Obsoletes: 4306, 4718 P. Hoffman
(if approved) VPN Consortium
Intended status: Standards Track Y. Nir
-Expires: October 26, 2009 Check Point
+Expires: January 9, 2010 Check Point
P. Eronen
Nokia
- April 24, 2009
+ July 8, 2009
Internet Key Exchange Protocol: IKEv2
- draft-ietf-ipsecme-ikev2bis-03
+ draft-ietf-ipsecme-ikev2bis-04
Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on October 26, 2009.
+ This Internet-Draft will expire on January 9, 2010.
Copyright Notice
-Kaufman, et al. Expires October 26, 2009 [Page 1]
+Kaufman, et al. Expires January 9, 2010 [Page 1]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Copyright (c) 2009 IETF Trust and the persons identified as the
-Kaufman, et al. Expires October 26, 2009 [Page 2]
+Kaufman, et al. Expires January 9, 2010 [Page 2]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6
1.1. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . 7
- 1.1.1. Security Gateway to Security Gateway Tunnel Mode . . 7
+ 1.1.1. Security Gateway to Security Gateway Tunnel Mode . . 8
1.1.2. Endpoint-to-Endpoint Transport Mode . . . . . . . . . 8
1.1.3. Endpoint to Security Gateway Tunnel Mode . . . . . . 9
- 1.1.4. Other Scenarios . . . . . . . . . . . . . . . . . . . 9
+ 1.1.4. Other Scenarios . . . . . . . . . . . . . . . . . . . 10
1.2. The Initial Exchanges . . . . . . . . . . . . . . . . . . 10
1.3. The CREATE_CHILD_SA Exchange . . . . . . . . . . . . . . 13
1.3.1. Creating New Child SAs with the CREATE_CHILD_SA
Exchange . . . . . . . . . . . . . . . . . . . . . . 14
- 1.3.2. Rekeying IKE SAs with the CREATE_CHILD_SA Exchange . 16
+ 1.3.2. Rekeying IKE SAs with the CREATE_CHILD_SA Exchange . 15
1.3.3. Rekeying Child SAs with the CREATE_CHILD_SA
Exchange . . . . . . . . . . . . . . . . . . . . . . 16
1.4. The INFORMATIONAL Exchange . . . . . . . . . . . . . . . 17
- 1.4.1. Deleting an SA with INFORMATIONAL Exchanges . . . . . 18
+ 1.4.1. Deleting an SA with INFORMATIONAL Exchanges . . . . . 17
1.5. Informational Messages outside of an IKE SA . . . . . . . 18
1.6. Requirements Terminology . . . . . . . . . . . . . . . . 19
- 1.7. Differences Between RFC 4306 and This Document . . . . . 20
+ 1.7. Differences Between RFC 4306 and This Document . . . . . 19
2. IKE Protocol Details and Variations . . . . . . . . . . . . . 21
- 2.1. Use of Retransmission Timers . . . . . . . . . . . . . . 22
+ 2.1. Use of Retransmission Timers . . . . . . . . . . . . . . 21
2.2. Use of Sequence Numbers for Message ID . . . . . . . . . 23
- 2.3. Window Size for Overlapping Requests . . . . . . . . . . 24
+ 2.3. Window Size for Overlapping Requests . . . . . . . . . . 23
2.4. State Synchronization and Connection Timeouts . . . . . . 25
2.5. Version Numbers and Forward Compatibility . . . . . . . . 27
- 2.6. IKE SA SPIs and Cookies . . . . . . . . . . . . . . . . . 29
- 2.6.1. Interaction of COOKIE and INVALID_KE_PAYLOAD . . . . 32
+ 2.6. IKE SA SPIs and Cookies . . . . . . . . . . . . . . . . . 28
+ 2.6.1. Interaction of COOKIE and INVALID_KE_PAYLOAD . . . . 31
2.7. Cryptographic Algorithm Negotiation . . . . . . . . . . . 32
- 2.8. Rekeying . . . . . . . . . . . . . . . . . . . . . . . . 34
- 2.8.1. Simultaneous Child SA rekeying . . . . . . . . . . . 36
- 2.8.2. Simultaneous IKE SA Rekeying . . . . . . . . . . . . 38
- 2.8.3. Rekeying the IKE SA Versus Reauthentication . . . . . 39
+ 2.8. Rekeying . . . . . . . . . . . . . . . . . . . . . . . . 33
+ 2.8.1. Simultaneous Child SA rekeying . . . . . . . . . . . 35
+ 2.8.2. Simultaneous IKE SA Rekeying . . . . . . . . . . . . 37
+ 2.8.3. Rekeying the IKE SA Versus Reauthentication . . . . . 38
2.9. Traffic Selector Negotiation . . . . . . . . . . . . . . 39
- 2.9.1. Traffic Selectors Violating Own Policy . . . . . . . 42
- 2.10. Nonces . . . . . . . . . . . . . . . . . . . . . . . . . 43
- 2.11. Address and Port Agility . . . . . . . . . . . . . . . . 43
+ 2.9.1. Traffic Selectors Violating Own Policy . . . . . . . 41
+ 2.10. Nonces . . . . . . . . . . . . . . . . . . . . . . . . . 42
+ 2.11. Address and Port Agility . . . . . . . . . . . . . . . . 42
2.12. Reuse of Diffie-Hellman Exponentials . . . . . . . . . . 43
- 2.13. Generating Keying Material . . . . . . . . . . . . . . . 44
+ 2.13. Generating Keying Material . . . . . . . . . . . . . . . 43
2.14. Generating Keying Material for the IKE SA . . . . . . . . 45
- 2.15. Authentication of the IKE SA . . . . . . . . . . . . . . 46
- 2.16. Extensible Authentication Protocol Methods . . . . . . . 48
- 2.17. Generating Keying Material for Child SAs . . . . . . . . 50
- 2.18. Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange . . . . 51
- 2.19. Requesting an Internal Address on a Remote Network . . . 52
+ 2.15. Authentication of the IKE SA . . . . . . . . . . . . . . 45
+ 2.16. Extensible Authentication Protocol Methods . . . . . . . 47
+ 2.17. Generating Keying Material for Child SAs . . . . . . . . 49
+ 2.18. Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange . . . . 50
+ 2.19. Requesting an Internal Address on a Remote Network . . . 51
2.19.1. Configuration Payloads . . . . . . . . . . . . . . . 53
- 2.20. Requesting the Peer's Version . . . . . . . . . . . . . . 55
+ 2.20. Requesting the Peer's Version . . . . . . . . . . . . . . 54
2.21. Error Handling . . . . . . . . . . . . . . . . . . . . . 55
-Kaufman, et al. Expires October 26, 2009 [Page 3]
+Kaufman, et al. Expires January 9, 2010 [Page 3]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
2.22. IPComp . . . . . . . . . . . . . . . . . . . . . . . . . 56
- 2.23. NAT Traversal . . . . . . . . . . . . . . . . . . . . . . 58
+ 2.23. NAT Traversal . . . . . . . . . . . . . . . . . . . . . . 57
2.24. Explicit Congestion Notification (ECN) . . . . . . . . . 61
- 3. Header and Payload Formats . . . . . . . . . . . . . . . . . 62
- 3.1. The IKE Header . . . . . . . . . . . . . . . . . . . . . 62
- 3.2. Generic Payload Header . . . . . . . . . . . . . . . . . 65
- 3.3. Security Association Payload . . . . . . . . . . . . . . 67
- 3.3.1. Proposal Substructure . . . . . . . . . . . . . . . . 69
- 3.3.2. Transform Substructure . . . . . . . . . . . . . . . 71
- 3.3.3. Valid Transform Types by Protocol . . . . . . . . . . 74
- 3.3.4. Mandatory Transform IDs . . . . . . . . . . . . . . . 74
- 3.3.5. Transform Attributes . . . . . . . . . . . . . . . . 75
- 3.3.6. Attribute Negotiation . . . . . . . . . . . . . . . . 77
- 3.4. Key Exchange Payload . . . . . . . . . . . . . . . . . . 78
- 3.5. Identification Payloads . . . . . . . . . . . . . . . . . 79
- 3.6. Certificate Payload . . . . . . . . . . . . . . . . . . . 81
- 3.7. Certificate Request Payload . . . . . . . . . . . . . . . 83
- 3.8. Authentication Payload . . . . . . . . . . . . . . . . . 85
- 3.9. Nonce Payload . . . . . . . . . . . . . . . . . . . . . . 87
- 3.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . 87
- 3.10.1. Notify Message Types . . . . . . . . . . . . . . . . 88
- 3.11. Delete Payload . . . . . . . . . . . . . . . . . . . . . 91
- 3.12. Vendor ID Payload . . . . . . . . . . . . . . . . . . . . 93
- 3.13. Traffic Selector Payload . . . . . . . . . . . . . . . . 94
- 3.13.1. Traffic Selector . . . . . . . . . . . . . . . . . . 95
- 3.14. Encrypted Payload . . . . . . . . . . . . . . . . . . . . 97
- 3.15. Configuration Payload . . . . . . . . . . . . . . . . . . 99
- 3.15.1. Configuration Attributes . . . . . . . . . . . . . . 100
- 3.15.2. Meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET . 103
- 3.15.3. Configuration payloads for IPv6 . . . . . . . . . . . 105
- 3.15.4. Address Assignment Failures . . . . . . . . . . . . . 106
- 3.16. Extensible Authentication Protocol (EAP) Payload . . . . 106
- 4. Conformance Requirements . . . . . . . . . . . . . . . . . . 108
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . 110
- 5.1. Traffic selector authorization . . . . . . . . . . . . . 113
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 114
- 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 114
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 115
- 8.1. Normative References . . . . . . . . . . . . . . . . . . 115
- 8.2. Informative References . . . . . . . . . . . . . . . . . 116
- Appendix A. Summary of changes from IKEv1 . . . . . . . . . . . 120
- Appendix B. Diffie-Hellman Groups . . . . . . . . . . . . . . . 121
- B.1. Group 1 - 768 Bit MODP . . . . . . . . . . . . . . . . . 122
- B.2. Group 2 - 1024 Bit MODP . . . . . . . . . . . . . . . . . 122
- Appendix C. Exchanges and Payloads . . . . . . . . . . . . . . . 122
- C.1. IKE_SA_INIT Exchange . . . . . . . . . . . . . . . . . . 123
- C.2. IKE_AUTH Exchange without EAP . . . . . . . . . . . . . . 124
- C.3. IKE_AUTH Exchange with EAP . . . . . . . . . . . . . . . 125
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 4]
-\f
-Internet-Draft IKEv2bis April 2009
+ 3. Header and Payload Formats . . . . . . . . . . . . . . . . . 61
+ 3.1. The IKE Header . . . . . . . . . . . . . . . . . . . . . 61
+ 3.2. Generic Payload Header . . . . . . . . . . . . . . . . . 64
+ 3.3. Security Association Payload . . . . . . . . . . . . . . 66
+ 3.3.1. Proposal Substructure . . . . . . . . . . . . . . . . 68
+ 3.3.2. Transform Substructure . . . . . . . . . . . . . . . 70
+ 3.3.3. Valid Transform Types by Protocol . . . . . . . . . . 73
+ 3.3.4. Mandatory Transform IDs . . . . . . . . . . . . . . . 73
+ 3.3.5. Transform Attributes . . . . . . . . . . . . . . . . 74
+ 3.3.6. Attribute Negotiation . . . . . . . . . . . . . . . . 76
+ 3.4. Key Exchange Payload . . . . . . . . . . . . . . . . . . 77
+ 3.5. Identification Payloads . . . . . . . . . . . . . . . . . 78
+ 3.6. Certificate Payload . . . . . . . . . . . . . . . . . . . 80
+ 3.7. Certificate Request Payload . . . . . . . . . . . . . . . 82
+ 3.8. Authentication Payload . . . . . . . . . . . . . . . . . 84
+ 3.9. Nonce Payload . . . . . . . . . . . . . . . . . . . . . . 85
+ 3.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . 86
+ 3.10.1. Notify Message Types . . . . . . . . . . . . . . . . 87
+ 3.11. Delete Payload . . . . . . . . . . . . . . . . . . . . . 90
+ 3.12. Vendor ID Payload . . . . . . . . . . . . . . . . . . . . 92
+ 3.13. Traffic Selector Payload . . . . . . . . . . . . . . . . 93
+ 3.13.1. Traffic Selector . . . . . . . . . . . . . . . . . . 94
+ 3.14. Encrypted Payload . . . . . . . . . . . . . . . . . . . . 96
+ 3.15. Configuration Payload . . . . . . . . . . . . . . . . . . 98
+ 3.15.1. Configuration Attributes . . . . . . . . . . . . . . 99
+ 3.15.2. Meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET . 102
+ 3.15.3. Configuration payloads for IPv6 . . . . . . . . . . . 104
+ 3.15.4. Address Assignment Failures . . . . . . . . . . . . . 104
+ 3.16. Extensible Authentication Protocol (EAP) Payload . . . . 105
+ 4. Conformance Requirements . . . . . . . . . . . . . . . . . . 107
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 109
+ 5.1. Traffic selector authorization . . . . . . . . . . . . . 112
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 113
+ 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 113
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 114
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . 114
+ 8.2. Informative References . . . . . . . . . . . . . . . . . 115
+ Appendix A. Summary of changes from IKEv1 . . . . . . . . . . . 119
+ Appendix B. Diffie-Hellman Groups . . . . . . . . . . . . . . . 120
+ B.1. Group 1 - 768 Bit MODP . . . . . . . . . . . . . . . . . 120
+ B.2. Group 2 - 1024 Bit MODP . . . . . . . . . . . . . . . . . 121
+ Appendix C. Exchanges and Payloads . . . . . . . . . . . . . . . 121
+ C.1. IKE_SA_INIT Exchange . . . . . . . . . . . . . . . . . . 122
+ C.2. IKE_AUTH Exchange without EAP . . . . . . . . . . . . . . 123
+ C.3. IKE_AUTH Exchange with EAP . . . . . . . . . . . . . . . 124
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 4]
+\f
+Internet-Draft IKEv2bis July 2009
C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying
- Child SAs . . . . . . . . . . . . . . . . . . . . . . . . 126
- C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA . . . . 126
- C.6. INFORMATIONAL Exchange . . . . . . . . . . . . . . . . . 126
- Appendix D. Significant Changes from RFC 4306 . . . . . . . . . 126
- Appendix E. Changes Between Internet Draft Versions . . . . . . 127
- E.1. Changes from IKEv2 to draft -00 . . . . . . . . . . . . . 127
- E.2. Changes from draft -00 to draft -01 . . . . . . . . . . . 127
- E.3. Changes from draft -00 to draft -01 . . . . . . . . . . . 129
- E.4. Changes from draft -01 to draft -02 . . . . . . . . . . . 130
- E.5. Changes from draft -02 to draft -03 . . . . . . . . . . . 131
+ Child SAs . . . . . . . . . . . . . . . . . . . . . . . . 125
+ C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA . . . . 125
+ C.6. INFORMATIONAL Exchange . . . . . . . . . . . . . . . . . 125
+ Appendix D. Significant Changes from RFC 4306 . . . . . . . . . 125
+ Appendix E. Changes Between Internet Draft Versions . . . . . . 126
+ E.1. Changes from IKEv2 to draft -00 . . . . . . . . . . . . . 126
+ E.2. Changes from draft -00 to draft -01 . . . . . . . . . . . 126
+ E.3. Changes from draft -00 to draft -01 . . . . . . . . . . . 128
+ E.4. Changes from draft -01 to draft -02 . . . . . . . . . . . 129
+ E.5. Changes from draft -02 to draft -03 . . . . . . . . . . . 130
E.6. Changes from draft -03 to
- draft-ietf-ipsecme-ikev2bis-00 . . . . . . . . . . . . . 132
+ draft-ietf-ipsecme-ikev2bis-00 . . . . . . . . . . . . . 131
E.7. Changes from draft-ietf-ipsecme-ikev2bis-00 to
- draft-ietf-ipsecme-ikev2bis-01 . . . . . . . . . . . . . 133
+ draft-ietf-ipsecme-ikev2bis-01 . . . . . . . . . . . . . 132
E.8. Changes from draft-ietf-ipsecme-ikev2bis-01 to
- draft-ietf-ipsecme-ikev2bis-02 . . . . . . . . . . . . . 137
+ draft-ietf-ipsecme-ikev2bis-02 . . . . . . . . . . . . . 136
E.9. Changes from draft-ietf-ipsecme-ikev2bis-01 to
- draft-ietf-ipsecme-ikev2bis-02 . . . . . . . . . . . . . 139
+ draft-ietf-ipsecme-ikev2bis-02 . . . . . . . . . . . . . 138
E.10. Changes from draft-ietf-ipsecme-ikev2bis-02 to
- draft-ietf-ipsecme-ikev2bis-03 . . . . . . . . . . . . . 140
+ draft-ietf-ipsecme-ikev2bis-03 . . . . . . . . . . . . . 139
+ E.11. Changes from draft-ietf-ipsecme-ikev2bis-03 to
+ draft-ietf-ipsecme-ikev2bis-04 . . . . . . . . . . . . . 139
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 140
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 5]
+Kaufman, et al. Expires January 9, 2010 [Page 5]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
1. Introduction
2408 [ISAKMP], and 2409 [IKEV1]. IKEv2 replaced all of those RFCs.
IKEv2 was defined in [IKEV2] (RFC 4306) and was clarified in [Clarif]
(RFC 4718). This document replaces and updates RFC 4306 and RFC
- 4718.
+ 4718. IKEv2 was a change to the IKE protocol that was not backward
+ compatible. In contrast, the current document not only provides a
+ clarification of IKEv2, but makes minimum changes to the IKE
+ protocol.
IKE performs mutual authentication between two parties and
establishes an IKE security association (SA) that includes shared
exchange and a single IKE_AUTH exchange (a total of four messages) to
establish the IKE SA and the first Child SA. In exceptional cases,
there may be more than one of each of these exchanges. In all cases,
- all IKE_SA_INIT exchanges MUST complete before any other exchange
- type, then all IKE_AUTH exchanges MUST complete, and following that
- any number of CREATE_CHILD_SA and INFORMATIONAL exchanges may occur
-Kaufman, et al. Expires October 26, 2009 [Page 6]
+Kaufman, et al. Expires January 9, 2010 [Page 6]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
+ all IKE_SA_INIT exchanges MUST complete before any other exchange
+ type, then all IKE_AUTH exchanges MUST complete, and following that
+ any number of CREATE_CHILD_SA and INFORMATIONAL exchanges may occur
in any order. In some scenarios, only a single Child SA is needed
between the IPsec endpoints, and therefore there would be no
additional exchanges. Subsequent exchanges MAY be used to establish
IKE is expected to be used to negotiate ESP or AH SAs in a number of
different scenarios, each with its own special requirements.
+
+
+
+
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 7]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
1.1.1. Security Gateway to Security Gateway Tunnel Mode
+-+-+-+-+-+ +-+-+-+-+-+
Figure 1: Security Gateway to Security Gateway Tunnel
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 7]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
In this scenario, neither endpoint of the IP connection implements
IPsec, but network nodes between them protect traffic for part of the
way. Protection is transparent to the endpoints, and depends on
It is possible in this scenario that one or both of the protected
endpoints will be behind a network address translation (NAT) node, in
which case the tunneled packets will have to be UDP encapsulated so
- that port numbers in the UDP headers can be used to identify
- individual endpoints "behind" the NAT (see Section 2.23).
-
-
-
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 8]
+Kaufman, et al. Expires January 9, 2010 [Page 8]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
+ that port numbers in the UDP headers can be used to identify
+ individual endpoints "behind" the NAT (see Section 2.23).
+
1.1.3. Endpoint to Security Gateway Tunnel Mode
+-+-+-+-+-+ +-+-+-+-+-+
address associated with the security gateway so that packets returned
to it will go to the security gateway and be tunneled back. This IP
address may be static or may be dynamically allocated by the security
- gateway. {{ Clarif-6.1 }} In support of the latter case, IKEv2
- includes a mechanism (namely, configuration payloads) for the
- initiator to request an IP address owned by the security gateway for
- use for the duration of its SA.
+ gateway. In support of the latter case, IKEv2 includes a mechanism
+ (namely, configuration payloads) for the initiator to request an IP
+ address owned by the security gateway for use for the duration of its
+ SA.
In this scenario, packets will use tunnel mode. On each packet from
the protected endpoint, the outer IP header will contain the source
endpoint, and packets will have to be UDP encapsulated in order to be
routed properly.
-1.1.4. Other Scenarios
- Other scenarios are possible, as are nested combinations of the
- above. One notable example combines aspects of 1.1.1 and 1.1.3. A
- subnet may make all external accesses through a remote security
-Kaufman, et al. Expires October 26, 2009 [Page 9]
+
+Kaufman, et al. Expires January 9, 2010 [Page 9]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
+1.1.4. Other Scenarios
+
+ Other scenarios are possible, as are nested combinations of the
+ above. One notable example combines aspects of 1.1.1 and 1.1.3. A
+ subnet may make all external accesses through a remote security
gateway using an IPsec tunnel, where the addresses on the subnet are
routed to the security gateway by the rest of the Internet. An
example would be someone's home network being virtually on the
protected with keys established through the IKE_SA_INIT exchange, so
the identities are hidden from eavesdroppers and all fields in all
the messages are authenticated. (See Section 2.14 for information on
- how the encyrption keys are generated.)
+ how the encryption keys are generated.)
All messages following the initial exchange are cryptographically
protected using the cryptographic algorithms and keys negotiated in
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 10]
+Kaufman, et al. Expires January 9, 2010 [Page 10]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Notation Payload
-Kaufman, et al. Expires October 26, 2009 [Page 11]
+Kaufman, et al. Expires January 9, 2010 [Page 11]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
encryption and integrity protection are derived from SKEYSEED and are
-Kaufman, et al. Expires October 26, 2009 [Page 12]
+Kaufman, et al. Expires January 9, 2010 [Page 12]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- {{ Clarif-4.2}} If creating the Child SA during the IKE_AUTH exchange
- fails for some reason, the IKE SA is still created as usual. The
- list of responses in the IKE_AUTH exchange that do not prevent an IKE
- SA from being set up include at least the following:
- NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED,
- INTERNAL_ADDRESS_FAILURE, and FAILED_CP_REQUIRED.
+ If creating the Child SA during the IKE_AUTH exchange fails for some
+ reason, the IKE SA is still created as usual. The list of responses
+ in the IKE_AUTH exchange that do not prevent an IKE SA from being set
+ up include at least the following: NO_PROPOSAL_CHOSEN,
+ TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and
+ FAILED_CP_REQUIRED.
- {{ Clarif-4.3 }} Note that IKE_AUTH messages do not contain KEi/KEr
- or Ni/Nr payloads. Thus, the SA payloads in the IKE_AUTH exchange
- cannot contain Transform Type 4 (Diffie-Hellman Group) with any value
- other than NONE. Implementations SHOULD omit the whole transform
- substructure instead of sending value NONE.
+ Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads.
+ Thus, the SA payloads in the IKE_AUTH exchange cannot contain
+ Transform Type 4 (Diffie-Hellman Group) with any value other than
+ NONE. Implementations SHOULD omit the whole transform substructure
+ instead of sending value NONE.
1.3. The CREATE_CHILD_SA Exchange
- {{ This is a heavy rewrite of most of this section. The major
- organization changes are described in Clarif-4.1 and Clarif-5.1. }}
-
The CREATE_CHILD_SA exchange is used to create new Child SAs and to
rekey both IKE SAs and Child SAs. This exchange consists of a single
request/response pair, and some of its function was referred to as a
exchange. An implementation MAY refuse all CREATE_CHILD_SA requests
within an IKE SA.
+ The CREATE_CHILD_SA request MAY optionally contain a KE payload for
+ an additional Diffie-Hellman exchange to enable stronger guarantees
+ of forward secrecy for the Child SA. The keying material for the
-Kaufman, et al. Expires October 26, 2009 [Page 13]
+Kaufman, et al. Expires January 9, 2010 [Page 13]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- The CREATE_CHILD_SA request MAY optionally contain a KE payload for
- an additional Diffie-Hellman exchange to enable stronger guarantees
- of forward secrecy for the Child SA. The keying material for the
Child SA is a function of SK_d established during the establishment
of the IKE SA, the nonces exchanged during the CREATE_CHILD_SA
exchange, and the Diffie-Hellman value (if KE payloads are included
groups can be proposed). If the responder selects a proposal using a
different Diffie-Hellman group (other than NONE), the responder MUST
reject the request and indicate its preferred Diffie-Hellman group in
- the INVALID_KE_PAYLOAD Notification payload. {{ 3.10.1-17 }} There
- are two octets of data associated with this notification: the
- accepted D-H Group number in big endian order. In the case of such a
- rejection, the CREATE_CHILD_SA exchange fails, and the initiator will
- probably retry the exchange with a Diffie-Hellman proposal and KEi in
- the group that the responder gave in the INVALID_KE_PAYLOAD.
-
- {{ 3.10.1-35 }} The responder sends a NO_ADDITIONAL_SAS notification
- to indicate that a CREATE_CHILD_SA request is unacceptable because
- the responder is unwilling to accept any more Child SAs on this IKE
- SA. Some minimal implementations may only accept a single Child SA
- setup in the context of an initial IKE exchange and reject any
- subsequent attempts to add more.
+ the INVALID_KE_PAYLOAD Notification payload. There are two octets of
+ data associated with this notification: the accepted D-H Group number
+ in big endian order. In the case of such a rejection, the
+ CREATE_CHILD_SA exchange fails, and the initiator will probably retry
+ the exchange with a Diffie-Hellman proposal and KEi in the group that
+ the responder gave in the INVALID_KE_PAYLOAD.
+
+ The responder sends a NO_ADDITIONAL_SAS notification to indicate that
+ a CREATE_CHILD_SA request is unacceptable because the responder is
+ unwilling to accept any more Child SAs on this IKE SA. Some minimal
+ implementations may only accept a single Child SA setup in the
+ context of an initial IKE exchange and reject any subsequent attempts
+ to add more.
1.3.1. Creating New Child SAs with the CREATE_CHILD_SA Exchange
<-- HDR, SK {SA, Nr, [KEr],
TSi, TSr}
+ The responder replies (using the same Message ID to respond) with the
+ accepted offer in an SA payload, and a Diffie-Hellman value in the
-Kaufman, et al. Expires October 26, 2009 [Page 14]
+
+Kaufman, et al. Expires January 9, 2010 [Page 14]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- The responder replies (using the same Message ID to respond) with the
- accepted offer in an SA payload, and a Diffie-Hellman value in the
KEr payload if KEi was included in the request and the selected
cryptographic suite includes that group.
in the TS payloads in the response, which may be a subset of what the
initiator of the Child SA proposed.
- {{ 3.10.1-16391 }} The USE_TRANSPORT_MODE notification MAY be
- included in a request message that also includes an SA payload
- requesting a Child SA. It requests that the Child SA use transport
- mode rather than tunnel mode for the SA created. If the request is
- accepted, the response MUST also include a notification of type
- USE_TRANSPORT_MODE. If the responder declines the request, the Child
- SA will be established in tunnel mode. If this is unacceptable to
- the initiator, the initiator MUST delete the SA. Note: Except when
- using this option to negotiate transport mode, all Child SAs will use
- tunnel mode.
-
- {{ 3.10.1-16394 }} The ESP_TFC_PADDING_NOT_SUPPORTED notification
- asserts that the sending endpoint will NOT accept packets that
- contain Traffic Flow Confidentiality (TFC) padding over the Child SA
- being negotiated. {{ Clarif-4.5 }} If neither endpoint accepts TFC
- padding, this notification is included in both the request and the
- response. If this notification is included in only one of the
- messages, TFC padding can still be sent in the other direction.
-
- {{ 3.10.1-16395 }} The NON_FIRST_FRAGMENTS_ALSO notification is used
- for fragmentation control. See [IPSECARCH] for a fuller explanation.
- {{ Clarif-4.6 }} Both parties need to agree to sending non-first
- fragments before either party does so. It is enabled only if
- NON_FIRST_FRAGMENTS_ALSO notification is included in both the request
- proposing an SA and the response accepting it. If the responder does
- not want to send or receive non-first fragments, it only omits
- NON_FIRST_FRAGMENTS_ALSO notification from its response, but does not
- reject the whole Child SA creation.
+ The USE_TRANSPORT_MODE notification MAY be included in a request
+ message that also includes an SA payload requesting a Child SA. It
+ requests that the Child SA use transport mode rather than tunnel mode
+ for the SA created. If the request is accepted, the response MUST
+ also include a notification of type USE_TRANSPORT_MODE. If the
+ responder declines the request, the Child SA will be established in
+ tunnel mode. If this is unacceptable to the initiator, the initiator
+ MUST delete the SA. Note: Except when using this option to negotiate
+ transport mode, all Child SAs will use tunnel mode.
+
+ The ESP_TFC_PADDING_NOT_SUPPORTED notification asserts that the
+ sending endpoint will NOT accept packets that contain Traffic Flow
+ Confidentiality (TFC) padding over the Child SA being negotiated. If
+ neither endpoint accepts TFC padding, this notification is included
+ in both the request and the response. If this notification is
+ included in only one of the messages, TFC padding can still be sent
+ in the other direction.
+
+ The NON_FIRST_FRAGMENTS_ALSO notification is used for fragmentation
+ control. See [IPSECARCH] for a fuller explanation. Both parties
+ need to agree to sending non-first fragments before either party does
+ so. It is enabled only if NON_FIRST_FRAGMENTS_ALSO notification is
+ included in both the request proposing an SA and the response
+ accepting it. If the responder does not want to send or receive non-
+ first fragments, it only omits NON_FIRST_FRAGMENTS_ALSO notification
+ from its response, but does not reject the whole Child SA creation.
Failure of an attempt to create a CHILD SA SHOULD NOT tear down the
IKE SA: there is no reason to lose the work done to set up the IKE
authenticate that message. [[ Note: this text may be changed in the
future. ]]
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 15]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
1.3.2. Rekeying IKE SAs with the CREATE_CHILD_SA Exchange
The CREATE_CHILD_SA request for rekeying an IKE SA is:
-------------------------------------------------------------------
HDR, SK {SA, Ni, KEi} -->
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 15]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
The initiator sends SA offer(s) in the SA payload, a nonce in the Ni
payload, and a Diffie-Hellman value in the KEi payload. The KEi
payload MUST be included. New initiator and responder SPIs are
the proposed traffic selectors for the proposed Child SA in the TSi
and TSr payloads.
- {{ 3.10.1-16393 }} The REKEY_SA notification MUST be included in a
- CREATE_CHILD_SA exchange if the purpose of the exchange is to replace
- an existing ESP or AH SA. {{ Clarif-5.4 }} The SA being rekeyed is
- identified by the SPI field in the Notify payload; this is the SPI
- the exchange initiator would expect in inbound ESP or AH packets.
+ The REKEY_SA notification MUST be included in a CREATE_CHILD_SA
+ exchange if the purpose of the exchange is to replace an existing ESP
+ or AH SA. The SA being rekeyed is identified by the SPI field in the
+ Notify payload; this is the SPI the exchange initiator would expect
+ in inbound ESP or AH packets. There is no data associated with this
+ Notify type. The Protocol ID field of the REKEY_SA notification is
+ set to match the protocol of the SA we are rekeying, for example, 3
+ for ESP and 2 for AH.
+ The CREATE_CHILD_SA response for rekeying a Child SA is:
+ <-- HDR, SK {SA, Nr, [KEr],
+ TSi, TSr}
-Kaufman, et al. Expires October 26, 2009 [Page 16]
-\f
-Internet-Draft IKEv2bis April 2009
- There is no data associated with this Notify type. The Protocol ID
- field of the REKEY_SA notification is set to match the protocol of
- the SA we are rekeying, for example, 3 for ESP and 2 for AH.
+Kaufman, et al. Expires January 9, 2010 [Page 16]
+\f
+Internet-Draft IKEv2bis July 2009
- The CREATE_CHILD_SA response for rekeying a Child SA is:
-
- <-- HDR, SK {SA, Nr, [KEr],
- TSi, TSr}
The responder replies (using the same Message ID to respond) with the
accepted offer in an SA payload, and a Diffie-Hellman value in the
HDR, SK {[N,] [D,]
[CP,] ...} -->
<-- HDR, SK {[N,] [D,]
+ [CP], ...}
+ The processing of an INFORMATIONAL exchange is determined by its
+ component payloads.
+1.4.1. Deleting an SA with INFORMATIONAL Exchanges
-Kaufman, et al. Expires October 26, 2009 [Page 17]
-\f
-Internet-Draft IKEv2bis April 2009
+ ESP and AH SAs always exist in pairs, with one SA in each direction.
+ When an SA is closed, both members of the pair MUST be closed (that
- [CP], ...}
- The processing of an INFORMATIONAL exchange is determined by its
- component payloads.
+Kaufman, et al. Expires January 9, 2010 [Page 17]
+\f
+Internet-Draft IKEv2bis July 2009
-1.4.1. Deleting an SA with INFORMATIONAL Exchanges
- {{ Clarif-5.6 }} ESP and AH SAs always exist in pairs, with one SA in
- each direction. When an SA is closed, both members of the pair MUST
- be closed (that is, deleted). Each endpoint MUST close its incoming
- SAs and allow the other endpoint to close the other SA in each pair.
- To delete an SA, an INFORMATIONAL exchange with one or more delete
- payloads is sent listing the SPIs (as they would be expected in the
- headers of inbound packets) of the SAs to be deleted. The recipient
- MUST close the designated SAs. {{ Clarif-5.7 }} Note that one never
- sends delete payloads for the two sides of an SA in a single message.
- If there are many SAs to delete at the same time, one includes delete
- payloads for the inbound half of each SA pair in your Informational
- exchange.
+ is, deleted). Each endpoint MUST close its incoming SAs and allow
+ the other endpoint to close the other SA in each pair. To delete an
+ SA, an INFORMATIONAL exchange with one or more delete payloads is
+ sent listing the SPIs (as they would be expected in the headers of
+ inbound packets) of the SAs to be deleted. The recipient MUST close
+ the designated SAs. Note that one never sends delete payloads for
+ the two sides of an SA in a single message. If there are many SAs to
+ delete at the same time, one includes delete payloads for the inbound
+ half of each SA pair in your Informational exchange.
Normally, the reply in the INFORMATIONAL exchange will contain delete
payloads for the paired SAs going in the other direction. There is
that would result in duplicate deletion and could in theory delete
the wrong SA.
- {{ Demoted the SHOULD }} Half-closed ESP or AH connections are
- anomalous, and a node with auditing capability should probably audit
- their existence if they persist. Note that this specification
- nowhere specifies time periods, so it is up to individual endpoints
- to decide how long to wait. A node MAY refuse to accept incoming
- data on half-closed connections but MUST NOT unilaterally close them
- and reuse the SPIs. If connection state becomes sufficiently messed
- up, a node MAY close the IKE SA; doing so will implicitly close all
- SAs negotiated under it. It can then rebuild the SAs it needs on a
- clean base under a new IKE SA. {{ Clarif-5.8 }} The response to a
- request that deletes the IKE SA is an empty Informational response.
+ Half-closed ESP or AH connections are anomalous, and a node with
+ auditing capability should probably audit their existence if they
+ persist. Note that this specification nowhere specifies time
+ periods, so it is up to individual endpoints to decide how long to
+ wait. A node MAY refuse to accept incoming data on half-closed
+ connections but MUST NOT unilaterally close them and reuse the SPIs.
+ If connection state becomes sufficiently messed up, a node MAY close
+ the IKE SA; doing so will implicitly close all SAs negotiated under
+ it. It can then rebuild the SAs it needs on a clean base under a new
+ IKE SA. The response to a request that deletes the IKE SA is an
+ empty Informational response.
1.5. Informational Messages outside of an IKE SA
If an encrypted IKE request packet arrives on port 500 or 4500 with
an unrecognized SPI, it could be because the receiving node has
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 18]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
recently crashed and lost state or because of some other system
malfunction or attack. If the receiving node has an active IKE SA to
the IP address from whence the packet came, it MAY send a
exchange, and the receiving node MUST NOT respond to it. Doing so
could cause a message loop.
- {{ 3.10.1-11 }} The INVALID_SPI notification MAY be sent in an IKE
- INFORMATIONAL exchange when a node receives an ESP or AH packet with
- an invalid SPI. The Notification Data contains the SPI of the
- invalid packet. This usually indicates a node has rebooted and
- forgotten an SA. If this Informational Message is sent outside the
- context of an IKE SA, it should only be used by the recipient as a
- "hint" that something might be wrong (because it could easily be
- forged).
-
- {{ Clarif-7.7 }} There are two cases when such a one-way notification
- is sent: INVALID_IKE_SPI and INVALID_SPI. These notifications are
- sent outside of an IKE SA. Note that such notifications are
- explicitly not Informational exchanges; these are one-way messages
- that must not be responded to.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 18]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ The INVALID_SPI notification MAY be sent in an IKE INFORMATIONAL
+ exchange when a node receives an ESP or AH packet with an invalid
+ SPI. The Notification Data contains the SPI of the invalid packet.
+ This usually indicates a node has rebooted and forgotten an SA. If
+ this Informational Message is sent outside the context of an IKE SA,
+ it should only be used by the recipient as a "hint" that something
+ might be wrong (because it could easily be forged). The recipient of
+ this notification cannot tell whether the SPI is for AH or ESP, but
+ this is not important because the SPIs are supposed to be different
+ for the two.
+
+ There are two cases when such a one-way notification is sent:
+ INVALID_IKE_SPI and INVALID_SPI. These notifications are sent
+ outside of an IKE SA. Note that such notifications are explicitly
+ not Informational exchanges; these are one-way messages that must not
+ be responded to. (INVALID_MAJOR_VERSION is also a one-way message
+ which is sent outside of an IKE SA, although it is sent as a response
+ to the incoming IKE SA creation.)
In case of INVALID_IKE_SPI, the message sent is a response message,
and thus it is sent to the IP address and port from whence it came
1.6. Requirements Terminology
Definitions of the primitive terms in this document (such as Security
- Association or SA) can be found in [IPSECARCH]. {{ Clarif-7.2 }} It
- should be noted that parts of IKEv2 rely on some of the processing
- rules in [IPSECARCH], as described in various sections of this
- document.
+ Association or SA) can be found in [IPSECARCH]. It should be noted
+ that parts of IKEv2 rely on some of the processing rules in
+ [IPSECARCH], as described in various sections of this document.
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
+ in [MUSTSHOULD].
+1.7. Differences Between RFC 4306 and This Document
+ {{ Added this entire section, including this recursive remark. }}
-Kaufman, et al. Expires October 26, 2009 [Page 19]
-\f
-Internet-Draft IKEv2bis April 2009
+ This document contains clarifications and amplifications to IKEv2
- in [MUSTSHOULD].
-1.7. Differences Between RFC 4306 and This Document
+Kaufman, et al. Expires January 9, 2010 [Page 19]
+\f
+Internet-Draft IKEv2bis July 2009
- {{ Added this entire section, including this recursive remark. }}
- This document contains clarifications and amplifications to IKEv2
[IKEV2]. The clarifications are mostly based on [Clarif]. The
changes listed in that document were discussed in the IPsec Working
Group and, after the Working Group was disbanded, on the IPsec
of the document. Much of the material from those tables has been
moved into the associated parts of the main body of the document.
- In the body of this document, notes that are enclosed in double curly
- braces {{ such as this }} point out changes from IKEv2. Changes that
- come from [Clarif] are marked with the section from that document,
- such as "{{ Clarif-2.10 }}". Changes that come from moving
- descriptive text out of the tables in Section 3.10.1 are marked with
- that number and the message type that contained the text, such as "{{
- 3.10.1-16384 }}".
-
This document removes discussion of nesting AH and ESP. This was a
mistake in RFC 4306 caused by the lag between finishing RFC 4306 and
RFC 4301. Basically, IKEv2 is based on RFC 4301, which does not
include "SA bundles" that were part of RFC 2401. While a single
packet can go through IPsec processing multiple times, each of these
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 20]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
passes uses a separate SA, and the passes are coordinated by the
forwarding tables. In IKEv2, each of these SAs has to be created
using a separate CREATE_CHILD_SA exchange.
implementations because there were no standardized PRFs that have
fixed-size keys.
- A later version of this document may have all the {{ }} comments
- removed from the body of the document and instead appear in an
- appendix.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 20]
+\f
+Internet-Draft IKEv2bis July 2009
2. IKE Protocol Details and Variations
All IKEv2 implementations MUST be able to send, receive, and process
IKE messages that are up to 1280 octets long, and they SHOULD be able
to send, receive, and process messages that are up to 3000 octets
- long. {{ Demoted the SHOULD }} IKEv2 implementations need to be aware
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 21]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- of the maximum UDP message size supported and MAY shorten messages by
- leaving out some certificates or cryptographic suite proposals if
- that will keep messages below the maximum. Use of the "Hash and URL"
- formats rather than including certificates in exchanges where
- possible can avoid most problems. {{ Demoted the SHOULD }}
- Implementations and configuration need to keep in mind, however, that
- if the URL lookups are possible only after the IPsec SA is
- established, recursion issues could prevent this technique from
- working.
-
- {{ Clarif-7.5 }} The UDP payload of all packets containing IKE
- messages sent on port 4500 MUST begin with the prefix of four zeros;
- otherwise, the receiver won't know how to handle them.
+ long. IKEv2 implementations need to be aware of the maximum UDP
+ message size supported and MAY shorten messages by leaving out some
+ certificates or cryptographic suite proposals if that will keep
+ messages below the maximum. Use of the "Hash and URL" formats rather
+ than including certificates in exchanges where possible can avoid
+ most problems. Implementations and configuration need to keep in
+ mind, however, that if the URL lookups are possible only after the
+ IPsec SA is established, recursion issues could prevent this
+ technique from working.
+
+ The UDP payload of all packets containing IKE messages sent on port
+ 4500 MUST begin with the prefix of four zeros; otherwise, the
+ receiver won't know how to handle them.
2.1. Use of Retransmission Timers
Once the IKE SA is set up, either end of the security association may
initiate requests at any time, and there can be many requests and
responses "in flight" at any given moment. But each message is
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 21]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
labeled as either a request or a response, and for each request/
response pair one end of the security association is the initiator
and the other is the responder.
MUST be bitwise identical to the original request. That is,
everything starting from the IKE Header (the IKE SA Initiator's SPI
onwards) must be bitwise identical; items before it (such as the IP
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 22]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
and UDP headers, and the zero non-ESP marker) do not have to be
identical.
- {{ Clarif-2.3 }} Retransmissions of the IKE_SA_INIT request require
- some special handling. When a responder receives an IKE_SA_INIT
- request, it has to determine whether the packet is a retransmission
- belonging to an existing "half-open" IKE SA (in which case the
- responder retransmits the same response), or a new request (in which
- case the responder creates a new IKE SA and sends a fresh response),
- or it belongs to an existing IKE SA where the IKE_AUTH request has
- been already received (in which case the responder ignores it).
+ Retransmissions of the IKE_SA_INIT request require some special
+ handling. When a responder receives an IKE_SA_INIT request, it has
+ to determine whether the packet is a retransmission belonging to an
+ existing "half-open" IKE SA (in which case the responder retransmits
+ the same response), or a new request (in which case the responder
+ creates a new IKE SA and sends a fresh response), or it belongs to an
+ existing IKE SA where the IKE_AUTH request has been already received
+ (in which case the responder ignores it).
It is not sufficient to use the initiator's SPI and/or IP address to
differentiate between these three cases because two different peers
robust responder will do the IKE SA lookup using the whole packet,
its hash, or the Ni payload.
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 22]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
2.2. Use of Sequence Numbers for Message ID
Every IKE message contains a Message ID as part of its fixed header.
The Message ID is a 32-bit quantity, which is zero for the
IKE_SA_INIT messages (including retries of the message due to
- responses such as COOKIE and INVALID_KE_PAYLOAD {{ Clarif-2.2 }}),
- and incremented for each subsequent exchange. Rekeying an IKE SA
- resets the sequence numbers. Thus, the first pair of IKE_AUTH
- messages will have ID of 1, the second (when EAP is used) will be 2,
- and so on. {{ Clarif-3.10 }}
+ responses such as COOKIE and INVALID_KE_PAYLOAD), and incremented for
+ each subsequent exchange. The Message ID is reset to zero in the new
+ IKE SA after the IKE SA is rekeyed. Rekeying an IKE SA resets the
+ sequence numbers. Thus, the first pair of IKE_AUTH messages will
+ have ID of 1, the second (when EAP is used) will be 2, and so on.
Each endpoint in the IKE Security Association maintains two "current"
Message IDs: the next one to be used for a request it initiates and
the (I)nitiator and (R)esponse bits in the message header specify
which of the four messages a particular one is.
- {{ Clarif-5.9 }} Throughout this document, "initiator" refers to the
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 23]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- party who initiated the exchange being described, and "original
- initiator" refers to the party who initiated the whole IKE SA. The
- "original initiator" always refers to the party who initiated the
- exchange which resulted in the current IKE SA. In other words, if
- the "original responder" starts rekeying the IKE SA, that party
- becomes the "original initiator" of the new IKE SA.
+ Throughout this document, "initiator" refers to the party who
+ initiated the exchange being described, and "original initiator"
+ refers to the party who initiated the whole IKE SA. The "original
+ initiator" always refers to the party who initiated the exchange
+ which resulted in the current IKE SA. In other words, if the
+ "original responder" starts rekeying the IKE SA, that party becomes
+ the "original initiator" of the new IKE SA.
Note that Message IDs are cryptographically protected and provide
protection against message replays. In the unlikely event that
2.3. Window Size for Overlapping Requests
- {{ 3.10.1-16385 }} The SET_WINDOW_SIZE notification asserts that the
- sending endpoint is capable of keeping state for multiple outstanding
- exchanges, permitting the recipient to send multiple requests before
- getting a response to the first. The data associated with a
- SET_WINDOW_SIZE notification MUST be 4 octets long and contain the
- big endian representation of the number of messages the sender
- promises to keep. The window size is always one until the initial
- exchanges complete.
+ The SET_WINDOW_SIZE notification asserts that the sending endpoint is
+ capable of keeping state for multiple outstanding exchanges,
+ permitting the recipient to send multiple requests before getting a
+ response to the first. The data associated with a SET_WINDOW_SIZE
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 23]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ notification MUST be 4 octets long and contain the big endian
+ representation of the number of messages the sender promises to keep.
+ The window size is always one until the initial exchanges complete.
An IKE endpoint MUST wait for a response to each of its messages
before sending a subsequent message unless it has received a
These requests may pass one another over the network. An IKE
endpoint MUST be prepared to accept and process a request while it
has a request outstanding in order to avoid a deadlock in this
- situation. {{ Downgraded the SHOULD }} An IKE endpoint may also
- accept and process multiple requests while it has a request
- outstanding.
+ situation. An IKE endpoint may also accept and process multiple
+ requests while it has a request outstanding.
An IKE endpoint MUST NOT exceed the peer's stated window size for
transmitted IKE requests. In other words, if the responder stated
corresponding response. An IKE endpoint MUST keep a copy of (or be
able to regenerate exactly) the number of previous responses equal to
its declared window size in case its response was lost and the
+ initiator requests its retransmission by retransmitting the request.
+ An IKE endpoint supporting a window size greater than one ought to be
+ capable of processing incoming requests out of order to maximize
+ performance in the event of network failures or packet reordering.
+ The window size is normally a (possibly configurable) property of a
+ particular implementation, and is not related to congestion control
+ (unlike the window size in TCP, for example). In particular, it is
+ not defined what the responder should do when it receives a
+ SET_WINDOW_SIZE notification containing a smaller value than is
+ currently in effect. Thus, there is currently no way to reduce the
+ window size of an existing IKE SA; you can only increase it. When
+ rekeying an IKE SA, the new IKE SA starts with window size 1 until it
+ is explicitly increased by sending a new SET_WINDOW_SIZE
+ notification.
-Kaufman, et al. Expires October 26, 2009 [Page 24]
-\f
-Internet-Draft IKEv2bis April 2009
+ The INVALID_MESSAGE_ID notification is sent when an IKE message ID
+ outside the supported window is received. This Notify MUST NOT be
+ sent in a response; the invalid request MUST NOT be acknowledged.
- initiator requests its retransmission by retransmitting the request.
- An IKE endpoint supporting a window size greater than one ought to be
- capable of processing incoming requests out of order to maximize
- performance in the event of network failures or packet reordering.
+Kaufman, et al. Expires January 9, 2010 [Page 24]
+\f
+Internet-Draft IKEv2bis July 2009
- {{ Clarif-7.3 }} The window size is normally a (possibly
- configurable) property of a particular implementation, and is not
- related to congestion control (unlike the window size in TCP, for
- example). In particular, it is not defined what the responder should
- do when it receives a SET_WINDOW_SIZE notification containing a
- smaller value than is currently in effect. Thus, there is currently
- no way to reduce the window size of an existing IKE SA; you can only
- increase it. When rekeying an IKE SA, the new IKE SA starts with
- window size 1 until it is explicitly increased by sending a new
- SET_WINDOW_SIZE notification.
-
- {{ 3.10.1-9 }}The INVALID_MESSAGE_ID notification is sent when an IKE
- message ID outside the supported window is received. This Notify
- MUST NOT be sent in a response; the invalid request MUST NOT be
- acknowledged. Instead, inform the other side by initiating an
- INFORMATIONAL exchange with Notification data containing the four
- octet invalid message ID. Sending this notification is optional, and
- notifications of this type MUST be rate limited.
+
+ Instead, inform the other side by initiating an INFORMATIONAL
+ exchange with Notification data containing the four octet invalid
+ message ID. Sending this notification is optional, and notifications
+ of this type MUST be rate limited.
2.4. State Synchronization and Connection Timeouts
conditions and not continue to waste network bandwidth by sending
packets over discarded SAs and having them fall into a black hole.
- {{ 3.10.1-16384 }} The INITIAL_CONTACT notification asserts that this
- IKE SA is the only IKE SA currently active between the authenticated
- identities. It MAY be sent when an IKE SA is established after a
- crash, and the recipient MAY use this information to delete any other
- IKE SAs it has to the same authenticated identity without waiting for
- a timeout. This notification MUST NOT be sent by an entity that may
- be replicated (e.g., a roaming user's credentials where the user is
+ The INITIAL_CONTACT notification asserts that this IKE SA is the only
+ IKE SA currently active between the authenticated identities. It MAY
+ be sent when an IKE SA is established after a crash, and the
+ recipient MAY use this information to delete any other IKE SAs it has
+ to the same authenticated identity without waiting for a timeout.
+ This notification MUST NOT be sent by an entity that may be
+ replicated (e.g., a roaming user's credentials where the user is
allowed to connect to the corporate firewall from two remote systems
- at the same time). {{ Clarif-7.9 }} The INITIAL_CONTACT notification,
- if sent, MUST be in the first IKE_AUTH request or response, not as a
- separate exchange afterwards; however, receiving parties MAY ignore
- it in other messages.
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 25]
-\f
-Internet-Draft IKEv2bis April 2009
-
+ at the same time). The INITIAL_CONTACT notification, if sent, MUST
+ be in the first IKE_AUTH request or response, not as a separate
+ exchange afterwards; however, receiving parties MAY ignore it in
+ other messages.
Since IKE is designed to operate in spite of Denial of Service (DoS)
attacks from the network, an endpoint MUST NOT conclude that the
when repeated attempts to contact it have gone unanswered for a
timeout period or when a cryptographically protected INITIAL_CONTACT
notification is received on a different IKE SA to the same
- authenticated identity. {{ Demoted the SHOULD }} An endpoint should
- suspect that the other endpoint has failed based on routing
- information and initiate a request to see whether the other endpoint
- is alive. To check whether the other side is alive, IKE specifies an
- empty INFORMATIONAL message that (like all IKE requests) requires an
- acknowledgement (note that within the context of an IKE SA, an
- "empty" message consists of an IKE header followed by an Encrypted
- payload that contains no payloads). If a cryptographically protected
- (fresh, i.e. not retransmitted) message has been received from the
- other side recently, unprotected notifications MAY be ignored.
- Implementations MUST limit the rate at which they take actions based
- on unprotected messages.
+ authenticated identity. An endpoint should suspect that the other
+ endpoint has failed based on routing information and initiate a
+ request to see whether the other endpoint is alive. To check whether
+ the other side is alive, IKE specifies an empty INFORMATIONAL message
+ that (like all IKE requests) requires an acknowledgement (note that
+ within the context of an IKE SA, an "empty" message consists of an
+ IKE header followed by an Encrypted payload that contains no
+ payloads). If a cryptographically protected (fresh, i.e. not
+ retransmitted) message has been received from the other side
+ recently, unprotected notifications MAY be ignored. Implementations
+ MUST limit the rate at which they take actions based on unprotected
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 25]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ messages.
Numbers of retries and lengths of timeouts are not covered in this
specification because they do not affect interoperability. It is
There is a Denial of Service attack on the initiator of an IKE SA
that can be avoided if the initiator takes the proper care. Since
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 26]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
the first two messages of an SA setup are not cryptographically
protected, an attacker could respond to the initiator's message
before the genuine responder and poison the connection setup attempt.
resources used to hold their state. If an IKE endpoint chooses to
delete Child SAs, it MUST send Delete payloads to the other end
notifying it of the deletion. It MAY similarly time out the IKE SA.
- {{ Clarified the SHOULD }} Closing the IKE SA implicitly closes all
- associated Child SAs. In this case, an IKE endpoint SHOULD send a
- Delete payload indicating that it has closed the IKE SA unless the
- other endpoint is no longer responding.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 26]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ Closing the IKE SA implicitly closes all associated Child SAs. In
+ this case, an IKE endpoint SHOULD send a Delete payload indicating
+ that it has closed the IKE SA unless the other endpoint is no longer
+ responding.
2.5. Version Numbers and Forward Compatibility
This document describes version 2.0 of IKE, meaning the major version
- number is 2 and the minor version number is 0. {{ Restated the
- relationship to RFC 4306 }} This document is a replacement for
- [IKEV2]. It is likely that some implementations will want to support
- version 1.0 and version 2.0, and in the future, other versions.
+ number is 2 and the minor version number is 0. This document is a
+ replacement for [IKEV2]. It is likely that some implementations will
+ want to support version 1.0 and version 2.0, and in the future, other
+ versions.
The major version number should be incremented only if the packet
formats or required actions have changed so dramatically that an
would simply note that its correspondent would not be able to
understand that message and therefore would not send it.
- {{ 3.10.1-5 }} If an endpoint receives a message with a higher major
- version number, it MUST drop the message and SHOULD send an
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 27]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- unauthenticated notification message of type INVALID_MAJOR_VERSION
- containing the highest (closest) version number it supports. If an
- endpoint supports major version n, and major version m, it MUST
- support all versions between n and m. If it receives a message with
- a major version that it supports, it MUST respond with that version
- number. In order to prevent two nodes from being tricked into
- corresponding with a lower major version number than the maximum that
- they both support, IKE has a flag that indicates that the node is
- capable of speaking a higher major version number.
+ If an endpoint receives a message with a higher major version number,
+ it MUST drop the message and SHOULD send an unauthenticated
+ notification message of type INVALID_MAJOR_VERSION containing the
+ highest (closest) version number it supports. If an endpoint
+ supports major version n, and major version m, it MUST support all
+ versions between n and m. If it receives a message with a major
+ version that it supports, it MUST respond with that version number.
+ In order to prevent two nodes from being tricked into corresponding
+ with a lower major version number than the maximum that they both
+ support, IKE has a flag that indicates that the node is capable of
+ speaking a higher major version number.
Thus, the major version number in the IKE header indicates the
version number of the message, not the highest version number that
that the other side can support a higher version number, and they
MUST break the connection and reconnect using version n+1.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 27]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
Note that IKEv1 does not follow these rules, because there is no way
in v1 of noting that you are capable of speaking a higher version
number. So an active attacker can trick two v2-capable nodes into
- speaking v1. {{ Demoted the SHOULD }} When a v2-capable node
- negotiates down to v1, it should note that fact in its logs.
+ speaking v1. When a v2-capable node negotiates down to v1, it should
+ note that fact in its logs.
Also for forward compatibility, all fields marked RESERVED MUST be
set to zero by an implementation running version 2.0, and their
and the payload type is unrecognized, the message MUST be rejected
and the response to the IKE request containing that payload MUST
include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
- unsupported critical payload was included. {{ 3.10.1-1 }} In that
- Notify payload, the notification data contains the one-octet payload
- type. If the critical flag is not set and the payload type is
- unsupported, that payload MUST be ignored. Payloads sent in IKE
- response messages MUST NOT have the critical flag set. Note that the
- critical flag applies only to the payload type, not the contents. If
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 28]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- the payload type is recognized, but the payload contains something
- which is not (such as an unknown transform inside an SA payload, or
- an unknown Notify Message Type inside a Notify payload), the critical
- flag is ignored.
+ unsupported critical payload was included. In that Notify payload,
+ the notification data contains the one-octet payload type. If the
+ critical flag is not set and the payload type is unsupported, that
+ payload MUST be ignored. Payloads sent in IKE response messages MUST
+ NOT have the critical flag set. Note that the critical flag applies
+ only to the payload type, not the contents. If the payload type is
+ recognized, but the payload contains something which is not (such as
+ an unknown transform inside an SA payload, or an unknown Notify
+ Message Type inside a Notify payload), the critical flag is ignored.
- {{ Demoted the SHOULD in the second clause }}Although new payload
- types may be added in the future and may appear interleaved with the
- fields defined in this specification, implementations MUST send the
- payloads defined in this specification in the order shown in the
- figures in Section 2; implementations are explicitly allowed to
- reject as invalid a message with those payloads in any other order.
+ Although new payload types may be added in the future and may appear
+ interleaved with the fields defined in this specification,
+ implementations SHOULD send the payloads defined in this
+ specification in the order shown in the figures in Section 2;
+ implementations MUST NOT reject as invalid a message with those
+ payloads in any other order.
2.6. IKE SA SPIs and Cookies
and IKEv2, although in IKEv2 they are referred to as the "IKE SPI"
and there is a new separate field in a Notify payload holding the
cookie. The initial two eight-octet fields in the header are used as
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 28]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
a connection identifier at the beginning of IKE packets. Each
endpoint chooses one of the two SPIs and MUST choose them so as to be
unique identifiers of an IKE SA. An SPI value of zero is special and
to an SA until it knows the initiator can receive packets at the
address from which it claims to be sending them.
+ When a responder detects a large number of half-open IKE SAs, it
+ SHOULD reply to IKE_SA_INIT requests with a response containing the
+ COOKIE notification. The data associated with this notification MUST
+ be between 1 and 64 octets in length (inclusive), and its generation
+ is described later in this section. If the IKE_SA_INIT response
+ includes the COOKIE notification, the initiator MUST then retry the
+ IKE_SA_INIT request, and include the COOKIE notification containing
+ the received data as the first payload, and all other payloads
+ unchanged. The initial exchange will then be as follows:
+
+
+
+
+
-Kaufman, et al. Expires October 26, 2009 [Page 29]
-\f
-Internet-Draft IKEv2bis April 2009
- When a responder detects a large number of half-open IKE SAs, it
- SHOULD reply to IKE_SA_INIT requests with a response containing the
- COOKIE notification. {{ 3.10.1-16390 }} The data associated with this
- notification MUST be between 1 and 64 octets in length (inclusive),
- and its generation is described later in this section. If the
- IKE_SA_INIT response includes the COOKIE notification, the initiator
- MUST then retry the IKE_SA_INIT request, and include the COOKIE
- notification containing the received data as the first payload, and
- all other payloads unchanged. The initial exchange will then be as
- follows:
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 29]
+\f
+Internet-Draft IKEv2bis July 2009
+
Initiator Responder
-------------------------------------------------------------------
is the SPI assigned by the initiator, while 'B' is the SPI assigned
by the responder.
- {{ Demoted the SHOULD }} An IKE implementation can implement its
- responder cookie generation in such a way as to not require any saved
- state to recognize its valid cookie when the second IKE_SA_INIT
- message arrives. The exact algorithms and syntax they use to
- generate cookies do not affect interoperability and hence are not
- specified here. The following is an example of how an endpoint could
- use cookies to implement limited DOS protection.
+ An IKE implementation can implement its responder cookie generation
+ in such a way as to not require any saved state to recognize its
+ valid cookie when the second IKE_SA_INIT message arrives. The exact
+ algorithms and syntax they use to generate cookies do not affect
+ interoperability and hence are not specified here. The following is
+ an example of how an endpoint could use cookies to implement limited
+ DOS protection.
A good way to do this is to set the responder cookie to be:
responder and periodically changed and | indicates concatenation.
<VersionIDofSecret> should be changed whenever <secret> is
regenerated. The cookie can be recomputed when the IKE_SA_INIT
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 30]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
arrives the second time and compared to the cookie in the received
message. If it matches, the responder knows that the cookie was
generated since the last change to <secret> and that IPi must be the
forge a message 3. Also, incorporating Ni in the hash prevents an
attacker from fetching one one cookie from the other end, and then
initiating many IKE_SA_INIT exchanges all with different initiator
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 30]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
SPIs (and perhaps port numbers) so that the responder thinks that
there are lots of machines behind one NAT box who are all trying to
connect.
with other than the current <VersionIDofSecret>. The responder in
that case MAY reject the message by sending another response with a
new cookie or it MAY keep the old value of <secret> around for a
- short time and accept cookies computed from either one. {{ Demoted
- the SHOULD NOT }} The responder should not accept cookies
- indefinitely after <secret> is changed, since that would defeat part
- of the denial of service protection. {{ Demoted the SHOULD }} The
- responder should change the value of <secret> frequently, especially
- if under attack.
-
- {{ Clarif-2.1 }} In addition to cookies, there are several cases
- where the IKE_SA_INIT exchange does not result in the creation of an
- IKE SA (such as INVALID_KE_PAYLOAD or NO_PROPOSAL_CHOSEN). In such a
- case, sending a zero value for the Responder's SPI is correct. If
- the responder sends a non-zero responder SPI, the initiator should
- not reject the response for only that reason.
-
- {{ Clarif-2.5 }} When one party receives an IKE_SA_INIT request
- containing a cookie whose contents do not match the value expected,
- that party MUST ignore the cookie and process the message as if no
- cookie had been included; usually this means sending a response
- containing a new cookie. The initiator should limit the number of
- cookie exchanges it tries before giving up. An attacker can forge
- multiple cookie responses to the initiator's IKE_SA_INIT message, and
- each of those forged cookie reply will trigger two packets: one
- packet from the initiator to the responder (which will reject those
- cookies), and one reply from responder to initiator that includes the
- correct cookie.
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 31]
-\f
-Internet-Draft IKEv2bis April 2009
-
+ short time and accept cookies computed from either one. The
+ responder should not accept cookies indefinitely after <secret> is
+ changed, since that would defeat part of the denial of service
+ protection. The responder should change the value of <secret>
+ frequently, especially if under attack.
+
+ In addition to cookies, there are several cases where the IKE_SA_INIT
+ exchange does not result in the creation of an IKE SA (such as
+ INVALID_KE_PAYLOAD or NO_PROPOSAL_CHOSEN). In such a case, sending a
+ zero value for the Responder's SPI is correct. If the responder
+ sends a non-zero responder SPI, the initiator should not reject the
+ response for only that reason.
+
+ When one party receives an IKE_SA_INIT request containing a cookie
+ whose contents do not match the value expected, that party MUST
+ ignore the cookie and process the message as if no cookie had been
+ included; usually this means sending a response containing a new
+ cookie. The initiator should limit the number of cookie exchanges it
+ tries before giving up. An attacker can forge multiple cookie
+ responses to the initiator's IKE_SA_INIT message, and each of those
+ forged cookie reply will trigger two packets: one packet from the
+ initiator to the responder (which will reject those cookies), and one
+ reply from responder to initiator that includes the correct cookie.
2.6.1. Interaction of COOKIE and INVALID_KE_PAYLOAD
- {{ This section added by Clarif-2.4 }}
-
There are two common reasons why the initiator may have to retry the
IKE_SA_INIT exchange: the responder requests a cookie or wants a
different Diffie-Hellman group than was included in the KEi payload.
roundtrip is needed also if the initiator includes the cookie in all
retries, but the responder does not support this. For instance, if
the responder includes the SAi1 and KEi payloads in cookie
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 31]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
calculation, it will reject the request by sending a new cookie.
If both peers support including the cookie in all retries, a slightly
choices of IPsec protocols (IKE, ESP, or AH) for the SA as well as
cryptographic algorithms associated with each protocol.
- An SA payload consists of one or more proposals. {{ Clarif-7.13 }}
- Each proposal includes one protocol. Each protocol contains one or
- more transforms -- each specifying a cryptographic algorithm. Each
- transform contains zero or more attributes (attributes are needed
- only if the transform identifier does not completely specify the
- cryptographic algorithm).
+ An SA payload consists of one or more proposals. Each proposal
+ includes one protocol. Each protocol contains one or more transforms
+ -- each specifying a cryptographic algorithm. Each transform
+ contains zero or more attributes (attributes are needed only if the
+ transform identifier does not completely specify the cryptographic
+ algorithm).
This hierarchical structure was designed to efficiently encode
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 32]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
proposals for cryptographic suites when the number of supported
suites is large because multiple values are acceptable for multiple
transforms. The responder MUST choose a single suite, which may be
any subset of the SA proposal following the rules below:
- {{ Clarif-7.13 }} Each proposal contains one protocol. If a proposal
- is accepted, the SA response MUST contain the same protocol. The
- responder MUST accept a single proposal or reject them all and return
- an error. {{ 3.10.1-14 }} The error is given in a notification of
- type NO_PROPOSAL_CHOSEN.
+ Each proposal contains one protocol. If a proposal is accepted, the
+ SA response MUST contain the same protocol. The responder MUST
+ accept a single proposal or reject them all and return an error. The
+ error is given in a notification of type NO_PROPOSAL_CHOSEN.
Each IPsec protocol proposal contains one or more transforms. Each
transform contains a transform type. The accepted cryptographic
ENCR_3DES, ENCR_AES w/keysize 128, ENCR_AES w/keysize 256,
AUTH_HMAC_MD5, and AUTH_HMAC_SHA, the accepted suite MUST contain one
of the ENCR_ transforms and one of the AUTH_ transforms. Thus, six
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 32]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
combinations are acceptable.
If an initiator proposes both normal ciphers with integrity
trick the endpoints into negotiating a weaker suite than a stronger
one that they both prefer.
- {{ Clarif-2.1 }} When the IKE_SA_INIT exchange does not result in the
- creation of an IKE SA due to INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
- or COOKIE (see Section 2.6), the responder's SPI will be zero.
- However, if the responder sends a non-zero responder SPI, the
- initiator should not reject the response for only that reason.
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 33]
-\f
-Internet-Draft IKEv2bis April 2009
-
+ When the IKE_SA_INIT exchange does not result in the creation of an
+ IKE SA due to INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN, or COOKIE (see
+ Section 2.6), the responder's SPI will be zero. However, if the
+ responder sends a non-zero responder SPI, the initiator should not
+ reject the response for only that reason.
2.8. Rekeying
- {{ Demoted the SHOULD }} IKE, ESP, and AH security associations use
- secret keys that should be used only for a limited amount of time and
- to protect a limited amount of data. This limits the lifetime of the
- entire security association. When the lifetime of a security
- association expires, the security association MUST NOT be used. If
- there is demand, new security associations MAY be established.
- Reestablishment of security associations to take the place of ones
- that expire is referred to as "rekeying".
+ IKE, ESP, and AH security associations use secret keys that should be
+ used only for a limited amount of time and to protect a limited
+ amount of data. This limits the lifetime of the entire security
+ association. When the lifetime of a security association expires,
+ the security association MUST NOT be used. If there is demand, new
+ security associations MAY be established. Reestablishment of
+ security associations to take the place of ones that expire is
+ referred to as "rekeying".
To allow for minimal IPsec implementations, the ability to rekey SAs
without restarting the entire IKE SA is optional. An implementation
MAY refuse all CREATE_CHILD_SA requests within an IKE SA. If an SA
has expired or is about to expire and rekeying attempts using the
mechanisms described here fail, an implementation MUST close the IKE
- SA and any associated Child SAs and then MAY start new ones. {{
- Demoted the SHOULD }} Implementations may wish to support in-place
- rekeying of SAs, since doing so offers better performance and is
- likely to reduce the number of packets lost during the transition.
+ SA and any associated Child SAs and then MAY start new ones.
+ Implementations may wish to support in-place rekeying of SAs, since
+ doing so offers better performance and is likely to reduce the number
+ of packets lost during the transition.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 33]
+\f
+Internet-Draft IKEv2bis July 2009
+
To rekey a Child SA within an existing IKE SA, create a new,
equivalent SA (see Section 2.17 below), and when the new one is
the old IKE SA. Note that, when rekeying, the new Child SA MAY have
different traffic selectors and algorithms than the old one.
- {{ Demoted the SHOULD }} SAs should be rekeyed proactively, i.e., the
- new SA should be established before the old one expires and becomes
- unusable. Enough time should elapse between the time the new SA is
- established and the old one becomes unusable so that traffic can be
- switched over to the new SA.
+ SAs should be rekeyed proactively, i.e., the new SA should be
+ established before the old one expires and becomes unusable. Enough
+ time should elapse between the time the new SA is established and the
+ old one becomes unusable so that traffic can be switched over to the
+ new SA.
A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes
were negotiated. In IKEv2, each end of the SA is responsible for
the rekeying. If an SA has been inactive for a long time and if an
endpoint would not initiate the SA in the absence of traffic, the
endpoint MAY choose to close the SA instead of rekeying it when its
- lifetime expires. {{ Demoted the SHOULD }} It should do so if there
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 34]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- has been no traffic since the last time the SA was rekeyed.
+ lifetime expires. It should do so if there has been no traffic since
+ the last time the SA was rekeyed.
Note that IKEv2 deliberately allows parallel SAs with the same
traffic selectors between common endpoints. One of the purposes of
those endpoints, so the IKEv1 rekeying heuristic of deleting SAs on
the basis of duplicate traffic selectors SHOULD NOT be used.
- {{ Demoted the SHOULD }} The node that initiated the surviving
- rekeyed SA should delete the replaced SA after the new one is
- established.
+ The node that initiated the surviving rekeyed SA should delete the
+ replaced SA after the new one is established.
There are timing windows -- particularly in the presence of lost
packets -- where endpoints may not agree on the state of an SA. The
is no ambiguity for the initiator. The initiator MAY begin sending
on an SA as soon as it processes the response. The initiator,
however, cannot receive on a newly created SA until it receives and
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 34]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
processes the response to its CREATE_CHILD_SA request. How, then, is
the responder to know when it is OK to send on the newly created SA?
replaced SA. When rekeying an SA, the responder continues to send
traffic on the old SA until one of those events occurs. When
establishing a new SA, the responder MAY defer sending messages on a
- new SA until either it receives one or a timeout has occurred. {{
- Demoted the SHOULD }} If an initiator receives a message on an SA for
- which it has not received a response to its CREATE_CHILD_SA request,
- it interprets that as a likely packet loss and retransmits the
- CREATE_CHILD_SA request. An initiator MAY send a dummy message on a
- newly created SA if it has no messages queued in order to assure the
- responder that the initiator is ready to receive messages.
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 35]
-\f
-Internet-Draft IKEv2bis April 2009
-
+ new SA until either it receives one or a timeout has occurred. If an
+ initiator receives a message on an SA for which it has not received a
+ response to its CREATE_CHILD_SA request, it interprets that as a
+ likely packet loss and retransmits the CREATE_CHILD_SA request. An
+ initiator MAY send a dummy message on a newly created SA if it has no
+ messages queued in order to assure the responder that the initiator
+ is ready to receive messages.
2.8.1. Simultaneous Child SA rekeying
- {{ The first two paragraphs were moved, and the rest was added, based
- on Clarif-5.11 }}
-
If the two ends have the same lifetime policies, it is possible that
both will initiate a rekeying at the same time (which will result in
redundant SAs). To reduce the probability of this happening, the
receive packets, a node MUST accept incoming packets through either
SA. If redundant SAs are created though such a collision, the SA
created with the lowest of the four nonces used in the two exchanges
- SHOULD be closed by the endpoint that created it. {{ Clarif-5.10 }}
- "Lowest" means an octet-by-octet, lexicographical comparison (instead
- of, for instance, comparing the nonces as large integers). In other
- words, start by comparing the first octet; if they're equal, move to
- the next octet, and so on. If you reach the end of one nonce, that
- nonce is the lower one.
+ SHOULD be closed by the endpoint that created it. "Lowest" means an
+ octet-by-octet, lexicographical comparison (instead of, for instance,
+ comparing the nonces as large integers). In other words, start by
+ comparing the first octet; if they're equal, move to the next octet,
+ and so on. If you reach the end of one nonce, that nonce is the
+ lower one.
The following is an explanation on the impact this has on
implementations. Assume that hosts A and B have an existing IPsec SA
pair with SPIs (SPIa1,SPIb1), and both start rekeying it at the same
time:
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 35]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
Host A Host B
-------------------------------------------------------------------
send req1: N(REKEY_SA,SPIa1),
Now B also knows that simultaneous rekeying is going on. It responds
as usual.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 36]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
<-- send resp1: SA(..,SPIb3,..),
Nr2,..
recv resp1 <--
retransmissions. The rekeying begins as usual, but A's first packet
(req1) is lost.
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 36]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
Host A Host B
-------------------------------------------------------------------
send req1: N(REKEY_SA,SPIa1),
resend req1 -->
--> recv req1
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 37]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
To B, it looks like A is trying to rekey an SA that no longer exists;
thus, B responds to the request with something non-fatal such as
NO_PROPOSAL_CHOSEN.
However, there is a twist to the other case where one rekeying
finishes first:
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 37]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
Host A Host B
-------------------------------------------------------------------
send req1:
<-- send resp3: ()
-
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 38]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
2.8.3. Rekeying the IKE SA Versus Reauthentication
- {{ Added this section from Clarif-5.2 }}
-
Rekeying the IKE SA and reauthentication are different concepts in
IKEv2. Rekeying the IKE SA establishes new keys for the IKE SA and
resets the Message ID counters, but it does not authenticate the
reauthentication has to be initiated by the same party as the
original IKE SA. IKEv2 does not currently allow the responder to
request reauthentication in this case; however, there are extensions
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 38]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
that add this functionality such as [REAUTH].
2.9. Traffic Selector Negotiation
- {{ Clarif-7.2 }} When an RFC4301-compliant IPsec subsystem receives
- an IP packet that matches a "protect" selector in its Security Policy
- Database (SPD), the subsystem protects that packet with IPsec. When
- no SA exists yet, it is the task of IKE to create it. Maintenance of
- a system's SPD is outside the scope of IKE (see [PFKEY] for an
- example protocol, although it only applies to IKEv1), though some
- implementations might update their SPD in connection with the running
- of IKE (for an example scenario, see Section 1.1.3).
+ When an RFC4301-compliant IPsec subsystem receives an IP packet that
+ matches a "protect" selector in its Security Policy Database (SPD),
+ the subsystem protects that packet with IPsec. When no SA exists
+ yet, it is the task of IKE to create it. Maintenance of a system's
+ SPD is outside the scope of IKE (see [PFKEY] for an example
+ programming interface, although it only applies to IKEv1), though
+ some implementations might update their SPD in connection with the
+ running of IKE (for an example scenario, see Section 1.1.3).
Traffic Selector (TS) payloads allow endpoints to communicate some of
the information from their SPD to their peers. TS payloads specify
the selection criteria for packets that will be forwarded over the
newly set up SA. This can serve as a consistency check in some
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 39]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
scenarios to assure that the SPDs are consistent. In others, it
guides the dynamic update of the SPD.
by the initiator. This could happen when the configurations of the
two endpoints are being updated but only one end has received the new
information. Since the two endpoints may be configured by different
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 39]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
people, the incompatibility may persist for an extended period even
in the absence of errors. It also allows for intentionally different
configurations, as when one end is configured to tunnel all addresses
initiator SHOULD include as the first traffic selector in each of TSi
and TSr a very specific traffic selector including the addresses in
the packet triggering the request. In the example, the initiator
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 40]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
would include in TSi two traffic selectors: the first containing the
address range (192.0.1.43 - 192.0.1.43) and the source port and IP
protocol from the packet and the second containing (192.0.1.0 -
case, the first values in TSi and TSr can be ranges rather than
specific values.
- The responder performs the narrowing as follows: {{ Clarif-4.10 }}
+ The responder performs the narrowing as follows:
o If the responder's policy does not allow it to accept any part of
the proposed traffic selectors, it responds with TS_UNACCEPTABLE.
subset of TSi and TSr.
When narrowing is done, there may be several subsets that are
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 40]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
acceptable but their union is not. In this case, the responder
arbitrarily chooses one of them, and MAY include an
- ADDITIONAL_TS_POSSIBLE notification in the response. {{ 3.10.1-16386
- }} The ADDITIONAL_TS_POSSIBLE notification asserts that the responder
+ ADDITIONAL_TS_POSSIBLE notification in the response. The
+ ADDITIONAL_TS_POSSIBLE notification asserts that the responder
narrowed the proposed traffic selectors but that other traffic
selectors would also have been acceptable, though only in a separate
SA. There is no data associated with this Notify type. This case
will occur only when the initiator and responder are configured
differently from one another. If the initiator and responder agree
on the granularity of tunnels, the initiator will never request a
- tunnel wider than the responder will accept. {{ Demoted the SHOULD }}
- Such misconfigurations should be recorded in error logs.
+ tunnel wider than the responder will accept. Such misconfigurations
+ should be recorded in error logs.
It is possible for the responder's policy to contain multiple smaller
ranges, all encompassed by the initiator's traffic selector, and with
the responder's policy being that each of those ranges should be sent
over a different SA. Continuing the example above, the responder
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 41]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
might have a policy of being willing to tunnel those addresses to and
from the initiator, but might require that each address pair be on a
separately negotiated Child SA. If the initiator generated its
would have to make a guess or reject the request with a status of
SINGLE_PAIR_REQUIRED.
- {{ 3.10.1-34 }} The SINGLE_PAIR_REQUIRED error indicates that a
- CREATE_CHILD_SA request is unacceptable because its sender is only
- willing to accept traffic selectors specifying a single pair of
- addresses. The requestor is expected to respond by requesting an SA
- for only the specific traffic it is trying to forward.
+ The SINGLE_PAIR_REQUIRED error indicates that a CREATE_CHILD_SA
+ request is unacceptable because its sender is only willing to accept
+ traffic selectors specifying a single pair of addresses. The
+ requestor is expected to respond by requesting an SA for only the
+ specific traffic it is trying to forward.
- {{ Clarif-4.11 }} Few implementations will have policies that require
- separate SAs for each address pair. Because of this, if only some
- parts of the TSi and TSr proposed by the initiator are acceptable to
- the responder, responders SHOULD narrow the selectors to an
- acceptable subset rather than use SINGLE_PAIR_REQUIRED.
+ Few implementations will have policies that require separate SAs for
+ each address pair. Because of this, if only some parts of the TSi
+ and TSr proposed by the initiator are acceptable to the responder,
+ responders SHOULD narrow the selectors to an acceptable subset rather
+ than use SINGLE_PAIR_REQUIRED.
2.9.1. Traffic Selectors Violating Own Policy
- {{ Clarif-4.12 }}
-
When creating a new SA, the initiator needs to avoid proposing
traffic selectors that violate its own policy. If this rule is not
followed, valid traffic may be dropped. If you use decorrelated
This is best illustrated by an example. Suppose that host A has a
policy whose effect is that traffic to 192.0.1.66 is sent via host B
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 41]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
encrypted using AES, and traffic to all other hosts in 192.0.1.0/24
is also sent via B, but must use 3DES. Suppose also that host B
accepts any combination of AES and 3DES.
((192.0.1.0-192.0.1.65),(192.0.1.67-192.0.1.255)) instead.
In general, if (1) the initiator makes a proposal "for traffic X
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 42]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
(TSi/TSr), do SA", and (2) for some subset X' of X, the initiator
does not actually accept traffic X' with SA, and (3) the initiator
would be willing to accept traffic X' with some SA' (!=SA), valid
be randomly chosen, MUST be at least 128 bits in size, and MUST be at
least half the key size of the negotiated prf. ("prf" refers to
"pseudo-random function", one of the cryptographic algorithms
- negotiated in the IKE exchange.) {{ Clarif-7.4 }} However, the
- initiator chooses the nonce before the outcome of the negotiation is
- known. Because of that, the nonce has to be long enough for all the
- PRFs being proposed. If the same random number source is used for
- both keys and nonces, care must be taken to ensure that the latter
- use does not compromise the former.
+ negotiated in the IKE exchange.) However, the initiator chooses the
+ nonce before the outcome of the negotiation is known. Because of
+ that, the nonce has to be long enough for all the PRFs being
+ proposed. If the same random number source is used for both keys and
+ nonces, care must be taken to ensure that the latter use does not
+ compromise the former.
2.11. Address and Port Agility
Network Address Translation (NAT) boxes. An implementation MUST
accept incoming requests even if the source port is not 500 or 4500,
and MUST respond to the address and port from which the request was
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 42]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
received. It MUST specify the address and port at which the request
was received as the source address and port in the response. IKE
functions identically over IPv4 or IPv6.
conversation without doing a brute force search of the session key
space.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 43]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
Achieving perfect forward secrecy requires that when a connection is
closed, each endpoint MUST forget not only the keys used by the
connection but also any information that could be used to recompute
negotiated: an encryption algorithm, an integrity protection
algorithm, a Diffie-Hellman group, and a pseudo-random function
(prf). The pseudo-random function is used for the construction of
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 43]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
keying material for all of the cryptographic algorithms used in both
the IKE SA and the Child SAs.
Code (HMAC), the fixed key size is the size of the output of the
underlying hash function.
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 44]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
It is assumed that pseudo-random functions (PRFs) accept keys of any
length, but have a preferred key size. The preferred key size is
used as the length of SK_d, SK_pi, and SK_pr (see Section 2.14). For
is a single octet. prf+ in this document is not defined beyond 255
times the size of the prf output.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 44]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
2.14. Generating Keying Material for the IKE SA
The shared keys are computed as follows. A quantity called SKEYSEED
SKEYSEED and its derivatives are computed as follows:
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 45]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr }
octet of the last payload in the second message. Appended to this
(for purposes of computing the signature) are the initiator's nonce
Ni (just the value, not the payload containing it), and the value
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 45]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
prf(SK_pr,IDr') where IDr' is the responder's ID payload excluding
the fixed header. Note that neither the nonce Ni nor the value
prf(SK_pr,IDr') are transmitted. Similarly, the initiator signs the
entire ID payloads excluding the fixed header. It is critical to the
security of the exchange that each side sign the other side's nonce.
- {{ Clarif-3.1 }}
-
The initiator's signed octets can be described as:
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 46]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
the initiator and responder sign with the same cryptographic
algorithms. The choice of cryptographic algorithms depends on the
type of key each has. In particular, the initiator may be using a
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 46]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
shared key while the responder may have a public signature key and
certificate. It will commonly be the case (but it is not required)
that if a shared secret is used for authentication that the same key
attacks are not prevented in this authentication method.
(Applications using password-based authentication for bootstrapping
and IKE SA should use the authentication method in Section 2.16,
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 47]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- which is designed to prevent off-line dictionary attacks.) {{ Demoted
- the SHOULD }} The pre-shared key needs to contain as much
- unpredictability as the strongest key being negotiated. In the case
- of a pre-shared key, the AUTH value is computed as:
+ which is designed to prevent off-line dictionary attacks.) The pre-
+ shared key needs to contain as much unpredictability as the strongest
+ key being negotiated. In the case of a pre-shared key, the AUTH
+ value is computed as:
For the initiator:
AUTH = prf( prf( Shared Secret,"Key Pad for IKEv2"),
3748 [EAP]. Typically, these methods are asymmetric (designed for a
user authenticating to a server), and they may not be mutual. For
this reason, these protocols are typically used to authenticate the
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 47]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
initiator to the responder and MUST be used in conjunction with a
public key signature based authentication of the responder to the
initiator. These methods are often associated with mechanisms
additional IKE_AUTH exchanges that MUST be completed in order to
initialize the IKE SA.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 48]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
An initiator indicates a desire to use extensible authentication by
leaving out the AUTH payload from message 3. By including an IDi
payload but not an AUTH payload, the initiator has declared an
HDR, SK {AUTH} -->
<-- HDR, SK {AUTH, SAr2, TSi, TSr }
- {{ Clarif-3.10 }} As described in Section 2.2, when EAP is used, each
- pair of IKE SA initial setup messages will have their message numbers
- incremented; the first pair of AUTH messages will have an ID of 1,
- the second will be 2, and so on.
+ As described in Section 2.2, when EAP is used, each pair of IKE SA
+ initial setup messages will have their message numbers incremented;
+ the first pair of AUTH messages will have an ID of 1, the second will
+ be 2, and so on.
For EAP methods that create a shared key as a side effect of
authentication, that shared key MUST be used by both the initiator
syntax for shared secrets specified in Section 2.15. The shared key
from EAP is the field from the EAP specification named MSK. This
shared key generated during an IKE exchange MUST NOT be used for any
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 48]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
other purpose.
EAP methods that do not establish a shared key SHOULD NOT be used, as
shared key are used, the AUTH payloads in messages 7 and 8 MUST be
generated using SK_pi and SK_pr, respectively.
- {{ Demoted the SHOULD }} The initiator of an IKE SA using EAP needs
- to be capable of extending the initial protocol exchange to at least
- ten IKE_AUTH exchanges in the event the responder sends notification
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 49]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- messages and/or retries the authentication prompt. Once the protocol
- exchange defined by the chosen EAP authentication method has
- successfully terminated, the responder MUST send an EAP payload
- containing the Success message. Similarly, if the authentication
- method has failed, the responder MUST send an EAP payload containing
- the Failure message. The responder MAY at any time terminate the IKE
- exchange by sending an EAP payload containing the Failure message.
+ The initiator of an IKE SA using EAP needs to be capable of extending
+ the initial protocol exchange to at least ten IKE_AUTH exchanges in
+ the event the responder sends notification messages and/or retries
+ the authentication prompt. Once the protocol exchange defined by the
+ chosen EAP authentication method has successfully terminated, the
+ responder MUST send an EAP payload containing the Success message.
+ Similarly, if the authentication method has failed, the responder
+ MUST send an EAP payload containing the Failure message. The
+ responder MAY at any time terminate the IKE exchange by sending an
+ EAP payload containing the Failure message.
Following such an extended exchange, the EAP AUTH payloads MUST be
included in the two messages following the one containing the EAP
Success message.
- {{ Clarif-3.5 }} When the initiator authentication uses EAP, it is
- possible that the contents of the IDi payload is used only for AAA
- routing purposes and selecting which EAP method to use. This value
- may be different from the identity authenticated by the EAP method.
- It is important that policy lookups and access control decisions use
- the actual authenticated identity. Often the EAP server is
- implemented in a separate AAA server that communicates with the IKEv2
- responder. In this case, the authenticated identity has to be sent
- from the AAA server to the IKEv2 responder.
+ When the initiator authentication uses EAP, it is possible that the
+ contents of the IDi payload is used only for AAA routing purposes and
+ selecting which EAP method to use. This value may be different from
+ the identity authenticated by the EAP method. It is important that
+ policy lookups and access control decisions use the actual
+ authenticated identity. Often the EAP server is implemented in a
+ separate AAA server that communicates with the IKEv2 responder. In
+ this case, the authenticated identity has to be sent from the AAA
+ server to the IKEv2 responder.
2.17. Generating Keying Material for Child SAs
CREATE_CHILD_SA exchange if this is a subsequent creation.
For CREATE_CHILD_SA exchanges including an optional Diffie-Hellman
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 49]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
exchange, the keying material is defined as:
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr )
associations (one in each direction). Keying material MUST be taken
from the expanded KEYMAT in the following order:
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 50]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
o The encryption key (if any) for the SA carrying data from the
initiator to the responder.
2.18. Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange
The CREATE_CHILD_SA exchange can be used to rekey an existing IKE SA
- (see Section 2.8). {{ Clarif-5.3 }} New initiator and responder SPIs
- are supplied in the SPI fields in the Proposal structures inside the
- Security Association (SA) payloads (not the SPI fields in the IKE
- header). The TS payloads are omitted when rekeying an IKE SA.
- SKEYSEED for the new IKE SA is computed using SK_d from the existing
- IKE SA as follows:
+ (see Section 2.8). New initiator and responder SPIs are supplied in
+ the SPI fields in the Proposal structures inside the Security
+ Association (SA) payloads (not the SPI fields in the IKE header).
+ The TS payloads are omitted when rekeying an IKE SA. SKEYSEED for
+ the new IKE SA is computed using SK_d from the existing IKE SA as
+ follows:
SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr)
make it the length of the modulus) and Ni and Nr are the two nonces
stripped of any headers.
- {{ Clarif-5.5 }} The old and new IKE SA may have selected a different
- PRF. Because the rekeying exchange belongs to the old IKE SA, it is
- the old IKE SA's PRF that is used.
- {{ Clarif-5.12}} The main reason for rekeying the IKE SA is to ensure
- that the compromise of old keying material does not provide
- information about the current keys, or vice versa. Therefore,
- implementations MUST perform a new Diffie-Hellman exchange when
- rekeying the IKE SA. In other words, an initiator MUST NOT propose
- the value "NONE" for the D-H transform, and a responder MUST NOT
- accept such a proposal. This means that a succesful exchange
- rekeying the IKE SA always includes the KEi/KEr payloads.
+Kaufman, et al. Expires January 9, 2010 [Page 50]
+\f
+Internet-Draft IKEv2bis July 2009
-Kaufman, et al. Expires October 26, 2009 [Page 51]
-\f
-Internet-Draft IKEv2bis April 2009
+ The old and new IKE SA may have selected a different PRF. Because
+ the rekeying exchange belongs to the old IKE SA, it is the old IKE
+ SA's PRF that is used.
+ The main reason for rekeying the IKE SA is to ensure that the
+ compromise of old keying material does not provide information about
+ the current keys, or vice versa. Therefore, implementations MUST
+ perform a new Diffie-Hellman exchange when rekeying the IKE SA. In
+ other words, an initiator MUST NOT propose the value "NONE" for the
+ D-H transform, and a responder MUST NOT accept such a proposal. This
+ means that a succesful exchange rekeying the IKE SA always includes
+ the KEi/KEr payloads.
The new IKE SA MUST reset its message counters to 0.
SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as
- specified in Section 2.14.
+ specified in Section 2.14, using SPIi, SPIr, Ni, and Nr from the new
+ exchange.
2.19. Requesting an Internal Address on a Remote Network
CP(CFG_REPLY), SAr2,
TSi, TSr}
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 51]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
In all cases, the CP payload MUST be inserted before the SA payload.
In variations of the protocol where there are multiple IKE_AUTH
exchanges, the CP payloads MUST be inserted in the messages
For example, message from initiator to responder:
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 52]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
CP(CFG_REQUEST)=
INTERNAL_ADDRESS()
TSi = (0, 0-65535,0.0.0.0-255.255.255.255)
were not included in CP(CFG_REQUEST) and MAY ignore the non-
mandatory attributes that it does not support.
- {{ 3.10.1-37 }} The FAILED_CP_REQUIRED notification is sent by
- responder in the case where CP(CFG_REQUEST) was expected but not
- received, and so is a conflict with locally configured policy. There
- is no associated data.
+ The FAILED_CP_REQUIRED notification is sent by responder in the case
+ where CP(CFG_REQUEST) was expected but not received, and so is a
+ conflict with locally configured policy. There is no associated
+ data.
The responder MUST NOT send a CFG_REPLY without having first received
a CP(CFG_REQUEST) from the initiator, because we do not want the IRAS
Child SA creation fail. The initiator can fix this by later starting
a new configuration payload request.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 52]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
2.19.1. Configuration Payloads
Editor's note: some of this sub-section is redundant and will go away
In support of the scenario described in Section 1.1.3, an initiator
may request that the responder assign an IP address and tell the
- initiator what it is. {{ Clarif-6.1 }} That request is done using
- configuration payloads, not traffic selectors. An address in a TSi
- payload in a response does not mean that the responder has assigned
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 53]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
- that address to the initiator: it only means that if packets matching
- these traffic selectors are sent by the initiator, IPsec processing
- can be performed as agreed for this SA.
+ initiator what it is. That request is done using configuration
+ payloads, not traffic selectors. An address in a TSi payload in a
+ response does not mean that the responder has assigned that address
+ to the initiator: it only means that if packets matching these
+ traffic selectors are sent by the initiator, IPsec processing can be
+ performed as agreed for this SA.
Configuration payloads are of type CFG_REQUEST/CFG_REPLY or CFG_SET/
CFG_ACK (see CFG Type in the payload description below). CFG_REQUEST
requested or the request is badly formatted.
"CFG_SET/CFG_ACK" allows an IKE endpoint to push configuration data
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 53]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
to its peer. In this case, the CFG_SET Configuration Payload
contains attributes the initiator wants its peer to alter. The
responder MUST return a Configuration Payload if it accepted any of
empty CFG_ACK payload or a response message without a CFG_ACK
payload. There are currently no defined uses for the CFG_SET/CFG_ACK
exchange, though they may be used in connection with extensions based
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 54]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
on Vendor IDs. An minimal implementation of this specification MAY
ignore CFG_SET payloads.
- {{ Demoted the SHOULD }} Extensions via the CP payload should not be
- used for general purpose management. Its main intent is to provide a
- bootstrap mechanism to exchange information within IPsec from IRAS to
- IRAC. While it MAY be useful to use such a method to exchange
- information between some Security Gateways (SGW) or small networks,
- existing management protocols such as DHCP [DHCP], RADIUS [RADIUS],
- SNMP, or LDAP [LDAP] should be preferred for enterprise management as
- well as subsequent information exchanges.
+ Extensions via the CP payload should not be used for general purpose
+ management. Its main intent is to provide a bootstrap mechanism to
+ exchange information within IPsec from IRAS to IRAC. While it MAY be
+ useful to use such a method to exchange information between some
+ Security Gateways (SGW) or small networks, existing management
+ protocols such as DHCP [DHCP], RADIUS [RADIUS], SNMP, or LDAP [LDAP]
+ should be preferred for enterprise management as well as subsequent
+ information exchanges.
2.20. Requesting the Peer's Version
CP(CFG_REPLY) APPLICATION_VERSION("foobar v1.3beta, (c) Foo Bar
Inc.")
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 54]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
2.21. Error Handling
There are many kinds of errors that can occur during IKE processing.
problem.
Errors that occur before a cryptographically protected IKE SA is
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 55]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
established must be handled very carefully. There is a trade-off
between wanting to be helpful in diagnosing a problem and responding
to it and wanting to avoid being a dupe in a denial of service attack
response is sent, the response MUST be sent to the IP address and
port from whence it came with the same IKE SPIs and the Message ID
copied. The response MUST NOT be cryptographically protected and
- MUST contain a Notify payload indicating INVALID_IKE_SPI. {{ 3.10.1-4
- }} The INVALID_IKE_SPI notification indicates an IKE message was
- received with an unrecognized destination SPI; this usually indicates
- that the recipient has rebooted and forgotten the existence of an IKE
- SA.
+ MUST contain a Notify payload indicating INVALID_IKE_SPI. The
+ INVALID_IKE_SPI notification indicates an IKE message was received
+ with an unrecognized destination SPI; this usually indicates that the
+ recipient has rebooted and forgotten the existence of an IKE SA.
A node receiving such an unprotected Notify payload MUST NOT respond
and MUST NOT change the state of any existing SAs. The message might
be a forgery or might be a response the genuine correspondent was
- tricked into sending. {{ Demoted two SHOULDs }} A node should treat
- such a message (and also a network message like ICMP destination
- unreachable) as a hint that there might be problems with SAs to that
- IP address and should initiate a liveness test for any such IKE SA.
- An implementation SHOULD limit the frequency of such tests to avoid
- being tricked into participating in a denial of service attack.
+ tricked into sending. A node should treat such a message (and also a
+ network message like ICMP destination unreachable) as a hint that
+ there might be problems with SAs to that IP address and should
+ initiate a liveness test for any such IKE SA. An implementation
+ SHOULD limit the frequency of such tests to avoid being tricked into
+ participating in a denial of service attack.
A node receiving a suspicious message from an IP address with which
it has an IKE SA MAY send an IKE Notify payload in an IKE
- INFORMATIONAL exchange over that SA. {{ Demoted the SHOULD }} The
- recipient MUST NOT change the state of any SAs as a result, but may
- wish to audit the event to aid in diagnosing malfunctions. A node
- MUST limit the rate at which it will send messages in response to
- unprotected messages.
+ INFORMATIONAL exchange over that SA. The recipient MUST NOT change
+ the state of any SAs as a result, but may wish to audit the event to
+ aid in diagnosing malfunctions. A node MUST limit the rate at which
+ it will send messages in response to unprotected messages.
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 55]
+\f
+Internet-Draft IKEv2bis July 2009
+
2.22. IPComp
corresponding ESP or AH SA goes away. It is not explicitly mentioned
in any DELETE payload.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 56]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
Negotiation of IP compression is separate from the negotiation of
cryptographic parameters associated with a Child SA. A node
requesting a Child SA MAY advertise its support for one or more
Notify payload of type IPCOMP_SUPPORTED. These payloads MUST NOT
occur in messages that do not contain SA payloads.
- {{ 3.10.1-16387 }}The data associated with this notification includes
- a two-octet IPComp CPI followed by a one-octet transform ID
- optionally followed by attributes whose length and format are defined
- by that transform ID. A message proposing an SA may contain multiple
- IPCOMP_SUPPORTED notifications to indicate multiple supported
- algorithms. A message accepting an SA may contain at most one.
+ The data associated with this notification includes a two-octet
+ IPComp CPI followed by a one-octet transform ID optionally followed
+ by attributes whose length and format are defined by that transform
+ ID. A message proposing an SA may contain multiple IPCOMP_SUPPORTED
+ notifications to indicate multiple supported algorithms. A message
+ accepting an SA may contain at most one.
The transform IDs currently defined are:
MUST NOT compress using an algorithm other than one proposed and
accepted in the setup of the Child SA.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 56]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
A side effect of separating the negotiation of IPComp from
cryptographic parameters is that it is not possible to propose
multiple cryptographic suites and propose IP compression with some of
appropriate than IP Compression. [ROHCV2] defines the use of ROHC
with IKEv2 and IPsec.
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 57]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
2.23. NAT Traversal
Network Address Translation (NAT) gateways are a controversial
cannot correct the checksums because they are cryptographically
protected. Even in tunnel mode, there are routing problems because
transparently translating the addresses of AH and ESP packets
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 57]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
requires special logic in the NAT and that logic is heuristic and
unreliable in nature. For that reason, IKEv2 will use UDP
encapsulation of IKE and ESP packets. This encoding is slightly less
It is a common practice of NATs to translate TCP and UDP port numbers
as well as addresses and use the port numbers of inbound packets to
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 58]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
decide which internal node should get a given packet. For this
reason, even though IKE packets MUST be sent from and to UDP port 500
or 4500, they MUST be accepted coming from any port and responses
IKE payloads because the payloads are cryptographically protected and
could not be transparently modified by NATs.
- Port 4500 is reserved for UDP-encapsulated ESP and IKE. {{ Clarif-7.6
- }} An IPsec endpoint that discovers a NAT between it and its
- correspondent MUST send all subsequent traffic from port 4500, which
- NATs should not treat specially (as they might with port 500).
+ Port 4500 is reserved for UDP-encapsulated ESP and IKE. An IPsec
+ endpoint that discovers a NAT between it and its correspondent MUST
+ send all subsequent traffic from port 4500, which NATs should not
+ treat specially (as they might with port 500).
An initiator can float to port 4500, regardless whether or not there
is NAT, even at the beginning of IKE. When either side is using port
NAT_DETECTION_DESTINATION_IP. Those payloads can be used to
detect if there is NAT between the hosts, and which end is behind
the NAT. The location of the payloads in the IKE_SA_INIT packets
- is just after the Ni and Nr payloads (before the optional CERTREQ
- payload).
- o {{ 3.10.1-16388 }} The data associated with the
- NAT_DETECTION_SOURCE_IP notification is a SHA-1 digest of the SPIs
- (in the order they appear in the header), IP address, and port on
- which this packet was sent. There MAY be multiple
- NAT_DETECTION_SOURCE_IP payloads in a message if the sender does
- not know which of several network attachments will be used to send
-
-Kaufman, et al. Expires October 26, 2009 [Page 59]
+Kaufman, et al. Expires January 9, 2010 [Page 58]
\f
-Internet-Draft IKEv2bis April 2009
-
+Internet-Draft IKEv2bis July 2009
- the packet.
- o {{ 3.10.1-16389 }} The data associated with the
- NAT_DETECTION_DESTINATION_IP notification is a SHA-1 digest of the
- SPIs (in the order they appear in the header), IP address, and
- port to which this packet was sent.
+ is just after the Ni and Nr payloads (before the optional CERTREQ
+ payload).
- o {{ 3.10.1-16388 }} {{ 3.10.1-16389 }} The recipient of either the
- NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP
- notification MAY compare the supplied value to a SHA-1 hash of the
- SPIs, source IP address, and port, and if they don't match it
- SHOULD enable NAT traversal. In the case of a mismatching
- NAT_DETECTION_SOURCE_IP hash, the recipient MAY reject the
- connection attempt if NAT traversal is not supported. In the case
- of a mismatching NAT_DETECTION_DESTINATION_IP hash, it means that
- the system receiving the NAT_DETECTION_DESTINATION_IP payload is
- behind a NAT and that system SHOULD start sending keepalive
- packets as defined in [UDPENCAPS]; alternately, it MAY reject the
- connection attempt if NAT traversal is not supported.
+ o The data associated with the NAT_DETECTION_SOURCE_IP notification
+ is a SHA-1 digest of the SPIs (in the order they appear in the
+ header), IP address, and port on which this packet was sent.
+ There MAY be multiple NAT_DETECTION_SOURCE_IP payloads in a
+ message if the sender does not know which of several network
+ attachments will be used to send the packet.
+
+ o The data associated with the NAT_DETECTION_DESTINATION_IP
+ notification is a SHA-1 digest of the SPIs (in the order they
+ appear in the header), IP address, and port to which this packet
+ was sent.
+
+ o The recipient of either the NAT_DETECTION_SOURCE_IP or
+ NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied
+ value to a SHA-1 hash of the SPIs, source IP address, and port,
+ and if they don't match it SHOULD enable NAT traversal. In the
+ case of a mismatching NAT_DETECTION_SOURCE_IP hash, the recipient
+ MAY reject the connection attempt if NAT traversal is not
+ supported. In the case of a mismatching
+ NAT_DETECTION_DESTINATION_IP hash, it means that the system
+ receiving the NAT_DETECTION_DESTINATION_IP payload is behind a NAT
+ and that system SHOULD start sending keepalive packets as defined
+ in [UDPENCAPS]; alternately, it MAY reject the connection attempt
+ if NAT traversal is not supported.
o If none of the NAT_DETECTION_SOURCE_IP payload(s) received matches
the expected value of the source IP and port found from the IP
future IKE and ESP packets associated with this IKE SA over UDP
port 4500.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 59]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
o To tunnel IKE packets over UDP port 4500, the IKE header has four
octets of zero prepended and the result immediately follows the
UDP header. To tunnel ESP packets over UDP port 4500, the ESP
validly be zero, it is always possible to distinguish ESP and IKE
messages.
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 60]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
o Implementations MUST process received UDP-encapsulated ESP packets
even when no NAT was detected.
MUST NOT be used when MOBIKE is used. See Section 3.8 of [MOBIKE]
for more information.
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 60]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
2.24. Explicit Congestion Notification (ECN)
When IPsec tunnels behave as originally specified in [IPSECARCH-OLD],
[ECN]). IKEv2 simplifies this situation by requiring that ECN be
usable in the outer IP headers of all tunnel-mode IPsec SAs created
by IKEv2. Specifically, tunnel encapsulators and decapsulators for
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 61]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
all tunnel-mode SAs created by IKEv2 MUST support the ECN full-
functionality option for tunnels specified in [ECN] and MUST
implement the tunnel encapsulation and decapsulation processing
payloads follow. If a payload of type "Encrypted" is found, that
payload is decrypted and its contents parsed as additional payloads.
An Encrypted payload MUST be the last payload in a packet and an
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 61]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
Encrypted payload MUST NOT contain another Encrypted payload.
The Recipient SPI in the header identifies an instance of an IKE
endian order (also known as "most significant byte first", or
"network byte order").
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 62]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
The format of the IKE header is shown in Figure 4.
1 2 3
o Responder's SPI (8 octets) - A value chosen by the responder to
identify a unique IKE security association. This value MUST be
zero in the first message of an IKE Initial Exchange (including
- repeats of that message including a cookie). {{ The phrase "and
- MUST NOT be zero in any other message" was removed; Clarif-2.1 }}
+ repeats of that message including a cookie).
o Next Payload (1 octet) - Indicates the type of payload that
immediately follows the header. The format and value of each
MUST set the Major Version to 2. Implementations based on
previous versions of IKE and ISAKMP MUST set the Major Version to
1. Implementations based on this version of IKE MUST reject or
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 62]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
ignore messages containing a version number greater than 2 with an
INVALID_MAJOR_VERSION notification message as described in Section
2.5.
MUST set the Minor Version to 0. They MUST ignore the minor
version number of received messages.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 63]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
o Exchange Type (1 octet) - Indicates the type of exchange being
used. This constrains the payloads sent in each message in an
exchange.
* R(esponse) (bit 5 of Flags) - This bit indicates that this
message is a response to a message containing the same message
- ID. This bit MUST be cleared in all request messages and MUST
- be set in all responses. An IKE endpoint MUST NOT generate a
- response to a message that is marked as being a response.
-
- * X(reserved) (bits 6-7 of Flags) - These bits MUST be cleared
- when sending and MUST be ignored on receipt.
-
+Kaufman, et al. Expires January 9, 2010 [Page 63]
+\f
+Internet-Draft IKEv2bis July 2009
-Kaufman, et al. Expires October 26, 2009 [Page 64]
-\f
-Internet-Draft IKEv2bis April 2009
+ ID. This bit MUST be cleared in all request messages and MUST
+ be set in all responses. An IKE endpoint MUST NOT generate a
+ response to a message that is marked as being a response.
+ * X(reserved) (bits 6-7 of Flags) - These bits MUST be cleared
+ when sending and MUST be ignored on receipt.
o Message ID (4 octets) - Message identifier used to control
retransmission of lost packets and matching of requests and
-
-
-
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 65]
+Kaufman, et al. Expires January 9, 2010 [Page 64]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Next Payload Type Notation Value
-Kaufman, et al. Expires October 26, 2009 [Page 66]
+Kaufman, et al. Expires January 9, 2010 [Page 65]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- {{ Clarif-7.10 }} Many payloads contain fields marked as "RESERVED".
- Some payloads in IKEv2 (and historically in IKEv1) are not aligned to
- 4-octet boundaries.
+ Many payloads contain fields marked as "RESERVED". Some payloads in
+ IKEv2 (and historically in IKEv1) are not aligned to 4-octet
+ boundaries.
3.3. Security Association Payload
-Kaufman, et al. Expires October 26, 2009 [Page 67]
+Kaufman, et al. Expires January 9, 2010 [Page 66]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
proposal would have two proposal structures: ESP with ENCR_AES-CCM_8,
-Kaufman, et al. Expires October 26, 2009 [Page 68]
+Kaufman, et al. Expires January 9, 2010 [Page 67]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
1 2 3
-Kaufman, et al. Expires October 26, 2009 [Page 69]
+Kaufman, et al. Expires January 9, 2010 [Page 68]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
o Proposal # (1 octet) - When a proposal is made, the first proposal
-Kaufman, et al. Expires October 26, 2009 [Page 70]
+Kaufman, et al. Expires January 9, 2010 [Page 69]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
3.3.2. Transform Substructure
-Kaufman, et al. Expires October 26, 2009 [Page 71]
+Kaufman, et al. Expires January 9, 2010 [Page 70]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Description Trans. Used In
-Kaufman, et al. Expires October 26, 2009 [Page 72]
+Kaufman, et al. Expires January 9, 2010 [Page 71]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Name Number Defined In
-Kaufman, et al. Expires October 26, 2009 [Page 73]
+Kaufman, et al. Expires January 9, 2010 [Page 72]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Name Number
Extended Sequence Numbers 1
RESERVED 2 - 65535
- {{ Clarif-4.4 }} Note that an initiator who supports ESNs will
- usually include two ESN transforms, with values "0" and "1", in its
- proposals. A proposal containing a single ESN transform with value
- "1" means that using normal (non-extended) sequence numbers is not
- acceptable.
+ Note that an initiator who supports ESNs will usually include two ESN
+ transforms, with values "0" and "1", in its proposals. A proposal
+ containing a single ESN transform with value "1" means that using
+ normal (non-extended) sequence numbers is not acceptable.
Numerous additional transform types have been defined since the
publication of RFC 4306. Please refer to the IANA IKEv2 registry for
-Kaufman, et al. Expires October 26, 2009 [Page 74]
+
+Kaufman, et al. Expires January 9, 2010 [Page 73]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
It is likely that IANA will add additional transforms in the future,
-Kaufman, et al. Expires October 26, 2009 [Page 75]
+Kaufman, et al. Expires January 9, 2010 [Page 74]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
o Attribute Format (AF) (1 bit) - Indicates whether the data
should not be assigned except to matching values.
The Key Length attribute specifies the key length in bits (MUST use
- network byte order) for certain transforms as follows: {{ Clarif-7.11
- }}
+ network byte order) for certain transforms as follows:
o The Key Length attribute MUST NOT be used with transforms that use
a fixed length key. This includes, e.g., ENCR_DES, ENCR_IDEA, and
o Some transforms specify that the Key Length attribute MUST be
always included (omitting the attribute is not allowed, and
+ proposals not containing it MUST be rejected). This includes,
-Kaufman, et al. Expires October 26, 2009 [Page 76]
+Kaufman, et al. Expires January 9, 2010 [Page 75]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- proposals not containing it MUST be rejected). This includes,
e.g., ENCR_AES_CBC and ENCR_AES_CTR.
o Some transforms allow variable-length keys, but also specify a
group of NONE. In this case, the responder MUST ignore the
initiator's KE payload and omit the KE payload from the response.
+ Negotiating Diffie-Hellman groups presents some special challenges.
-Kaufman, et al. Expires October 26, 2009 [Page 77]
+Kaufman, et al. Expires January 9, 2010 [Page 76]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- Negotiating Diffie-Hellman groups presents some special challenges.
SA offers include proposed attributes and a Diffie-Hellman public
number (KE) in the same message. If in the initial exchange the
initiator offers to use one of several Diffie-Hellman groups, it
proposals in that SA payload specifies a DH Group, the KE payload
MUST NOT be present. If the selected proposal uses a different
Diffie-Hellman group (other than NONE), the message MUST be rejected
+ with a Notify payload of type INVALID_KE_PAYLOAD.
-Kaufman, et al. Expires October 26, 2009 [Page 78]
+Kaufman, et al. Expires January 9, 2010 [Page 77]
\f
-Internet-Draft IKEv2bis April 2009
-
+Internet-Draft IKEv2bis July 2009
- with a Notify payload of type INVALID_KE_PAYLOAD.
The payload type for the Key Exchange payload is thirty four (34).
peers to assert an identity to one another. This identity may be
used for policy lookup, but does not necessarily have to match
anything in the CERT payload; both fields may be used by an
- implementation to perform access control decisions. {{ Clarif-7.1 }}
- When using the ID_IPV4_ADDR/ID_IPV6_ADDR identity types in IDi/IDr
- payloads, IKEv2 does not require this address to match the address in
- the IP header of IKEv2 packets, or anything in the TSi/TSr payloads.
- The contents of IDi/IDr is used purely to fetch the policy and
- authentication data related to the other party.
+ implementation to perform access control decisions. When using the
+ ID_IPV4_ADDR/ID_IPV6_ADDR identity types in IDi/IDr payloads, IKEv2
+ does not require this address to match the address in the IP header
+ of IKEv2 packets, or anything in the TSi/TSr payloads. The contents
+ of IDi/IDr is used purely to fetch the policy and authentication data
+ related to the other party.
NOTE: In IKEv1, two ID payloads were used in each direction to hold
Traffic Selector (TS) information for data passing over the SA. In
computed from the size in the ID payload header.
The payload types for the Identification Payload are thirty five (35)
+ for IDi and thirty six (36) for IDr.
-Kaufman, et al. Expires October 26, 2009 [Page 79]
-\f
-Internet-Draft IKEv2bis April 2009
+Kaufman, et al. Expires January 9, 2010 [Page 78]
+\f
+Internet-Draft IKEv2bis July 2009
- for IDi and thirty six (36) for IDr.
The following table lists the assigned values for the Identification
Type field:
PRIVATE USE 201-255
+ Two implementations will interoperate only if each can generate a
+
-Kaufman, et al. Expires October 26, 2009 [Page 80]
+Kaufman, et al. Expires January 9, 2010 [Page 79]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- Two implementations will interoperate only if each can generate a
type of ID acceptable to the other. To assure maximum
interoperability, implementations MUST be configurable to send at
least one of ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and
accept ID_IPV6_ADDR. IPv6-only implementations MAY be configurable
to send only ID_IPV6_ADDR.
- {{ Clarif-3.4 }} EAP [EAP] does not mandate the use of any particular
- type of identifier, but often EAP is used with Network Access
- Identifiers (NAIs) defined in [NAI]. Although NAIs look a bit like
- email addresses (e.g., "joe@example.com"), the syntax is not exactly
- the same as the syntax of email address in [MAILFORMAT]. For those
- NAIs that include the realm component, the ID_RFC822_ADDR
- identification type SHOULD be used. Responder implementations should
- not attempt to verify that the contents actually conform to the exact
- syntax given in [MAILFORMAT], but instead should accept any
- reasonable-looking NAI. For NAIs that do not include the realm
- component,the ID_KEY_ID identification type SHOULD be used.
+ EAP [EAP] does not mandate the use of any particular type of
+ identifier, but often EAP is used with Network Access Identifiers
+ (NAIs) defined in [NAI]. Although NAIs look a bit like email
+ addresses (e.g., "joe@example.com"), the syntax is not exactly the
+ same as the syntax of email address in [MAILFORMAT]. For those NAIs
+ that include the realm component, the ID_RFC822_ADDR identification
+ type SHOULD be used. Responder implementations should not attempt to
+ verify that the contents actually conform to the exact syntax given
+ in [MAILFORMAT], but instead should accept any reasonable-looking
+ NAI. For NAIs that do not include the realm component,the ID_KEY_ID
+ identification type SHOULD be used.
3.6. Certificate Payload
-Kaufman, et al. Expires October 26, 2009 [Page 81]
+
+Kaufman, et al. Expires January 9, 2010 [Page 80]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
o Certificate Encoding (1 octet) - This field indicates the type of
o Certificate Revocation List (7) contains a DER encoded X.509
certificate revocation list.
- o {{ Added "DER-encoded RSAPublicKey structure" from Clarif-3.6 }}
- Raw RSA Key (11) contains a PKCS #1 encoded RSA key, that is, a
+ o Raw RSA Key (11) contains a PKCS #1 encoded RSA key, that is, a
DER-encoded RSAPublicKey structure (see [RSA] and [PKCS1]).
o Hash and URL encodings (12-13) allow IKE messages to remain short
[SHA]) of the replaced value followed by a variable-length URL
that resolves to the DER encoded data structure itself. This
improves efficiency when the endpoints have certificate data
+ cached and makes IKE less subject to denial of service attacks
-Kaufman, et al. Expires October 26, 2009 [Page 82]
+Kaufman, et al. Expires January 9, 2010 [Page 81]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- cached and makes IKE less subject to denial of service attacks
that become easier to mount when IKE messages are large enough to
require IP fragmentation [DOSUDPPROT].
are trusted and the certificate encoding does not allow a list, then
multiple Certificate Request payloads would need to be transmitted.
+ The Certificate Request Payload is defined as follows:
-Kaufman, et al. Expires October 26, 2009 [Page 83]
+Kaufman, et al. Expires January 9, 2010 [Page 82]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- The Certificate Request Payload is defined as follows:
-
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The twenty-octet hashes are concatenated and included with no other
formatting.
- {{ Clarif-3.6 }} The contents of the "Certification Authority" field
- are defined only for X.509 certificates, which are types 4, 10, 12,
- and 13. Other values SHOULD NOT be used until standards-track
- specifications that specify their use are published.
+ The contents of the "Certification Authority" field are defined only
+ for X.509 certificates, which are types 4, 10, 12, and 13. Other
+ values SHOULD NOT be used until standards-track specifications that
+ specify their use are published.
Note that the term "Certificate Request" is somewhat misleading, in
that values other than certificates are defined in a "Certificate"
such cases is not defined in this document.
The Certificate Request Payload is processed by inspecting the "Cert
+ Encoding" field to determine whether the processor has any
+ certificates of this type. If so, the "Certification Authority"
-Kaufman, et al. Expires October 26, 2009 [Page 84]
+Kaufman, et al. Expires January 9, 2010 [Page 83]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- Encoding" field to determine whether the processor has any
- certificates of this type. If so, the "Certification Authority"
field is inspected to determine if the processor has any certificates
that can be validated up to one of the specified certification
authorities. This can be a chain of certificates.
is a preferred CA sent in the CERTREQ, but an alternate might be
acceptable (perhaps after prompting a human operator).
- {{ 3.10.1-16392 }} The HTTP_CERT_LOOKUP_SUPPORTED notification MAY be
- included in any message that can include a CERTREQ payload and
- indicates that the sender is capable of looking up certificates based
- on an HTTP-based URL (and hence presumably would prefer to receive
- certificate specifications in that format).
+ The HTTP_CERT_LOOKUP_SUPPORTED notification MAY be included in any
+ message that can include a CERTREQ payload and indicates that the
+ sender is capable of looking up certificates based on an HTTP-based
+ URL (and hence presumably would prefer to receive certificate
+ specifications in that format).
3.8. Authentication Payload
The Authentication Payload, denoted AUTH in this memo, contains data
used for authentication purposes. The syntax of the Authentication
+ data varies according to the Auth Method as specified below.
-Kaufman, et al. Expires October 26, 2009 [Page 85]
-\f
-Internet-Draft IKEv2bis April 2009
+Kaufman, et al. Expires January 9, 2010 [Page 84]
+\f
+Internet-Draft IKEv2bis July 2009
- data varies according to the Auth Method as specified below.
The Authentication Payload is defined as follows:
* RSA Digital Signature (1) - Computed as specified in
Section 2.15 using an RSA private key with RSASSA-PKCS1-v1_5
signature scheme specified in [PKCS1] (implementors should note
- that IKEv1 used a different method for RSA signatures) {{
- Clarif-3.3 }}. {{ Clarif-3.2 }} To promote interoperability,
- implementations that support this type SHOULD support
- signatures that use SHA-1 as the hash function and SHOULD use
- SHA-1 as the default hash function when generating signatures.
+ that IKEv1 used a different method for RSA signatures). To
+ promote interoperability, implementations that support this
+ type SHOULD support signatures that use SHA-1 as the hash
+ function and SHOULD use SHA-1 as the default hash function when
+ generating signatures.
* Shared Key Message Integrity Code (2) - Computed as specified
in Section 2.15 using the shared key associated with the
The payload type for the Authentication Payload is thirty nine (39).
+3.9. Nonce Payload
+ The Nonce Payload, denoted Ni and Nr in this memo for the initiator's
+ and responder's nonce respectively, contains random data used to
+ guarantee liveness during an exchange and protect against replay
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 86]
+Kaufman, et al. Expires January 9, 2010 [Page 85]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
-3.9. Nonce Payload
-
- The Nonce Payload, denoted Ni and Nr in this memo for the initiator's
- and responder's nonce respectively, contains random data used to
- guarantee liveness during an exchange and protect against replay
attacks.
The Nonce Payload is defined as follows:
message to indicate sender capabilities or to modify the meaning of
the request.
- The Notify Payload is defined as follows:
+ The Notify Payload is defined as follows:
+
+
+
+
+
-Kaufman, et al. Expires October 26, 2009 [Page 87]
+Kaufman, et al. Expires January 9, 2010 [Page 86]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
1 2 3
o Protocol ID (1 octet) - If this notification concerns an existing
SA whose SPI is given the SPI field, this field indicates the type
of that SA. For notifications concerning IPsec SAs this field
- MUST contain either (2) to indicate AH or (3) to indicate ESP. {{
- Clarif-7.8 }} Of the notifications defined in this document, the
- SPI is included only with INVALID_SELECTORS and REKEY_SA. If the
- SPI field is empty, this field MUST be sent as zero and MUST be
- ignored on receipt. All other values for this field are reserved
- to IANA for future assignment.
+ MUST contain either (2) to indicate AH or (3) to indicate ESP. Of
+ the notifications defined in this document, the SPI is included
+ only with INVALID_SELECTORS and REKEY_SA. If the SPI field is
+ empty, this field MUST be sent as zero and MUST be ignored on
+ receipt. All other values for this field are reserved to IANA for
+ future assignment.
o SPI Size (1 octet) - Length in octets of the SPI as defined by the
IPsec protocol ID or zero if no SPI is applicable. For a
-Kaufman, et al. Expires October 26, 2009 [Page 88]
+Kaufman, et al. Expires January 9, 2010 [Page 87]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
managing an SA database wishes to communicate with a peer process.
Types in the range 0 - 16383 are intended for reporting errors. An
implementation receiving a Notify payload with one of these types
that it does not recognize in a response MUST assume that the
- corresponding request has failed entirely. {{ Demoted the SHOULD }}
- Unrecognized error types in a request and status types in a request
- or response MUST be ignored, and they should be logged.
+ corresponding request has failed entirely. Unrecognized error types
+ in a request and status types in a request or response MUST be
+ ignored, and they should be logged.
Notify payloads with status types MAY be added to any message and
MUST be ignored if not recognized. They are intended to indicate
-Kaufman, et al. Expires October 26, 2009 [Page 89]
+Kaufman, et al. Expires January 9, 2010 [Page 88]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
See Section 1.5.
-Kaufman, et al. Expires October 26, 2009 [Page 90]
+Kaufman, et al. Expires January 9, 2010 [Page 89]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
NOTIFY messages: status types Value
-Kaufman, et al. Expires October 26, 2009 [Page 91]
+Kaufman, et al. Expires January 9, 2010 [Page 90]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
valid. Figure 17 shows the format of the Delete Payload. It is
-Kaufman, et al. Expires October 26, 2009 [Page 92]
+Kaufman, et al. Expires January 9, 2010 [Page 91]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
3.12. Vendor ID Payload
-Kaufman, et al. Expires October 26, 2009 [Page 93]
+Kaufman, et al. Expires January 9, 2010 [Page 92]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
where you were when you chose the ID and some random input. A
for addresses at the initiator's end of the SA and forty five (45)
for addresses at the responder's end.
- {{ Clarif-4.7 }} There is no requirement that TSi and TSr contain the
- same number of individual traffic selectors. Thus, they are
- interpreted as follows: a packet matches a given TSi/TSr if it
- matches at least one of the individual selectors in TSi, and at least
- one of the individual selectors in TSr.
+ There is no requirement that TSi and TSr contain the same number of
+ individual traffic selectors. Thus, they are interpreted as follows:
+ a packet matches a given TSi/TSr if it matches at least one of the
+ individual selectors in TSi, and at least one of the individual
+ selectors in TSr.
-Kaufman, et al. Expires October 26, 2009 [Page 94]
+Kaufman, et al. Expires January 9, 2010 [Page 93]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
For instance, the following traffic selectors:
-Kaufman, et al. Expires October 26, 2009 [Page 95]
+Kaufman, et al. Expires January 9, 2010 [Page 94]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
o Selector Length - Specifies the length of this Traffic Selector
not "ANY" ports, MUST set the start port to 65535 and the end port to
0.
- {{ Added from Clarif-4.8 }} The traffic selector types 7 and 8 can
- also refer to ICMP type and code fields. Note, however, that ICMP
- packets do not have separate source and destination port fields. The
- method for specifying the traffic selectors for ICMP is shown by
- example in Section 4.4.1.3 of [IPSECARCH].
+ The traffic selector types 7 and 8 can also refer to ICMP type and
+ code fields. Note, however, that ICMP packets do not have separate
+ source and destination port fields. The method for specifying the
+ traffic selectors for ICMP is shown by example in Section 4.4.1.3 of
+ [IPSECARCH].
- {{ Added from Clarif-4.9 }} Traffic selectors can use IP Protocol ID
- 135 to match the IPv6 mobility header [MIPV6]. This document does
- not specify how to represent the "MH Type" field in traffic
- selectors, although it is likely that a different document will
- specify this in the future. Note that [IPSECARCH] says that the IPv6
- mobility header (MH) message type is placed in the most significant
- eight bits of the 16-bit local port selector. The direction
- semantics of TSi/TSr port fields are the same as for ICMP.
+ Traffic selectors can use IP Protocol ID 135 to match the IPv6
+ mobility header [MIPV6]. This document does not specify how to
+ represent the "MH Type" field in traffic selectors, although it is
+ likely that a different document will specify this in the future.
+ Note that [IPSECARCH] says that the IPv6 mobility header (MH) message
+ type is placed in the most significant eight bits of the 16-bit local
+ port selector. The direction semantics of TSi/TSr port fields are
+ the same as for ICMP.
-Kaufman, et al. Expires October 26, 2009 [Page 96]
+Kaufman, et al. Expires January 9, 2010 [Page 95]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
The following table lists the assigned values for the Traffic
-Kaufman, et al. Expires October 26, 2009 [Page 97]
+Kaufman, et al. Expires January 9, 2010 [Page 96]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
The payload type for an Encrypted payload is forty six (46). The
-Kaufman, et al. Expires October 26, 2009 [Page 98]
+Kaufman, et al. Expires January 9, 2010 [Page 97]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
o Padding MAY contain any value chosen by the sender, and MUST have
-Kaufman, et al. Expires October 26, 2009 [Page 99]
+Kaufman, et al. Expires January 9, 2010 [Page 98]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
CFG Type Value
-Kaufman, et al. Expires October 26, 2009 [Page 100]
+Kaufman, et al. Expires January 9, 2010 [Page 99]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Multi-
INTERNAL_IP6_ADDRESS 8 YES* 0 or 17 octets
RESERVED 9
INTERNAL_IP6_DNS 10 YES 0 or 16 octets
- INTERNAL_IP6_NBNS 11 YES 0 or 16 octets
+ RESERVED
INTERNAL_IP6_DHCP 12 YES 0 or 16 octets
INTERNAL_IP4_SUBNET 13 YES 0 or 8 octets
SUPPORTED_ATTRIBUTES 14 NO Multiple of 2
o INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS - An address on the
internal network, sometimes called a red node address or private
- address and MAY be a private address on the Internet. {{
- Clarif-6.2}} In a request message, the address specified is a
- requested address (or a zero-length address if no specific address
- is requested). If a specific address is requested, it likely
- indicates that a previous connection existed with this address and
- the requestor would like to reuse that address. With IPv6, a
- requestor MAY supply the low-order address octets it wants to use.
- Multiple internal addresses MAY be requested by requesting
- multiple internal address attributes. The responder MAY only send
- up to the number of addresses requested. The INTERNAL_IP6_ADDRESS
- is made up of two fields: the first is a 16-octet IPv6 address,
- and the second is a one-octet prefix-length as defined in
- [ADDRIPV6]. The requested address is valid until there are no IKE
- SAs between the peers. This is described in more detail in
- Section 3.15.3.
+ address and MAY be a private address on the Internet. In a
+ request message, the address specified is a requested address (or
+ a zero-length address if no specific address is requested). If a
+ specific address is requested, it likely indicates that a previous
+ connection existed with this address and the requestor would like
+ to reuse that address. With IPv6, a requestor MAY supply the low-
+ order address octets it wants to use. Multiple internal addresses
+ MAY be requested by requesting multiple internal address
+ attributes. The responder MAY only send up to the number of
+ addresses requested. The INTERNAL_IP6_ADDRESS is made up of two
+ fields: the first is a 16-octet IPv6 address, and the second is a
+ one-octet prefix-length as defined in [ADDRIPV6]. The requested
+ address is valid as long as this IKE SA (or its rekeyed
+ successors) requesting the address is valid. This is described in
+ more detail in Section 3.15.3.
o INTERNAL_IP4_NETMASK - The internal network's netmask. Only one
netmask is allowed in the request and reply messages (e.g.,
255.255.255.0), and it MUST be used only with an
- INTERNAL_IP4_ADDRESS attribute. {{ Clarif-6.4 }}
- INTERNAL_IP4_NETMASK in a CFG_REPLY means roughly the same thing
+ INTERNAL_IP4_ADDRESS attribute. INTERNAL_IP4_NETMASK in a
+ CFG_REPLY means roughly the same thing as INTERNAL_IP4_SUBNET
-Kaufman, et al. Expires October 26, 2009 [Page 101]
+Kaufman, et al. Expires January 9, 2010 [Page 100]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- as INTERNAL_IP4_SUBNET containing the same information ("send
- traffic to these addresses through me"), but also implies a link
- boundary. For instance, the client could use its own address and
- the netmask to calculate the broadcast address of the link. An
- empty INTERNAL_IP4_NETMASK attribute can be included in a
- CFG_REQUEST to request this information (although the gateway can
- send the information even when not requested). Non-empty values
- for this attribute in a CFG_REQUEST do not make sense and thus
- MUST NOT be included.
+ containing the same information ("send traffic to these addresses
+ through me"), but also implies a link boundary. For instance, the
+ client could use its own address and the netmask to calculate the
+ broadcast address of the link. An empty INTERNAL_IP4_NETMASK
+ attribute can be included in a CFG_REQUEST to request this
+ information (although the gateway can send the information even
+ when not requested). Non-empty values for this attribute in a
+ CFG_REQUEST do not make sense and thus MUST NOT be included.
o INTERNAL_IP4_DNS, INTERNAL_IP6_DNS - Specifies an address of a DNS
server within the network. Multiple DNS servers MAY be requested.
requested. The responder MAY respond with zero or more NBNS
server attributes.
- o INTERNAL_IP6_NBNS - {{ Clarif-6.6 }} NetBIOS is not defined for
- IPv6; therefore, INTERNAL_IP6_NBNS is also unspecified and is only
- retained for compatibility with RFC 4306.
-
o INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP - Instructs the host to send
any internal DHCP requests to the address contained within the
attribute. Multiple DHCP servers MAY be requested. The responder
would state the number of supported attributes contained in the
response.
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 102]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
o INTERNAL_IP6_SUBNET - The protected sub-networks that this edge-
device protects. This attribute is made up of two fields: the
first is a 16-octet IPv6 address, and the second is a one-octet
prefix-length as defined in [ADDRIPV6]. Multiple sub-networks MAY
be requested. The responder MAY respond with zero or more sub-
network attributes. This is discussed in more detail in Section
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 101]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
3.15.2.
Note that no recommendations are made in this document as to how an
3.15.2. Meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET
- {{ Section added based on Clarif-6.3 }}
-
INTERNAL_IP4/6_SUBNET attributes can indicate additional subnets,
ones that need one or more separate SAs, that can be reached through
the gateway that announces the attributes. INTERNAL_IP4/6_SUBNET
TSr = ((0, 0-65535, 192.0.1.0-192.0.1.63),
(0, 0-65535, 192.0.2.0-192.0.2.255))
+ In these cases, the INTERNAL_IP4_SUBNET does not really carry any
+ useful information.
+ A different possible reply would have been this:
-Kaufman, et al. Expires October 26, 2009 [Page 103]
-\f
-Internet-Draft IKEv2bis April 2009
- In these cases, the INTERNAL_IP4_SUBNET does not really carry any
- useful information.
- A different possible reply would have been this:
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 102]
+\f
+Internet-Draft IKEv2bis July 2009
+
CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(192.0.1.234)
TSi = (0, 0-65535, 192.0.1.234-192.0.1.234)
TSr = (0, 0-65535, 192.0.2.155-192.0.2.155)
+ Because the meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET is in
+ CFG_REQUESTs is unclear, they cannot be used reliably in
+ CFG_REQUESTs.
+
-Kaufman, et al. Expires October 26, 2009 [Page 104]
-\f
-Internet-Draft IKEv2bis April 2009
+Kaufman, et al. Expires January 9, 2010 [Page 103]
+\f
+Internet-Draft IKEv2bis July 2009
- Because the meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET is in
- CFG_REQUESTs is unclear, they cannot be used reliably in
- CFG_REQUESTs.
3.15.3. Configuration payloads for IPv6
- {{ Added this section from Clarif-6.5 }}
-
The configuration payloads for IPv6 are based on the corresponding
IPv4 payloads, and do not fully follow the "normal IPv6 way of doing
things". In particular, IPv6 stateless autoconfiguration or router
necessarily have link-local addresses, and this may complicate the
use of protocols that assume them, such as [MLDV2].
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 105]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
3.15.4. Address Assignment Failures
- {{ Added this section from Clarif-6.8 }}
-
If the responder encounters an error while attempting to assign an IP
address to the initiator during the processing of a Configuration
Payload, it responds with an INTERNAL_ADDRESS_FAILURE notification.
The IKE SA is still created even if the initial Child SA cannot be
- created because of this failure. {{ 3.10.1-36 }} If this error is
- generated within an IKE_AUTH exchange, no Child SA will be created.
- However, there are some more complex error cases.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 104]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ created because of this failure. If this error is generated within
+ an IKE_AUTH exchange, no Child SA will be created. However, there
+ are some more complex error cases.
If the responder does not support configuration payloads at all, it
can simply ignore all configuration payloads. This type of
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Figure 24: EAP Payload Format
+
+ The payload type for an EAP Payload is forty eight (48).
+
-Kaufman, et al. Expires October 26, 2009 [Page 106]
-\f
-Internet-Draft IKEv2bis April 2009
- Figure 24: EAP Payload Format
- The payload type for an EAP Payload is forty eight (48).
+
+Kaufman, et al. Expires January 9, 2010 [Page 105]
+\f
+Internet-Draft IKEv2bis July 2009
+
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
the associated Response. For the documentation of the EAP
methods, see [EAP].
- {{ Demoted the SHOULD NOT and SHOULD }} Note that since IKE passes an
- indication of initiator identity in message 3 of the protocol, the
+ Note that since IKE passes an indication of initiator identity in
+ message 3 of the protocol, the responder should not send EAP Identity
+ requests. The initiator may, however, respond to such requests if it
+ receives them.
-Kaufman, et al. Expires October 26, 2009 [Page 107]
-\f
-Internet-Draft IKEv2bis April 2009
- responder should not send EAP Identity requests. The initiator may,
- however, respond to such requests if it receives them.
+Kaufman, et al. Expires January 9, 2010 [Page 106]
+\f
+Internet-Draft IKEv2bis July 2009
4. Conformance Requirements
one for ESP or AH). Implementations MAY be initiate-only or respond-
only if appropriate for their platform. Every implementation MUST be
capable of responding to an INFORMATIONAL exchange, but a minimal
+ implementation MAY respond to any INFORMATIONAL message with an empty
+ INFORMATIONAL reply (note that within the context of an IKE SA, an
+ "empty" message consists of an IKE header followed by an Encrypted
+ payload with no payloads contained in it). A minimal implementation
-Kaufman, et al. Expires October 26, 2009 [Page 108]
+Kaufman, et al. Expires January 9, 2010 [Page 107]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
- implementation MAY respond to any INFORMATIONAL message with an empty
- INFORMATIONAL reply (note that within the context of an IKE SA, an
- "empty" message consists of an IKE header followed by an Encrypted
- payload with no payloads contained in it). A minimal implementation
MAY support the CREATE_CHILD_SA exchange only in so far as to
recognize requests and reject them with a Notify payload of type
NO_ADDITIONAL_SAS. A minimal implementation need not be able to
of type INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS. If it supports
leasing an address of the appropriate type, it MUST return a CP
payload of type CFG_REPLY containing an address of the requested
- type. {{ Demoted the SHOULD }} The responder may include any other
- related attributes.
+ type. The responder may include any other related attributes.
A minimal IPv4 responder implementation will ignore the contents of
the CP payload except to determine that it includes an
o Shared key authentication where the ID passed is any of ID_KEY_ID,
ID_FQDN, or ID_RFC822_ADDR.
+ o Authentication where the responder is authenticated using PKIX
+ Certificates and the initiator is authenticated using shared key
+ authentication.
-Kaufman, et al. Expires October 26, 2009 [Page 109]
-\f
-Internet-Draft IKEv2bis April 2009
- o Authentication where the responder is authenticated using PKIX
- Certificates and the initiator is authenticated using shared key
- authentication.
+Kaufman, et al. Expires January 9, 2010 [Page 108]
+\f
+Internet-Draft IKEv2bis July 2009
5. Security Considerations
Note that these limitations are on the Diffie-Hellman groups
themselves. There is nothing in IKE that prohibits using stronger
groups nor is there anything that will dilute the strength obtained
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 110]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
from stronger groups (limited by the strength of the other algorithms
negotiated including the prf function). In fact, the extensible
framework of IKE encourages the definition of more groups; use of
elliptical curve groups may greatly increase strength using much
smaller numbers.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 109]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
It is assumed that all Diffie-Hellman exponents are erased from
memory after use.
Since the IPv4 address space is only 32 bits, and it is usually very
sparse, it would be possible for an attacker to find out the internal
address used behind the NAT box by trying all possible IP addresses
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 111]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
and trying to find the matching hash. The port numbers are normally
fixed to 500, and the SPIs can be extracted from the packet. This
reduces the number of hash calculations to 2^32. With an educated
calculations is much smaller. Designers should therefore not assume
that use of IKE will not leak internal address information.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 110]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
When using an EAP authentication method that does not generate a
shared key for protecting a subsequent AUTH payload, certain man-in-
the-middle and server impersonation attacks are possible [EAPMITM].
possible. Where they are used, it is extremely important that all
usages of these EAP methods SHOULD utilize a protected tunnel, where
the initiator validates the responder's certificate before initiating
- the EAP authentication. {{ Demoted the SHOULD }} Implementers should
- describe the vulnerabilities of using non-key-generating EAP methods
- in the documentation of their implementations so that the
- administrators deploying IPsec solutions are aware of these dangers.
+ the EAP authentication. Implementers should describe the
+ vulnerabilities of using non-key-generating EAP methods in the
+ documentation of their implementations so that the administrators
+ deploying IPsec solutions are aware of these dangers.
An implementation using EAP MUST also use strong authentication of
the server to the client before the EAP authentication begins, even
Admission control is critical to the security of the protocol. For
example, trust anchors used for identifying IKE peers should probably
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 112]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
be different than those used for other forms of trust, such as those
used to identify public web servers. Moreover, although IKE provides
a great deal of leeway in defining the security policy for a trusted
having such security policy defined explicitly is essential to a
secure implementation.
-5.1. Traffic selector authorization
- {{ Added this section from Clarif-4.13 }}
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 111]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+5.1. Traffic selector authorization
IKEv2 relies on information in the Peer Authorization Database (PAD)
when determining what kind of IPsec SAs a peer is allowed to create.
address.
It has been recognized that configuring the PAD correctly may be
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 113]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
difficult in some environments. For instance, if IPsec is used
between a pair of hosts whose addresses are allocated dynamically
using DHCP, it is extremely difficult to ensure that the PAD
Due to this limitation, some vendors have been known to configure
their PADs to allow an authenticated peer to create IPsec SAs with
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 112]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
traffic selectors containing the same address that was used for the
IKEv2 packets. In environments where IP spoofing is possible (i.e.,
almost everywhere) this essentially allows any peer to create IPsec
6. IANA Considerations
- {{ This section was changed to not re-define any new IANA registries.
- }}
-
[IKEV2] defined many field types and values. IANA has already
registered those types and values, so the are not listed here again.
No new types or values are registered in this document. However,
Reingold, and Michael Richardson. Many other people contributed to
the design. It is an evolution of IKEv1, ISAKMP, and the IPsec DOI,
each of which has its own list of authors. Hugh Daniel suggested the
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 114]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
feature of having the initiator, in message 3, specify a name for the
responder, and gave the feature the cute name "You Tarzan, Me Jane".
David Faucher and Valery Smyzlov helped refine the design of the
[X.501] [X.509]
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 113]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
8. References
8.1. Normative References
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 115]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
[PKIX] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,
[RFC4615] Song, J., Poovendran, R., Lee, J., and T. Iwata, "The
Advanced Encryption Standard-Cipher-based Message
Authentication Code-Pseudo-Random Function-128 (AES-CMAC-
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 114]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
PRF-128) Algorithm for the Internet Key Exchange Protocol
(IKE)", RFC 4615, August 2006.
V.IT-22 n. 6, June 1977.
[DHCP] Droms, R., "Dynamic Host Configuration Protocol",
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 116]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
RFC 2131, March 1997.
[DIFFSERVARCH]
Field) in the IPv4 and IPv6 Headers", RFC 2474,
December 1998.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 115]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
[DIFFTUNNEL]
Black, D., "Differentiated Services and Tunnels",
RFC 2983, October 2000.
[H2HIPSEC]
Aura, T., Roe, M., and A. Mohammed, "Experiences with
Host-to-Host IPsec", 13th International Workshop on
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 117]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
Security Protocols, Cambridge, UK, April 2005.
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 116]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
[IKEV1] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[MIPV6] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support
in IPv6", RFC 3775, June 2004.
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 118]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
[MLDV2] Vida, R. and L. Costa, "Multicast Listener Discovery
Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.
[NAI] Aboba, B., Beadles, M., Eronen, P., and J. Arkko, "The
Network Access Identifier", RFC 4282, December 2005.
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 117]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
[NATREQ] Aboba, B. and W. Dixon, "IPsec-Network Address Translation
(NAT) Compatibility Requirements", RFC 3715, March 2004.
progress), October 2008.
[RSA] R. Rivest, A. Shamir, and L. Adleman, "A Method for
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 119]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
Obtaining Digital Signatures and Public-Key
Cryptosystems", February 1978.
www.informatik.uni-trier.de/~ley/db/conf/crypto/
crypto2003.html>.
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 118]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
[SKEME] H. Krawczyk, "SKEME: A Versatile Secure Key Exchange
Mechanism for Internet", IEEE Proceedings of the 1996
Symposium on Network and Distributed Systems Security ,
rather than restructuring the entire exchange) see
[EXCHANGEANALYSIS];
-
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 120]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
3. To remove the Domain of Interpretation (DOI), Situation (SIT),
and Labeled Domain Identifier fields, and the Commit and
Authentication only bits;
6. To reduce the number of possible error states by making the
protocol reliable (all messages are acknowledged) and sequenced.
This allows shortening CREATE_CHILD_SA exchanges from 3 messages
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 119]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
to 2;
7. To increase robustness by allowing the responder to not do
These groups were generated by Richard Schroeppel at the University
of Arizona. Properties of these primes are described in [OAKLEY].
-
-
-
-Kaufman, et al. Expires October 26, 2009 [Page 121]
-\f
-Internet-Draft IKEv2bis April 2009
-
-
The strength supplied by group one may not be sufficient for the
mandatory-to-implement encryption algorithm and is here for historic
reasons.
This group is assigned id 1 (one).
+
+
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 120]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
Its hexadecimal value is:
Appendix C. Exchanges and Payloads
- {{ Clarif-AppA }}
-
This appendix contains a short summary of the IKEv2 exchanges, and
what payloads can appear in which message. This appendix is purely
informative; if it disagrees with the body of this document, the
-Kaufman, et al. Expires October 26, 2009 [Page 122]
+
+
+
+
+
+
+
+
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 121]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
C.1. IKE_SA_INIT Exchange
-Kaufman, et al. Expires October 26, 2009 [Page 123]
+Kaufman, et al. Expires January 9, 2010 [Page 122]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
C.2. IKE_AUTH Exchange without EAP
-Kaufman, et al. Expires October 26, 2009 [Page 124]
+Kaufman, et al. Expires January 9, 2010 [Page 123]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
C.3. IKE_AUTH Exchange with EAP
-Kaufman, et al. Expires October 26, 2009 [Page 125]
+Kaufman, et al. Expires January 9, 2010 [Page 124]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying Child SAs
-Kaufman, et al. Expires October 26, 2009 [Page 126]
+Kaufman, et al. Expires January 9, 2010 [Page 125]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
only be changes that involve SHOULD-level or MUST-level requirements,
-Kaufman, et al. Expires October 26, 2009 [Page 127]
+Kaufman, et al. Expires January 9, 2010 [Page 126]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Removed the discussion of INTERNAL_ADDRESS_EXPIRY in many places, and
-Kaufman, et al. Expires October 26, 2009 [Page 128]
+Kaufman, et al. Expires January 9, 2010 [Page 127]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
protocols cannot be negotiated at one time.
-Kaufman, et al. Expires October 26, 2009 [Page 129]
+Kaufman, et al. Expires January 9, 2010 [Page 128]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
In Section 2.1, added "or equal to" in "The responder MUST remember
-Kaufman, et al. Expires October 26, 2009 [Page 130]
+Kaufman, et al. Expires January 9, 2010 [Page 129]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Moved 3.10.1-16392 from Section 3.6 to 3.7.
section. Also reworded the text to make it clearer what the COOKIE
is for.
- Moved text from {{ Clarif-2.1 }} from Section 2.6 to Section 2.7.
+ Moved text from Clarif-2.1 from Section 2.6 to Section 2.7.
In Section 2.13, added "(see Section 3.3.5 for the defintion of the
Key Length transform attribute)".
-Kaufman, et al. Expires October 26, 2009 [Page 131]
+Kaufman, et al. Expires January 9, 2010 [Page 130]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
In Section 3.3, changed "Each proposal may contain a" to "Each
-Kaufman, et al. Expires October 26, 2009 [Page 132]
+Kaufman, et al. Expires January 9, 2010 [Page 131]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
similar issue. Also updated the Abstract to cover this.
-Kaufman, et al. Expires October 26, 2009 [Page 133]
+Kaufman, et al. Expires January 9, 2010 [Page 132]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
the paragraph.
-Kaufman, et al. Expires October 26, 2009 [Page 134]
+Kaufman, et al. Expires January 9, 2010 [Page 133]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Changed the title of 2.6 to "IKE SA SPIs and Cookies". Also, in the
-Kaufman, et al. Expires October 26, 2009 [Page 135]
+Kaufman, et al. Expires January 9, 2010 [Page 134]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
port 500". Also removed the text about why not to do NAT-traversal
-Kaufman, et al. Expires October 26, 2009 [Page 136]
+Kaufman, et al. Expires January 9, 2010 [Page 135]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
In 3.15.4, added "The IKE SA is still created even if the initial
-Kaufman, et al. Expires October 26, 2009 [Page 137]
+Kaufman, et al. Expires January 9, 2010 [Page 136]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
added "In order to allow saving memory, responders are allowed to
-Kaufman, et al. Expires October 26, 2009 [Page 138]
+Kaufman, et al. Expires January 9, 2010 [Page 137]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
of the proposed crypto suites was acceptable. This can be sent in
-Kaufman, et al. Expires October 26, 2009 [Page 139]
+Kaufman, et al. Expires January 9, 2010 [Page 138]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
For the initiator:
Changed "[V+]" to "[V+][N+]" throughout Appendix C. [Issue #63]
+E.11. Changes from draft-ietf-ipsecme-ikev2bis-03 to
+ draft-ietf-ipsecme-ikev2bis-04
+
+ Throughout, removed the marks that showed where text from the
+ Clarifications RFC was inserted, or where a "SHOULD" was demoted to
+ weaker language.
+
+
+
+
+Kaufman, et al. Expires January 9, 2010 [Page 139]
+\f
+Internet-Draft IKEv2bis July 2009
+
+
+ In section 1, added "IKEv2 was a change to the IKE protocol that was
+ not backward compatible. In contrast, the current document not only
+ provides a clarification of IKEv2, but makes minimum changes to the
+ IKE protocol." [Issue #48]
+
+ In 1.5, added "The recipient of this notification cannot tell whether
+ the SPI is for AH or ESP, but this is not important because the SPIs
+ are supposed to be different for the two." [Issue #35]
+
+ In 1.5, added "(INVALID_MAJOR_VERSION is also a one-way message which
+ is sent outside of an IKE SA, although it is sent as a response to
+ the incoming IKE SA creation.)" [Issue #13]
+
+ Added "The Message ID is reset to zero in the new IKE SA after the
+ IKE SA is rekeyed" in the first paragraph of 2.2. [Issue #15]
+
+ In 2.5, changed "implementations MUST send the payloads defined in
+ this specification in the order shown in the figures in Section 2;
+ implementations are explicitly allowed to reject as invalid a message
+ with those payloads in any other order" to "implementations SHOULD
+ send the payloads defined in this specification in the order shown in
+ the figures in Section 2; implementations MUST NOT reject as invalid
+ a message with those payloads in any other order". [Issue #16]
+ [Issue #45]
+
+ In 2.9, added "Maintenance of a system's SPD is outside the scope of
+ IKE (see [PFKEY] for an example programming interface, although it
+ only applies to IKEv1), though some implementations might update
+ their SPD in connection with the running of IKE (for an example
+ scenario, see Section 1.1.3)." This was actually done in -03 but not
+ noted in the change notes. [Issue #64] [Issue #54]
+
+ In 2.18, added "using SPIi, SPIr, Ni, and Nr from the new exchange"
+ to the last sentence.
+
+ Removed INTERNAL_IP6_NBNS from 3.15.1. [Issue #44]
+
+ Changed "The requested address is valid until there are no IKE_SAs
+ between the peers" to "The requested address is valid as long as this
+ IKE SA (or its rekeyed successors) requesting the address is valid."
+ [Issue #43]
-Kaufman, et al. Expires October 26, 2009 [Page 140]
+Kaufman, et al. Expires January 9, 2010 [Page 140]
\f
-Internet-Draft IKEv2bis April 2009
+Internet-Draft IKEv2bis July 2009
Authors' Addresses
-Kaufman, et al. Expires October 26, 2009 [Page 141]
+Kaufman, et al. Expires January 9, 2010 [Page 141]
\f
projects / thirdparty / strongswan.git / commitdiff
