idnits 2.17.00 (12 Aug 2021) /tmp/idnits26300/draft-kivinen-ipsecme-ikev2-rfc5996bis-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 6, 2014) is 2899 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'CERTREQ' is mentioned on line 2369, but not defined == Missing Reference: 'KEi' is mentioned on line 6344, but not defined == Missing Reference: 'KEr' is mentioned on line 6352, but not defined == Missing Reference: 'CP' is mentioned on line 782, but not defined -- Looks like a reference, but probably isn't: '0' on line 4332 -- Looks like a reference, but probably isn't: '1' on line 4333 == Missing Reference: 'IDr' is mentioned on line 6307, but not defined ** Obsolete normative reference: RFC 2616 (ref. 'HTTP') (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Possible downref: Non-RFC (?) normative reference: ref. 'IKEV2IANA' ** Obsolete normative reference: RFC 3447 (ref. 'PKCS1') (Obsoleted by RFC 8017) ** Obsolete normative reference: RFC 4307 (Obsoleted by RFC 8247) -- Obsolete informational reference (is this intentional?): RFC 4718 (ref. 'Clarif') (Obsoleted by RFC 5996) -- Obsolete informational reference (is this intentional?): RFC 2407 (ref. 'DOI') (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2409 (ref. 'IKEV1') (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 4306 (ref. 'IKEV2') (Obsoleted by RFC 5996) -- Obsolete informational reference (is this intentional?): RFC 2401 (ref. 'IPSECARCH-OLD') (Obsoleted by RFC 4301) -- Obsolete informational reference (is this intentional?): RFC 2408 (ref. 'ISAKMP') (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 4282 (ref. 'NAI') (Obsoleted by RFC 7542) -- Obsolete informational reference (is this intentional?): RFC 5996 (Obsoleted by RFC 7296) Summary: 3 errors (**), 0 flaws (~~), 9 warnings (==), 12 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Kaufman 3 Internet-Draft Microsoft 4 Obsoletes: 5996 (if approved) P. Hoffman 5 Intended status: Standards Track VPN Consortium 6 Expires: December 8, 2014 Y. Nir 7 Check Point 8 P. Eronen 9 Independent 10 T. Kivinen 11 INSIDE Secure 12 June 6, 2014 14 Internet Key Exchange Protocol Version 2 (IKEv2) 15 draft-kivinen-ipsecme-ikev2-rfc5996bis-04.txt 17 Abstract 19 This document describes version 2 of the Internet Key Exchange (IKE) 20 protocol. IKE is a component of IPsec used for performing mutual 21 authentication and establishing and maintaining Security Associations 22 (SAs). This document obsoletes RFC 5996, and includes all of the 23 errata for it. It advances IKEv2 to be an Internet Standard. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on December 8, 2014. 42 Copyright Notice 44 Copyright (c) 2014 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 This document may contain material from IETF Documents or IETF 58 Contributions published or made publicly available before November 59 10, 2008. The person(s) controlling the copyright in some of this 60 material may not have granted the IETF Trust the right to allow 61 modifications of such material outside the IETF Standards Process. 62 Without obtaining an adequate license from the person(s) controlling 63 the copyright in such materials, this document may not be modified 64 outside the IETF Standards Process, and derivative works of it may 65 not be created outside the IETF Standards Process, except to format 66 it for publication as an RFC or to translate it into languages other 67 than English. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 72 1.1. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . 6 73 1.1.1. Security Gateway to Security Gateway in Tunnel Mode . 7 74 1.1.2. Endpoint-to-Endpoint Transport Mode . . . . . . . . . 7 75 1.1.3. Endpoint to Security Gateway in Tunnel Mode . . . . . 8 76 1.1.4. Other Scenarios . . . . . . . . . . . . . . . . . . . 9 77 1.2. The Initial Exchanges . . . . . . . . . . . . . . . . . . 9 78 1.3. The CREATE_CHILD_SA Exchange . . . . . . . . . . . . . . 13 79 1.3.1. Creating New Child SAs with the CREATE_CHILD_SA 80 Exchange . . . . . . . . . . . . . . . . . . . . . . 14 81 1.3.2. Rekeying IKE SAs with the CREATE_CHILD_SA Exchange . 15 82 1.3.3. Rekeying Child SAs with the CREATE_CHILD_SA 83 Exchange . . . . . . . . . . . . . . . . . . . . . . 16 84 1.4. The INFORMATIONAL Exchange . . . . . . . . . . . . . . . 17 85 1.4.1. Deleting an SA with INFORMATIONAL Exchanges . . . . . 17 86 1.5. Informational Messages outside of an IKE SA . . . . . . . 18 87 1.6. Requirements Terminology . . . . . . . . . . . . . . . . 19 88 1.7. Significant Differences between RFC 4306 and RFC5996 . . 19 89 1.8. Differences between RFC 5996 and This Document . . . . . 22 90 2. IKE Protocol Details and Variations . . . . . . . . . . . . . 23 91 2.1. Use of Retransmission Timers . . . . . . . . . . . . . . 23 92 2.2. Use of Sequence Numbers for Message ID . . . . . . . . . 25 93 2.3. Window Size for Overlapping Requests . . . . . . . . . . 26 94 2.4. State Synchronization and Connection Timeouts . . . . . . 27 95 2.5. Version Numbers and Forward Compatibility . . . . . . . . 29 96 2.6. IKE SA SPIs and Cookies . . . . . . . . . . . . . . . . . 30 97 2.6.1. Interaction of COOKIE and INVALID_KE_PAYLOAD . . . . 33 98 2.7. Cryptographic Algorithm Negotiation . . . . . . . . . . . 34 99 2.8. Rekeying . . . . . . . . . . . . . . . . . . . . . . . . 35 100 2.8.1. Simultaneous Child SA Rekeying . . . . . . . . . . . 37 101 2.8.2. Simultaneous IKE SA Rekeying . . . . . . . . . . . . 39 102 2.8.3. Rekeying the IKE SA versus Reauthentication . . . . . 40 103 2.9. Traffic Selector Negotiation . . . . . . . . . . . . . . 41 104 2.9.1. Traffic Selectors Violating Own Policy . . . . . . . 44 105 2.10. Nonces . . . . . . . . . . . . . . . . . . . . . . . . . 44 106 2.11. Address and Port Agility . . . . . . . . . . . . . . . . 45 107 2.12. Reuse of Diffie-Hellman Exponentials . . . . . . . . . . 45 108 2.13. Generating Keying Material . . . . . . . . . . . . . . . 46 109 2.14. Generating Keying Material for the IKE SA . . . . . . . . 47 110 2.15. Authentication of the IKE SA . . . . . . . . . . . . . . 48 111 2.16. Extensible Authentication Protocol Methods . . . . . . . 50 112 2.17. Generating Keying Material for Child SAs . . . . . . . . 52 113 2.18. Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange . . . . 53 114 2.19. Requesting an Internal Address on a Remote Network . . . 54 115 2.20. Requesting the Peer's Version . . . . . . . . . . . . . . 55 116 2.21. Error Handling . . . . . . . . . . . . . . . . . . . . . 56 117 2.21.1. Error Handling in IKE_SA_INIT . . . . . . . . . . . . 56 118 2.21.2. Error Handling in IKE_AUTH . . . . . . . . . . . . . 57 119 2.21.3. Error Handling after IKE SA is Authenticated . . . . 58 120 2.21.4. Error Handling Outside IKE SA . . . . . . . . . . . . 58 121 2.22. IPComp . . . . . . . . . . . . . . . . . . . . . . . . . 59 122 2.23. NAT Traversal . . . . . . . . . . . . . . . . . . . . . . 60 123 2.23.1. Transport Mode NAT Traversal . . . . . . . . . . . . 64 124 2.24. Explicit Congestion Notification (ECN) . . . . . . . . . 68 125 2.25. Exchange Collisions . . . . . . . . . . . . . . . . . . . 68 126 2.25.1. Collisions while Rekeying or Closing Child SAs . . . 69 127 2.25.2. Collisions while Rekeying or Closing IKE SAs . . . . 70 128 3. Header and Payload Formats . . . . . . . . . . . . . . . . . 70 129 3.1. The IKE Header . . . . . . . . . . . . . . . . . . . . . 70 130 3.2. Generic Payload Header . . . . . . . . . . . . . . . . . 73 131 3.3. Security Association Payload . . . . . . . . . . . . . . 75 132 3.3.1. Proposal Substructure . . . . . . . . . . . . . . . . 79 133 3.3.2. Transform Substructure . . . . . . . . . . . . . . . 80 134 3.3.3. Valid Transform Types by Protocol . . . . . . . . . . 84 135 3.3.4. Mandatory Transform IDs . . . . . . . . . . . . . . . 84 136 3.3.5. Transform Attributes . . . . . . . . . . . . . . . . 85 137 3.3.6. Attribute Negotiation . . . . . . . . . . . . . . . . 87 138 3.4. Key Exchange Payload . . . . . . . . . . . . . . . . . . 88 139 3.5. Identification Payloads . . . . . . . . . . . . . . . . . 89 140 3.6. Certificate Payload . . . . . . . . . . . . . . . . . . . 91 141 3.7. Certificate Request Payload . . . . . . . . . . . . . . . 94 142 3.8. Authentication Payload . . . . . . . . . . . . . . . . . 96 143 3.9. Nonce Payload . . . . . . . . . . . . . . . . . . . . . . 97 144 3.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . 98 145 3.10.1. Notify Message Types . . . . . . . . . . . . . . . . 99 146 3.11. Delete Payload . . . . . . . . . . . . . . . . . . . . . 102 147 3.12. Vendor ID Payload . . . . . . . . . . . . . . . . . . . . 103 148 3.13. Traffic Selector Payload . . . . . . . . . . . . . . . . 105 149 3.13.1. Traffic Selector . . . . . . . . . . . . . . . . . . 106 150 3.14. Encrypted Payload . . . . . . . . . . . . . . . . . . . . 108 151 3.15. Configuration Payload . . . . . . . . . . . . . . . . . . 110 152 3.15.1. Configuration Attributes . . . . . . . . . . . . . . 111 153 3.15.2. Meaning of INTERNAL_IP4_SUBNET and 154 INTERNAL_IP6_SUBNET . . . . . . . . . . . . . . . . . 114 155 3.15.3. Configuration Payloads for IPv6 . . . . . . . . . . . 116 156 3.15.4. Address Assignment Failures . . . . . . . . . . . . . 117 157 3.16. Extensible Authentication Protocol (EAP) Payload . . . . 118 158 4. Conformance Requirements . . . . . . . . . . . . . . . . . . 119 159 5. Security Considerations . . . . . . . . . . . . . . . . . . . 121 160 5.1. Traffic Selector Authorization . . . . . . . . . . . . . 124 161 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 125 162 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 125 163 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 127 164 8.1. Normative References . . . . . . . . . . . . . . . . . . 127 165 8.2. Informative References . . . . . . . . . . . . . . . . . 128 166 Appendix A. Summary of Changes from IKEv1 . . . . . . . . . . . 132 167 Appendix B. Diffie-Hellman Groups . . . . . . . . . . . . . . . 133 168 B.1. Group 1 - 768-bit MODP . . . . . . . . . . . . . . . . . 134 169 B.2. Group 2 - 1024-bit MODP . . . . . . . . . . . . . . . . . 134 170 Appendix C. Exchanges and Payloads . . . . . . . . . . . . . . . 134 171 C.1. IKE_SA_INIT Exchange . . . . . . . . . . . . . . . . . . 135 172 C.2. IKE_AUTH Exchange without EAP . . . . . . . . . . . . . . 136 173 C.3. IKE_AUTH Exchange with EAP . . . . . . . . . . . . . . . 137 174 C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying 175 Child SAs . . . . . . . . . . . . . . . . . . . . . . . . 138 176 C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA . . . . 138 177 C.6. INFORMATIONAL Exchange . . . . . . . . . . . . . . . . . 138 179 1. Introduction 181 IP Security (IPsec) provides confidentiality, data integrity, access 182 control, and data source authentication to IP datagrams. These 183 services are provided by maintaining shared state between the source 184 and the sink of an IP datagram. This state defines, among other 185 things, the specific services provided to the datagram, which 186 cryptographic algorithms will be used to provide the services, and 187 the keys used as input to the cryptographic algorithms. 189 Establishing this shared state in a manual fashion does not scale 190 well. Therefore, a protocol to establish this state dynamically is 191 needed. This document describes such a protocol -- the Internet Key 192 Exchange (IKE). Version 1 of IKE was defined in RFCs 2407 [DOI], 193 2408 [ISAKMP], and 2409 [IKEV1]. IKEv2 replaced all of those RFCs. 194 IKEv2 was defined in [IKEV2] (RFC 4306) and was clarified in [Clarif] 195 (RFC 4718). The [RFC5996] replaced and updated RFC 4306 and RFC 196 4718, and this document replaces the RFC 5996 and the intended status 197 for this document will be Internet Standard. IKEv2 as stated in RFC 198 4306 was a change to the IKE protocol that was not backward 199 compatible. RFC 5996 revised RFC 4306 to provide a clarification of 200 IKEv2, making minimum changes to the IKEv2 protocol. The current 201 document slightly revises RFC 5996 to make it suitable for 202 progression to Internet Standard. A list of the significant 203 differences between RFC 4306 and RFC 5996 is given in Section 1.7 and 204 differences between RFC 5996 and this document is given in 205 Section 1.8. 207 IKE performs mutual authentication between two parties and 208 establishes an IKE security association (SA) that includes shared 209 secret information that can be used to efficiently establish SAs for 210 Encapsulating Security Payload (ESP) [ESP] or Authentication Header 211 (AH) [AH] and a set of cryptographic algorithms to be used by the SAs 212 to protect the traffic that they carry. In this document, the term 213 "suite" or "cryptographic suite" refers to a complete set of 214 algorithms used to protect an SA. An initiator proposes one or more 215 suites by listing supported algorithms that can be combined into 216 suites in a mix-and-match fashion. IKE can also negotiate use of IP 217 Compression (IPComp) [IP-COMP] in connection with an ESP or AH SA. 218 The SAs for ESP or AH that get set up through that IKE SA we call 219 "Child SAs". 221 All IKE communications consist of pairs of messages: a request and a 222 response. The pair is called an "exchange", and is sometimes called 223 a "request/response pair". The first exchange of messages 224 establishing an IKE SA are called the IKE_SA_INIT and IKE_AUTH 225 exchanges; subsequent IKE exchanges are called the CREATE_CHILD_SA or 226 INFORMATIONAL exchanges. In the common case, there is a single 227 IKE_SA_INIT exchange and a single IKE_AUTH exchange (a total of four 228 messages) to establish the IKE SA and the first Child SA. In 229 exceptional cases, there may be more than one of each of these 230 exchanges. In all cases, all IKE_SA_INIT exchanges MUST complete 231 before any other exchange type, then all IKE_AUTH exchanges MUST 232 complete, and following that, any number of CREATE_CHILD_SA and 233 INFORMATIONAL exchanges may occur in any order. In some scenarios, 234 only a single Child SA is needed between the IPsec endpoints, and 235 therefore there would be no additional exchanges. Subsequent 236 exchanges MAY be used to establish additional Child SAs between the 237 same authenticated pair of endpoints and to perform housekeeping 238 functions. 240 An IKE message flow always consists of a request followed by a 241 response. It is the responsibility of the requester to ensure 242 reliability. If the response is not received within a timeout 243 interval, the requester needs to retransmit the request (or abandon 244 the connection). 246 The first exchange of an IKE session, IKE_SA_INIT, negotiates 247 security parameters for the IKE SA, sends nonces, and sends Diffie- 248 Hellman values. 250 The second exchange, IKE_AUTH, transmits identities, proves knowledge 251 of the secrets corresponding to the two identities, and sets up an SA 252 for the first (and often only) AH or ESP Child SA (unless there is 253 failure setting up the AH or ESP Child SA, in which case the IKE SA 254 is still established without the Child SA). 256 The types of subsequent exchanges are CREATE_CHILD_SA (which creates 257 a Child SA) and INFORMATIONAL (which deletes an SA, reports error 258 conditions, or does other housekeeping). Every request requires a 259 response. An INFORMATIONAL request with no payloads (other than the 260 empty Encrypted payload required by the syntax) is commonly used as a 261 check for liveness. These subsequent exchanges cannot be used until 262 the initial exchanges have completed. 264 In the description that follows, we assume that no errors occur. 265 Modifications to the flow when errors occur are described in 266 Section 2.21. 268 1.1. Usage Scenarios 270 IKE is used to negotiate ESP or AH SAs in a number of different 271 scenarios, each with its own special requirements. 273 1.1.1. Security Gateway to Security Gateway in Tunnel Mode 275 +-+-+-+-+-+ +-+-+-+-+-+ 276 | | IPsec | | 277 Protected |Tunnel | tunnel |Tunnel | Protected 278 Subnet <-->|Endpoint |<---------->|Endpoint |<--> Subnet 279 | | | | 280 +-+-+-+-+-+ +-+-+-+-+-+ 282 Figure 1: Security Gateway to Security Gateway Tunnel 284 In this scenario, neither endpoint of the IP connection implements 285 IPsec, but network nodes between them protect traffic for part of the 286 way. Protection is transparent to the endpoints, and depends on 287 ordinary routing to send packets through the tunnel endpoints for 288 processing. Each endpoint would announce the set of addresses 289 "behind" it, and packets would be sent in tunnel mode where the inner 290 IP header would contain the IP addresses of the actual endpoints. 292 1.1.2. Endpoint-to-Endpoint Transport Mode 294 +-+-+-+-+-+ +-+-+-+-+-+ 295 | | IPsec transport | | 296 |Protected| or tunnel mode SA |Protected| 297 |Endpoint |<---------------------------------------->|Endpoint | 298 | | | | 299 +-+-+-+-+-+ +-+-+-+-+-+ 301 Figure 2: Endpoint to Endpoint 303 In this scenario, both endpoints of the IP connection implement 304 IPsec, as required of hosts in [IPSECARCH]. Transport mode will 305 commonly be used with no inner IP header. A single pair of addresses 306 will be negotiated for packets to be protected by this SA. These 307 endpoints MAY implement application-layer access controls based on 308 the IPsec authenticated identities of the participants. This 309 scenario enables the end-to-end security that has been a guiding 310 principle for the Internet since [ARCHPRINC], [TRANSPARENCY], and a 311 method of limiting the inherent problems with complexity in networks 312 noted by [ARCHGUIDEPHIL]. Although this scenario may not be fully 313 applicable to the IPv4 Internet, it has been deployed successfully in 314 specific scenarios within intranets using IKEv1. It should be more 315 broadly enabled during the transition to IPv6 and with the adoption 316 of IKEv2. 318 It is possible in this scenario that one or both of the protected 319 endpoints will be behind a network address translation (NAT) node, in 320 which case the tunneled packets will have to be UDP encapsulated so 321 that port numbers in the UDP headers can be used to identify 322 individual endpoints "behind" the NAT (see Section 2.23). 324 1.1.3. Endpoint to Security Gateway in Tunnel Mode 326 +-+-+-+-+-+ +-+-+-+-+-+ 327 | | IPsec | | Protected 328 |Protected| tunnel |Tunnel | Subnet 329 |Endpoint |<------------------------>|Endpoint |<--- and/or 330 | | | | Internet 331 +-+-+-+-+-+ +-+-+-+-+-+ 333 Figure 3: Endpoint to Security Gateway Tunnel 335 In this scenario, a protected endpoint (typically a portable roaming 336 computer) connects back to its corporate network through an IPsec- 337 protected tunnel. It might use this tunnel only to access 338 information on the corporate network, or it might tunnel all of its 339 traffic back through the corporate network in order to take advantage 340 of protection provided by a corporate firewall against Internet-based 341 attacks. In either case, the protected endpoint will want an IP 342 address associated with the security gateway so that packets returned 343 to it will go to the security gateway and be tunneled back. This IP 344 address may be static or may be dynamically allocated by the security 345 gateway. In support of the latter case, IKEv2 includes a mechanism 346 (namely, configuration payloads) for the initiator to request an IP 347 address owned by the security gateway for use for the duration of its 348 SA. 350 In this scenario, packets will use tunnel mode. On each packet from 351 the protected endpoint, the outer IP header will contain the source 352 IP address associated with its current location (i.e., the address 353 that will get traffic routed to the endpoint directly), while the 354 inner IP header will contain the source IP address assigned by the 355 security gateway (i.e., the address that will get traffic routed to 356 the security gateway for forwarding to the endpoint). The outer 357 destination address will always be that of the security gateway, 358 while the inner destination address will be the ultimate destination 359 for the packet. 361 In this scenario, it is possible that the protected endpoint will be 362 behind a NAT. In that case, the IP address as seen by the security 363 gateway will not be the same as the IP address sent by the protected 364 endpoint, and packets will have to be UDP encapsulated in order to be 365 routed properly. Interaction with NATs is covered in detail in 366 Section 2.23. 368 1.1.4. Other Scenarios 370 Other scenarios are possible, as are nested combinations of the 371 above. One notable example combines aspects of Sections 1.1.1 and 372 1.1.3. A subnet may make all external accesses through a remote 373 security gateway using an IPsec tunnel, where the addresses on the 374 subnet are routed to the security gateway by the rest of the 375 Internet. An example would be someone's home network being virtually 376 on the Internet with static IP addresses even though connectivity is 377 provided by an ISP that assigns a single dynamically assigned IP 378 address to the user's security gateway (where the static IP addresses 379 and an IPsec relay are provided by a third party located elsewhere). 381 1.2. The Initial Exchanges 383 Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH 384 exchanges (known in IKEv1 as Phase 1). These initial exchanges 385 normally consist of four messages, though in some scenarios that 386 number can grow. All communications using IKE consist of request/ 387 response pairs. We'll describe the base exchange first, followed by 388 variations. The first pair of messages (IKE_SA_INIT) negotiate 389 cryptographic algorithms, exchange nonces, and do a Diffie-Hellman 390 exchange [DH]. 392 The second pair of messages (IKE_AUTH) authenticate the previous 393 messages, exchange identities and certificates, and establish the 394 first Child SA. Parts of these messages are encrypted and integrity 395 protected with keys established through the IKE_SA_INIT exchange, so 396 the identities are hidden from eavesdroppers and all fields in all 397 the messages are authenticated. See Section 2.14 for information on 398 how the encryption keys are generated. (A man-in-the-middle attacker 399 who cannot complete the IKE_AUTH exchange can nonetheless see the 400 identity of the initiator.) 402 All messages following the initial exchange are cryptographically 403 protected using the cryptographic algorithms and keys negotiated in 404 the IKE_SA_INIT exchange. These subsequent messages use the syntax 405 of the Encrypted payload described in Section 3.14, encrypted with 406 keys that are derived as described in Section 2.14. All subsequent 407 messages include an Encrypted payload, even if they are referred to 408 in the text as "empty". For the CREATE_CHILD_SA, IKE_AUTH, or 409 INFORMATIONAL exchanges, the message following the header is 410 encrypted and the message including the header is integrity protected 411 using the cryptographic algorithms negotiated for the IKE SA. 413 Every IKE message contains a Message ID as part of its fixed header. 414 This Message ID is used to match up requests and responses, and to 415 identify retransmissions of messages. 417 In the following descriptions, the payloads contained in the message 418 are indicated by names as listed below. 420 Notation Payload 421 ----------------------------------------- 422 AUTH Authentication 423 CERT Certificate 424 CERTREQ Certificate Request 425 CP Configuration 426 D Delete 427 EAP Extensible Authentication 428 HDR IKE header (not a payload) 429 IDi Identification - Initiator 430 IDr Identification - Responder 431 KE Key Exchange 432 Ni, Nr Nonce 433 N Notify 434 SA Security Association 435 SK Encrypted and Authenticated 436 TSi Traffic Selector - Initiator 437 TSr Traffic Selector - Responder 438 V Vendor ID 440 The details of the contents of each payload are described in section 441 3. Payloads that may optionally appear will be shown in brackets, 442 such as [CERTREQ]; this indicates that a Certificate Request payload 443 can optionally be included. 445 The initial exchanges are as follows: 447 Initiator Responder 448 ------------------------------------------------------------------- 449 HDR, SAi1, KEi, Ni --> 451 HDR contains the Security Parameter Indexes (SPIs), version numbers, 452 Exchange Type, Message ID, and flags of various sorts. The SAi1 453 payload states the cryptographic algorithms the initiator supports 454 for the IKE SA. The KE payload sends the initiator's Diffie-Hellman 455 value. Ni is the initiator's nonce. 457 <-- HDR, SAr1, KEr, Nr, [CERTREQ] 459 The responder chooses a cryptographic suite from the initiator's 460 offered choices and expresses that choice in the SAr1 payload, 461 completes the Diffie-Hellman exchange with the KEr payload, and sends 462 its nonce in the Nr payload. 464 At this point in the negotiation, each party can generate a quantity 465 called SKEYSEED (see Section 2.14), from which all keys are derived 466 for that IKE SA. The messages that follow are encrypted and 467 integrity protected in their entirety, with the exception of the 468 message headers. The keys used for the encryption and integrity 469 protection are derived from SKEYSEED and are known as SK_e 470 (encryption) and SK_a (authentication, a.k.a. integrity protection); 471 see Sections 2.13 and 2.14 for details on the key derivation. A 472 separate SK_e and SK_a is computed for each direction. In addition 473 to the keys SK_e and SK_a derived from the Diffie-Hellman value for 474 protection of the IKE SA, another quantity SK_d is derived and used 475 for derivation of further keying material for Child SAs. The 476 notation SK { ... } indicates that these payloads are encrypted and 477 integrity protected using that direction's SK_e and SK_a. 479 HDR, SK {IDi, [CERT,] [CERTREQ,] 480 [IDr,] AUTH, SAi2, 481 TSi, TSr} --> 483 The initiator asserts its identity with the IDi payload, proves 484 knowledge of the secret corresponding to IDi and integrity protects 485 the contents of the first message using the AUTH payload (see 486 Section 2.15). It might also send its certificate(s) in CERT 487 payload(s) and a list of its trust anchors in CERTREQ payload(s). If 488 any CERT payloads are included, the first certificate provided MUST 489 contain the public key used to verify the AUTH field. 491 The optional payload IDr enables the initiator to specify to which of 492 the responder's identities it wants to talk. This is useful when the 493 machine on which the responder is running is hosting multiple 494 identities at the same IP address. If the IDr proposed by the 495 initiator is not acceptable to the responder, the responder might use 496 some other IDr to finish the exchange. If the initiator then does 497 not accept the fact that responder used an IDr different than the one 498 that was requested, the initiator can close the SA after noticing the 499 fact. 501 The Traffic Selectors (TSi and TSr) are discussed in Section 2.9. 503 The initiator begins negotiation of a Child SA using the SAi2 504 payload. The final fields (starting with SAi2) are described in the 505 description of the CREATE_CHILD_SA exchange. 507 <-- HDR, SK {IDr, [CERT,] AUTH, 508 SAr2, TSi, TSr} 510 The responder asserts its identity with the IDr payload, optionally 511 sends one or more certificates (again with the certificate containing 512 the public key used to verify AUTH listed first), authenticates its 513 identity and protects the integrity of the second message with the 514 AUTH payload, and completes negotiation of a Child SA with the 515 additional fields described below in the CREATE_CHILD_SA exchange. 517 Both parties in the IKE_AUTH exchange MUST verify that all signatures 518 and Message Authentication Codes (MACs) are computed correctly. If 519 either side uses a shared secret for authentication, the names in the 520 ID payload MUST correspond to the key used to generate the AUTH 521 payload. 523 Because the initiator sends its Diffie-Hellman value in the 524 IKE_SA_INIT, it must guess the Diffie-Hellman group that the 525 responder will select from its list of supported groups. If the 526 initiator guesses wrong, the responder will respond with a Notify 527 payload of type INVALID_KE_PAYLOAD indicating the selected group. In 528 this case, the initiator MUST retry the IKE_SA_INIT with the 529 corrected Diffie-Hellman group. The initiator MUST again propose its 530 full set of acceptable cryptographic suites because the rejection 531 message was unauthenticated and otherwise an active attacker could 532 trick the endpoints into negotiating a weaker suite than a stronger 533 one that they both prefer. 535 If creating the Child SA during the IKE_AUTH exchange fails for some 536 reason, the IKE SA is still created as usual. The list of Notify 537 message types in the IKE_AUTH exchange that do not prevent an IKE SA 538 from being set up include at least the following: NO_PROPOSAL_CHOSEN, 539 TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and 540 FAILED_CP_REQUIRED. 542 If the failure is related to creating the IKE SA (for example, an 543 AUTHENTICATION_FAILED Notify error message is returned), the IKE SA 544 is not created. Note that although the IKE_AUTH messages are 545 encrypted and integrity protected, if the peer receiving this Notify 546 error message has not yet authenticated the other end (or if the peer 547 fails to authenticate the other end for some reason), the information 548 needs to be treated with caution. More precisely, assuming that the 549 MAC verifies correctly, the sender of the error Notify message is 550 known to be the responder of the IKE_SA_INIT exchange, but the 551 sender's identity cannot be assured. 553 Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads. 554 Thus, the SA payloads in the IKE_AUTH exchange cannot contain 555 Transform Type 4 (Diffie-Hellman group) with any value other than 556 NONE. Implementations SHOULD omit the whole transform substructure 557 instead of sending value NONE. 559 1.3. The CREATE_CHILD_SA Exchange 561 The CREATE_CHILD_SA exchange is used to create new Child SAs and to 562 rekey both IKE SAs and Child SAs. This exchange consists of a single 563 request/response pair, and some of its function was referred to as a 564 Phase 2 exchange in IKEv1. It MAY be initiated by either end of the 565 IKE SA after the initial exchanges are completed. 567 An SA is rekeyed by creating a new SA and then deleting the old one. 568 This section describes the first part of rekeying, the creation of 569 new SAs; Section 2.8 covers the mechanics of rekeying, including 570 moving traffic from old to new SAs and the deletion of the old SAs. 571 The two sections must be read together to understand the entire 572 process of rekeying. 574 Either endpoint may initiate a CREATE_CHILD_SA exchange, so in this 575 section the term initiator refers to the endpoint initiating this 576 exchange. An implementation MAY refuse all CREATE_CHILD_SA requests 577 within an IKE SA. 579 The CREATE_CHILD_SA request MAY optionally contain a KE payload for 580 an additional Diffie-Hellman exchange to enable stronger guarantees 581 of forward secrecy for the Child SA. The keying material for the 582 Child SA is a function of SK_d established during the establishment 583 of the IKE SA, the nonces exchanged during the CREATE_CHILD_SA 584 exchange, and the Diffie-Hellman value (if KE payloads are included 585 in the CREATE_CHILD_SA exchange). 587 If a CREATE_CHILD_SA exchange includes a KEi payload, at least one of 588 the SA offers MUST include the Diffie-Hellman group of the KEi. The 589 Diffie-Hellman group of the KEi MUST be an element of the group the 590 initiator expects the responder to accept (additional Diffie-Hellman 591 groups can be proposed). If the responder selects a proposal using a 592 different Diffie-Hellman group (other than NONE), the responder MUST 593 reject the request and indicate its preferred Diffie-Hellman group in 594 the INVALID_KE_PAYLOAD Notify payload. There are two octets of data 595 associated with this notification: the accepted Diffie-Hellman group 596 number in big endian order. In the case of such a rejection, the 597 CREATE_CHILD_SA exchange fails, and the initiator will probably retry 598 the exchange with a Diffie-Hellman proposal and KEi in the group that 599 the responder gave in the INVALID_KE_PAYLOAD Notify payload. 601 The responder sends a NO_ADDITIONAL_SAS notification to indicate that 602 a CREATE_CHILD_SA request is unacceptable because the responder is 603 unwilling to accept any more Child SAs on this IKE SA. This 604 notification can also be used to reject IKE SA rekey. Some minimal 605 implementations may only accept a single Child SA setup in the 606 context of an initial IKE exchange and reject any subsequent attempts 607 to add more. 609 1.3.1. Creating New Child SAs with the CREATE_CHILD_SA Exchange 611 A Child SA may be created by sending a CREATE_CHILD_SA request. The 612 CREATE_CHILD_SA request for creating a new Child SA is: 614 Initiator Responder 615 ------------------------------------------------------------------- 616 HDR, SK {SA, Ni, [KEi], 617 TSi, TSr} --> 619 The initiator sends SA offer(s) in the SA payload, a nonce in the Ni 620 payload, optionally a Diffie-Hellman value in the KEi payload, and 621 the proposed Traffic Selectors for the proposed Child SA in the TSi 622 and TSr payloads. 624 The CREATE_CHILD_SA response for creating a new Child SA is: 626 <-- HDR, SK {SA, Nr, [KEr], 627 TSi, TSr} 629 The responder replies (using the same Message ID to respond) with the 630 accepted offer in an SA payload, nonce in the Nr payload, and a 631 Diffie-Hellman value in the KEr payload if KEi was included in the 632 request and the selected cryptographic suite includes that group. 634 The Traffic Selectors for traffic to be sent on that SA are specified 635 in the TS payloads in the response, which may be a subset of what the 636 initiator of the Child SA proposed. 638 The USE_TRANSPORT_MODE notification MAY be included in a request 639 message that also includes an SA payload requesting a Child SA. It 640 requests that the Child SA use transport mode rather than tunnel mode 641 for the SA created. If the request is accepted, the response MUST 642 also include a notification of type USE_TRANSPORT_MODE. If the 643 responder declines the request, the Child SA will be established in 644 tunnel mode. If this is unacceptable to the initiator, the initiator 645 MUST delete the SA. Note: Except when using this option to negotiate 646 transport mode, all Child SAs will use tunnel mode. 648 The ESP_TFC_PADDING_NOT_SUPPORTED notification asserts that the 649 sending endpoint will not accept packets that contain Traffic Flow 650 Confidentiality (TFC) padding over the Child SA being negotiated. If 651 neither endpoint accepts TFC padding, this notification is included 652 in both the request and the response. If this notification is 653 included in only one of the messages, TFC padding can still be sent 654 in the other direction. 656 The NON_FIRST_FRAGMENTS_ALSO notification is used for fragmentation 657 control. See [IPSECARCH] for a fuller explanation. Both parties 658 need to agree to sending non-first fragments before either party does 659 so. It is enabled only if NON_FIRST_FRAGMENTS_ALSO notification is 660 included in both the request proposing an SA and the response 661 accepting it. If the responder does not want to send or receive non- 662 first fragments, it only omits NON_FIRST_FRAGMENTS_ALSO notification 663 from its response, but does not reject the whole Child SA creation. 665 An IPCOMP_SUPPORTED notification, covered in Section 2.22, can also 666 be included in the exchange. 668 A failed attempt to create a Child SA SHOULD NOT tear down the IKE 669 SA: there is no reason to lose the work done to set up the IKE SA. 670 See Section 2.21 for a list of error messages that might occur if 671 creating a Child SA fails. 673 1.3.2. Rekeying IKE SAs with the CREATE_CHILD_SA Exchange 675 The CREATE_CHILD_SA request for rekeying an IKE SA is: 677 Initiator Responder 678 ------------------------------------------------------------------- 679 HDR, SK {SA, Ni, KEi} --> 681 The initiator sends SA offer(s) in the SA payload, a nonce in the Ni 682 payload, and a Diffie-Hellman value in the KEi payload. The KEi 683 payload MUST be included. A new initiator SPI is supplied in the SPI 684 field of the SA payload. Once a peer receives a request to rekey an 685 IKE SA or sends a request to rekey an IKE SA, it SHOULD NOT start any 686 new CREATE_CHILD_SA exchanges on the IKE SA that is being rekeyed. 688 The CREATE_CHILD_SA response for rekeying an IKE SA is: 690 <-- HDR, SK {SA, Nr, KEr} 692 The responder replies (using the same Message ID to respond) with the 693 accepted offer in an SA payload, nonce in the Nr payload, and a 694 Diffie-Hellman value in the KEr payload if the selected cryptographic 695 suite includes that group. A new responder SPI is supplied in the 696 SPI field of the SA payload. 698 The new IKE SA has its message counters set to 0, regardless of what 699 they were in the earlier IKE SA. The first IKE requests from both 700 sides on the new IKE SA will have Message ID 0. The old IKE SA 701 retains its numbering, so any further requests (for example, to 702 delete the IKE SA) will have consecutive numbering. The new IKE SA 703 also has its window size reset to 1, and the initiator in this rekey 704 exchange is the new "original initiator" of the new IKE SA. 706 Section 2.18 also covers IKE SA rekeying in detail. 708 1.3.3. Rekeying Child SAs with the CREATE_CHILD_SA Exchange 710 The CREATE_CHILD_SA request for rekeying a Child SA is: 712 Initiator Responder 713 ------------------------------------------------------------------- 714 HDR, SK {N(REKEY_SA), SA, Ni, [KEi], 715 TSi, TSr} --> 717 The initiator sends SA offer(s) in the SA payload, a nonce in the Ni 718 payload, optionally a Diffie-Hellman value in the KEi payload, and 719 the proposed Traffic Selectors for the proposed Child SA in the TSi 720 and TSr payloads. 722 The notifications described in Section 1.3.1 may also be sent in a 723 rekeying exchange. Usually, these will be the same notifications 724 that were used in the original exchange; for example, when rekeying a 725 transport mode SA, the USE_TRANSPORT_MODE notification will be used. 727 The REKEY_SA notification MUST be included in a CREATE_CHILD_SA 728 exchange if the purpose of the exchange is to replace an existing ESP 729 or AH SA. The SA being rekeyed is identified by the SPI field in the 730 Notify payload; this is the SPI the exchange initiator would expect 731 in inbound ESP or AH packets. There is no data associated with this 732 Notify message type. The Protocol ID field of the REKEY_SA 733 notification is set to match the protocol of the SA we are rekeying, 734 for example, 3 for ESP and 2 for AH. 736 The CREATE_CHILD_SA response for rekeying a Child SA is: 738 <-- HDR, SK {SA, Nr, [KEr], 739 TSi, TSr} 741 The responder replies (using the same Message ID to respond) with the 742 accepted offer in an SA payload, nonce in the Nr, and a Diffie- 743 Hellman value in the KEr payload if KEi was included in the request 744 and the selected cryptographic suite includes that group. 746 The Traffic Selectors for traffic to be sent on that SA are specified 747 in the TS payloads in the response, which may be a subset of what the 748 initiator of the Child SA proposed. 750 1.4. The INFORMATIONAL Exchange 752 At various points during the operation of an IKE SA, peers may desire 753 to convey control messages to each other regarding errors or 754 notifications of certain events. To accomplish this, IKE defines an 755 INFORMATIONAL exchange. INFORMATIONAL exchanges MUST ONLY occur 756 after the initial exchanges and are cryptographically protected with 757 the negotiated keys. Note that some informational messages, not 758 exchanges, can be sent outside the context of an IKE SA. Section 759 2.21 also covers error messages in great detail. 761 Control messages that pertain to an IKE SA MUST be sent under that 762 IKE SA. Control messages that pertain to Child SAs MUST be sent 763 under the protection of the IKE SA that generated them (or its 764 successor if the IKE SA was rekeyed). 766 Messages in an INFORMATIONAL exchange contain zero or more 767 Notification, Delete, and Configuration payloads. The recipient of 768 an INFORMATIONAL exchange request MUST send some response; otherwise, 769 the sender will assume the message was lost in the network and will 770 retransmit it. That response MAY be an empty message. The request 771 message in an INFORMATIONAL exchange MAY also contain no payloads. 772 This is the expected way an endpoint can ask the other endpoint to 773 verify that it is alive. 775 The INFORMATIONAL exchange is defined as: 777 Initiator Responder 778 ------------------------------------------------------------------- 779 HDR, SK {[N,] [D,] 780 [CP,] ...} --> 781 <-- HDR, SK {[N,] [D,] 782 [CP], ...} 784 The processing of an INFORMATIONAL exchange is determined by its 785 component payloads. 787 1.4.1. Deleting an SA with INFORMATIONAL Exchanges 789 ESP and AH SAs always exist in pairs, with one SA in each direction. 790 When an SA is closed, both members of the pair MUST be closed (that 791 is, deleted). Each endpoint MUST close its incoming SAs and allow 792 the other endpoint to close the other SA in each pair. To delete an 793 SA, an INFORMATIONAL exchange with one or more Delete payloads is 794 sent listing the SPIs (as they would be expected in the headers of 795 inbound packets) of the SAs to be deleted. The recipient MUST close 796 the designated SAs. Note that one never sends Delete payloads for 797 the two sides of an SA in a single message. If there are many SAs to 798 delete at the same time, one includes Delete payloads for the inbound 799 half of each SA pair in the INFORMATIONAL exchange. 801 Normally, the response in the INFORMATIONAL exchange will contain 802 Delete payloads for the paired SAs going in the other direction. 803 There is one exception. If, by chance, both ends of a set of SAs 804 independently decide to close them, each may send a Delete payload 805 and the two requests may cross in the network. If a node receives a 806 delete request for SAs for which it has already issued a delete 807 request, it MUST delete the outgoing SAs while processing the request 808 and the incoming SAs while processing the response. In that case, 809 the responses MUST NOT include Delete payloads for the deleted SAs, 810 since that would result in duplicate deletion and could in theory 811 delete the wrong SA. 813 Similar to ESP and AH SAs, IKE SAs are also deleted by sending an 814 Informational exchange. Deleting an IKE SA implicitly closes any 815 remaining Child SAs negotiated under it. The response to a request 816 that deletes the IKE SA is an empty INFORMATIONAL response. 818 Half-closed ESP or AH connections are anomalous, and a node with 819 auditing capability should probably audit their existence if they 820 persist. Note that this specification does not specify time periods, 821 so it is up to individual endpoints to decide how long to wait. A 822 node MAY refuse to accept incoming data on half-closed connections 823 but MUST NOT unilaterally close them and reuse the SPIs. If 824 connection state becomes sufficiently messed up, a node MAY close the 825 IKE SA, as described above. It can then rebuild the SAs it needs on 826 a clean base under a new IKE SA. 828 1.5. Informational Messages outside of an IKE SA 830 There are some cases in which a node receives a packet that it cannot 831 process, but it may want to notify the sender about this situation. 833 o If an ESP or AH packet arrives with an unrecognized SPI. This 834 might be due to the receiving node having recently crashed and 835 lost state, or because of some other system malfunction or attack. 837 o If an encrypted IKE request packet arrives on port 500 or 4500 838 with an unrecognized IKE SPI. This might be due to the receiving 839 node having recently crashed and lost state, or because of some 840 other system malfunction or attack. 842 o If an IKE request packet arrives with a higher major version 843 number than the implementation supports. 845 In the first case, if the receiving node has an active IKE SA to the 846 IP address from whence the packet came, it MAY send an INVALID_SPI 847 notification of the wayward packet over that IKE SA in an 848 INFORMATIONAL exchange. The Notification Data contains the SPI of 849 the invalid packet. The recipient of this notification cannot tell 850 whether the SPI is for AH or ESP, but this is not important because 851 in many cases the SPIs will be different for the two. If no suitable 852 IKE SA exists, the node MAY send an informational message without 853 cryptographic protection to the source IP address, using the source 854 UDP port as the destination port if the packet was UDP (UDP- 855 encapsulated ESP or AH). In this case, it should only be used by the 856 recipient as a hint that something might be wrong (because it could 857 easily be forged). This message is not part of an INFORMATIONAL 858 exchange, and the receiving node MUST NOT respond to it because doing 859 so could cause a message loop. The message is constructed as 860 follows: there are no IKE SPI values that would be meaningful to the 861 recipient of such a notification; using zero values or random values 862 are both acceptable, this being the exception to the rule in 863 Section 3.1 that prohibits zero IKE Initiator SPIs. The Initiator 864 flag is set to 1, the Response flag is set to 0, and the version 865 flags are set in the normal fashion; these flags are described in 866 Section 3.1. 868 In the second and third cases, the message is always sent without 869 cryptographic protection (outside of an IKE SA), and includes either 870 an INVALID_IKE_SPI or an INVALID_MAJOR_VERSION notification (with no 871 notification data). The message is a response message, and thus it 872 is sent to the IP address and port from whence it came with the same 873 IKE SPIs and the Message ID and Exchange Type are copied from the 874 request. The Response flag is set to 1, and the version flags are 875 set in the normal fashion. 877 1.6. Requirements Terminology 879 Definitions of the primitive terms in this document (such as Security 880 Association or SA) can be found in [IPSECARCH]. It should be noted 881 that parts of IKEv2 rely on some of the processing rules in 882 [IPSECARCH], as described in various sections of this document. 884 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 885 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 886 document are to be interpreted as described in [MUSTSHOULD]. 888 1.7. Significant Differences between RFC 4306 and RFC5996 890 This document contains clarifications and amplifications to IKEv2 891 [IKEV2]. Many of the clarifications are based on [Clarif]. The 892 changes listed in that document were discussed in the IPsec Working 893 Group and, after the Working Group was disbanded, on the IPsec 894 mailing list. That document contains detailed explanations of areas 895 that were unclear in IKEv2, and is thus useful to implementers of 896 IKEv2. 898 The protocol described in this document retains the same major 899 version number (2) and minor version number (0) as was used in RFC 900 4306. That is, the version number is *not* changed from RFC 4306. 901 The small number of technical changes listed here are not expected to 902 affect RFC 4306 implementations that have already been deployed at 903 the time of publication of this document. 905 This document makes the figures and references a bit more consistent 906 than they were in [IKEV2]. 908 IKEv2 developers have noted that the SHOULD-level requirements in RFC 909 4306 are often unclear in that they don't say when it is OK to not 910 obey the requirements. They also have noted that there are MUST- 911 level requirements that are not related to interoperability. This 912 document has more explanation of some of these requirements. All 913 non-capitalized uses of the words SHOULD and MUST now mean their 914 normal English sense, not the interoperability sense of [MUSTSHOULD]. 916 IKEv2 (and IKEv1) developers have noted that there is a great deal of 917 material in the tables of codes in Section 3.10.1 in RFC 4306. This 918 leads to implementers not having all the needed information in the 919 main body of the document. Much of the material from those tables 920 has been moved into the associated parts of the main body of the 921 document. 923 This document removes discussion of nesting AH and ESP. This was a 924 mistake in RFC 4306 caused by the lag between finishing RFC 4306 and 925 RFC 4301. Basically, IKEv2 is based on RFC 4301, which does not 926 include "SA bundles" that were part of RFC 2401. While a single 927 packet can go through IPsec processing multiple times, each of these 928 passes uses a separate SA, and the passes are coordinated by the 929 forwarding tables. In IKEv2, each of these SAs has to be created 930 using a separate CREATE_CHILD_SA exchange. 932 This document removes discussion of the INTERNAL_ADDRESS_EXPIRY 933 configuration attribute because its implementation was very 934 problematic. Implementations that conform to this document MUST 935 ignore proposals that have configuration attribute type 5, the old 936 value for INTERNAL_ADDRESS_EXPIRY. This document also removed 937 INTERNAL_IP6_NBNS as a configuration attribute. 939 This document removes the allowance for rejecting messages in which 940 the payloads were not in the "right" order; now implementations MUST 941 NOT reject them. This is due to the lack of clarity where the orders 942 for the payloads are described. 944 The lists of items from RFC 4306 that ended up in the IANA registry 945 were trimmed to only include items that were actually defined in RFC 946 4306. Also, many of those lists are now preceded with the very 947 important instruction to developers that they really should look at 948 the IANA registry at the time of development because new items have 949 been added since RFC 4306. 951 This document adds clarification on when notifications are and are 952 not sent encrypted, depending on the state of the negotiation at the 953 time. 955 This document discusses more about how to negotiate combined-mode 956 ciphers. 958 In Section 1.3.2, "The KEi payload SHOULD be included" was changed to 959 be "The KEi payload MUST be included". This also led to changes in 960 Section 2.18. 962 In Section 2.1, there is new material covering how the initiator's 963 SPI and/or IP is used to differentiate if this is a "half-open" IKE 964 SA or a new request. 966 This document clarifies the use of the critical flag in Section 2.5. 968 In Section 2.8, "Note that, when rekeying, the new Child SA MAY have 969 different Traffic Selectors and algorithms than the old one" was 970 changed to "Note that, when rekeying, the new Child SA SHOULD NOT 971 have different Traffic Selectors and algorithms than the old one". 973 The new Section 2.8.2 covers simultaneous IKE SA rekeying. 975 The new Section 2.9.2 covers Traffic Selectors in rekeying. 977 This document adds the restriction in Section 2.13 that all 978 pseudorandom functions (PRFs) used with IKEv2 MUST take variable- 979 sized keys. This should not affect any implementations because there 980 were no standardized PRFs that have fixed-size keys. 982 Section 2.18 requires doing a Diffie-Hellman exchange when rekeying 983 the IKE_SA. In theory, RFC 4306 allowed a policy where the Diffie- 984 Hellman exchange was optional, but this was not useful (or 985 appropriate) when rekeying the IKE_SA. 987 Section 2.21 has been greatly expanded to cover the different cases 988 where error responses are needed and the appropriate responses to 989 them. 991 Section 2.23 clarified that, in NAT traversal, now both UDP- 992 encapsulated IPsec packets and non-UDP-encapsulated IPsec packets 993 need to be understood when receiving. 995 Added Section 2.23.1 to describe NAT traversal when transport mode is 996 requested. 998 Added Section 2.25 to explain how to act when there are timing 999 collisions when deleting and/or rekeying SAs, and two new error 1000 notifications (TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND) were 1001 defined. 1003 In Section 3.6, "Implementations MUST support the HTTP method for 1004 hash-and-URL lookup. The behavior of other URL methods is not 1005 currently specified, and such methods SHOULD NOT be used in the 1006 absence of a document specifying them" was added. 1008 In Section 3.15.3, a pointer to a new document that is related to 1009 configuration of IPv6 addresses was added. 1011 Appendix C was expanded and clarified. 1013 1.8. Differences between RFC 5996 and This Document 1015 Fixed section 3.6 and 3.10 as specified in the RFC5996 errata 2707 1016 and 3036. 1018 Deprecated Raw RSA Public keys. There is new work ongoing to replace 1019 that with more generic format for generic raw public keys. 1021 Added reference to the RFC6989 when using non Sophie-Germain Diffie- 1022 Hellman groups, or when reusing Diffie-Hellman Exponentials. 1024 Added reference to the RFC4945 in the Identification Payloads 1025 section. 1027 Added IANA Considerations section note about deprecating the Raw RSA 1028 Key, and removed the old contents which was already done during 1029 RFC5996 processing. Added note that IANA should update IKEv2 1030 registry to point to this document instead of RFC5996. 1032 Clarified that the intended status of this document is Internet 1033 Standard both in abstract and Introduction section. 1035 Added name Last Substruc for the Proposal and Transform Substructure 1036 header for the 0 (last) or 2/3 (more) field. 1038 2. IKE Protocol Details and Variations 1040 IKE normally listens and sends on UDP port 500, though IKE messages 1041 may also be received on UDP port 4500 with a slightly different 1042 format (see Section 2.23). Since UDP is a datagram (unreliable) 1043 protocol, IKE includes in its definition recovery from transmission 1044 errors, including packet loss, packet replay, and packet forgery. 1045 IKE is designed to function so long as (1) at least one of a series 1046 of retransmitted packets reaches its destination before timing out; 1047 and (2) the channel is not so full of forged and replayed packets so 1048 as to exhaust the network or CPU capacities of either endpoint. Even 1049 in the absence of those minimum performance requirements, IKE is 1050 designed to fail cleanly (as though the network were broken). 1052 Although IKEv2 messages are intended to be short, they contain 1053 structures with no hard upper bound on size (in particular, digital 1054 certificates), and IKEv2 itself does not have a mechanism for 1055 fragmenting large messages. IP defines a mechanism for fragmentation 1056 of oversized UDP messages, but implementations vary in the maximum 1057 message size supported. Furthermore, use of IP fragmentation opens 1058 an implementation to denial-of-service (DoS) attacks [DOSUDPPROT]. 1059 Finally, some NAT and/or firewall implementations may block IP 1060 fragments. 1062 All IKEv2 implementations MUST be able to send, receive, and process 1063 IKE messages that are up to 1280 octets long, and they SHOULD be able 1064 to send, receive, and process messages that are up to 3000 octets 1065 long. IKEv2 implementations need to be aware of the maximum UDP 1066 message size supported and MAY shorten messages by leaving out some 1067 certificates or cryptographic suite proposals if that will keep 1068 messages below the maximum. Use of the "Hash and URL" formats rather 1069 than including certificates in exchanges where possible can avoid 1070 most problems. Implementations and configuration need to keep in 1071 mind, however, that if the URL lookups are possible only after the 1072 Child SA is established, recursion issues could prevent this 1073 technique from working. 1075 The UDP payload of all packets containing IKE messages sent on port 1076 4500 MUST begin with the prefix of four zeros; otherwise, the 1077 receiver won't know how to handle them. 1079 2.1. Use of Retransmission Timers 1081 All messages in IKE exist in pairs: a request and a response. The 1082 setup of an IKE SA normally consists of two exchanges. Once the IKE 1083 SA is set up, either end of the Security Association may initiate 1084 requests at any time, and there can be many requests and responses 1085 "in flight" at any given moment. But each message is labeled as 1086 either a request or a response, and for each exchange, one end of the 1087 Security Association is the initiator and the other is the responder. 1089 For every pair of IKE messages, the initiator is responsible for 1090 retransmission in the event of a timeout. The responder MUST never 1091 retransmit a response unless it receives a retransmission of the 1092 request. In that event, the responder MUST ignore the retransmitted 1093 request except insofar as it causes a retransmission of the response. 1094 The initiator MUST remember each request until it receives the 1095 corresponding response. The responder MUST remember each response 1096 until it receives a request whose sequence number is larger than or 1097 equal to the sequence number in the response plus its window size 1098 (see Section 2.3). In order to allow saving memory, responders are 1099 allowed to forget the response after a timeout of several minutes. 1100 If the responder receives a retransmitted request for which it has 1101 already forgotten the response, it MUST ignore the request (and not, 1102 for example, attempt constructing a new response). 1104 IKE is a reliable protocol: the initiator MUST retransmit a request 1105 until it either receives a corresponding response or deems the IKE SA 1106 to have failed. In the latter case, the initiator discards all state 1107 associated with the IKE SA and any Child SAs that were negotiated 1108 using that IKE SA. A retransmission from the initiator MUST be 1109 bitwise identical to the original request. That is, everything 1110 starting from the IKE header (the IKE SA initiator's SPI onwards) 1111 must be bitwise identical; items before it (such as the IP and UDP 1112 headers) do not have to be identical. 1114 Retransmissions of the IKE_SA_INIT request require some special 1115 handling. When a responder receives an IKE_SA_INIT request, it has 1116 to determine whether the packet is a retransmission belonging to an 1117 existing "half-open" IKE SA (in which case the responder retransmits 1118 the same response), or a new request (in which case the responder 1119 creates a new IKE SA and sends a fresh response), or it belongs to an 1120 existing IKE SA where the IKE_AUTH request has been already received 1121 (in which case the responder ignores it). 1123 It is not sufficient to use the initiator's SPI and/or IP address to 1124 differentiate between these three cases because two different peers 1125 behind a single NAT could choose the same initiator SPI. Instead, a 1126 robust responder will do the IKE SA lookup using the whole packet, 1127 its hash, or the Ni payload. 1129 The retransmission policy for one-way messages is somewhat different 1130 from that for regular messages. Because no acknowledgement is ever 1131 sent, there is no reason to gratuitously retransmit one-way messages. 1132 Given that all these messages are errors, it makes sense to send them 1133 only once per "offending" packet, and only retransmit if further 1134 offending packets are received. Still, it also makes sense to limit 1135 retransmissions of such error messages. 1137 2.2. Use of Sequence Numbers for Message ID 1139 Every IKE message contains a Message ID as part of its fixed header. 1140 This Message ID is used to match up requests and responses and to 1141 identify retransmissions of messages. Retransmission of a message 1142 MUST use the same Message ID as the original message. 1144 The Message ID is a 32-bit quantity, which is zero for the 1145 IKE_SA_INIT messages (including retries of the message due to 1146 responses such as COOKIE and INVALID_KE_PAYLOAD), and incremented for 1147 each subsequent exchange. Thus, the first pair of IKE_AUTH messages 1148 will have an ID of 1, the second (when EAP is used) will be 2, and so 1149 on. The Message ID is reset to zero in the new IKE SA after the IKE 1150 SA is rekeyed. 1152 Each endpoint in the IKE Security Association maintains two "current" 1153 Message IDs: the next one to be used for a request it initiates and 1154 the next one it expects to see in a request from the other end. 1155 These counters increment as requests are generated and received. 1156 Responses always contain the same Message ID as the corresponding 1157 request. That means that after the initial exchange, each integer n 1158 may appear as the Message ID in four distinct messages: the nth 1159 request from the original IKE initiator, the corresponding response, 1160 the nth request from the original IKE responder, and the 1161 corresponding response. If the two ends make a very different number 1162 of requests, the Message IDs in the two directions can be very 1163 different. There is no ambiguity in the messages, however, because 1164 the Initiator and Response flags in the message header specify which 1165 of the four messages a particular one is. 1167 Throughout this document, "initiator" refers to the party who 1168 initiated the exchange being described. The "original initiator" 1169 always refers to the party who initiated the exchange that resulted 1170 in the current IKE SA. In other words, if the "original responder" 1171 starts rekeying the IKE SA, that party becomes the "original 1172 initiator" of the new IKE SA. 1174 Note that Message IDs are cryptographically protected and provide 1175 protection against message replays. In the unlikely event that 1176 Message IDs grow too large to fit in 32 bits, the IKE SA MUST be 1177 closed or rekeyed. 1179 2.3. Window Size for Overlapping Requests 1181 The SET_WINDOW_SIZE notification asserts that the sending endpoint is 1182 capable of keeping state for multiple outstanding exchanges, 1183 permitting the recipient to send multiple requests before getting a 1184 response to the first. The data associated with a SET_WINDOW_SIZE 1185 notification MUST be 4 octets long and contain the big endian 1186 representation of the number of messages the sender promises to keep. 1187 The window size is always one until the initial exchanges complete. 1189 An IKE endpoint MUST wait for a response to each of its messages 1190 before sending a subsequent message unless it has received a 1191 SET_WINDOW_SIZE Notify message from its peer informing it that the 1192 peer is prepared to maintain state for multiple outstanding messages 1193 in order to allow greater throughput. 1195 After an IKE SA is set up, in order to maximize IKE throughput, an 1196 IKE endpoint MAY issue multiple requests before getting a response to 1197 any of them, up to the limit set by its peer's SET_WINDOW_SIZE. 1198 These requests may pass one another over the network. An IKE 1199 endpoint MUST be prepared to accept and process a request while it 1200 has a request outstanding in order to avoid a deadlock in this 1201 situation. An IKE endpoint may also accept and process multiple 1202 requests while it has a request outstanding. 1204 An IKE endpoint MUST NOT exceed the peer's stated window size for 1205 transmitted IKE requests. In other words, if the responder stated 1206 its window size is N, then when the initiator needs to make a request 1207 X, it MUST wait until it has received responses to all requests up 1208 through request X-N. An IKE endpoint MUST keep a copy of (or be able 1209 to regenerate exactly) each request it has sent until it receives the 1210 corresponding response. An IKE endpoint MUST keep a copy of (or be 1211 able to regenerate exactly) the number of previous responses equal to 1212 its declared window size in case its response was lost and the 1213 initiator requests its retransmission by retransmitting the request. 1215 An IKE endpoint supporting a window size greater than one ought to be 1216 capable of processing incoming requests out of order to maximize 1217 performance in the event of network failures or packet reordering. 1219 The window size is normally a (possibly configurable) property of a 1220 particular implementation, and is not related to congestion control 1221 (unlike the window size in TCP, for example). In particular, what 1222 the responder should do when it receives a SET_WINDOW_SIZE 1223 notification containing a smaller value than is currently in effect 1224 is not defined. Thus, there is currently no way to reduce the window 1225 size of an existing IKE SA; you can only increase it. When rekeying 1226 an IKE SA, the new IKE SA starts with window size 1 until it is 1227 explicitly increased by sending a new SET_WINDOW_SIZE notification. 1229 The INVALID_MESSAGE_ID notification is sent when an IKE Message ID 1230 outside the supported window is received. This Notify message MUST 1231 NOT be sent in a response; the invalid request MUST NOT be 1232 acknowledged. Instead, inform the other side by initiating an 1233 INFORMATIONAL exchange with Notification data containing the four- 1234 octet invalid Message ID. Sending this notification is OPTIONAL, and 1235 notifications of this type MUST be rate limited. 1237 2.4. State Synchronization and Connection Timeouts 1239 An IKE endpoint is allowed to forget all of its state associated with 1240 an IKE SA and the collection of corresponding Child SAs at any time. 1241 This is the anticipated behavior in the event of an endpoint crash 1242 and restart. It is important when an endpoint either fails or 1243 reinitializes its state that the other endpoint detect those 1244 conditions and not continue to waste network bandwidth by sending 1245 packets over discarded SAs and having them fall into a black hole. 1247 The INITIAL_CONTACT notification asserts that this IKE SA is the only 1248 IKE SA currently active between the authenticated identities. It MAY 1249 be sent when an IKE SA is established after a crash, and the 1250 recipient MAY use this information to delete any other IKE SAs it has 1251 to the same authenticated identity without waiting for a timeout. 1252 This notification MUST NOT be sent by an entity that may be 1253 replicated (e.g., a roaming user's credentials where the user is 1254 allowed to connect to the corporate firewall from two remote systems 1255 at the same time). The INITIAL_CONTACT notification, if sent, MUST 1256 be in the first IKE_AUTH request or response, not as a separate 1257 exchange afterwards; receiving parties MAY ignore it in other 1258 messages. 1260 Since IKE is designed to operate in spite of DoS attacks from the 1261 network, an endpoint MUST NOT conclude that the other endpoint has 1262 failed based on any routing information (e.g., ICMP messages) or IKE 1263 messages that arrive without cryptographic protection (e.g., Notify 1264 messages complaining about unknown SPIs). An endpoint MUST conclude 1265 that the other endpoint has failed only when repeated attempts to 1266 contact it have gone unanswered for a timeout period or when a 1267 cryptographically protected INITIAL_CONTACT notification is received 1268 on a different IKE SA to the same authenticated identity. An 1269 endpoint should suspect that the other endpoint has failed based on 1270 routing information and initiate a request to see whether the other 1271 endpoint is alive. To check whether the other side is alive, IKE 1272 specifies an empty INFORMATIONAL message that (like all IKE requests) 1273 requires an acknowledgement (note that within the context of an IKE 1274 SA, an "empty" message consists of an IKE header followed by an 1275 Encrypted payload that contains no payloads). If a cryptographically 1276 protected (fresh, i.e., not retransmitted) message has been received 1277 from the other side recently, unprotected Notify messages MAY be 1278 ignored. Implementations MUST limit the rate at which they take 1279 actions based on unprotected messages. 1281 The number of retries and length of timeouts are not covered in this 1282 specification because they do not affect interoperability. It is 1283 suggested that messages be retransmitted at least a dozen times over 1284 a period of at least several minutes before giving up on an SA, but 1285 different environments may require different rules. To be a good 1286 network citizen, retransmission times MUST increase exponentially to 1287 avoid flooding the network and making an existing congestion 1288 situation worse. If there has only been outgoing traffic on all of 1289 the SAs associated with an IKE SA, it is essential to confirm 1290 liveness of the other endpoint to avoid black holes. If no 1291 cryptographically protected messages have been received on an IKE SA 1292 or any of its Child SAs recently, the system needs to perform a 1293 liveness check in order to prevent sending messages to a dead peer. 1294 (This is sometimes called "dead peer detection" or "DPD", although it 1295 is really detecting live peers, not dead ones.) Receipt of a fresh 1296 cryptographically protected message on an IKE SA or any of its Child 1297 SAs ensures liveness of the IKE SA and all of its Child SAs. Note 1298 that this places requirements on the failure modes of an IKE 1299 endpoint. An implementation needs to stop sending over any SA if 1300 some failure prevents it from receiving on all of the associated SAs. 1301 If a system creates Child SAs that can fail independently from one 1302 another without the associated IKE SA being able to send a delete 1303 message, then the system MUST negotiate such Child SAs using separate 1304 IKE SAs. 1306 There is a DoS attack on the initiator of an IKE SA that can be 1307 avoided if the initiator takes the proper care. Since the first two 1308 messages of an SA setup are not cryptographically protected, an 1309 attacker could respond to the initiator's message before the genuine 1310 responder and poison the connection setup attempt. To prevent this, 1311 the initiator MAY be willing to accept multiple responses to its 1312 first message, treat each as potentially legitimate, respond to it, 1313 and then discard all the invalid half-open connections when it 1314 receives a valid cryptographically protected response to any one of 1315 its requests. Once a cryptographically valid response is received, 1316 all subsequent responses should be ignored whether or not they are 1317 cryptographically valid. 1319 Note that with these rules, there is no reason to negotiate and agree 1320 upon an SA lifetime. If IKE presumes the partner is dead, based on 1321 repeated lack of acknowledgement to an IKE message, then the IKE SA 1322 and all Child SAs set up through that IKE SA are deleted. 1324 An IKE endpoint may at any time delete inactive Child SAs to recover 1325 resources used to hold their state. If an IKE endpoint chooses to 1326 delete Child SAs, it MUST send Delete payloads to the other end 1327 notifying it of the deletion. It MAY similarly time out the IKE SA. 1328 Closing the IKE SA implicitly closes all associated Child SAs. In 1329 this case, an IKE endpoint SHOULD send a Delete payload indicating 1330 that it has closed the IKE SA unless the other endpoint is no longer 1331 responding. 1333 2.5. Version Numbers and Forward Compatibility 1335 This document describes version 2.0 of IKE, meaning the major version 1336 number is 2 and the minor version number is 0. This document is a 1337 replacement for [IKEV2]. It is likely that some implementations will 1338 want to support version 1.0 and version 2.0, and in the future, other 1339 versions. 1341 The major version number should be incremented only if the packet 1342 formats or required actions have changed so dramatically that an 1343 older version node would not be able to interoperate with a newer 1344 version node if it simply ignored the fields it did not understand 1345 and took the actions specified in the older specification. The minor 1346 version number indicates new capabilities, and MUST be ignored by a 1347 node with a smaller minor version number, but used for informational 1348 purposes by the node with the larger minor version number. For 1349 example, it might indicate the ability to process a newly defined 1350 Notify message type. The node with the larger minor version number 1351 would simply note that its correspondent would not be able to 1352 understand that message and therefore would not send it. 1354 If an endpoint receives a message with a higher major version number, 1355 it MUST drop the message and SHOULD send an unauthenticated Notify 1356 message of type INVALID_MAJOR_VERSION containing the highest 1357 (closest) version number it supports. If an endpoint supports major 1358 version n, and major version m, it MUST support all versions between 1359 n and m. If it receives a message with a major version that it 1360 supports, it MUST respond with that version number. In order to 1361 prevent two nodes from being tricked into corresponding with a lower 1362 major version number than the maximum that they both support, IKE has 1363 a flag that indicates that the node is capable of speaking a higher 1364 major version number. 1366 Thus, the major version number in the IKE header indicates the 1367 version number of the message, not the highest version number that 1368 the transmitter supports. If the initiator is capable of speaking 1369 versions n, n+1, and n+2, and the responder is capable of speaking 1370 versions n and n+1, then they will negotiate speaking n+1, where the 1371 initiator will set a flag indicating its ability to speak a higher 1372 version. If they mistakenly (perhaps through an active attacker 1373 sending error messages) negotiate to version n, then both will notice 1374 that the other side can support a higher version number, and they 1375 MUST break the connection and reconnect using version n+1. 1377 Note that IKEv1 does not follow these rules, because there is no way 1378 in v1 of noting that you are capable of speaking a higher version 1379 number. So an active attacker can trick two v2-capable nodes into 1380 speaking v1. When a v2-capable node negotiates down to v1, it should 1381 note that fact in its logs. 1383 Also, for forward compatibility, all fields marked RESERVED MUST be 1384 set to zero by an implementation running version 2.0, and their 1385 content MUST be ignored by an implementation running version 2.0 ("Be 1386 conservative in what you send and liberal in what you receive" [IP]). 1387 In this way, future versions of the protocol can use those fields in 1388 a way that is guaranteed to be ignored by implementations that do not 1389 understand them. Similarly, payload types that are not defined are 1390 reserved for future use; implementations of a version where they are 1391 undefined MUST skip over those payloads and ignore their contents. 1393 IKEv2 adds a "critical" flag to each payload header for further 1394 flexibility for forward compatibility. If the critical flag is set 1395 and the payload type is unrecognized, the message MUST be rejected 1396 and the response to the IKE request containing that payload MUST 1397 include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an 1398 unsupported critical payload was included. In that Notify payload, 1399 the notification data contains the one-octet payload type. If the 1400 critical flag is not set and the payload type is unsupported, that 1401 payload MUST be ignored. Payloads sent in IKE response messages MUST 1402 NOT have the critical flag set. Note that the critical flag applies 1403 only to the payload type, not the contents. If the payload type is 1404 recognized, but the payload contains something that is not (such as 1405 an unknown transform inside an SA payload, or an unknown Notify 1406 Message Type inside a Notify payload), the critical flag is ignored. 1408 Although new payload types may be added in the future and may appear 1409 interleaved with the fields defined in this specification, 1410 implementations SHOULD send the payloads defined in this 1411 specification in the order shown in the figures in Sections 1 and 2; 1412 implementations MUST NOT reject as invalid a message with those 1413 payloads in any other order. 1415 2.6. IKE SA SPIs and Cookies 1417 The initial two eight-octet fields in the header, called the "IKE 1418 SPIs", are used as a connection identifier at the beginning of IKE 1419 packets. Each endpoint chooses one of the two SPIs and MUST choose 1420 them so as to be unique identifiers of an IKE SA. An SPI value of 1421 zero is special: it indicates that the remote SPI value is not yet 1422 known by the sender. 1424 Incoming IKE packets are mapped to an IKE SA only using the packet's 1425 SPI, not using (for example) the source IP address of the packet. 1427 Unlike ESP and AH where only the recipient's SPI appears in the 1428 header of a message, in IKE the sender's SPI is also sent in every 1429 message. Since the SPI chosen by the original initiator of the IKE 1430 SA is always sent first, an endpoint with multiple IKE SAs open that 1431 wants to find the appropriate IKE SA using the SPI it assigned must 1432 look at the Initiator flag in the header to determine whether it 1433 assigned the first or the second eight octets. 1435 In the first message of an initial IKE exchange, the initiator will 1436 not know the responder's SPI value and will therefore set that field 1437 to zero. When the IKE_SA_INIT exchange does not result in the 1438 creation of an IKE SA due to INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN, 1439 or COOKIE, the responder's SPI will be zero also in the response 1440 message. However, if the responder sends a non-zero responder SPI, 1441 the initiator should not reject the response for only that reason. 1443 Two expected attacks against IKE are state and CPU exhaustion, where 1444 the target is flooded with session initiation requests from forged IP 1445 addresses. These attacks can be made less effective if a responder 1446 uses minimal CPU and commits no state to an SA until it knows the 1447 initiator can receive packets at the address from which it claims to 1448 be sending them. 1450 When a responder detects a large number of half-open IKE SAs, it 1451 SHOULD reply to IKE_SA_INIT requests with a response containing the 1452 COOKIE notification. The data associated with this notification MUST 1453 be between 1 and 64 octets in length (inclusive), and its generation 1454 is described later in this section. If the IKE_SA_INIT response 1455 includes the COOKIE notification, the initiator MUST then retry the 1456 IKE_SA_INIT request, and include the COOKIE notification containing 1457 the received data as the first payload, and all other payloads 1458 unchanged. The initial exchange will then be as follows: 1460 Initiator Responder 1461 ------------------------------------------------------------------- 1462 HDR(A,0), SAi1, KEi, Ni --> 1463 <-- HDR(A,0), N(COOKIE) 1464 HDR(A,0), N(COOKIE), SAi1, 1465 KEi, Ni --> 1466 <-- HDR(A,B), SAr1, KEr, 1467 Nr, [CERTREQ] 1468 HDR(A,B), SK {IDi, [CERT,] 1469 [CERTREQ,] [IDr,] AUTH, 1470 SAi2, TSi, TSr} --> 1471 <-- HDR(A,B), SK {IDr, [CERT,] 1472 AUTH, SAr2, TSi, TSr} 1474 The first two messages do not affect any initiator or responder state 1475 except for communicating the cookie. In particular, the message 1476 sequence numbers in the first four messages will all be zero and the 1477 message sequence numbers in the last two messages will be one. 'A' 1478 is the SPI assigned by the initiator, while 'B' is the SPI assigned 1479 by the responder. 1481 An IKE implementation can implement its responder cookie generation 1482 in such a way as to not require any saved state to recognize its 1483 valid cookie when the second IKE_SA_INIT message arrives. The exact 1484 algorithms and syntax used to generate cookies do not affect 1485 interoperability and hence are not specified here. The following is 1486 an example of how an endpoint could use cookies to implement limited 1487 DoS protection. 1489 A good way to do this is to set the responder cookie to be: 1491 Cookie = | Hash(Ni | IPi | SPIi | ) 1493 where is a randomly generated secret known only to the 1494 responder and periodically changed and | indicates concatenation. 1495 should be changed whenever is 1496 regenerated. The cookie can be recomputed when the IKE_SA_INIT 1497 arrives the second time and compared to the cookie in the received 1498 message. If it matches, the responder knows that the cookie was 1499 generated since the last change to and that IPi must be the 1500 same as the source address it saw the first time. Incorporating SPIi 1501 into the calculation ensures that if multiple IKE SAs are being set 1502 up in parallel they will all get different cookies (assuming the 1503 initiator chooses unique SPIi's). Incorporating Ni in the hash 1504 ensures that an attacker who sees only message 2 can't successfully 1505 forge a message 3. Also, incorporating SPIi in the hash prevents an 1506 attacker from fetching one cookie from the other end, and then 1507 initiating many IKE_SA_INIT exchanges all with different initiator 1508 SPIs (and perhaps port numbers) so that the responder thinks that 1509 there are a lot of machines behind one NAT box that are all trying to 1510 connect. 1512 If a new value for is chosen while there are connections in 1513 the process of being initialized, an IKE_SA_INIT might be returned 1514 with other than the current . The responder in 1515 that case MAY reject the message by sending another response with a 1516 new cookie or it MAY keep the old value of around for a 1517 short time and accept cookies computed from either one. The 1518 responder should not accept cookies indefinitely after is 1519 changed, since that would defeat part of the DoS protection. The 1520 responder should change the value of frequently, especially 1521 if under attack. 1523 When one party receives an IKE_SA_INIT request containing a cookie 1524 whose contents do not match the value expected, that party MUST 1525 ignore the cookie and process the message as if no cookie had been 1526 included; usually this means sending a response containing a new 1527 cookie. The initiator should limit the number of cookie exchanges it 1528 tries before giving up, possibly using exponential back-off. An 1529 attacker can forge multiple cookie responses to the initiator's 1530 IKE_SA_INIT message, and each of those forged cookie replies will 1531 cause two packets to be sent: one packet from the initiator to the 1532 responder (which will reject those cookies), and one response from 1533 responder to initiator that includes the correct cookie. 1535 A note on terminology: the term "cookies" originates with Karn and 1536 Simpson [PHOTURIS] in Photuris, an early proposal for key management 1537 with IPsec, and it has persisted. The Internet Security Association 1538 and Key Management Protocol (ISAKMP) [ISAKMP] fixed message header 1539 includes two eight-octet fields called "cookies", and that syntax is 1540 used by both IKEv1 and IKEv2, although in IKEv2 they are referred to 1541 as the "IKE SPI" and there is a new separate field in a Notify 1542 payload holding the cookie. 1544 2.6.1. Interaction of COOKIE and INVALID_KE_PAYLOAD 1546 There are two common reasons why the initiator may have to retry the 1547 IKE_SA_INIT exchange: the responder requests a cookie or wants a 1548 different Diffie-Hellman group than was included in the KEi payload. 1549 If the initiator receives a cookie from the responder, the initiator 1550 needs to decide whether or not to include the cookie in only the next 1551 retry of the IKE_SA_INIT request, or in all subsequent retries as 1552 well. 1554 If the initiator includes the cookie only in the next retry, one 1555 additional round trip may be needed in some cases. An additional 1556 round trip is needed also if the initiator includes the cookie in all 1557 retries, but the responder does not support this. For instance, if 1558 the responder includes the KEi payloads in cookie calculation, it 1559 will reject the request by sending a new cookie. 1561 If both peers support including the cookie in all retries, a slightly 1562 shorter exchange can happen. 1564 Initiator Responder 1565 ----------------------------------------------------------- 1566 HDR(A,0), SAi1, KEi, Ni --> 1567 <-- HDR(A,0), N(COOKIE) 1568 HDR(A,0), N(COOKIE), SAi1, KEi, Ni --> 1569 <-- HDR(A,0), N(INVALID_KE_PAYLOAD) 1570 HDR(A,0), N(COOKIE), SAi1, KEi', Ni --> 1571 <-- HDR(A,B), SAr1, KEr, Nr 1573 Implementations SHOULD support this shorter exchange, but MUST NOT 1574 fail if other implementations do not support this shorter exchange. 1576 2.7. Cryptographic Algorithm Negotiation 1578 The payload type known as "SA" indicates a proposal for a set of 1579 choices of IPsec protocols (IKE, ESP, or AH) for the SA as well as 1580 cryptographic algorithms associated with each protocol. 1582 An SA payload consists of one or more proposals. Each proposal 1583 includes one protocol. Each protocol contains one or more transforms 1584 -- each specifying a cryptographic algorithm. Each transform 1585 contains zero or more attributes (attributes are needed only if the 1586 Transform ID does not completely specify the cryptographic 1587 algorithm). 1589 This hierarchical structure was designed to efficiently encode 1590 proposals for cryptographic suites when the number of supported 1591 suites is large because multiple values are acceptable for multiple 1592 transforms. The responder MUST choose a single suite, which may be 1593 any subset of the SA proposal following the rules below. 1595 Each proposal contains one protocol. If a proposal is accepted, the 1596 SA response MUST contain the same protocol. The responder MUST 1597 accept a single proposal or reject them all and return an error. The 1598 error is given in a notification of type NO_PROPOSAL_CHOSEN. 1600 Each IPsec protocol proposal contains one or more transforms. Each 1601 transform contains a Transform Type. The accepted cryptographic 1602 suite MUST contain exactly one transform of each type included in the 1603 proposal. For example: if an ESP proposal includes transforms 1604 ENCR_3DES, ENCR_AES w/keysize 128, ENCR_AES w/keysize 256, 1605 AUTH_HMAC_MD5, and AUTH_HMAC_SHA, the accepted suite MUST contain one 1606 of the ENCR_ transforms and one of the AUTH_ transforms. Thus, six 1607 combinations are acceptable. 1609 If an initiator proposes both normal ciphers with integrity 1610 protection as well as combined-mode ciphers, then two proposals are 1611 needed. One of the proposals includes the normal ciphers with the 1612 integrity algorithms for them, and the other proposal includes all 1613 the combined-mode ciphers without the integrity algorithms (because 1614 combined-mode ciphers are not allowed to have any integrity algorithm 1615 other than "none"). 1617 2.8. Rekeying 1619 IKE, ESP, and AH Security Associations use secret keys that should be 1620 used only for a limited amount of time and to protect a limited 1621 amount of data. This limits the lifetime of the entire Security 1622 Association. When the lifetime of a Security Association expires, 1623 the Security Association MUST NOT be used. If there is demand, new 1624 Security Associations MAY be established. Reestablishment of 1625 Security Associations to take the place of ones that expire is 1626 referred to as "rekeying". 1628 To allow for minimal IPsec implementations, the ability to rekey SAs 1629 without restarting the entire IKE SA is optional. An implementation 1630 MAY refuse all CREATE_CHILD_SA requests within an IKE SA. If an SA 1631 has expired or is about to expire and rekeying attempts using the 1632 mechanisms described here fail, an implementation MUST close the IKE 1633 SA and any associated Child SAs and then MAY start new ones. 1634 Implementations may wish to support in-place rekeying of SAs, since 1635 doing so offers better performance and is likely to reduce the number 1636 of packets lost during the transition. 1638 To rekey a Child SA within an existing IKE SA, create a new, 1639 equivalent SA (see Section 2.17 below), and when the new one is 1640 established, delete the old one. Note that, when rekeying, the new 1641 Child SA SHOULD NOT have different Traffic Selectors and algorithms 1642 than the old one. 1644 To rekey an IKE SA, establish a new equivalent IKE SA (see 1645 Section 2.18 below) with the peer to whom the old IKE SA is shared 1646 using a CREATE_CHILD_SA within the existing IKE SA. An IKE SA so 1647 created inherits all of the original IKE SA's Child SAs, and the new 1648 IKE SA is used for all control messages needed to maintain those 1649 Child SAs. After the new equivalent IKE SA is created, the initiator 1650 deletes the old IKE SA, and the Delete payload to delete itself MUST 1651 be the last request sent over the old IKE SA. 1653 SAs should be rekeyed proactively, i.e., the new SA should be 1654 established before the old one expires and becomes unusable. Enough 1655 time should elapse between the time the new SA is established and the 1656 old one becomes unusable so that traffic can be switched over to the 1657 new SA. 1659 A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes 1660 were negotiated. In IKEv2, each end of the SA is responsible for 1661 enforcing its own lifetime policy on the SA and rekeying the SA when 1662 necessary. If the two ends have different lifetime policies, the end 1663 with the shorter lifetime will end up always being the one to request 1664 the rekeying. If an SA has been inactive for a long time and if an 1665 endpoint would not initiate the SA in the absence of traffic, the 1666 endpoint MAY choose to close the SA instead of rekeying it when its 1667 lifetime expires. It can also do so if there has been no traffic 1668 since the last time the SA was rekeyed. 1670 Note that IKEv2 deliberately allows parallel SAs with the same 1671 Traffic Selectors between common endpoints. One of the purposes of 1672 this is to support traffic quality of service (QoS) differences among 1673 the SAs (see [DIFFSERVFIELD], [DIFFSERVARCH], and Section 4.1 of 1674 [DIFFTUNNEL]). Hence unlike IKEv1, the combination of the endpoints 1675 and the Traffic Selectors may not uniquely identify an SA between 1676 those endpoints, so the IKEv1 rekeying heuristic of deleting SAs on 1677 the basis of duplicate Traffic Selectors SHOULD NOT be used. 1679 There are timing windows -- particularly in the presence of lost 1680 packets -- where endpoints may not agree on the state of an SA. The 1681 responder to a CREATE_CHILD_SA MUST be prepared to accept messages on 1682 an SA before sending its response to the creation request, so there 1683 is no ambiguity for the initiator. The initiator MAY begin sending 1684 on an SA as soon as it processes the response. The initiator, 1685 however, cannot receive on a newly created SA until it receives and 1686 processes the response to its CREATE_CHILD_SA request. How, then, is 1687 the responder to know when it is OK to send on the newly created SA? 1689 From a technical correctness and interoperability perspective, the 1690 responder MAY begin sending on an SA as soon as it sends its response 1691 to the CREATE_CHILD_SA request. In some situations, however, this 1692 could result in packets unnecessarily being dropped, so an 1693 implementation MAY defer such sending. 1695 The responder can be assured that the initiator is prepared to 1696 receive messages on an SA if either (1) it has received a 1697 cryptographically valid message on the other half of the SA pair, or 1698 (2) the new SA rekeys an existing SA and it receives an IKE request 1699 to close the replaced SA. When rekeying an SA, the responder 1700 continues to send traffic on the old SA until one of those events 1701 occurs. When establishing a new SA, the responder MAY defer sending 1702 messages on a new SA until either it receives one or a timeout has 1703 occurred. If an initiator receives a message on an SA for which it 1704 has not received a response to its CREATE_CHILD_SA request, it 1705 interprets that as a likely packet loss and retransmits the 1706 CREATE_CHILD_SA request. An initiator MAY send a dummy ESP message 1707 on a newly created ESP SA if it has no messages queued in order to 1708 assure the responder that the initiator is ready to receive messages. 1710 2.8.1. Simultaneous Child SA Rekeying 1712 If the two ends have the same lifetime policies, it is possible that 1713 both will initiate a rekeying at the same time (which will result in 1714 redundant SAs). To reduce the probability of this happening, the 1715 timing of rekeying requests SHOULD be jittered (delayed by a random 1716 amount of time after the need for rekeying is noticed). 1718 This form of rekeying may temporarily result in multiple similar SAs 1719 between the same pairs of nodes. When there are two SAs eligible to 1720 receive packets, a node MUST accept incoming packets through either 1721 SA. If redundant SAs are created though such a collision, the SA 1722 created with the lowest of the four nonces used in the two exchanges 1723 SHOULD be closed by the endpoint that created it. "Lowest" means an 1724 octet-by-octet comparison (instead of, for instance, comparing the 1725 nonces as large integers). In other words, start by comparing the 1726 first octet; if they're equal, move to the next octet, and so on. If 1727 you reach the end of one nonce, that nonce is the lower one. The 1728 node that initiated the surviving rekeyed SA should delete the 1729 replaced SA after the new one is established. 1731 The following is an explanation on the impact this has on 1732 implementations. Assume that hosts A and B have an existing Child SA 1733 pair with SPIs (SPIa1,SPIb1), and both start rekeying it at the same 1734 time: 1736 Host A Host B 1737 ------------------------------------------------------------------- 1738 send req1: N(REKEY_SA,SPIa1), 1739 SA(..,SPIa2,..),Ni1,.. --> 1740 <-- send req2: N(REKEY_SA,SPIb1), 1741 SA(..,SPIb2,..),Ni2 1742 recv req2 <-- 1744 At this point, A knows there is a simultaneous rekeying happening. 1745 However, it cannot yet know which of the exchanges will have the 1746 lowest nonce, so it will just note the situation and respond as 1747 usual. 1749 send resp2: SA(..,SPIa3,..), 1750 Nr1,.. --> 1751 --> recv req1 1753 Now B also knows that simultaneous rekeying is going on. It responds 1754 as usual. 1756 <-- send resp1: SA(..,SPIb3,..), 1757 Nr2,.. 1758 recv resp1 <-- 1759 --> recv resp2 1761 At this point, there are three Child SA pairs between A and B (the 1762 old one and two new ones). A and B can now compare the nonces. 1763 Suppose that the lowest nonce was Nr1 in message resp2; in this case, 1764 B (the sender of req2) deletes the redundant new SA, and A (the node 1765 that initiated the surviving rekeyed SA), deletes the old one. 1767 send req3: D(SPIa1) --> 1768 <-- send req4: D(SPIb2) 1769 --> recv req3 1770 <-- send resp3: D(SPIb1) 1771 recv req4 <-- 1772 send resp4: D(SPIa3) --> 1774 The rekeying is now finished. 1776 However, there is a second possible sequence of events that can 1777 happen if some packets are lost in the network, resulting in 1778 retransmissions. The rekeying begins as usual, but A's first packet 1779 (req1) is lost. 1781 Host A Host B 1782 ------------------------------------------------------------------- 1783 send req1: N(REKEY_SA,SPIa1), 1784 SA(..,SPIa2,..), 1785 Ni1,.. --> (lost) 1786 <-- send req2: N(REKEY_SA,SPIb1), 1787 SA(..,SPIb2,..),Ni2 1788 recv req2 <-- 1789 send resp2: SA(..,SPIa3,..), 1790 Nr1,.. --> 1791 --> recv resp2 1792 <-- send req3: D(SPIb1) 1793 recv req3 <-- 1794 send resp3: D(SPIa1) --> 1795 --> recv resp3 1797 From B's point of view, the rekeying is now completed, and since it 1798 has not yet received A's req1, it does not even know that there was 1799 simultaneous rekeying. However, A will continue retransmitting the 1800 message, and eventually it will reach B. 1802 resend req1 --> 1803 --> recv req1 1805 To B, it looks like A is trying to rekey an SA that no longer exists; 1806 thus, B responds to the request with something non-fatal such as 1807 CHILD_SA_NOT_FOUND. 1809 <-- send resp1: N(CHILD_SA_NOT_FOUND) 1810 recv resp1 <-- 1812 When A receives this error, it already knows there was simultaneous 1813 rekeying, so it can ignore the error message. 1815 2.8.2. Simultaneous IKE SA Rekeying 1817 Probably the most complex case occurs when both peers try to rekey 1818 the IKE_SA at the same time. Basically, the text in Section 2.8 1819 applies to this case as well; however, it is important to ensure that 1820 the Child SAs are inherited by the correct IKE_SA. 1822 The case where both endpoints notice the simultaneous rekeying works 1823 the same way as with Child SAs. After the CREATE_CHILD_SA exchanges, 1824 three IKE SAs exist between A and B: the old IKE SA and two new IKE 1825 SAs. The new IKE SA containing the lowest nonce SHOULD be deleted by 1826 the node that created it, and the other surviving new IKE SA MUST 1827 inherit all the Child SAs. 1829 In addition to normal simultaneous rekeying cases, there is a special 1830 case where one peer finishes its rekey before it even notices that 1831 other peer is doing a rekey. If only one peer detects a simultaneous 1832 rekey, redundant SAs are not created. In this case, when the peer 1833 that did not notice the simultaneous rekey gets the request to rekey 1834 the IKE SA that it has already successfully rekeyed, it SHOULD return 1835 TEMPORARY_FAILURE because it is an IKE SA that it is currently trying 1836 to close (whether or not it has already sent the delete notification 1837 for the SA). If the peer that did notice the simultaneous rekey gets 1838 the delete request from the other peer for the old IKE SA, it knows 1839 that the other peer did not detect the simultaneous rekey, and the 1840 first peer can forget its own rekey attempt. 1842 Host A Host B 1843 ------------------------------------------------------------------- 1844 send req1: 1845 SA(..,SPIa1,..),Ni1,.. --> 1846 <-- send req2: SA(..,SPIb1,..),Ni2,.. 1847 --> recv req1 1848 <-- send resp1: SA(..,SPIb2,..),Nr2,.. 1849 recv resp1 <-- 1850 send req3: D() --> 1851 --> recv req3 1853 At this point, host B sees a request to close the IKE_SA. There's 1854 not much more to do than to reply as usual. However, at this point 1855 host B should stop retransmitting req2, since once host A receives 1856 resp3, it will delete all the state associated with the old IKE_SA 1857 and will not be able to reply to it. 1859 <-- send resp3: () 1861 The TEMPORARY_FAILURE notification was not included in RFC 4306, and 1862 support of the TEMPORARY_FAILURE notification is not negotiated. 1863 Thus, older peers that implement RFC 4306 but not this document may 1864 receive these notifications. In that case, they will treat it the 1865 same as any other unknown error notification, and will stop the 1866 exchange. Because the other peer has already rekeyed the exchange, 1867 doing so does not have any ill effects. 1869 2.8.3. Rekeying the IKE SA versus Reauthentication 1871 Rekeying the IKE SA and reauthentication are different concepts in 1872 IKEv2. Rekeying the IKE SA establishes new keys for the IKE SA and 1873 resets the Message ID counters, but it does not authenticate the 1874 parties again (no AUTH or EAP payloads are involved). 1876 Although rekeying the IKE SA may be important in some environments, 1877 reauthentication (the verification that the parties still have access 1878 to the long-term credentials) is often more important. 1880 IKEv2 does not have any special support for reauthentication. 1881 Reauthentication is done by creating a new IKE SA from scratch (using 1882 IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA Notify 1883 payloads), creating new Child SAs within the new IKE SA (without 1884 REKEY_SA Notify payloads), and finally deleting the old IKE SA (which 1885 deletes the old Child SAs as well). 1887 This means that reauthentication also establishes new keys for the 1888 IKE SA and Child SAs. Therefore, while rekeying can be performed 1889 more often than reauthentication, the situation where "authentication 1890 lifetime" is shorter than "key lifetime" does not make sense. 1892 While creation of a new IKE SA can be initiated by either party 1893 (initiator or responder in the original IKE SA), the use of EAP 1894 and/or Configuration payloads means in practice that reauthentication 1895 has to be initiated by the same party as the original IKE SA. IKEv2 1896 does not currently allow the responder to request reauthentication in 1897 this case; however, there are extensions that add this functionality 1898 such as [REAUTH]. 1900 2.9. Traffic Selector Negotiation 1902 When an RFC4301-compliant IPsec subsystem receives an IP packet that 1903 matches a "protect" selector in its Security Policy Database (SPD), 1904 the subsystem protects that packet with IPsec. When no SA exists 1905 yet, it is the task of IKE to create it. Maintenance of a system's 1906 SPD is outside the scope of IKE, although some implementations might 1907 update their SPD in connection with the running of IKE (for an 1908 example scenario, see Section 1.1.3). 1910 Traffic Selector (TS) payloads allow endpoints to communicate some of 1911 the information from their SPD to their peers. These must be 1912 communicated to IKE from the SPD (for example, the PF_KEY API [PFKEY] 1913 uses the SADB_ACQUIRE message). TS payloads specify the selection 1914 criteria for packets that will be forwarded over the newly set up SA. 1915 This can serve as a consistency check in some scenarios to assure 1916 that the SPDs are consistent. In others, it guides the dynamic 1917 update of the SPD. 1919 Two TS payloads appear in each of the messages in the exchange that 1920 creates a Child SA pair. Each TS payload contains one or more 1921 Traffic Selectors. Each Traffic Selector consists of an address 1922 range (IPv4 or IPv6), a port range, and an IP protocol ID. 1924 The first of the two TS payloads is known as TSi (Traffic Selector- 1925 initiator). The second is known as TSr (Traffic Selector-responder). 1926 TSi specifies the source address of traffic forwarded from (or the 1927 destination address of traffic forwarded to) the initiator of the 1928 Child SA pair. TSr specifies the destination address of the traffic 1929 forwarded to (or the source address of the traffic forwarded from) 1930 the responder of the Child SA pair. For example, if the original 1931 initiator requests the creation of a Child SA pair, and wishes to 1932 tunnel all traffic from subnet 198.51.100.* on the initiator's side 1933 to subnet 192.0.2.* on the responder's side, the initiator would 1934 include a single Traffic Selector in each TS payload. TSi would 1935 specify the address range (198.51.100.0 - 198.51.100.255) and TSr 1936 would specify the address range (192.0.2.0 - 192.0.2.255). Assuming 1937 that proposal was acceptable to the responder, it would send 1938 identical TS payloads back. 1940 IKEv2 allows the responder to choose a subset of the traffic proposed 1941 by the initiator. This could happen when the configurations of the 1942 two endpoints are being updated but only one end has received the new 1943 information. Since the two endpoints may be configured by different 1944 people, the incompatibility may persist for an extended period even 1945 in the absence of errors. It also allows for intentionally different 1946 configurations, as when one end is configured to tunnel all addresses 1947 and depends on the other end to have the up-to-date list. 1949 When the responder chooses a subset of the traffic proposed by the 1950 initiator, it narrows the Traffic Selectors to some subset of the 1951 initiator's proposal (provided the set does not become the null set). 1952 If the type of Traffic Selector proposed is unknown, the responder 1953 ignores that Traffic Selector, so that the unknown type is not 1954 returned in the narrowed set. 1956 To enable the responder to choose the appropriate range in this case, 1957 if the initiator has requested the SA due to a data packet, the 1958 initiator SHOULD include as the first Traffic Selector in each of TSi 1959 and TSr a very specific Traffic Selector including the addresses in 1960 the packet triggering the request. In the example, the initiator 1961 would include in TSi two Traffic Selectors: the first containing the 1962 address range (198.51.100.43 - 198.51.100.43) and the source port and 1963 IP protocol from the packet and the second containing (198.51.100.0 - 1964 198.51.100.255) with all ports and IP protocols. The initiator would 1965 similarly include two Traffic Selectors in TSr. If the initiator 1966 creates the Child SA pair not in response to an arriving packet, but 1967 rather, say, upon startup, then there may be no specific addresses 1968 the initiator prefers for the initial tunnel over any other. In that 1969 case, the first values in TSi and TSr can be ranges rather than 1970 specific values. 1972 The responder performs the narrowing as follows: 1974 o If the responder's policy does not allow it to accept any part of 1975 the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE 1976 Notify message. 1978 o If the responder's policy allows the entire set of traffic covered 1979 by TSi and TSr, no narrowing is necessary, and the responder can 1980 return the same TSi and TSr values. 1982 o If the responder's policy allows it to accept the first selector 1983 of TSi and TSr, then the responder MUST narrow the Traffic 1984 Selectors to a subset that includes the initiator's first choices. 1985 In this example above, the responder might respond with TSi being 1986 (198.51.100.43 - 198.51.100.43) with all ports and IP protocols. 1988 o If the responder's policy does not allow it to accept the first 1989 selector of TSi and TSr, the responder narrows to an acceptable 1990 subset of TSi and TSr. 1992 When narrowing is done, there may be several subsets that are 1993 acceptable but their union is not. In this case, the responder 1994 arbitrarily chooses one of them, and MAY include an 1995 ADDITIONAL_TS_POSSIBLE notification in the response. The 1996 ADDITIONAL_TS_POSSIBLE notification asserts that the responder 1997 narrowed the proposed Traffic Selectors but that other Traffic 1998 Selectors would also have been acceptable, though only in a separate 1999 SA. There is no data associated with this Notify type. This case 2000 will occur only when the initiator and responder are configured 2001 differently from one another. If the initiator and responder agree 2002 on the granularity of tunnels, the initiator will never request a 2003 tunnel wider than the responder will accept. 2005 It is possible for the responder's policy to contain multiple smaller 2006 ranges, all encompassed by the initiator's Traffic Selector, and with 2007 the responder's policy being that each of those ranges should be sent 2008 over a different SA. Continuing the example above, the responder 2009 might have a policy of being willing to tunnel those addresses to and 2010 from the initiator, but might require that each address pair be on a 2011 separately negotiated Child SA. If the initiator didn't generate its 2012 request based on the packet, but (for example) upon startup, there 2013 would not be the very specific first Traffic Selectors helping the 2014 responder to select the correct range. There would be no way for the 2015 responder to determine which pair of addresses should be included in 2016 this tunnel, and it would have to make a guess or reject the request 2017 with a SINGLE_PAIR_REQUIRED Notify message. 2019 The SINGLE_PAIR_REQUIRED error indicates that a CREATE_CHILD_SA 2020 request is unacceptable because its sender is only willing to accept 2021 Traffic Selectors specifying a single pair of addresses. The 2022 requestor is expected to respond by requesting an SA for only the 2023 specific traffic it is trying to forward. 2025 Few implementations will have policies that require separate SAs for 2026 each address pair. Because of this, if only some parts of the TSi 2027 and TSr proposed by the initiator are acceptable to the responder, 2028 responders SHOULD narrow the selectors to an acceptable subset rather 2029 than use SINGLE_PAIR_REQUIRED. 2031 2.9.1. Traffic Selectors Violating Own Policy 2033 When creating a new SA, the initiator needs to avoid proposing 2034 Traffic Selectors that violate its own policy. If this rule is not 2035 followed, valid traffic may be dropped. If you use decorrelated 2036 policies from [IPSECARCH], this kind of policy violations cannot 2037 happen. 2039 This is best illustrated by an example. Suppose that host A has a 2040 policy whose effect is that traffic to 198.51.100.66 is sent via host 2041 B encrypted using AES, and traffic to all other hosts in 2042 198.51.100.0/24 is also sent via B, but must use 3DES. Suppose also 2043 that host B accepts any combination of AES and 3DES. 2045 If host A now proposes an SA that uses 3DES, and includes TSr 2046 containing (198.51.100.0-198.51.100.255), this will be accepted by 2047 host B. Now, host B can also use this SA to send traffic from 2048 198.51.100.66, but those packets will be dropped by A since it 2049 requires the use of AES for this traffic. Even if host A creates a 2050 new SA only for 198.51.100.66 that uses AES, host B may freely 2051 continue to use the first SA for the traffic. In this situation, 2052 when proposing the SA, host A should have followed its own policy, 2053 and included a TSr containing ((198.51.100.0- 2054 198.51.100.65),(198.51.100.67-198.51.100.255)) instead. 2056 In general, if (1) the initiator makes a proposal "for traffic X 2057 (TSi/TSr), do SA", and (2) for some subset X' of X, the initiator 2058 does not actually accept traffic X' with SA, and (3) the initiator 2059 would be willing to accept traffic X' with some SA' (!=SA), valid 2060 traffic can be unnecessarily dropped since the responder can apply 2061 either SA or SA' to traffic X'. 2063 2.10. Nonces 2065 The IKE_SA_INIT messages each contain a nonce. These nonces are used 2066 as inputs to cryptographic functions. The CREATE_CHILD_SA request 2067 and the CREATE_CHILD_SA response also contain nonces. These nonces 2068 are used to add freshness to the key derivation technique used to 2069 obtain keys for Child SA, and to ensure creation of strong 2070 pseudorandom bits from the Diffie-Hellman key. Nonces used in IKEv2 2071 MUST be randomly chosen, MUST be at least 128 bits in size, and MUST 2072 be at least half the key size of the negotiated pseudorandom function 2073 (PRF). However, the initiator chooses the nonce before the outcome 2074 of the negotiation is known. Because of that, the nonce has to be 2075 long enough for all the PRFs being proposed. If the same random 2076 number source is used for both keys and nonces, care must be taken to 2077 ensure that the latter use does not compromise the former. 2079 2.11. Address and Port Agility 2081 IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and 2082 AH associations for the same IP addresses over which it runs. The IP 2083 addresses and ports in the outer header are, however, not themselves 2084 cryptographically protected, and IKE is designed to work even through 2085 Network Address Translation (NAT) boxes. An implementation MUST 2086 accept incoming requests even if the source port is not 500 or 4500, 2087 and MUST respond to the address and port from which the request was 2088 received. It MUST specify the address and port at which the request 2089 was received as the source address and port in the response. IKE 2090 functions identically over IPv4 or IPv6. 2092 2.12. Reuse of Diffie-Hellman Exponentials 2094 IKE generates keying material using an ephemeral Diffie-Hellman 2095 exchange in order to gain the property of "perfect forward secrecy". 2096 This means that once a connection is closed and its corresponding 2097 keys are forgotten, even someone who has recorded all of the data 2098 from the connection and gets access to all of the long-term keys of 2099 the two endpoints cannot reconstruct the keys used to protect the 2100 conversation without doing a brute force search of the session key 2101 space. 2103 Achieving perfect forward secrecy requires that when a connection is 2104 closed, each endpoint MUST forget not only the keys used by the 2105 connection but also any information that could be used to recompute 2106 those keys. 2108 Because computing Diffie-Hellman exponentials is computationally 2109 expensive, an endpoint may find it advantageous to reuse those 2110 exponentials for multiple connection setups. There are several 2111 reasonable strategies for doing this. An endpoint could choose a new 2112 exponential only periodically though this could result in less-than- 2113 perfect forward secrecy if some connection lasts for less than the 2114 lifetime of the exponential. Or it could keep track of which 2115 exponential was used for each connection and delete the information 2116 associated with the exponential only when some corresponding 2117 connection was closed. This would allow the exponential to be reused 2118 without losing perfect forward secrecy at the cost of maintaining 2119 more state. 2121 Whether and when to reuse Diffie-Hellman exponentials are private 2122 decisions in the sense that they will not affect interoperability. 2123 An implementation that reuses exponentials MAY choose to remember the 2124 exponential used by the other endpoint on past exchanges and if one 2125 is reused to avoid the second half of the calculation. See [REUSE] 2126 and [RFC6989] for a security analysis of this practice and for 2127 additional security considerations when reusing ephemeral Diffie- 2128 Hellman keys. 2130 2.13. Generating Keying Material 2132 In the context of the IKE SA, four cryptographic algorithms are 2133 negotiated: an encryption algorithm, an integrity protection 2134 algorithm, a Diffie-Hellman group, and a pseudorandom function (PRF). 2135 The PRF is used for the construction of keying material for all of 2136 the cryptographic algorithms used in both the IKE SA and the Child 2137 SAs. 2139 We assume that each encryption algorithm and integrity protection 2140 algorithm uses a fixed-size key and that any randomly chosen value of 2141 that fixed size can serve as an appropriate key. For algorithms that 2142 accept a variable-length key, a fixed key size MUST be specified as 2143 part of the cryptographic transform negotiated (see Section 3.3.5 for 2144 the definition of the Key Length transform attribute). For 2145 algorithms for which not all values are valid keys (such as DES or 2146 3DES with key parity), the algorithm by which keys are derived from 2147 arbitrary values MUST be specified by the cryptographic transform. 2148 For integrity protection functions based on Hashed Message 2149 Authentication Code (HMAC), the fixed key size is the size of the 2150 output of the underlying hash function. 2152 It is assumed that PRFs accept keys of any length, but have a 2153 preferred key size. The preferred key size MUST be used as the 2154 length of SK_d, SK_pi, and SK_pr (see Section 2.14). For PRFs based 2155 on the HMAC construction, the preferred key size is equal to the 2156 length of the output of the underlying hash function. Other types of 2157 PRFs MUST specify their preferred key size. 2159 Keying material will always be derived as the output of the 2160 negotiated PRF algorithm. Since the amount of keying material needed 2161 may be greater than the size of the output of the PRF, the PRF is 2162 used iteratively. The term "prf+" describes a function that outputs 2163 a pseudorandom stream based on the inputs to a pseudorandom function 2164 called "prf". 2166 In the following, | indicates concatenation. prf+ is defined as: 2168 prf+ (K,S) = T1 | T2 | T3 | T4 | ... 2170 where: 2171 T1 = prf (K, S | 0x01) 2172 T2 = prf (K, T1 | S | 0x02) 2173 T3 = prf (K, T2 | S | 0x03) 2174 T4 = prf (K, T3 | S | 0x04) 2175 ... 2177 This continues until all the material needed to compute all required 2178 keys has been output from prf+. The keys are taken from the output 2179 string without regard to boundaries (e.g., if the required keys are a 2180 256-bit Advanced Encryption Standard (AES) key and a 160-bit HMAC 2181 key, and the prf function generates 160 bits, the AES key will come 2182 from T1 and the beginning of T2, while the HMAC key will come from 2183 the rest of T2 and the beginning of T3). 2185 The constant concatenated to the end of each prf function is a single 2186 octet. The prf+ function is not defined beyond 255 times the size of 2187 the prf function output. 2189 2.14. Generating Keying Material for the IKE SA 2191 The shared keys are computed as follows. A quantity called SKEYSEED 2192 is calculated from the nonces exchanged during the IKE_SA_INIT 2193 exchange and the Diffie-Hellman shared secret established during that 2194 exchange. SKEYSEED is used to calculate seven other secrets: SK_d 2195 used for deriving new keys for the Child SAs established with this 2196 IKE SA; SK_ai and SK_ar used as a key to the integrity protection 2197 algorithm for authenticating the component messages of subsequent 2198 exchanges; SK_ei and SK_er used for encrypting (and of course 2199 decrypting) all subsequent exchanges; and SK_pi and SK_pr, which are 2200 used when generating an AUTH payload. The lengths of SK_d, SK_pi, 2201 and SK_pr MUST be the preferred key length of the PRF agreed upon. 2203 SKEYSEED and its derivatives are computed as follows: 2205 SKEYSEED = prf(Ni | Nr, g^ir) 2207 {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } 2208 = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) 2210 (indicating that the quantities SK_d, SK_ai, SK_ar, SK_ei, SK_er, 2211 SK_pi, and SK_pr are taken in order from the generated bits of the 2212 prf+). g^ir is the shared secret from the ephemeral Diffie-Hellman 2213 exchange. g^ir is represented as a string of octets in big endian 2214 order padded with zeros if necessary to make it the length of the 2215 modulus. Ni and Nr are the nonces, stripped of any headers. For 2216 historical backward-compatibility reasons, there are two PRFs that 2217 are treated specially in this calculation. If the negotiated PRF is 2218 AES-XCBC-PRF-128 [AESXCBCPRF128] or AES-CMAC-PRF-128 [AESCMACPRF128], 2219 only the first 64 bits of Ni and the first 64 bits of Nr are used in 2220 calculating SKEYSEED, but all the bits are used for input to the prf+ 2221 function. 2223 The two directions of traffic flow use different keys. The keys used 2224 to protect messages from the original initiator are SK_ai and SK_ei. 2225 The keys used to protect messages in the other direction are SK_ar 2226 and SK_er. 2228 2.15. Authentication of the IKE SA 2230 When not using extensible authentication (see Section 2.16), the 2231 peers are authenticated by having each sign (or MAC using a padded 2232 shared secret as the key, as described later in this section) a block 2233 of data. In these calculations, IDi' and IDr' are the entire ID 2234 payloads excluding the fixed header. For the responder, the octets 2235 to be signed start with the first octet of the first SPI in the 2236 header of the second message (IKE_SA_INIT response) and end with the 2237 last octet of the last payload in the second message. Appended to 2238 this (for the purposes of computing the signature) are the 2239 initiator's nonce Ni (just the value, not the payload containing it), 2240 and the value prf(SK_pr, IDr'). Note that neither the nonce Ni nor 2241 the value prf(SK_pr, IDr') are transmitted. Similarly, the initiator 2242 signs the first message (IKE_SA_INIT request), starting with the 2243 first octet of the first SPI in the header and ending with the last 2244 octet of the last payload. Appended to this (for purposes of 2245 computing the signature) are the responder's nonce Nr, and the value 2246 prf(SK_pi, IDi'). It is critical to the security of the exchange 2247 that each side sign the other side's nonce. 2249 The initiator's signed octets can be described as: 2251 InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI 2252 GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR 2253 RealIKEHDR = SPIi | SPIr | . . . | Length 2254 RealMessage1 = RealIKEHDR | RestOfMessage1 2255 NonceRPayload = PayloadHeader | NonceRData 2256 InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload 2257 RestOfInitIDPayload = IDType | RESERVED | InitIDData 2258 MACedIDForI = prf(SK_pi, RestOfInitIDPayload) 2260 The responder's signed octets can be described as: 2262 ResponderSignedOctets = RealMessage2 | NonceIData | MACedIDForR 2263 GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR 2264 RealIKEHDR = SPIi | SPIr | . . . | Length 2265 RealMessage2 = RealIKEHDR | RestOfMessage2 2266 NonceIPayload = PayloadHeader | NonceIData 2267 ResponderIDPayload = PayloadHeader | RestOfRespIDPayload 2268 RestOfRespIDPayload = IDType | RESERVED | RespIDData 2269 MACedIDForR = prf(SK_pr, RestOfRespIDPayload) 2270 Note that all of the payloads are included under the signature, 2271 including any payload types not defined in this document. If the 2272 first message of the exchange is sent multiple times (such as with a 2273 responder cookie and/or a different Diffie-Hellman group), it is the 2274 latest version of the message that is signed. 2276 Optionally, messages 3 and 4 MAY include a certificate, or 2277 certificate chain providing evidence that the key used to compute a 2278 digital signature belongs to the name in the ID payload. The 2279 signature or MAC will be computed using algorithms dictated by the 2280 type of key used by the signer, and specified by the Auth Method 2281 field in the Authentication payload. There is no requirement that 2282 the initiator and responder sign with the same cryptographic 2283 algorithms. The choice of cryptographic algorithms depends on the 2284 type of key each has. In particular, the initiator may be using a 2285 shared key while the responder may have a public signature key and 2286 certificate. It will commonly be the case (but it is not required) 2287 that, if a shared secret is used for authentication, the same key is 2288 used in both directions. 2290 Note that it is a common but typically insecure practice to have a 2291 shared key derived solely from a user-chosen password without 2292 incorporating another source of randomness. This is typically 2293 insecure because user-chosen passwords are unlikely to have 2294 sufficient unpredictability to resist dictionary attacks and these 2295 attacks are not prevented in this authentication method. 2296 (Applications using password-based authentication for bootstrapping 2297 and IKE SA should use the authentication method in Section 2.16, 2298 which is designed to prevent off-line dictionary attacks.) The pre- 2299 shared key needs to contain as much unpredictability as the strongest 2300 key being negotiated. In the case of a pre-shared key, the AUTH 2301 value is computed as: 2303 For the initiator: 2304 AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), 2305 ) 2306 For the responder: 2307 AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), 2308 ) 2310 where the string "Key Pad for IKEv2" is 17 ASCII characters without 2311 null termination. The shared secret can be variable length. The pad 2312 string is added so that if the shared secret is derived from a 2313 password, the IKE implementation need not store the password in 2314 cleartext, but rather can store the value prf(Shared Secret,"Key Pad 2315 for IKEv2"), which could not be used as a password equivalent for 2316 protocols other than IKEv2. As noted above, deriving the shared 2317 secret from a password is not secure. This construction is used 2318 because it is anticipated that people will do it anyway. The 2319 management interface by which the shared secret is provided MUST 2320 accept ASCII strings of at least 64 octets and MUST NOT add a null 2321 terminator before using them as shared secrets. It MUST also accept 2322 a hex encoding of the shared secret. The management interface MAY 2323 accept other encodings if the algorithm for translating the encoding 2324 to a binary string is specified. 2326 There are two types of EAP authentication (described in 2327 Section 2.16), and each type uses different values in the AUTH 2328 computations shown above. If the EAP method is key-generating, 2329 substitute master session key (MSK) for the shared secret in the 2330 computation. For non-key-generating methods, substitute SK_pi and 2331 SK_pr, respectively, for the shared secret in the two AUTH 2332 computations. 2334 2.16. Extensible Authentication Protocol Methods 2336 In addition to authentication using public key signatures and shared 2337 secrets, IKE supports authentication using methods defined in RFC 2338 3748 [EAP]. Typically, these methods are asymmetric (designed for a 2339 user authenticating to a server), and they may not be mutual. For 2340 this reason, these protocols are typically used to authenticate the 2341 initiator to the responder and MUST be used in conjunction with a 2342 public-key-signature-based authentication of the responder to the 2343 initiator. These methods are often associated with mechanisms 2344 referred to as "Legacy Authentication" mechanisms. 2346 While this document references [EAP] with the intent that new methods 2347 can be added in the future without updating this specification, some 2348 simpler variations are documented here. [EAP] defines an 2349 authentication protocol requiring a variable number of messages. 2350 Extensible Authentication is implemented in IKE as additional 2351 IKE_AUTH exchanges that MUST be completed in order to initialize the 2352 IKE SA. 2354 An initiator indicates a desire to use EAP by leaving out the AUTH 2355 payload from the first message in the IKE_AUTH exchange. (Note that 2356 the AUTH payload is required for non-EAP authentication, and is thus 2357 not marked as optional in the rest of this document.) By including 2358 an IDi payload but not an AUTH payload, the initiator has declared an 2359 identity but has not proven it. If the responder is willing to use 2360 an EAP method, it will place an Extensible Authentication Protocol 2361 (EAP) payload in the response of the IKE_AUTH exchange and defer 2362 sending SAr2, TSi, and TSr until initiator authentication is complete 2363 in a subsequent IKE_AUTH exchange. In the case of a minimal EAP 2364 method, the initial SA establishment will appear as follows: 2366 Initiator Responder 2367 ------------------------------------------------------------------- 2368 HDR, SAi1, KEi, Ni --> 2369 <-- HDR, SAr1, KEr, Nr, [CERTREQ] 2370 HDR, SK {IDi, [CERTREQ,] 2371 [IDr,] SAi2, 2372 TSi, TSr} --> 2373 <-- HDR, SK {IDr, [CERT,] AUTH, 2374 EAP } 2375 HDR, SK {EAP} --> 2376 <-- HDR, SK {EAP (success)} 2377 HDR, SK {AUTH} --> 2378 <-- HDR, SK {AUTH, SAr2, TSi, TSr } 2380 As described in Section 2.2, when EAP is used, each pair of IKE SA 2381 initial setup messages will have their message numbers incremented; 2382 the first pair of IKE_AUTH messages will have an ID of 1, the second 2383 will be 2, and so on. 2385 For EAP methods that create a shared key as a side effect of 2386 authentication, that shared key MUST be used by both the initiator 2387 and responder to generate AUTH payloads in messages 7 and 8 using the 2388 syntax for shared secrets specified in Section 2.15. The shared key 2389 from EAP is the field from the EAP specification named MSK. This 2390 shared key generated during an IKE exchange MUST NOT be used for any 2391 other purpose. 2393 EAP methods that do not establish a shared key SHOULD NOT be used, as 2394 they are subject to a number of man-in-the-middle attacks [EAPMITM] 2395 if these EAP methods are used in other protocols that do not use a 2396 server-authenticated tunnel. Please see the Security Considerations 2397 section for more details. If EAP methods that do not generate a 2398 shared key are used, the AUTH payloads in messages 7 and 8 MUST be 2399 generated using SK_pi and SK_pr, respectively. 2401 The initiator of an IKE SA using EAP needs to be capable of extending 2402 the initial protocol exchange to at least ten IKE_AUTH exchanges in 2403 the event the responder sends notification messages and/or retries 2404 the authentication prompt. Once the protocol exchange defined by the 2405 chosen EAP authentication method has successfully terminated, the 2406 responder MUST send an EAP payload containing the Success message. 2407 Similarly, if the authentication method has failed, the responder 2408 MUST send an EAP payload containing the Failure message. The 2409 responder MAY at any time terminate the IKE exchange by sending an 2410 EAP payload containing the Failure message. 2412 Following such an extended exchange, the EAP AUTH payloads MUST be 2413 included in the two messages following the one containing the EAP 2414 Success message. 2416 When the initiator authentication uses EAP, it is possible that the 2417 contents of the IDi payload is used only for Authentication, 2418 Authorization, and Accounting (AAA) routing purposes and selecting 2419 which EAP method to use. This value may be different from the 2420 identity authenticated by the EAP method. It is important that 2421 policy lookups and access control decisions use the actual 2422 authenticated identity. Often the EAP server is implemented in a 2423 separate AAA server that communicates with the IKEv2 responder. In 2424 this case, the authenticated identity, if different from that in the 2425 IDi payload, has to be sent from the AAA server to the IKEv2 2426 responder. 2428 2.17. Generating Keying Material for Child SAs 2430 A single Child SA is created by the IKE_AUTH exchange, and additional 2431 Child SAs can optionally be created in CREATE_CHILD_SA exchanges. 2432 Keying material for them is generated as follows: 2434 KEYMAT = prf+(SK_d, Ni | Nr) 2436 Where Ni and Nr are the nonces from the IKE_SA_INIT exchange if this 2437 request is the first Child SA created or the fresh Ni and Nr from the 2438 CREATE_CHILD_SA exchange if this is a subsequent creation. 2440 For CREATE_CHILD_SA exchanges including an optional Diffie-Hellman 2441 exchange, the keying material is defined as: 2443 KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ) 2445 where g^ir (new) is the shared secret from the ephemeral Diffie- 2446 Hellman exchange of this CREATE_CHILD_SA exchange (represented as an 2447 octet string in big endian order padded with zeros in the high-order 2448 bits if necessary to make it the length of the modulus). 2450 A single CREATE_CHILD_SA negotiation may result in multiple Security 2451 Associations. ESP and AH SAs exist in pairs (one in each direction), 2452 so two SAs are created in a single Child SA negotiation for them. 2453 Furthermore, Child SA negotiation may include some future IPsec 2454 protocol(s) in addition to, or instead of, ESP or AH (for example, 2455 ROHC_INTEG as described in [ROHCV2]). In any case, keying material 2456 for each Child SA MUST be taken from the expanded KEYMAT using the 2457 following rules: 2459 o All keys for SAs carrying data from the initiator to the responder 2460 are taken before SAs going from the responder to the initiator. 2462 o If multiple IPsec protocols are negotiated, keying material for 2463 each Child SA is taken in the order in which the protocol headers 2464 will appear in the encapsulated packet. 2466 o If an IPsec protocol requires multiple keys, the order in which 2467 they are taken from the SA's keying material needs to be described 2468 in the protocol's specification. For ESP and AH, [IPSECARCH] 2469 defines the order, namely: the encryption key (if any) MUST be 2470 taken from the first bits and the integrity key (if any) MUST be 2471 taken from the remaining bits. 2473 Each cryptographic algorithm takes a fixed number of bits of keying 2474 material specified as part of the algorithm, or negotiated in SA 2475 payloads (see Section 2.13 for description of key lengths, and 2476 Section 3.3.5 for the definition of the Key Length transform 2477 attribute). 2479 2.18. Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange 2481 The CREATE_CHILD_SA exchange can be used to rekey an existing IKE SA 2482 (see Sections 1.3.2 and 2.8). New initiator and responder SPIs are 2483 supplied in the SPI fields in the Proposal structures inside the 2484 Security Association (SA) payloads (not the SPI fields in the IKE 2485 header). The TS payloads are omitted when rekeying an IKE SA. 2486 SKEYSEED for the new IKE SA is computed using SK_d from the existing 2487 IKE SA as follows: 2489 SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr) 2491 where g^ir (new) is the shared secret from the ephemeral Diffie- 2492 Hellman exchange of this CREATE_CHILD_SA exchange (represented as an 2493 octet string in big endian order padded with zeros if necessary to 2494 make it the length of the modulus) and Ni and Nr are the two nonces 2495 stripped of any headers. 2497 The old and new IKE SA may have selected a different PRF. Because 2498 the rekeying exchange belongs to the old IKE SA, it is the old IKE 2499 SA's PRF that is used to generate SKEYSEED. 2501 The main reason for rekeying the IKE SA is to ensure that the 2502 compromise of old keying material does not provide information about 2503 the current keys, or vice versa. Therefore, implementations MUST 2504 perform a new Diffie-Hellman exchange when rekeying the IKE SA. In 2505 other words, an initiator MUST NOT propose the value "NONE" for the 2506 Diffie-Hellman transform, and a responder MUST NOT accept such a 2507 proposal. This means that a successful exchange rekeying the IKE SA 2508 always includes the KEi/KEr payloads. 2510 The new IKE SA MUST reset its message counters to 0. 2512 SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as 2513 specified in Section 2.14, using SPIi, SPIr, Ni, and Nr from the new 2514 exchange, and using the new IKE SA's PRF. 2516 2.19. Requesting an Internal Address on a Remote Network 2518 Most commonly occurring in the endpoint-to-security-gateway scenario, 2519 an endpoint may need an IP address in the network protected by the 2520 security gateway and may need to have that address dynamically 2521 assigned. A request for such a temporary address can be included in 2522 any request to create a Child SA (including the implicit request in 2523 message 3) by including a CP payload. Note, however, it is usual to 2524 only assign one IP address during the IKE_AUTH exchange. That 2525 address persists at least until the deletion of the IKE SA. 2527 This function provides address allocation to an IPsec Remote Access 2528 Client (IRAC) trying to tunnel into a network protected by an IPsec 2529 Remote Access Server (IRAS). Since the IKE_AUTH exchange creates an 2530 IKE SA and a Child SA, the IRAC MUST request the IRAS-controlled 2531 address (and optionally other information concerning the protected 2532 network) in the IKE_AUTH exchange. The IRAS may procure an address 2533 for the IRAC from any number of sources such as a DHCP/BOOTP 2534 (Bootstrap Protocol) server or its own address pool. 2536 Initiator Responder 2537 ------------------------------------------------------------------- 2538 HDR, SK {IDi, [CERT,] 2539 [CERTREQ,] [IDr,] AUTH, 2540 CP(CFG_REQUEST), SAi2, 2541 TSi, TSr} --> 2542 <-- HDR, SK {IDr, [CERT,] AUTH, 2543 CP(CFG_REPLY), SAr2, 2544 TSi, TSr} 2546 In all cases, the CP payload MUST be inserted before the SA payload. 2547 In variations of the protocol where there are multiple IKE_AUTH 2548 exchanges, the CP payloads MUST be inserted in the messages 2549 containing the SA payloads. 2551 CP(CFG_REQUEST) MUST contain at least an INTERNAL_ADDRESS attribute 2552 (either IPv4 or IPv6) but MAY contain any number of additional 2553 attributes the initiator wants returned in the response. 2555 For example, message from initiator to responder: 2557 CP(CFG_REQUEST)= 2558 INTERNAL_ADDRESS() 2559 TSi = (0, 0-65535,0.0.0.0-255.255.255.255) 2560 TSr = (0, 0-65535,0.0.0.0-255.255.255.255) 2562 NOTE: Traffic Selectors contain (protocol, port range, address 2563 range). 2565 Message from responder to initiator: 2567 CP(CFG_REPLY)= 2568 INTERNAL_ADDRESS(192.0.2.202) 2569 INTERNAL_NETMASK(255.255.255.0) 2570 INTERNAL_SUBNET(192.0.2.0/255.255.255.0) 2571 TSi = (0, 0-65535,192.0.2.202-192.0.2.202) 2572 TSr = (0, 0-65535,192.0.2.0-192.0.2.255) 2574 All returned values will be implementation dependent. As can be seen 2575 in the above example, the IRAS MAY also send other attributes that 2576 were not included in CP(CFG_REQUEST) and MAY ignore the non- 2577 mandatory attributes that it does not support. 2579 The responder MUST NOT send a CFG_REPLY without having first received 2580 a CP(CFG_REQUEST) from the initiator, because we do not want the IRAS 2581 to perform an unnecessary configuration lookup if the IRAC cannot 2582 process the REPLY. 2584 In the case where the IRAS's configuration requires that CP be used 2585 for a given identity IDi, but IRAC has failed to send a 2586 CP(CFG_REQUEST), IRAS MUST fail the request, and terminate the Child 2587 SA creation with a FAILED_CP_REQUIRED error. The FAILED_CP_REQUIRED 2588 is not fatal to the IKE SA; it simply causes the Child SA creation to 2589 fail. The initiator can fix this by later starting a new 2590 Configuration payload request. There is no associated data in the 2591 FAILED_CP_REQUIRED error. 2593 2.20. Requesting the Peer's Version 2595 An IKE peer wishing to inquire about the other peer's IKE software 2596 version information MAY use the method below. This is an example of 2597 a configuration request within an INFORMATIONAL exchange, after the 2598 IKE SA and first Child SA have been created. 2600 An IKE implementation MAY decline to give out version information 2601 prior to authentication or even after authentication in case some 2602 implementation is known to have some security weakness. In that 2603 case, it MUST either return an empty string or no CP payload if CP is 2604 not supported. 2606 Initiator Responder 2607 ------------------------------------------------------------------- 2608 HDR, SK{CP(CFG_REQUEST)} --> 2609 <-- HDR, SK{CP(CFG_REPLY)} 2611 CP(CFG_REQUEST)= 2612 APPLICATION_VERSION("") 2614 CP(CFG_REPLY) APPLICATION_VERSION("foobar v1.3beta, (c) Foo Bar 2615 Inc.") 2617 2.21. Error Handling 2619 There are many kinds of errors that can occur during IKE processing. 2620 The general rule is that if a request is received that is badly 2621 formatted, or unacceptable for reasons of policy (such as no matching 2622 cryptographic algorithms), the response contains a Notify payload 2623 indicating the error. The decision whether or not to send such a 2624 response depends whether or not there is an authenticated IKE SA. 2626 If there is an error parsing or processing a response packet, the 2627 general rule is to not send back any error message because responses 2628 should not generate new requests (and a new request would be the only 2629 way to send back an error message). Such errors in parsing or 2630 processing response packets should still cause the recipient to clean 2631 up the IKE state (for example, by sending a Delete for a bad SA). 2633 Only authentication failures (AUTHENTICATION_FAILED and EAP failure) 2634 and malformed messages (INVALID_SYNTAX) lead to a deletion of the IKE 2635 SA without requiring an explicit INFORMATIONAL exchange carrying a 2636 Delete payload. Other error conditions MAY require such an exchange 2637 if policy dictates that this is needed. If the exchange is 2638 terminated with EAP Failure, an AUTHENTICATION_FAILED notification is 2639 not sent. 2641 2.21.1. Error Handling in IKE_SA_INIT 2643 Errors that occur before a cryptographically protected IKE SA is 2644 established need to be handled very carefully. There is a trade-off 2645 between wanting to help the peer to diagnose a problem and thus 2646 responding to the error and wanting to avoid being part of a DoS 2647 attack based on forged messages. 2649 In an IKE_SA_INIT exchange, any error notification causes the 2650 exchange to fail. Note that some error notifications such as COOKIE, 2651 INVALID_KE_PAYLOAD or INVALID_MAJOR_VERSION may lead to a subsequent 2652 successful exchange. Because all error notifications are completely 2653 unauthenticated, the recipient should continue trying for some time 2654 before giving up. The recipient should not immediately act based on 2655 the error notification unless corrective actions are defined in this 2656 specification, such as for COOKIE, INVALID_KE_PAYLOAD, and 2657 INVALID_MAJOR_VERSION. 2659 2.21.2. Error Handling in IKE_AUTH 2661 All errors that occur in an IKE_AUTH exchange, causing the 2662 authentication to fail for whatever reason (invalid shared secret, 2663 invalid ID, untrusted certificate issuer, revoked or expired 2664 certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED 2665 notification. If the error occurred on the responder, the 2666 notification is returned in the protected response, and is usually 2667 the only payload in that response. Although the IKE_AUTH messages 2668 are encrypted and integrity protected, if the peer receiving this 2669 notification has not authenticated the other end yet, that peer needs 2670 to treat the information with caution. 2672 If the error occurs on the initiator, the notification MAY be 2673 returned in a separate INFORMATIONAL exchange, usually with no other 2674 payloads. This is an exception for the general rule of not starting 2675 new exchanges based on errors in responses. 2677 Note, however, that request messages that contain an unsupported 2678 critical payload, or where the whole message is malformed (rather 2679 than just bad payload contents), MUST be rejected in their entirety, 2680 and MUST only lead to an UNSUPPORTED_CRITICAL_PAYLOAD or 2681 INVALID_SYNTAX Notification sent as a response. The receiver should 2682 not verify the payloads related to authentication in this case. 2684 If authentication has succeeded in the IKE_AUTH exchange, the IKE SA 2685 is established; however, establishing the Child SA or requesting 2686 configuration information may still fail. This failure does not 2687 automatically cause the IKE SA to be deleted. Specifically, a 2688 responder may include all the payloads associated with authentication 2689 (IDr, CERT, and AUTH) while sending error notifications for the 2690 piggybacked exchanges (FAILED_CP_REQUIRED, NO_PROPOSAL_CHOSEN, and so 2691 on), and the initiator MUST NOT fail the authentication because of 2692 this. The initiator MAY, of course, for reasons of policy later 2693 delete such an IKE SA. 2695 In an IKE_AUTH exchange, or in the INFORMATIONAL exchange immediately 2696 following it (in case an error happened when processing a response to 2697 IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, and 2698 AUTHENTICATION_FAILED notifications are the only ones to cause the 2699 IKE SA to be deleted or not created, without a Delete payload. 2700 Extension documents may define new error notifications with these 2701 semantics, but MUST NOT use them unless the peer has been shown to 2702 understand them, such as by using the Vendor ID payload. 2704 2.21.3. Error Handling after IKE SA is Authenticated 2706 After the IKE SA is authenticated, all requests having errors MUST 2707 result in a response notifying about the error. 2709 In normal situations, there should not be cases where a valid 2710 response from one peer results in an error situation in the other 2711 peer, so there should not be any reason for a peer to send error 2712 messages to the other end except as a response. Because sending such 2713 error messages as an INFORMATIONAL exchange might lead to further 2714 errors that could cause loops, such errors SHOULD NOT be sent. If 2715 errors are seen that indicate that the peers do not have the same 2716 state, it might be good to delete the IKE SA to clean up state and 2717 start over. 2719 If a peer parsing a request notices that it is badly formatted (after 2720 it has passed the message authentication code checks and window 2721 checks) and it returns an INVALID_SYNTAX notification, then this 2722 error notification is considered fatal in both peers, meaning that 2723 the IKE SA is deleted without needing an explicit Delete payload. 2725 2.21.4. Error Handling Outside IKE SA 2727 A node needs to limit the rate at which it will send messages in 2728 response to unprotected messages. 2730 If a node receives a message on UDP port 500 or 4500 outside the 2731 context of an IKE SA known to it (and the message is not a request to 2732 start an IKE SA), this may be the result of a recent crash of the 2733 node. If the message is marked as a response, the node can audit the 2734 suspicious event but MUST NOT respond. If the message is marked as a 2735 request, the node can audit the suspicious event and MAY send a 2736 response. If a response is sent, the response MUST be sent to the IP 2737 address and port from where it came with the same IKE SPIs and the 2738 Message ID copied. The response MUST NOT be cryptographically 2739 protected and MUST contain an INVALID_IKE_SPI Notify payload. The 2740 INVALID_IKE_SPI notification indicates an IKE message was received 2741 with an unrecognized destination SPI; this usually indicates that the 2742 recipient has rebooted and forgotten the existence of an IKE SA. 2744 A peer receiving such an unprotected Notify payload MUST NOT respond 2745 and MUST NOT change the state of any existing SAs. The message might 2746 be a forgery or might be a response that a genuine correspondent was 2747 tricked into sending. A node should treat such a message (and also a 2748 network message like ICMP destination unreachable) as a hint that 2749 there might be problems with SAs to that IP address and should 2750 initiate a liveness check for any such IKE SA. An implementation 2751 SHOULD limit the frequency of such tests to avoid being tricked into 2752 participating in a DoS attack. 2754 If an error occurs outside the context of an IKE request (e.g., the 2755 node is getting ESP messages on a nonexistent SPI), the node SHOULD 2756 initiate an INFORMATIONAL exchange with a Notify payload describing 2757 the problem. 2759 A node receiving a suspicious message from an IP address (and port, 2760 if NAT traversal is used) with which it has an IKE SA SHOULD send an 2761 IKE Notify payload in an IKE INFORMATIONAL exchange over that SA. 2762 The recipient MUST NOT change the state of any SAs as a result, but 2763 may wish to audit the event to aid in diagnosing malfunctions. 2765 2.22. IPComp 2767 Use of IP Compression [IP-COMP] can be negotiated as part of the 2768 setup of a Child SA. While IP Compression involves an extra header 2769 in each packet and a compression parameter index (CPI), the virtual 2770 "compression association" has no life outside the ESP or AH SA that 2771 contains it. Compression associations disappear when the 2772 corresponding ESP or AH SA goes away. It is not explicitly mentioned 2773 in any Delete payload. 2775 Negotiation of IP Compression is separate from the negotiation of 2776 cryptographic parameters associated with a Child SA. A node 2777 requesting a Child SA MAY advertise its support for one or more 2778 compression algorithms through one or more Notify payloads of type 2779 IPCOMP_SUPPORTED. This Notify message may be included only in a 2780 message containing an SA payload negotiating a Child SA and indicates 2781 a willingness by its sender to use IPComp on this SA. The response 2782 MAY indicate acceptance of a single compression algorithm with a 2783 Notify payload of type IPCOMP_SUPPORTED. These payloads MUST NOT 2784 occur in messages that do not contain SA payloads. 2786 The data associated with this Notify message includes a two-octet 2787 IPComp CPI followed by a one-octet Transform ID optionally followed 2788 by attributes whose length and format are defined by that Transform 2789 ID. A message proposing an SA may contain multiple IPCOMP_SUPPORTED 2790 notifications to indicate multiple supported algorithms. A message 2791 accepting an SA may contain at most one. 2793 The Transform IDs are listed here. The values in the following table 2794 are only current as of the publication date of RFC 4306. Other 2795 values may have been added since then or will be added after the 2796 publication of this document. Readers should refer to [IKEV2IANA] 2797 for the latest values. 2799 Name Number Defined In 2800 ------------------------------------- 2801 IPCOMP_OUI 1 2802 IPCOMP_DEFLATE 2 RFC 2394 2803 IPCOMP_LZS 3 RFC 2395 2804 IPCOMP_LZJH 4 RFC 3051 2806 Although there has been discussion of allowing multiple compression 2807 algorithms to be accepted and to have different compression 2808 algorithms available for the two directions of a Child SA, 2809 implementations of this specification MUST NOT accept an IPComp 2810 algorithm that was not proposed, MUST NOT accept more than one, and 2811 MUST NOT compress using an algorithm other than one proposed and 2812 accepted in the setup of the Child SA. 2814 A side effect of separating the negotiation of IPComp from 2815 cryptographic parameters is that it is not possible to propose 2816 multiple cryptographic suites and propose IP Compression with some of 2817 them but not others. 2819 In some cases, Robust Header Compression (ROHC) may be more 2820 appropriate than IP Compression. [ROHCV2] defines the use of ROHC 2821 with IKEv2 and IPsec. 2823 2.23. NAT Traversal 2825 Network Address Translation (NAT) gateways are a controversial 2826 subject. This section briefly describes what they are and how they 2827 are likely to act on IKE traffic. Many people believe that NATs are 2828 evil and that we should not design our protocols so as to make them 2829 work better. IKEv2 does specify some unintuitive processing rules in 2830 order that NATs are more likely to work. 2832 NATs exist primarily because of the shortage of IPv4 addresses, 2833 though there are other rationales. IP nodes that are "behind" a NAT 2834 have IP addresses that are not globally unique, but rather are 2835 assigned from some space that is unique within the network behind the 2836 NAT but that are likely to be reused by nodes behind other NATs. 2837 Generally, nodes behind NATs can communicate with other nodes behind 2838 the same NAT and with nodes with globally unique addresses, but not 2839 with nodes behind other NATs. There are exceptions to that rule. 2840 When those nodes make connections to nodes on the real Internet, the 2841 NAT gateway "translates" the IP source address to an address that 2842 will be routed back to the gateway. Messages to the gateway from the 2843 Internet have their destination addresses "translated" to the 2844 internal address that will route the packet to the correct endnode. 2846 NATs are designed to be "transparent" to endnodes. Neither software 2847 on the node behind the NAT nor the node on the Internet requires 2848 modification to communicate through the NAT. Achieving this 2849 transparency is more difficult with some protocols than with others. 2850 Protocols that include IP addresses of the endpoints within the 2851 payloads of the packet will fail unless the NAT gateway understands 2852 the protocol and modifies the internal references as well as those in 2853 the headers. Such knowledge is inherently unreliable, is a network 2854 layer violation, and often results in subtle problems. 2856 Opening an IPsec connection through a NAT introduces special 2857 problems. If the connection runs in transport mode, changing the IP 2858 addresses on packets will cause the checksums to fail and the NAT 2859 cannot correct the checksums because they are cryptographically 2860 protected. Even in tunnel mode, there are routing problems because 2861 transparently translating the addresses of AH and ESP packets 2862 requires special logic in the NAT and that logic is heuristic and 2863 unreliable in nature. For that reason, IKEv2 will use UDP 2864 encapsulation of IKE and ESP packets. This encoding is slightly less 2865 efficient but is easier for NATs to process. In addition, firewalls 2866 may be configured to pass UDP-encapsulated IPsec traffic but not 2867 plain, unencapsulated ESP/AH or vice versa. 2869 It is a common practice of NATs to translate TCP and UDP port numbers 2870 as well as addresses and use the port numbers of inbound packets to 2871 decide which internal node should get a given packet. For this 2872 reason, even though IKE packets MUST be sent to and from UDP port 500 2873 or 4500, they MUST be accepted coming from any port and responses 2874 MUST be sent to the port from whence they came. This is because the 2875 ports may be modified as the packets pass through NATs. Similarly, 2876 IP addresses of the IKE endpoints are generally not included in the 2877 IKE payloads because the payloads are cryptographically protected and 2878 could not be transparently modified by NATs. 2880 Port 4500 is reserved for UDP-encapsulated ESP and IKE. An IPsec 2881 endpoint that discovers a NAT between it and its correspondent (as 2882 described below) MUST send all subsequent traffic from port 4500, 2883 which NATs should not treat specially (as they might with port 500). 2885 An initiator can use port 4500 for both IKE and ESP, regardless of 2886 whether or not there is a NAT, even at the beginning of IKE. When 2887 either side is using port 4500, sending ESP with UDP encapsulation is 2888 not required, but understanding received UDP-encapsulated ESP packets 2889 is required. UDP encapsulation MUST NOT be done on port 500. If 2890 Network Address Translation Traversal (NAT-T) is supported (that is, 2891 if NAT_DETECTION_*_IP payloads were exchanged during IKE_SA_INIT), 2892 all devices MUST be able to receive and process both UDP-encapsulated 2893 ESP and non-UDP-encapsulated ESP packets at any time. Either side 2894 can decide whether or not to use UDP encapsulation for ESP 2895 irrespective of the choice made by the other side. However, if a NAT 2896 is detected, both devices MUST use UDP encapsulation for ESP. 2898 The specific requirements for supporting NAT traversal [NATREQ] are 2899 listed below. Support for NAT traversal is optional. In this 2900 section only, requirements listed as MUST apply only to 2901 implementations supporting NAT traversal. 2903 o Both the IKE initiator and responder MUST include in their 2904 IKE_SA_INIT packets Notify payloads of type 2905 NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP. Those 2906 payloads can be used to detect if there is NAT between the hosts, 2907 and which end is behind the NAT. The location of the payloads in 2908 the IKE_SA_INIT packets is just after the Ni and Nr payloads 2909 (before the optional CERTREQ payload). 2911 o The data associated with the NAT_DETECTION_SOURCE_IP notification 2912 is a SHA-1 digest of the SPIs (in the order they appear in the 2913 header), IP address, and port from which this packet was sent. 2914 There MAY be multiple NAT_DETECTION_SOURCE_IP payloads in a 2915 message if the sender does not know which of several network 2916 attachments will be used to send the packet. 2918 o The data associated with the NAT_DETECTION_DESTINATION_IP 2919 notification is a SHA-1 digest of the SPIs (in the order they 2920 appear in the header), IP address, and port to which this packet 2921 was sent. 2923 o The recipient of either the NAT_DETECTION_SOURCE_IP or 2924 NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied 2925 value to a SHA-1 hash of the SPIs, source or recipient IP address 2926 (respectively), address, and port, and if they don't match, it 2927 SHOULD enable NAT traversal. In the case there is a mismatch of 2928 the NAT_DETECTION_SOURCE_IP hash with all of the 2929 NAT_DETECTION_SOURCE_IP payloads received, the recipient MAY 2930 reject the connection attempt if NAT traversal is not supported. 2931 In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it 2932 means that the system receiving the NAT_DETECTION_DESTINATION_IP 2933 payload is behind a NAT and that system SHOULD start sending 2934 keepalive packets as defined in [UDPENCAPS]; alternately, it MAY 2935 reject the connection attempt if NAT traversal is not supported. 2937 o If none of the NAT_DETECTION_SOURCE_IP payload(s) received matches 2938 the expected value of the source IP and port found from the IP 2939 header of the packet containing the payload, it means that the 2940 system sending those payloads is behind a NAT (i.e., someone along 2941 the route changed the source address of the original packet to 2942 match the address of the NAT box). In this case, the system 2943 receiving the payloads should allow dynamic updates of the other 2944 systems' IP address, as described later. 2946 o The IKE initiator MUST check the NAT_DETECTION_SOURCE_IP or 2947 NAT_DETECTION_DESTINATION_IP payloads if present, and if they do 2948 not match the addresses in the outer packet, MUST tunnel all 2949 future IKE and ESP packets associated with this IKE SA over UDP 2950 port 4500. 2952 o To tunnel IKE packets over UDP port 4500, the IKE header has four 2953 octets of zero prepended and the result immediately follows the 2954 UDP header. To tunnel ESP packets over UDP port 4500, the ESP 2955 header immediately follows the UDP header. Since the first four 2956 octets of the ESP header contain the SPI, and the SPI cannot 2957 validly be zero, it is always possible to distinguish ESP and IKE 2958 messages. 2960 o Implementations MUST process received UDP-encapsulated ESP packets 2961 even when no NAT was detected. 2963 o The original source and destination IP address required for the 2964 transport mode TCP and UDP packet checksum fixup (see [UDPENCAPS]) 2965 are obtained from the Traffic Selectors associated with the 2966 exchange. In the case of transport mode NAT traversal, the 2967 Traffic Selectors MUST contain exactly one IP address, which is 2968 then used as the original IP address. This is covered in greater 2969 detail in Section 2.23.1. 2971 o There are cases where a NAT box decides to remove mappings that 2972 are still alive (for example, the keepalive interval is too long, 2973 or the NAT box is rebooted). This will be apparent to a host if 2974 it receives a packet whose integrity protection validates, but has 2975 a different port, address, or both from the one that was 2976 associated with the SA in the validated packet. When such a 2977 validated packet is found, a host that does not support other 2978 methods of recovery such as IKEv2 Mobility and Multihoming 2979 (MOBIKE) [MOBIKE], and that is not behind a NAT, SHOULD send all 2980 packets (including retransmission packets) to the IP address and 2981 port in the validated packet, and SHOULD store this as the new 2982 address and port combination for the SA (that is, they SHOULD 2983 dynamically update the address). A host behind a NAT SHOULD NOT 2984 do this type of dynamic address update if a validated packet has 2985 different port and/or address values because it opens a possible 2986 DoS attack (such as allowing an attacker to break the connection 2987 with a single packet). Also, dynamic address update should only 2988 be done in response to a new packet; otherwise, an attacker can 2989 revert the addresses with old replayed packets. Because of this, 2990 dynamic updates can only be done safely if replay protection is 2991 enabled. When IKEv2 is used with MOBIKE, dynamically updating the 2992 addresses described above interferes with MOBIKE's way of 2993 recovering from the same situation. See Section 3.8 of [MOBIKE] 2994 for more information. 2996 2.23.1. Transport Mode NAT Traversal 2998 Transport mode used with NAT Traversal requires special handling of 2999 the Traffic Selectors used in the IKEv2. The complete scenario looks 3000 like: 3002 +------+ +------+ +------+ +------+ 3003 |Client| IP1 | NAT | IPN1 IPN2 | NAT | IP2 |Server| 3004 |node |<------>| A |<---------->| B |<------->| | 3005 +------+ +------+ +------+ +------+ 3007 (Other scenarios are simplifications of this complex case, so this 3008 discussion uses the complete scenario.) 3010 In this scenario, there are two address translating NATs: NAT A and 3011 NAT B. NAT A is a dynamic NAT that maps the client's source address 3012 IP1 to IPN1. NAT B is a static NAT configured so that connections 3013 coming to IPN2 address are mapped to the gateway's address IP2, that 3014 is, IPN2 destination address is mapped to IP2. This allows the 3015 client to connect to a server by connecting to the IPN2. NAT B does 3016 not necessarily need to be a static NAT, but the client needs to know 3017 how to connect to the server, and it can only do that if it somehow 3018 knows the outer address of the NAT B, that is, the IPN2 address. If 3019 NAT B is a static NAT, then its address can be configured to the 3020 client's configuration. Another option would be to find it using 3021 some other protocol (like DNS), but that is outside of scope of 3022 IKEv2. 3024 In this scenario, both the client and server are configured to use 3025 transport mode for the traffic originating from the client node and 3026 destined to the server. 3028 When the client starts creating the IKEv2 SA and Child SA for sending 3029 traffic to the server, it may have a triggering packet with source IP 3030 address of IP1, and a destination IP address of IPN2. Its Peer 3031 Authorization Database (PAD) and SPD needs to have a configuration 3032 matching those addresses (or wildcard entries covering them). 3033 Because this is transport mode, it uses exactly same addresses as the 3034 Traffic Selectors and outer IP address of the IKE packets. For 3035 transport mode, it MUST use exactly one IP address in the TSi and TSr 3036 payloads. It can have multiple Traffic Selectors if it has, for 3037 example, multiple port ranges that it wants to negotiate, but all TSi 3038 entries must use the IP1-IP1 range as the IP addresses, and all TSr 3039 entries must have the IPN2-IPN2 range as IP addresses. The first 3040 Traffic Selector of TSi and TSr SHOULD have very specific Traffic 3041 Selectors including protocol and port numbers, such as from the 3042 packet triggering the request. 3044 NAT A will then replace the source address of the IKE packet from IP1 3045 to IPN1, and NAT B will replace the destination address of the IKE 3046 packet from IPN2 to IP2, so when the packet arrives to the server it 3047 will still have the exactly same Traffic Selectors that were sent by 3048 the client, but the IP address of the IKE packet has been replaced by 3049 IPN1 and IP2. 3051 When the server receives this packet, it normally looks in the Peer 3052 Authorization Database (PAD) described in RFC 4301 [IPSECARCH] based 3053 on the ID and then searches the SPD based on the Traffic Selectors. 3054 Because IP1 does not really mean anything to the server (it is the 3055 address client has behind the NAT), it is useless to do a lookup 3056 based on that if transport mode is used. On the other hand, the 3057 server cannot know whether transport mode is allowed by its policy 3058 before it finds the matching SPD entry. 3060 In this case, the server should first check that the initiator 3061 requested transport mode, and then do address substitution on the 3062 Traffic Selectors. It needs to first store the old Traffic Selector 3063 IP addresses to be used later for the incremental checksum fixup (the 3064 IP address in the TSi can be stored as the original source address 3065 and the IP address in the TSr can be stored as the original 3066 destination address). After that, if the other end was detected as 3067 being behind a NAT, the server replaces the IP address in TSi 3068 payloads with the IP address obtained from the source address of the 3069 IKE packet received (that is, it replaces IP1 in TSi with IPN1). If 3070 the server's end was detected to be behind NAT, it replaces the IP 3071 address in the TSr payloads with the IP address obtained from the 3072 destination address of the IKE packet received (that is, it replaces 3073 IPN2 in TSr with IP2). 3075 After this address substitution, both the Traffic Selectors and the 3076 IKE UDP source/destination addresses look the same, and the server 3077 does SPD lookup based on those new Traffic Selectors. If an entry is 3078 found and it allows transport mode, then that entry is used. If an 3079 entry is found but it does not allow transport mode, then the server 3080 MAY undo the address substitution and redo the SPD lookup using the 3081 original Traffic Selectors. If the second lookup succeeds, the 3082 server will create an SA in tunnel mode using real Traffic Selectors 3083 sent by the other end. 3085 This address substitution in transport mode is needed because the SPD 3086 is looked up using the addresses that will be seen by the local host. 3088 This also will make sure the Security Association Database (SAD) 3089 entries for the tunnel exit checks and return packets is added using 3090 the addresses as seen by the local operating system stack. 3092 The most common case is that the server's SPD will contain wildcard 3093 entries matching any addresses, but this also allows making different 3094 SPD entries, for example, for different known NATs' outer addresses. 3096 After the SPD lookup, the server will do Traffic Selector narrowing 3097 based on the SPD entry it found. It will again use the already 3098 substituted Traffic Selectors, and it will thus send back Traffic 3099 Selectors having IPN1 and IP2 as their IP addresses; it can still 3100 narrow down the protocol number or port ranges used by the Traffic 3101 Selectors. The SAD entry created for the Child SA will have the 3102 addresses as seen by the server, namely IPN1 and IP2. 3104 When the client receives the server's response to the Child SA, it 3105 will do similar processing. If the transport mode SA was created, 3106 the client can store the original returned Traffic Selectors as 3107 original source and destination addresses. It will replace the IP 3108 addresses in the Traffic Selectors with the ones from the IP header 3109 of the IKE packet: it will replace IPN1 with IP1 and IP2 with IPN2. 3110 Then, it will use those Traffic Selectors when verifying the SA 3111 against sent Traffic Selectors, and when installing the SAD entry. 3113 A summary of the rules for NAT traversal in transport mode is: 3115 For the client proposing transport mode: 3117 - The TSi entries MUST have exactly one IP address, and that MUST 3118 match the source address of the IKE SA. 3120 - The TSr entries MUST have exactly one IP address, and that MUST 3121 match the destination address of the IKE SA. 3123 - The first TSi and TSr Traffic Selectors SHOULD have very specific 3124 Traffic Selectors including protocol and port numbers, such as 3125 from the packet triggering the request. 3127 - There MAY be multiple TSi and TSr entries. 3129 - If transport mode for the SA was selected (that is, if the server 3130 included USE_TRANSPORT_MODE notification in its response): 3132 - Store the original Traffic Selectors as the received source and 3133 destination address. 3135 - If the server is behind a NAT, substitute the IP address in the 3136 TSr entries with the remote address of the IKE SA. 3138 - If the client is behind a NAT, substitute the IP address in the 3139 TSi entries with the local address of the IKE SA. 3141 - Do address substitution before using those Traffic Selectors 3142 for anything other than storing original content of them. 3143 This includes verification that Traffic Selectors were narrowed 3144 correctly by the other end, creation of the SAD entry, and so on. 3146 For the responder, when transport mode is proposed by client: 3148 - Store the original Traffic Selector IP addresses as received source 3149 and destination address, in case undo address 3150 substitution is needed, to use as the "real source and destination 3151 address" specified by [UDPENCAPS], and for TCP/UDP checksum fixup. 3153 - If the client is behind a NAT, substitute the IP address in the 3154 TSi entries with the remote address of the IKE SA. 3156 - If the server is behind a NAT, substitute the IP address in the 3157 TSr entries with the local address of the IKE SA. 3159 - Do PAD and SPD lookup using the ID and substituted Traffic 3160 Selectors. 3162 - If no SPD entry was found, or if found SPD entry does not 3163 allow transport mode, undo the Traffic Selector substitutions. 3164 Do PAD and SPD lookup again using the ID and original Traffic 3165 Selectors, but also searching for tunnel mode SPD entry (that 3166 is, fall back to tunnel mode). 3168 - However, if a transport mode SPD entry was found, do normal 3169 traffic selection narrowing based on the substituted Traffic 3170 Selectors and SPD entry. Use the resulting Traffic Selectors when 3171 creating SAD entries, and when sending Traffic Selectors back to 3172 the client. 3174 2.24. Explicit Congestion Notification (ECN) 3176 When IPsec tunnels behave as originally specified in [IPSECARCH-OLD], 3177 ECN usage is not appropriate for the outer IP headers because tunnel 3178 decapsulation processing discards ECN congestion indications to the 3179 detriment of the network. ECN support for IPsec tunnels for IKEv1- 3180 based IPsec requires multiple operating modes and negotiation (see 3181 [ECN]). IKEv2 simplifies this situation by requiring that ECN be 3182 usable in the outer IP headers of all tunnel mode Child SAs created 3183 by IKEv2. Specifically, tunnel encapsulators and decapsulators for 3184 all tunnel mode SAs created by IKEv2 MUST support the ECN full- 3185 functionality option for tunnels specified in [ECN] and MUST 3186 implement the tunnel encapsulation and decapsulation processing 3187 specified in [IPSECARCH] to prevent discarding of ECN congestion 3188 indications. 3190 2.25. Exchange Collisions 3192 Because IKEv2 exchanges can be initiated by either peer, it is 3193 possible that two exchanges affecting the same SA partly overlap. 3195 This can lead to a situation where the SA state information is 3196 temporarily not synchronized, and a peer can receive a request that 3197 it cannot process in a normal fashion. 3199 Obviously, using a window size greater than 1 leads to more complex 3200 situations, especially if requests are processed out of order. This 3201 section concentrates on problems that can arise even with a window 3202 size of 1, and recommends solutions. 3204 A TEMPORARY_FAILURE notification SHOULD be sent when a peer receives 3205 a request that cannot be completed due to a temporary condition such 3206 as a rekeying operation. When a peer receives a TEMPORARY_FAILURE 3207 notification, it MUST NOT immediately retry the operation; it MUST 3208 wait so that the sender may complete whatever operation caused the 3209 temporary condition. The recipient MAY retry the request one or more 3210 times over a period of several minutes. If a peer continues to 3211 receive TEMPORARY_FAILURE on the same IKE SA after several minutes, 3212 it SHOULD conclude that the state information is out of sync and 3213 close the IKE SA. 3215 A CHILD_SA_NOT_FOUND notification SHOULD be sent when a peer receives 3216 a request to rekey a Child SA that does not exist. The SA that the 3217 initiator attempted to rekey is indicated by the SPI field in the 3218 Notify payload, which is copied from the SPI field in the REKEY_SA 3219 notification. A peer that receives a CHILD_SA_NOT_FOUND notification 3220 SHOULD silently delete the Child SA (if it still exists) and send a 3221 request to create a new Child SA from scratch (if the Child SA does 3222 not yet exist). 3224 2.25.1. Collisions while Rekeying or Closing Child SAs 3226 If a peer receives a request to rekey a Child SA that it is currently 3227 trying to close, it SHOULD reply with TEMPORARY_FAILURE. If a peer 3228 receives a request to rekey a Child SA that it is currently rekeying, 3229 it SHOULD reply as usual, and SHOULD prepare to close redundant SAs 3230 later based on the nonces (see Section 2.8.1). If a peer receives a 3231 request to rekey a Child SA that does not exist, it SHOULD reply with 3232 CHILD_SA_NOT_FOUND. 3234 If a peer receives a request to close a Child SA that it is currently 3235 trying to close, it SHOULD reply without a Delete payload (see 3236 Section 1.4.1). If a peer receives a request to close a Child SA 3237 that it is currently rekeying, it SHOULD reply as usual, with a 3238 Delete payload. If a peer receives a request to close a Child SA 3239 that does not exist, it SHOULD reply without a Delete payload. 3241 If a peer receives a request to rekey the IKE SA, and it is currently 3242 creating, rekeying, or closing a Child SA of that IKE SA, it SHOULD 3243 reply with TEMPORARY_FAILURE. 3245 2.25.2. Collisions while Rekeying or Closing IKE SAs 3247 If a peer receives a request to rekey an IKE SA that it is currently 3248 rekeying, it SHOULD reply as usual, and SHOULD prepare to close 3249 redundant SAs and move inherited Child SAs later based on the nonces 3250 (see Section 2.8.2). If a peer receives a request to rekey an IKE SA 3251 that it is currently trying to close, it SHOULD reply with 3252 TEMPORARY_FAILURE. 3254 If a peer receives a request to close an IKE SA that it is currently 3255 rekeying, it SHOULD reply as usual, and forget about its own rekeying 3256 request. If a peer receives a request to close an IKE SA that it is 3257 currently trying to close, it SHOULD reply as usual, and forget about 3258 its own close request. 3260 If a peer receives a request to create or rekey a Child SA when it is 3261 currently rekeying the IKE SA, it SHOULD reply with 3262 TEMPORARY_FAILURE. If a peer receives a request to delete a Child SA 3263 when it is currently rekeying the IKE SA, it SHOULD reply as usual, 3264 with a Delete payload. 3266 3. Header and Payload Formats 3268 In the tables in this section, some cryptographic primitives and 3269 configuration attributes are marked as "UNSPECIFIED". These are 3270 items for which there are no known specifications and therefore 3271 interoperability is currently impossible. A future specification may 3272 describe their use, but until such specification is made, 3273 implementations SHOULD NOT attempt to use items marked as 3274 "UNSPECIFIED" in implementations that are meant to be interoperable. 3276 3.1. The IKE Header 3278 IKE messages use UDP ports 500 and/or 4500, with one IKE message per 3279 UDP datagram. Information from the beginning of the packet through 3280 the UDP header is largely ignored except that the IP addresses and 3281 UDP ports from the headers are reversed and used for return packets. 3282 When sent on UDP port 500, IKE messages begin immediately following 3283 the UDP header. When sent on UDP port 4500, IKE messages have 3284 prepended four octets of zero. These four octets of zeros are not 3285 part of the IKE message and are not included in any of the length 3286 fields or checksums defined by IKE. Each IKE message begins with the 3287 IKE header, denoted HDR in this document. Following the header are 3288 one or more IKE payloads each identified by a "Next Payload" field in 3289 the preceding payload. Payloads are identified in the order in which 3290 they appear in an IKE message by looking in the "Next Payload" field 3291 in the IKE header, and subsequently according to the "Next Payload" 3292 field in the IKE payload itself until a "Next Payload" field of zero 3293 indicates that no payloads follow. If a payload of type "Encrypted" 3294 is found, that payload is decrypted and its contents parsed as 3295 additional payloads. An Encrypted payload MUST be the last payload 3296 in a packet and an Encrypted payload MUST NOT contain another 3297 Encrypted payload. 3299 The responder's SPI in the header identifies an instance of an IKE 3300 Security Association. It is therefore possible for a single instance 3301 of IKE to multiplex distinct sessions with multiple peers, including 3302 multiple sessions per peer. 3304 All multi-octet fields representing integers are laid out in big 3305 endian order (also known as "most significant byte first", or 3306 "network byte order"). 3308 The format of the IKE header is shown in Figure 4. 3310 1 2 3 3311 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3312 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3313 | IKE SA Initiator's SPI | 3314 | | 3315 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3316 | IKE SA Responder's SPI | 3317 | | 3318 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3319 | Next Payload | MjVer | MnVer | Exchange Type | Flags | 3320 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3321 | Message ID | 3322 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3323 | Length | 3324 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3326 Figure 4: IKE Header Format 3328 o Initiator's SPI (8 octets) - A value chosen by the initiator to 3329 identify a unique IKE Security Association. This value MUST NOT 3330 be zero. 3332 o Responder's SPI (8 octets) - A value chosen by the responder to 3333 identify a unique IKE Security Association. This value MUST be 3334 zero in the first message of an IKE initial exchange (including 3335 repeats of that message including a cookie). 3337 o Next Payload (1 octet) - Indicates the type of payload that 3338 immediately follows the header. The format and value of each 3339 payload are defined below. 3341 o Major Version (4 bits) - Indicates the major version of the IKE 3342 protocol in use. Implementations based on this version of IKE 3343 MUST set the major version to 2. Implementations based on 3344 previous versions of IKE and ISAKMP MUST set the major version to 3345 1. Implementations based on this document's version (version 2) 3346 of IKE MUST reject or ignore messages containing a version number 3347 greater than 2 with an INVALID_MAJOR_VERSION notification message 3348 as described in Section 2.5. 3350 o Minor Version (4 bits) - Indicates the minor version of the IKE 3351 protocol in use. Implementations based on this version of IKE 3352 MUST set the minor version to 0. They MUST ignore the minor 3353 version number of received messages. 3355 o Exchange Type (1 octet) - Indicates the type of exchange being 3356 used. This constrains the payloads sent in each message in an 3357 exchange. The values in the following table are only current as 3358 of the publication date of RFC 4306. Other values may have been 3359 added since then or will be added after the publication of this 3360 document. Readers should refer to [IKEV2IANA] for the latest 3361 values. 3363 Exchange Type Value 3364 ---------------------------------- 3365 IKE_SA_INIT 34 3366 IKE_AUTH 35 3367 CREATE_CHILD_SA 36 3368 INFORMATIONAL 37 3370 o Flags (1 octet) - Indicates specific options that are set for the 3371 message. Presence of options is indicated by the appropriate bit 3372 in the flags field being set. The bits are as follows: 3374 +-+-+-+-+-+-+-+-+ 3375 |X|X|R|V|I|X|X|X| 3376 +-+-+-+-+-+-+-+-+ 3378 In the description below, a bit being 'set' means its value is 3379 '1', while 'cleared' means its value is '0'. 'X' bits MUST be 3380 cleared when sending and MUST be ignored on receipt. 3382 * R (Response) - This bit indicates that this message is a 3383 response to a message containing the same Message ID. This bit 3384 MUST be cleared in all request messages and MUST be set in all 3385 responses. An IKE endpoint MUST NOT generate a response to a 3386 message that is marked as being a response (with one exception; 3387 see Section 2.21.2). 3389 * V (Version) - This bit indicates that the transmitter is 3390 capable of speaking a higher major version number of the 3391 protocol than the one indicated in the major version number 3392 field. Implementations of IKEv2 MUST clear this bit when 3393 sending and MUST ignore it in incoming messages. 3395 * I (Initiator) - This bit MUST be set in messages sent by the 3396 original initiator of the IKE SA and MUST be cleared in 3397 messages sent by the original responder. It is used by the 3398 recipient to determine which eight octets of the SPI were 3399 generated by the recipient. This bit changes to reflect who 3400 initiated the last rekey of the IKE SA. 3402 o Message ID (4 octets, unsigned integer) - Message identifier used 3403 to control retransmission of lost packets and matching of requests 3404 and responses. It is essential to the security of the protocol 3405 because it is used to prevent message replay attacks. See 3406 Sections 2.1 and 2.2. 3408 o Length (4 octets, unsigned integer) - Length of the total message 3409 (header + payloads) in octets. 3411 3.2. Generic Payload Header 3413 Each IKE payload defined in Sections 3.3 through 3.16 begins with a 3414 generic payload header, shown in Figure 5. Figures for each payload 3415 below will include the generic payload header, but for brevity, the 3416 description of each field will be omitted. 3418 1 2 3 3419 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3421 | Next Payload |C| RESERVED | Payload Length | 3422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3424 Figure 5: Generic Payload Header 3426 The Generic Payload Header fields are defined as follows: 3428 o Next Payload (1 octet) - Identifier for the payload type of the 3429 next payload in the message. If the current payload is the last 3430 in the message, then this field will be 0. This field provides a 3431 "chaining" capability whereby additional payloads can be added to 3432 a message by appending each one to the end of the message and 3433 setting the "Next Payload" field of the preceding payload to 3434 indicate the new payload's type. An Encrypted payload, which must 3435 always be the last payload of a message, is an exception. It 3436 contains data structures in the format of additional payloads. In 3437 the header of an Encrypted payload, the Next Payload field is set 3438 to the payload type of the first contained payload (instead of 0); 3439 conversely, the Next Payload field of the last contained payload 3440 is set to zero. The payload type values are listed here. The 3441 values in the following table are only current as of the 3442 publication date of RFC 4306. Other values may have been added 3443 since then or will be added after the publication of this 3444 document. Readers should refer to [IKEV2IANA] for the latest 3445 values. 3447 Next Payload Type Notation Value 3448 -------------------------------------------------- 3449 No Next Payload 0 3450 Security Association SA 33 3451 Key Exchange KE 34 3452 Identification - Initiator IDi 35 3453 Identification - Responder IDr 36 3454 Certificate CERT 37 3455 Certificate Request CERTREQ 38 3456 Authentication AUTH 39 3457 Nonce Ni, Nr 40 3458 Notify N 41 3459 Delete D 42 3460 Vendor ID V 43 3461 Traffic Selector - Initiator TSi 44 3462 Traffic Selector - Responder TSr 45 3463 Encrypted and Authenticated SK 46 3464 Configuration CP 47 3465 Extensible Authentication EAP 48 3467 (Payload type values 1-32 should not be assigned in the 3468 future so that there is no overlap with the code assignments 3469 for IKEv1.) 3471 o Critical (1 bit) - MUST be set to zero if the sender wants the 3472 recipient to skip this payload if it does not understand the 3473 payload type code in the Next Payload field of the previous 3474 payload. MUST be set to one if the sender wants the recipient to 3475 reject this entire message if it does not understand the payload 3476 type. MUST be ignored by the recipient if the recipient 3477 understands the payload type code. MUST be set to zero for 3478 payload types defined in this document. Note that the critical 3479 bit applies to the current payload rather than the "next" payload 3480 whose type code appears in the first octet. The reasoning behind 3481 not setting the critical bit for payloads defined in this document 3482 is that all implementations MUST understand all payload types 3483 defined in this document and therefore must ignore the critical 3484 bit's value. Skipped payloads are expected to have valid Next 3485 Payload and Payload Length fields. See Section 2.5 for more 3486 information on this bit. 3488 o RESERVED (7 bits) - MUST be sent as zero; MUST be ignored on 3489 receipt. 3491 o Payload Length (2 octets, unsigned integer) - Length in octets of 3492 the current payload, including the generic payload header. 3494 Many payloads contain fields marked as "RESERVED". Some payloads in 3495 IKEv2 (and historically in IKEv1) are not aligned to 4-octet 3496 boundaries. 3498 3.3. Security Association Payload 3500 The Security Association payload, denoted SA in this document, is 3501 used to negotiate attributes of a Security Association. Assembly of 3502 Security Association payloads requires great peace of mind. An SA 3503 payload MAY contain multiple proposals. If there is more than one, 3504 they MUST be ordered from most preferred to least preferred. Each 3505 proposal contains a single IPsec protocol (where a protocol is IKE, 3506 ESP, or AH), each protocol MAY contain multiple transforms, and each 3507 transform MAY contain multiple attributes. When parsing an SA, an 3508 implementation MUST check that the total Payload Length is consistent 3509 with the payload's internal lengths and counts. Proposals, 3510 Transforms, and Attributes each have their own variable-length 3511 encodings. They are nested such that the Payload Length of an SA 3512 includes the combined contents of the SA, Proposal, Transform, and 3513 Attribute information. The length of a Proposal includes the lengths 3514 of all Transforms and Attributes it contains. The length of a 3515 Transform includes the lengths of all Attributes it contains. 3517 The syntax of Security Associations, Proposals, Transforms, and 3518 Attributes is based on ISAKMP; however, the semantics are somewhat 3519 different. The reason for the complexity and the hierarchy is to 3520 allow for multiple possible combinations of algorithms to be encoded 3521 in a single SA. Sometimes there is a choice of multiple algorithms, 3522 whereas other times there is a combination of algorithms. For 3523 example, an initiator might want to propose using ESP with either 3524 (3DES and HMAC_MD5) or (AES and HMAC_SHA1). 3526 One of the reasons the semantics of the SA payload have changed from 3527 ISAKMP and IKEv1 is to make the encodings more compact in common 3528 cases. 3530 The Proposal structure contains within it a Proposal Num and an IPsec 3531 protocol ID. Each structure MUST have a proposal number one (1) 3532 greater than the previous structure. The first Proposal in the 3533 initiator's SA payload MUST have a Proposal Num of one (1). One 3534 reason to use multiple proposals is to propose both standard crypto 3535 ciphers and combined-mode ciphers. Combined-mode ciphers include 3536 both integrity and encryption in a single encryption algorithm, and 3537 MUST either offer no integrity algorithm or a single integrity 3538 algorithm of "none", with no integrity algorithm being the 3539 RECOMMENDED method. If an initiator wants to propose both combined- 3540 mode ciphers and normal ciphers, it must include two proposals: one 3541 will have all the combined-mode ciphers, and the other will have all 3542 the normal ciphers with the integrity algorithms. For example, one 3543 such proposal would have two proposal structures. Proposal 1 is ESP 3544 with AES-128, AES-192, and AES-256 bits in Cipher Block Chaining 3545 (CBC) mode, with either HMAC-SHA1-96 or XCBC-96 as the integrity 3546 algorithm; Proposal 2 is AES-128 or AES-256 in GCM mode with an 3547 8-octet Integrity Check Value (ICV). Both proposals allow but do not 3548 require the use of ESNs (Extended Sequence Numbers). This can be 3549 illustrated as: 3551 SA Payload 3552 | 3553 +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4, 3554 | | 7 transforms, SPI = 0x052357bb ) 3555 | | 3556 | +-- Transform ENCR ( Name = ENCR_AES_CBC ) 3557 | | +-- Attribute ( Key Length = 128 ) 3558 | | 3559 | +-- Transform ENCR ( Name = ENCR_AES_CBC ) 3560 | | +-- Attribute ( Key Length = 192 ) 3561 | | 3562 | +-- Transform ENCR ( Name = ENCR_AES_CBC ) 3563 | | +-- Attribute ( Key Length = 256 ) 3564 | | 3565 | +-- Transform INTEG ( Name = AUTH_HMAC_SHA1_96 ) 3566 | +-- Transform INTEG ( Name = AUTH_AES_XCBC_96 ) 3567 | +-- Transform ESN ( Name = ESNs ) 3568 | +-- Transform ESN ( Name = No ESNs ) 3569 | 3570 +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4, 3571 | 4 transforms, SPI = 0x35a1d6f2 ) 3572 | 3573 +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV ) 3574 | +-- Attribute ( Key Length = 128 ) 3575 | 3576 +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV ) 3577 | +-- Attribute ( Key Length = 256 ) 3578 | 3579 +-- Transform ESN ( Name = ESNs ) 3580 +-- Transform ESN ( Name = No ESNs ) 3582 Each Proposal/Protocol structure is followed by one or more transform 3583 structures. The number of different transforms is generally 3584 determined by the Protocol. AH generally has two transforms: 3585 Extended Sequence Numbers (ESNs) and an integrity check algorithm. 3586 ESP generally has three: ESN, an encryption algorithm, and an 3587 integrity check algorithm. IKE generally has four transforms: a 3588 Diffie-Hellman group, an integrity check algorithm, a PRF algorithm, 3589 and an encryption algorithm. For each Protocol, the set of 3590 permissible transforms is assigned Transform ID numbers, which appear 3591 in the header of each transform. 3593 If there are multiple transforms with the same Transform Type, the 3594 proposal is an OR of those transforms. If there are multiple 3595 transforms with different Transform Types, the proposal is an AND of 3596 the different groups. For example, to propose ESP with (3DES or AES- 3597 CBC) and (HMAC_MD5 or HMAC_SHA), the ESP proposal would contain two 3598 Transform Type 1 candidates (one for 3DES and one for AEC-CBC) and 3599 two Transform Type 3 candidates (one for HMAC_MD5 and one for 3600 HMAC_SHA). This effectively proposes four combinations of 3601 algorithms. If the initiator wanted to propose only a subset of 3602 those, for example (3DES and HMAC_MD5) or (IDEA and HMAC_SHA), there 3603 is no way to encode that as multiple transforms within a single 3604 Proposal. Instead, the initiator would have to construct two 3605 different Proposals, each with two transforms. 3607 A given transform MAY have one or more Attributes. Attributes are 3608 necessary when the transform can be used in more than one way, as 3609 when an encryption algorithm has a variable key size. The transform 3610 would specify the algorithm and the attribute would specify the key 3611 size. Most transforms do not have attributes. A transform MUST NOT 3612 have multiple attributes of the same type. To propose alternate 3613 values for an attribute (for example, multiple key sizes for the AES 3614 encryption algorithm), an implementation MUST include multiple 3615 transforms with the same Transform Type each with a single Attribute. 3617 Note that the semantics of Transforms and Attributes are quite 3618 different from those in IKEv1. In IKEv1, a single Transform carried 3619 multiple algorithms for a protocol with one carried in the Transform 3620 and the others carried in the Attributes. 3622 1 2 3 3623 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3624 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3625 | Next Payload |C| RESERVED | Payload Length | 3626 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3627 | | 3628 ~ ~ 3629 | | 3630 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3632 Figure 6: Security Association Payload 3634 o Proposals (variable) - One or more proposal substructures. 3636 The payload type for the Security Association payload is thirty-three 3637 (33). 3639 3.3.1. Proposal Substructure 3641 1 2 3 3642 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3643 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3644 | Last Substruc | RESERVED | Proposal Length | 3645 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3646 | Proposal Num | Protocol ID | SPI Size |Num Transforms| 3647 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3648 ~ SPI (variable) ~ 3649 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3650 | | 3651 ~ ~ 3652 | | 3653 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3655 Figure 7: Proposal Substructure 3657 o Last Substruc (1 octet) - Specifies whether or not this is the 3658 last Proposal Substructure in the SA. This field has a value of 0 3659 if this was last Proposal Substructure, and a value of 2 if there 3660 are more Proposal Substructures. This syntax is inherited from 3661 ISAKMP, but is unnecessary because the last Proposal could be 3662 identified from the length of the SA. The value (2) corresponds 3663 to a payload type of Proposal in IKEv1, and the first four octets 3664 of the Proposal structure are designed to look somewhat like the 3665 header of a payload. 3667 o RESERVED (1 octet) - MUST be sent as zero; MUST be ignored on 3668 receipt. 3670 o Proposal Length (2 octets, unsigned integer) - Length of this 3671 proposal, including all transforms and attributes that follow. 3673 o Proposal Num (1 octet) - When a proposal is made, the first 3674 proposal in an SA payload MUST be 1, and subsequent proposals MUST 3675 be one more than the previous proposal (indicating an OR of the 3676 two proposals). When a proposal is accepted, the proposal number 3677 in the SA payload MUST match the number on the proposal sent that 3678 was accepted. 3680 o Protocol ID (1 octet) - Specifies the IPsec protocol identifier 3681 for the current negotiation. The values in the following table 3682 are only current as of the publication date of RFC 4306. Other 3683 values may have been added since then or will be added after the 3684 publication of this document. Readers should refer to [IKEV2IANA] 3685 for the latest values. 3687 Protocol Protocol ID 3688 ----------------------------------- 3689 IKE 1 3690 AH 2 3691 ESP 3 3693 o SPI Size (1 octet) - For an initial IKE SA negotiation, this field 3694 MUST be zero; the SPI is obtained from the outer header. During 3695 subsequent negotiations, it is equal to the size, in octets, of 3696 the SPI of the corresponding protocol (8 for IKE, 4 for ESP and 3697 AH). 3699 o Num Transforms (1 octet) - Specifies the number of transforms in 3700 this proposal. 3702 o SPI (variable) - The sending entity's SPI. Even if the SPI Size 3703 is not a multiple of 4 octets, there is no padding applied to the 3704 payload. When the SPI Size field is zero, this field is not 3705 present in the Security Association payload. 3707 o Transforms (variable) - One or more transform substructures. 3709 3.3.2. Transform Substructure 3711 1 2 3 3712 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3713 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3714 | Last Substruc | RESERVED | Transform Length | 3715 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3716 |Transform Type | RESERVED | Transform ID | 3717 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3718 | | 3719 ~ Transform Attributes ~ 3720 | | 3721 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3723 Figure 8: Transform Substructure 3725 o Last Substruc (1 octet) - Specifies whether or not this is the 3726 last Transform Substructure in the Proposal. This field has a 3727 value of 0 if this was last Transform Substructure, and a value of 3728 3 if there are more Transform Substructures. This syntax is 3729 inherited from ISAKMP, but is unnecessary because the last 3730 transform could be identified from the length of the proposal. 3731 The value (3) corresponds to a payload type of Transform in IKEv1, 3732 and the first four octets of the Transform structure are designed 3733 to look somewhat like the header of a payload. 3735 o RESERVED - MUST be sent as zero; MUST be ignored on receipt. 3737 o Transform Length - The length (in octets) of the Transform 3738 Substructure including Header and Attributes. 3740 o Transform Type (1 octet) - The type of transform being specified 3741 in this transform. Different protocols support different 3742 Transform Types. For some protocols, some of the transforms may 3743 be optional. If a transform is optional and the initiator wishes 3744 to propose that the transform be omitted, no transform of the 3745 given type is included in the proposal. If the initiator wishes 3746 to make use of the transform optional to the responder, it 3747 includes a transform substructure with Transform ID = 0 as one of 3748 the options. 3750 o Transform ID (2 octets) - The specific instance of the Transform 3751 Type being proposed. 3753 The Transform Type values are listed below. The values in the 3754 following table are only current as of the publication date of RFC 3755 4306. Other values may have been added since then or will be added 3756 after the publication of this document. Readers should refer to 3757 [IKEV2IANA] for the latest values. 3759 Description Trans. Used In 3760 Type 3761 ------------------------------------------------------------------ 3762 Encryption Algorithm (ENCR) 1 IKE and ESP 3763 Pseudorandom Function (PRF) 2 IKE 3764 Integrity Algorithm (INTEG) 3 IKE*, AH, optional in ESP 3765 Diffie-Hellman group (D-H) 4 IKE, optional in AH & ESP 3766 Extended Sequence Numbers (ESN) 5 AH and ESP 3768 (*) Negotiating an integrity algorithm is mandatory for the 3769 Encrypted payload format specified in this document. For example, 3770 [AEAD] specifies additional formats based on authenticated 3771 encryption, in which a separate integrity algorithm is not 3772 negotiated. 3774 For Transform Type 1 (Encryption Algorithm), the Transform IDs are 3775 listed below. The values in the following table are only current as 3776 of the publication date of RFC 4306. Other values may have been 3777 added since then or will be added after the publication of this 3778 document. Readers should refer to [IKEV2IANA] for the latest values. 3780 Name Number Defined In 3781 --------------------------------------------------- 3782 ENCR_DES_IV64 1 (UNSPECIFIED) 3783 ENCR_DES 2 (RFC2405), [DES] 3784 ENCR_3DES 3 (RFC2451) 3785 ENCR_RC5 4 (RFC2451) 3786 ENCR_IDEA 5 (RFC2451), [IDEA] 3787 ENCR_CAST 6 (RFC2451) 3788 ENCR_BLOWFISH 7 (RFC2451) 3789 ENCR_3IDEA 8 (UNSPECIFIED) 3790 ENCR_DES_IV32 9 (UNSPECIFIED) 3791 ENCR_NULL 11 (RFC2410) 3792 ENCR_AES_CBC 12 (RFC3602) 3793 ENCR_AES_CTR 13 (RFC3686) 3795 For Transform Type 2 (Pseudorandom Function), the Transform IDs are 3796 listed below. The values in the following table are only current as 3797 of the publication date of RFC 4306. Other values may have been 3798 added since then or will be added after the publication of this 3799 document. Readers should refer to [IKEV2IANA] for the latest values. 3801 Name Number Defined In 3802 ------------------------------------------------------ 3803 PRF_HMAC_MD5 1 (RFC2104), [MD5] 3804 PRF_HMAC_SHA1 2 (RFC2104), [SHA] 3805 PRF_HMAC_TIGER 3 (UNSPECIFIED) 3807 For Transform Type 3 (Integrity Algorithm), defined Transform IDs are 3808 listed below. The values in the following table are only current as 3809 of the publication date of RFC 4306. Other values may have been 3810 added since then or will be added after the publication of this 3811 document. Readers should refer to [IKEV2IANA] for the latest values. 3813 Name Number Defined In 3814 ---------------------------------------- 3815 NONE 0 3816 AUTH_HMAC_MD5_96 1 (RFC2403) 3817 AUTH_HMAC_SHA1_96 2 (RFC2404) 3818 AUTH_DES_MAC 3 (UNSPECIFIED) 3819 AUTH_KPDK_MD5 4 (UNSPECIFIED) 3820 AUTH_AES_XCBC_96 5 (RFC3566) 3822 For Transform Type 4 (Diffie-Hellman group), defined Transform IDs 3823 are listed below. The values in the following table are only current 3824 as of the publication date of RFC 4306. Other values may have been 3825 added since then or will be added after the publication of this 3826 document. Readers should refer to [IKEV2IANA] for the latest values. 3828 Name Number Defined In 3829 ---------------------------------------- 3830 NONE 0 3831 768-bit MODP 1 Appendix B 3832 1024-bit MODP 2 Appendix B 3833 1536-bit MODP 5 [ADDGROUP] 3834 2048-bit MODP 14 [ADDGROUP] 3835 3072-bit MODP 15 [ADDGROUP] 3836 4096-bit MODP 16 [ADDGROUP] 3837 6144-bit MODP 17 [ADDGROUP] 3838 8192-bit MODP 18 [ADDGROUP] 3840 Although ESP and AH do not directly include a Diffie-Hellman 3841 exchange, a Diffie-Hellman group MAY be negotiated for the Child SA. 3842 This allows the peers to employ Diffie-Hellman in the CREATE_CHILD_SA 3843 exchange, providing perfect forward secrecy for the generated Child 3844 SA keys. 3846 Note, that MODP Diffie-Hellman groups listed above does not need any 3847 special validity tests to be performed, but other types of groups 3848 (ECP and MODP groups with small subgroups) need to have some 3849 additional tests to be performed on them to use them securely. See 3850 "Additional Diffie-Hellman Tests for IKEv2" ([RFC6989]) for more 3851 information. 3853 For Transform Type 5 (Extended Sequence Numbers), defined Transform 3854 IDs are listed below. The values in the following table are only 3855 current as of the publication date of RFC 4306. Other values may 3856 have been added since then or will be added after the publication of 3857 this document. Readers should refer to [IKEV2IANA] for the latest 3858 values. 3860 Name Number 3861 -------------------------------------------- 3862 No Extended Sequence Numbers 0 3863 Extended Sequence Numbers 1 3865 Note that an initiator who supports ESNs will usually include two ESN 3866 transforms, with values "0" and "1", in its proposals. A proposal 3867 containing a single ESN transform with value "1" means that using 3868 normal (non-extended) sequence numbers is not acceptable. 3870 Numerous additional Transform Types have been defined since the 3871 publication of RFC 4306. Please refer to the IANA IKEv2 registry for 3872 details. 3874 3.3.3. Valid Transform Types by Protocol 3876 The number and type of transforms that accompany an SA payload are 3877 dependent on the protocol in the SA itself. An SA payload proposing 3878 the establishment of an SA has the following mandatory and optional 3879 Transform Types. A compliant implementation MUST understand all 3880 mandatory and optional types for each protocol it supports (though it 3881 need not accept proposals with unacceptable suites). A proposal MAY 3882 omit the optional types if the only value for them it will accept is 3883 NONE. 3885 Protocol Mandatory Types Optional Types 3886 --------------------------------------------------- 3887 IKE ENCR, PRF, INTEG*, D-H 3888 ESP ENCR, ESN INTEG, D-H 3889 AH INTEG, ESN D-H 3891 (*) Negotiating an integrity algorithm is mandatory for the 3892 Encrypted payload format specified in this document. For example, 3893 [AEAD] specifies additional formats based on authenticated 3894 encryption, in which a separate integrity algorithm is not 3895 negotiated. 3897 3.3.4. Mandatory Transform IDs 3899 The specification of suites that MUST and SHOULD be supported for 3900 interoperability has been removed from this document because they are 3901 likely to change more rapidly than this document evolves. At the 3902 time of publication of this document, [RFC4307] specifies these 3903 suites, but note that it might be updated in the future, and other 3904 RFCs might specify different sets of suites. 3906 An important lesson learned from IKEv1 is that no system should only 3907 implement the mandatory algorithms and expect them to be the best 3908 choice for all customers. 3910 It is likely that IANA will add additional transforms in the future, 3911 and some users may want to use private suites, especially for IKE 3912 where implementations should be capable of supporting different 3913 parameters, up to certain size limits. In support of this goal, all 3914 implementations of IKEv2 SHOULD include a management facility that 3915 allows specification (by a user or system administrator) of Diffie- 3916 Hellman parameters (the generator, modulus, and exponent lengths and 3917 values) for new Diffie-Hellman groups. Implementations SHOULD 3918 provide a management interface through which these parameters and the 3919 associated Transform IDs may be entered (by a user or system 3920 administrator), to enable negotiating such groups. 3922 All implementations of IKEv2 MUST include a management facility that 3923 enables a user or system administrator to specify the suites that are 3924 acceptable for use with IKE. Upon receipt of a payload with a set of 3925 Transform IDs, the implementation MUST compare the transmitted 3926 Transform IDs against those locally configured via the management 3927 controls, to verify that the proposed suite is acceptable based on 3928 local policy. The implementation MUST reject SA proposals that are 3929 not authorized by these IKE suite controls. Note that cryptographic 3930 suites that MUST be implemented need not be configured as acceptable 3931 to local policy. 3933 3.3.5. Transform Attributes 3935 Each transform in a Security Association payload may include 3936 attributes that modify or complete the specification of the 3937 transform. The set of valid attributes depends on the transform. 3938 Currently, only a single attribute type is defined: the Key Length 3939 attribute is used by certain encryption transforms with variable- 3940 length keys (see below for details). 3942 The attributes are type/value pairs and are defined below. 3943 Attributes can have a value with a fixed two-octet length or a 3944 variable-length value. For the latter, the attribute is encoded as 3945 type/length/value. 3947 1 2 3 3948 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3949 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3950 |A| Attribute Type | AF=0 Attribute Length | 3951 |F| | AF=1 Attribute Value | 3952 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3953 | AF=0 Attribute Value | 3954 | AF=1 Not Transmitted | 3955 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3957 Figure 9: Data Attributes 3959 o Attribute Format (AF) (1 bit) - Indicates whether the data 3960 attribute follows the Type/Length/Value (TLV) format or a 3961 shortened Type/Value (TV) format. If the AF bit is zero (0), then 3962 the attribute uses TLV format; if the AF bit is one (1), the TV 3963 format (with two-byte value) is used. 3965 o Attribute Type (15 bits) - Unique identifier for each type of 3966 attribute (see below). 3968 o Attribute Value (variable length) - Value of the attribute 3969 associated with the attribute type. If the AF bit is a zero (0), 3970 this field has a variable length defined by the Attribute Length 3971 field. If the AF bit is a one (1), the Attribute Value has a 3972 length of 2 octets. 3974 The only currently defined attribute type (Key Length) is fixed 3975 length; the variable-length encoding specification is included only 3976 for future extensions. Attributes described as fixed length MUST NOT 3977 be encoded using the variable-length encoding unless that length 3978 exceeds two bytes. Variable-length attributes MUST NOT be encoded as 3979 fixed-length even if their value can fit into two octets. Note: This 3980 is a change from IKEv1, where increased flexibility may have 3981 simplified the composer of messages but certainly complicated the 3982 parser. 3984 The values in the following table are only current as of the 3985 publication date of RFC 4306. Other values may have been added since 3986 then or will be added after the publication of this document. 3987 Readers should refer to [IKEV2IANA] for the latest values. 3989 Attribute Type Value Attribute Format 3990 ------------------------------------------------------------ 3991 Key Length (in bits) 14 TV 3993 Values 0-13 and 15-17 were used in a similar context in IKEv1, and 3994 should not be assigned except to matching values. 3996 The Key Length attribute specifies the key length in bits (MUST use 3997 network byte order) for certain transforms as follows: 3999 o The Key Length attribute MUST NOT be used with transforms that use 4000 a fixed-length key. For example, this includes ENCR_DES, 4001 ENCR_IDEA, and all the Type 2 (Pseudorandom function) and Type 3 4002 (Integrity Algorithm) transforms specified in this document. It 4003 is recommended that future Type 2 or 3 transforms do not use this 4004 attribute. 4006 o Some transforms specify that the Key Length attribute MUST be 4007 always included (omitting the attribute is not allowed, and 4008 proposals not containing it MUST be rejected). For example, this 4009 includes ENCR_AES_CBC and ENCR_AES_CTR. 4011 o Some transforms allow variable-length keys, but also specify a 4012 default key length if the attribute is not included. For example, 4013 these transforms include ENCR_RC5 and ENCR_BLOWFISH. 4015 Implementation note: To further interoperability and to support 4016 upgrading endpoints independently, implementers of this protocol 4017 SHOULD accept values that they deem to supply greater security. For 4018 instance, if a peer is configured to accept a variable-length cipher 4019 with a key length of X bits and is offered that cipher with a larger 4020 key length, the implementation SHOULD accept the offer if it supports 4021 use of the longer key. 4023 Support for this capability allows a responder to express a concept 4024 of "at least" a certain level of security -- "a key length of _at 4025 least_ X bits for cipher Y". However, as the attribute is always 4026 returned unchanged (see the next section), an initiator willing to 4027 accept multiple key lengths has to include multiple transforms with 4028 the same Transform Type, each with a different Key Length attribute. 4030 3.3.6. Attribute Negotiation 4032 During Security Association negotiation initiators present offers to 4033 responders. Responders MUST select a single complete set of 4034 parameters from the offers (or reject all offers if none are 4035 acceptable). If there are multiple proposals, the responder MUST 4036 choose a single proposal. If the selected proposal has multiple 4037 transforms with the same type, the responder MUST choose a single 4038 one. Any attributes of a selected transform MUST be returned 4039 unmodified. The initiator of an exchange MUST check that the 4040 accepted offer is consistent with one of its proposals, and if not 4041 MUST terminate the exchange. 4043 If the responder receives a proposal that contains a Transform Type 4044 it does not understand, or a proposal that is missing a mandatory 4045 Transform Type, it MUST consider this proposal unacceptable; however, 4046 other proposals in the same SA payload are processed as usual. 4047 Similarly, if the responder receives a transform that it does not 4048 understand, or one that contains a Transform Attribute it does not 4049 understand, it MUST consider this transform unacceptable; other 4050 transforms with the same Transform Type are processed as usual. This 4051 allows new Transform Types and Transform Attributes to be defined in 4052 the future. 4054 Negotiating Diffie-Hellman groups presents some special challenges. 4055 SA offers include proposed attributes and a Diffie-Hellman public 4056 number (KE) in the same message. If in the initial exchange the 4057 initiator offers to use one of several Diffie-Hellman groups, it 4058 SHOULD pick the one the responder is most likely to accept and 4059 include a KE corresponding to that group. If the responder selects a 4060 proposal using a different Diffie-Hellman group (other than NONE), 4061 the responder will indicate the correct group in the response and the 4062 initiator SHOULD pick an element of that group for its KE value when 4063 retrying the first message. It SHOULD, however, continue to propose 4064 its full supported set of groups in order to prevent a man-in-the- 4065 middle downgrade attack. If one of the proposals offered is for the 4066 Diffie-Hellman group of NONE, and the responder selects that Diffie- 4067 Hellman group, then it MUST ignore the initiator's KE payload and 4068 omit the KE payload from the response. 4070 3.4. Key Exchange Payload 4072 The Key Exchange payload, denoted KE in this document, is used to 4073 exchange Diffie-Hellman public numbers as part of a Diffie-Hellman 4074 key exchange. The Key Exchange payload consists of the IKE generic 4075 payload header followed by the Diffie-Hellman public value itself. 4077 1 2 3 4078 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4079 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4080 | Next Payload |C| RESERVED | Payload Length | 4081 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4082 | Diffie-Hellman Group Num | RESERVED | 4083 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4084 | | 4085 ~ Key Exchange Data ~ 4086 | | 4087 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4089 Figure 10: Key Exchange Payload Format 4091 A Key Exchange payload is constructed by copying one's Diffie-Hellman 4092 public value into the "Key Exchange Data" portion of the payload. 4093 The length of the Diffie-Hellman public value for modular 4094 exponentiation group (MODP) groups MUST be equal to the length of the 4095 prime modulus over which the exponentiation was performed, prepending 4096 zero bits to the value if necessary. 4098 The Diffie-Hellman Group Num identifies the Diffie-Hellman group in 4099 which the Key Exchange Data was computed (see Section 3.3.2). This 4100 Diffie-Hellman Group Num MUST match a Diffie-Hellman group specified 4101 in a proposal in the SA payload that is sent in the same message, and 4102 SHOULD match the Diffie-Hellman group in the first group in the first 4103 proposal, if such exists. If none of the proposals in that SA 4104 payload specifies a Diffie-Hellman group, the KE payload MUST NOT be 4105 present. If the selected proposal uses a different Diffie-Hellman 4106 group (other than NONE), the message MUST be rejected with a Notify 4107 payload of type INVALID_KE_PAYLOAD. See also Sections 1.2 and 2.7. 4109 The payload type for the Key Exchange payload is thirty-four (34). 4111 3.5. Identification Payloads 4113 The Identification payloads, denoted IDi and IDr in this document, 4114 allow peers to assert an identity to one another. This identity may 4115 be used for policy lookup, but does not necessarily have to match 4116 anything in the CERT payload; both fields may be used by an 4117 implementation to perform access control decisions. When using the 4118 ID_IPV4_ADDR/ID_IPV6_ADDR identity types in IDi/IDr payloads, IKEv2 4119 does not require this address to match the address in the IP header 4120 of IKEv2 packets, or anything in the TSi/TSr payloads. The contents 4121 of IDi/IDr are used purely to fetch the policy and authentication 4122 data related to the other party. 4124 NOTE: In IKEv1, two ID payloads were used in each direction to hold 4125 Traffic Selector (TS) information for data passing over the SA. In 4126 IKEv2, this information is carried in TS payloads (see Section 3.13). 4128 The Peer Authorization Database (PAD) as described in RFC 4301 4129 [IPSECARCH] describes the use of the ID payload in IKEv2 and provides 4130 a formal model for the binding of identity to policy in addition to 4131 providing services that deal more specifically with the details of 4132 policy enforcement. The PAD is intended to provide a link between 4133 the SPD and the IKE Security Association management. See Section 4134 4.4.3 of RFC 4301 for more details. 4136 The Identification payload consists of the IKE generic payload header 4137 followed by identification fields as follows: 4139 1 2 3 4140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4142 | Next Payload |C| RESERVED | Payload Length | 4143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4144 | ID Type | RESERVED | 4145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4146 | | 4147 ~ Identification Data ~ 4148 | | 4149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4151 Figure 11: Identification Payload Format 4153 o ID Type (1 octet) - Specifies the type of Identification being 4154 used. 4156 o RESERVED - MUST be sent as zero; MUST be ignored on receipt. 4158 o Identification Data (variable length) - Value, as indicated by the 4159 Identification Type. The length of the Identification Data is 4160 computed from the size in the ID payload header. 4162 The payload types for the Identification payload are thirty-five (35) 4163 for IDi and thirty-six (36) for IDr. 4165 The following table lists the assigned semantics for the 4166 Identification Type field. The values in the following table are 4167 only current as of the publication date of RFC 4306. Other values 4168 may have been added since then or will be added after the publication 4169 of this document. Readers should refer to [IKEV2IANA] for the latest 4170 values. 4172 ID Type Value 4173 ------------------------------------------------------------------- 4174 ID_IPV4_ADDR 1 4175 A single four (4) octet IPv4 address. 4177 ID_FQDN 2 4178 A fully-qualified domain name string. An example of an ID_FQDN 4179 is "example.com". The string MUST NOT contain any terminators 4180 (e.g., NULL, CR, etc.). All characters in the ID_FQDN are ASCII; 4181 for an "internationalized domain name", the syntax is as defined 4182 in [IDNA], for example "xn--tmonesimerkki-bfbb.example.net". 4184 ID_RFC822_ADDR 3 4185 A fully-qualified RFC 822 email address string. An example of a 4186 ID_RFC822_ADDR is "jsmith@example.com". The string MUST NOT 4187 contain any terminators. Because of [EAI], implementations would 4188 be wise to treat this field as UTF-8 encoded text, not as 4189 pure ASCII. 4191 ID_IPV6_ADDR 5 4192 A single sixteen (16) octet IPv6 address. 4194 ID_DER_ASN1_DN 9 4195 The binary Distinguished Encoding Rules (DER) encoding of an 4196 ASN.1 X.500 Distinguished Name [PKIX]. 4198 ID_DER_ASN1_GN 10 4199 The binary DER encoding of an ASN.1 X.509 GeneralName [PKIX]. 4201 ID_KEY_ID 11 4202 An opaque octet stream that may be used to pass vendor- 4203 specific information necessary to do certain proprietary 4204 types of identification. 4206 Two implementations will interoperate only if each can generate a 4207 type of ID acceptable to the other. To assure maximum 4208 interoperability, implementations MUST be configurable to send at 4209 least one of ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and 4210 MUST be configurable to accept all of these four types. 4211 Implementations SHOULD be capable of generating and accepting all of 4212 these types. IPv6-capable implementations MUST additionally be 4213 configurable to accept ID_IPV6_ADDR. IPv6-only implementations MAY 4214 be configurable to send only ID_IPV6_ADDR instead of ID_IPV4_ADDR for 4215 IP addresses. 4217 EAP [EAP] does not mandate the use of any particular type of 4218 identifier, but often EAP is used with Network Access Identifiers 4219 (NAIs) defined in [NAI]. Although NAIs look a bit like email 4220 addresses (e.g., "joe@example.com"), the syntax is not exactly the 4221 same as the syntax of email address in [MAILFORMAT]. For those NAIs 4222 that include the realm component, the ID_RFC822_ADDR identification 4223 type SHOULD be used. Responder implementations should not attempt to 4224 verify that the contents actually conform to the exact syntax given 4225 in [MAILFORMAT], but instead should accept any reasonable-looking 4226 NAI. For NAIs that do not include the realm component, the ID_KEY_ID 4227 identification type SHOULD be used. 4229 See "IPsec PKI Profile of IKEv1, IKEv2 and PKIX" ([RFC4945]) for more 4230 information about matching Identification payloads and the contents 4231 of the PKIX Certificates. 4233 3.6. Certificate Payload 4235 The Certificate payload, denoted CERT in this document, provides a 4236 means to transport certificates or other authentication-related 4237 information via IKE. Certificate payloads SHOULD be included in an 4238 exchange if certificates are available to the sender. The Hash and 4239 URL formats of the Certificate payloads should be used in case the 4240 peer has indicated an ability to retrieve this information from 4241 elsewhere using an HTTP_CERT_LOOKUP_SUPPORTED Notify payload. Note 4242 that the term "Certificate payload" is somewhat misleading, because 4243 not all authentication mechanisms use certificates and data other 4244 than certificates may be passed in this payload. 4246 The Certificate payload is defined as follows: 4248 1 2 3 4249 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4251 | Next Payload |C| RESERVED | Payload Length | 4252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4253 | Cert Encoding | | 4254 +-+-+-+-+-+-+-+-+ | 4255 ~ Certificate Data ~ 4256 | | 4257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4259 Figure 12: Certificate Payload Format 4261 o Certificate Encoding (1 octet) - This field indicates the type of 4262 certificate or certificate-related information contained in the 4263 Certificate Data field. The values in the following table are 4264 only current as of the publication date of RFC 4306. Other values 4265 may have been added since then or will be added after the 4266 publication of this document. Readers should refer to [IKEV2IANA] 4267 for the latest values. 4269 Certificate Encoding Value 4270 ---------------------------------------------------- 4271 PKCS #7 wrapped X.509 certificate 1 UNSPECIFIED 4272 PGP Certificate 2 UNSPECIFIED 4273 DNS Signed Key 3 UNSPECIFIED 4274 X.509 Certificate - Signature 4 4275 Kerberos Token 6 UNSPECIFIED 4276 Certificate Revocation List (CRL) 7 4277 Authority Revocation List (ARL) 8 UNSPECIFIED 4278 SPKI Certificate 9 UNSPECIFIED 4279 X.509 Certificate - Attribute 10 UNSPECIFIED 4280 Deprecated (Was Raw RSA Key) 11 DEPRECATED 4281 Hash and URL of X.509 certificate 12 4282 Hash and URL of X.509 bundle 13 4284 o Certificate Data (variable length) - Actual encoding of 4285 certificate data. The type of certificate is indicated by the 4286 Certificate Encoding field. 4288 The payload type for the Certificate payload is thirty-seven (37). 4290 Specific syntax for some of the certificate type codes above is not 4291 defined in this document. The types whose syntax is defined in this 4292 document are: 4294 o "X.509 Certificate - Signature" contains a DER-encoded X.509 4295 certificate whose public key is used to validate the sender's AUTH 4296 payload. Note that with this encoding, if a chain of certificates 4297 needs to be sent, multiple CERT payloads are used, only the first 4298 of which holds the public key used to validate the sender's AUTH 4299 payload. 4301 o "Certificate Revocation List" contains a DER-encoded X.509 4302 certificate revocation list. 4304 o Hash and URL encodings allow IKE messages to remain short by 4305 replacing long data structures with a 20-octet SHA-1 hash (see 4306 [SHA]) of the replaced value followed by a variable-length URL 4307 that resolves to the DER-encoded data structure itself. This 4308 improves efficiency when the endpoints have certificate data 4309 cached and makes IKE less subject to DoS attacks that become 4310 easier to mount when IKE messages are large enough to require IP 4311 fragmentation [DOSUDPPROT]. 4313 The "Hash and URL of a bundle" type uses the following ASN.1 4314 definition for the X.509 bundle: 4316 CertBundle 4317 { iso(1) identified-organization(3) dod(6) internet(1) 4318 security(5) mechanisms(5) pkix(7) id-mod(0) 4319 id-mod-cert-bundle(34) } 4321 DEFINITIONS EXPLICIT TAGS ::= 4322 BEGIN 4324 IMPORTS 4325 Certificate, CertificateList 4326 FROM PKIX1Explicit88 4327 { iso(1) identified-organization(3) dod(6) 4328 internet(1) security(5) mechanisms(5) pkix(7) 4329 id-mod(0) id-pkix1-explicit(18) } ; 4331 CertificateOrCRL ::= CHOICE { 4332 cert [0] Certificate, 4333 crl [1] CertificateList } 4335 CertificateBundle ::= SEQUENCE OF CertificateOrCRL 4337 END 4339 Implementations MUST be capable of being configured to send and 4340 accept up to four X.509 certificates in support of authentication, 4341 and also MUST be capable of being configured to send and accept the 4342 two Hash and URL formats (with HTTP URLs). If multiple certificates 4343 are sent, the first certificate MUST contain the public key 4344 associated with the private key used to sign the AUTH payload. The 4345 other certificates may be sent in any order. 4347 Implementations MUST support the HTTP [HTTP] method for hash-and-URL 4348 lookup. The behavior of other URL methods [URLS] is not currently 4349 specified, and such methods SHOULD NOT be used in the absence of a 4350 document specifying them. 4352 3.7. Certificate Request Payload 4354 The Certificate Request payload, denoted CERTREQ in this document, 4355 provides a means to request preferred certificates via IKE and can 4356 appear in the IKE_INIT_SA response and/or the IKE_AUTH request. 4357 Certificate Request payloads MAY be included in an exchange when the 4358 sender needs to get the certificate of the receiver. 4360 The Certificate Request payload is defined as follows: 4362 1 2 3 4363 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4364 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4365 | Next Payload |C| RESERVED | Payload Length | 4366 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4367 | Cert Encoding | | 4368 +-+-+-+-+-+-+-+-+ | 4369 ~ Certification Authority ~ 4370 | | 4371 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4373 Figure 13: Certificate Request Payload Format 4375 o Certificate Encoding (1 octet) - Contains an encoding of the type 4376 or format of certificate requested. Values are listed in 4377 Section 3.6. 4379 o Certification Authority (variable length) - Contains an encoding 4380 of an acceptable certification authority for the type of 4381 certificate requested. 4383 The payload type for the Certificate Request payload is thirty-eight 4384 (38). 4386 The Certificate Encoding field has the same values as those defined 4387 in Section 3.6. The Certification Authority field contains an 4388 indicator of trusted authorities for this certificate type. The 4389 Certification Authority value is a concatenated list of SHA-1 hashes 4390 of the public keys of trusted Certification Authorities (CAs). Each 4391 is encoded as the SHA-1 hash of the Subject Public Key Info element 4392 (see section 4.1.2.7 of [PKIX]) from each Trust Anchor certificate. 4393 The 20-octet hashes are concatenated and included with no other 4394 formatting. 4396 The contents of the "Certification Authority" field are defined only 4397 for X.509 certificates, which are types 4, 12, and 13. Other values 4398 SHOULD NOT be used until Standards-Track specifications that specify 4399 their use are published. 4401 Note that the term "Certificate Request" is somewhat misleading, in 4402 that values other than certificates are defined in a "Certificate" 4403 payload and requests for those values can be present in a Certificate 4404 Request payload. The syntax of the Certificate Request payload in 4405 such cases is not defined in this document. 4407 The Certificate Request payload is processed by inspecting the "Cert 4408 Encoding" field to determine whether the processor has any 4409 certificates of this type. If so, the "Certification Authority" 4410 field is inspected to determine if the processor has any certificates 4411 that can be validated up to one of the specified certification 4412 authorities. This can be a chain of certificates. 4414 If an end-entity certificate exists that satisfies the criteria 4415 specified in the CERTREQ, a certificate or certificate chain SHOULD 4416 be sent back to the certificate requestor if the recipient of the 4417 CERTREQ: 4419 o is configured to use certificate authentication, 4421 o is allowed to send a CERT payload, 4423 o has matching CA trust policy governing the current negotiation, 4424 and 4426 o has at least one time-wise and usage-appropriate end-entity 4427 certificate chaining to a CA provided in the CERTREQ. 4429 Certificate revocation checking must be considered during the 4430 chaining process used to select a certificate. Note that even if two 4431 peers are configured to use two different CAs, cross-certification 4432 relationships should be supported by appropriate selection logic. 4434 The intent is not to prevent communication through the strict 4435 adherence of selection of a certificate based on CERTREQ, when an 4436 alternate certificate could be selected by the sender that would 4437 still enable the recipient to successfully validate and trust it 4438 through trust conveyed by cross-certification, CRLs, or other out-of- 4439 band configured means. Thus, the processing of a CERTREQ should be 4440 seen as a suggestion for a certificate to select, not a mandated one. 4441 If no certificates exist, then the CERTREQ is ignored. This is not 4442 an error condition of the protocol. There may be cases where there 4443 is a preferred CA sent in the CERTREQ, but an alternate might be 4444 acceptable (perhaps after prompting a human operator). 4446 The HTTP_CERT_LOOKUP_SUPPORTED notification MAY be included in any 4447 message that can include a CERTREQ payload and indicates that the 4448 sender is capable of looking up certificates based on an HTTP-based 4449 URL (and hence presumably would prefer to receive certificate 4450 specifications in that format). 4452 3.8. Authentication Payload 4454 The Authentication payload, denoted AUTH in this document, contains 4455 data used for authentication purposes. The syntax of the 4456 Authentication data varies according to the Auth Method as specified 4457 below. 4459 The Authentication payload is defined as follows: 4461 1 2 3 4462 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4463 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4464 | Next Payload |C| RESERVED | Payload Length | 4465 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4466 | Auth Method | RESERVED | 4467 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4468 | | 4469 ~ Authentication Data ~ 4470 | | 4471 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4473 Figure 14: Authentication Payload Format 4475 o Auth Method (1 octet) - Specifies the method of authentication 4476 used. The types of signatures are listed here. The values in the 4477 following table are only current as of the publication date of RFC 4478 4306. Other values may have been added since then or will be 4479 added after the publication of this document. Readers should 4480 refer to [IKEV2IANA] for the latest values. 4482 Mechanism Value 4483 ----------------------------------------------------------------- 4484 RSA Digital Signature 1 4485 Computed as specified in Section 2.15 using an RSA private key 4486 with RSASSA-PKCS1-v1_5 signature scheme specified in [PKCS1] 4487 (implementers should note that IKEv1 used a different method for 4488 RSA signatures). To promote interoperability, implementations 4489 that support this type SHOULD support signatures that use SHA-1 4490 as the hash function and SHOULD use SHA-1 as the default hash 4491 function when generating signatures. Implementations can use the 4492 certificates received from a given peer as a hint for selecting a 4493 mutually understood hash function for the AUTH payload signature. 4494 Note, however, that the hash algorithm used in the AUTH payload 4495 signature doesn't have to be the same as any hash algorithm(s) 4496 used in the certificate(s). 4498 Shared Key Message Integrity Code 2 4499 Computed as specified in Section 2.15 using the shared key 4500 associated with the identity in the ID payload and the negotiated 4501 PRF. 4503 DSS Digital Signature 3 4504 Computed as specified in Section 2.15 using a DSS private key 4505 (see [DSS]) over a SHA-1 hash. 4507 o Authentication Data (variable length) - see Section 2.15. 4509 The payload type for the Authentication payload is thirty-nine (39). 4511 3.9. Nonce Payload 4513 The Nonce payload, denoted as Ni and Nr in this document for the 4514 initiator's and responder's nonce, respectively, contains random data 4515 used to guarantee liveness during an exchange and protect against 4516 replay attacks. 4518 The Nonce payload is defined as follows: 4520 1 2 3 4521 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4522 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4523 | Next Payload |C| RESERVED | Payload Length | 4524 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4525 | | 4526 ~ Nonce Data ~ 4527 | | 4528 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4529 Figure 15: Nonce Payload Format 4531 o Nonce Data (variable length) - Contains the random data generated 4532 by the transmitting entity. 4534 The payload type for the Nonce payload is forty (40). 4536 The size of the Nonce Data MUST be between 16 and 256 octets, 4537 inclusive. Nonce values MUST NOT be reused. 4539 3.10. Notify Payload 4541 The Notify payload, denoted N in this document, is used to transmit 4542 informational data, such as error conditions and state transitions, 4543 to an IKE peer. A Notify payload may appear in a response message 4544 (usually specifying why a request was rejected), in an INFORMATIONAL 4545 Exchange (to report an error not in an IKE request), or in any other 4546 message to indicate sender capabilities or to modify the meaning of 4547 the request. 4549 The Notify payload is defined as follows: 4551 1 2 3 4552 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4553 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4554 | Next Payload |C| RESERVED | Payload Length | 4555 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4556 | Protocol ID | SPI Size | Notify Message Type | 4557 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4558 | | 4559 ~ Security Parameter Index (SPI) ~ 4560 | | 4561 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4562 | | 4563 ~ Notification Data ~ 4564 | | 4565 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4567 Figure 16: Notify Payload Format 4569 o Protocol ID (1 octet) - If this notification concerns an existing 4570 SA whose SPI is given in the SPI field, this field indicates the 4571 type of that SA. For notifications concerning Child SAs, this 4572 field MUST contain either (2) to indicate AH or (3) to indicate 4573 ESP. Of the notifications defined in this document, the SPI is 4574 included only with INVALID_SELECTORS, REKEY_SA and 4575 CHILD_SA_NOT_FOUND. If the SPI field is empty, this field MUST be 4576 sent as zero and MUST be ignored on receipt. 4578 o SPI Size (1 octet) - Length in octets of the SPI as defined by the 4579 IPsec protocol ID or zero if no SPI is applicable. For a 4580 notification concerning the IKE SA, the SPI Size MUST be zero and 4581 the field must be empty. 4583 o Notify Message Type (2 octets) - Specifies the type of 4584 notification message. 4586 o SPI (variable length) - Security Parameter Index. 4588 o Notification Data (variable length) - Status or error data 4589 transmitted in addition to the Notify Message Type. Values for 4590 this field are type specific (see below). 4592 The payload type for the Notify payload is forty-one (41). 4594 3.10.1. Notify Message Types 4596 Notification information can be error messages specifying why an SA 4597 could not be established. It can also be status data that a process 4598 managing an SA database wishes to communicate with a peer process. 4599 The table below lists the Notification messages and their 4600 corresponding values. The number of different error statuses was 4601 greatly reduced from IKEv1 both for simplification and to avoid 4602 giving configuration information to probers. 4604 Types in the range 0 - 16383 are intended for reporting errors. An 4605 implementation receiving a Notify payload with one of these types 4606 that it does not recognize in a response MUST assume that the 4607 corresponding request has failed entirely. Unrecognized error types 4608 in a request and status types in a request or response MUST be 4609 ignored, and they should be logged. 4611 Notify payloads with status types MAY be added to any message and 4612 MUST be ignored if not recognized. They are intended to indicate 4613 capabilities, and as part of SA negotiation, are used to negotiate 4614 non-cryptographic parameters. 4616 More information on error handling can be found in Section 2.21. 4618 The values in the following table are only current as of the 4619 publication date of RFC 4306, plus two error types added in this 4620 document. Other values may have been added since then or will be 4621 added after the publication of this document. Readers should refer 4622 to [IKEV2IANA] for the latest values. 4624 NOTIFY messages: error types Value 4625 ------------------------------------------------------------------- 4626 UNSUPPORTED_CRITICAL_PAYLOAD 1 4627 See Section 2.5. 4629 INVALID_IKE_SPI 4 4630 See Section 2.21. 4632 INVALID_MAJOR_VERSION 5 4633 See Section 2.5. 4635 INVALID_SYNTAX 7 4636 Indicates the IKE message that was received was invalid because 4637 some type, length, or value was out of range or because the 4638 request was rejected for policy reasons. To avoid a DoS 4639 attack using forged messages, this status may only be 4640 returned for and in an encrypted packet if the Message ID and 4641 cryptographic checksum were valid. To avoid leaking information 4642 to someone probing a node, this status MUST be sent in response 4643 to any error not covered by one of the other status types. 4644 To aid debugging, more detailed error information should be 4645 written to a console or log. 4647 INVALID_MESSAGE_ID 9 4648 See Section 2.3. 4650 INVALID_SPI 11 4651 See Section 1.5. 4653 NO_PROPOSAL_CHOSEN 14 4654 None of the proposed crypto suites was acceptable. This can be 4655 sent in any case where the offered proposals (including but not 4656 limited to SA payload values, USE_TRANSPORT_MODE notify, 4657 IPCOMP_SUPPORTED notify) are not acceptable for the responder. 4658 This can also be used as "generic" Child SA error when Child SA 4659 cannot be created for some other reason. See also Section 2.7. 4661 INVALID_KE_PAYLOAD 17 4662 See Sections 1.2 and 1.3. 4664 AUTHENTICATION_FAILED 24 4665 Sent in the response to an IKE_AUTH message when, for some 4666 reason, the authentication failed. There is no associated 4667 data. See also Section 2.21.2. 4669 SINGLE_PAIR_REQUIRED 34 4670 See Section 2.9. 4672 NO_ADDITIONAL_SAS 35 4673 See Section 1.3. 4675 INTERNAL_ADDRESS_FAILURE 36 4676 See Section 3.15.4. 4678 FAILED_CP_REQUIRED 37 4679 See Section 2.19. 4681 TS_UNACCEPTABLE 38 4682 See Section 2.9. 4684 INVALID_SELECTORS 39 4685 MAY be sent in an IKE INFORMATIONAL exchange when a node receives 4686 an ESP or AH packet whose selectors do not match those of the SA 4687 on which it was delivered (and that caused the packet to be 4688 dropped). The Notification Data contains the start of the 4689 offending packet (as in ICMP messages) and the SPI field of the 4690 notification is set to match the SPI of the Child SA. 4692 TEMPORARY_FAILURE 43 4693 See section 2.25. 4695 CHILD_SA_NOT_FOUND 44 4696 See section 2.25. 4698 NOTIFY messages: status types Value 4699 ------------------------------------------------------------------- 4700 INITIAL_CONTACT 16384 4701 See Section 2.4. 4703 SET_WINDOW_SIZE 16385 4704 See Section 2.3. 4706 ADDITIONAL_TS_POSSIBLE 16386 4707 See Section 2.9. 4709 IPCOMP_SUPPORTED 16387 4710 See Section 2.22. 4712 NAT_DETECTION_SOURCE_IP 16388 4713 See Section 2.23. 4715 NAT_DETECTION_DESTINATION_IP 16389 4716 See Section 2.23. 4718 COOKIE 16390 4719 See Section 2.6. 4721 USE_TRANSPORT_MODE 16391 4722 See Section 1.3.1. 4724 HTTP_CERT_LOOKUP_SUPPORTED 16392 4725 See Section 3.6. 4727 REKEY_SA 16393 4728 See Section 1.3.3. 4730 ESP_TFC_PADDING_NOT_SUPPORTED 16394 4731 See Section 1.3.1. 4733 NON_FIRST_FRAGMENTS_ALSO 16395 4734 See Section 1.3.1. 4736 3.11. Delete Payload 4738 The Delete payload, denoted D in this document, contains a protocol- 4739 specific Security Association identifier that the sender has removed 4740 from its Security Association database and is, therefore, no longer 4741 valid. Figure 17 shows the format of the Delete payload. It is 4742 possible to send multiple SPIs in a Delete payload; however, each SPI 4743 MUST be for the same protocol. Mixing of protocol identifiers MUST 4744 NOT be performed in the Delete payload. It is permitted, however, to 4745 include multiple Delete payloads in a single INFORMATIONAL exchange 4746 where each Delete payload lists SPIs for a different protocol. 4748 Deletion of the IKE SA is indicated by a protocol ID of 1 (IKE) but 4749 no SPIs. Deletion of a Child SA, such as ESP or AH, will contain the 4750 IPsec protocol ID of that protocol (2 for AH, 3 for ESP), and the SPI 4751 is the SPI the sending endpoint would expect in inbound ESP or AH 4752 packets. 4754 The Delete payload is defined as follows: 4756 1 2 3 4757 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4758 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4759 | Next Payload |C| RESERVED | Payload Length | 4760 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4761 | Protocol ID | SPI Size | Num of SPIs | 4762 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4763 | | 4764 ~ Security Parameter Index(es) (SPI) ~ 4765 | | 4766 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4768 Figure 17: Delete Payload Format 4770 o Protocol ID (1 octet) - Must be 1 for an IKE SA, 2 for AH, or 3 4771 for ESP. 4773 o SPI Size (1 octet) - Length in octets of the SPI as defined by the 4774 protocol ID. It MUST be zero for IKE (SPI is in message header) 4775 or four for AH and ESP. 4777 o Num of SPIs (2 octets, unsigned integer) - The number of SPIs 4778 contained in the Delete payload. The size of each SPI is defined 4779 by the SPI Size field. 4781 o Security Parameter Index(es) (variable length) - Identifies the 4782 specific Security Association(s) to delete. The length of this 4783 field is determined by the SPI Size and Num of SPIs fields. 4785 The payload type for the Delete payload is forty-two (42). 4787 3.12. Vendor ID Payload 4789 The Vendor ID payload, denoted V in this document, contains a vendor- 4790 defined constant. The constant is used by vendors to identify and 4791 recognize remote instances of their implementations. This mechanism 4792 allows a vendor to experiment with new features while maintaining 4793 backward compatibility. 4795 A Vendor ID payload MAY announce that the sender is capable of 4796 accepting certain extensions to the protocol, or it MAY simply 4797 identify the implementation as an aid in debugging. A Vendor ID 4798 payload MUST NOT change the interpretation of any information defined 4799 in this specification (i.e., the critical bit MUST be set to 0). 4800 Multiple Vendor ID payloads MAY be sent. An implementation is not 4801 required to send any Vendor ID payload at all. 4803 A Vendor ID payload may be sent as part of any message. Reception of 4804 a familiar Vendor ID payload allows an implementation to make use of 4805 private use numbers described throughout this document, such as 4806 private payloads, private exchanges, private notifications, etc. 4807 Unfamiliar Vendor IDs MUST be ignored. 4809 Writers of documents who wish to extend this protocol MUST define a 4810 Vendor ID payload to announce the ability to implement the extension 4811 in the document. It is expected that documents that gain acceptance 4812 and are standardized will be given "magic numbers" out of the Future 4813 Use range by IANA, and the requirement to use a Vendor ID will go 4814 away. 4816 The Vendor ID payload fields are defined as follows: 4818 1 2 3 4819 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4820 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4821 | Next Payload |C| RESERVED | Payload Length | 4822 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4823 | | 4824 ~ Vendor ID (VID) ~ 4825 | | 4826 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4828 Figure 18: Vendor ID Payload Format 4830 o Vendor ID (variable length) - It is the responsibility of the 4831 person choosing the Vendor ID to assure its uniqueness in spite of 4832 the absence of any central registry for IDs. Good practice is to 4833 include a company name, a person name, or some such information. 4834 If you want to show off, you might include the latitude and 4835 longitude and time where you were when you chose the ID and some 4836 random input. A message digest of a long unique string is 4837 preferable to the long unique string itself. 4839 The payload type for the Vendor ID payload is forty-three (43). 4841 3.13. Traffic Selector Payload 4843 The Traffic Selector payload, denoted TS in this document, allows 4844 peers to identify packet flows for processing by IPsec security 4845 services. The Traffic Selector payload consists of the IKE generic 4846 payload header followed by individual Traffic Selectors as follows: 4848 1 2 3 4849 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4850 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4851 | Next Payload |C| RESERVED | Payload Length | 4852 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4853 | Number of TSs | RESERVED | 4854 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4855 | | 4856 ~ ~ 4857 | | 4858 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4860 Figure 19: Traffic Selectors Payload Format 4862 o Number of TSs (1 octet) - Number of Traffic Selectors being 4863 provided. 4865 o RESERVED - This field MUST be sent as zero and MUST be ignored on 4866 receipt. 4868 o Traffic Selectors (variable length) - One or more individual 4869 Traffic Selectors. 4871 The length of the Traffic Selector payload includes the TS header and 4872 all the Traffic Selectors. 4874 The payload type for the Traffic Selector payload is forty-four (44) 4875 for addresses at the initiator's end of the SA and forty-five (45) 4876 for addresses at the responder's end. 4878 There is no requirement that TSi and TSr contain the same number of 4879 individual Traffic Selectors. Thus, they are interpreted as follows: 4880 a packet matches a given TSi/TSr if it matches at least one of the 4881 individual selectors in TSi, and at least one of the individual 4882 selectors in TSr. 4884 For instance, the following Traffic Selectors: 4886 TSi = ((17, 100, 198.51.100.66-198.51.100.66), 4887 (17, 200, 198.51.100.66-198.51.100.66)) 4888 TSr = ((17, 300, 0.0.0.0-255.255.255.255), 4889 (17, 400, 0.0.0.0-255.255.255.255)) 4891 would match UDP packets from 198.51.100.66 to anywhere, with any of 4892 the four combinations of source/destination ports (100,300), 4893 (100,400), (200,300), and (200, 400). 4895 Thus, some types of policies may require several Child SA pairs. For 4896 instance, a policy matching only source/destination ports (100,300) 4897 and (200,400), but not the other two combinations, cannot be 4898 negotiated as a single Child SA pair. 4900 3.13.1. Traffic Selector 4902 1 2 3 4903 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 4904 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4905 | TS Type |IP Protocol ID*| Selector Length | 4906 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4907 | Start Port* | End Port* | 4908 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4909 | | 4910 ~ Starting Address* ~ 4911 | | 4912 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4913 | | 4914 ~ Ending Address* ~ 4915 | | 4916 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4918 Figure 20: Traffic Selector 4920 *Note: All fields other than TS Type and Selector Length depend on 4921 the TS Type. The fields shown are for TS Types 7 and 8, the only two 4922 values currently defined. 4924 o TS Type (one octet) - Specifies the type of Traffic Selector. 4926 o IP protocol ID (1 octet) - Value specifying an associated IP 4927 protocol ID (such as UDP, TCP, and ICMP). A value of zero means 4928 that the protocol ID is not relevant to this Traffic Selector -- 4929 the SA can carry all protocols. 4931 o Selector Length - Specifies the length of this Traffic Selector 4932 substructure including the header. 4934 o Start Port (2 octets, unsigned integer) - Value specifying the 4935 smallest port number allowed by this Traffic Selector. For 4936 protocols for which port is undefined (including protocol 0), or 4937 if all ports are allowed, this field MUST be zero. ICMP and 4938 ICMPv6 Type and Code values, as well as Mobile IP version 6 4939 (MIPv6) mobility header (MH) Type values, are represented in this 4940 field as specified in Section 4.4.1.1 of [IPSECARCH]. ICMP Type 4941 and Code values are treated as a single 16-bit integer port 4942 number, with Type in the most significant eight bits and Code in 4943 the least significant eight bits. MIPv6 MH Type values are 4944 treated as a single 16-bit integer port number, with Type in the 4945 most significant eight bits and the least significant eight bits 4946 set to zero. 4948 o End Port (2 octets, unsigned integer) - Value specifying the 4949 largest port number allowed by this Traffic Selector. For 4950 protocols for which port is undefined (including protocol 0), or 4951 if all ports are allowed, this field MUST be 65535. ICMP and 4952 ICMPv6 Type and Code values, as well as MIPv6 MH Type values, are 4953 represented in this field as specified in Section 4.4.1.1 of 4954 [IPSECARCH]. ICMP Type and Code values are treated as a single 4955 16-bit integer port number, with Type in the most significant 4956 eight bits and Code in the least significant eight bits. MIPv6 MH 4957 Type values are treated as a single 16-bit integer port number, 4958 with Type in the most significant eight bits and the least 4959 significant eight bits set to zero. 4961 o Starting Address - The smallest address included in this Traffic 4962 Selector (length determined by TS Type). 4964 o Ending Address - The largest address included in this Traffic 4965 Selector (length determined by TS Type). 4967 Systems that are complying with [IPSECARCH] that wish to indicate 4968 "ANY" ports MUST set the start port to 0 and the end port to 65535; 4969 note that according to [IPSECARCH], "ANY" includes "OPAQUE". Systems 4970 working with [IPSECARCH] that wish to indicate "OPAQUE" ports, but 4971 not "ANY" ports, MUST set the start port to 65535 and the end port to 4972 0. 4974 The Traffic Selector types 7 and 8 can also refer to ICMP or ICMPv6 4975 type and code fields, as well as MH Type fields for the IPv6 mobility 4976 header [MIPV6]. Note, however, that neither ICMP nor MIPv6 packets 4977 have separate source and destination fields. The method for 4978 specifying the Traffic Selectors for ICMP and MIPv6 is shown by 4979 example in Section 4.4.1.3 of [IPSECARCH]. 4981 The following table lists values for the Traffic Selector Type field 4982 and the corresponding Address Selector Data. The values in the 4983 following table are only current as of the publication date of RFC 4984 4306. Other values may have been added since then or will be added 4985 after the publication of this document. Readers should refer to 4986 [IKEV2IANA] for the latest values. 4988 TS Type Value 4989 ------------------------------------------------------------------- 4990 TS_IPV4_ADDR_RANGE 7 4992 A range of IPv4 addresses, represented by two four-octet 4993 values. The first value is the beginning IPv4 address 4994 (inclusive) and the second value is the ending IPv4 address 4995 (inclusive). All addresses falling between the two specified 4996 addresses are considered to be within the list. 4998 TS_IPV6_ADDR_RANGE 8 5000 A range of IPv6 addresses, represented by two sixteen-octet 5001 values. The first value is the beginning IPv6 address 5002 (inclusive) and the second value is the ending IPv6 address 5003 (inclusive). All addresses falling between the two specified 5004 addresses are considered to be within the list. 5006 3.14. Encrypted Payload 5008 The Encrypted payload, denoted SK{...} in this document, contains 5009 other payloads in encrypted form. The Encrypted payload, if present 5010 in a message, MUST be the last payload in the message. Often, it is 5011 the only payload in the message. This payload is also called the 5012 "Encrypted and Authenticated" payload. 5014 The algorithms for encryption and integrity protection are negotiated 5015 during IKE SA setup, and the keys are computed as specified in 5016 Sections 2.14 and 2.18. 5018 This document specifies the cryptographic processing of Encrypted 5019 payloads using a block cipher in CBC mode and an integrity check 5020 algorithm that computes a fixed-length checksum over a variable size 5021 message. The design is modeled after the ESP algorithms described in 5022 RFCs 2104 [HMAC], 4303 [ESP], and 2451 [ESPCBC]. This document 5023 completely specifies the cryptographic processing of IKE data, but 5024 those documents should be consulted for design rationale. Future 5025 documents may specify the processing of Encrypted payloads for other 5026 types of transforms, such as counter mode encryption and 5027 authenticated encryption algorithms. Peers MUST NOT negotiate 5028 transforms for which no such specification exists. 5030 When an authenticated encryption algorithm is used to protect the IKE 5031 SA, the construction of the Encrypted payload is different than what 5032 is described here. See [AEAD] for more information on authenticated 5033 encryption algorithms and their use in IKEv2. 5035 The payload type for an Encrypted payload is forty-six (46). The 5036 Encrypted payload consists of the IKE generic payload header followed 5037 by individual fields as follows: 5039 1 2 3 5040 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 5041 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5042 | Next Payload |C| RESERVED | Payload Length | 5043 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5044 | Initialization Vector | 5045 | (length is block size for encryption algorithm) | 5046 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5047 ~ Encrypted IKE Payloads ~ 5048 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5049 | | Padding (0-255 octets) | 5050 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ 5051 | | Pad Length | 5052 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5053 ~ Integrity Checksum Data ~ 5054 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5056 Figure 21: Encrypted Payload Format 5058 o Next Payload - The payload type of the first embedded payload. 5059 Note that this is an exception in the standard header format, 5060 since the Encrypted payload is the last payload in the message and 5061 therefore the Next Payload field would normally be zero. But 5062 because the content of this payload is embedded payloads and there 5063 was no natural place to put the type of the first one, that type 5064 is placed here. 5066 o Payload Length - Includes the lengths of the header, 5067 initialization vector (IV), Encrypted IKE payloads, Padding, Pad 5068 Length, and Integrity Checksum Data. 5070 o Initialization Vector - For CBC mode ciphers, the length of the 5071 initialization vector (IV) is equal to the block length of the 5072 underlying encryption algorithm. Senders MUST select a new 5073 unpredictable IV for every message; recipients MUST accept any 5074 value. The reader is encouraged to consult [MODES] for advice on 5075 IV generation. In particular, using the final ciphertext block of 5076 the previous message is not considered unpredictable. For modes 5077 other than CBC, the IV format and processing is specified in the 5078 document specifying the encryption algorithm and mode. 5080 o IKE payloads are as specified earlier in this section. This field 5081 is encrypted with the negotiated cipher. 5083 o Padding MAY contain any value chosen by the sender, and MUST have 5084 a length that makes the combination of the payloads, the Padding, 5085 and the Pad Length to be a multiple of the encryption block size. 5086 This field is encrypted with the negotiated cipher. 5088 o Pad Length is the length of the Padding field. The sender SHOULD 5089 set the Pad Length to the minimum value that makes the combination 5090 of the payloads, the Padding, and the Pad Length a multiple of the 5091 block size, but the recipient MUST accept any length that results 5092 in proper alignment. This field is encrypted with the negotiated 5093 cipher. 5095 o Integrity Checksum Data is the cryptographic checksum of the 5096 entire message starting with the Fixed IKE header through the Pad 5097 Length. The checksum MUST be computed over the encrypted message. 5098 Its length is determined by the integrity algorithm negotiated. 5100 3.15. Configuration Payload 5102 The Configuration payload, denoted CP in this document, is used to 5103 exchange configuration information between IKE peers. The exchange 5104 is for an IRAC to request an internal IP address from an IRAS and to 5105 exchange other information of the sort that one would acquire with 5106 Dynamic Host Configuration Protocol (DHCP) if the IRAC were directly 5107 connected to a LAN. 5109 The Configuration payload is defined as follows: 5111 1 2 3 5112 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 5113 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5114 | Next Payload |C| RESERVED | Payload Length | 5115 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5116 | CFG Type | RESERVED | 5117 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5118 | | 5119 ~ Configuration Attributes ~ 5120 | | 5121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5123 Figure 22: Configuration Payload Format 5125 The payload type for the Configuration payload is forty-seven (47). 5127 o CFG Type (1 octet) - The type of exchange represented by the 5128 Configuration Attributes. The values in the following table are 5129 only current as of the publication date of RFC 4306. Other values 5130 may have been added since then or will be added after the 5131 publication of this document. Readers should refer to [IKEV2IANA] 5132 for the latest values. 5134 CFG Type Value 5135 -------------------------- 5136 CFG_REQUEST 1 5137 CFG_REPLY 2 5138 CFG_SET 3 5139 CFG_ACK 4 5141 o RESERVED (3 octets) - MUST be sent as zero; MUST be ignored on 5142 receipt. 5144 o Configuration Attributes (variable length) - These are type length 5145 value (TLV) structures specific to the Configuration payload and 5146 are defined below. There may be zero or more Configuration 5147 Attributes in this payload. 5149 3.15.1. Configuration Attributes 5151 1 2 3 5152 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 5153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5154 |R| Attribute Type | Length | 5155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5156 | | 5157 ~ Value ~ 5158 | | 5159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5161 Figure 23: Configuration Attribute Format 5163 o Reserved (1 bit) - This bit MUST be set to zero and MUST be 5164 ignored on receipt. 5166 o Attribute Type (15 bits) - A unique identifier for each of the 5167 Configuration Attribute Types. 5169 o Length (2 octets, unsigned integer) - Length in octets of value. 5171 o Value (0 or more octets) - The variable-length value of this 5172 Configuration Attribute. The following lists the attribute types. 5174 The values in the following table are only current as of the 5175 publication date of RFC 4306 (except INTERNAL_ADDRESS_EXPIRY and 5176 INTERNAL_IP6_NBNS which were removed by this document). Other values 5177 may have been added since then or will be added after the publication 5178 of this document. Readers should refer to [IKEV2IANA] for the latest 5179 values. 5181 Attribute Type Value Multi-Valued Length 5182 ------------------------------------------------------------ 5183 INTERNAL_IP4_ADDRESS 1 YES* 0 or 4 octets 5184 INTERNAL_IP4_NETMASK 2 NO 0 or 4 octets 5185 INTERNAL_IP4_DNS 3 YES 0 or 4 octets 5186 INTERNAL_IP4_NBNS 4 YES 0 or 4 octets 5187 INTERNAL_IP4_DHCP 6 YES 0 or 4 octets 5188 APPLICATION_VERSION 7 NO 0 or more 5189 INTERNAL_IP6_ADDRESS 8 YES* 0 or 17 octets 5190 INTERNAL_IP6_DNS 10 YES 0 or 16 octets 5191 INTERNAL_IP6_DHCP 12 YES 0 or 16 octets 5192 INTERNAL_IP4_SUBNET 13 YES 0 or 8 octets 5193 SUPPORTED_ATTRIBUTES 14 NO Multiple of 2 5194 INTERNAL_IP6_SUBNET 15 YES 17 octets 5196 * These attributes may be multi-valued on return only if 5197 multiple values were requested. 5199 o INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS - An address on the 5200 internal network, sometimes called a red node address or private 5201 address, and it MAY be a private address on the Internet. In a 5202 request message, the address specified is a requested address (or 5203 a zero-length address if no specific address is requested). If a 5204 specific address is requested, it likely indicates that a previous 5205 connection existed with this address and the requestor would like 5206 to reuse that address. With IPv6, a requestor MAY supply the low- 5207 order address octets it wants to use. Multiple internal addresses 5208 MAY be requested by requesting multiple internal address 5209 attributes. The responder MAY only send up to the number of 5210 addresses requested. The INTERNAL_IP6_ADDRESS is made up of two 5211 fields: the first is a 16-octet IPv6 address, and the second is a 5212 one-octet prefix-length as defined in [ADDRIPV6]. The requested 5213 address is valid as long as this IKE SA (or its rekeyed 5214 successors) requesting the address is valid. This is described in 5215 more detail in Section 3.15.3. 5217 o INTERNAL_IP4_NETMASK - The internal network's netmask. Only one 5218 netmask is allowed in the request and response messages (e.g., 5219 255.255.255.0), and it MUST be used only with an 5220 INTERNAL_IP4_ADDRESS attribute. INTERNAL_IP4_NETMASK in a 5221 CFG_REPLY means roughly the same thing as INTERNAL_IP4_SUBNET 5222 containing the same information ("send traffic to these addresses 5223 through me"), but also implies a link boundary. For instance, the 5224 client could use its own address and the netmask to calculate the 5225 broadcast address of the link. An empty INTERNAL_IP4_NETMASK 5226 attribute can be included in a CFG_REQUEST to request this 5227 information (although the gateway can send the information even 5228 when not requested). Non-empty values for this attribute in a 5229 CFG_REQUEST do not make sense and thus MUST NOT be included. 5231 o INTERNAL_IP4_DNS, INTERNAL_IP6_DNS - Specifies an address of a DNS 5232 server within the network. Multiple DNS servers MAY be requested. 5233 The responder MAY respond with zero or more DNS server attributes. 5235 o INTERNAL_IP4_NBNS - Specifies an address of a NetBios Name Server 5236 (WINS) within the network. Multiple NBNS servers MAY be 5237 requested. The responder MAY respond with zero or more NBNS 5238 server attributes. 5240 o INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP - Instructs the host to send 5241 any internal DHCP requests to the address contained within the 5242 attribute. Multiple DHCP servers MAY be requested. The responder 5243 MAY respond with zero or more DHCP server attributes. 5245 o APPLICATION_VERSION - The version or application information of 5246 the IPsec host. This is a string of printable ASCII characters 5247 that is NOT null terminated. 5249 o INTERNAL_IP4_SUBNET - The protected sub-networks that this edge- 5250 device protects. This attribute is made up of two fields: the 5251 first being an IP address and the second being a netmask. 5252 Multiple sub-networks MAY be requested. The responder MAY respond 5253 with zero or more sub-network attributes. This is discussed in 5254 more detail in Section 3.15.2. 5256 o SUPPORTED_ATTRIBUTES - When used within a Request, this attribute 5257 MUST be zero-length and specifies a query to the responder to 5258 reply back with all of the attributes that it supports. The 5259 response contains an attribute that contains a set of attribute 5260 identifiers each in 2 octets. The length divided by 2 (octets) 5261 would state the number of supported attributes contained in the 5262 response. 5264 o INTERNAL_IP6_SUBNET - The protected sub-networks that this edge- 5265 device protects. This attribute is made up of two fields: the 5266 first is a 16-octet IPv6 address, and the second is a one-octet 5267 prefix-length as defined in [ADDRIPV6]. Multiple sub-networks MAY 5268 be requested. The responder MAY respond with zero or more sub- 5269 network attributes. This is discussed in more detail in 5270 Section 3.15.2. 5272 Note that no recommendations are made in this document as to how an 5273 implementation actually figures out what information to send in a 5274 response. That is, we do not recommend any specific method of an 5275 IRAS determining which DNS server should be returned to a requesting 5276 IRAC. 5278 The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request 5279 information from its peer. If an attribute in the CFG_REQUEST 5280 Configuration payload is not zero-length, it is taken as a suggestion 5281 for that attribute. The CFG_REPLY Configuration payload MAY return 5282 that value, or a new one. It MAY also add new attributes and not 5283 include some requested ones. Unrecognized or unsupported attributes 5284 MUST be ignored in both requests and responses. 5286 The CFG_SET and CFG_ACK pair allows an IKE endpoint to push 5287 configuration data to its peer. In this case, the CFG_SET 5288 Configuration payload contains attributes the initiator wants its 5289 peer to alter. The responder MUST return a Configuration payload if 5290 it accepted any of the configuration data and it MUST contain the 5291 attributes that the responder accepted with zero-length data. Those 5292 attributes that it did not accept MUST NOT be in the CFG_ACK 5293 Configuration payload. If no attributes were accepted, the responder 5294 MUST return either an empty CFG_ACK payload or a response message 5295 without a CFG_ACK payload. There are currently no defined uses for 5296 the CFG_SET/CFG_ACK exchange, though they may be used in connection 5297 with extensions based on Vendor IDs. An implementation of this 5298 specification MAY ignore CFG_SET payloads. 5300 3.15.2. Meaning of INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET 5302 INTERNAL_IP4/6_SUBNET attributes can indicate additional subnets, 5303 ones that need one or more separate SAs, that can be reached through 5304 the gateway that announces the attributes. INTERNAL_IP4/6_SUBNET 5305 attributes may also express the gateway's policy about what traffic 5306 should be sent through the gateway; the client can choose whether 5307 other traffic (covered by TSr, but not in INTERNAL_IP4/6_SUBNET) is 5308 sent through the gateway or directly to the destination. Thus, 5309 traffic to the addresses listed in the INTERNAL_IP4/6_SUBNET 5310 attributes should be sent through the gateway that announces the 5311 attributes. If there are no existing Child SAs whose Traffic 5312 Selectors cover the address in question, new SAs need to be created. 5314 For instance, if there are two subnets, 198.51.100.0/26 and 5315 192.0.2.0/24, and the client's request contains the following: 5317 CP(CFG_REQUEST) = 5318 INTERNAL_IP4_ADDRESS() 5319 TSi = (0, 0-65535, 0.0.0.0-255.255.255.255) 5320 TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) 5322 then a valid response could be the following (in which TSr and 5323 INTERNAL_IP4_SUBNET contain the same information): 5325 CP(CFG_REPLY) = 5326 INTERNAL_IP4_ADDRESS(198.51.100.234) 5327 INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192) 5328 INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0) 5329 TSi = (0, 0-65535, 198.51.100.234-198.51.100.234) 5330 TSr = ((0, 0-65535, 198.51.100.0-198.51.100.63), 5331 (0, 0-65535, 192.0.2.0-192.0.2.255)) 5333 In these cases, the INTERNAL_IP4_SUBNET does not really carry any 5334 useful information. 5336 A different possible response would have been this: 5338 CP(CFG_REPLY) = 5339 INTERNAL_IP4_ADDRESS(198.51.100.234) 5340 INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192) 5341 INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0) 5342 TSi = (0, 0-65535, 198.51.100.234-198.51.100.234) 5343 TSr = (0, 0-65535, 0.0.0.0-255.255.255.255) 5345 That response would mean that the client can send all its traffic 5346 through the gateway, but the gateway does not mind if the client 5347 sends traffic not included by INTERNAL_IP4_SUBNET directly to the 5348 destination (without going through the gateway). 5350 A different situation arises if the gateway has a policy that 5351 requires the traffic for the two subnets to be carried in separate 5352 SAs. Then a response like this would indicate to the client that if 5353 it wants access to the second subnet, it needs to create a separate 5354 SA: 5356 CP(CFG_REPLY) = 5357 INTERNAL_IP4_ADDRESS(198.51.100.234) 5358 INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192) 5359 INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0) 5360 TSi = (0, 0-65535, 198.51.100.234-198.51.100.234) 5361 TSr = (0, 0-65535, 198.51.100.0-198.51.100.63) 5363 INTERNAL_IP4_SUBNET can also be useful if the client's TSr included 5364 only part of the address space. For instance, if the client requests 5365 the following: 5367 CP(CFG_REQUEST) = 5368 INTERNAL_IP4_ADDRESS() 5369 TSi = (0, 0-65535, 0.0.0.0-255.255.255.255) 5370 TSr = (0, 0-65535, 192.0.2.155-192.0.2.155) 5372 then the gateway's response might be: 5374 CP(CFG_REPLY) = 5375 INTERNAL_IP4_ADDRESS(198.51.100.234) 5376 INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192) 5377 INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0) 5378 TSi = (0, 0-65535, 198.51.100.234-198.51.100.234) 5379 TSr = (0, 0-65535, 192.0.2.155-192.0.2.155) 5381 Because the meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET in 5382 CFG_REQUESTs is unclear, they cannot be used reliably in 5383 CFG_REQUESTs. 5385 3.15.3. Configuration Payloads for IPv6 5387 The Configuration payloads for IPv6 are based on the corresponding 5388 IPv4 payloads, and do not fully follow the "normal IPv6 way of doing 5389 things". In particular, IPv6 stateless autoconfiguration or router 5390 advertisement messages are not used, neither is neighbor discovery. 5391 Note that there is an additional document that discusses IPv6 5392 configuration in IKEv2, [IPV6CONFIG]. At the present time, it is an 5393 experimental document, but there is a hope that with more 5394 implementation experience, it will gain the same standards treatment 5395 as this document. 5397 A client can be assigned an IPv6 address using the 5398 INTERNAL_IP6_ADDRESS Configuration payload. A minimal exchange might 5399 look like this: 5401 CP(CFG_REQUEST) = 5402 INTERNAL_IP6_ADDRESS() 5403 INTERNAL_IP6_DNS() 5404 TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF) 5405 TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF) 5407 CP(CFG_REPLY) = 5408 INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64) 5409 INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44) 5410 TSi = (0, 0-65535, 2001:DB8:0:1:2:3:4:5 - 2001:DB8:0:1:2:3:4:5) 5411 TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF) 5413 The client MAY send a non-empty INTERNAL_IP6_ADDRESS attribute in the 5414 CFG_REQUEST to request a specific address or interface identifier. 5416 The gateway first checks if the specified address is acceptable, and 5417 if it is, returns that one. If the address was not acceptable, the 5418 gateway attempts to use the interface identifier with some other 5419 prefix; if even that fails, the gateway selects another interface 5420 identifier. 5422 The INTERNAL_IP6_ADDRESS attribute also contains a prefix length 5423 field. When used in a CFG_REPLY, this corresponds to the 5424 INTERNAL_IP4_NETMASK attribute in the IPv4 case. 5426 Although this approach to configuring IPv6 addresses is reasonably 5427 simple, it has some limitations. IPsec tunnels configured using 5428 IKEv2 are not fully featured "interfaces" in the IPv6 addressing 5429 architecture sense [ADDRIPV6]. In particular, they do not 5430 necessarily have link-local addresses, and this may complicate the 5431 use of protocols that assume them, such as [MLDV2]. 5433 3.15.4. Address Assignment Failures 5435 If the responder encounters an error while attempting to assign an IP 5436 address to the initiator during the processing of a Configuration 5437 payload, it responds with an INTERNAL_ADDRESS_FAILURE notification. 5438 The IKE SA is still created even if the initial Child SA cannot be 5439 created because of this failure. If this error is generated within 5440 an IKE_AUTH exchange, no Child SA will be created. However, there 5441 are some more complex error cases. 5443 If the responder does not support Configuration payloads at all, it 5444 can simply ignore all Configuration payloads. This type of 5445 implementation never sends INTERNAL_ADDRESS_FAILURE notifications. 5446 If the initiator requires the assignment of an IP address, it will 5447 treat a response without CFG_REPLY as an error. 5449 The initiator may request a particular type of address (IPv4 or IPv6) 5450 that the responder does not support, even though the responder 5451 supports Configuration payloads. In this case, the responder simply 5452 ignores the type of address it does not support and processes the 5453 rest of the request as usual. 5455 If the initiator requests multiple addresses of a type that the 5456 responder supports, and some (but not all) of the requests fail, the 5457 responder replies with the successful addresses only. The responder 5458 sends INTERNAL_ADDRESS_FAILURE only if no addresses can be assigned. 5460 If the initiator does not receive the IP address(es) required by its 5461 policy, it MAY keep the IKE SA up and retry the Configuration payload 5462 as separate INFORMATIONAL exchange after suitable timeout, or it MAY 5463 tear down the IKE SA by sending a Delete payload inside a separate 5464 INFORMATIONAL exchange and later retry IKE SA from the beginning 5465 after some timeout. Such a timeout should not be too short 5466 (especially if the IKE SA is started from the beginning) because 5467 these error situations may not be able to be fixed quickly; the 5468 timeout should likely be several minutes. For example, an address 5469 shortage problem on the responder will probably only be fixed when 5470 more entries are returned to the address pool when other clients 5471 disconnect or when responder is reconfigured with larger address 5472 pool. 5474 3.16. Extensible Authentication Protocol (EAP) Payload 5476 The Extensible Authentication Protocol payload, denoted EAP in this 5477 document, allows IKE SAs to be authenticated using the protocol 5478 defined in RFC 3748 [EAP] and subsequent extensions to that protocol. 5479 When using EAP, an appropriate EAP method needs to be selected. Many 5480 of these methods have been defined, specifying the protocol's use 5481 with various authentication mechanisms. EAP method types are listed 5482 in [EAP-IANA]. A short summary of the EAP format is included here 5483 for clarity. 5485 1 2 3 5486 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 5487 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5488 | Next Payload |C| RESERVED | Payload Length | 5489 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5490 | | 5491 ~ EAP Message ~ 5492 | | 5493 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5495 Figure 24: EAP Payload Format 5497 The payload type for an EAP payload is forty-eight (48). 5499 1 2 3 5500 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 5501 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5502 | Code | Identifier | Length | 5503 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5504 | Type | Type_Data... 5505 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 5507 Figure 25: EAP Message Format 5509 o Code (1 octet) indicates whether this message is a Request (1), 5510 Response (2), Success (3), or Failure (4). 5512 o Identifier (1 octet) is used in PPP to distinguish replayed 5513 messages from repeated ones. Since in IKE, EAP runs over a 5514 reliable protocol, it serves no function here. In a response 5515 message, this octet MUST be set to match the identifier in the 5516 corresponding request. 5518 o Length (2 octets, unsigned integer) is the length of the EAP 5519 message and MUST be four less than the Payload Length of the 5520 encapsulating payload. 5522 o Type (1 octet) is present only if the Code field is Request (1) or 5523 Response (2). For other codes, the EAP message length MUST be 5524 four octets and the Type and Type_Data fields MUST NOT be present. 5525 In a Request (1) message, Type indicates the data being requested. 5526 In a Response (2) message, Type MUST either be Nak or match the 5527 type of the data requested. Note that since IKE passes an 5528 indication of initiator identity in the first message in the 5529 IKE_AUTH exchange, the responder SHOULD NOT send EAP Identity 5530 requests (type 1). The initiator MAY, however, respond to such 5531 requests if it receives them. 5533 o Type_Data (Variable Length) varies with the Type of Request and 5534 the associated Response. For the documentation of the EAP 5535 methods, see [EAP]. 5537 Note that since IKE passes an indication of initiator identity in the 5538 first message in the IKE_AUTH exchange, the responder should not send 5539 EAP Identity requests. The initiator may, however, respond to such 5540 requests if it receives them. 5542 4. Conformance Requirements 5544 In order to assure that all implementations of IKEv2 can 5545 interoperate, there are "MUST support" requirements in addition to 5546 those listed elsewhere. Of course, IKEv2 is a security protocol, and 5547 one of its major functions is to allow only authorized parties to 5548 successfully complete establishment of SAs. So a particular 5549 implementation may be configured with any of a number of restrictions 5550 concerning algorithms and trusted authorities that will prevent 5551 universal interoperability. 5553 IKEv2 is designed to permit minimal implementations that can 5554 interoperate with all compliant implementations. The following are 5555 features that can be omitted in a minimal implementation: 5557 o Ability to negotiate SAs through a NAT and tunnel the resulting 5558 ESP SA over UDP. 5560 o Ability to request (and respond to a request for) a temporary IP 5561 address on the remote end of a tunnel. 5563 o Ability to support EAP-based authentication. 5565 o Ability to support window sizes greater than one. 5567 o Ability to establish multiple ESP or AH SAs within a single IKE 5568 SA. 5570 o Ability to rekey SAs. 5572 To assure interoperability, all implementations MUST be capable of 5573 parsing all payload types (if only to skip over them) and to ignore 5574 payload types that it does not support unless the critical bit is set 5575 in the payload header. If the critical bit is set in an unsupported 5576 payload header, all implementations MUST reject the messages 5577 containing those payloads. 5579 Every implementation MUST be capable of doing four-message 5580 IKE_SA_INIT and IKE_AUTH exchanges establishing two SAs (one for IKE, 5581 one for ESP or AH). Implementations MAY be initiate-only or respond- 5582 only if appropriate for their platform. Every implementation MUST be 5583 capable of responding to an INFORMATIONAL exchange, but a minimal 5584 implementation MAY respond to any request in the INFORMATIONAL 5585 exchange with an empty response (note that within the context of an 5586 IKE SA, an "empty" message consists of an IKE header followed by an 5587 Encrypted payload with no payloads contained in it). A minimal 5588 implementation MAY support the CREATE_CHILD_SA exchange only in so 5589 far as to recognize requests and reject them with a Notify payload of 5590 type NO_ADDITIONAL_SAS. A minimal implementation need not be able to 5591 initiate CREATE_CHILD_SA or INFORMATIONAL exchanges. When an SA 5592 expires (based on locally configured values of either lifetime or 5593 octets passed), and implementation MAY either try to renew it with a 5594 CREATE_CHILD_SA exchange or it MAY delete (close) the old SA and 5595 create a new one. If the responder rejects the CREATE_CHILD_SA 5596 request with a NO_ADDITIONAL_SAS notification, the implementation 5597 MUST be capable of instead deleting the old SA and creating a new 5598 one. 5600 Implementations are not required to support requesting temporary IP 5601 addresses or responding to such requests. If an implementation does 5602 support issuing such requests and its policy requires using temporary 5603 IP addresses, it MUST include a CP payload in the first message in 5604 the IKE_AUTH exchange containing at least a field of type 5605 INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS. All other fields are 5606 optional. If an implementation supports responding to such requests, 5607 it MUST parse the CP payload of type CFG_REQUEST in the first message 5608 in the IKE_AUTH exchange and recognize a field of type 5609 INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS. If it supports leasing 5610 an address of the appropriate type, it MUST return a CP payload of 5611 type CFG_REPLY containing an address of the requested type. The 5612 responder may include any other related attributes. 5614 For an implementation to be called conforming to this specification, 5615 it MUST be possible to configure it to accept the following: 5617 o Public Key Infrastructure using X.509 (PKIX) Certificates 5618 containing and signed by RSA keys of size 1024 or 2048 bits, where 5619 the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or 5620 ID_DER_ASN1_DN. 5622 o Shared key authentication where the ID passed is any of ID_KEY_ID, 5623 ID_FQDN, or ID_RFC822_ADDR. 5625 o Authentication where the responder is authenticated using PKIX 5626 Certificates and the initiator is authenticated using shared key 5627 authentication. 5629 5. Security Considerations 5631 While this protocol is designed to minimize disclosure of 5632 configuration information to unauthenticated peers, some such 5633 disclosure is unavoidable. One peer or the other must identify 5634 itself first and prove its identity first. To avoid probing, the 5635 initiator of an exchange is required to identify itself first, and 5636 usually is required to authenticate itself first. The initiator can, 5637 however, learn that the responder supports IKE and what cryptographic 5638 protocols it supports. The responder (or someone impersonating the 5639 responder) can probe the initiator not only for its identity, but 5640 using CERTREQ payloads may be able to determine what certificates the 5641 initiator is willing to use. 5643 Use of EAP authentication changes the probing possibilities somewhat. 5644 When EAP authentication is used, the responder proves its identity 5645 before the initiator does, so an initiator that knew the name of a 5646 valid initiator could probe the responder for both its name and 5647 certificates. 5649 Repeated rekeying using CREATE_CHILD_SA without additional Diffie- 5650 Hellman exchanges leaves all SAs vulnerable to cryptanalysis of a 5651 single key. Implementers should take note of this fact and set a 5652 limit on CREATE_CHILD_SA exchanges between exponentiations. This 5653 document does not prescribe such a limit. 5655 The strength of a key derived from a Diffie-Hellman exchange using 5656 any of the groups defined here depends on the inherent strength of 5657 the group, the size of the exponent used, and the entropy provided by 5658 the random number generator used. Due to these inputs, it is 5659 difficult to determine the strength of a key for any of the defined 5660 groups. Diffie-Hellman group number two, when used with a strong 5661 random number generator and an exponent no less than 200 bits, is 5662 common for use with 3DES. Group five provides greater security than 5663 group two. Group one is for historic purposes only and does not 5664 provide sufficient strength except for use with DES, which is also 5665 for historic use only. Implementations should make note of these 5666 estimates when establishing policy and negotiating security 5667 parameters. 5669 Note that these limitations are on the Diffie-Hellman groups 5670 themselves. There is nothing in IKE that prohibits using stronger 5671 groups nor is there anything that will dilute the strength obtained 5672 from stronger groups (limited by the strength of the other algorithms 5673 negotiated including the PRF). In fact, the extensible framework of 5674 IKE encourages the definition of more groups; use of elliptic curve 5675 groups may greatly increase strength using much smaller numbers. 5677 It is assumed that all Diffie-Hellman exponents are erased from 5678 memory after use. 5680 The IKE_SA_INIT and IKE_AUTH exchanges happen before the initiator 5681 has been authenticated. As a result, an implementation of this 5682 protocol needs to be completely robust when deployed on any insecure 5683 network. Implementation vulnerabilities, particularly DoS attacks, 5684 can be exploited by unauthenticated peers. This issue is 5685 particularly worrisome because of the unlimited number of messages in 5686 EAP-based authentication. 5688 The strength of all keys is limited by the size of the output of the 5689 negotiated PRF. For this reason, a PRF whose output is less than 128 5690 bits (e.g., 3DES-CBC) MUST NOT be used with this protocol. 5692 The security of this protocol is critically dependent on the 5693 randomness of the randomly chosen parameters. These should be 5694 generated by a strong random or properly seeded pseudorandom source 5695 (see [RANDOMNESS]). Implementers should take care to ensure that use 5696 of random numbers for both keys and nonces is engineered in a fashion 5697 that does not undermine the security of the keys. 5699 For information on the rationale of many of the cryptographic design 5700 choices in this protocol, see [SIGMA] and [SKEME]. Though the 5701 security of negotiated Child SAs does not depend on the strength of 5702 the encryption and integrity protection negotiated in the IKE SA, 5703 implementations MUST NOT negotiate NONE as the IKE integrity 5704 protection algorithm or ENCR_NULL as the IKE encryption algorithm. 5706 When using pre-shared keys, a critical consideration is how to assure 5707 the randomness of these secrets. The strongest practice is to ensure 5708 that any pre-shared key contain as much randomness as the strongest 5709 key being negotiated. Deriving a shared secret from a password, 5710 name, or other low-entropy source is not secure. These sources are 5711 subject to dictionary and social-engineering attacks, among others. 5713 The NAT_DETECTION_*_IP notifications contain a hash of the addresses 5714 and ports in an attempt to hide internal IP addresses behind a NAT. 5715 Since the IPv4 address space is only 32 bits, and it is usually very 5716 sparse, it would be possible for an attacker to find out the internal 5717 address used behind the NAT box by trying all possible IP addresses 5718 and trying to find the matching hash. The port numbers are normally 5719 fixed to 500, and the SPIs can be extracted from the packet. This 5720 reduces the number of hash calculations to 2^32. With an educated 5721 guess of the use of private address space, the number of hash 5722 calculations is much smaller. Designers should therefore not assume 5723 that use of IKE will not leak internal address information. 5725 When using an EAP authentication method that does not generate a 5726 shared key for protecting a subsequent AUTH payload, certain man-in- 5727 the-middle and server-impersonation attacks are possible [EAPMITM]. 5728 These vulnerabilities occur when EAP is also used in protocols that 5729 are not protected with a secure tunnel. Since EAP is a general- 5730 purpose authentication protocol, which is often used to provide 5731 single-signon facilities, a deployed IPsec solution that relies on an 5732 EAP authentication method that does not generate a shared key (also 5733 known as a non-key-generating EAP method) can become compromised due 5734 to the deployment of an entirely unrelated application that also 5735 happens to use the same non-key-generating EAP method, but in an 5736 unprotected fashion. Note that this vulnerability is not limited to 5737 just EAP, but can occur in other scenarios where an authentication 5738 infrastructure is reused. For example, if the EAP mechanism used by 5739 IKEv2 utilizes a token authenticator, a man-in-the-middle attacker 5740 could impersonate the web server, intercept the token authentication 5741 exchange, and use it to initiate an IKEv2 connection. For this 5742 reason, use of non-key-generating EAP methods SHOULD be avoided where 5743 possible. Where they are used, it is extremely important that all 5744 usages of these EAP methods SHOULD utilize a protected tunnel, where 5745 the initiator validates the responder's certificate before initiating 5746 the EAP authentication. Implementers should describe the 5747 vulnerabilities of using non-key-generating EAP methods in the 5748 documentation of their implementations so that the administrators 5749 deploying IPsec solutions are aware of these dangers. 5751 An implementation using EAP MUST also use a public-key-based 5752 authentication of the server to the client before the EAP 5753 authentication begins, even if the EAP method offers mutual 5754 authentication. This avoids having additional IKEv2 protocol 5755 variations and protects the EAP data from active attackers. 5757 If the messages of IKEv2 are long enough that IP-level fragmentation 5758 is necessary, it is possible that attackers could prevent the 5759 exchange from completing by exhausting the reassembly buffers. The 5760 chances of this can be minimized by using the Hash and URL encodings 5761 instead of sending certificates (see Section 3.6). Additional 5762 mitigations are discussed in [DOSUDPPROT]. 5764 Admission control is critical to the security of the protocol. For 5765 example, trust anchors used for identifying IKE peers should probably 5766 be different than those used for other forms of trust, such as those 5767 used to identify public web servers. Moreover, although IKE provides 5768 a great deal of leeway in defining the security policy for a trusted 5769 peer's identity, credentials, and the correlation between them, 5770 having such security policy defined explicitly is essential to a 5771 secure implementation. 5773 5.1. Traffic Selector Authorization 5775 IKEv2 relies on information in the Peer Authorization Database (PAD) 5776 when determining what kind of Child SAs a peer is allowed to create. 5777 This process is described in Section 4.4.3 of [IPSECARCH]. When a 5778 peer requests the creation of an Child SA with some Traffic 5779 Selectors, the PAD must contain "Child SA Authorization Data" linking 5780 the identity authenticated by IKEv2 and the addresses permitted for 5781 Traffic Selectors. 5783 For example, the PAD might be configured so that authenticated 5784 identity "sgw23.example.com" is allowed to create Child SAs for 5785 192.0.2.0/24, meaning this security gateway is a valid 5786 "representative" for these addresses. Host-to-host IPsec requires 5787 similar entries, linking, for example, "fooserver4.example.com" with 5788 198.51.100.66/32, meaning this identity is a valid "owner" or 5789 "representative" of the address in question. 5791 As noted in [IPSECARCH], "It is necessary to impose these constraints 5792 on creation of child SAs to prevent an authenticated peer from 5793 spoofing IDs associated with other, legitimate peers". In the 5794 example given above, a correct configuration of the PAD prevents 5795 sgw23 from creating Child SAs with address 198.51.100.66, and 5796 prevents fooserver4 from creating Child SAs with addresses from 5797 192.0.2.0/24. 5799 It is important to note that simply sending IKEv2 packets using some 5800 particular address does not imply a permission to create Child SAs 5801 with that address in the Traffic Selectors. For example, even if 5802 sgw23 would be able to spoof its IP address as 198.51.100.66, it 5803 could not create Child SAs matching fooserver4's traffic. 5805 The IKEv2 specification does not specify how exactly IP address 5806 assignment using Configuration payloads interacts with the PAD. Our 5807 interpretation is that when a security gateway assigns an address 5808 using Configuration payloads, it also creates a temporary PAD entry 5809 linking the authenticated peer identity and the newly allocated inner 5810 address. 5812 It has been recognized that configuring the PAD correctly may be 5813 difficult in some environments. For instance, if IPsec is used 5814 between a pair of hosts whose addresses are allocated dynamically 5815 using DHCP, it is extremely difficult to ensure that the PAD 5816 specifies the correct "owner" for each IP address. This would 5817 require a mechanism to securely convey address assignments from the 5818 DHCP server, and link them to identities authenticated using IKEv2. 5820 Due to this limitation, some vendors have been known to configure 5821 their PADs to allow an authenticated peer to create Child SAs with 5822 Traffic Selectors containing the same address that was used for the 5823 IKEv2 packets. In environments where IP spoofing is possible (i.e., 5824 almost everywhere) this essentially allows any peer to create Child 5825 SAs with any Traffic Selectors. This is not an appropriate or secure 5826 configuration in most circumstances. See [H2HIPSEC] for an extensive 5827 discussion about this issue, and the limitations of host-to-host 5828 IPsec in general. 5830 6. IANA Considerations 5832 [IKEV2] defined many field types and values. IANA has already 5833 registered those types and values in [IKEV2IANA], so they are not 5834 listed here again. 5836 One item has been deprecated from the IKEv2 Certificate Encodings 5837 table: "Raw RSA Key". 5839 IANA has updated all references to RFC 5996 to point to this 5840 document. 5842 7. Acknowledgements 5844 Many individuals in the IPsecME Working Group were very helpful in 5845 contributing ideas and text for this document, as well as in 5846 reviewing the clarifications suggested by others. 5848 The acknowledgements from the IKEv2 document were: 5850 This document is a collaborative effort of the entire IPsec WG. If 5851 there were no limit to the number of authors that could appear on an 5852 RFC, the following, in alphabetical order, would have been listed: 5853 Bill Aiello, Stephane Beaulieu, Steve Bellovin, Sara Bitan, Matt 5854 Blaze, Ran Canetti, Darren Dukes, Dan Harkins, Paul Hoffman, John 5855 Ioannidis, Charlie Kaufman, Steve Kent, Angelos Keromytis, Tero 5856 Kivinen, Hugo Krawczyk, Andrew Krywaniuk, Radia Perlman, Omer 5857 Reingold, and Michael Richardson. Many other people contributed to 5858 the design. It is an evolution of IKEv1, ISAKMP, and the IPsec DOI, 5859 each of which has its own list of authors. Hugh Daniel suggested the 5860 feature of having the initiator, in message 3, specify a name for the 5861 responder, and gave the feature the cute name "You Tarzan, Me Jane". 5862 David Faucher and Valery Smyslov helped refine the design of the 5863 Traffic Selector negotiation. 5865 8. References 5867 8.1. Normative References 5869 [ADDGROUP] 5870 Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 5871 Diffie-Hellman groups for Internet Key Exchange (IKE)", 5872 RFC 3526, May 2003. 5874 [ADDRIPV6] 5875 Hinden, R. and S. Deering, "IP Version 6 Addressing 5876 Architecture", RFC 4291, February 2006. 5878 [AEAD] Black, D. and D. McGrew, "Using Authenticated Encryption 5879 Algorithms with the Encrypted Payload of the Internet Key 5880 Exchange version 2 (IKEv2) Protocol", RFC 5282, 5881 August 2008. 5883 [AESCMACPRF128] 5884 Song, J., Poovendran, R., Lee, J., and T. Iwata, "The 5885 Advanced Encryption Standard-Cipher-based Message 5886 Authentication Code-Pseudo-Random Function-128 (AES-CMAC- 5887 PRF-128) Algorithm for the Internet Key Exchange Protocol 5888 (IKE)", RFC 4615, August 2006. 5890 [AESXCBCPRF128] 5891 Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the 5892 Internet Key Exchange Protocol (IKE)", RFC 4434, 5893 February 2006. 5895 [EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. 5896 Levkowetz, "Extensible Authentication Protocol (EAP)", 5897 RFC 3748, June 2004. 5899 [ECN] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 5900 of Explicit Congestion Notification (ECN) to IP", 5901 RFC 3168, September 2001. 5903 [ESPCBC] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher 5904 Algorithms", RFC 2451, November 1998. 5906 [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 5907 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 5908 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 5910 [IKEV2IANA] 5911 "Internet Key Exchange Version 2 (IKEv2) Parameters", . 5915 [IPSECARCH] 5916 Kent, S. and K. Seo, "Security Architecture for the 5917 Internet Protocol", RFC 4301, December 2005. 5919 [MUSTSHOULD] 5920 Bradner, S., "Key words for use in RFCs to Indicate 5921 Requirement Levels", BCP 14, RFC 2119, March 1997. 5923 [PKCS1] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 5924 Standards (PKCS) #1: RSA Cryptography Specifications 5925 Version 2.1", RFC 3447, February 2003. 5927 [PKIX] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 5928 Housley, R., and W. Polk, "Internet X.509 Public Key 5929 Infrastructure Certificate and Certificate Revocation List 5930 (CRL) Profile", RFC 5280, May 2008. 5932 [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the 5933 Internet Key Exchange Version 2 (IKEv2)", RFC 4307, 5934 December 2005. 5936 [UDPENCAPS] 5937 Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. 5938 Stenberg, "UDP Encapsulation of IPsec ESP Packets", 5939 RFC 3948, January 2005. 5941 [URLS] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 5942 Resource Identifier (URI): Generic Syntax", STD 66, 5943 RFC 3986, January 2005. 5945 8.2. Informative References 5947 [AH] Kent, S., "IP Authentication Header", RFC 4302, 5948 December 2005. 5950 [ARCHGUIDEPHIL] 5951 Bush, R. and D. Meyer, "Some Internet Architectural 5952 Guidelines and Philosophy", RFC 3439, December 2002. 5954 [ARCHPRINC] 5955 Carpenter, B., "Architectural Principles of the Internet", 5956 RFC 1958, June 1996. 5958 [Clarif] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and 5959 Implementation Guidelines", RFC 4718, October 2006. 5961 [DES] American National Standards Institute, "American National 5962 Standard for Information Systems-Data Link Encryption", 5963 ANSI X3.106, 1983. 5965 [DH] Diffie, W. and M. Hellman, "New Directions in 5966 Cryptography", IEEE Transactions on Information Theory, 5967 V.IT-22 n. 6, June 1977. 5969 [DIFFSERVARCH] 5970 Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 5971 and W. Weiss, "An Architecture for Differentiated 5972 Services", RFC 2475, December 1998. 5974 [DIFFSERVFIELD] 5975 Nichols, K., Blake, S., Baker, F., and D. Black, 5976 "Definition of the Differentiated Services Field (DS 5977 Field) in the IPv4 and IPv6 Headers", RFC 2474, 5978 December 1998. 5980 [DIFFTUNNEL] 5981 Black, D., "Differentiated Services and Tunnels", 5982 RFC 2983, October 2000. 5984 [DOI] Piper, D., "The Internet IP Security Domain of 5985 Interpretation for ISAKMP", RFC 2407, November 1998. 5987 [DOSUDPPROT] 5988 C. Kaufman, R. Perlman, and B. Sommerfeld, "DoS protection 5989 for UDP-based protocols", ACM Conference on Computer and 5990 Communications Security, October 2003. 5992 [DSS] National Institute of Standards and Technology, U.S. 5993 Department of Commerce, "Digital Signature Standard", 5994 Draft FIPS 186-3, June 2008. 5996 [EAI] Yang, A., Steele, S., and N. Freed, "Internationalized 5997 Email Headers", RFC 6532, February 2012. 5999 [EAP-IANA] 6000 "Extensible Authentication Protocol (EAP) Registry: Method 6001 Types", . 6003 [EAPMITM] N. Asokan, V. Nierni, and K. Nyberg, "Man-in-the-Middle in 6004 Tunneled Authentication Protocols", November 2002, 6005 . 6007 [ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", 6008 RFC 4303, December 2005. 6010 [EXCHANGEANALYSIS] 6011 R. Perlman and C. Kaufman, "Analysis of the IPsec key 6012 exchange Standard", WET-ICE Security Conference, MIT, 6013 2001, 6014 . 6016 [H2HIPSEC] 6017 Aura, T., Roe, M., and A. Mohammed, "Experiences with 6018 Host-to-Host IPsec", 13th International Workshop on 6019 Security Protocols, Cambridge, UK, April 2005. 6021 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 6022 Hashing for Message Authentication", RFC 2104, 6023 February 1997. 6025 [IDEA] X. Lai, "On the Design and Security of Block Ciphers", ETH 6026 Series in Information Processing, v. 1, Konstanz: Hartung- 6027 Gorre Verlag, 1992. 6029 [IDNA] Klensin, J., "Internationalized Domain Names for 6030 Applications (IDNA): Definitions and Document Framework", 6031 RFC 5890, August 2010. 6033 [IKEV1] Harkins, D. and D. Carrel, "The Internet Key Exchange 6034 (IKE)", RFC 2409, November 1998. 6036 [IKEV2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", 6037 RFC 4306, December 2005. 6039 [IP] Postel, J., "Internet Protocol", STD 5, RFC 791, 6040 September 1981. 6042 [IP-COMP] Shacham, A., Monsour, B., Pereira, R., and M. Thomas, "IP 6043 Payload Compression Protocol (IPComp)", RFC 3173, 6044 September 2001. 6046 [IPSECARCH-OLD] 6047 Kent, S. and R. Atkinson, "Security Architecture for the 6048 Internet Protocol", RFC 2401, November 1998. 6050 [IPV6CONFIG] 6051 Eronen, P., Laganier, J., and C. Madson, "IPv6 6052 Configuration in Internet Key Exchange Protocol Version 2 6053 (IKEv2)", RFC 5739, February 2010. 6055 [ISAKMP] Maughan, D., Schneider, M., and M. Schertler, "Internet 6056 Security Association and Key Management Protocol 6057 (ISAKMP)", RFC 2408, November 1998. 6059 [MAILFORMAT] 6060 Resnick, P., Ed., "Internet Message Format", RFC 5322, 6061 October 2008. 6063 [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 6064 April 1992. 6066 [MIPV6] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support 6067 in IPv6", RFC 6275, July 2011. 6069 [MLDV2] Vida, R. and L. Costa, "Multicast Listener Discovery 6070 Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. 6072 [MOBIKE] Eronen, P., "IKEv2 Mobility and Multihoming Protocol 6073 (MOBIKE)", RFC 4555, June 2006. 6075 [MODES] National Institute of Standards and Technology, U.S. 6076 Department of Commerce, "Recommendation for Block Cipher 6077 Modes of Operation", SP 800-38A, 2001. 6079 [NAI] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The 6080 Network Access Identifier", RFC 4282, December 2005. 6082 [NATREQ] Aboba, B. and W. Dixon, "IPsec-Network Address Translation 6083 (NAT) Compatibility Requirements", RFC 3715, March 2004. 6085 [OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", 6086 RFC 2412, November 1998. 6088 [PFKEY] McDonald, D., Metz, C., and B. Phan, "PF_KEY Key 6089 Management API, Version 2", RFC 2367, July 1998. 6091 [PHOTURIS] 6092 Karn, P. and W. Simpson, "Photuris: Session-Key Management 6093 Protocol", RFC 2522, March 1999. 6095 [RANDOMNESS] 6096 Eastlake, D., Schiller, J., and S. Crocker, "Randomness 6097 Requirements for Security", BCP 106, RFC 4086, June 2005. 6099 [REAUTH] Nir, Y., "Repeated Authentication in Internet Key Exchange 6100 (IKEv2) Protocol", RFC 4478, April 2006. 6102 [REUSE] Menezes, A. and B. Ustaoglu, "On Reusing Ephemeral Keys In 6103 Diffie-Hellman Key Agreement Protocols", December 2008, < 6104 http://www.cacr.math.uwaterloo.ca/techreports/2008/ 6105 cacr2008-24.pdf>. 6107 [RFC4945] Korver, B., "The Internet IP Security PKI Profile of 6108 IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007. 6110 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 6111 "Internet Key Exchange Protocol Version 2 (IKEv2)", 6112 RFC 5996, September 2010. 6114 [RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman 6115 Tests for the Internet Key Exchange Protocol Version 2 6116 (IKEv2)", RFC 6989, July 2013. 6118 [ROHCV2] Ertekin, E., Christou, C., Jasani, R., Kivinen, T., and C. 6119 Bormann, "IKEv2 Extensions to Support Robust Header 6120 Compression over IPsec", RFC 5857, May 2010. 6122 [SHA] National Institute of Standards and Technology, U.S. 6123 Department of Commerce, "Secure Hash Standard", 6124 FIPS 180-3, October 2008. 6126 [SIGMA] H. Krawczyk, "SIGMA: the `SIGn-and-MAc' Approach to 6127 Authenticated Diffie-Hellman and its Use in the IKE 6128 Protocols", Advances in Cryptography - CRYPTO 2003 6129 Proceedings LNCS 2729, 2003, . 6133 [SKEME] H. Krawczyk, "SKEME: A Versatile Secure Key Exchange 6134 Mechanism for Internet", IEEE Proceedings of the 1996 6135 Symposium on Network and Distributed Systems Security , 6136 1996. 6138 [TRANSPARENCY] 6139 Carpenter, B., "Internet Transparency", RFC 2775, 6140 February 2000. 6142 Appendix A. Summary of Changes from IKEv1 6144 The goals of this revision to IKE are: 6146 1. To define the entire IKE protocol in a single document, 6147 replacing RFCs 2407, 2408, and 2409 and incorporating subsequent 6148 changes to support NAT Traversal, Extensible Authentication, and 6149 Remote Address acquisition; 6151 2. To simplify IKE by replacing the eight different initial 6152 exchanges with a single four-message exchange (with changes in 6153 authentication mechanisms affecting only a single AUTH payload 6154 rather than restructuring the entire exchange) see 6156 [EXCHANGEANALYSIS]; 6158 3. To remove the Domain of Interpretation (DOI), Situation (SIT), 6159 and Labeled Domain Identifier fields, and the Commit and 6160 Authentication only bits; 6162 4. To decrease IKE's latency in the common case by making the 6163 initial exchange be 2 round trips (4 messages), and allowing the 6164 ability to piggyback setup of a Child SA on that exchange; 6166 5. To replace the cryptographic syntax for protecting the IKE 6167 messages themselves with one based closely on ESP to simplify 6168 implementation and security analysis; 6170 6. To reduce the number of possible error states by making the 6171 protocol reliable (all messages are acknowledged) and sequenced. 6172 This allows shortening CREATE_CHILD_SA exchanges from 3 messages 6173 to 2; 6175 7. To increase robustness by allowing the responder to not do 6176 significant processing until it receives a message proving that 6177 the initiator can receive messages at its claimed IP address; 6179 8. To fix cryptographic weaknesses such as the problem with 6180 symmetries in hashes used for authentication (documented by Tero 6181 Kivinen); 6183 9. To specify Traffic Selectors in their own payloads type rather 6184 than overloading ID payloads, and making more flexible the 6185 Traffic Selectors that may be specified; 6187 10. To specify required behavior under certain error conditions or 6188 when data that is not understood is received in order to make it 6189 easier to make future revisions in a way that does not break 6190 backward compatibility; 6192 11. To simplify and clarify how shared state is maintained in the 6193 presence of network failures and DoS attacks; and 6195 12. To maintain existing syntax and magic numbers to the extent 6196 possible to make it likely that implementations of IKEv1 can be 6197 enhanced to support IKEv2 with minimum effort. 6199 Appendix B. Diffie-Hellman Groups 6201 There are two Diffie-Hellman groups defined here for use in IKE. 6202 These groups were generated by Richard Schroeppel at the University 6203 of Arizona. Properties of these primes are described in [OAKLEY]. 6205 The strength supplied by group 1 may not be sufficient for typical 6206 uses and is here for historic reasons. 6208 Additional Diffie-Hellman groups have been defined in [ADDGROUP]. 6210 B.1. Group 1 - 768-bit MODP 6212 This group is assigned ID 1 (one). 6214 The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } 6215 Its hexadecimal value is: 6217 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 6218 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD 6219 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 6220 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF 6222 The generator is 2. 6224 B.2. Group 2 - 1024-bit MODP 6226 This group is assigned ID 2 (two). 6228 The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. 6229 Its hexadecimal value is: 6231 FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 6232 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD 6233 EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 6234 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED 6235 EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 6236 FFFFFFFF FFFFFFFF 6238 The generator is 2. 6240 Appendix C. Exchanges and Payloads 6242 This appendix contains a short summary of the IKEv2 exchanges, and 6243 what payloads can appear in which message. This appendix is purely 6244 informative; if it disagrees with the body of this document, the 6245 other text is considered correct. 6247 Vendor ID (V) payloads may be included in any place in any message. 6248 This sequence here shows what are the most logical places for them. 6250 C.1. IKE_SA_INIT Exchange 6252 request --> [N(COOKIE)], 6253 SA, KE, Ni, 6254 [N(NAT_DETECTION_SOURCE_IP)+, 6255 N(NAT_DETECTION_DESTINATION_IP)], 6256 [V+][N+] 6258 normal response <-- SA, KE, Nr, 6259 (no cookie) [N(NAT_DETECTION_SOURCE_IP), 6260 N(NAT_DETECTION_DESTINATION_IP)], 6261 [[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+], 6262 [V+][N+] 6264 cookie response <-- N(COOKIE), 6265 [V+][N+] 6267 different Diffie- <-- N(INVALID_KE_PAYLOAD), 6268 Hellman group [V+][N+] 6269 wanted 6271 C.2. IKE_AUTH Exchange without EAP 6273 request --> IDi, [CERT+], 6274 [N(INITIAL_CONTACT)], 6275 [[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+], 6276 [IDr], 6277 AUTH, 6278 [CP(CFG_REQUEST)], 6279 [N(IPCOMP_SUPPORTED)+], 6280 [N(USE_TRANSPORT_MODE)], 6281 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6282 [N(NON_FIRST_FRAGMENTS_ALSO)], 6283 SA, TSi, TSr, 6284 [V+][N+] 6286 response <-- IDr, [CERT+], 6287 AUTH, 6288 [CP(CFG_REPLY)], 6289 [N(IPCOMP_SUPPORTED)], 6290 [N(USE_TRANSPORT_MODE)], 6291 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6292 [N(NON_FIRST_FRAGMENTS_ALSO)], 6293 SA, TSi, TSr, 6294 [N(ADDITIONAL_TS_POSSIBLE)], 6295 [V+][N+] 6297 error in Child SA <-- IDr, [CERT+], 6298 creation AUTH, 6299 N(error), 6300 [V+][N+] 6302 C.3. IKE_AUTH Exchange with EAP 6304 first request --> IDi, 6305 [N(INITIAL_CONTACT)], 6306 [[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+], 6307 [IDr], 6308 [CP(CFG_REQUEST)], 6309 [N(IPCOMP_SUPPORTED)+], 6310 [N(USE_TRANSPORT_MODE)], 6311 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6312 [N(NON_FIRST_FRAGMENTS_ALSO)], 6313 SA, TSi, TSr, 6314 [V+][N+] 6316 first response <-- IDr, [CERT+], AUTH, 6317 EAP, 6318 [V+][N+] 6320 / --> EAP 6321 repeat 1..N times | 6322 \ <-- EAP 6324 last request --> AUTH 6326 last response <-- AUTH, 6327 [CP(CFG_REPLY)], 6328 [N(IPCOMP_SUPPORTED)], 6329 [N(USE_TRANSPORT_MODE)], 6330 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6331 [N(NON_FIRST_FRAGMENTS_ALSO)], 6332 SA, TSi, TSr, 6333 [N(ADDITIONAL_TS_POSSIBLE)], 6334 [V+][N+] 6336 C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying Child SAs 6338 request --> [N(REKEY_SA)], 6339 [CP(CFG_REQUEST)], 6340 [N(IPCOMP_SUPPORTED)+], 6341 [N(USE_TRANSPORT_MODE)], 6342 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6343 [N(NON_FIRST_FRAGMENTS_ALSO)], 6344 SA, Ni, [KEi], TSi, TSr 6345 [V+][N+] 6347 normal <-- [CP(CFG_REPLY)], 6348 response [N(IPCOMP_SUPPORTED)], 6349 [N(USE_TRANSPORT_MODE)], 6350 [N(ESP_TFC_PADDING_NOT_SUPPORTED)], 6351 [N(NON_FIRST_FRAGMENTS_ALSO)], 6352 SA, Nr, [KEr], TSi, TSr, 6353 [N(ADDITIONAL_TS_POSSIBLE)] 6354 [V+][N+] 6356 error case <-- N(error) 6358 different Diffie- <-- N(INVALID_KE_PAYLOAD), 6359 Hellman group [V+][N+] 6360 wanted 6362 C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA 6364 request --> SA, Ni, KEi 6365 [V+][N+] 6367 response <-- SA, Nr, KEr 6368 [V+][N+] 6370 C.6. INFORMATIONAL Exchange 6372 request --> [N+], 6373 [D+], 6374 [CP(CFG_REQUEST)] 6376 response <-- [N+], 6377 [D+], 6378 [CP(CFG_REPLY)] 6380 Authors' Addresses 6382 Charlie Kaufman 6383 Microsoft 6384 1 Microsoft Way 6385 Redmond, WA 98052 6386 US 6388 Phone: 1-425-707-3335 6389 EMail: charliek@microsoft.com 6391 Paul Hoffman 6392 VPN Consortium 6393 127 Segre Place 6394 Santa Cruz, CA 95060 6395 US 6397 Phone: 1-831-426-9827 6398 EMail: paul.hoffman@vpnc.org 6400 Yoav Nir 6401 Check Point Software Technologies Ltd. 6402 5 Hasolelim St. 6403 Tel Aviv 6789735 6404 Israel 6406 EMail: ynir@checkpoint.com 6408 Pasi Eronen 6409 Independent 6411 EMail: pe@iki.fi 6413 Tero Kivinen 6414 INSIDE Secure 6415 Eerikinkatu 28 6416 HELSINKI FI-00180 6417 FI 6419 EMail: kivinen@iki.fi