Independent Submission                                          J. Touch
Request for Comments: 6978                                       USC/ISI
Category: Experimental                                         July 2013
ISSN: 2070-1721
A TCP Authentication Option Extension for NAT Traversal
Abstract
This document describes an extension to the TCP Authentication Option (TCP-AO) to support its use over connections that pass through Network Address Translators and/or Network Address and Port Translators (NATs/NAPTs). This extension changes the data used to compute traffic keys, but it does not alter TCP-AO's packet processing or key generation algorithms.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.
This document defines an Experimental Protocol for the Internet community. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6978.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Table of Contents
1. Introduction
2. Conventions Used in This Document
3. Background
4. Extension to Allow NAT Traversal
5. Intended Use
6. Security Considerations
7. References
   7.1. Normative References
   7.2. Informative References
8. Acknowledgments
1. Introduction

This document describes an extension to the TCP Authentication Option (TCP-AO) [RFC5925] called TCP-AO-NAT to support its use in the presence of Network Address Translators and/or Network Address and Port Translators (NATs/NAPTs) [RFC2663]. These devices translate the source address and/or the source port number of a TCP connection. TCP-AO without TCP-AO-NAT extensions would be sensitive to these modifications and would discard authenticated segments.
At least one potential application of TCP-AO-NAT is to support the experimental multipath TCP protocol [RFC6824], which uses multiple IP addresses to support a single TCP transfer.
This document assumes detailed familiarity with TCP-AO [RFC5925]. As a preview, this document focuses on how TCP-AO generates traffic keys, and it does not otherwise alter the TCP-AO mechanism or that of its key generation [RFC5926].
2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. When used in lower case, these words have their conventional meaning and do not convey the interpretations in RFC 2119.
3. Background

TCP-AO generates traffic keys that are specific to a socket pair [RFC5925]. The following information is used to create a connection's traffic keys. (Note that 'local' and 'remote' are interpreted as in TCP-AO [RFC5925].)
o IP local address
o IP remote address
o TCP local port
o TCP remote port
o TCP local Initial Sequence Number (ISN)
o TCP remote Initial Sequence Number (ISN)
Of these fields, the remote ISN is not known for SYN segments and is excluded from the traffic key used to authenticate them. Otherwise, all fields are used in the traffic keys of all other segments.
NATs and NAPTs (both referred to herein as "NATs", even if port translation is included) would interfere with these uses, because they alter the IP address and TCP port of the endpoint behind the NAT [RFC2663].
The premise of TCP-AO-NAT is that it might be useful to allow TCP-AO use in the presence of NATs, e.g., to protect client/server communication where clients are behind NATs.
4. Extension to Allow NAT Traversal

This document describes TCP-AO-NAT, an extension to TCP-AO that enables its use in the presence of NATs. This extension requires no modification to the TCP-AO header or packet processing, and it requires no modification to the algorithms used to generate traffic keys [RFC5926]. The change is limited to the data used to generate traffic keys only.
In TCP-AO, "a Master Key Tuple (MKT) describes the TCP-AO properties to be associated with one or more connections" [RFC5925]. This includes the TCP connection identifier, the TCP option flag (indicating whether TCP options other than TCP-AO are included in the Message Authentication Code (MAC) calculation), keying information, and other parameters. TCP-AO-NAT augments the MKT with two additional flags:
o localNAT
o remoteNAT
TCP-AO implementations supporting TCP-AO-NAT MUST support both localNAT and remoteNAT flags.
These flags indicate whether a segment's local or remote (respectively) IP address and TCP port are zeroed before MAC calculation, either for creating the MAC to insert (for outgoing segments) or for calculating a MAC to validate against the value in the option. These flags modify TCP-AO processing rules as follows:
o In TCP-AO-NAT, traffic keys are computed by zeroing the local/remote IP address and TCP port as indicated by the localNAT or remoteNAT flags.
o In TCP-AO-NAT, MAC values are computed by zeroing the local/remote IP address and TCP port as indicated by the localNAT or remoteNAT flags.
The use of these flags needs to match on both ends of the connection, just as with all other MKT parameters.
5. Intended Use

A host MAY use TCP-AO-NAT when it is behind a NAT, as determined using NAT discovery techniques, or when TCP-AO protection is desired but conventional TCP-AO fails to establish connections.
A client behind a NAT MAY set localNAT=TRUE for MKTs supporting TCP-AO-NAT for outgoing connections. A server MAY set remoteNAT=TRUE for MKTs supporting TCP-AO-NAT for incoming connections. Peer-to-peer applications with dual NAT support, e.g., those traversing so-called 'symmetric NATs' [RFC5389], MAY set both localNAT=TRUE and remoteNAT=TRUE for MKTs supporting TCP-AO-NAT bidirectionally. Once these flags are set in an MKT, they affect all connections that match that MKT.
TCP-AO-NAT is intended for use only where coordinated between endpoints for connections that match the shared MKT parameters, as with all other MKT parameters.
Note that TCP-AO-NAT is not intended for use with services transiting Application Layer Gateways (ALGs), i.e., NATs that also translate in-band addresses, such as used in FTP or SIP. TCP-AO-NAT protects the contents of the TCP segments from modification and would (correctly) interpret such alterations as an attack on those contents.
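The following Python is an added illustration, not code from RFC 6978 or from any TCP-AO implementation. It models the traffic-key context from the field list in Section 3 and the zeroing rule of Section 4, then checks the deployment patterns of Section 5: a client behind a NAPT sets localNAT=TRUE, the server sets remoteNAT=TRUE, and the two derive the same key even though the NAPT rewrote the source address and port. The addresses, ports, ISNs and master key are constructed sample values; the HMAC-SHA1 KDF framing (counter, "TCP-AO" label, context, output length) is modelled on the RFC 5926 style but is an assumption for illustration, not a byte-exact reimplementation; all function names are mine. The context is built in packet orientation (source fields first), which is why the client's send key and the server's receive key line up, and a SYN is handled by zeroing the destination ISN as Section 3 describes.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (not from the RFC): one client behind a NAPT, one server.
MASTER_KEY = b"constructed-mkt-master-key"   # real MKT keys are configured secrets
CLIENT_PRIVATE = ("10.0.0.5", 40000)         # the client's own view of its local address/port
CLIENT_TRANSLATED = ("198.51.100.1", 55555)  # what the server sees after the NAPT rewrite
SERVER = ("203.0.113.10", 179)
CLIENT_ISN = 0x1A2B3C4D
SERVER_ISN = 0x5E6F7081


def _pack_addr(addr: str, zero: bool) -> bytes:
    """Network-order bytes of an IPv4/IPv6 address, or all zeros when the NAT flag applies."""
    ip = ipaddress.ip_address(addr)
    return bytes(ip.max_prefixlen // 8) if zero else ip.packed


def traffic_key_context(src_addr, dst_addr, src_port, dst_port, src_isn, dst_isn,
                        zero_src=False, zero_dst=False, for_syn=False) -> bytes:
    """KDF context in packet orientation using the RFC 5925 field set.

    TCP-AO-NAT's only change is that the source or destination address *and* port are
    replaced by zeros when the corresponding flag is set.  The ISNs are never zeroed by
    the flags; only a SYN omits the (still unknown) destination ISN.
    """
    return b"".join([
        _pack_addr(src_addr, zero_src),
        _pack_addr(dst_addr, zero_dst),
        struct.pack("!H", 0 if zero_src else src_port),
        struct.pack("!H", 0 if zero_dst else dst_port),
        struct.pack("!I", src_isn),
        struct.pack("!I", 0 if for_syn else dst_isn),
    ])


def derive_traffic_key(master_key: bytes, context: bytes, out_len_bits: int = 160) -> bytes:
    """Illustrative HMAC-SHA1 KDF: HMAC(key, counter || label || context || length).

    Assumed framing for this example; the NAT-traversal point depends only on the context.
    """
    msg = b"\x01" + b"TCP-AO" + context + struct.pack("!H", out_len_bits)
    return hmac.new(master_key, msg, hashlib.sha1).digest()[: out_len_bits // 8]


def client_send_key(local_nat: bool, for_syn: bool = False) -> bytes:
    """Key the client uses to MAC outgoing segments; its 'local' side is the private address."""
    ctx = traffic_key_context(CLIENT_PRIVATE[0], SERVER[0], CLIENT_PRIVATE[1], SERVER[1],
                              CLIENT_ISN, SERVER_ISN, zero_src=local_nat, for_syn=for_syn)
    return derive_traffic_key(MASTER_KEY, ctx)


def server_receive_key(remote_nat: bool, for_syn: bool = False) -> bytes:
    """Key the server uses to validate those segments; its 'remote' side is the translated source."""
    ctx = traffic_key_context(CLIENT_TRANSLATED[0], SERVER[0], CLIENT_TRANSLATED[1], SERVER[1],
                              CLIENT_ISN, SERVER_ISN, zero_src=remote_nat, for_syn=for_syn)
    return derive_traffic_key(MASTER_KEY, ctx)


def keys_agree(local_nat: bool, remote_nat: bool, for_syn: bool = False) -> bool:
    """True when the client's send key equals the server's receive key for these MKT flags."""
    return hmac.compare_digest(client_send_key(local_nat, for_syn),
                               server_receive_key(remote_nat, for_syn))


if __name__ == "__main__":
    print("plain TCP-AO across a NAPT:        ", keys_agree(False, False))  # NAPT rewrite breaks the MAC
    print("client localNAT + server remoteNAT:", keys_agree(True, True))    # keys line up
    print("flags set on one end only:         ", keys_agree(True, False))   # MKT flags must match
```

Running the block shows the three outcomes the text describes: plain TCP-AO fails across the NAPT, the localNAT/remoteNAT pairing restores agreement, and a flag set on only one end (an MKT mismatch) fails just like any other mismatched MKT parameter. The same functions can be called with `for_syn=True` to see that the SYN key agrees for the same reason.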
6. Security Considerations

TCP-AO-NAT does not affect the security of connections that do not set either the localNAT or remoteNAT flags. Such connections are not affected themselves and are not affected by segments in other connections that set those flags.
Setting either the localNAT or remoteNAT flags reduces the randomness of the input to the Key Derivation Function (KDF) used to generate the traffic keys. The largest impact occurs when using IPv4, which reduces the randomness from 2 IPv4 addresses, 2 ISNs, and both ports down to just the two ISNs when both flags are set. The amount of randomness in the IPv4 addresses and service port is likely to be small, and the randomness of the dynamic port is under debate and should not be considered substantial [RFC6056]. The KDF input randomness is thus expected to be dominated by that of the ISNs, so reducing it by either or both of the IPv4 addresses and ports is not expected to have a significant impact.
7. References

7.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, June 2010.
7.2. Informative References

[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008.
[RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)", RFC 5926, June 2010.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-Protocol Port Randomization", BCP 156, RFC 6056, January 2011.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, January 2013.
8. Acknowledgments

This extension was inspired by discussions with Dan Wing.
This document was initially prepared using 2-Word-v2.0.template.dot.
Author's Address
Joe Touch
USC/ISI
4676 Admiralty Way
Marina del Rey, CA 90292
USA
Phone: +1 (310) 448-9151
EMail: touch@isi.edu