Network Working Group T. Henderson Internet-Draft University of Washington Intended status: Experimental S. Venema Expires: February 4, 2017 Polyverse Security D. Mattes Tempered Networks August 3, 2016 HIP-based Virtual Private LAN Service (HIPLS) draft-henderson-hip-vpls-11 Abstract The Host Identity Protocol (HIP) and architecture adds a cryptographic name space to name Internet hosts. This draft describes a use case of the HIP architecture, which is to provide a HIP-enabled virtual private LAN service (VPLS) over an untrusted network. In this case, HIP is used to secure tunnels between the provider edge (PE) equipment. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 4, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Henderson, et al. Expires February 4, 2017 [Page 1] Internet-Draft HIPLS August 2016 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Reference model . . . . . . . . . . . . . . . . . . . . . . . 3 4. Service description . . . . . . . . . . . . . . . . . . . . . 6 5. System description . . . . . . . . . . . . . . . . . . . . . 7 5.1. Provisioning the PEs . . . . . . . . . . . . . . . . . . 7 5.2. Walkthrough of unicast protocol operation . . . . . . . . 7 5.3. Names and access control lists . . . . . . . . . . . . . 8 5.4. Walkthrough of multicast operation . . . . . . . . . . . 9 5.5. Mobility, multihoming, and address families . . . . . . . 9 6. Proposed extensions to HIP . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10.2. Informative References . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Virtual private networks (VPNs) are popular in the wide-area Internet and also among enterprises that wish to separate multiple LAN broadcast domains across shared network infrastructure. Several techniques have been defined to provide VPNs at different layers in the stack, including layer-1 [RFC4847], layer-2 (virtual LAN, virtual private LAN service (VPLS), and pseudo-wire (PW)) [RFC4664], and layer-3 (virtual router and BGP/MPLS provider-provisioned VPNs) [RFC4176]. The Host Identity Protocol (HIP) [RFC7401] and architecture [RFC4423] adds a new public-key-based name space for use as host identifiers in Internet protocols. HIP specifies a means for hosts to use public keys to authenticate one another over Internet protocols and to set up secure data channels using Encapsulating Security Payload [RFC7402] and possibly other transports in the future. This document describes how HIP can be used to create a customer Virtual Private LAN Service (VPLS) overlaid on top of a standard IPv4 and/or IPv6 provider network. Using the nomenclature in RFC 4664 [RFC4664], a VPLS connects several physically separate LAN segments Henderson, et al. Expires February 4, 2017 [Page 2] Internet-Draft HIPLS August 2016 into a single logical LAN segment. The Provider Edge (PE) devices that connect the Customer Edge (CE) devices behave like a learning bridge, and the CE devices may be any layer-2 or layer-3 device, including hosts, routers, bridges, or switches. In the specific use case described, the tunnels between PEs are realized by Encapsulating Security Payload (ESP) tunnels, whose management is controlled by the Host Identity Protocol (HIP) signaling protocol. Each PE device is assigned a cryptographic host identifier, which may be bound to other identifiers in the system via certificates or other means. The HIP signaling protocol is used to allow PE devices to authenticate one another and to build secure tunnels over untrusted provider network infrastructure. Extensions to HIP are described to allow the PE devices to integrate with a public-key infrastructure, in order to ease deployment. Readers may note that this application of HIP differs from the traditional implementation of HIP within end hosts. The key differences are that HIP is here implemented within a middlebox (using the terminology of RFC 4301 [RFC4301], a "bump-in-the-wire" implementation) and that the payloads of the ESP-encrypted datagrams are not transport protocol data units (PDUs) but instead are layer-2 frames. 2. Terminology Terminology is reused from [RFC4664] and and [RFC7401]. 3. Reference model Section 2.2 of RFC 4664 [RFC4664] specifies the VPLS reference model where PE devices that are VPLS-capable provide a logical interconnect such that CE devices belonging to a specific VPLS appear to be on a single bridged Ethernet. A VPLS can contain a single VLAN or multiple tagged VLANs. Henderson, et al. Expires February 4, 2017 [Page 3] Internet-Draft HIPLS August 2016 +-----+ +-----+ + CE1 +--+ +---| CE2 | +-----+ | ................... | +-----+ VPLS A | +----+ +----+ | VPLS A | |VPLS| |VPLS| | +--| PE |--Routed---| PE |-+ +----+ Backbone +----+ / . | . \ _ /\_ +-----+ / . | . \ / \ / \ +-----+ + CE +--+ . | . +--\ Access \----| CE | +-----+ . +----+ . | Network | +-----+ VPLS B .....|VPLS|........ \ / VPLS B | PE | ^ ------- +----+ | | | | | +-----+ | | CE3 | +-- Emulated LAN +-----+ VPLS A Figure 1: Reference model Figure 1, copied from Figure 2 of [RFC4664], depicts the reference model for this use case. A number of CE devices are connected to PE devices over layer-2 networks. Although not shown in the figure, each CE device may be reachable by one or more PE device (for example, CE1 and CE3 may also be able to reach each other directly without using the VPLS). Moreover, the connectivity of the L2 networks (and correspondingly, between a given PE and CE) may change over time. No assumptions are made about the capabilities of the CE devices. From the perspective of the CE devices, each other CE device is reachable, using broadcast, multicast, or unicast, as if it were on the same LAN segment. Therefore, the service provided by the PE devices is that of a L2VPN. Since this is a L2VPN, CE devices are free to use higher layer protocols such as IPv4 and IPv6 and domain specific protocols such as those found in industrial control systems. Henderson, et al. Expires February 4, 2017 [Page 4] Internet-Draft HIPLS August 2016 |-----Routed Backbone-----| | (P Routers) |PSN Tunnels, Emulated LAN | |Pseudowires ....................................................................... . | | . . |---------------------|----| |--------|-----------------| . . | --------------------|--- | | -------|---------------- | . . | VPLS Forwarder | | VPLS Forwarder | . . | ----------|------------- | | ----------|------------- | . ..|.................................................................|.. | | Emulated LAN | | | Emulated LAN | | | Interface | VPLS-PEs | | Interface | | | | <----> | | | | ----------|------------ | | ----------|------------ | | | Bridge | | | | Bridge | | | -|--------|---------|-- | | ---|-------|---------|- | |--|--------|---------|----| |----|-------|---------|---| | | | | | | | | Access | | | Access | | | Networks| | | Networks| | | | | | | | | | | | | CE devices CE devices Figure 2: PE Reference model Figure 2, copied from Figure 3 of RFC4664, depicts the design model for the PE. In this model, a CE device attaches, possibly through an access network, to a "bridge" module of a VPLS-PE. Within the VPLS- PE, the bridge module attaches, through an "Emulated LAN Interface", to an Emulated LAN. For each VPLS, there is an Emulated LAN instance. Figure 3 shows some internal structure to the Emulated LAN: it consists of "VPLS Forwarder" modules connected by pseudowires, where the pseudowires may be traveling through PSN tunnels over a routed backbone. A "VPLS instance" consists of a set of VPLS Forwarders (no more than one per PE) connected by pseudowires. In our application, it is the HIP-enabled ESP tunnels that constitute the pseudowires. The PE devices are interconnected by an IP-based network. This network may be IPv4-based or IPv6-based, or a hybrid. The PEs are responsible for providing a secure (encrypted, authenticated) tunnel over which Layer-2 frames may flow betweeen CEs that are interconnected by the VPN. The PE devices are also responsible for authenticating the peer PE devices as belonging to the same overlay Henderson, et al. Expires February 4, 2017 [Page 5] Internet-Draft HIPLS August 2016 (L2VPN). Furthermore, PE devices may be responsible for maintaining access control lists (ACLs) that govern which CEs are permitted to talk to which other CEs. In addition to IP and MAC addresses found in ACLs, the ACLs may also use the cryptographic identities already bound to the PE devices for use by the HIP protocol. To build tunnels, the PEs must use pre-provisioned configuration information or must consult, on-demand, a mapping database (such as DNS or an LDAP server) to find the bindings between PE and CE device. These bindings may be secured by a public key infrastructure (PKI). PEs may change their point of attachment (and also, their IP address) to the IP-based network, and may be multihomed to the IP-based network (see PE3 in the above figure), and the PE devices must accommodate such changes such that they are transparent to the L2VPN overlay and the CEs. In this model, the PE devices use HIP as follows. Each PE device is assigned (provisioned with) a unique name, such as a serial number or asset tag, and with a public/private key pair. This unique name may be bound to the public key using an X.509 certificate. The L2VPN is also given a name. Each PE device knows which of its interfaces belong to a particular named overlay, and which of its interfaces belong to the underlay (the "routed backbone" in Figure 2). Each PE device knows or learns which CE devices it is fronting for, and how to obtain mapping information that maps a remote CE to a remote PE device. The tunnels established between PE devices are HIP-enabled ESP tunnels. HIP signaling between PE devices is used to establish and maintain the tunnels. A certificate, signed by a trust anchor in the system, binds the PE name to the PE's public key; this public key is used as the host identity in the HIP exchanges. The HIP exchanges carry a PE's certificate, thereby allowing a remote PE to authenticate the PE as a member of the overlay. HIP signaling may also be used between the PE devices and the mapping database, or this communications channel may be secured by other means. 4. Service description RFC 4665 [RFC4665] describes service requirements for L2VPNs, and outlines a number of options for variations on the L2VPN design. In this section, we describe the HIPLS service in terms of the RFC 4665 taxonomy. With respect to Section 5 of RFC 4665, we are describing a full VPLS solution; any variations or caveats should be documented according to Section 5.1 of RFC 4665. For example, a VPLS must support unicast, Henderson, et al. Expires February 4, 2017 [Page 6] Internet-Draft HIPLS August 2016 multicast, and broadcast traffic, even if realized with ESP unicast- based tunnels. 5. System description In this section, we walk through how the HIP-enabled VPLS can be provisioned and how it operates in a few use case scenarios. In the following, we refer to each L2VPN as an overlay network, and to the routed backbone as the underlay. 5.1. Provisioning the PEs At a minimum, a network operator must define a unique overlay name, and must authorize (or list) the PEs that belong to that overlay. In particular, the interfaces (overlay and underlay) that belong to the system must be identified for each PE. Additionally, each PE must possess a public/private key pair, which must be accessible to a host via a smart card, Trusted Platform Module (TPM) hardware, or a local file. The PEs must be able to authenticate the other PEs in the underlay as belonging to a given overlay. One way to do this is to pre-provision a list of PEs (and their HITs) that belong to the overlay, and deploy this list on each PE in a static configuration file. A drawback to this approach is that whenever the set of PEs on the overlay changes, each PE's master list must be edited. An alternative is to deploy an authorization system in which a PE's key is authorized by a server as belonging to that overlay. In addition, there are a number of other configuration items that may either be pre-provisioned or dynamically learned. These include access control lists, associations between PE devices and local CEs, and associations between remote PE devices and remote CEs. All of this type of information may either be pre-provisioned in static configuration files, or stored in a database accessible on the underlay. 5.2. Walkthrough of unicast protocol operation Referring again to Figure 1, consider the case in which CE1 wishes to send an IPv4 unicast datagram to CE3, and no corresponding session state exists between the respective PEs. We assume that CE1 and CE3 both share a network prefix, and that CE1 first sends an ARP request or Neighbor Discovery on its local LAN segment. This request is picked up by PE1 which listens promiscuously on its LAN segment. No other devices respond to this request. Henderson, et al. Expires February 4, 2017 [Page 7] Internet-Draft HIPLS August 2016 PE1 learns that it is the responsible PE device for the source MAC address of the ARP request, and stores this forwarding entry in its forwarding database (address learning). Note that some implementations may populate the forwarding database manually. Manual configuration is required for CE devices that never send an L2 frame ("listen only" devices) or that only send L2 frames when they have received instructions to do so. Since the ARP message is a broadcast layer-2 frame, the PE device must either perform a proxy- ARP function or must send the ARP request to all other PEs on the overlay. Therefore, a means whereby each PE knows all of the other PEs in the overlay is required, either by static configuration or by dynamic discovery. Next, the PE device must forward the ARP request to all peer PEs servicing a particular overlay, or to a specific peer PE if the MAC- to-PE mapping is already known (either by static configuration or earlier dynamic discovery). Since the PEs communicate with each other via HIP, the PE forwarding the ARP must build a HIP tunnel to each target PE if it does not already exist. The source PE wraps the L2 frame within the ESP payload, fragments it if necessary, and sends to the remote PEs where it is detunneled and placed on the remote access network segment again as a L2 broadcast frame. From this point, the intended host will ARP reply with a unicast frame. This frame should be mapped to the ESP association back to the originating PE. Note that flooding of broadcast datagrams in an L2 network is prone to loops. There may be other transparent bridges present in the access network. Therefore, the PE devices must implement and participate in an 802.1d spanning tree algorithm. Note that the nature of 802.1d and the number of broadcast frames typical in most networks will require the setup and maintenance of a full mesh of ESP associations between PEs on an overlay, in general. 5.3. Names and access control lists The name by which the PE devices know one another, at the protocol level, is the HIT, which is a hash of the host identity public key. This key can be used to authenticate messages from PE devices purporting to be a named PE device. However, from a management perspective, the names that operators will want to use in configuration files and in access control lists should be more operationally relevant, such as human- friendly strings and asset tags. Certificates are used to bind a PE device's operational name to its HIT. The HIT is obtained as usual, as a hash of the PE device's public key. All PE devices in the overlay must share a common set of CAs. Henderson, et al. Expires February 4, 2017 [Page 8] Internet-Draft HIPLS August 2016 Certificates should be presented as parameters in the base exchange, to allow peer PE devices to validate them. 5.4. Walkthrough of multicast operation Multicast operation is similer to that described in the section on handling of broadcast ARP requests. 5.5. Mobility, multihoming, and address families The PE devices may be mobile or multihomed on the underlay. The HIP mobility mechanisms [RFC5206] may be used in this case to preserve existing security associations and to update database records upon such changes to the underlying IP addresses. The underlay may itself be a combination of IPv4 and IPv6 network segments. A given overlay may be supported by either or both IPv4 and IPv6-based ESP security associations. The CE devices may be multihomed to PE devices. In this case, the PEs must coordinate to ensure that only one PE sources ingress frames destined from CE4 to another CE. The PE devices may have "backdoor" connections with one another. The 802.1d spanning tree protocol should alleviate problems of this sort. 6. Proposed extensions to HIP The system described above relies on the ability of the PE devices to exchange certificates in the R1, I2, and UPDATE messages, based on local policy. Note that passing of certificates in the HIP exchanges is not strictly necessary, but it will reduce latency if the host proactively provides its certificate as part of the signaling exchange. Work is already underway in the HIP working group to define such a certificate (CERT) parameter [RFC6253]. The system described above can be thought of as a "bump-in-the-wire" type of HIP deployment. Conceptually, what is being encapsulated is not a transport PDU but instead a layer-2 frame. Therefore, HIP implementations in the PE devices need to be able to successfully encapsulate and decapsulate such frames; i.e., this system alters the protocol processing in the stack compared to a host-based HIP implementation. An additional change is that layer-2 (and, by extension, layer-3) multicast and broadcast frames, as well as layer-2 control frames such as bridge PDUs, must be passed as needed. This requires a capability for the PEs to send a copy of each such frame to all other PEs in the overlay. One technique to do this is to replicate each Henderson, et al. Expires February 4, 2017 [Page 9] Internet-Draft HIPLS August 2016 frame and send to each other PE in the system. To support such a transmission framework, N*(N-1) tunnels must be maintained collectively between the PE devices. Alternatively, a constrained system may be deployed that does not support multicast or broadcast, nor bridge PDUs; this would be more like a unicast-only IPLS VPN. If temporary certificates are used, it has not yet been defined in HIP how a host identity may change for active security associations. 7. Security Considerations The model considered above assumes that PE devices that hold trusted credentials (certificates and private keys) are trustworthy; a malicious or misconfigured PE device could subvert packet delivery across the overlay. The model also assumes that the information that PE devices need to obtain to bind the PE name to the overlay and to its respective public key is not compromised, and that the keys of the PE devices are themselves not compromised. A PKI revocation system may aid in dealing with compromised keys. Otherwise, the system described above inherits the security properties found in HIP, including strong authentication of the binding between host identity and (underlay) IP address, and some level of robustness from denial-of-service attacks on the underlay network, based on the properties of the HIP base exchange. Section 5.5 of RFC 4665 describes security features from the perspective of the L2VPN solution, while Section 6.5 of RFC 4665 describes the security from a user perspective. The HIPLS solution must protect against the attacks listed in Section 5.5 of RFC 4665. 8. IANA Considerations There are no IANA considerations. 9. Acknowledgments Jeff Ahrenholz, Orlie Brewer, Eric Byres, Jin Fang, Darren Lissimore and Jeff Meegan have provided invaluable support in the design and prototype implementation of this HIPLS functionality. Richard Paine and Craig Dupler were instrumental in guiding early work along these lines. Members of other Standards organizations such as The Open Group, the Trusted Computing Group (TCG), and the International Society of Automation (ISA) have been involved in standards development activities that leverage HIP and this HIPLS functionality. Henderson, et al. Expires February 4, 2017 [Page 10] Internet-Draft HIPLS August 2016 10. References 10.1. Normative References [RFC4664] Andersson, L. and E. Rosen, "Framework for Layer 2 Virtual Private Networks (L2VPNs)", RFC 4664, September 2006. [RFC5206] Nikander, P., Henderson, T., Vogt, C., and J. Arkko, "End- Host Mobility and Multihoming with the Host Identity Protocol", RFC 5206, April 2008. [RFC6253] Heer, T. and S. Varjonen, "Host Identity Protocol Certificates", RFC 6253, May 2011. [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, DOI 10.17487/RFC7401, April 2015, . [RFC7402] Jokela, P., Moskowitz, R., and J. Melen, "Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)", RFC 7402, DOI 10.17487/RFC7402, April 2015, . 10.2. Informative References [RFC4176] El Mghazli, Y., Nadeau, T., Boucadair, M., Chan, K., and A. Gonguet, "Framework for Layer 3 Virtual Private Networks (L3VPN) Operations and Management", RFC 4176, October 2005. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol (HIP) Architecture", RFC 4423, May 2006. [RFC4665] Augustyn, W. and Y. Serbest, "Service Requirements for Layer 2 Provider-Provisioned Virtual Private Networks", RFC 4665, September 2006. [RFC4847] Takeda, T., "Framework and Requirements for Layer 1 Virtual Private Networks", RFC 4847, April 2007. Henderson, et al. Expires February 4, 2017 [Page 11] Internet-Draft HIPLS August 2016 Authors' Addresses Thomas R. Henderson University of Washington Campus Box 352500 Seattle, WA USA Email: tomhend@u.washington.edu Steven C. Venema Polyverse Security 550 NW Kirkland Way Suite 210 Kirkland, WA USA Email: steve@polyverse.io David Mattes Tempered Networks 3101 Western Avenue Suite 550 Seattle, WA USA Email: d.mattes@temperednetworks.com Henderson, et al. Expires February 4, 2017 [Page 12]