4 Network Working Group Henry Spencer
5 Internet Draft SP Systems
6 Expires: 26 Aug 2002 D. Hugh Redelmeier
10 IKE Implementation Issues
11 <draft-spencer-ipsec-ike-implementation-02.txt>
15 This document is an Internet-Draft and is in full conformance with
16 all provisions of Section 10 of RFC2026.
18 (If approved as an Informational RFC...) This memo provides
19 information for the Internet community. This memo does not specify
20 an Internet standard of any kind.
22 Distribution of this memo is unlimited.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as Internet-
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 The list of current Internet-Drafts can be accessed at
35 http://www.ietf.org/ietf/1id-abstracts.txt.
37 The list of Internet-Draft Shadow Directories can be accessed at
38 http://www.ietf.org/shadow.html.
40 This Internet-Draft will expire on 26 Aug 2002.
44 Copyright (C) The Internet Society 2002. All Rights Reserved.
55 Spencer & Redelmeier [Page 1]
57 Internet Draft IKE Implementation Issues 26 Feb 2002
62 1. Introduction ................................................... 3
63 2. Lower-level Background and Notes ............................... 4
64 2.1. Packet Handling .............................................. 4
65 2.2. Ciphers ...................................................... 5
66 2.3. Interfaces ................................................... 5
67 3. IKE Infrastructural Issues ..................................... 5
68 3.1. Continuous Channel ........................................... 5
69 3.2. Retransmission ............................................... 5
70 3.3. Replay Prevention ............................................ 6
71 4. Basic Keying and Rekeying ...................................... 7
72 4.1. When to Create SAs ........................................... 7
73 4.2. When to Rekey ................................................ 8
74 4.3. Choosing an SA ............................................... 9
75 4.4. Why to Rekey ................................................. 9
76 4.5. Rekeying ISAKMP SAs ......................................... 10
77 4.6. Bulk Negotiation ............................................ 10
78 5. Deletions, Teardowns, Crashes ................................. 11
79 5.1. Deletions ................................................... 11
80 5.2. Teardowns and Shutdowns ..................................... 12
81 5.3. Crashes ..................................................... 13
82 5.4. Network Partitions .......................................... 13
83 5.5. Unknown SAs ................................................. 14
84 6. Misc. IKE Issues .............................................. 16
85 6.1. Groups 1 and 5 .............................................. 16
86 6.2. To PFS Or Not To PFS ........................................ 16
87 6.3. Debugging Tools, Lack Thereof ............................... 16
88 6.4. Terminology, Vagueness Thereof .............................. 17
89 6.5. A Question of Identity ...................................... 17
90 6.6. Opportunistic Encryption .................................... 17
91 6.7. Authentication and RSA Keys ................................. 17
92 6.8. Misc. Snags ................................................. 18
93 7. Security Considerations ....................................... 19
94 8. References .................................................... 19
95 Authors' Addresses ............................................... 20
96 Full Copyright Statement ......................................... 21
111 Spencer & Redelmeier [Page 2]
113 Internet Draft IKE Implementation Issues 26 Feb 2002
118 The current IPsec specifications for key exchange and connection
119 management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
120 connection management unspecified, most prominently rekeying
121 practices. Pending clarifications in future revisions of the
122 specifications, this document sets down some successful experiences,
123 to minimize the extent to which new implementors have to rely on
126 The Linux FreeS/WAN implementation of IPsec interoperates with almost
127 every other IPsec implementation. This document describes how the
128 FreeS/WAN project has resolved some of the gaps in the IPsec
129 specifications (and plans to resolve some others), and what
130 difficulties have been encountered, in hopes that this generally-
131 successful experience might be informative to new implementors.
133 This is offered as an Informational RFC.
135 This -02 revision mainly: discusses ISAKMP SA expiry during IPsec-SA
136 rekeying (4.5), revises the discussion of bidirectional Deletes
137 (5.1), suggests remembering the parameters of successful negotiations
138 for later use (4.2, 5.3), notes an unsuccessful negotiation from the
139 other end as a hint of a possibly broken connection (5.5), and adds
140 sections on network partitions (5.4), authentication methods and the
141 subtleties of RSA public keys (6.7), and miscellaneous
142 interoperability concerns (6.8).
146 The current IPsec specifications for key exchange and connection
147 management, RFCs 2408 [ISAKMP] and 2409 [IKE], leave many aspects of
148 connection management unspecified, most prominently rekeying
149 practices. This is a cryptic puzzle which each group of implementors
150 has to struggle with, and differences in how the ambiguities and gaps
151 are resolved are potentially a fruitful source of interoperability
152 problems. We can hope that future revisions of the specifications
153 will clear this up. Meanwhile, it seems useful to set down some
154 successful experiences, to minimize the extent to which new
155 implementors have to rely on unwritten folklore.
157 The Linux FreeS/WAN implementation of IPsec interoperates with almost
158 every other IPsec implementation, and because of its free nature, it
159 also sees some use as a reference implementation by other
160 implementors. The high degree of interoperability is noteworthy
161 given its organizers' strong minimalist bias, which has caused them
162 to implement only a small subset of the full glory of IPsec. This
163 document describes how the FreeS/WAN project has resolved some of the
167 Spencer & Redelmeier [Page 3]
169 Internet Draft IKE Implementation Issues 26 Feb 2002
172 gaps in the IPsec specifications (and plans to resolve some others),
173 and what difficulties have been encountered, in hopes that this
174 generally-successful experience might be informative to new
177 One small caution about applicability: this experience may not be
178 relevant to severely resource-constrained implementations.
179 FreeS/WAN's target environment is previous-generation PCs, now
180 available at trivial cost (often, within an organization, at no
181 cost), which have quite impressive CPU power and memory by the
182 standards of only a few years ago. Some of the approaches discussed
183 here may be inapplicable to implementations with severe external
184 constraints which prevent them from taking advantage of modern
187 2. Lower-level Background and Notes
191 FreeS/WAN implements ESP [ESP] and AH [AH] straightforwardly,
192 although AH sees little use among our users. Our ESP/AH
193 implementation cannot currently handle packets with IP options;
194 somewhat surprisingly, this has caused little difficulty. We insist
195 on encryption and do not support authentication-only connections, and
196 this has not caused significant difficulty either.
198 MTU and fragmentation issues, by contrast, have been a constant
199 headache. We will not describe the details of our current approach
200 to them, because it still needs work. One difficulty we have
201 encountered is that many combinations of packet source and packet
202 destination apparently cannot cope with an "interior minimum" in the
203 path MTU, e.g. where an IPsec tunnel intervenes and its headers
204 reduce the MTU for an intermediate link. This is particularly
205 prevalent when using common PC software to connect to large well-
206 known web sites; we think it is largely due to misconfigured
207 firewalls which do not pass ICMP Fragmentation Required messages.
208 The only solution we have yet found is to lie about the MTU of the
209 tunnel, accepting the (undesirable) fragmentation of the ESP packets
210 for the sake of preserving connectivity.
212 We currently zero out the TOS field of ESP packets, rather than
213 copying it from the inner header, on the grounds that it lends itself
214 too well to traffic analysis and covert channels. We provide an
215 option to restore RFC 2401 [IPSEC] copying behavior, but this appears
223 Spencer & Redelmeier [Page 4]
225 Internet Draft IKE Implementation Issues 26 Feb 2002
230 We initially implemented both DES [DES] and 3DES [CIPHERS] for both
231 IKE and ESP, but after the Deep Crack effort [CRACK] demonstrated its
232 inherent insecurity, we dropped support for DES. Somewhat
233 surprisingly, our insistence on 3DES has caused almost no
234 interoperability problems, despite DES being officially mandatory. A
235 very few other systems either do not support 3DES or support it only
236 as an optional upgrade, which inconveniences a few would-be users.
237 There have also been one or two cases of systems which don't quite
238 seem to know the difference!
240 See also section 6.1 for a consequence of our insistence on 3DES.
244 We currently employ PF_KEY version 2 [PFKEY], plus various non-
245 standard extensions, as our interface between keying and ESP. This
246 has not proven entirely satisfactory. Our feeling now is that keying
247 issues and policy issues do not really lend themselves to the clean
248 separation that PF_KEY envisions.
250 3. IKE Infrastructural Issues
252 A number of problems in IPsec connection management become easier if
253 some attention is first paid to providing an infrastructure to
254 support solving them.
256 3.1. Continuous Channel
258 FreeS/WAN uses an approximation to the "continuous channel" model, in
259 which ISAKMP SAs are maintained between IKEs so long as any IPsec SAs
260 are open between the two systems. The resource consumption of this
261 is minor: the only substantial overhead is occasional rekeying.
262 IPsec SA management becomes significantly simpler if there is always
263 a channel for transmission of control messages. We suggest (although
264 we do not yet fully implement this) that inability to maintain (e.g.,
265 to rekey) this control path should be grounds for tearing down the
268 As a corollary of this, there is one and only one ISAKMP SA
269 maintained between a pair of IKEs (although see sections 5.3 and 6.5
270 for minor complications).
274 The unreliable nature of UDP transmission is a nuisance. IKE
275 implementations should always be prepared to retransmit the most
279 Spencer & Redelmeier [Page 5]
281 Internet Draft IKE Implementation Issues 26 Feb 2002
284 recent message they sent on an ISAKMP SA, since there is some
285 possibility that the other end did not get it. This means, in
286 particular, that the system sending the supposedly-last message of an
287 exchange cannot relax and assume that the exchange is complete, at
288 least not until a significant timeout has elapsed.
290 Systems must also retain information about the message most recently
291 received in an exchange, so that a duplicate of it can be detected
292 (and possibly interpreted as a NACK for the response).
294 The retransmission rules FreeS/WAN follows are: (1) if a reply is
295 expected, retransmit only if it does not appear before a timeout; and
296 (2) if a reply is not expected (last message of the exchange),
297 retransmit only on receiving a retransmission of the previous
298 message. Notably, in case (1) we do NOT retransmit on receiving a
299 retransmission, which avoids possible congestion problems arising
300 from packet duplication, at the price of slowing response to packet
301 loss. The timeout for case (1) is 10 seconds for the first retry, 20
302 seconds for the second, and 40 seconds for all subsequent retries
303 (normally only one, except when configuration settings call for
304 persistence and the message is the first message of Main Mode with a
305 new peer). These retransmission rules have been entirely successful.
307 (Michael Thomas of Cisco has pointed out that the retry timeouts
308 should include some random jitter, to de-synchronize hosts which are
309 initially synchronized by, e.g., a power outage. We already jitter
310 our rekeying times, as noted in section 4.2, but that does not help
311 with initial startup. We're implementing jittered retries, but
312 cannot yet report on experience with this.)
314 There is a deeper problem, of course, when an entire "exchange"
315 consists of a single message, e.g. the ISAKMP Informational Exchange.
316 Then there is no way to decide whether or when a retransmission is
317 warranted at all. This seems like poor design, to put it mildly (and
318 there is now talk of fixing it). We have no experience in dealing
319 with this problem at this time, although it is part of the reason why
320 we have delayed implementing Notification messages.
322 3.3. Replay Prevention
324 The unsequenced nature of UDP transmission is also troublesome,
325 because it means that higher levels must consider the possibility of
326 replay attacks. FreeS/WAN takes the position that systematically
327 eliminating this possibility at a low level is strongly preferable to
328 forcing careful consideration of possible impacts at every step of an
329 exchange. RFC 2408 [ISAKMP] section 3.1 states that the Message ID
330 of an ISAKMP message must be "unique". FreeS/WAN interprets this
331 literally, as forbidding duplication of Message IDs within the set of
335 Spencer & Redelmeier [Page 6]
337 Internet Draft IKE Implementation Issues 26 Feb 2002
340 all messages sent via a single ISAKMP SA.
342 This requires remembering all Message IDs until the ISAKMP SA is
343 superseded by rekeying, but that is not costly (four bytes per sent
344 or received message), and it ELIMINATES replay attacks from
345 consideration; we believe this investment of resources is well
346 worthwhile. If the resource consumption becomes excessive--in our
347 experience it has not--the ISAKMP SA can be rekeyed early to collect
350 There is theoretically an interoperability problem when talking to
351 implementations which interpret "unique" more loosely and may re-use
352 Message IDs, but it has not been encountered in practice. This
353 approach appears to be completely interoperable.
355 The proposal by Andrew Krywaniuk [REPLAY], which advocates turning
356 the Message ID into an anti-replay counter, would achieve the same
357 goal without the minor per-message memory overhead. This may be
358 preferable, although it means an actual protocol change and more
361 4. Basic Keying and Rekeying
363 4.1. When to Create SAs
365 As Tim Jenkins [REKEY] pointed out, there is a potential race
366 condition in Quick Mode: a fast lightly-loaded Initiator might start
367 using IPsec SAs very shortly after sending QM3 (the third and last
368 message of Quick Mode), while a slow heavily-loaded Responder might
369 not be ready to receive them until after spending a significant
370 amount of time creating its inbound SAs. The problem is even worse
371 if QM3 gets delayed or lost.
373 FreeS/WAN's approach to this is what Jenkins called "Responder Pre-
374 Setup": the Responder creates its inbound IPsec SAs before it sends
375 QM2, so they are always ready and waiting when the Initiator sends
376 QM3 and begins sending traffic. This approach is simple and
377 reliable, and in our experience it interoperates with everybody.
378 (There is potentially still a problem if FreeS/WAN is the Initiator
379 and the Responder does not use Responder Pre-Setup, but no such
380 problems have been seen.) The only real weakness of Responder Pre-
381 Setup is the possibility of replay attacks, which we have eliminated
382 by other means (see section 3.3).
384 With this approach, the Commit Bit is useless, and we ignore it. In
385 fact, until quite recently we discarded any IKE message containing
386 it, and this caused surprisingly few interoperability problems;
387 apparently it is not widely used. We have recently been persuaded
391 Spencer & Redelmeier [Page 7]
393 Internet Draft IKE Implementation Issues 26 Feb 2002
396 that simply ignoring it is preferable; preliminary experience with
397 this indicates that the result is successful interoperation with
398 implementations which set it.
402 To preserve connectivity for user traffic, rekeying of a connection
403 (that is, creation of new IPsec SAs to supersede the current ones)
404 must begin before its current IPsec SAs expire. Preferably one end
405 should predictably start rekeying negotiations first, to avoid the
406 extra overhead of two simultaneous negotiations, although either end
407 should be prepared to rekey if the other does not. There is also a
408 problem with "convoys" of keying negotiations: for example, a "hub"
409 gateway with many IPsec connections can be inundated with rekeying
410 negotiations exactly one connection-expiry time after it reboots, and
411 the massive overload this induces tends to make this situation self-
412 perpetuating, so it recurs regularly. (Convoys can also evolve
413 gradually from initially-unsynchronized negotiations.)
415 FreeS/WAN has the concept of a "rekeying margin", measured in
416 seconds. If FreeS/WAN was the Initiator for the previous rekeying
417 (or the startup, if none) of the connection, it nominally starts
418 rekeying negotiations at expiry time minus one rekeying margin. Some
419 random jitter is added to break up convoys: rather than starting
420 rekeying exactly at minus one margin, it starts at a random time
421 between minus one margin and minus two margins. (The randomness here
422 need not be cryptographic in quality, so long as it varies over time
423 and between hosts. We use an ordinary PRNG seeded with a few bytes
424 from a cryptographic randomness source. The seeding mostly just
425 ensures that the PRNG sequence is different for different hosts, even
426 if they start up simultaneously.)
428 If FreeS/WAN was the Responder for the previous rekeying/startup, and
429 nothing has been heard from the previous Initiator at expiry time
430 minus one-half the rekeying margin, FreeS/WAN will initiate rekeying
431 negotiations. No jitter is applied; we now believe that it should be
432 jittered, say between minus one-half margin and minus one-quarter
435 Having the Initiator lead the way is an obvious way of deciding who
436 should speak first, since there is already an Initiator/Responder
437 asymmetry in the connection. Moreover, our experience has been that
438 Initiator lead gives a significantly higher probability of successful
439 negotiation! The negotiation process itself is asymmetric, because
440 the Initiator must make a few specific proposals which the Responder
441 can only accept or reject, so the Initiator must try to guess where
442 its "acceptable" region (in parameter space) might overlap with the
443 Responder's. We have seen situations where negotiations would
447 Spencer & Redelmeier [Page 8]
449 Internet Draft IKE Implementation Issues 26 Feb 2002
452 succeed or fail depending on which end initiated them, because one
453 end was making better guesses. Given an existing connection, we KNOW
454 that the previous Initiator WAS able to initiate a successful
455 negotiation, so it should (if at all possible) take the lead again.
456 Also, the Responder should remember the Initiator's successful
457 proposal, and start from that rather than from his own default
458 proposals if he must take the lead; we don't currently implement this
459 completely but plan to.
461 FreeS/WAN defaults the rekeying margin to 9 minutes, although this
462 can be changed by configuration. There is also a configuration
463 option to alter the permissible range of jitter. The defaults were
464 chosen somewhat arbitrarily, but they work extremely well and the
465 configuration options are rarely used.
469 Once rekeying has occurred, both old and new IPsec SAs for the
470 connection exist, at least momentarily. FreeS/WAN accepts incoming
471 traffic on either old or new inbound SAs, but sends outgoing traffic
472 only on the new outbound ones. This approach appears to be
473 significantly more robust than using the old ones until they expire,
474 notably in cases where renegotiation has occurred because something
475 has gone wrong on the other end. It avoids having to pay meticulous
476 attention to the state of the other end, state which is difficult to
477 learn reliably given the limitations of IKE.
479 This approach has interoperated successfully with ALMOST all other
480 implementations. The only (well-characterized) problem cases have
481 been implementations which rely on receiving a Delete message for the
482 old SAs to tell them to switch over to the new ones. Since delivery
483 of Delete is unreliable, and support for Delete is optional, this
484 reliance seems like a serious mistake. This is all the more true
485 because Delete announces that the deletion has already occurred
486 [ISAKMP, section 3.15], not that it is about to occur, so packets
487 already in transit in the other direction could be lost. Delete
488 should be used for resource cleanup, not for switchover control.
489 (These matters are discussed further in section 5.)
493 FreeS/WAN currently implements only time-based expiry (life in
494 seconds), although we are working toward supporting volume-based
495 expiry (life in kilobytes) as well. The lack of volume-based expiry
496 has not been an interoperability problem so far.
498 Volume-based expiry does add some minor complications. In
499 particular, it makes explicit Delete of now-disused SAs more
503 Spencer & Redelmeier [Page 9]
505 Internet Draft IKE Implementation Issues 26 Feb 2002
508 important, because once an SA stops being used, it might not expire
509 on its own. We believe this lacks robustness and is generally
510 unwise, especially given the lack of a reliable Delete, and expect to
511 use volume-based expiry only as a supplement to time-based expiry.
512 However, Delete support (see section 5) does seem advisable for use
513 with volume-based expiry.
515 We do not believe that volume-based expiry alters the desirability of
516 switching immediately to the new SAs after rekeying. Rekeying
517 margins are normally a small fraction of the total life of an SA, so
518 we feel there is no great need to "use it all up".
520 4.5. Rekeying ISAKMP SAs
522 The above discussion has focused on rekeying for IPsec SAs, but
523 FreeS/WAN applies the same approaches to rekeying for ISAKMP SAs,
524 with similar success.
526 One issue which we have noticed, but not explicitly dealt with, is
527 that difficulties may ensue if an IPsec-SA rekeying negotiation is in
528 progress at the time when the relevant ISAKMP SA gets rekeyed. The
529 IKE specification [IKE] hints, but does not actually say, that a
530 Quick Mode negotiation should remain on a single ISAKMP SA
533 A reasonable rekeying margin will generally prevent the old ISAKMP SA
534 from actually expiring during a negotiation. Some attention may be
535 needed to prevent in-progress negotiations from being switched to the
536 new ISAKMP SA. Any attempt at pre-expiry deletion of the ISAKMP SA
537 must be postponed until after such dangling negotiations are
538 completed, and there should be enough delay between ISAKMP-SA
539 rekeying and a deletion attempt to (more or less) ensure that there
540 are no negotiation-starting packets still in transit from before the
543 At present, FreeS/WAN does none of this, and we don't KNOW of any
544 resulting trouble. With normal lifetimes, the problem should be
545 uncommon, and we speculate that an occasional disrupted negotiation
548 4.6. Bulk Negotiation
550 Quick Mode nominally provides for negotiating possibly-large numbers
551 of similar but unrelated IPsec SAs simultaneously [IKE, section 9].
552 Nobody appears to do this. FreeS/WAN does not support it, and its
553 absence has caused no problems.
559 Spencer & Redelmeier [Page 10]
561 Internet Draft IKE Implementation Issues 26 Feb 2002
564 5. Deletions, Teardowns, Crashes
566 FreeS/WAN currently ignores all Notifications and Deletes, and never
567 generates them. This has caused little difficulty in
568 interoperability, which shouldn't be surprising (since Notification
569 and Delete support is officially entirely optional) but does seem to
570 surprise some people. Nevertheless, we do plan some changes to this
571 approach based on past experience.
575 As hinted at above, we plan to implement Delete support, done as
576 follows. Shortly after rekeying of IPsec SAs, the Responder issues a
577 Delete for its old inbound SAs (but does not actually delete them
578 yet). The Responder initiates this because the Initiator started
579 using the new SAs on sending QM3, while the Responder started using
580 them only on (or somewhat after) receiving QM3, so there is less
581 chance of old-SA packets still being in transit from the Initiator.
582 The Initiator issues an unsolicited Delete only if it does not hear
583 one from the Responder after a longer delay.
585 Either party, on receiving a Delete for one or more of the old
586 outbound SAs of a connection, deletes ALL the connection's SAs, and
587 acknowledges with a Delete for the old inbound SAs. A Delete for
588 nonexistent SAs (e.g., SAs which have already been expired or
589 deleted) is ignored. There is no retransmission of unacknowledged
592 In the normal case, with prompt reliable transmission (except
593 possibly for loss of the Responder's initial Delete) and conforming
594 implementations on both ends, this results in three Deletes being
595 transmitted, resembling the classic three-way handshake. Loss of a
596 Delete after the first, or multiple losses, will cause the SAs not to
597 be deleted on at least one end. It appears difficult to do much
598 better without at least a distinction between request and
601 RFC 2409 section 9 "strongly suggests" that there be no response to
602 informational messages such as Deletes, but the only rationale
603 offered is prevention of infinite loops endlessly exchanging "I don't
604 understand you" informationals. Since Deletes cannot lead to such a
605 loop (and in any case, the nonexistent-SA rule prevents more than one
606 acknowledgement for the same connection), we believe this
607 recommendation is inapplicable here.
609 As noted in section 4.3, these Deletes are intended for resource
610 cleanup, not to control switching between SAs. But we expect that
611 they will improve interoperability with some broken implementations.
615 Spencer & Redelmeier [Page 11]
617 Internet Draft IKE Implementation Issues 26 Feb 2002
620 We believe strongly that connections need to be considered as a
621 whole, rather than treating each SA as an independent entity. We
622 will issue Deletes only for the full set of inbound SAs of a
623 connection, and will treat a Delete for any outbound SA as equivalent
624 to deletion of all the outbound SAs for the associated connection.
626 The above is phrased in terms of IPsec SAs, but essentially the same
627 approach can be applied to ISAKMP SAs (the Deletes for the old ISAKMP
628 SA should be sent via the new one).
630 5.2. Teardowns and Shutdowns
632 When a connection is not intended to be up permanently, there is a
633 need to coordinate teardown, so that both ends are aware that the
634 connection is down. This is both for recovery of resources, and to
635 avoid routing packets through dangling SAs which can no longer
638 Connection teardown will use the same bidirectional exchange of
639 Deletes as discussed in section 5.1: a Delete received for current
640 IPsec SAs (not yet obsoleted by rekeying) indicates that the other
641 host wishes to tear down the associated connection.
643 A Delete received for a current ISAKMP SA indicates that the other
644 host wishes to tear down not only the ISAKMP SA but also all IPsec
645 SAs currently under the supervision of that ISAKMP SA. The 5.1
646 bidirectional exchange might seem impossible in this case, since
647 reception of an ISAKMP-SA Delete indicates that the other end will
648 ignore further traffic on that ISAKMP SA. We suggest using the same
649 tactic discussed in 5.1 for IPsec SAs: the first Delete is sent
650 without actually doing the deletion, and the response to receiving a
651 Delete is to do the deletion and reply with another Delete. If there
652 is no response to the first Delete, retry a small number of times and
653 then give up and do the deletion; apart from being robust against
654 packet loss, this also maximizes the probability that an
655 implementation which does not do the bidirectional Delete will
656 receive at least one of the Deletes.
658 When a host with current connections knows that it is about to shut
659 down, it will issue Deletes for all SAs involved (both IPsec and
660 ISAKMP), advising its peers (as per the meaning of Delete [ISAKMP,
661 section 3.15]) that the SAs have become useless. It will ignore
662 attempts at rekeying or connection startup thereafter, until it shuts
665 It would be better to have a Final-Contact notification, analogous to
666 Initial-Contact but indicating that no new negotiations should be
667 attempted until further notice. Initial-Contact actually could be
671 Spencer & Redelmeier [Page 12]
673 Internet Draft IKE Implementation Issues 26 Feb 2002
676 used for shutdown notification (!), but in networks where connections
677 are intended to exist permanently, it seems likely to provoke
678 unwanted attempts to renegotiate the lost connections.
682 Systems sometimes crash. Coping with the resulting loss of
683 information is easily the most difficult problem we have found in
684 implementing robust IPsec systems.
686 When connections are intended to be permanent, it is simple to
687 specify renegotiation on reboot. With our approach to SA selection
688 (see section 4.3), this handles such cases robustly and well. We do
689 have to tell users that BOTH hosts should be set this way. In cases
690 where crashes are synchronized (e.g. by power interruptions), this
691 may result in simultaneous negotiations at reboot. We currently
692 allow both negotiations to proceed to completion, but our use-newest
693 selection method effectively ignores one connection or the other, and
694 when one of them rekeys, we notice that the new SAs replace those of
695 both old connections, and we then refrain from rekeying the other.
696 (This duplicate detection is desirable in any event, for robustness,
697 to ensure that the system converges on a reasonable state eventually
698 after it is perturbed by difficulties or bugs.)
700 When connections are not permanent, the situation is less happy. One
701 particular situation in which we see problems is when a number of
702 "Road Warrior" hosts occasionally call in to a central server. The
703 server is normally configured not to initiate such connections, since
704 it does not know when the Road Warrior is available (or what IP
705 address it is using). Unfortunately, if the server crashes and
706 reboots, any Road Warriors then connected have a problem: they don't
707 know that the server has crashed, so they can't renegotiate, and the
708 server has forgotten both the connections and their (transient) IP
709 addresses, so it cannot renegotiate.
711 We believe that the simplest answer to this problem is what John
712 Denker has dubbed "address inertia": the server makes a best-effort
713 attempt to remember (in nonvolatile storage) which connections were
714 active and what the far-end addresses were (and what the successful
715 proposal's parameters were), so that it can attempt renegotiation on
716 reboot. We have not implemented this yet, but intend to; Denker has
717 implemented it himself, although in a somewhat messy way, and reports
720 5.4. Network Partitions
722 A network partition, making the two ends unable to reach each other,
723 has many of the same characteristics as having the other end crash...
727 Spencer & Redelmeier [Page 13]
729 Internet Draft IKE Implementation Issues 26 Feb 2002
732 until the network reconnects. It is desirable that recovery from
735 If the network reconnects before any rekeying attempts or other IKE
736 activities occurred, recovery is fully transparent, because the IKEs
737 have no idea that there was any problem. (Complaints such as ICMP
738 Host Unreachable messages are unauthenticated and hence cannot be
739 given much weight.) This fits the general mold of TCP/IP: if nobody
740 wanted to send any traffic, a network outage doesn't matter.
742 If IKE activity did occur, the IKE implementation will discover that
743 the other end doesn't seem to be responding. The preferred response
744 to this depends on the nature of the connection. If it was intended
745 to be ephemeral (e.g. opportunistic encryption [OE]), closing it down
746 after a few retries is reasonable. If the other end is expected to
747 sometimes drop the connection without warning, it may not be
748 desirable to retry at all. (We support both these forms of
749 configurability, and indeed we also have a configuration option to
750 suppress rekeying entirely on one end.)
752 If the connection was intended to be permanent, however, then
753 persistent attempts to re-establish it are appropriate. Some degree
754 of backoff is appropriate here, so that retries get less frequent as
755 the outage gets prolonged. Backoff should be limited, so that re-
756 established connectivity is not followed by a long delay before a
757 retry. Finally, after many retries (say 24 hours' worth), it may be
758 preferable to just declare the connection down and rely on manual
759 intervention to re-establish it, should this be desirable. We do not
760 yet fully support all this.
764 A more complete solution to crashes would be for an IPsec host to
765 note the arrival of ESP packets on an unknown IPsec SA, and report it
766 somehow to the other host, which can then decide to renegotiate.
767 This arguably might be preferable in any case--if the non-rebooted
768 host has no traffic to send, it does not care whether the connection
769 is intact--but delays and packet loss will be reduced if the
770 connection is renegotiated BEFORE there is traffic for it. So
771 unknown-SA detection is best reserved as a fallback method, with
772 address inertia used to deal with most such cases.
774 A difficulty with unknown-SA detection is, just HOW should the other
775 host be notified? IKE provides no good way to do the notification:
776 Notification payloads (e.g., Initial-Contact) are unauthenticated
777 unless they are sent under protection of an ISAKMP SA. A "Security
778 Failures - Bad SPI" ICMP message [SECFAIL] is an interesting
779 alternative, but has the disadvantage of likewise being
783 Spencer & Redelmeier [Page 14]
785 Internet Draft IKE Implementation Issues 26 Feb 2002
788 unauthenticated. It's fundamentally unlikely that there is a simple
789 solution to this, given that almost any way of arranging or checking
790 authentication for such a notification is costly.
792 We think the best answer to this is a two-step approach. An
793 unauthenticated Initial-Contact or Security Failures - Bad SPI cannot
794 be taken as a reliable report of a problem, but can be taken as a
795 hint that a problem MIGHT exist. Then there needs to be some
796 reliable way of checking such hints, subject to rate limiting since
797 the checks are likely to be costly (and checking the same connection
798 repeatedly at short intervals is unlikely to be worthwhile anyway).
799 So the rebooted host sends the notification, and the non-rebooted
800 host--which still thinks it has a connection--checks whether the
801 connection still works, and renegotiates if not.
803 Also, if an IPsec host which believes it has a connection to another
804 host sees an unsuccessful attempt by that host to negotiate a new
805 one, that is also a hint of possible problems, justifying a check and
806 possible renegotiation. ("Unsuccessful" here means a negotiation
807 failure due to lack of a satisfactory proposal. A failure due to
808 authentication failure suggests a denial-of-service attack by a third
809 party, rather than a genuine problem on the legitimate other end.)
810 As noted in section 4.2, it is possible for negotiations to succeed
811 or fail based on which end initiates them, and some robustness
812 against that is desirable.
814 We have not yet decided what form the notification should take. IKE
815 Initial-Contact is an obvious possibility, but has some
816 disadvantages. It does not specify which connection has had
817 difficulties. Also, the specification [IKE section 4.6.3.3] refers
818 to "remote system" and "sending system" without clearly specifying
819 just what "system" means; in the case of a multi-homed host using
820 multiple forms of identification, the question is not trivial.
821 Initial-Contact does have the fairly-decisive advantage that it is
822 likely to convey the right general meaning even to an implementation
823 which does not do things exactly the way ours does.
825 A more fundamental difficulty is what form the reliable check takes.
826 What is wanted is an "IKE ping", verifying that the ISAKMP SA is
827 still intact (it being unlikely that IPsec SAs have been lost while
828 the ISAKMP SA has not). The lack of such a facility is a serious
829 failing of IKE. An acknowledged Notification of some sort would be
830 ideal, but there is none at present. Some existing implementations
831 are known to use the private Notification values 30000 as ping and
832 30002 as ping reply, and that seems the most attractive choice at
833 present. If it is not recognized, there will probably be no reply,
834 and the result will be an unnecessary renegotiation, so this needs
835 strict rate limiting. (Also, when a new connection is set up, it's
839 Spencer & Redelmeier [Page 15]
841 Internet Draft IKE Implementation Issues 26 Feb 2002
844 probably worth determining by experiment whether the other end
845 supports IKE ping, and remembering that.)
847 While we think this facility is desirable, and is about the best that
848 can be done with the poor tools available, we have not gotten very
849 far in implementation and cannot comment intelligently about how well
850 it works or interoperates.
856 We have dropped support for the first Oakley Group (group 1), despite
857 it being officially mandatory, on the grounds that it is grossly too
858 weak to provide enough randomness for 3DES. There have been some
859 interoperability problems, mostly quite minor: ALMOST everyone
860 supports group 2 as well, although sometimes it has to be explicitly
863 We also support the quasi-standard group 5 [GROUPS]. This has not
864 been seriously exercised yet, because historically we offered group 2
865 first and almost everyone accepted it. We have recently changed to
866 offering group 5 first, and no difficulties have been reported.
868 6.2. To PFS Or Not To PFS
870 A persistent small interoperability problem is that the presence or
871 absence of PFS (for keys [IKE, section 5.5]) is neither negotiated
872 nor announced. We have it enabled by default, and successful
873 interoperation often requires having the other end turn it on in
874 their implementation, or having the FreeS/WAN end disable it. Almost
875 everyone supports it, but it's usually not the default, and
876 interoperability is often impossible unless the two ends somehow
877 reach prior agreement on it.
879 We do not explicitly support the other flavor of PFS, for identities
880 [IKE, section 8], and this has caused no interoperability problems.
882 6.3. Debugging Tools, Lack Thereof
884 We find IKE lacking in basic debugging tools. Section 5.4, above,
885 notes that an IKE ping would be useful for connectivity verification.
886 It would also be extremely helpful for determining that UDP/500
887 packets get back and forth successfully between the two ends, which
888 is often an important first step in debugging.
890 It's also quite common to have IKE negotiate a connection
891 successfully, but to have some firewall along the way blocking ESP.
895 Spencer & Redelmeier [Page 16]
897 Internet Draft IKE Implementation Issues 26 Feb 2002
900 Users find this mysterious and difficult to diagnose. We have no
901 immediate suggestions on what could be done about it.
903 6.4. Terminology, Vagueness Thereof
905 The terminology of IPsec needs work. We feel that both the
906 specifications and user-oriented documentation would be greatly
907 clarified by concise, intelligible names for certain concepts.
909 We semi-consistently use "group" for the set of IPsec SAs which are
910 established in one direction by a single Quick Mode negotiation and
911 are used together to process a packet (e.g., an ESP SA plus an AH
912 SA), "connection" for the logical packet path provided by a
913 succession of pairs of groups (each rekeying providing a new pair,
914 one group in each direction), and "keying channel" for the
915 corresponding supervisory path provided by a sequence of ISAKMP SAs.
917 We think it's a botch that "PFS" is used to refer to two very
918 different things, but we have no specific new terms to suggest, since
919 we only implement one kind of PFS and thus can just ignore the other.
921 6.5. A Question of Identity
923 One specification problem deserves note: exactly when can an existing
924 phase 1 negotiation be re-used for a new phase 2 negotiation, as IKE
925 [IKE, section 4] specifies? Presumably, when it connects the same
926 two "parties"... but exactly what is a "party"?
928 As noted in section 5.4, in cases involving multi-homing and multiple
929 identities, it's not clear exactly what criteria are used for
930 deciding whether the intended far end for a new negotiation is the
931 same one as for a previous negotiation. Is it by Identification
932 Payload? By IP address? Or what?
934 We currently use a somewhat-vague notion of "identity", basically
935 what gets sent in Identification Payloads, for this, and this seems
936 to be successful, but we think this needs better specification.
938 6.6. Opportunistic Encryption
940 Further IKE challenges appear in the context of Opportunistic
941 Encryption [OE], but operational experience with it is too limited as
942 yet for us to comment usefully right now.
944 6.7. Authentication and RSA Keys
946 We provide two IKE authentication methods: shared secrets ("pre-
947 shared keys") and RSA digital signatures. (A user-provided add-on
951 Spencer & Redelmeier [Page 17]
953 Internet Draft IKE Implementation Issues 26 Feb 2002
956 package generalizes the latter to limited support for certificates;
957 we have not worked extensively with it ourselves yet and cannot
960 Shared secrets, despite their administrative difficulties, see
961 considerable use, and are also the method of last resort for
962 interoperability problems.
964 For digital signatures, we have taken the somewhat unorthodox
965 approach of using "bare" RSA public keys, either supplied in
966 configuration files or fetched from DNS, rather than getting involved
967 in the complexity of certificates. We encode our RSA public keys
968 using the DNS KEY encoding [DNSRSA] (aka "RFC 2537", although that
969 RFC is now outdated), which has given us no difficulties and which we
970 highly recommend. We have seen two difficulties in connection with
973 First, while a number of IPsec implementations are able to take
974 "bare" RSA public keys, each one seems to have its own idea of what
975 format should be used for transporting them. We've had little
976 success with interoperability here, mostly because of key-format
977 issues; the implementations generally WILL interoperate successfully
978 if you can somehow get an RSA key into them at all, but that's hard.
979 X.509 certificates seem to be the lowest (!) common denominator for
982 Second, although the content of RSA public keys has been stable,
983 there has been a small but subtle change over time in the content of
984 RSA private keys. The "internal modulus", used to compute the
985 private exponent "d" from the public exponent "e" (or vice-versa) was
986 originally [RSA] [PKCS1v1] [SCHNEIER] specified to be (p-1)*(q-1),
987 where p and q are the two primes. However, more recent definitions
988 [PKCS1v2] call it "lambda(n)" and define it to be lcm(p-1, q-1); this
989 appears to be a minor optimization. The result is that private keys
990 generated with the new definition often fail consistency checks in
991 implementations using the old definition. Fortunately, it is seldom
992 necessary to move private keys around. Our software now consistently
993 uses the new definition (and thus will accept keys generated with
994 either definition), but our key generator also has an option to
995 generate old-definition keys, for the benefit of users who upgrade
996 their networks incrementally.
1000 Nonce size is another characteristic that is neither negotiated nor
1001 announced but that the two ends must somehow be able to agree on.
1002 Our software accepts anything between 8 and 256, and defaults to 16.
1003 These numbers were chosen rather arbitrarily, but we have seen no
1007 Spencer & Redelmeier [Page 18]
1009 Internet Draft IKE Implementation Issues 26 Feb 2002
1012 interoperability failures here.
1014 Nothing in the ISAKMP [ISAKMP] or IKE [IKE] specifications says
1015 explicitly that a normal Message ID must be non-zero, but a zero
1016 Message ID in fact causes failures.
1018 Similarly, there is nothing in the specs which says that ISAKMP
1019 cookies must be non-zero, but zero cookies will in fact cause
1022 7. Security Considerations
1024 Since this document discusses aspects of building robust and
1025 interoperable IPsec implementations, security considerations permeate
1030 [AH] Kent, S., and Atkinson, R., "IP Authentication Header",
1033 [CIPHERS] Pereira, R., and Adams, R., "The ESP CBC-Mode Cipher
1034 Algorithms", RFC 2451, Nov 1998.
1036 [CRACK] Electronic Frontier Foundation, "Cracking DES: Secrets of
1037 Encryption Research, Wiretap Politics and Chip Design",
1038 O'Reilly 1998, ISBN 1-56592-520-3.
1040 [DES] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher
1041 Algorithm", RFC 2405, Nov 1998.
1043 [DNSRSA] D. Eastlake 3rd, "RSA/SHA-1 SIGs and RSA KEYs in the
1044 Domain Name System (DNS)", RFC 3110, May 2001.
1046 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
1047 Payload (ESP)", RFC 2406, Nov 1998.
1049 [GROUPS] Kivinen, T., and Kojo, M., "More MODP Diffie-Hellman
1050 groups for IKE", <draft-ietf-ipsec-ike-modp-
1051 groups-04.txt>, 13 Dec 2001 (work in progress).
1053 [IKE] Harkins, D., and Carrel, D., "The Internet Key Exchange
1054 (IKE)", RFC 2409, Nov 1998.
1056 [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
1057 Internet Protocol", RFC 2401, Nov 1998.
1063 Spencer & Redelmeier [Page 19]
1065 Internet Draft IKE Implementation Issues 26 Feb 2002
1068 [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
1069 "Internet Security Association and Key Management Protocol
1070 (ISAKMP)", RFC 2408, Nov 1998.
1072 [OE] Richardson, M., Redelmeier, D. H., and Spencer, H., "A
1073 method for doing opportunistic encryption with IKE",
1074 <draft-richardson-ipsec-opportunistic-06.txt>, 21 Feb 2002
1077 [PKCS1v1] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC
1080 [PKCS1v2] Kaliski, B., and Staddon, J., "PKCS #1: RSA Cryptography
1081 Specifications, Version 2.0", RFC 2437, Oct 1998.
1083 [PFKEY] McDonald, D., Metz, C., and Phan, B., "PF_KEY Key
1084 Management API, Version 2", RFC 2367, July 1998.
1086 [REKEY] Tim Jenkins, "IPsec Re-keying Issues", <draft-jenkins-
1087 ipsec-rekeying-06.txt>, 2 May 2000 (draft expired, work no
1088 longer in progress).
1090 [REPLAY] Krywaniuk, A., "Using Isakmp Message Ids for Replay
1091 Protection", <draft-krywaniuk-ipsec-antireplay-00.txt>, 9
1092 July 2001 (work in progress).
1094 [RSA] Rivest, R.L., Shamir, A., and Adleman, L., "A Method for
1095 Obtaining Digital Signatures and Public-Key
1096 Cryptosystems", Communications of the ACM v21n2, Feb 1978,
1099 [SCHNEIER] Bruce Schneier, "Applied Cryptography", 2nd ed., Wiley
1100 1996, ISBN 0-471-11709-9.
1102 [SECFAIL] Karn, P., and Simpson, W., "ICMP Security Failures
1103 Messages", RFC 2521, March 1999.
1110 Toronto, Ont. M5W1B2
1119 Spencer & Redelmeier [Page 20]
1121 Internet Draft IKE Implementation Issues 26 Feb 2002
1127 Toronto, Ont. M4N2W6
1175 Spencer & Redelmeier [Page 21]
1177 Internet Draft IKE Implementation Issues 26 Feb 2002
1180 Full Copyright Statement
1182 Copyright (C) The Internet Society 2002. All Rights Reserved.
1184 This document and translations of it may be copied and furnished to
1185 others, and derivative works that comment on or otherwise explain it
1186 or assist in its implmentation may be prepared, copied, published and
1187 distributed, in whole or in part, without restriction of any kind,
1188 provided that the above copyright notice and this paragraph are
1189 included on all such copies and derivative works. However, this
1190 document itself may not be modified in any way, such as by removing
1191 the copyright notice or references to the Internet Society or other
1192 Internet organizations, except as needed for the purpose of
1193 developing Internet standards in which case the procedures for
1194 copyrights defined in the Internet Standards process must be
1195 followed, or as required to translate it into languages other than
1198 The limited permissions granted above are perpetual and will not be
1199 revoked by the Internet Society or its successors or assigns.
1201 This document and the information contained herein is provided on an
1202 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1203 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1204 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1205 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1206 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1231 Spencer & Redelmeier [Page 22]
projects / thirdparty / strongswan.git / blob