3.2.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This specification does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this specification.

As a protocol that uses DHCP for transport, NKPU relies on the DHCP data store (as defined in [RFC2131] section 2.1). The state machine and data model for DHCP are defined in [RFC2131] section 4.4. The data model for DHCPv6 is similar and is defined by [RFC3315].

NKPU servers also maintain the following state:

Key Protector Response (KPR): The key data that the server returns to the client, encrypted with the content of the SK ADM element (section 3.1.1) by using the AES-CCM mode of encryption [FIPS197] [RFC3610]. The server uses AES-CCM to encrypt the concatenation of an implementation-specific<2> header and the CK ADM element (section 3.1.1) and to produce the MAC. When AES-CCM is called, no additional authenticated data is supplied, and the nonce is 12 bytes of zeros and is not transmitted. The KPR is the 16-byte MAC followed by the encrypted output.

Public Key (PK): As defined in section 3.1.1.

Private Key: The RSA [RFC8017] private key corresponding to the PK ADM element (section 3.1.1).

An NKPU server implementation can optionally maintain the following state:

IPv4 Allow List: A list of IPv4 subnets, in classless inter-domain routing (CIDR) notation, from which clients are permitted to be unlocked. If empty or not implemented, all IPv4 addresses are considered allowed.

IPv6 Allow List: A list of IPv6 subnets, in CIDR notation, from which clients are permitted to be unlocked. If empty or not implemented, all IPv6 addresses are considered allowed.<3>

Note  A server implementation is permitted to have multiple configurations for NKPU, each with its own IPv4 Allow List and IPv6 Allow List. However, each NKPU configuration in a server implementation MUST have its own unique Public Key and Private Key pair.
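The following added example is not part of this specification or of any product implementation. It models the optional allow-list state and the key-pair uniqueness rule described above, and shows that a configuration with only an IPv4 Allow List still permits every IPv6 client. The names NkpuConfig, pk_fingerprint, open_families and check_unique_keys are hypothetical, and the sample subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NkpuConfig:
    """One NKPU server configuration (hypothetical structure for this example)."""
    pk_fingerprint: str                               # stand-in for the PK / Private Key pair
    ipv4_allow: list = field(default_factory=list)    # CIDR strings
    ipv6_allow: list = field(default_factory=list)    # CIDR strings

    def __post_init__(self):
        # Strict parsing rejects entries with host bits set, such as 10.20.5.9/16.
        self.v4_nets = [ipaddress.IPv4Network(c) for c in self.ipv4_allow]
        self.v6_nets = [ipaddress.IPv6Network(c) for c in self.ipv6_allow]

    def is_allowed(self, client_ip: str) -> bool:
        """Apply the allow list that matches the client's address family."""
        addr = ipaddress.ip_address(client_ip)
        nets = self.v4_nets if addr.version == 4 else self.v6_nets
        if not nets:
            return True   # empty list: every address of that family is allowed
        return any(addr in net for net in nets)

    def open_families(self) -> list:
        """Address families this configuration leaves unrestricted."""
        return [name for name, nets in (("IPv4", self.v4_nets), ("IPv6", self.v6_nets))
                if not nets]

def check_unique_keys(configs) -> None:
    """Each configuration MUST have its own key pair; reject shared ones."""
    seen = set()
    for cfg in configs:
        if cfg.pk_fingerprint in seen:
            raise ValueError(f"key pair reused: {cfg.pk_fingerprint}")
        seen.add(cfg.pk_fingerprint)

# Constructed sample configurations.
SITE_A = NkpuConfig("fp-site-a", ipv4_allow=["10.20.0.0/16"])
SITE_B = NkpuConfig("fp-site-b", ipv4_allow=["192.0.2.0/24"], ipv6_allow=["2001:db8:1::/48"])

if __name__ == "__main__":
    check_unique_keys([SITE_A, SITE_B])
    for ip in ("10.20.5.9", "192.0.2.7", "2001:db8:1::5", "2001:db8:ffff::1"):
        print(ip, "A:", SITE_A.is_allowed(ip), "B:", SITE_B.is_allowed(ip))
    print("SITE_A unrestricted families:", SITE_A.open_families())
```

A deployment audit can flag any configuration for which open_families() is non-empty, since that address family is unrestricted.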