] Internet-Draft NAT64/464XLAT Deployment May 2019 +-------+ .-----. .-----. | | / \ / \ .-----. | Res./ | / IPv6- \ .-----. / IPv4- \ / Local \ | SOHO +--( only )---( NAT64 )---( only ) / \ | | \ flow /\ `-----' \ flow / ( Dual- )--+ IPv6 | \ / \ / \ / \ Stack / | CE | `--+--' \ .-----. / `--+--' \ Peer / | with | | \ / Remote\/ | `-----' | CLAT | +---+----+ / \ +---+----+ | | |DNS/IPv6| ( Dual- ) |DNS/IPv4| +-------+ | with | \ Stack / +--------+ | DNS64 | \ Peer / +--------+ `-----' Figure A: Representation of 464XLAT among two peers with DNS64 The possible communication paths, among the IPv4/IPv6 stacks of both peers, in this case, are: a. Local-IPv6 to Remote-IPv6: Regular DNS and native IPv6 among peers. b. Local-IPv6 to Remote-IPv4: DNS64 and NAT64 translation. c. Local-IPv4 to Remote-IPv6: Not possible unless the CLAT implements EAM (Explicit Address Mappings) as indicated by Section 4.9. In principle, it is not expected that services are deployed in Internet using IPv6-only, unless there is certainty that peers will also be IPv6-capable. d. Local-IPv4 to Remote-IPv4: DNS64, CLAT and NAT64 translations. e. Local-IPv4 to Remote-dual-stack using EAM optimization: If the CLAT implements EAM as indicated by Section 4.9, instead of using the path d. above, NAT64 translation is avoided and the flow will use IPv6 from the CLAT to the destination. The rest of the figures in this section show different choices for placing the different elements. +----------+ +----------+ +----------+ | IPv6 | | NAT64 | | | | + +--------+ + +--------+ IPv4 | | CLAT | | DNS64 | | | +----------+ +----------+ +----------+ Figure 5: 464XLAT with DNS64 Palet Martinez Expires November 5, 2019 [Page 10] Internet-Draft NAT64/464XLAT Deployment May 2019 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The Internet-Standard Management Framework . . . . . . . . . 3 3. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. The HMAC-SHA-2 Authentication Protocols . . . . . . . . . . . 3 4.1. Deviations from the HMAC-SHA-96 Authentication Protocol . 4 4.2. Processing . . . . . . . . . . . . . . . . . . . . . . . 5 4.2.1. Processing an Outgoing Message . . . . . . . . . . . 5 4.2.2. Processing an Incoming Message . . . . . . . . . . . 6 5. Key Localization and Key Change . . . . . . . . . . . . . . . 6 6. Structure of the MIB Module . . . . . . . . . . . . . . . . . 6 7. Relationship to Other MIB Modules . . . . . . . . . . . . . . 7 7.1. Relationship to SNMP-USER-BASED-SM-MIB . . . . . . . . . 7 7.2. Relationship to SNMP-FRAMEWORK-MIB . . . . . . . . . . . 7 7.3. MIB Modules Required for IMPORTS . . . . . . . . . . . . 7 8. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM . . 9 9.2. Cryptographic Strength of the Authentication Protocols . 9 9.3. Derivation of Keys from Passwords . . . . . . . . . . . . 10 9.4. Access to the SNMP-USM-HMAC-SHA2-MIB . . . . . . . . . . 11 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular, it defines additional authentication protocols for the User-based Security Model (USM) for the Simple Network Management Protocol version 3 (SNMPv3) specified in [RFC3414]. In RFC 3414, two different authentication protocols, HMAC-MD5-96 and HMAC-SHA-96, are defined based on the hash functions MD5 and SHA-1, respectively. This memo specifies new HMAC-SHA-2 authentication protocols for USM using a Hashed Message Authentication Code (HMAC) based on the SHA-2 family of hash functions [SHA] and truncated to 128 bits for SHA-224, to 192 bits for SHA-256, to 256 bits for SHA-384, and to 384 bits for SHA-512. These protocols are straightforward adaptations of the authentication protocols HMAC- MD5-96 and HMAC-SHA-96 to the SHA-2-based HMAC. This document obsoletes RFC 7630, in which the MIB MODULE-IDENTITY value was incorrectly specified. Merkle & Lochter Expires July 29, 2016 [Page 2] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in [RFC2578], [RFC2579], and [RFC2580]. 3. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119]. 4. The HMAC-SHA-2 Authentication Protocols This section describes the HMAC-SHA-2 authentication protocols, which use the SHA-2 hash functions (described in FIPS PUB 180-4 [SHA] and [RFC6234]) in the HMAC mode (described in [RFC2104] and RFC 6234), truncating the output to 128 bits for SHA-224, 192 bits for SHA-256, 256 bits for SHA-384, and 384 bits for SHA-512. RFC 6234 also provides source code for all the SHA-2 algorithms and HMAC (without truncation). It also includes test harness and standard test vectors for all the defined hash functions and HMAC examples. The following protocols are defined: usmHMAC128SHA224AuthProtocol: uses SHA-224 and truncates the output to 128 bits (16 octets); usmHMAC192SHA256AuthProtocol: uses SHA-256 and truncates the output to 192 bits (24 octets); usmHMAC256SHA384AuthProtocol: uses SHA-384 and truncates the output to 256 bits (32 octets); usmHMAC384SHA512AuthProtocol: uses SHA-512 and truncates the output to 384 bits (48 octets). Implementations conforming to this specification MUST support usmHMAC192SHA256AuthProtocol and SHOULD support Merkle & Lochter Expires July 29, 2016 [Page 3] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 usmHMAC384SHA512AuthProtocol. The protocols usmHMAC128SHA224AuthProtocol and usmHMAC256SHA384AuthProtocol are OPTIONAL. 4.1. Deviations from the HMAC-SHA-96 Authentication Protocol All the HMAC-SHA-2 authentication protocols are straightforward adaptations of the HMAC-MD5-96 and HMAC-SHA-96 authentication protocols. Specifically, they differ from the HMAC-MD5-96 and HMAC- SHA-96 authentication protocols in the following aspects: o The SHA-2 hash function is used to compute the message digest in the HMAC computation according to RFC 2104 and RFC 6234, as opposed to the MD5 hash function [RFC1321] and SHA-1 hash function [SHA] used in HMAC-MD5-96 and HMAC-SHA-96, respectively. Consequently, the length of the message digest prior to truncation is 224 bits for the SHA-224-based protocol, 256 bits for the SHA-256-based protocol, 384 bits for the SHA-384-based protocol, and 512 bits for the SHA-512-based protocol. o The resulting message digest (output of HMAC) is truncated to * 16 octets for usmHMAC128SHA224AuthProtocol * 24 octets for usmHMAC192SHA256AuthProtocol * 32 octets for usmHMAC256SHA384AuthProtocol * 48 octets for usmHMAC384SHA512AuthProtocol as opposed to the truncation to 12 octets in HMAC-MD5-96 and HMAC- SHA-96. o The user's secret key to be used when calculating a digest MUST be * 28 octets long and derived with SHA-224 for the SHA-224-based protocol usmHMAC128SHA224AuthProtocol * 32 octets long and derived with SHA-256 for the SHA-256-based protocol usmHMAC192SHA256AuthProtocol * 48 octets long and derived with SHA-384 for the SHA-384-based protocol usmHMAC256SHA384AuthProtocol * 64 octets long and derived with SHA-512 for the SHA-512-based protocol usmHMAC384SHA512AuthProtocol Merkle & Lochter Expires July 29, 2016 [Page 4] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 as opposed to the keys being 16 and 20 octets long in HMAC-MD5-96 and HMAC-SHA-96, respectively. 4.2. Processing This section describes the procedures for the HMAC-SHA-2 authentication protocols. The descriptions are based on the definition of services and data elements defined for HMAC-SHA-96 in RFC 3414 with the deviations listed in Section 4.1. Values of constants M (the length of the secret key in octets) and N (the length of the Message Authentication Code (MAC) output in octets), and the hash function H used below are: usmHMAC128SHA224AuthProtocol: M=28, N=16, H=SHA-224; usmHMAC192SHA256AuthProtocol: M=32, N=24, H=SHA-256; usmHMAC256SHA384AuthProtocol: M=48, N=32, H=SHA-384; usmHMAC384SHA512AuthProtocol: M=64, N=48, H=SHA-512. 4.2.1. Processing an Outgoing Message This section describes the procedure followed by an SNMP engine whenever it must authenticate an outgoing message using one of the authentication protocols defined above. Values of the constants M and N, and the hash function H are as defined in Section 4.2 and are selected based on which authentication protocol is configured for the given USM usmUser Table entry. 1. The msgAuthenticationParameters field is set to the serialization of an OCTET STRING containing N zero octets; it is serialized according to the rules in [RFC3417]. 2. Using the secret authKey of M octets, the HMAC is calculated over the wholeMsg according to RFC 6234 with hash function H. 3. The N first octets of the above HMAC are taken as the computed MAC value. 4. The msgAuthenticationParameters field is replaced with the MAC obtained in the previous step. 5. The authenticatedWholeMsg is then returned to the caller together with the statusInformation indicating success. Merkle & Lochter Expires July 29, 2016 [Page 5] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 4.2.2. Processing an Incoming Message This section describes the procedure followed by an SNMP engine whenever it must authenticate an incoming message using one of the HMAC-SHA-2 authentication protocols. Values of the constants M and N, and the hash function H are as defined in Section 4.2 and are selected based on which authentication protocol is configured for the given USM usmUser Table entry. 1. If the digest received in the msgAuthenticationParameters field is not N octets long, then a failure and an errorIndication (authenticationError) are returned to the calling module. 2. The MAC received in the msgAuthenticationParameters field is saved. 3. The digest in the msgAuthenticationParameters field is replaced by the N zero octets. 4. Using the secret authKey of M octets, the HMAC is calculated over the wholeMsg according to RFC 6234 with hash function H. 5. The N first octets of the above HMAC are taken as the computed MAC value. 6. The msgAuthenticationParameters field is replaced with the MAC value that was saved in step 2. 7. The newly calculated MAC is compared with the MAC saved in step 2. If they do not match, then a failure and an errorIndication (authenticationFailure) are returned to the calling module. 8. The authenticatedWholeMsg and statusInformation indicating success are then returned to the caller. 5. Key Localization and Key Change For any of the protocols defined in Section 4, key localization and key change SHALL be performed according to [RFC3414] using the same SHA-2 hash function as in the HMAC-SHA-2 authentication protocol. 6. Structure of the MIB Module The MIB module specified in this memo does not define any managed objects, subtrees, notifications, or tables; rather, it only defines object identities (for authentication protocols) under a subtree of an existing MIB. Merkle & Lochter Expires July 29, 2016 [Page 6] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 7. Relationship to Other MIB Modules 7.1. Relationship to SNMP-USER-BASED-SM-MIB RFC 3414 specifies the MIB module for USM for SNMPv3 (SNMP-USER- BASED-SM-MIB), which defines authentication protocols for USM based on the hash functions MD5 and SHA-1, respectively. The following MIB module defines new HMAC-SHA2 authentication protocols for USM based on the SHA-2 hash functions [SHA]. The use of the HMAC-SHA2 authentication protocols requires the usage of the objects defined in the SNMP-USER-BASED-SM-MIB. 7.2. Relationship to SNMP-FRAMEWORK-MIB [RFC3411] specifies the SNMP-FRAMEWORK-MIB, which defines a subtree snmpAuthProtocols for SNMP authentication protocols. The following MIB module defines new authentication protocols in the snmpAuthProtocols subtree. 7.3. MIB Modules Required for IMPORTS The following MIB module IMPORTS definitions from SNMPv2-SMI [RFC2578] and SNMP-FRAMEWORK-MIB [RFC3411]. 8. Definitions SNMP-USM-HMAC-SHA2-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-IDENTITY, mib-2 FROM SNMPv2-SMI -- [RFC2578] snmpAuthProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411] snmpUsmHmacSha2MIB MODULE-IDENTITY LAST-UPDATED "201510210000Z" -- 21 October 2015, midnight ORGANIZATION "SNMPv3 Working Group" CONTACT-INFO "WG email: OPSAWG@ietf.org Subscribe: https://www.ietf.org/mailman/listinfo/opsawg Editor: Johannes Merkle secunet Security Networks Postal: Mergenthaler Allee 77 D-65760 Eschborn Germany Phone: +49 20154543091 Email: johannes.merkle@secunet.com Co-Editor: Manfred Lochter Bundesamt fuer Sicherheit in der Merkle & Lochter Expires July 29, 2016 [Page 7] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 Informationstechnik (BSI) Postal: Postfach 200363 D-53133 Bonn Germany Phone: +49 228 9582 5643 Email: manfred.lochter@bsi.bund.de" DESCRIPTION "Definitions of Object Identities needed for the use of HMAC-SHA2 by SNMP's User-based Security Model. Copyright (c) 2015 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info)." REVISION "201510210000Z" -- 21 October 2015, midnight DESCRIPTION "Version correcting the MODULE-IDENTITY value, published as RFC TBD" -- RFC Ed.: replace TBD with actual RFC number & remove this line REVISION "201508130000Z" -- 13 August 2015, midnight DESCRIPTION "Initial version, published as RFC 7630" ::= { mib-2 235 } usmHMAC128SHA224AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION "The Authentication Protocol usmHMAC128SHA224AuthProtocol uses HMAC-SHA-224 and truncates output to 128 bits." REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC 2104. - National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { snmpAuthProtocols 4 } usmHMAC192SHA256AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION "The Authentication Protocol usmHMAC192SHA256AuthProtocol uses HMAC-SHA-256 and truncates output to 192 bits." REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC 2104. - National Institute of Standards and Technology, Merkle & Lochter Expires July 29, 2016 [Page 8] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { snmpAuthProtocols 5 } usmHMAC256SHA384AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION "The Authentication Protocol usmHMAC256SHA384AuthProtocol uses HMAC-SHA-384 and truncates output to 256 bits." REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC 2104. - National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { snmpAuthProtocols 6 } usmHMAC384SHA512AuthProtocol OBJECT-IDENTITY STATUS current DESCRIPTION "The Authentication Protocol usmHMAC384SHA512AuthProtocol uses HMAC-SHA-512 and truncates output to 384 bits." REFERENCE "- Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC 2104. - National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012." ::= { snmpAuthProtocols 7 } END 9. Security Considerations 9.1. Use of the HMAC-SHA-2 Authentication Protocols in USM The security considerations of [RFC3414] also apply to the HMAC-SHA-2 authentication protocols defined in this document. 9.2. Cryptographic Strength of the Authentication Protocols At the time of publication of this document, all of the HMAC-SHA-2 authentication protocols provide a very high level of security. The security of each HMAC-SHA-2 authentication protocol depends on the parameters used in the corresponding HMAC computation, which are the length of the key (if the key has maximum entropy), the size of the hash function's internal state, and the length of the truncated MAC. For the HMAC-SHA-2 authentication protocols, these values are as follows (values are given in bits). Merkle & Lochter Expires July 29, 2016 [Page 9] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 +------------------------------+---------+----------------+---------+ | Protocol | Key | Size of | MAC | | | length | internal state | length | +------------------------------+---------+----------------+---------+ | usmHMAC128SHA224AuthProtocol | 224 | 256 | 128 | | usmHMAC192SHA256AuthProtocol | 256 | 256 | 192 | | usmHMAC256SHA384AuthProtocol | 384 | 512 | 256 | | usmHMAC384SHA512AuthProtocol | 512 | 512 | 384 | +------------------------------+---------+----------------+---------+ Table 1: HMAC Parameters of the HMAC-SHA-2 Authentication Protocols The security of the HMAC scales with both the key length and the size of the internal state: longer keys render key guessing attacks more difficult, and a larger internal state decreases the success probability of MAC forgeries based on internal collisions of the hash function. The role of the truncated output length is more complicated: according to [BCK], there is a trade-off in that by outputting less bits the attacker has less bits to predict in a MAC forgery but, on the other hand, the attacker also learns less about the output of the compression function from seeing the authentication tags computed by legitimate parties. Thus, truncation weakens the HMAC against forgery by guessing but, at the same time, strengthens it against chosen message attacks aiming at MAC forgery based on internal collisions or at key guessing. RFC 2104 and [BCK] allow truncation to any length that is not less than half the size of the internal state. Further discussion of the security of the HMAC construction is given in RFC 2104. 9.3. Derivation of Keys from Passwords If secret keys to be used for HMAC-SHA-2 authentication protocols are derived from passwords, the derivation SHOULD be performed using the password-to-key algorithm from Appendix A.1 of RFC 3414 with MD5 being replaced by the SHA-2 hash function H used in the HMAC-SHA-2 authentication protocol. Specifically, the password is converted into the required secret key by the following steps: o forming a string of length 1,048,576 octets by repeating the value of the password as often as necessary, truncating accordingly, and using the resulting string as the input to the hash function H. The resulting digest, termed "digest1", is used in the next step. Merkle & Lochter Expires July 29, 2016 [Page 10] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 o forming a second string by concatenating digest1, the SNMP engine's snmpEngineID value, and digest1. This string is used as input to the hash function H. 9.4. Access to the SNMP-USM-HMAC-SHA2-MIB The SNMP-USM-HMAC-SHA2-MIB module defines OBJECT IDENTIFIER values for use in other MIB modules. It does not define any objects that can be accessed. As such, the SNMP-USM-HMAC-SHA2-MIB does not, by itself, have any effect on the security of the Internet. The values defined in this module are expected to be used with the usmUserTable defined in the SNMP-USER-BASED-SM-MIB [RFC3414]. The considerations in Section 11.5 of RFC 3414 should be taken into account. 10. IANA Considerations IANA has assigned an OID for the MIB as follows. +--------------------+-------------------------+ | Descriptor | OBJECT IDENTIFIER value | +--------------------+-------------------------+ | snmpUsmHmacSha2MIB | { mib-2 235 } | +--------------------+-------------------------+ Table 2: OID of MIB Furthermore, IANA has assigned a value in the SnmpAuthProtocols registry for each of the following protocols. +------------------------------+-------+-----------+ | Description | Value | Reference | +------------------------------+-------+-----------+ | usmHMAC128SHA224AuthProtocol | 4 | RFC XXX | | usmHMAC192SHA256AuthProtocol | 5 | RFC XXX | | usmHMAC256SHA384AuthProtocol | 6 | RFC XXX | | usmHMAC384SHA512AuthProtocol | 7 | RFC XXX | +------------------------------+-------+-----------+ Table 3: Code Points Assigned to HMAC-SHA-2 Authentication Protocols -- RFC Ed.: replace XXX with actual RFC number and remove this line Merkle & Lochter Expires July 29, 2016 [Page 11] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 11. References 11.1. Normative References [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <http://www.rfc-editor.org/info/rfc2104>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, April 1999, <http://www.rfc-editor.org/info/rfc2578>. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999, <http://www.rfc-editor.org/info/rfc2579>. [RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999, <http://www.rfc-editor.org/info/rfc2580>. [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, DOI 10.17487/RFC3414, December 2002, <http://www.rfc-editor.org/info/rfc3414>. [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <http://www.rfc-editor.org/info/rfc6234>. [SHA] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4, March 2012, <http://nvlpubs.nist.gov/nistpubs/FIPS/ NIST.FIPS.180-4.pdf>. Merkle & Lochter Expires July 29, 2016 [Page 12] Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 11.2. Informative References [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, DOI 10.17487/RFC1321, April 1992, <http://www.rfc-editor.org/info/rfc1321>. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002, <http://www.rfc-editor.org/info/rfc3410>. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, DOI 10.17487/RFC3411, December 2002, <http://www.rfc-editor.org/info/rfc3411>. [RFC3417] Presuhn, R., Ed., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, DOI 10.17487/RFC3417, December 2002, <http://www.rfc-editor.org/info/rfc3417>. [BCK] Bellare, M., Canetti, R., and H. Krawczyk, "Keyed Hash Functions for Message Authentication", Advances in Cryptology - CRYPTO 96, Lecture Notes in Computer Science 1109, Springer-Verlag Berlin Heidelberg, DOI 10.1007/3-540-68697-5_1, 1996. Authors' Addresses Johannes Merkle (editor) Secunet Security Networks Mergenthaler Allee 77 65760 Eschborn Germany Phone: +49 201 5454 3091 EMail: johannes.merkle@secunet.com Merkle & Lochter Expires July 29, 2016 [Page 13]A similar scenario will be if the service provider offers only the DNS64 function, and the NAT64 function is provided by an outsourcing agreement with an external provider. All the considerations in the previous paragraphs of this section are the same for this sub-case. +----------+ +----------+ | | | | | extNAT64 +--------+ IPv4 | | | | | +----+-----+ +----------+ | | +----------+ +----+-----+ | IPv6 | | | | + +--------+ DNS64 + | CLAT | | | +----------+ +----------+ Figure 6: 464XLAT with DNS64; NAT64 in external provider As well, is equivalent to the scenario where the outsourcing agreement with the external provider is to provide both the NAT64 and DNS64 functions. Once more, all the considerations in the previous paragraphs of this section are the same for this sub-case. +----------+ +----------+ | extNAT64 | | | | + +--------+ IPv4 | | extDNS64 | | | +----+-----+ +----------+ | +----------+ | | IPv6 | | | + +-------------+ | CLAT | +----------+ Figure 7: 464XLAT with DNS64; NAT64 and DNS64 in external provider 3.1.3. Service Provider Offering 464XLAT, without DNS64 The major advantage of this scenario, using 464XLAT without DNS64, is that the service provider ensures that DNSSEC is never broken, even in case the user modifies the DNS configuration. Nevertheless, some CLAT implementations or applications may impose an extra delay, which is induced by the dual A/AAAA queries (and wait for both responses), unless Happy Eyeballs v2 (HEv2, [RFC8305]) is also present. Palet Martinez Expires November 5, 2019 [Page 11] Internet-Draft NAT64/464XLAT Deployment May 2019 A possible variation of this scenario is the case when DNS64 is used only for the discovery of the NAT64 prefix. The rest of the document is not considering it as a different scenario, because once the prefix has been discovered, the DNS64 function is not used, so it behaves as if the DNS64 synthesis function is not present. In this scenario, as in the previous one, there are no issues related to IPv4-only hosts (or IPv4-only applications) behind the IPv6-only access network, neither related to the usage of IPv4 literals or non- IPv6 compliant APIs. The support of this scenario offers one advantage: o DNS load optimization: A CLAT should implement a DNS proxy (as per [RFC5625]), so that only IPv6 native queries are sent to the DNS64 server. Otherwise doubling the number of queries may impact the DNS infrastructure. As indicated earlier, the connection establishment delay optimization is achieved only in the case of devices, Operating Systems, or applications that use HEv2 ([RFC8305]), which is very common. Let's assume the representation of two dual-stack peers as in the previous case: +-------+ .-----. .-----. | | / \ / \ .-----. | Res./ | / IPv6- \ .-----. / IPv4- \ / Local \ | SOHO +--( only )---( NAT64 )---( only ) / \ | | \ flow /\ `-----' \ flow / ( Dual- )--+ IPv6 | \ / \ / \ / \ Stack / | CE | `--+--' \ .-----. / `--+--' \ Peer / | with | | \ / Remote\/ | `-----' | CLAT | +---+----+ / \ +---+----+ | | |DNS/IPv6| ( Dual- ) |DNS/IPv4| +-------+ +--------+ \ Stack / +--------+ \ Peer / `-----' Figure B: Representation of 464XLAT among two peers without DNS64 The possible communication paths, among the IPv4/IPv6 stacks of both peers, in this case, are: a. Local-IPv6 to Remote-IPv6: Regular DNS and native IPv6 among peers. b. Local-IPv6 to Remote-IPv4: Regular DNS, CLAT and NAT64 Palet Martinez Expires November 5, 2019 [Page 12] Internet-Draft NAT64/464XLAT Deployment May 2019 translations. c. Local-IPv4 to Remote-IPv6: Not possible unless the CLAT implements EAM as indicated by Section 4.9. In principle, it is not expected that services are deployed in Internet using IPv6-only, unless there is certainty that peers will also be IPv6-capable. d. Local-IPv4 to Remote-IPv4: Regular DNS, CLAT and NAT64 translations. e. Local-IPv4 to Remote-dual-stack using EAM optimization: If the CLAT implements EAM as indicated by Section 4.9, instead of using the path d. above, NAT64 translation is avoided and the flow will use IPv6 from the CLAT to the destination. It needs to be noticed that this scenario works while the local hosts/applications are dual-stack (which is the current situation), because the connectivity from a local-IPv6 to a remote-IPv4 is not possible without an AAAA synthesis. This aspect is important only when in the LANs behind the CLAT there are IPv6-only hosts and they need to communicate with remote IPv4-only hosts. However, it doesn't look a sensible approach from an Operating System or application vendor perspective, to provide IPv6-only support unless, similarly to case c above, there is certainty of peers supporting IPv6 as well. A solution approach to this is also presented in [I-D.palet-v6ops-464xlat-opt-cdn-caches]. The following figures show different choices for placing the different elements. +----------+ +----------+ +----------+ | IPv6 | | | | | | + +--------+ NAT64 +--------+ IPv4 | | CLAT | | | | | +----------+ +----------+ +----------+ Figure 8: 464XLAT without DNS64 This is equivalent to the scenario where there is an outsourcing agreement with an external provider for the NAT64 function. All the considerations in the previous paragraphs of this section are the same for this sub-case. Palet Martinez Expires November 5, 2019 [Page 13] Internet-Draft NAT64/464XLAT Deployment May 2019 +----------+ +----------+ | | | | | extNAT64 +--------+ IPv4 | | | | | +----+-----+ +----------+ | +----------+ | | IPv6 | | | + +-------------+ | CLAT | +----------+ Figure 9: 464XLAT without DNS64; NAT64 in external provider 3.2. Known to Work Under Special Conditions The scenarios in this category are known to not work unless significant effort is devoted to solve the issues, or are intended to solve problems across "closed" networks, instead of as a general Internet access usage. In addition to the different pros, cons and trade-offs, which may be acceptable for some operators, they have implementation difficulties, as they are beyond the original expectations of the NAT64/DNS64 original intent. 3.2.1. Service Provider NAT64 without DNS64 In this scenario, the service provider offers a NAT64 function, however there is no DNS64 function support at all. As a consequence, an IPv6 host in the IPv6-only access network, will not be able to detect the presence of DNS64 by means of [RFC7050], neither to learn the IPv6 prefix to be used for the NAT64 function. This can be sorted out as indicated in Section 4.1.1. However, despite that, because the lack of the DNS64 function, the IPv6 host will not be able to obtain AAAA synthesized records, so the NAT64 function becomes useless. An exception to this "useless" scenario will be manually configure mappings between the A records of each of the IPv4-only remote hosts and the corresponding AAAA records, with the WKP (Well-Known Prefix) or NSP (Network-Specific Prefix) used by the service provider NAT64 function, as if they were synthesized by a DNS64 function. This mapping could be done by several means, typically at the authoritative DNS server, or at the service provider resolvers by means of DNS RPZ (Response Policy Zones, [I-D.vixie-dns-rpz]) or Palet Martinez Expires November 5, 2019 [Page 14] Internet-Draft NAT64/464XLAT Deployment May 2019 equivalent functionality. DNS RPZ, may have implications in DNSSEC, if the zone is signed. Also, if the service provider is using an NSP, having the mapping at the authoritative server, may create troubles to other parties trying to use different NSP or the WKP, unless multiple DNS "views" (split-DNS) is also being used at the authoritative servers. Generally, the mappings alternative, will only make sense if a few set of IPv4-only remote hosts need to be accessed by a single network (or a small number of them), which support IPv6-only in the access. This will require some kind of mutual agreement for using this procedure, so it doesn't care if they become a trouble for other parties across Internet ("closed services"). In any case, this scenario doesn't solve the issue of IPv4 literal addresses or non-IPv6 compliant APIs, neither it solves the problem of IPv4-only hosts within that IPv6-only access network. +----------+ +----------+ +----------+ | | | | | | | IPv6 +--------+ NAT64 +--------+ IPv4 | | | | | | | +----------+ +----------+ +----------+ Figure 10: NAT64 without DNS64 3.2.2. Service Provider NAT64; DNS64 in the IPv6 hosts In this scenario, the service provider offers the NAT64 function, but not the DNS64 function. However, the IPv6 hosts have a built-in DNS64 function. This may become common if the DNS64 function is implemented in all the IPv6 hosts/stacks, which is not the actual situation, but it may happen in the medium-term. At this way, the DNSSEC validation is performed on the A record, and then the host can use the DNS64 function so to be able to use the NAT64 function, without any DNSSEC issues. This scenario fails to solve the issue of IPv4 literal addresses or non-IPv6 compliant APIs, unless the IPv6 hosts also supports HEv2 ([RFC8305], Section 7.1), which may solve that issue. However, this scenario still fails to solve the problem of IPv4-only hosts or applications behind the IPv6-only access network. Palet Martinez Expires November 5, 2019 [Page 15] Internet-Draft NAT64/464XLAT Deployment May 2019 +----------+ +----------+ +----------+ | IPv6 | | | | | | + +--------+ NAT64 +--------+ IPv4 | | DNS64 | | | | | +----------+ +----------+ +----------+ Figure 11: NAT64; DNS64 in IPv6 hosts 3.2.3. Service Provider NAT64; DNS64 in the IPv4-only remote network In this scenario, the service provider offers the NAT64 function only. The remote IPv4-only network offers the DNS64 function. This is not common, and looks like doesn't make too much sense that a remote network, not deploying IPv6, is providing a DNS64 function. As in the case of the scenario depicted in Section 3.2.1, it will only work if both sides are using the WKP or the same NSP, so the same considerations apply. It can be also tuned to behave as in Section 3.1.1 This scenario still fails to solve the issue of IPv4 literal addresses or non-IPv6 compliant APIs. This scenario also fails to solve the problem of IPv4-only hosts or applications behind the IPv6-only access network. +----------+ +----------+ +----------+ | | | | | IPv4 | | IPv6 +--------+ NAT64 +--------+ + | | | | | | DNS64 | +----------+ +----------+ +----------+ Figure 12: NAT64; DNS64 in the IPv4-only 3.3. Comparing the Scenarios This section compares the different scenarios, including the possible variations (each one represented in the precedent sections by a different figure), looking at the following criteria: a. DNSSEC: Are there hosts validating DNSSEC? b. Literal/APIs: Are there applications using IPv4 literals or non- IPv6 compliant APIs? c. IPv4-only: Are there hosts or applications using IPv4-only? d. Foreign DNS: Is the scenario surviving if the user, Operating Palet Martinez Expires November 5, 2019 [Page 16] Internet-Draft NAT64/464XLAT Deployment May 2019 Internet-Draft HMAC-SHA-2_Auth_USM_new January 2016 Manfred Lochter BSI Postfach 200363 53133 Bonn Germany Phone: +49 228 9582 5643 EMail: manfred.lochter@bsi.bund.de Merkle & Lochter Expires July 29, 2016 [Page 14]