6MAN J.F. Guan Internet-Draft BUPT Intended status: Informational S. Yao Expires: 29 August 2024 THU K.X. Liu X.L. Hu J.L. Liu BUPT February 2024 Terminal Identity Authentication Based on Address Label draft-guan-6man-ipv6-id-authentication-00 Abstract Privacy and accountability are currently significant concerns on the internet. Privacy generally implies untraceable sources. Effective verification methods inherently raise privacy concerns when confirming a user's identity. To prevent extensive modifications to current network protocols and the introduction of new identifiers, we propose an IPv6 based address label terminal identity authentication mechanism. This mechanism facilitates user identity verification, ensuring privacy protection, security, and efficient auditing. Additionally, this document outlines the implementation of address label authentication in the IPv6 extension header. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 4 August 2024. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Guan, et al. Expires 29 August 2024 [Page 1] Internet-Draft Terminal Identity Authentication Based o February 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Address Label Extension Header Format . . . . . . . . . . . . 3 2.1. Extra Encrypted Auth . . . . . . . . . . . . . . . . . . 4 2.2. Integrity Protection Code . . . . . . . . . . . . . . . . 5 3. Address Label Protocol Processing . . . . . . . . . . . . . . 6 3.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Network Environment . . . . . . . . . . . . . . . . . . . 6 3.3. Address Label Packet Sending . . . . . . . . . . . . . . 7 3.4. Address Label Packet Forwarding . . . . . . . . . . . . . 7 3.5. Address Label Packet Reception . . . . . . . . . . . . . 8 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 4.1. Randomness Requirements . . . . . . . . . . . . . . . . . 8 4.2. Anonymous AddressR . . . . . . . . . . . . . . . . . . . 8 4.3. Unlinkability . . . . . . . . . . . . . . . . . . . . . . 9 4.4. Integrity Protection . . . . . . . . . . . . . . . . . . 9 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The identity authentication mechanism, relying on address labels, utilizes the user's multi-dimensional attributes. It designs a unified user identity and employs a distributed consensus infrastructure for consensus and management. The user identity is anonymized and embedded in the data packet to ensure secure data transmission. The cross-domain receiving end verifies the authenticity and trustworthiness of the terminal identity through the dynamic label authentication mechanism. The address label identifies the identity of different terminals. The address label serves as an identifier, created by initializing the multidimensional attribute table of the terminal and encrypting it using a symmetric key. The length of the address label depends on the length of the encryption algorithm. A section of the address Guan, et al. Expires 29 August 2024 [Page 2] Internet-Draft Terminal Identity Authentication Based o February 2024 label will be incorporated into the IPv6 address, serving as a communication identifier. The remaining part will accompany the data packet to the next hop. At the subsequent hop, the device will utilize this information to acquire the complete address label. Given the aforementioned reasons, we employ address label extension headers to transmit terminal identity for authentication and scrutiny within the network. We make full use of the IPv6 address space to establish a robust connection among terminal identity, address, and data. This allows address labels to withstand diverse attacks like tampering, replay, and forgery. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Address Label Extension Header Format The ALE extension header is encapsulated in the Hop-by-Hop Options header. The (outer) protocol header (IPv6, or Extension) that immediately precedes the ALE header contain the value 0 in its Next Header field[RFC5871] (see IANA web page at http://www.iana.org/assignments/protocol-numbers). Figure 1 illustrates the basic format of the ALE header[RFC6564] [RFC7045]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Length | Opt Type | Opt Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EEA Type | IPC Type | Reserve | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timestamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // Extra Encrypted Address(variable) // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // Integrity Protection Code(variable) // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Basic Format of the LAE Header * The Next Header field identifies the type of header immediately following the Hop-by-Hop Options header[RFC8200]. Guan, et al. Expires 29 August 2024 [Page 3] Internet-Draft Terminal Identity Authentication Based o February 2024 * The Length field indicates the length of the Hop-by-Hop Options header in 8-octet units, not including the first 8 octets. * The Opt Type field identifies address label data with a value of 0xf3[RFC8200]. * The Opt Data Len field indicates the length of the entire ALE header in 8 bytes, including the variable length Extra Encrypted Auth and Identity Protection Code sections. * The EEA Type field represent the method of encryption used in the EEA field and the length of it. The value of this field MUST NOT be 0. * The IPC Type field represent the method of hash used in the IPC field and the length of it. The value of this field MUST NOT be 0. * The Timestamp field represents the timestamp at which the packet was sent, used to encrypt the symmetric key and generate an embedded address. * The Sequence field is usually a serial number bound to the terminal identity. * The Extra Encrypted Auth is a variable length field used to store partially encrypted data with a symmetric key (see Section 2.1). * The Integrity Protection Code is a variable length field used to store the hash results of partial terminal identity information and the entire transport layer data (see Section 2.2). 2.1. Extra Encrypted Auth The Extra Encrypted Auth field (EEA) represents a partial value derived from the encryption of identity information using a symmetric key. The initial 64 bits of the encryption result will be inserted into the trailing 64 bits of the IPv6 packet source address (referred to as the Implicit Identifier IID). The remaining portion will be stored in the EEA field, ensuring data authenticity and the inviolability of identity information. Guan, et al. Expires 29 August 2024 [Page 4] Internet-Draft Terminal Identity Authentication Based o February 2024 The length of this field MAY vary depending on the selected encryption algorithm. The data requiring encryption encompasses the anonymous identity, timestamp, and serial number of the terminal. The verifier must decrypt these outcomes to authenticate the identity. The encryption algorithm type used is represented by the first four bits of the Encryption Type field, and specific values refer to Table 1: +================+======================+=================+ | EEA Type field | Encryption Algorithm | EEA Length/bits | +================+======================+=================+ | 0 | Reserve | | +----------------+----------------------+-----------------+ | 1 | SM4 | 64 | +----------------+----------------------+-----------------+ | 2 | AES128 | 64 | +----------------+----------------------+-----------------+ | 3 | AES256 | 192 | +----------------+----------------------+-----------------+ | 4 | DES | 64 | +----------------+----------------------+-----------------+ | 5 | 3DES | 64 | +----------------+----------------------+-----------------+ Table 1: Category of Symmetric Key Encryption Algorithm Values not listed in the table are considered reserved values. 2.2. Integrity Protection Code The Identity Protection Code field (IPC) is a hash result containing partial identity information of the terminal and the complete transport layer data. The IPC field guarantees data integrity during transmission. The data subject to hash verification encompasses the IPv6 source address, destination address, EEA, anonymous terminal identity AID, timestamp, serial number, and the transport layer data (including transport layer headers) of the message. In the verification process, the identical hash operation is applied to these data, and subsequently, the IPC is compared. Transmission correctness is confirmed only when the two match; otherwise, this packet should be discarded. Guan, et al. Expires 29 August 2024 [Page 5] Internet-Draft Terminal Identity Authentication Based o February 2024 Different hash algorithms MAY result in different lengths of IPC. We use the last 4 bits of the Encryption Type field to represent the current hash algorithm being used, and specific values refer to Table 2: +================+======================+=================+ | IPC Type field | Encryption Algorithm | EEA Length/bits | +================+======================+=================+ | 0 | Reserve | | +----------------+----------------------+-----------------+ | 1 | SHA256 | 256 | +----------------+----------------------+-----------------+ | 2 | SHA384 | 384 | +----------------+----------------------+-----------------+ | 3 | SHA512 | 512 | +----------------+----------------------+-----------------+ | 4 | MD5 | 128 | +----------------+----------------------+-----------------+ Table 2: Category of Hash Algorithm Values not listed in the table are considered reserved values. 3. Address Label Protocol Processing 3.1. Assumptions The process description for the terminal identity authentication based on address label will be based on the following assumptions: (a) All entities can verify the routing prefix generated by AS. (b) Each host and router in the protocol negotiates a symmetric key through a secure method for the subsequent protocol service. The source AS and destination AS also share the corresponding symmetric key in secret. (c) The encryption method is assumed to be secure, i.e., encryption cannot be broken and MACs cannot be forged. 3.2. Network Environment This document describes a protocol process that includes a Source AS and a Destination AS, both of which contain a Border Router for packet forwarding, and each of which contains a User/Host. The network environment is illustrated in the figure 2 below: Guan, et al. Expires 29 August 2024 [Page 6] Internet-Draft Terminal Identity Authentication Based o February 2024 +---------------------+ +---------------------+ | Source AS | | Destination AS | | | | | | +--------------+ | | +--------------+ | | | User/Host | | | | User/Host | | | | | | | | | | | +--------------+ | | +--------------+ | | | | | | | | | | | | | | +--------------+ | Internet | +--------------+ | | | Border | |<--------------->| | Border | | | | Router | | | | Router | | | | | | | | | | | +--------------+ | | +--------------+ | +---------------------+ +---------------------+ Figure 2: Process Description Topology 3.3. Address Label Packet Sending Each packet sent from the source host MUST insert the extension header described above and encrypt the Anonymous Identifier (AID) of its own IPv6 address using a symmetric key. The first 64 bits of the encrypted result are used as the IID(implicit Identifier) of the address, while the remaining bits are used as the EEA in the extension header. By following these steps, the non-linkability between the sender and receiver is improved to counter third-party observers on the same LAN segment and maintain anonymity. To ensure that there are no errors during data transmission, we also use IPC fields as a means of verifying data correctness. We use specific hash algorithms to calculate the checksum of partial terminal identity information and all transport layer data. In addition, the original checksum check of the transport layer is also retained. But due to the modification of the IPv6 address, the checksum of the transport layer MAY need to be recalculated. 3.4. Address Label Packet Forwarding For outgoing packets, when the border router of the source AS receives an outgoing packet, it uses the corresponding symmetric key to decrypt the IID and EEA of the address, thereby obtaining the original AID. Next, the border router calculates the IPC using the IP header and payload and then compares it with the IPC in the packet to verify the integrity of the packet. If the verification fails, the border router discards the packet. Otherwise, it uses the corresponding symmetric key shared with the destination AS to re- Guan, et al. Expires 29 August 2024 [Page 7] Internet-Draft Terminal Identity Authentication Based o February 2024 encrypt the AID and forwards the packet. For incoming packets, when the border router of the destination AS receives an incoming packet, it requests and reproduces the symmetric key of the terminal from the domain server based on the information in the packet extension header, and decrypts the address label to verify it. If the verification is successful, it encrypts the original source address's AID using the symmetric key and forwards the packet. According to [HBH-OPTIONS-PROCESSING] and [PROC-HBH-OPT-HEADER], nodes lacking support for the current protocol MAY experience packet loss. 3.5. Address Label Packet Reception The packets forwarded by the border router are received by the User/ Host in the destination AS, which decrypts the AID of the source address with its own symmetric key, and verifies the real source address of the host with which it communicates. Similarly, the host needs to verify the correctness of data transmission through IPC field. Through the above steps, the protocol in this document can guarantee that only verified packets can leave the source AS and successfully reach the destination host. 4. Security Considerations This section contains security considerations for the protocol described in this document. 4.1. Randomness Requirements All random values in the protocol and symmetric key MUST be generated using a cryptographically secure source of randomness [RFC4086]. 4.2. Anonymous AddressR Attackers can track and identify the sender's activity patterns and history by using the source address in network traffic to conduct tracking attacks. In the network environment, the source address is usually a fixed or stable identifier, such as an IP address, a MAC address, or other types of identifiers. These identifiers can be collected and correlated by attackers to construct the sender's activity patterns and history. Guan, et al. Expires 29 August 2024 [Page 8] Internet-Draft Terminal Identity Authentication Based o February 2024 This document protocol ensures that the sender can hide their identity from the source AS, the transit ASes, the destination AS, and even the receiver, making it difficult for the source address information in network traffic to be exposed or identified. This is because the attacker does not know the symmetric key of the AS, so they cannot decrypt IDD and EEA to obtain user identifiers and extract user identities, thus fully protecting the sender's privacy and security. However, it is important to note that this document protocol does not maintain sender anonymity for observers in the LAN segment because they already know the identity (link layer address) of the sender. 4.3. Unlinkability Unlinkability in this document refers to the ability of the sender's different actions or activities to be uncorrelated. This way, the sender can prevent their actions or activity from being linked by adversaries or other third parties, thereby avoiding the leakage of their information or intentions. Through this protocol, adversaries cannot obtain more information about the source correlation of traffic by observing any number of flows from the same Autonomous System (AS). The source correlation of traffic refers to the possibility of two flows coming from the same sender. The meaning of traffic here is the same for the sender and receiver as it is in traditional networks, but it is different for other devices and observers in the network. This is because the protocol in this document changes the source or destination address. In the network environment, adversaries may invade hosts in the same LAN segment as the sender and obtain clues about the sender's identity, which leads to a decrease in sender-receiver unlinkability. When the sender sends a data packet, the invaded host in the LAN segment can know the source and destination addresses. However, in this document protocol, since the sender encrypts the AID of the destination address in each data packet, the invaded host cannot know the true destination address. 4.4. Integrity Protection Integrity protection ensures that the information in the extended header has not been tampered with or modified during packet transmission. In this document protocol, if an adversary sends packets with incorrect IPCs, the border router will concatenate and decrypt the IID and EEA in the packet and calculate a new IPC using SN, Guan, et al. Expires 29 August 2024 [Page 9] Internet-Draft Terminal Identity Authentication Based o February 2024 timestamps, and other data. If the new IPC calculated by the border router does not match the one in the packet header, the border router identifies the packet as bogus and discards it. Through the above analysis, data packets that do not pass the IPC integrity check in this protocol will not be forwarded, thus ensuring data integrity. 5. IANA Considerations IANA is asked to assign the Option Type in the "Destination Options and Hop-by-Hop Options" subregistry of the "Internet Protocol Version 6 (IPv6) Parameters" registry as follows: +===========+===================+===============+===============+ | Hex Value | Binary Value | Description | Reference | +===========+=====+=====+=======+===============+===============+ | | act | chg | rest | | | +===========+=====+=====+=======+===============+===============+ | 0xf3 | 11 | 1 | 10011 | Address Label | This document | +-----------+-----+-----+-------+---------------+---------------+ Table 3: Destination Options and Hop-by-Hop Options Registry 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, . [RFC5871] Arkko, J. and S. Bradner, "IANA Allocation Guidelines for the IPv6 Routing Header", RFC 5871, DOI 10.17487/RFC5871, May 2010, . [RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and M. Bhatia, "A Uniform Format for IPv6 Extension Headers", RFC 6564, DOI 10.17487/RFC6564, April 2012, . Guan, et al. Expires 29 August 2024 [Page 10] Internet-Draft Terminal Identity Authentication Based o February 2024 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, . 6.2. Informative References [HBH-OPTIONS-PROCESSING] Hinden, R. and G. Fairhurst, "IPv6 Hop-by-Hop Options Processing Procedures", Work in Progress, Internet-Draft, draft-ietf-6man-hbh-processing-04, 21 October 2022, . [PROC-HBH-OPT-HEADER] Peng, S., Li, Z., Xie, C., Qin, Z., and G. Mishra, "Operational Issues with Processing of the Hop-by-Hop Options Header", Work in Progress, Internet-Draft, draft- ietf-v6ops-hbh-02, 21 October 2022, . [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of IPv6 Extension Headers", RFC 7045, DOI 10.17487/RFC7045, December 2013, . Authors' Addresses Jianfeng Guan BUPT No.10 Xitucheng Road, Haidian District Beijing 100876 China Email: jfguan@bupt.edu.cn Su Yao THU No.30 Shuangqing Road, Haidian District Beijing 100084 China Email: yaosu@tsinghua.edu.cn Guan, et al. Expires 29 August 2024 [Page 11] Internet-Draft Terminal Identity Authentication Based o February 2024 Kexian Liu BUPT No.10 Xitucheng Road, Haidian District Beijing 100876 China Email: kxliu@bupt.edu.cn Xiaolong Hu BUPT No.10 Xitucheng Road, Haidian District Beijing 100876 China Email: hxl814446051@bupt.edu.cn Jianli Liu BUPT No.10 Xitucheng Road, Haidian District Beijing 100876 China Email: kuohao233@bupt.edu.cn Guan, et al. Expires 29 August 2024 [Page 12]