One document matched: draft-kivinen-ipsecme-ikev2-rfc5996bis-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc6989 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6989.xml'>
<!ENTITY rfc4945 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4945.xml'>
<!ENTITY rfc5996 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5996.xml'>
]>
<rfc ipr="pre5378Trust200902"
submissionType="IETF"
category="std"
obsoletes="5996"
docName="draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt">
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes" ?>
<?rfc subcompact="no" ?>
<front>
<title abbrev="IKEv2bis">
Internet Key Exchange Protocol Version 2 (IKEv2)</title>
<author initials='C.' surname="Kaufman" fullname='Charlie Kaufman'>
<organization>Microsoft</organization>
<address>
<postal>
<street>1 Microsoft Way</street>
<city>Redmond</city> <region>WA</region><code>98052</code>
<country>US</country>
</postal>
<phone>1-425-707-3335</phone>
<email>charliek@microsoft.com</email>
</address>
</author>
<author initials='P.' surname="Hoffman" fullname='Paul Hoffman'>
<organization>VPN Consortium</organization>
<address>
<postal>
<street>127 Segre Place</street>
<city>Santa Cruz</city> <region>CA</region><code>95060</code>
<country>US</country>
</postal>
<phone>1-831-426-9827</phone>
<email>paul.hoffman@vpnc.org</email>
</address>
</author>
<author initials='Y' surname="Nir" fullname='Yoav Nir'>
<organization abbrev='Check Point'>Check Point Software Technologies Ltd.</organization>
<address>
<postal>
<street>5 Hasolelim St.</street>
<city>Tel Aviv 6789735</city>
<country>Israel</country>
</postal>
<email>ynir@checkpoint.com</email>
</address>
</author>
<author initials='P.' surname="Eronen" fullname='Pasi Eronen'>
<organization abbrev='Independent'>Independent</organization>
<address>
<postal>
<street></street>
<city></city>
<country></country>
</postal>
<email>pe@iki.fi</email>
</address>
</author>
<author initials='T.' surname='Kivinen' fullname='Tero Kivinen'>
<organization>INSIDE Secure</organization>
<address>
<postal>
<street>Eerikinkatu 28</street>
<code>FI-00180</code>
<city>HELSINKI</city>
<country>FI</country>
</postal>
<email>kivinen@iki.fi</email>
</address>
</author>
<date month="November" year="2013"/>
<keyword>IKE</keyword>
<keyword>IPsec</keyword>
<abstract>
<t>This document describes version 2 of the Internet Key Exchange
(IKE) protocol. IKE is a component of IPsec used for performing mutual
authentication and establishing and maintaining Security Associations
(SAs). This document replaces and updates RFC 5996, and includes all
of the errata for it, and it is intended to update IKEv2 to be
Internet Standard.</t>
</abstract>
</front>
<middle>
<section anchor='sect-1' title='Introduction'>
<t>IP Security (IPsec) provides confidentiality, data integrity, access
control, and data source authentication to IP datagrams. These services
are provided by maintaining shared state between the source and the sink
of an IP datagram. This state defines, among other things, the specific
services provided to the datagram, which cryptographic algorithms will
be used to provide the services, and the keys used as input to the
cryptographic algorithms.</t>
<t>Establishing this shared state in a manual fashion does not scale
well. Therefore, a protocol to establish this state dynamically is
needed. This document describes such a protocol -- the Internet Key
Exchange (IKE). Version 1 of IKE was defined in RFCs 2407 <xref
target='DOI'/>, 2408 <xref target='ISAKMP'/>, and 2409 <xref
target='IKEV1'/>. IKEv2 replaced all of those RFCs. IKEv2 was defined
in <xref target='IKEV2'/> (RFC 4306) and was clarified in <xref
target='Clarif'/> (RFC 4718). The <xref target='RFC5996'/> replaced
and updated RFC 4306 and RFC 4718, and this document replaces the RFC
5996 and the intended status for this document will be Internet
Standard. IKEv2 as stated in RFC 4306 was a change to the IKE protocol
that was not backward compatible. RFC 5996 revised RFC 4306 to provide
a clarification of IKEv2, making minimum changes to the IKEv2
protocol. The current document slightly revises RFC 5996 to make it
suitable for progression to Internet Standard. A list of the
significant differences between RFC 4306 and RFC 5996 is given in
<xref target='sect-1.7'/> and differences between RFC 5996 and this
document is given in <xref target='sect-1.8' />.</t>
<t>IKE performs mutual authentication between two parties and
establishes an IKE security association (SA) that includes shared
secret information that can be used to efficiently establish SAs for
Encapsulating Security Payload (ESP) <xref target='ESP'/>
or Authentication Header (AH) <xref target='AH'/> and a
set of cryptographic algorithms to be used by the SAs to protect the
traffic that they carry. In this document, the term "suite" or
"cryptographic suite" refers to a complete set of algorithms used to
protect an SA. An initiator proposes one or more suites by listing
supported algorithms that can be combined into suites in a
mix-and-match fashion. IKE can also negotiate use of IP Compression
(IPComp) <xref target='IP-COMP'/> in connection with an ESP or AH
SA. The SAs for ESP or AH that
get set up through that IKE SA we call "Child SAs".</t>
<t>All IKE communications consist of pairs of messages: a request and a
response. The pair is called an "exchange", and is sometimes called a
"request/response pair". The first exchange of messages
establishing an IKE SA are called the IKE_SA_INIT and IKE_AUTH exchanges; subsequent
IKE exchanges are called the CREATE_CHILD_SA or INFORMATIONAL exchanges. In the common
case, there is a single IKE_SA_INIT exchange and a single IKE_AUTH
exchange (a total of four messages) to establish the IKE SA and the
first Child SA. In exceptional cases, there may be more than one of each
of these exchanges. In all cases, all IKE_SA_INIT exchanges MUST
complete before any other exchange type, then all IKE_AUTH exchanges
MUST complete, and following that, any number of CREATE_CHILD_SA and
INFORMATIONAL exchanges may occur in any order. In some scenarios, only
a single Child SA is needed between the IPsec endpoints, and therefore
there would be no additional exchanges. Subsequent exchanges MAY be used
to establish additional Child SAs between the same authenticated pair of
endpoints and to perform housekeeping functions.</t>
<t>An IKE message flow always consists of a request followed by a response.
It is the responsibility of the requester to ensure reliability. If the
response is not received within a timeout interval, the requester needs
to retransmit the request (or abandon the connection).</t>
<t>The first exchange of an IKE session, IKE_SA_INIT, negotiates
security parameters for the IKE SA, sends nonces, and sends
Diffie-Hellman values.</t>
<t>The second exchange, IKE_AUTH, transmits identities, proves
knowledge of the secrets corresponding to the two identities, and sets
up an SA for the first (and often only) AH or ESP Child SA
(unless there is failure setting up the AH or ESP Child SA, in
which case the IKE SA is still established without the Child SA).</t>
<t>The types of subsequent exchanges are CREATE_CHILD_SA (which
creates a Child SA) and INFORMATIONAL (which deletes an SA, reports
error conditions, or does other housekeeping). Every request
requires a response. An INFORMATIONAL request with no payloads
(other than the empty Encrypted payload required by the syntax) is
commonly used as a check for liveness. These subsequent exchanges
cannot be used until the initial exchanges have completed.</t>
<t>In the description that follows, we assume that no errors occur.
Modifications to the flow when errors occur are described in
<xref target='sect-2.21'/>.</t>
<section anchor='sect-1.1' title='Usage Scenarios'>
<t>IKE is used to negotiate ESP or AH SAs in a number
of different scenarios, each with its own special requirements.</t>
<section anchor='sect-1.1.1' title='Security Gateway to Security Gateway in Tunnel Mode'>
<figure><artwork><![CDATA[
+-+-+-+-+-+ +-+-+-+-+-+
| | IPsec | |
Protected |Tunnel | tunnel |Tunnel | Protected
Subnet <-->|Endpoint |<---------->|Endpoint |<--> Subnet
| | | |
+-+-+-+-+-+ +-+-+-+-+-+
Figure 1: Security Gateway to Security Gateway Tunnel
]]></artwork></figure>
<t>In this scenario, neither endpoint of the IP connection implements
IPsec, but network nodes between them protect traffic for part of
the way. Protection is transparent to the endpoints, and depends
on ordinary routing to send packets through the tunnel endpoints
for processing. Each endpoint would announce the set of addresses
"behind" it, and packets would be sent in tunnel mode where the
inner IP header would contain the IP addresses of the actual endpoints.</t>
</section>
<section anchor='sect-1.1.2' title='Endpoint-to-Endpoint Transport Mode'>
<figure><artwork><![CDATA[
+-+-+-+-+-+ +-+-+-+-+-+
| | IPsec transport | |
|Protected| or tunnel mode SA |Protected|
|Endpoint |<---------------------------------------->|Endpoint |
| | | |
+-+-+-+-+-+ +-+-+-+-+-+
Figure 2: Endpoint to Endpoint
]]></artwork></figure>
<t>In this scenario, both endpoints of the IP connection implement
IPsec, as required of hosts in <xref target='IPSECARCH'/>. Transport
mode will commonly be used with no inner IP header.
A single pair of addresses will be negotiated for packets to be
protected by this SA. These endpoints MAY implement application-layer
access controls based on the IPsec authenticated identities of the
participants. This scenario enables the end-to-end security that has
been a guiding principle for the Internet since <xref
target='ARCHPRINC'/>, <xref target='TRANSPARENCY'/>, and a method of limiting
the inherent problems with complexity in networks noted by
<xref target='ARCHGUIDEPHIL'/>.
Although this scenario
may not be fully applicable to the IPv4 Internet, it has been
deployed successfully in specific scenarios within intranets using
IKEv1. It should be more broadly enabled during the transition to
IPv6 and with the adoption of IKEv2.</t>
<t>It is possible in this scenario that one or both of the protected
endpoints will be behind a network address translation (NAT) node, in
which case the tunneled packets will have to be UDP encapsulated so that
port numbers in the UDP headers can be used to identify individual
endpoints "behind" the NAT (see <xref target='sect-2.23'/>).</t>
</section>
<section anchor='sect-1.1.3' title='Endpoint to Security Gateway in Tunnel Mode'>
<figure><artwork><![CDATA[
+-+-+-+-+-+ +-+-+-+-+-+
| | IPsec | | Protected
|Protected| tunnel |Tunnel | Subnet
|Endpoint |<------------------------>|Endpoint |<--- and/or
| | | | Internet
+-+-+-+-+-+ +-+-+-+-+-+
Figure 3: Endpoint to Security Gateway Tunnel
]]></artwork></figure>
<t>In this scenario, a protected endpoint (typically a portable roaming
computer) connects back to its corporate network through an
IPsec-protected tunnel. It might use this tunnel only to access information
on the corporate network, or it might tunnel all of its traffic back
through the corporate network in order to take advantage of protection
provided by a corporate firewall against Internet-based attacks. In
either case, the protected endpoint will want an IP address associated
with the security gateway so that packets returned to it will go to the
security gateway and be tunneled back. This IP address may be static or
may be dynamically allocated by the security gateway.
In support of the latter case, IKEv2 includes a mechanism (namely,
configuration payloads) for the initiator to request an IP address owned
by the security gateway for use for the duration of its SA.</t>
<t>In this scenario, packets will use tunnel mode. On each packet from
the protected endpoint, the outer IP header will contain the source
IP address associated with its current location (i.e., the address
that will get traffic routed to the endpoint directly), while the
inner IP header will contain the source IP address assigned by the
security gateway (i.e., the address that will get traffic routed to
the security gateway for forwarding to the endpoint). The outer
destination address will always be that of the security gateway,
while the inner destination address will be the ultimate destination
for the packet.</t>
<t>In this scenario, it is possible that the protected endpoint will be
behind a NAT. In that case, the IP address as seen by the security
gateway will not be the same as the IP address sent by the protected
endpoint, and packets will have to be UDP encapsulated in order to be
routed properly. Interaction with NATs is covered in detail in
<xref target='sect-2.23'/>.</t>
</section>
<section anchor='sect-1.1.4' title='Other Scenarios'>
<t>Other scenarios are possible, as are nested combinations of the above.
One notable example combines aspects of Sections <xref target="sect-1.1.1" format="counter"/> and <xref target="sect-1.1.3" format="counter" />. A subnet
may make all external accesses through a remote security gateway using
an IPsec tunnel, where the addresses on the subnet are routed to the
security gateway by the rest of the Internet. An example would be
someone's home network being virtually on the Internet with static IP
addresses even though connectivity is provided by an ISP that assigns a
single dynamically assigned IP address to the user's security gateway
(where the static IP addresses and an IPsec relay are provided by a third
party located elsewhere).</t>
</section>
</section>
<section anchor='sect-1.2' title='The Initial Exchanges'>
<t>Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH
exchanges (known in IKEv1 as Phase 1). These initial exchanges normally
consist of four messages, though in some scenarios that number can grow.
All communications using IKE consist of
request/response pairs. We'll describe the base exchange first,
followed by variations. The first pair of messages (IKE_SA_INIT)
negotiate cryptographic algorithms, exchange nonces, and do a
Diffie-Hellman exchange <xref target='DH'/>.</t>
<t>The second pair of messages (IKE_AUTH) authenticate the previous
messages, exchange identities and certificates, and establish the first
Child SA. Parts of these messages are encrypted and integrity protected
with keys established through the IKE_SA_INIT exchange, so the
identities are hidden from eavesdroppers and all fields in all the
messages are authenticated. See <xref target='sect-2.14'/> for information
on how the encryption keys are generated.
(A man-in-the-middle attacker who cannot complete the IKE_AUTH exchange can
nonetheless see the identity of the initiator.)</t>
<t>All messages following the initial exchange are cryptographically
protected using the cryptographic algorithms and keys negotiated in
the IKE_SA_INIT exchange. These subsequent messages use the
syntax of the Encrypted payload described in
<xref target='sect-3.14'/>, encrypted with keys that are derived
as described in <xref target='sect-2.14'/>. All subsequent messages
include an Encrypted payload, even if they are referred to in the text
as "empty". For the CREATE_CHILD_SA, IKE_AUTH, or INFORMATIONAL
exchanges, the message following the header is encrypted and the
message including the header is integrity protected using the
cryptographic algorithms negotiated for the IKE SA.</t>
<t>Every IKE message contains a Message ID as part of its fixed header.
This Message ID is used to match up requests and responses, and to
identify retransmissions of messages.</t>
<t>In the following descriptions, the payloads contained in the message
are indicated by names as listed below.</t>
<figure><artwork><![CDATA[
Notation Payload
-----------------------------------------
AUTH Authentication
CERT Certificate
CERTREQ Certificate Request
CP Configuration
D Delete
EAP Extensible Authentication
HDR IKE header (not a payload)
IDi Identification - Initiator
IDr Identification - Responder
KE Key Exchange
Ni, Nr Nonce
N Notify
SA Security Association
SK Encrypted and Authenticated
TSi Traffic Selector - Initiator
TSr Traffic Selector - Responder
V Vendor ID
]]></artwork></figure>
<t>The details of the contents of each payload are described in section
3. Payloads that may optionally appear will be shown in brackets,
such as [CERTREQ]; this indicates that a Certificate Request
payload can optionally be included.</t>
<t>The initial exchanges are as follows:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SAi1, KEi, Ni -->
]]></artwork></figure>
<t>HDR contains the Security Parameter Indexes (SPIs), version
numbers, Exchange Type, Message ID, and flags of various sorts. The
SAi1 payload states the cryptographic algorithms the initiator
supports for the IKE SA. The KE payload sends the initiator's
Diffie-Hellman value. Ni is the initiator's nonce.</t>
<figure><artwork><![CDATA[
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
]]></artwork></figure>
<t>The responder chooses a cryptographic suite from the initiator's
offered choices and expresses that choice in the SAr1 payload, completes
the Diffie-Hellman exchange with the KEr payload, and sends its nonce in
the Nr payload.</t>
<t>At this point in the negotiation, each party can generate a
quantity called SKEYSEED (see <xref target="sect-2.14"/>), from which
all keys are derived for that IKE SA. The messages that follow are
encrypted and integrity protected in their entirety, with the
exception of the message headers. The keys used for the encryption and
integrity protection are derived from SKEYSEED and are known as SK_e
(encryption) and SK_a (authentication, a.k.a. integrity protection);
see Sections <xref target='sect-2.13' format='counter'/> and <xref
target='sect-2.14' format='counter'/> for details on the key
derivation. A separate SK_e and SK_a is computed for each direction.
In addition to the keys SK_e and SK_a derived from the Diffie-Hellman
value for protection of the IKE SA, another quantity SK_d is derived
and used for derivation of further keying material for Child SAs. The
notation SK { ... } indicates that these payloads are encrypted and
integrity protected using that direction's SK_e and SK_a.</t>
<figure><artwork><![CDATA[
HDR, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, SAi2,
TSi, TSr} -->
]]></artwork></figure>
<t>The initiator asserts its identity with the IDi payload, proves
knowledge of the secret corresponding to IDi and integrity protects the
contents of the first message using the AUTH payload (see <xref
target='sect-2.15'/>).
It might also send its certificate(s) in CERT payload(s) and
a list of its trust anchors in CERTREQ payload(s). If any CERT
payloads are included, the first certificate provided MUST contain
the public key used to verify the AUTH field.</t>
<t>The optional payload
IDr enables the initiator to specify to which of the responder's
identities it wants to talk. This is useful when the machine on
which the responder is running is hosting multiple identities at the
same IP address.
If the IDr proposed by the initiator is not acceptable to the
responder, the responder might use some other IDr to finish the
exchange. If the initiator then does not accept the fact that
responder used an IDr different than the one that was requested, the
initiator can close the SA after noticing the fact.</t>
<t>The Traffic Selectors (TSi and TSr) are discussed in
<xref target='sect-2.9'/>.</t>
<t>The initiator begins negotiation of a Child SA
using the SAi2 payload. The final fields (starting with SAi2) are
described in the description of the CREATE_CHILD_SA exchange.</t>
<figure><artwork><![CDATA[
<-- HDR, SK {IDr, [CERT,] AUTH,
SAr2, TSi, TSr}
]]></artwork></figure>
<t>The responder asserts its identity with the IDr payload, optionally
sends one or more certificates (again with the certificate containing
the public key used to verify AUTH listed first), authenticates its
identity and protects the integrity of the second message with the AUTH
payload, and completes negotiation of a Child SA with the additional
fields described below in the CREATE_CHILD_SA exchange.</t>
<t>Both parties in the IKE_AUTH exchange MUST verify that all signatures
and Message Authentication Codes (MACs) are computed correctly. If either side uses a shared secret
for authentication, the names in the ID payload MUST correspond to
the key used to generate the AUTH payload.</t>
<t>Because the initiator sends its Diffie-Hellman value in the
IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder
will select from its list of supported groups. If the initiator guesses
wrong, the responder will respond with a Notify payload of type
INVALID_KE_PAYLOAD indicating the selected group. In this case, the
initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman
group. The initiator MUST again propose its full set of acceptable
cryptographic suites because the rejection message was unauthenticated
and otherwise an active attacker could trick the endpoints into
negotiating a weaker suite than a stronger one that they both
prefer.</t>
<t>If creating the Child SA during the
IKE_AUTH exchange fails for some reason, the IKE SA is still created as
usual. The list of Notify message types in the IKE_AUTH exchange that do not
prevent an IKE SA from being set up include at least the following:
NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED,
INTERNAL_ADDRESS_FAILURE, and FAILED_CP_REQUIRED.</t>
<t>If the failure is related to creating the IKE SA (for example,
an AUTHENTICATION_FAILED Notify error message is returned), the IKE SA is not created. Note that
although the IKE_AUTH messages are encrypted and integrity
protected, if the peer receiving this Notify error message has not yet
authenticated the other end (or if the peer fails to
authenticate the other end for some reason), the information needs
to be treated with caution. More precisely, assuming that the MAC
verifies correctly, the sender of the error Notify message is known to
be the responder of the IKE_SA_INIT exchange, but the sender's
identity cannot be assured.</t>
<t>Note that IKE_AUTH messages do not contain KEi/KEr
or Ni/Nr payloads. Thus, the SA payloads in the IKE_AUTH exchange
cannot contain Transform Type 4 (Diffie-Hellman group) with any value
other than NONE. Implementations SHOULD omit the whole transform
substructure instead of sending value NONE. </t>
</section>
<section anchor='sect-1.3' title='The CREATE_CHILD_SA Exchange'>
<t>The CREATE_CHILD_SA exchange is used to create new Child SAs and to
rekey both IKE SAs and Child SAs. This exchange consists of a single
request/response pair, and some of its function was referred to as a
Phase 2 exchange in IKEv1. It MAY be initiated by either end of the
IKE SA after the initial exchanges are completed.</t>
<t>An SA is rekeyed by creating a new SA and then deleting the old one.
This
section describes the first part of rekeying, the creation of new SAs;
<xref target='sect-2.8'/> covers the mechanics of rekeying, including
moving traffic from old to new SAs and the deletion of the old SAs. The
two sections must be read together to understand the entire process of
rekeying.</t>
<t>Either endpoint may initiate a CREATE_CHILD_SA exchange, so in this
section the term initiator refers to the endpoint initiating this
exchange. An implementation MAY refuse all CREATE_CHILD_SA requests
within an IKE SA.</t>
<t>The CREATE_CHILD_SA request MAY optionally contain a KE payload for
an additional Diffie-Hellman exchange to enable stronger guarantees of
forward secrecy for the Child SA. The keying material for the Child SA
is a function of SK_d established during the establishment of the
IKE SA, the nonces exchanged during the CREATE_CHILD_SA exchange, and
the Diffie-Hellman value (if KE payloads are included in the
CREATE_CHILD_SA exchange).</t>
<t>If a CREATE_CHILD_SA exchange includes a KEi payload, at least one of
the SA offers MUST include the Diffie-Hellman group of the KEi. The
Diffie-Hellman group of the KEi MUST be an element of the group the
initiator expects the responder to accept (additional Diffie-Hellman
groups can be proposed). If the responder selects a proposal using a
different Diffie-Hellman group (other than NONE), the responder MUST
reject the request and indicate its preferred Diffie-Hellman group in
the INVALID_KE_PAYLOAD Notify payload. There are
two octets of data associated with this notification: the accepted Diffie-Hellman
group number in big endian order. In the case of such a rejection, the
CREATE_CHILD_SA exchange fails, and the initiator will probably retry
the exchange with a Diffie-Hellman proposal and KEi in the group that
the responder gave in the INVALID_KE_PAYLOAD Notify payload.</t>
<t>The responder sends a NO_ADDITIONAL_SAS notification
to indicate that a CREATE_CHILD_SA request is unacceptable because the
responder is unwilling to accept any more Child SAs on this IKE SA.
This notification can also be used to reject IKE SA rekey. Some
minimal implementations may only accept a single Child SA setup in the
context of an initial IKE exchange and reject any subsequent attempts to
add more.</t>
<section anchor='sect-1.3.1' title='Creating New Child SAs with the
CREATE_CHILD_SA Exchange'>
<t>A Child SA may be created by sending a CREATE_CHILD_SA request.
The CREATE_CHILD_SA request for creating a new Child SA is:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK {SA, Ni, [KEi],
TSi, TSr} -->
]]></artwork></figure>
<t>The initiator sends SA offer(s) in the SA payload, a nonce in
the Ni payload, optionally a Diffie-Hellman value in the KEi
payload, and the proposed Traffic Selectors for the proposed
Child SA in the TSi and TSr payloads.</t>
<t>The CREATE_CHILD_SA response for creating a new Child SA is:</t>
<figure><artwork><![CDATA[
<-- HDR, SK {SA, Nr, [KEr],
TSi, TSr}
]]></artwork></figure>
<t>The responder replies (using the same Message ID to respond) with
the accepted offer in an SA payload, nonce in the Nr payload, and a
Diffie-Hellman value in the KEr payload if KEi was included in the
request and the selected cryptographic suite includes that group.</t>
<t>The Traffic Selectors for traffic to be sent on that SA are
specified in the TS payloads in the response, which may be a
subset of what the initiator of the Child SA proposed.</t>
<t>The USE_TRANSPORT_MODE notification MAY be
included in a request message that also includes an SA payload
requesting a Child SA. It requests that the Child SA use transport mode
rather than tunnel mode for the SA created. If the request is accepted,
the response MUST also include a notification of type
USE_TRANSPORT_MODE. If the responder declines the request, the Child SA
will be established in tunnel mode. If this is unacceptable to the
initiator, the initiator MUST delete the SA. Note: Except when using
this option to negotiate transport mode, all Child SAs will use tunnel
mode.</t>
<t>The ESP_TFC_PADDING_NOT_SUPPORTED notification
asserts that the sending endpoint will not accept packets that contain
Traffic Flow Confidentiality (TFC) padding over the Child SA being
negotiated. If neither endpoint accepts TFC padding,
this notification is included in both the request and the response.
If this notification is included in only one of the messages, TFC
padding can still be sent in the other direction.</t>
<t>The NON_FIRST_FRAGMENTS_ALSO notification is used
for fragmentation control. See <xref target='IPSECARCH'/> for a fuller
explanation. Both parties need to agree to
sending non-first fragments before either party does so. It is enabled
only if NON_FIRST_FRAGMENTS_ALSO notification is included in both the
request proposing an SA and the response accepting it. If the responder
does not want to send or receive non-first fragments, it
only omits NON_FIRST_FRAGMENTS_ALSO
notification from its response, but does not reject the whole Child SA
creation.</t>
<t>An IPCOMP_SUPPORTED notification, covered in <xref target='sect-2.22'/>,
can also be included in the exchange.</t>
<t>A failed attempt to create a Child SA SHOULD NOT tear down
the IKE SA: there is no reason to lose the work done to set up the IKE
SA. See <xref target="sect-2.21" /> for a list of error messages that
might occur if creating a Child SA fails.
</t>
</section>
<section anchor='sect-1.3.2' title='Rekeying IKE SAs with the
CREATE_CHILD_SA Exchange'>
<t>The CREATE_CHILD_SA request for rekeying an IKE SA is:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK {SA, Ni, KEi} -->
]]></artwork></figure>
<t>The initiator sends SA offer(s) in the SA payload, a nonce in
the Ni payload, and a Diffie-Hellman value in the KEi payload.
The KEi payload MUST be included.
A new initiator SPI is supplied in the SPI field
of the SA payload.
Once a peer receives a request to rekey an IKE SA or sends a request to rekey
an IKE SA, it SHOULD NOT start any new CREATE_CHILD_SA exchanges on the IKE SA
that is being rekeyed.</t>
<t>The CREATE_CHILD_SA response for rekeying an IKE SA is:</t>
<figure><artwork><![CDATA[
<-- HDR, SK {SA, Nr, KEr}
]]></artwork></figure>
<t>The responder replies (using the same Message ID to respond) with
the accepted offer in an SA payload, nonce in the Nr payload, and a
Diffie-Hellman value in the KEr payload if the selected cryptographic
suite includes that group. A new responder SPI is supplied in the SPI
field of the SA payload.</t>
<t>The new IKE SA has its message counters set to 0, regardless of
what they were in the earlier IKE SA.
The first IKE requests from both sides on the new IKE SA
will have Message ID 0. The old IKE SA retains its numbering, so any
further requests (for example, to delete the IKE SA) will have
consecutive numbering. The new IKE SA also has its window size reset
to 1, and the initiator in this rekey exchange is the new "original
initiator" of the new IKE SA.</t>
<t><xref target='sect-2.18'/> also covers IKE SA rekeying in detail.</t>
</section>
<section anchor='sect-1.3.3' title='Rekeying Child SAs with
the CREATE_CHILD_SA Exchange'>
<t>The CREATE_CHILD_SA request for rekeying a Child SA is:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK {N(REKEY_SA), SA, Ni, [KEi],
TSi, TSr} -->
]]></artwork></figure>
<t>The initiator sends SA offer(s) in the SA payload, a nonce in
the Ni payload, optionally a Diffie-Hellman value in the KEi
payload, and the proposed Traffic Selectors for the proposed
Child SA in the TSi and TSr payloads.</t>
<t>The notifications described in <xref target='sect-1.3.1'/> may
also be sent in a rekeying exchange. Usually, these will be the same
notifications that were used in the original exchange; for example,
when rekeying a transport mode SA, the USE_TRANSPORT_MODE
notification will be used.</t>
<t>The REKEY_SA notification MUST be included in a
CREATE_CHILD_SA exchange if the purpose of the exchange is to replace
an existing ESP or AH SA. The SA being rekeyed is
identified by the SPI field in the Notify payload; this is the SPI the
exchange initiator would expect in inbound ESP or AH packets. There is
no data associated with this Notify message type.
The Protocol ID field of the REKEY_SA notification is set to match the
protocol of the SA we are rekeying, for example, 3 for ESP and 2 for
AH.</t>
<t>The CREATE_CHILD_SA response for rekeying a Child SA is:</t>
<figure><artwork><![CDATA[
<-- HDR, SK {SA, Nr, [KEr],
TSi, TSr}
]]></artwork></figure>
<t>The responder replies (using the same Message ID to respond) with
the accepted offer in an SA payload, nonce in the Nr, and a
Diffie-Hellman value in the KEr payload if KEi was included in the
request and the selected cryptographic suite includes that group.</t>
<t>The Traffic Selectors for traffic to be sent on that SA are
specified in the TS payloads in the response, which may be a
subset of what the initiator of the Child SA proposed.</t>
</section>
</section>
<section anchor='sect-1.4' title='The INFORMATIONAL Exchange'>
<t>At various points during the operation of an IKE SA, peers may desire
to convey control messages to each other regarding errors or
notifications of certain events. To accomplish this, IKE defines an
INFORMATIONAL exchange. INFORMATIONAL exchanges MUST ONLY occur after
the initial exchanges and are cryptographically protected with the
negotiated keys. Note that some informational messages, not
exchanges, can be sent outside the context of an IKE SA.
Section 2.21 also covers error messages in great
detail.</t>
<t>Control messages that pertain to an IKE SA MUST be sent under that
IKE SA. Control messages that pertain to Child SAs MUST be sent under
the protection of the IKE SA that generated them (or its successor if
the IKE SA was rekeyed).</t>
<t>Messages in an INFORMATIONAL exchange contain zero or more
Notification, Delete, and Configuration payloads. The recipient of an
INFORMATIONAL exchange request MUST send some response; otherwise, the sender
will assume the message was lost in the network and will retransmit it.
That response MAY be an empty message. The request message in
an INFORMATIONAL exchange MAY also contain no payloads. This is the
expected way an endpoint can ask the other endpoint to verify that it is
alive.</t>
<t>The INFORMATIONAL exchange is defined as:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK {[N,] [D,]
[CP,] ...} -->
<-- HDR, SK {[N,] [D,]
[CP], ...}
]]></artwork></figure>
<t>The processing of an INFORMATIONAL exchange is determined by its
component payloads.</t>
<section anchor='sect-1.4.1' title='Deleting an SA with INFORMATIONAL Exchanges'>
<t>ESP and AH SAs always exist in pairs, with one SA in
each direction. When an SA is closed, both members of the pair MUST be
closed (that is, deleted). Each endpoint MUST close its incoming SAs
and allow the other endpoint to close the other SA in each pair. To
delete an SA, an INFORMATIONAL exchange with one or more Delete payloads
is sent listing the SPIs (as they would be expected in the headers of
inbound packets) of the SAs to be deleted. The recipient MUST close the
designated SAs. Note that one never sends Delete
payloads for the two sides of an SA in a single message. If there are
many SAs to delete at the same time, one
includes Delete payloads for the inbound half of each SA pair in the
INFORMATIONAL exchange.</t>
<t>Normally, the response in the INFORMATIONAL exchange will contain Delete
payloads for the paired SAs going in the other direction. There is one
exception. If, by chance, both ends of a set of SAs independently decide
to close them, each may send a Delete payload and the two requests may
cross in the network. If a node receives a delete request for SAs for
which it has already issued a delete request, it MUST delete the
outgoing SAs while processing the request and the incoming SAs while
processing the response. In that case, the responses MUST NOT include
Delete payloads for the deleted SAs, since that would result in
duplicate deletion and could in theory delete the wrong SA.</t>
<t>Similar to ESP and AH SAs, IKE SAs are also deleted by sending an
Informational exchange. Deleting an IKE SA implicitly closes any
remaining Child SAs negotiated under it. The response to a request
that deletes the IKE SA is an empty INFORMATIONAL response.</t>
<t>Half-closed ESP or AH connections are anomalous, and a node with
auditing capability should probably audit their existence if they
persist. Note that this specification does not specify time
periods, so it is up to individual endpoints to decide how long to
wait. A node MAY refuse to accept incoming data on half-closed
connections but MUST NOT unilaterally close them and reuse the SPIs.
If connection state becomes sufficiently messed up, a node MAY close
the IKE SA, as described above. It can then rebuild the SAs it needs
on a clean base under a new IKE SA.</t>
</section>
</section>
<section anchor='sect-1.5' title='Informational Messages outside of an IKE SA'>
<t>There are some cases in which a node receives a packet that it cannot
process, but it may want to notify the sender about this situation.</t>
<t><list style='symbols'>
<t>If an ESP or AH packet arrives with an
unrecognized SPI. This might be due to the receiving node having
recently crashed and lost state, or because of some other system
malfunction or attack.</t>
<t>If an encrypted IKE request packet arrives on port 500 or 4500
with an unrecognized IKE SPI. This might be due to the receiving node
having recently crashed and lost state, or because of some other
system malfunction or attack.</t>
<t>If an IKE request packet arrives with a higher major version
number than the implementation supports.</t>
</list></t>
<t>In the first case, if the receiving node has an active IKE SA to
the IP address from whence the packet came, it MAY send an
INVALID_SPI notification of the wayward packet over that IKE SA in
an INFORMATIONAL exchange. The Notification Data contains the SPI
of the invalid packet. The recipient of this notification cannot
tell whether the SPI is for AH or ESP, but this is not important
because in many cases the SPIs will be different for the two.
If no suitable IKE SA exists, the node MAY send an informational
message without cryptographic protection to the source IP address,
using the source UDP port as the destination port if the packet was
UDP (UDP-encapsulated ESP or AH). In this case, it should only
be used by the recipient as a hint that something might be wrong
(because it could easily be forged). This message is not part of an
INFORMATIONAL exchange, and the receiving node MUST NOT respond to it because
doing so could cause a message loop. The message is constructed as
follows: there are no IKE SPI values that would be meaningful to the
recipient of such a notification; using zero values or random values
are both acceptable, this being the exception to the rule in
<xref target='sect-3.1'/> that prohibits zero IKE Initiator SPIs. The Initiator
flag is set to 1, the Response flag is set to 0, and the version flags are
set in the normal fashion; these flags are described in <xref target='sect-3.1'/>.</t>
<t>In the second and third cases, the message is always sent without
cryptographic protection (outside of an IKE SA), and includes
either an INVALID_IKE_SPI or an INVALID_MAJOR_VERSION notification (with
no notification data). The message is a response message, and thus
it is sent to the IP address and port from whence it came with the
same IKE SPIs and the Message ID and Exchange Type are copied
from the request. The Response flag is set to 1, and the version
flags are set in the normal fashion.</t>
</section>
<section anchor='sect-1.6' title='Requirements Terminology'>
<t>Definitions of the primitive terms in this document (such as Security
Association or SA) can be found in <xref target='IPSECARCH'/>.
It should be noted that parts of IKEv2
rely on some of the processing rules in <xref target='IPSECARCH'/>,
as described in various sections of this document.</t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target='MUSTSHOULD'/>.</t>
</section>
<section anchor='sect-1.7' title='Significant Differences between RFC 4306 and RFC5996'>
<t>This document contains clarifications and amplifications to IKEv2
<xref target='IKEV2'/>.
Many of the clarifications are based on <xref target='Clarif'/>. The
changes listed in that document were discussed in the IPsec Working
Group and, after the Working Group was disbanded, on the IPsec mailing
list. That document contains detailed explanations of areas that were
unclear in IKEv2, and is thus useful to implementers of IKEv2.</t>
<t>The protocol described in this document retains the same major
version number (2) and minor version number (0) as was used in RFC
4306. That is, the version number is *not* changed from RFC 4306.
The small number of technical changes listed here are not expected
to affect RFC 4306 implementations that have already been deployed
at the time of publication of this document.</t>
<t>This document makes the figures and references a bit more
consistent than they were in <xref target='IKEV2'/>.</t>
<t>IKEv2 developers have noted that the SHOULD-level requirements in RFC 4306 are
often unclear in that they don't say when it is OK to not obey the
requirements. They also have noted that there are MUST-level
requirements that are not related to interoperability. This document has
more explanation of some of these requirements. All
non-capitalized uses of the words SHOULD and MUST now mean
their normal English sense, not the interoperability sense of
<xref target='MUSTSHOULD'/>.</t>
<t>IKEv2 (and IKEv1) developers have noted that there is a great deal
of material in the tables of codes in <xref target='sect-3.10.1'/> in RFC 4306.
This leads to implementers not having all the needed information in
the main body of the document.
Much of the material from those tables has been moved into the associated parts
of the main body of the document.</t>
<t>This document removes discussion of nesting AH and ESP. This was a
mistake in RFC 4306 caused by the lag between finishing RFC 4306
and RFC 4301. Basically, IKEv2 is based on RFC 4301, which does
not include "SA bundles" that were part of RFC 2401. While a single
packet can go through IPsec processing multiple times, each of these
passes uses a separate SA, and the passes are coordinated by the
forwarding tables. In IKEv2, each of these SAs has to be created using
a separate CREATE_CHILD_SA exchange.</t>
<t>This document removes discussion of the INTERNAL_ADDRESS_EXPIRY
configuration attribute because its implementation was very
problematic. Implementations that conform to this document MUST
ignore proposals that have configuration attribute type 5, the
old value for INTERNAL_ADDRESS_EXPIRY. This document also removed
INTERNAL_IP6_NBNS as a configuration attribute.</t>
<t>This document removes the allowance for rejecting messages in which
the payloads were not in the "right" order; now implementations MUST
NOT reject them. This is due to the lack of clarity where the orders
for the payloads are described.</t>
<t>The lists of items from RFC 4306 that ended up in the IANA registry were trimmed
to only include items that were actually defined in RFC 4306. Also,
many of those lists are now preceded with the very important instruction
to developers that they really should look at the IANA registry at
the time of development because new items have been added since
RFC 4306.</t>
<t>This document adds clarification on when notifications are and are not
sent encrypted, depending on the state of the negotiation at the time.</t>
<t>This document discusses more about how to negotiate combined-mode
ciphers.</t>
<t>In Section 1.3.2, "The KEi payload SHOULD be included" was changed to be
"The KEi payload MUST be included". This also led to changes in
Section 2.18.</t>
<t>In Section 2.1, there is new material covering how the
initiator's SPI and/or IP is used to differentiate if this is a
"half-open" IKE SA or a new request.</t>
<t>This document clarifies the use of the critical flag in Section
2.5.</t>
<t>In Section 2.8, "Note that, when rekeying, the new Child SA MAY
have different Traffic Selectors and algorithms than the old one" was changed to
"Note that, when rekeying, the new Child SA SHOULD NOT have different
Traffic Selectors and algorithms than the old one".</t>
<t>The new Section 2.8.2 covers simultaneous IKE SA rekeying.</t>
<t>The new Section 2.9.2 covers Traffic Selectors in rekeying.</t>
<t>This document adds the restriction in Section 2.13 that all
pseudorandom functions (PRFs) used with IKEv2 MUST take
variable-sized keys. This should not affect any implementations
because there were no standardized PRFs that have fixed-size
keys.</t>
<t>Section 2.18 requires doing a Diffie-Hellman exchange when
rekeying the IKE_SA. In theory, RFC 4306 allowed a policy where the
Diffie-Hellman exchange was optional, but this was not useful (or
appropriate) when rekeying the IKE_SA.</t>
<t>Section 2.21 has been greatly expanded to cover the different cases
where error responses are needed and the appropriate responses
to them.</t>
<t>Section 2.23 clarified that, in NAT traversal, now both UDP-encapsulated IPsec packets and non-UDP-encapsulated IPsec packets need to be understood when receiving.</t>
<t>Added Section 2.23.1 to describe NAT traversal when transport mode
is requested.</t>
<t>Added Section 2.25 to explain how to act when there are
timing collisions when deleting and/or rekeying SAs, and two new
error notifications (TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND) were
defined.</t>
<t>In Section 3.6, "Implementations MUST support the HTTP
method for hash-and-URL lookup. The behavior of other URL methods is
not currently specified, and such methods SHOULD NOT be used in the
absence of a document specifying them" was added.</t>
<t>In Section 3.15.3, a pointer to a new document that is related
to configuration of IPv6 addresses was added.</t>
<t>Appendix C was expanded and clarified.</t>
</section>
<section anchor='sect-1.8' title='Differences between RFC 5996 and This Document'>
<t>Fixed section 3.6 and 3.10 as specified in the RFC5996 errata
2707 and 3036.</t>
<t>Removed Raw RSA Public keys. There is new work ongoing to replace
that with more generic format for generic raw public keys.</t>
<t>Added reference to the RFC6989 when using non Sophie-Germain
Diffie-Hellman groups, or when reusing Diffie-Hellman
Exponentials.</t>
<t>Added reference to the RFC4945 in the Identification Payloads
section.</t>
<t>Added IANA Considerations section note about removing the Raw RSA
Key, and removed the old contents which was already done during
RFC5996 processing. Added note that IANA should update IKEv2
registry to point to this document instead of RFC5996.</t>
<t>Clarified that the intended status of this document is Internet
Standard both in abstract and Introduction section.</t>
<t>Added name Last Substruc for the Proposal and Transform
Substructure header for the 0 (last) or 2/3 (more) field.</t>
</section>
</section> <!-- end of 1 -->
<section anchor='sect-2' title='IKE Protocol Details and Variations'>
<t>IKE normally listens and sends on UDP port 500, though IKE messages
may also be received on UDP port 4500 with a slightly different format
(see <xref target='sect-2.23'/>). Since UDP is a datagram (unreliable)
protocol, IKE includes in its definition recovery from transmission
errors, including packet loss, packet replay, and packet forgery. IKE is
designed to function so long as (1) at least one of a series of
retransmitted packets reaches its destination before timing out; and (2)
the channel is not so full of forged and replayed packets so as to
exhaust the network or CPU capacities of either endpoint. Even in the
absence of those minimum performance requirements, IKE is designed to
fail cleanly (as though the network were broken).</t>
<t>Although IKEv2 messages are intended to be short, they contain
structures with no hard upper bound on size (in particular, digital
certificates), and IKEv2 itself does not have a mechanism for
fragmenting large messages. IP defines a mechanism for fragmentation
of oversized UDP messages, but implementations vary in the maximum
message size supported. Furthermore, use of IP fragmentation opens an
implementation to denial-of-service (DoS) attacks <xref target='DOSUDPPROT'/>.
Finally, some NAT and/or firewall implementations may block IP
fragments.</t>
<t>All IKEv2 implementations MUST be able to send, receive, and process
IKE messages that are up to 1280 octets long, and they SHOULD be able to
send, receive, and process messages that are up to 3000 octets long.
IKEv2 implementations need to be aware of the
maximum UDP message size supported and MAY shorten messages by leaving
out some certificates or cryptographic suite proposals if that will keep
messages below the maximum. Use of the "Hash and URL" formats rather
than including certificates in exchanges where possible can avoid most
problems. Implementations and configuration
need to keep in mind, however, that if the URL lookups are possible only
after the Child SA is established, recursion issues could prevent this
technique from working.</t>
<t>The UDP payload of all packets containing IKE messages sent on port
4500 MUST begin with the prefix of four zeros; otherwise, the receiver
won't know how to handle them.</t>
<section anchor='sect-2.1' title='Use of Retransmission Timers'>
<t>All messages in IKE exist in pairs: a request and a response. The
setup of an IKE SA normally consists of two exchanges. Once
the IKE SA is set up, either end of the Security Association may
initiate requests at any time, and there can be many requests and
responses "in flight" at any given moment. But each message is labeled
as either a request or a response, and for each exchange, one
end of the Security Association is the initiator and the other is the
responder.</t>
<t>For every pair of IKE messages, the initiator is responsible for
retransmission in the event of a timeout. The responder MUST never
retransmit a response unless it receives a retransmission of the
request. In that event, the responder MUST ignore the retransmitted
request except insofar as it causes a retransmission of the response.
The initiator MUST remember each request until it receives the
corresponding response. The responder MUST remember each response until
it receives a request whose sequence number is larger than or equal to the sequence
number in the response plus its window size (see <xref
target='sect-2.3'/>).
In order to allow saving memory, responders are allowed to forget
the response after a timeout of several minutes. If the responder
receives a retransmitted request for which it has already forgotten
the response, it MUST ignore the request (and not, for example,
attempt constructing a new response).
</t>
<t>IKE is a reliable protocol: the initiator MUST
retransmit a request until it either receives a corresponding response or deems the IKE SA to have failed. In the latter case, the initiator discards all
state associated with the IKE SA and any Child SAs that were negotiated using that
IKE SA.
A retransmission from the
initiator MUST be bitwise identical to the original request.
That is, everything starting from the IKE header (the IKE SA initiator's
SPI onwards) must be bitwise identical; items before it (such as the IP and
UDP headers) do not have to be identical.</t>
<t>Retransmissions of the IKE_SA_INIT request
require some special handling. When a responder receives an
IKE_SA_INIT request, it has to determine whether the packet is a
retransmission belonging to an existing "half-open" IKE SA (in which
case the responder retransmits the same response), or a new request
(in which case the responder creates a new IKE SA and sends a fresh
response), or it belongs to an existing IKE SA where the IKE_AUTH
request has been already received (in which case the responder ignores
it).</t>
<t>It is not sufficient to use the initiator's SPI and/or IP address
to differentiate between these three cases because two different peers
behind a single NAT could choose the same initiator SPI. Instead, a
robust responder will do the IKE SA lookup using the whole packet, its
hash, or the Ni payload.</t>
<t>The retransmission policy for one-way messages is somewhat
different from that for regular messages. Because no acknowledgement
is ever sent, there is no reason to gratuitously retransmit one-way
messages. Given that all these messages are errors, it makes sense to
send them only once per "offending" packet, and only retransmit if
further offending packets are received. Still, it also makes sense to
limit retransmissions of such error messages.</t>
</section>
<section anchor='sect-2.2' title='Use of Sequence Numbers for Message ID'>
<t>Every IKE message contains a Message ID as part of its fixed header.
This Message ID is used to match up requests and responses and to
identify retransmissions of messages. Retransmission of a message
MUST use the same Message ID as the original message.</t>
<t>The Message ID is a 32-bit quantity, which is zero for the
IKE_SA_INIT messages (including retries of the message due to
responses such as COOKIE and INVALID_KE_PAYLOAD), and incremented for
each subsequent exchange. Thus, the first pair of IKE_AUTH messages
will have an ID of 1, the second (when EAP is used) will be 2, and so on.
The Message ID is reset to zero in the new IKE SA after the IKE SA is
rekeyed.</t>
<t>Each endpoint in the IKE Security Association
maintains two "current" Message IDs: the next one to be used for a
request it initiates and the next one it expects to see in a request
from the other end. These counters increment as requests are generated
and received. Responses always contain the same Message ID as the
corresponding request. That means that after the initial exchange, each
integer n may appear as the Message ID in four distinct messages: the
nth request from the original IKE initiator, the corresponding response,
the nth request from the original IKE responder, and the corresponding
response. If the two ends make a very different number of requests, the
Message IDs in the two directions can be very different. There is no
ambiguity in the messages, however, because the Initiator and
Response flags in the message header specify which of the four messages
a particular one is.</t>
<t>Throughout this document, "initiator" refers to the party who
initiated the exchange being described. The "original
initiator" always refers to the party who initiated the exchange
that resulted in the current IKE SA. In other words, if the
"original responder" starts rekeying the IKE SA, that party becomes
the "original initiator" of the new IKE SA.</t>
<t>Note that Message IDs are cryptographically protected and provide
protection against message replays. In the unlikely event that Message
IDs grow too large to fit in 32 bits, the IKE SA MUST be closed or rekeyed.
</t>
</section>
<section anchor='sect-2.3' title='Window Size for Overlapping Requests'>
<t>The SET_WINDOW_SIZE notification asserts that the
sending endpoint is capable of keeping state for multiple outstanding
exchanges, permitting the recipient to send multiple requests before
getting a response to the first. The data associated with a
SET_WINDOW_SIZE notification MUST be 4 octets long and contain the big
endian representation of the number of messages the sender promises to
keep. The window size is always one until the initial exchanges
complete.</t>
<t>An IKE endpoint MUST wait for a response to each of its messages
before sending a subsequent message unless it has received a
SET_WINDOW_SIZE Notify message from its peer informing it that the peer
is prepared to maintain state for multiple outstanding messages in order
to allow greater throughput.</t>
<t>After an IKE SA is set up, in order to maximize IKE throughput, an
IKE endpoint MAY issue multiple requests before getting a response to
any of them, up to the limit set by its peer's SET_WINDOW_SIZE.
These requests may pass one another over the network. An IKE
endpoint MUST be prepared to accept and process a request while it has a
request outstanding in order to avoid a deadlock in this situation.
An IKE endpoint may also accept and process
multiple requests while it has a request outstanding.</t>
<t>An IKE endpoint MUST NOT exceed the peer's stated window size for
transmitted IKE requests. In other words, if the responder stated its
window size is N, then when the initiator needs to make a request X, it
MUST wait until it has received responses to all requests up through
request X-N. An IKE endpoint MUST keep a copy of (or be able to
regenerate exactly) each request it has sent until it receives the
corresponding response. An IKE endpoint MUST keep a copy of (or be able
to regenerate exactly) the number of previous responses equal to its
declared window size in case its response was lost and the initiator
requests its retransmission by retransmitting the request.</t>
<t>An IKE endpoint supporting a window size greater than one ought to be
capable of processing incoming requests out of order to maximize
performance in the event of network failures or packet reordering.</t>
<t>The window size is normally a (possibly
configurable) property of a particular implementation, and is not
related to congestion control (unlike the window size in TCP, for
example). In particular, what the responder should do
when it receives a SET_WINDOW_SIZE notification containing a smaller
value than is currently in effect is not defined. Thus, there is currently no way to
reduce the window size of an existing IKE SA; you can only increase it.
When rekeying an IKE SA, the new IKE SA starts with window size 1 until
it is explicitly increased by sending a new SET_WINDOW_SIZE
notification.</t>
<t>The INVALID_MESSAGE_ID notification is sent when an IKE
Message ID outside the supported window is received. This Notify message MUST
NOT be sent in a response; the invalid request MUST NOT be acknowledged.
Instead, inform the other side by initiating an INFORMATIONAL exchange
with Notification data containing the four-octet invalid Message ID.
Sending this notification is OPTIONAL, and notifications of this type
MUST be rate limited.</t>
</section>
<section anchor='sect-2.4' title='State Synchronization and Connection Timeouts'>
<t>An IKE endpoint is allowed to forget all of its state associated with
an IKE SA and the collection of corresponding Child SAs at any time.
This is the anticipated behavior in the event of an endpoint crash and
restart. It is important when an endpoint either fails or reinitializes
its state that the other endpoint detect those conditions and not
continue to waste network bandwidth by sending packets over discarded
SAs and having them fall into a black hole.</t>
<t>The INITIAL_CONTACT notification asserts that this
IKE SA is the only IKE SA currently active between the authenticated
identities. It MAY be sent when an IKE SA is established after a crash,
and the recipient MAY use this information to delete any other IKE SAs
it has to the same authenticated identity without waiting for a timeout.
This notification MUST NOT be sent by an entity that may be replicated
(e.g., a roaming user's credentials where the user is allowed to connect
to the corporate firewall from two remote systems at the same time).
The INITIAL_CONTACT notification, if sent, MUST be in
the first IKE_AUTH request or response, not as a separate exchange afterwards;
receiving parties MAY ignore it in other messages.</t>
<t>Since IKE is designed to operate in spite of DoS
attacks from the network, an endpoint MUST NOT conclude that the other
endpoint has failed based on any routing information (e.g., ICMP
messages) or IKE messages that arrive without cryptographic protection
(e.g., Notify messages complaining about unknown SPIs). An endpoint MUST
conclude that the other endpoint has failed only when repeated attempts
to contact it have gone unanswered for a timeout period or when a
cryptographically protected INITIAL_CONTACT notification is received on
a different IKE SA to the same authenticated identity. An endpoint
should suspect that the other endpoint has failed based on routing
information and initiate a request to see whether the other endpoint is
alive. To check whether the other side is alive, IKE specifies an empty
INFORMATIONAL message that (like all IKE requests) requires an
acknowledgement (note that within the context of an IKE SA, an "empty"
message consists of an IKE header followed by an Encrypted payload that
contains no payloads). If a cryptographically protected (fresh, i.e.,
not retransmitted) message has been
received from the other side recently, unprotected Notify messages MAY be
ignored. Implementations MUST limit the rate at which they take actions
based on unprotected messages.</t>
<t>The number of retries and length of timeouts are not covered in this
specification because they do not affect interoperability. It is
suggested that messages be retransmitted at least a dozen times over a
period of at least several minutes before giving up on an SA, but
different environments may require different rules. To be a good network
citizen, retransmission times MUST increase exponentially to avoid
flooding the network and making an existing congestion situation worse.
If there has only been outgoing traffic on all of the SAs associated
with an IKE SA, it is essential to confirm liveness of the other
endpoint to avoid black holes. If no cryptographically protected
messages have been received on an IKE SA or any of its Child SAs
recently, the system needs to perform a liveness check in order to
prevent sending messages to a dead peer. (This is sometimes called
"dead peer detection" or "DPD", although it is really detecting
live peers, not dead ones.)
Receipt of a fresh
cryptographically protected message on an IKE SA or any of its Child SAs
ensures liveness of the IKE SA and all of its Child SAs. Note that this
places requirements on the failure modes of an IKE endpoint. An
implementation needs to stop sending over any SA if some failure
prevents it from receiving on all of the associated SAs. If
a system creates Child SAs that
can fail independently from one another without the associated IKE SA
being able to send a delete message, then the system MUST negotiate
such Child SAs using separate IKE SAs.</t>
<t>There is a DoS attack on the initiator of an IKE SA
that can be avoided if the initiator takes the proper care. Since the
first two messages of an SA setup are not cryptographically protected,
an attacker could respond to the initiator's message before the genuine
responder and poison the connection setup attempt. To prevent this, the
initiator MAY be willing to accept multiple responses to its first
message, treat each as potentially legitimate, respond to it, and then
discard all the invalid half-open connections when it receives a valid
cryptographically protected response to any one of its requests. Once a
cryptographically valid response is received, all subsequent responses
should be ignored whether or not they are cryptographically valid.</t>
<t>Note that with these rules, there is no reason to negotiate and agree
upon an SA lifetime. If IKE presumes the partner is dead, based on
repeated lack of acknowledgement to an IKE message, then the IKE SA and
all Child SAs set up through that IKE SA are deleted.</t>
<t>An IKE endpoint may at any time delete inactive Child SAs to recover
resources used to hold their state. If an IKE endpoint chooses to delete
Child SAs, it MUST send Delete payloads to the other end notifying it of
the deletion. It MAY similarly time out the IKE SA.
Closing the IKE SA
implicitly closes all associated Child SAs. In this case, an IKE
endpoint SHOULD send a Delete payload indicating that it has closed the
IKE SA unless the other endpoint is no longer responding.</t>
</section>
<section anchor='sect-2.5' title='Version Numbers and Forward Compatibility'>
<t>This document describes version 2.0 of IKE, meaning the major version
number is 2 and the minor version number is 0.
This document is a replacement for <xref target='IKEV2'/>.
It is likely that some
implementations will want to support version 1.0 and version 2.0,
and in the future, other versions.</t>
<t>The major version number should be incremented only if the packet
formats or required actions have changed so dramatically that an older
version node would not be able to interoperate with a newer version node
if it simply ignored the fields it did not understand and took the
actions specified in the older specification. The minor version number
indicates new capabilities, and MUST be ignored by a node with a smaller
minor version number, but used for informational purposes by the node
with the larger minor version number. For example, it might indicate the
ability to process a newly defined Notify message type. The node with
the larger minor version number would simply note that its correspondent
would not be able to understand that message and therefore would not
send it.</t>
<t>If an endpoint receives a message with a
higher major version number, it MUST drop the message and SHOULD send an
unauthenticated Notify message of type INVALID_MAJOR_VERSION
containing the highest (closest) version
number it supports. If an endpoint supports major version n, and major
version m, it MUST support all versions between n and m. If it receives
a message with a major version that it supports, it MUST respond with
that version number. In order to prevent two nodes from being tricked
into corresponding with a lower major version number than the maximum
that they both support, IKE has a flag that indicates that the node is
capable of speaking a higher major version number.</t>
<t>Thus, the major version number in the IKE header indicates the version
number of the message, not the highest version number that the
transmitter supports. If the initiator is capable of speaking versions
n, n+1, and n+2, and the responder is capable of speaking versions n and
n+1, then they will negotiate speaking n+1, where the initiator will set
a flag indicating its ability to speak a higher version. If they
mistakenly (perhaps through an active attacker sending error messages)
negotiate to version n, then both will notice that the other side can
support a higher version number, and they MUST break the connection and
reconnect using version n+1.</t>
<t>Note that IKEv1 does not follow these rules, because there is no way
in v1 of noting that you are capable of speaking a higher version
number. So an active attacker can trick two v2-capable nodes into
speaking v1. When a v2-capable node negotiates
down to v1, it should note that fact in its logs.</t>
<t>Also, for forward compatibility, all fields marked RESERVED MUST be
set to zero by an implementation running version 2.0,
and their content MUST be
ignored by an implementation
running version 2.0 ("Be conservative in what you
send and liberal in what you receive" <xref target="IP" />). In this way, future versions of
the protocol can use those fields in a way that is guaranteed to be
ignored by implementations that do not understand them. Similarly,
payload types that are not defined are reserved for future use;
implementations of a version where they
are undefined MUST skip over those payloads and ignore
their contents.</t>
<t>IKEv2 adds a "critical" flag to each payload header for further
flexibility for forward compatibility. If the critical flag is set and
the payload type is unrecognized, the message MUST be rejected and the
response to the IKE request containing that payload MUST include a
Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an unsupported
critical payload was included. In that Notify payload,
the notification data contains the one-octet payload type. If the
critical flag is not set and the payload type is unsupported, that
payload MUST be ignored.
Payloads sent in IKE response messages MUST NOT have the
critical flag set.
Note that the critical flag applies only to the payload type, not
the contents. If the payload type is recognized, but the payload
contains something that is not (such as an unknown transform
inside an SA payload, or an unknown Notify Message Type inside a
Notify payload), the critical flag is ignored.</t>
<t>Although new payload
types may be added in the future and may appear interleaved with the
fields defined in this specification, implementations SHOULD send the
payloads defined in this specification in the order shown in the figures
in Sections 1 and 2; implementations MUST NOT
reject as invalid a message with those payloads in any other order.</t>
</section>
<section anchor='sect-2.6' title='IKE SA SPIs and Cookies'>
<t>The initial two eight-octet fields in the header, called the "IKE
SPIs", are used as a connection identifier at the beginning of IKE
packets. Each endpoint chooses one of the two SPIs and MUST choose
them so as to be unique identifiers of an IKE SA. An SPI value of
zero is special: it indicates that the remote SPI value is not yet
known by the sender.</t>
<t>Incoming IKE packets are mapped to an IKE SA only using the
packet's SPI, not using (for example) the source IP address of the
packet.</t>
<t>Unlike ESP and AH where only the recipient's SPI appears in the
header of a message, in IKE the sender's SPI is also sent in every
message. Since the SPI chosen by the original initiator of the IKE SA is
always sent first, an endpoint with multiple IKE SAs open that wants to
find the appropriate IKE SA using the SPI it assigned must look at the
Initiator flag in the header to determine whether it assigned the
first or the second eight octets.</t>
<t>In the first message of an initial IKE exchange, the initiator will
not know the responder's SPI value and will therefore set that field
to zero. When the IKE_SA_INIT exchange does not result in the creation
of an IKE SA due to INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN, or COOKIE,
the responder's SPI will be zero also in the response message.
However, if the responder sends a non-zero responder SPI, the
initiator should not reject the response for only that reason.</t>
<t>Two expected attacks against IKE are state and CPU exhaustion, where the
target is flooded with session initiation requests from forged IP
addresses. These attacks can be made less effective if
a responder uses minimal CPU and commits no state to an SA until it
knows the initiator can receive packets at the address from which it
claims to be sending them.</t>
<t>When a responder detects a large number of half-open IKE SAs, it
SHOULD reply to IKE_SA_INIT requests with a response containing the
COOKIE notification. The data associated with this
notification MUST be between 1 and 64 octets in length (inclusive),
and its generation is described later in this section. If the
IKE_SA_INIT response includes the COOKIE notification, the initiator
MUST then retry the IKE_SA_INIT request, and include the COOKIE
notification containing the received data as the first payload, and
all other payloads unchanged. The initial exchange will then be as
follows:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE)
HDR(A,0), N(COOKIE), SAi1,
KEi, Ni -->
<-- HDR(A,B), SAr1, KEr,
Nr, [CERTREQ]
HDR(A,B), SK {IDi, [CERT,]
[CERTREQ,] [IDr,] AUTH,
SAi2, TSi, TSr} -->
<-- HDR(A,B), SK {IDr, [CERT,]
AUTH, SAr2, TSi, TSr}
]]></artwork></figure>
<t>The first two messages do not affect any initiator or responder state
except for communicating the cookie. In particular, the message sequence
numbers in the first four messages will all be zero and the message
sequence numbers in the last two messages will be one. 'A' is the SPI
assigned by the initiator, while 'B' is the SPI assigned by the
responder.</t>
<t>An IKE implementation can implement its
responder cookie generation in such a way as to not require any saved
state to recognize its valid cookie when the second IKE_SA_INIT message
arrives. The exact algorithms and syntax used to generate cookies do
not affect interoperability and hence are not specified here. The
following is an example of how an endpoint could use cookies to
implement limited DoS protection.</t>
<t>A good way to do this is to set the responder cookie to be:</t>
<figure><artwork><![CDATA[
Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
]]></artwork></figure>
<t>where <secret> is a randomly generated secret known only to the
responder and periodically changed and | indicates concatenation.
<VersionIDofSecret> should be changed whenever <secret> is
regenerated. The cookie can be recomputed when the IKE_SA_INIT arrives
the second time and compared to the cookie in the received message. If
it matches, the responder knows that the cookie was generated since the last
change to <secret> and that IPi must be the same as the source
address it saw the first time. Incorporating SPIi into the calculation
ensures that if multiple IKE SAs are being set up in parallel they will
all get different cookies (assuming the initiator chooses unique
SPIi's). Incorporating Ni in the hash ensures that an attacker who
sees only message 2 can't successfully forge a message 3.
Also, incorporating SPIi in the hash prevents an attacker from fetching
one cookie from the other end, and then initiating many
IKE_SA_INIT exchanges all with different initiator SPIs (and perhaps
port numbers) so that the responder thinks that there are a lot of
machines behind one NAT box that are all trying to connect.</t>
<t>If a new value for <secret> is chosen while there are
connections in the process of being initialized, an IKE_SA_INIT might be
returned with other than the current <VersionIDofSecret>. The
responder in that case MAY reject the message by sending another
response with a new cookie or it MAY keep the old value of
<secret> around for a short time and accept cookies computed from
either one. The responder should not accept
cookies indefinitely after <secret> is changed, since that would
defeat part of the DoS protection.
The responder should change the value of <secret> frequently,
especially if under attack.</t>
<t>When one party receives an IKE_SA_INIT request
containing a cookie whose contents do not match the value expected,
that party MUST ignore the cookie and process the message as if no
cookie had been included; usually this means sending a response
containing a new cookie. The initiator should limit the number of
cookie exchanges it tries before giving up, possibly using
exponential back-off. An attacker can forge
multiple cookie responses to the initiator's IKE_SA_INIT message, and
each of those forged cookie replies will cause two packets to be sent: one packet
from the initiator to the responder (which will reject those cookies),
and one response from responder to initiator that includes the correct
cookie. </t>
<t>A note on terminology:
the term "cookies" originates with Karn and Simpson <xref
target='PHOTURIS'/> in Photuris, an early proposal for key management
with IPsec, and it has persisted. The Internet Security Association and
Key Management Protocol (ISAKMP) <xref target='ISAKMP'/> fixed message
header includes two eight-octet fields called "cookies", and that syntax
is used by both IKEv1 and IKEv2, although in IKEv2 they are referred to as
the "IKE SPI" and there is a new separate field in a Notify payload
holding the cookie.</t>
<section anchor='sect-2.6.1' title='Interaction of COOKIE and INVALID_KE_PAYLOAD'>
<t>There are two common reasons why the initiator may have to retry the
IKE_SA_INIT exchange: the responder requests a cookie or wants a
different Diffie-Hellman group than was included in the KEi payload. If
the initiator receives a cookie from the responder, the initiator needs
to decide whether or not to include the cookie in only the next retry of
the IKE_SA_INIT request, or in all subsequent retries as well.</t>
<t>If the initiator includes the cookie only in the next retry, one
additional round trip may be needed in some cases. An additional
round trip is needed also if the initiator includes the cookie in all
retries, but the responder does not support this. For instance, if the
responder includes the KEi payloads in cookie calculation, it
will reject the request by sending a new cookie.</t>
<t>If both peers support including the cookie in all retries, a slightly
shorter exchange can happen.</t>
<figure><artwork><![CDATA[
Initiator Responder
-----------------------------------------------------------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE)
HDR(A,0), N(COOKIE), SAi1, KEi, Ni -->
<-- HDR(A,0), N(INVALID_KE_PAYLOAD)
HDR(A,0), N(COOKIE), SAi1, KEi', Ni -->
<-- HDR(A,B), SAr1, KEr, Nr
]]></artwork></figure>
<t>Implementations SHOULD support this shorter
exchange, but MUST NOT fail if other implementations do not support this
shorter exchange.</t>
</section>
</section>
<section anchor='sect-2.7' title='Cryptographic Algorithm Negotiation'>
<t>The payload type known as "SA" indicates a proposal for a set of
choices of IPsec protocols (IKE, ESP, or AH) for the SA as well as
cryptographic algorithms associated with each protocol.</t>
<t>An SA payload consists of one or more proposals.
Each proposal includes one protocol. Each protocol contains one or more
transforms -- each specifying a cryptographic algorithm. Each transform
contains zero or more attributes (attributes are needed only if the
Transform ID does not completely specify the cryptographic
algorithm).</t>
<t>This hierarchical structure was designed to efficiently encode
proposals for cryptographic suites when the number of supported suites
is large because multiple values are acceptable for multiple transforms.
The responder MUST choose a single suite, which may be any subset of the
SA proposal following the rules below.</t>
<t>Each proposal contains one protocol. If a proposal is
accepted, the SA response MUST contain the same protocol.
The responder MUST accept a single proposal or
reject them all and return an error. The error is
given in a notification of type NO_PROPOSAL_CHOSEN.</t>
<t>Each IPsec protocol proposal contains one or more transforms. Each
transform contains a Transform Type. The accepted cryptographic suite
MUST contain exactly one transform of each type included in the
proposal. For example: if an ESP proposal includes transforms ENCR_3DES,
ENCR_AES w/keysize 128, ENCR_AES w/keysize 256, AUTH_HMAC_MD5, and
AUTH_HMAC_SHA, the accepted suite MUST contain one of the ENCR_
transforms and one of the AUTH_ transforms. Thus, six combinations are
acceptable.</t>
<t>If an initiator proposes both normal ciphers with integrity
protection as well as combined-mode ciphers, then two proposals are
needed. One of the proposals includes the normal ciphers with the
integrity algorithms for them, and the other proposal includes all the
combined-mode ciphers without the integrity algorithms (because
combined-mode ciphers are not allowed to have any integrity algorithm
other than "none").</t>
</section>
<section anchor='sect-2.8' title='Rekeying'>
<t>IKE, ESP, and AH Security Associations use secret keys that should
be used only for a limited amount of time and to protect a limited
amount of data. This limits the lifetime of the entire Security
Association. When the lifetime of a Security Association expires, the
Security Association MUST NOT be used. If there is demand, new Security
Associations MAY be established. Reestablishment of Security
Associations to take the place of ones that expire is referred to as
"rekeying".</t>
<t>To allow for minimal IPsec implementations, the ability to rekey SAs
without restarting the entire IKE SA is optional. An implementation MAY
refuse all CREATE_CHILD_SA requests within an IKE SA. If an SA has
expired or is about to expire and rekeying attempts using the mechanisms
described here fail, an implementation MUST close the IKE SA and any
associated Child SAs and then MAY start new ones.
Implementations may wish to support in-place rekeying of SAs, since doing
so offers better performance and is likely to reduce the number of
packets lost during the transition.</t>
<t>To rekey a Child SA within an existing IKE SA, create a new,
equivalent SA (see <xref target='sect-2.17'/> below), and when the new
one is established, delete the old one.
Note that, when rekeying, the new Child SA SHOULD NOT have
different Traffic Selectors and algorithms than the old one.</t>
<t>To rekey an IKE SA, establish
a new equivalent IKE SA (see <xref target='sect-2.18'/> below) with
the peer to whom the old IKE SA is shared using a CREATE_CHILD_SA
within the existing IKE SA. An IKE SA so created inherits all of the
original IKE SA's Child SAs, and the new IKE SA is used for all
control messages needed to maintain those Child SAs.
After the new equivalent IKE SA is created, the initiator deletes the old IKE SA,
and the Delete payload to delete itself MUST be the last
request sent over the old IKE SA.</t>
<t>SAs should be rekeyed proactively, i.e., the
new SA should be established before the old one expires and becomes
unusable. Enough time should elapse between the time the new SA is
established and the old one becomes unusable so that traffic can be
switched over to the new SA.</t>
<t>A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes
were negotiated. In IKEv2, each end of the SA is responsible for
enforcing its own lifetime policy on the SA and rekeying the SA when
necessary. If the two ends have different lifetime policies, the end
with the shorter lifetime will end up always being the one to request
the rekeying. If an SA has been inactive for a long time and if
an endpoint would not initiate the SA in the absence of traffic, the
endpoint MAY choose to close the SA instead of rekeying it when its
lifetime expires. It can also do so if there has
been no traffic since the last time the SA was rekeyed.</t>
<t>Note that IKEv2 deliberately allows parallel SAs with the same
Traffic Selectors between common endpoints. One of the purposes of this
is to support traffic quality of service (QoS) differences among the SAs
(see <xref target='DIFFSERVFIELD'/>, <xref target='DIFFSERVARCH'/>, and
Section 4.1 of <xref target='DIFFTUNNEL'/>). Hence unlike IKEv1, the
combination of the endpoints and the Traffic Selectors may not uniquely
identify an SA between those endpoints, so the IKEv1 rekeying heuristic
of deleting SAs on the basis of duplicate Traffic Selectors SHOULD NOT
be used.</t>
<t>There are timing windows -- particularly in the presence of lost
packets -- where endpoints may not agree on the state of an SA. The
responder to a CREATE_CHILD_SA MUST be prepared to accept messages on an
SA before sending its response to the creation request, so there is no
ambiguity for the initiator. The initiator MAY begin sending on an SA as
soon as it processes the response. The initiator, however, cannot
receive on a newly created SA until it receives and processes the
response to its CREATE_CHILD_SA request. How, then, is the responder to
know when it is OK to send on the newly created SA?</t>
<t>From a technical correctness and interoperability perspective, the
responder MAY begin sending on an SA as soon as it sends its response to
the CREATE_CHILD_SA request. In some situations, however, this could
result in packets unnecessarily being dropped, so an implementation MAY
defer such sending.</t>
<t>The responder can be assured that the initiator is prepared to
receive messages on an SA if either (1) it has received a
cryptographically valid message on the other half of the SA
pair, or (2) the new SA rekeys
an existing SA and it receives an IKE request to close the replaced SA.
When rekeying an SA, the responder continues to send traffic on
the old SA until one of those events occurs. When establishing a new
SA, the responder MAY defer sending messages on a new SA until either it
receives one or a timeout has occurred. If an initiator receives a
message on an SA for which it has not received a response to its
CREATE_CHILD_SA request, it interprets that as a likely packet
loss and retransmits the CREATE_CHILD_SA request. An initiator MAY send a
dummy ESP message on a newly created ESP SA if it has no messages queued in
order to assure the responder that the initiator is ready to receive
messages.</t>
<section anchor='sect-2.8.1' title='Simultaneous Child SA Rekeying'>
<t>If the two ends have the same lifetime policies, it is possible that
both will initiate a rekeying at the same time (which will result in
redundant SAs). To reduce the probability of this happening, the timing
of rekeying requests SHOULD be jittered (delayed by a random amount of
time after the need for rekeying is noticed).</t>
<t>This form of rekeying may temporarily result in multiple similar SAs
between the same pairs of nodes. When there are two SAs eligible to
receive packets, a node MUST accept incoming packets through either SA.
If redundant SAs are created though such a collision, the SA created
with the lowest of the four nonces used in the two exchanges SHOULD be
closed by the endpoint that created it. "Lowest" means
an octet-by-octet comparison (instead of, for instance,
comparing the nonces as large integers). In other words, start by
comparing the first octet; if they're equal, move to the next octet, and
so on. If you reach the end of one nonce, that nonce is the lower one.
The node that initiated the surviving rekeyed SA should delete the
replaced SA after the new one is established.</t>
<t>The following is an explanation on the impact this has on
implementations. Assume that hosts A and B have an existing Child SA
pair with SPIs (SPIa1,SPIb1), and both start rekeying it at the same
time:</t>
<figure><artwork><![CDATA[
Host A Host B
-------------------------------------------------------------------
send req1: N(REKEY_SA,SPIa1),
SA(..,SPIa2,..),Ni1,.. -->
<-- send req2: N(REKEY_SA,SPIb1),
SA(..,SPIb2,..),Ni2
recv req2 <--
]]></artwork></figure>
<t>At this point, A knows there is a simultaneous rekeying happening.
However, it cannot yet know which of the exchanges will have the
lowest nonce, so it will just note the situation and respond as
usual.</t>
<figure><artwork><![CDATA[
send resp2: SA(..,SPIa3,..),
Nr1,.. -->
--> recv req1
]]></artwork></figure>
<t>Now B also knows that simultaneous rekeying is going on. It responds
as usual.</t>
<figure><artwork><![CDATA[
<-- send resp1: SA(..,SPIb3,..),
Nr2,..
recv resp1 <--
--> recv resp2
]]></artwork></figure>
<t>At this point, there are three Child SA pairs between A and B (the
old one and two new ones). A and B can now compare the nonces.
Suppose that the lowest nonce was Nr1 in message resp2; in this case,
B (the sender of req2) deletes the redundant new SA, and A (the node
that initiated the surviving rekeyed SA), deletes the old one.</t>
<figure><artwork><![CDATA[
send req3: D(SPIa1) -->
<-- send req4: D(SPIb2)
--> recv req3
<-- send resp3: D(SPIb1)
recv req4 <--
send resp4: D(SPIa3) -->
]]></artwork></figure>
<t>The rekeying is now finished.</t>
<t>However, there is a second possible sequence of events that can
happen if some packets are lost in the network, resulting in
retransmissions. The rekeying begins as usual, but A's first packet
(req1) is lost.</t>
<figure><artwork><![CDATA[
Host A Host B
-------------------------------------------------------------------
send req1: N(REKEY_SA,SPIa1),
SA(..,SPIa2,..),
Ni1,.. --> (lost)
<-- send req2: N(REKEY_SA,SPIb1),
SA(..,SPIb2,..),Ni2
recv req2 <--
send resp2: SA(..,SPIa3,..),
Nr1,.. -->
--> recv resp2
<-- send req3: D(SPIb1)
recv req3 <--
send resp3: D(SPIa1) -->
--> recv resp3
]]></artwork></figure>
<t>From B's point of view, the rekeying is now completed, and since it
has not yet received A's req1, it does not even know that there was
simultaneous rekeying. However, A will continue retransmitting the
message, and eventually it will reach B.</t>
<figure><artwork><![CDATA[
resend req1 -->
--> recv req1
]]></artwork></figure>
<t>To B, it looks like A is trying to rekey an SA that no longer exists;
thus, B responds to the request with something non-fatal such as
CHILD_SA_NOT_FOUND.</t>
<figure><artwork><![CDATA[
<-- send resp1: N(CHILD_SA_NOT_FOUND)
recv resp1 <--
]]></artwork></figure>
<t>When A receives this error, it already knows there was simultaneous
rekeying, so it can ignore the error message.</t>
</section>
<section anchor='sect-2.8.2' title='Simultaneous IKE SA Rekeying'>
<t>Probably the most complex case occurs when both peers try to rekey
the IKE_SA at the same time. Basically, the text in <xref target='sect-2.8'/>
applies to this case as well; however, it is important to ensure that
the Child SAs are inherited by the correct IKE_SA.</t>
<t>The case where both endpoints notice the simultaneous rekeying
works the same way as with Child SAs. After the CREATE_CHILD_SA
exchanges, three IKE SAs exist between A and B: the old IKE SA and
two new IKE SAs. The new IKE SA containing the lowest nonce SHOULD be deleted by the node
that created it, and the other surviving new IKE SA MUST inherit all the
Child SAs.</t>
<t>In addition to normal simultaneous rekeying cases, there is a
special case where one peer finishes its rekey before it even notices
that other peer is doing a rekey.
If only one peer detects a simultaneous rekey,
redundant SAs are not created. In this case, when the peer that did
not notice the simultaneous rekey gets the request to rekey the IKE
SA that it has already successfully rekeyed, it SHOULD return
TEMPORARY_FAILURE because it is an IKE SA that it is currently trying
to close (whether or not it has already sent the delete notification
for the SA). If the peer that did notice the simultaneous rekey gets
the delete request from the other peer for the old IKE SA, it knows
that the other peer did not detect the simultaneous rekey, and the
first peer can forget its own rekey attempt.</t>
<figure><artwork><![CDATA[
Host A Host B
-------------------------------------------------------------------
send req1:
SA(..,SPIa1,..),Ni1,.. -->
<-- send req2: SA(..,SPIb1,..),Ni2,..
--> recv req1
<-- send resp1: SA(..,SPIb2,..),Nr2,..
recv resp1 <--
send req3: D() -->
--> recv req3
]]></artwork></figure>
<t>At this point, host B sees a request to close the IKE_SA. There's
not much more to do than to reply as usual. However, at this point
host B should stop retransmitting req2, since once host A receives
resp3, it will delete all the state associated with the old IKE_SA
and will not be able to reply to it.</t>
<figure><artwork><![CDATA[
<-- send resp3: ()
]]></artwork></figure>
<t>The TEMPORARY_FAILURE notification was not included in RFC 4306,
and support of the TEMPORARY_FAILURE notification is not negotiated.
Thus, older peers that implement RFC 4306 but not this document
may receive these notifications. In that case, they will
treat it the same as any other unknown error notification, and will
stop the exchange. Because the other peer has already rekeyed the
exchange, doing so does not have any ill effects.</t>
</section>
<section anchor='sect-2.8.3' title='Rekeying the IKE SA versus Reauthentication'>
<t>Rekeying the IKE SA and reauthentication are different concepts in
IKEv2. Rekeying the IKE SA establishes new keys for the IKE SA and
resets the Message ID counters, but it does not authenticate the
parties again (no AUTH or EAP payloads are involved).</t>
<t>Although rekeying the IKE SA may be important in some environments,
reauthentication (the verification that the parties still have access
to the long-term credentials) is often more important.</t>
<t>IKEv2 does not have any special support for reauthentication.
Reauthentication is done by creating a new IKE SA from scratch (using
IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA Notify
payloads), creating new Child SAs within the new IKE SA (without
REKEY_SA Notify payloads), and finally deleting the old IKE SA (which
deletes the old Child SAs as well).</t>
<t>This means that reauthentication also establishes new keys for the
IKE SA and Child SAs. Therefore, while rekeying can be performed
more often than reauthentication, the situation where "authentication
lifetime" is shorter than "key lifetime" does not make sense.</t>
<t> While creation of a new IKE SA can be initiated by either party
(initiator or responder in the original IKE SA), the use of EAP
and/or Configuration payloads means in practice that
reauthentication has to be initiated by the same party as the
original IKE SA. IKEv2 does not currently allow the responder to
request reauthentication in this case; however, there are extensions
that add this functionality such as <xref target='REAUTH'/>.</t>
</section>
</section>
<section anchor='sect-2.9' title='Traffic Selector Negotiation'>
<t>When an RFC4301-compliant IPsec subsystem receives an IP packet
that matches a "protect" selector in its
Security Policy Database (SPD), the subsystem protects
that packet with IPsec. When no SA exists yet, it is the task of IKE to
create it. Maintenance of a system's SPD is outside the scope of IKE,
although some
implementations might update their SPD in connection with the running of
IKE (for an example scenario, see <xref target='sect-1.1.3'/>).</t>
<t>Traffic Selector (TS) payloads allow endpoints to communicate some of
the information from their SPD to their peers.
These must be communicated to IKE from the SPD (for example, the
PF_KEY API <xref target='PFKEY'/> uses the SADB_ACQUIRE message).
TS payloads specify the
selection criteria for packets that will be forwarded over the newly set
up SA. This can serve as a consistency check in some scenarios to assure
that the SPDs are consistent. In others, it guides the dynamic update of
the SPD.</t>
<t>Two TS payloads appear in each of the messages in the exchange that
creates a Child SA pair. Each TS payload contains one or more Traffic
Selectors. Each Traffic Selector consists of an address range (IPv4 or
IPv6), a port range, and an IP protocol ID.</t>
<t>The first of the two TS payloads is known as TSi (Traffic
Selector-initiator). The second is known as TSr (Traffic
Selector-responder). TSi specifies the source address of traffic
forwarded from (or the destination address of traffic forwarded to) the
initiator of the Child SA pair. TSr specifies the destination address of
the traffic forwarded to (or the source address of the traffic
forwarded from) the responder of the Child SA pair. For example, if the
original initiator requests the creation of a Child SA pair, and wishes
to tunnel all traffic from subnet 198.51.100.* on the initiator's side to
subnet 192.0.2.* on the responder's side, the initiator would include a
single Traffic Selector in each TS payload. TSi would specify the
address range (198.51.100.0 - 198.51.100.255) and TSr would specify the
address range (192.0.2.0 - 192.0.2.255). Assuming that proposal was
acceptable to the responder, it would send identical TS payloads back.
</t>
<t>IKEv2 allows the responder to choose a subset of the traffic
proposed by the initiator. This could happen when the
configurations of the two endpoints are being updated but only one
end has received the new information. Since the two endpoints may
be configured by different people, the incompatibility may persist
for an extended period even in the absence of errors. It also
allows for intentionally different configurations, as when one end
is configured to tunnel all addresses and depends on the other end
to have the up-to-date list.</t>
<t>When the responder chooses a subset of the traffic proposed by the
initiator, it narrows the Traffic Selectors to some subset of the
initiator's proposal (provided the set does not become the null
set). If the type of Traffic Selector proposed is unknown, the
responder ignores that Traffic Selector, so that the unknown type is
not returned in the narrowed set.</t>
<t>
To enable the responder to choose the appropriate range in this case,
if the initiator has requested the SA due to a data packet, the
initiator SHOULD include as the first Traffic Selector in each of TSi
and TSr a very specific Traffic Selector including the addresses in
the packet triggering the request.
In the example,
the initiator would include in TSi two Traffic Selectors: the first
containing the address range (198.51.100.43 - 198.51.100.43) and the
source port and IP protocol from the packet and the second
containing (198.51.100.0 - 198.51.100.255) with all ports and IP
protocols. The initiator would similarly include two Traffic
Selectors in TSr. If the initiator creates the Child SA pair not
in response to an arriving packet, but rather, say, upon startup,
then there may be no specific addresses the initiator prefers for
the initial tunnel over any other. In that case, the first values
in TSi and TSr can be ranges rather than specific values.</t>
<t>The responder performs the narrowing as follows:</t>
<t><list style='symbols'>
<t>If the responder's policy does not allow it to accept any part of
the proposed Traffic Selectors, it responds with a
TS_UNACCEPTABLE Notify message.</t>
<t>If the responder's policy allows the entire set of traffic covered
by TSi and TSr, no narrowing is necessary, and the responder can
return the same TSi and TSr values.</t>
<t>If the responder's policy allows it to accept the first selector
of TSi and TSr, then the responder MUST narrow the Traffic
Selectors to a subset that includes the initiator's first choices.
In this example above, the responder might respond with TSi being
(198.51.100.43 - 198.51.100.43) with all ports and IP protocols.</t>
<t>If the responder's policy does not allow it to accept the
first selector of TSi and TSr, the responder narrows to an
acceptable subset of TSi and TSr.</t>
</list></t>
<t>When narrowing is done, there may be several subsets that are
acceptable but their union is not. In this case, the responder
arbitrarily chooses one of them, and MAY include an
ADDITIONAL_TS_POSSIBLE notification in the response.
The ADDITIONAL_TS_POSSIBLE notification asserts
that the responder narrowed the proposed Traffic Selectors but that
other Traffic Selectors would also have been acceptable, though
only in a separate SA. There is no data associated with this
Notify type. This case will occur only when the initiator and
responder are configured differently from one another. If the
initiator and responder agree on the granularity of tunnels, the
initiator will never request a tunnel wider than the responder will
accept.</t>
<t>It is possible for the responder's policy to contain multiple
smaller ranges, all encompassed by the initiator's Traffic Selector,
and with the responder's policy being that each of those ranges
should be sent over a different SA. Continuing the example above,
the responder might have a policy of being willing to tunnel those
addresses to and from the initiator, but might require that each
address pair be on a separately negotiated Child SA. If the
initiator didn't generate its request based on the packet, but (for
example) upon startup, there would not be the very specific first
Traffic Selectors helping the responder to select the correct range.
There would be no way for the responder to determine which pair of
addresses should be included in this tunnel, and it would have to
make a guess or reject the request with a
SINGLE_PAIR_REQUIRED Notify message.</t>
<t>The SINGLE_PAIR_REQUIRED error indicates that a
CREATE_CHILD_SA request is unacceptable because its sender is only
willing to accept Traffic Selectors specifying a single pair of
addresses. The requestor is expected to respond by requesting an
SA for only the specific traffic it is trying to forward.</t>
<t>Few implementations will have policies that
require separate SAs for each address pair. Because of this, if
only some parts of the TSi and TSr proposed by the initiator are
acceptable to the responder, responders SHOULD narrow the selectors
to an acceptable subset rather than use SINGLE_PAIR_REQUIRED.</t>
<section anchor='sect-2.9.1' title='Traffic Selectors Violating Own Policy'>
<t>When creating a new SA, the initiator needs to avoid proposing
Traffic Selectors that violate its own policy. If this rule is not
followed, valid traffic may be dropped. If you use decorrelated
policies from <xref target="IPSECARCH"/>, this kind of policy violations
cannot happen.</t>
<t>This is best illustrated by an example. Suppose that host A has a
policy whose effect is that traffic to 198.51.100.66 is sent via host B
encrypted using AES, and traffic to all other hosts in 198.51.100.0/24
is also sent via B, but must use 3DES. Suppose also that host B
accepts any combination of AES and 3DES.</t>
<t>If host A now proposes an SA that uses 3DES, and includes TSr
containing (198.51.100.0-198.51.100.255), this will be accepted by host
B. Now, host B can also use this SA to send traffic from 198.51.100.66,
but those packets will be dropped by A since it requires the use of
AES for this traffic. Even if host A creates a new SA only for
198.51.100.66 that uses AES, host B may freely continue to use the first
SA for the traffic. In this situation, when proposing the SA, host A
should have followed its own policy, and included a TSr containing
((198.51.100.0-198.51.100.65),(198.51.100.67-198.51.100.255)) instead.</t>
<t>In general, if (1) the initiator makes a proposal "for traffic X
(TSi/TSr), do SA", and (2) for some subset X' of X, the initiator
does not actually accept traffic X' with SA, and (3) the initiator
would be willing to accept traffic X' with some SA' (!=SA), valid
traffic can be unnecessarily dropped since the responder can apply
either SA or SA' to traffic X'.</t>
</section>
</section>
<section anchor='sect-2.10' title='Nonces'>
<t>The IKE_SA_INIT messages each contain a nonce. These nonces are used
as inputs to cryptographic functions. The CREATE_CHILD_SA request and
the CREATE_CHILD_SA response also contain nonces. These nonces are used
to add freshness to the key derivation technique used to obtain keys for
Child SA, and to ensure creation of strong pseudorandom bits from the
Diffie-Hellman key. Nonces used in IKEv2 MUST be randomly chosen, MUST
be at least 128 bits in size, and MUST be at least half the key size of
the negotiated pseudorandom function (PRF).
However, the initiator chooses the nonce before the
outcome of the negotiation is known. Because of that, the nonce has to
be long enough for all the PRFs being proposed. If the same random
number source is used for both keys and nonces, care must be taken to
ensure that the latter use does not compromise the former.</t>
</section>
<section anchor='sect-2.11' title='Address and Port Agility'>
<t>IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
AH associations for the same IP addresses over which it runs. The IP addresses
and ports in the outer header are, however, not themselves
cryptographically protected, and IKE is designed to work even through
Network Address Translation (NAT) boxes. An implementation MUST accept
incoming requests even if the source port is not 500 or 4500, and MUST
respond to the address and port from which the request was received. It
MUST specify the address and port at which the request was received as
the source address and port in the response. IKE functions identically
over IPv4 or IPv6.</t>
</section>
<section anchor='sect-2.12' title='Reuse of Diffie-Hellman Exponentials'>
<t>IKE generates keying material using an ephemeral Diffie-Hellman
exchange in order to gain the property of "perfect forward secrecy".
This means that once a connection is closed and its corresponding keys
are forgotten, even someone who has recorded all of the data from the
connection and gets access to all of the long-term keys of the two
endpoints cannot reconstruct the keys used to protect the conversation
without doing a brute force search of the session key space.</t>
<t>Achieving perfect forward secrecy requires that when a connection is
closed, each endpoint MUST forget not only the keys used by the
connection but also any information that could be used to recompute those
keys.</t>
<t>Because computing Diffie-Hellman exponentials is computationally
expensive, an endpoint may find it advantageous to reuse those
exponentials for multiple connection setups. There are several
reasonable strategies for doing this. An endpoint could choose a new
exponential only periodically though this could result in
less-than-perfect forward secrecy if some connection lasts for less than
the lifetime of the exponential. Or it could keep track of which
exponential was used for each connection and delete the information
associated with the exponential only when some corresponding connection
was closed. This would allow the exponential to be reused without losing
perfect forward secrecy at the cost of maintaining more state.</t>
<t>Whether and when to reuse Diffie-Hellman exponentials are private
decisions in the sense that they will not affect interoperability. An
implementation that reuses exponentials MAY choose to remember the
exponential used by the other endpoint on past exchanges and if one is
reused to avoid the second half of the calculation. See <xref
target='REUSE'/> and <xref target='RFC6989'/> for a security analysis
of this practice and for additional security considerations when
reusing ephemeral Diffie-Hellman keys.</t>
</section>
<section anchor='sect-2.13' title='Generating Keying Material'>
<t>In the context of the IKE SA, four cryptographic algorithms are
negotiated: an encryption algorithm, an integrity protection algorithm,
a Diffie-Hellman group, and a pseudorandom function (PRF). The
PRF is used for the construction of keying material
for all of the cryptographic algorithms used in both the IKE SA and the
Child SAs.</t>
<t>We assume that each encryption algorithm and integrity protection
algorithm uses a fixed-size key and that any randomly chosen value of
that fixed size can serve as an appropriate key. For algorithms that
accept a variable-length key, a fixed key size MUST be specified as
part of the cryptographic transform negotiated (see <xref target='sect-3.3.5'/> for
the definition of the Key Length transform attribute). For algorithms
for which not all values are valid keys (such as DES or 3DES with key
parity), the algorithm by which keys are derived from arbitrary values
MUST be specified by the cryptographic transform. For integrity
protection functions based on Hashed Message Authentication Code
(HMAC), the fixed key size is the size of the output of the underlying
hash function.</t>
<t>It is assumed that PRFs accept keys of
any length, but have a preferred key size. The preferred key size MUST be
used as the length of SK_d, SK_pi, and SK_pr (see <xref target='sect-2.14'/>). For
PRFs based on the HMAC construction, the preferred key size is equal
to the length of the output of the underlying hash function. Other
types of PRFs MUST specify their preferred key size.</t>
<t>Keying material will always be derived as the output of the
negotiated PRF algorithm. Since the amount of keying material needed
may be greater than the size of the output of the PRF,
the PRF is used iteratively. The term "prf+"
describes a function that outputs a pseudorandom stream based on
the inputs to a pseudorandom function called "prf".</t>
<t>In the following, | indicates concatenation. prf+ is defined
as:</t>
<figure><artwork><![CDATA[
prf+ (K,S) = T1 | T2 | T3 | T4 | ...
where:
T1 = prf (K, S | 0x01)
T2 = prf (K, T1 | S | 0x02)
T3 = prf (K, T2 | S | 0x03)
T4 = prf (K, T3 | S | 0x04)
...
]]></artwork></figure>
<t>This continues until all the material needed to compute all required keys
has been output from prf+. The keys are taken
from the output string without regard to boundaries (e.g., if the
required keys are a 256-bit Advanced Encryption Standard (AES)
key and a 160-bit HMAC key, and the prf
function generates 160 bits, the AES key will come from T1 and the
beginning of T2, while the HMAC key will come from the rest of T2 and
the beginning of T3).</t>
<t>The constant concatenated to the end of each prf function
is a single octet. The prf+ function is not defined beyond 255 times
the size of the prf function output.</t>
</section>
<section anchor='sect-2.14' title='Generating Keying Material for the IKE SA'>
<t>The shared keys are computed as follows. A quantity called SKEYSEED
is calculated from the nonces exchanged during the IKE_SA_INIT exchange
and the Diffie-Hellman shared secret established during that exchange.
SKEYSEED is used to calculate seven other secrets: SK_d used for
deriving new keys for the Child SAs established with this IKE SA; SK_ai
and SK_ar used as a key to the integrity protection algorithm for
authenticating the component messages of subsequent exchanges; SK_ei and
SK_er used for encrypting (and of course decrypting) all subsequent
exchanges; and SK_pi and SK_pr, which are used when generating an AUTH
payload. The lengths of SK_d, SK_pi, and SK_pr MUST be the preferred key length of
the PRF agreed upon.</t>
<t>SKEYSEED and its derivatives are computed as follows:</t>
<figure><artwork><![CDATA[
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr }
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
]]></artwork></figure>
<t>(indicating that the quantities SK_d, SK_ai, SK_ar, SK_ei, SK_er,
SK_pi, and SK_pr are taken in order from the generated bits of the
prf+). g^ir is the shared secret from the ephemeral Diffie-Hellman
exchange. g^ir is represented as a string of octets in big endian
order padded with zeros if necessary to make it the length of the
modulus. Ni and Nr are the nonces, stripped of any headers. For
historical backward-compatibility reasons, there are two PRFs that
are treated specially in this calculation. If the negotiated PRF is
AES-XCBC-PRF-128 <xref target="AESXCBCPRF128"/> or AES-CMAC-PRF-128 <xref
target="AESCMACPRF128"/>, only the first 64 bits of Ni and the first 64 bits
of Nr are used in calculating SKEYSEED, but all the bits are used for input to the
prf+ function.</t>
<t>The two directions of traffic flow use different keys. The keys used
to protect messages from the original initiator are SK_ai and SK_ei. The
keys used to protect messages in the other direction are SK_ar and
SK_er.</t>
</section>
<section anchor='sect-2.15' title='Authentication of the IKE SA'>
<t>When not using extensible authentication (see <xref
target='sect-2.16'/>), the peers are authenticated by having each sign
(or MAC using a padded shared secret as the key, as described later
in this section) a block of data. In these calculations, IDi' and IDr' are the
entire ID payloads excluding the fixed header. For the
responder, the octets to be signed start with the first octet of the
first SPI in the header of the second message (IKE_SA_INIT response)
and end with the last octet of the last payload in the second message.
Appended to this (for the purposes of computing the signature) are the
initiator's nonce Ni (just the value, not the payload containing it),
and the value prf(SK_pr, IDr'). Note that neither the nonce Ni nor the
value prf(SK_pr, IDr') are transmitted. Similarly, the initiator signs
the first message (IKE_SA_INIT request), starting with the first octet
of the first SPI in the header and ending with the last octet of the
last payload. Appended to this (for purposes of computing the
signature) are the responder's nonce Nr, and the value
prf(SK_pi, IDi'). It is critical to the
security of the exchange that each side sign the other side's
nonce.</t>
<t>The initiator's signed octets can be described as:</t>
<figure><artwork><![CDATA[
InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
RealMessage1 = RealIKEHDR | RestOfMessage1
NonceRPayload = PayloadHeader | NonceRData
InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload
RestOfInitIDPayload = IDType | RESERVED | InitIDData
MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
]]></artwork></figure>
<t>The responder's signed octets can be described as:</t>
<figure><artwork><![CDATA[
ResponderSignedOctets = RealMessage2 | NonceIData | MACedIDForR
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
RealMessage2 = RealIKEHDR | RestOfMessage2
NonceIPayload = PayloadHeader | NonceIData
ResponderIDPayload = PayloadHeader | RestOfRespIDPayload
RestOfRespIDPayload = IDType | RESERVED | RespIDData
MACedIDForR = prf(SK_pr, RestOfRespIDPayload)
]]></artwork></figure>
<t>Note that all of the payloads are included under the signature,
including any payload types not defined in this document. If the first
message of the exchange is sent multiple times (such as with a responder
cookie and/or a different Diffie-Hellman group), it is the latest
version of the message that is signed.</t>
<t>Optionally, messages 3 and 4 MAY include a certificate, or
certificate chain providing evidence that the key used to compute a
digital signature belongs to the name in the ID payload. The signature
or MAC will be computed using algorithms dictated by the type of key
used by the signer, and specified by the Auth Method field in the
Authentication payload. There is no requirement that the initiator and
responder sign with the same cryptographic algorithms. The choice of
cryptographic algorithms depends on the type of key each has. In
particular, the initiator may be using a shared key while the responder
may have a public signature key and certificate. It will commonly be the
case (but it is not required) that, if a shared secret is used for
authentication, the same key is used in both directions.</t>
<t>Note that
it is a common but typically insecure practice to have a shared key
derived solely from a user-chosen password without incorporating another
source of randomness. This is typically insecure because user-chosen
passwords are unlikely to have sufficient unpredictability to resist
dictionary attacks and these attacks are not prevented in this
authentication method. (Applications using password-based authentication
for bootstrapping and IKE SA should use the authentication method in
<xref target='sect-2.16'/>, which is designed to prevent off-line
dictionary attacks.) The pre-shared key needs to contain as much
unpredictability as the strongest key being negotiated. In the case of a
pre-shared key, the AUTH value is computed as:</t>
<figure><artwork><![CDATA[
For the initiator:
AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"),
<InitiatorSignedOctets>)
For the responder:
AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"),
<ResponderSignedOctets>)
]]></artwork></figure>
<t>where the string "Key Pad for IKEv2" is 17 ASCII characters without
null termination. The shared secret can be variable length. The pad
string is added so that if the shared secret is derived from a password,
the IKE implementation need not store the password in cleartext, but
rather can store the value prf(Shared Secret,"Key Pad for IKEv2"), which
could not be used as a password equivalent for protocols other than
IKEv2. As noted above, deriving the shared secret from a password is not
secure. This construction is used because it is anticipated that people
will do it anyway. The management interface by which the shared secret
is provided MUST accept ASCII strings of at least 64 octets and MUST NOT
add a null terminator before using them as shared secrets. It MUST also
accept a hex encoding of the shared secret. The management interface MAY
accept other encodings if the algorithm for translating the encoding to
a binary string is specified.</t>
<t>There are two types of EAP authentication (described in <xref
target='sect-2.16'/>), and each type uses different values in the
AUTH computations shown above. If the EAP method is key-generating,
substitute master session key (MSK) for the shared secret in the computation. For
non-key-generating methods, substitute SK_pi and SK_pr, respectively,
for the shared secret in the two AUTH computations.</t>
</section>
<section anchor='sect-2.16' title='Extensible Authentication Protocol Methods'>
<t>In addition to authentication using public key signatures and shared
secrets, IKE supports authentication using methods defined in RFC 3748
<xref target='EAP'/>. Typically, these methods are asymmetric (designed
for a user authenticating to a server), and they may not be mutual.
For this reason, these protocols are typically used to authenticate
the initiator to the responder and MUST be used in conjunction with a
public-key-signature-based authentication of the responder to the initiator. These methods
are often associated with mechanisms referred to as "Legacy
Authentication" mechanisms.</t>
<t>While this document references <xref target='EAP'/> with the intent that
new methods can be added in the future without updating this
specification, some simpler variations are documented here.
<xref target='EAP'/> defines an authentication
protocol requiring a variable number of messages. Extensible
Authentication is implemented in IKE as additional IKE_AUTH exchanges
that MUST be completed in order to initialize the IKE SA.</t>
<t>An initiator indicates a desire to use EAP by
leaving out the AUTH payload from the first message in the IKE_AUTH exchange.
(Note that the AUTH payload is required for non-EAP authentication, and
is thus not marked as optional in the rest of this document.)
By including an IDi payload
but not an AUTH payload, the initiator has declared an identity but has
not proven it. If the responder is willing to use an EAP method, it will place an Extensible
Authentication Protocol (EAP) payload in the response of the IKE_AUTH exchange and
defer sending SAr2, TSi, and TSr until initiator authentication is
complete in a subsequent IKE_AUTH exchange. In the case of a minimal
EAP method, the initial SA establishment will appear as
follows:</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SAi1, KEi, Ni -->
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERTREQ,]
[IDr,] SAi2,
TSi, TSr} -->
<-- HDR, SK {IDr, [CERT,] AUTH,
EAP }
HDR, SK {EAP} -->
<-- HDR, SK {EAP (success)}
HDR, SK {AUTH} -->
<-- HDR, SK {AUTH, SAr2, TSi, TSr }
]]></artwork></figure>
<t>As described in <xref target='sect-2.2'/>, when EAP is used, each
pair of IKE SA initial setup messages will have their message numbers
incremented; the first pair of IKE_AUTH messages will have an ID of 1,
the second will be 2, and so on.</t>
<t>For EAP methods that create a shared key as a side effect of
authentication, that shared key MUST be used by both the initiator and
responder to generate AUTH payloads in messages 7 and 8 using the syntax
for shared secrets specified in <xref target='sect-2.15'/>. The shared
key from EAP is the field from the EAP specification named MSK. This
shared key generated during an IKE exchange MUST NOT be used for any
other purpose.</t>
<t>EAP methods that do not establish a shared key SHOULD NOT be used, as
they are subject to a number of man-in-the-middle attacks <xref
target='EAPMITM'/> if these EAP methods are used in other protocols that
do not use a server-authenticated tunnel. Please see the Security
Considerations section
for more details. If EAP methods that do not generate
a shared key are used, the AUTH payloads in messages 7 and 8 MUST be
generated using SK_pi and SK_pr, respectively.</t>
<t>The initiator of an IKE SA using EAP needs to be capable of extending
the initial protocol exchange to at least ten IKE_AUTH exchanges in the
event the responder sends notification messages and/or retries the
authentication prompt. Once the protocol exchange defined by the chosen
EAP authentication method has successfully terminated, the responder
MUST send an EAP payload containing the Success message. Similarly, if
the authentication method has failed, the responder MUST send an EAP
payload containing the Failure message. The responder MAY at any time
terminate the IKE exchange by sending an EAP payload containing the
Failure message.</t>
<t>Following such an extended exchange, the EAP AUTH payloads MUST be
included in the two messages following the one containing the EAP
Success message.</t>
<t>When the initiator authentication uses
EAP, it is possible that the contents of the IDi payload is used only
for Authentication, Authorization, and Accounting (AAA) routing purposes and selecting which EAP method to use. This
value may be different from the identity authenticated by the EAP
method. It is important that policy lookups and access control decisions
use the actual authenticated identity. Often the EAP server is
implemented in a separate AAA server that communicates with the IKEv2
responder. In this case, the authenticated identity, if different from that in the
IDi payload, has to be sent from
the AAA server to the IKEv2 responder.</t>
</section>
<section anchor='sect-2.17' title='Generating Keying Material for Child SAs'>
<t>A single Child SA is created by the IKE_AUTH exchange, and additional
Child SAs can optionally be created in CREATE_CHILD_SA exchanges.
Keying material for them is generated as follows:</t>
<figure><artwork><![CDATA[
KEYMAT = prf+(SK_d, Ni | Nr)
]]></artwork></figure>
<t>Where Ni and Nr are the nonces from the IKE_SA_INIT exchange if this
request is the first Child SA created or the fresh Ni and Nr from the
CREATE_CHILD_SA exchange if this is a subsequent creation.</t>
<t>For CREATE_CHILD_SA exchanges including an optional Diffie-Hellman
exchange, the keying material is defined as:</t>
<figure><artwork><![CDATA[
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr )
]]></artwork></figure>
<t>where g^ir (new) is the shared secret from the ephemeral
Diffie-Hellman exchange of this CREATE_CHILD_SA exchange (represented as
an octet string in big endian order padded with zeros in the high-order
bits if necessary to make it the length of the modulus).</t>
<t>A single CREATE_CHILD_SA negotiation may result in multiple
Security Associations. ESP and AH SAs exist in pairs (one in each
direction), so two SAs are created in a single Child SA negotiation
for them. Furthermore, Child SA negotiation may include some future
IPsec protocol(s) in addition to, or instead of, ESP or AH (for
example, ROHC_INTEG as described in <xref target="ROHCV2"/>). In any
case, keying material for each Child SA MUST be taken from the
expanded KEYMAT using the following rules:</t>
<t><list style = 'symbols'>
<t>All keys for SAs carrying data from the initiator to the responder
are taken before SAs going from the responder to the initiator.</t>
<t>If multiple IPsec protocols are negotiated, keying material for
each Child SA is taken in the order in which the protocol headers
will appear in the encapsulated packet.</t>
<t>If an IPsec protocol requires multiple keys, the order in which
they are taken from the SA's keying material needs to be described in
the protocol's specification. For ESP and AH, <xref target='IPSECARCH'/>
defines the order, namely: the encryption key (if any) MUST be taken
from the first bits and the integrity key (if any) MUST be taken from
the remaining bits.</t>
</list></t>
<t>Each cryptographic algorithm takes a fixed number of bits of keying
material specified as part of the algorithm, or negotiated in SA
payloads (see <xref target='sect-2.13'/> for description of key lengths, and
<xref target='sect-3.3.5'/> for the definition of the Key Length transform attribute).</t>
</section>
<section anchor='sect-2.18' title='Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange'>
<t>The CREATE_CHILD_SA exchange can be used to rekey an existing IKE SA
(see Sections <xref target='sect-1.3.2' format='counter'/> and <xref target='sect-2.8' format='counter'/>). New
initiator and responder SPIs are supplied in the SPI fields in the
Proposal structures inside the Security Association (SA) payloads (not
the SPI fields in the IKE header). The TS payloads are omitted when
rekeying an IKE SA. SKEYSEED for the new IKE SA is computed using SK_d
from the existing IKE SA as follows:</t>
<figure><artwork><![CDATA[
SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr)
]]></artwork></figure>
<t>where g^ir (new) is the shared secret from the ephemeral
Diffie-Hellman exchange of this CREATE_CHILD_SA exchange (represented as
an octet string in big endian order padded with zeros if necessary to
make it the length of the modulus) and Ni and Nr are the two nonces
stripped of any headers.</t>
<t>The old and new IKE SA may have
selected a different PRF. Because the rekeying exchange belongs to
the old IKE SA, it is the old IKE SA's PRF that is used to generate SKEYSEED.</t>
<t>The main reason for rekeying the IKE SA is to ensure
that the compromise of old keying material does not provide information
about the current keys, or vice versa. Therefore, implementations MUST
perform a new Diffie-Hellman exchange when rekeying the IKE SA. In
other words, an initiator MUST NOT propose the value "NONE" for the
Diffie-Hellman transform, and a responder MUST NOT accept such a proposal. This
means that a successful exchange rekeying the IKE SA always includes the
KEi/KEr payloads.</t>
<t>The new IKE SA MUST reset its message counters to 0.</t>
<t>SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED
as specified in <xref target='sect-2.14'/>, using SPIi, SPIr, Ni, and Nr
from the new exchange, and using the new IKE SA's PRF.</t>
</section>
<section anchor='sect-2.19'
title='Requesting an Internal Address on a Remote Network'>
<t>Most commonly occurring in the endpoint-to-security-gateway scenario,
an endpoint may need an IP address in the network protected by the
security gateway and may need to have that address dynamically
assigned. A request for such a temporary address can be included in any
request to create a Child SA (including the implicit request in message
3) by including a CP payload.
Note, however, it is usual to only assign one IP address during
the IKE_AUTH exchange. That address persists at least until the
deletion of the IKE SA.</t>
<t>This function provides address allocation to an IPsec Remote Access
Client (IRAC) trying to tunnel into a network protected by an IPsec
Remote Access Server (IRAS). Since the IKE_AUTH exchange creates an
IKE SA and a Child SA, the IRAC MUST request the IRAS-controlled address
(and optionally other information concerning the protected network) in
the IKE_AUTH exchange. The IRAS may procure an address for the IRAC
from any number of sources such as a DHCP/BOOTP (Bootstrap Protocol) server or its own
address pool.
</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK {IDi, [CERT,]
[CERTREQ,] [IDr,] AUTH,
CP(CFG_REQUEST), SAi2,
TSi, TSr} -->
<-- HDR, SK {IDr, [CERT,] AUTH,
CP(CFG_REPLY), SAr2,
TSi, TSr}
]]></artwork></figure>
<t>In all cases, the CP payload MUST be inserted before the SA payload.
In variations of the protocol where there are multiple IKE_AUTH
exchanges, the CP payloads MUST be inserted in the messages containing
the SA payloads.</t>
<t>CP(CFG_REQUEST) MUST contain at least an INTERNAL_ADDRESS attribute
(either IPv4 or IPv6) but MAY contain any number of additional
attributes the initiator wants returned in the response.</t>
<t>For example, message from initiator to responder:</t>
<figure><artwork><![CDATA[
CP(CFG_REQUEST)=
INTERNAL_ADDRESS()
TSi = (0, 0-65535,0.0.0.0-255.255.255.255)
TSr = (0, 0-65535,0.0.0.0-255.255.255.255)
]]></artwork></figure>
<t>NOTE: Traffic Selectors contain (protocol, port range, address
range).</t>
<t>Message from responder to initiator:</t>
<figure><artwork><![CDATA[
CP(CFG_REPLY)=
INTERNAL_ADDRESS(192.0.2.202)
INTERNAL_NETMASK(255.255.255.0)
INTERNAL_SUBNET(192.0.2.0/255.255.255.0)
TSi = (0, 0-65535,192.0.2.202-192.0.2.202)
TSr = (0, 0-65535,192.0.2.0-192.0.2.255)
]]></artwork></figure>
<t>All returned values will be implementation dependent. As can be seen
in the above example, the IRAS MAY also send other attributes that were
not included in CP(CFG_REQUEST) and MAY ignore the non- mandatory
attributes that it does not support.</t>
<t>The responder MUST NOT send a CFG_REPLY without having first received
a CP(CFG_REQUEST) from the initiator, because we do not want the IRAS
to perform an unnecessary configuration lookup if the IRAC cannot
process the REPLY.</t>
<t>In the case where the IRAS's configuration requires that CP be used
for a given identity IDi, but IRAC has failed to send a
CP(CFG_REQUEST), IRAS MUST fail the request, and terminate the Child
SA creation with a FAILED_CP_REQUIRED error. The FAILED_CP_REQUIRED is
not fatal to the IKE SA; it simply causes the Child SA creation to fail.
The initiator can fix this by later starting a new Configuration
payload request. There is no associated data in the FAILED_CP_REQUIRED
error.</t>
</section>
<section anchor='sect-2.20' title="Requesting the Peer's Version">
<t>An IKE peer wishing to inquire about the other peer's IKE software
version information MAY use the method below. This is an example of a
configuration request within an INFORMATIONAL exchange, after the IKE SA
and first Child SA have been created.</t>
<t>An IKE implementation MAY decline to give out version information
prior to authentication or even after authentication
in case some implementation is known to have some security weakness. In
that case, it MUST either return an empty string or no CP payload if CP
is not supported.</t>
<figure><artwork><![CDATA[
Initiator Responder
-------------------------------------------------------------------
HDR, SK{CP(CFG_REQUEST)} -->
<-- HDR, SK{CP(CFG_REPLY)}
CP(CFG_REQUEST)=
APPLICATION_VERSION("")
CP(CFG_REPLY) APPLICATION_VERSION("foobar v1.3beta, (c) Foo Bar
Inc.")
]]></artwork></figure>
</section>
<section anchor='sect-2.21' title='Error Handling'>
<t>There are many kinds of errors that can occur during IKE
processing. The general rule is that if a request is received that is
badly formatted, or unacceptable for reasons of policy (such as no
matching cryptographic algorithms), the response contains a Notify
payload indicating the error. The decision whether or not to send
such a response depends whether or not there is an authenticated IKE
SA.</t>
<t>If there is an error parsing or processing a response packet, the
general rule is to not send back any error message because responses
should not generate new requests (and a new request would be the only
way to send back an error message). Such errors in parsing or
processing response packets should still cause the recipient to clean
up the IKE state (for example, by sending a Delete for a bad SA).</t>
<t>Only authentication failures (AUTHENTICATION_FAILED and EAP failure) and malformed
messages (INVALID_SYNTAX) lead to a deletion of the IKE SA without
requiring an explicit INFORMATIONAL exchange carrying a Delete
payload. Other error conditions MAY require such an exchange if
policy dictates that this is needed.
If the exchange is terminated with EAP Failure, an AUTHENTICATION_FAILED
notification is not sent.</t>
<section anchor='sect-2.21.1' title='Error Handling in IKE_SA_INIT'>
<t>Errors that occur before a cryptographically protected IKE SA is
established need to be handled very carefully. There is a trade-off
between wanting to help the peer to diagnose a problem and thus
responding to the error and wanting to avoid being part of a DoS
attack based on forged messages.</t>
<t>In an IKE_SA_INIT exchange, any error notification causes the
exchange to fail. Note that some error notifications such as COOKIE,
INVALID_KE_PAYLOAD or INVALID_MAJOR_VERSION may lead to a subsequent
successful exchange. Because all error notifications are completely
unauthenticated, the recipient should continue trying for some time
before giving up. The recipient should not immediately act based on
the error notification unless corrective actions are defined in this
specification, such as for COOKIE, INVALID_KE_PAYLOAD, and
INVALID_MAJOR_VERSION.</t>
</section>
<section anchor='sect-2.21.2' title='Error Handling in IKE_AUTH'>
<t>All errors that occur in an IKE_AUTH exchange, causing the
authentication to fail for whatever reason (invalid shared secret,
invalid ID, untrusted certificate issuer, revoked or expired
certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED
notification. If the error occurred on the responder, the
notification is returned in the protected response, and is usually
the only payload in that response. Although the IKE_AUTH messages are
encrypted and integrity protected, if the peer receiving this
notification has not authenticated the other end yet, that peer needs
to treat the information with caution.</t>
<t>If the error occurs on the initiator, the notification MAY be
returned in a separate INFORMATIONAL exchange, usually with no other
payloads. This is an exception for the general rule of not starting new
exchanges based on errors in responses.</t>
<t>Note, however, that request messages that contain an unsupported
critical payload, or where the whole message is malformed (rather
than just bad payload contents), MUST be rejected in their entirety,
and MUST only lead to an UNSUPPORTED_CRITICAL_PAYLOAD or
INVALID_SYNTAX Notification sent as a response. The receiver should not
verify the payloads related to authentication in this case.</t>
<t>If authentication has succeeded in the IKE_AUTH exchange, the IKE
SA is established; however, establishing the Child SA or requesting
configuration information may still fail. This failure does not
automatically cause the IKE SA to be deleted. Specifically, a
responder may include all the payloads associated with authentication
(IDr, CERT, and AUTH) while sending error notifications for the
piggybacked exchanges (FAILED_CP_REQUIRED,
NO_PROPOSAL_CHOSEN, and so on), and the initiator MUST NOT fail the
authentication because of this. The initiator MAY, of course, for
reasons of policy later delete such an IKE SA.</t>
<t>In an IKE_AUTH exchange, or in the INFORMATIONAL exchange
immediately following it (in case an error happened when
processing a response to IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD,
INVALID_SYNTAX, and AUTHENTICATION_FAILED notifications are the only
ones to cause the IKE SA to be deleted or not created, without a
Delete payload. Extension documents may define new error
notifications with these semantics, but MUST NOT use them unless the
peer has been shown to understand them, such as by using the Vendor ID
payload.</t>
</section>
<section anchor='sect-2.21.3' title='Error Handling after IKE SA is Authenticated'>
<t>After the IKE SA is authenticated, all requests having errors MUST
result in a response notifying about the error.</t>
<t>In normal situations, there should not be cases where a valid
response from one peer results in an error situation in the other
peer, so there should not be any reason for a peer to send error
messages to the other end except as a response. Because sending such
error messages as an INFORMATIONAL exchange might lead to further errors
that could cause loops, such errors SHOULD NOT be sent. If errors are
seen that indicate that the peers do not have the same state, it might be
good to delete the IKE SA to clean up state and start over.</t>
<t>If a peer parsing a request notices that it is badly formatted
(after it has passed the message authentication code checks and
window checks) and it returns an INVALID_SYNTAX notification, then
this error notification is considered fatal in both peers, meaning
that the IKE SA is deleted without needing an explicit Delete
payload.</t>
</section>
<section anchor='sect-2.21.4' title='Error Handling Outside IKE SA'>
<t>A node needs to limit the rate at which it will send messages in
response to unprotected messages.</t>
<t>If a node receives a message on UDP port 500 or 4500 outside the
context of an IKE SA known to it (and the message is not a request to
start an IKE SA), this may be the result of a recent crash of the
node. If the message is marked as a response, the node can audit the
suspicious event but MUST NOT respond. If the message is marked as a
request, the node can audit the suspicious event and MAY send a
response. If a response is sent, the response MUST be sent to the IP
address and port from where it came with the same IKE SPIs and the
Message ID copied. The response MUST NOT be cryptographically
protected and MUST contain an INVALID_IKE_SPI Notify payload. The
INVALID_IKE_SPI notification indicates an IKE message was received
with an unrecognized destination SPI; this usually indicates that the
recipient has rebooted and forgotten the existence of an IKE SA.</t>
<t>A peer receiving such an unprotected Notify payload MUST NOT
respond and MUST NOT change the state of any existing SAs. The
message might be a forgery or might be a response that a genuine
correspondent was tricked into sending. A node should treat such a
message (and also a network message like ICMP destination
unreachable) as a hint that there might be problems with SAs to that
IP address and should initiate a liveness check for any such IKE SA.
An implementation SHOULD limit the frequency of such tests to avoid
being tricked into participating in a DoS attack.</t>
<t>If an error occurs outside the context of an IKE request (e.g.,
the node is getting ESP messages on a nonexistent SPI), the node
SHOULD initiate an INFORMATIONAL exchange with a Notify payload
describing the problem.</t>
<t>A node receiving a suspicious message from an IP address (and
port, if NAT traversal is used) with which it has an IKE SA SHOULD
send an IKE Notify payload in an IKE INFORMATIONAL exchange over that
SA. The recipient MUST NOT change the state of any SAs as a result,
but may wish to audit the event to aid in diagnosing
malfunctions.</t>
</section>
</section>
<section anchor='sect-2.22' title='IPComp'>
<t>Use of IP Compression <xref target="IP-COMP"/> can be negotiated as part of the setup
of a Child SA. While IP Compression involves an extra header in each
packet and a compression parameter index (CPI), the virtual
"compression association" has no life outside the ESP or AH SA that
contains it. Compression associations disappear when the
corresponding ESP or AH SA goes away. It is not explicitly mentioned
in any Delete payload.</t>
<t>Negotiation of IP Compression is separate from the negotiation of
cryptographic parameters associated with a Child SA. A node requesting
a Child SA MAY advertise its support for one or more compression
algorithms through one or more Notify payloads of type IPCOMP_SUPPORTED.
This Notify message may be included only in a message containing an SA
payload negotiating a Child SA and indicates a willingness by its sender
to use IPComp on this SA. The response MAY indicate acceptance of a
single compression algorithm with a Notify payload of type
IPCOMP_SUPPORTED. These payloads MUST NOT occur in messages that do not
contain SA payloads.</t>
<t>The data associated with this Notify message includes
a two-octet IPComp CPI followed by a one-octet Transform ID optionally
followed by attributes whose length and format are defined by that
Transform ID. A message proposing an SA may contain multiple
IPCOMP_SUPPORTED notifications to indicate multiple supported
algorithms. A message accepting an SA may contain at most one.</t>
<t>The Transform IDs are listed here.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number Defined In
-------------------------------------
IPCOMP_OUI 1
IPCOMP_DEFLATE 2 RFC 2394
IPCOMP_LZS 3 RFC 2395
IPCOMP_LZJH 4 RFC 3051
]]></artwork></figure>
<t>Although there has been discussion of allowing multiple compression
algorithms to be accepted and to have different compression algorithms
available for the two directions of a Child SA, implementations of this
specification MUST NOT accept an IPComp algorithm that was not proposed,
MUST NOT accept more than one, and MUST NOT compress using an algorithm
other than one proposed and accepted in the setup of the Child SA.</t>
<t>A side effect of separating the negotiation of IPComp from
cryptographic parameters is that it is not possible to propose multiple
cryptographic suites and propose IP Compression with some of them but
not others.</t>
<t>In some cases, Robust Header Compression (ROHC) may be more
appropriate than IP Compression. <xref target="ROHCV2"/>
defines the use of ROHC with IKEv2 and IPsec.</t>
</section>
<section anchor='sect-2.23' title='NAT Traversal'>
<t>Network Address Translation (NAT) gateways are a controversial
subject. This section briefly describes what they are and how they are
likely to act on IKE traffic. Many people believe that NATs are evil and
that we should not design our protocols so as to make them work better.
IKEv2 does specify some unintuitive processing rules in order that NATs
are more likely to work.</t>
<t>NATs exist primarily because of the shortage of IPv4 addresses,
though there are other rationales. IP nodes that are "behind" a NAT have
IP addresses that are not globally unique, but rather are assigned from
some space that is unique within the network behind the NAT but that
are likely to be reused by nodes behind other NATs. Generally, nodes
behind NATs can communicate with other nodes behind the same NAT and
with nodes with globally unique addresses, but not with nodes behind
other NATs. There are exceptions to that rule. When those nodes make
connections to nodes on the real Internet, the NAT gateway "translates"
the IP source address to an address that will be routed back to the
gateway. Messages to the gateway from the Internet have their
destination addresses "translated" to the internal address that will
route the packet to the correct endnode.</t>
<t>NATs are designed to be "transparent" to endnodes. Neither software
on the node behind the NAT nor the node on the Internet requires
modification to communicate through the NAT. Achieving this transparency
is more difficult with some protocols than with others. Protocols that
include IP addresses of the endpoints within the payloads of the packet
will fail unless the NAT gateway understands the protocol and modifies
the internal references as well as those in the headers. Such knowledge
is inherently unreliable, is a network layer violation, and often
results in subtle problems.</t>
<t>Opening an IPsec connection through a NAT introduces special
problems. If the connection runs in transport mode, changing the IP
addresses on packets will cause the checksums to fail and the NAT cannot
correct the checksums because they are cryptographically protected. Even
in tunnel mode, there are routing problems because transparently
translating the addresses of AH and ESP packets requires special logic
in the NAT and that logic is heuristic and unreliable in nature. For
that reason, IKEv2 will use UDP encapsulation of IKE and ESP
packets. This encoding is slightly less efficient but is easier for NATs
to process. In addition, firewalls may be configured to pass UDP-encapsulated
IPsec traffic but not plain, unencapsulated ESP/AH or vice versa.</t>
<t>It is a common practice of NATs to translate TCP and UDP port numbers
as well as addresses and use the port numbers of inbound packets to
decide which internal node should get a given packet. For this reason,
even though IKE packets MUST be sent to and from UDP port 500 or 4500, they MUST
be accepted coming from any port and responses MUST be sent to the port
from whence they came. This is because the ports may be modified as the
packets pass through NATs. Similarly, IP addresses of the IKE endpoints
are generally not included in the IKE payloads because the payloads are
cryptographically protected and could not be transparently modified by
NATs.</t>
<t>Port 4500 is reserved for UDP-encapsulated ESP and IKE.
An IPsec endpoint that discovers a NAT between it and its
correspondent (as described below) MUST send all subsequent traffic from port 4500, which
NATs should not treat specially (as they might with port 500).</t>
<t>An initiator can use port 4500 for both IKE and ESP, regardless of
whether or not there is a NAT, even at the beginning of IKE. When
either side is using port 4500, sending ESP with UDP encapsulation
is not required, but understanding received UDP-encapsulated ESP
packets is required. UDP encapsulation MUST NOT be done on port 500.
If Network Address Translation Traversal (NAT-T) is supported (that is, if
NAT_DETECTION_*_IP payloads were exchanged during IKE_SA_INIT), all
devices MUST be able to receive and process both UDP-encapsulated
ESP and non-UDP-encapsulated ESP packets at any time. Either side
can decide whether or not to use UDP encapsulation for ESP
irrespective of the choice made by the other side. However, if a
NAT is detected, both devices MUST use UDP encapsulation for ESP.</t>
<t>The specific requirements for supporting NAT traversal
<xref target='NATREQ'/> are listed
below. Support for NAT traversal is optional. In this section only,
requirements listed as MUST apply only to implementations supporting NAT
traversal.</t>
<t><list style='symbols'>
<t>Both the IKE initiator and responder MUST include in their IKE_SA_INIT
packets Notify payloads of type NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP. Those payloads can be used to detect if
there is NAT between the hosts, and which end is behind the NAT. The
location of the payloads in the IKE_SA_INIT packets is just after the
Ni and Nr payloads (before the optional CERTREQ payload).</t>
<t>The data associated with the
NAT_DETECTION_SOURCE_IP notification is a SHA-1 digest of the SPIs (in
the order they appear in the header), IP address, and port from which this
packet was sent. There MAY be multiple NAT_DETECTION_SOURCE_IP payloads
in a message if the sender does not know which of several network
attachments will be used to send the packet. </t>
<t>The data associated with the
NAT_DETECTION_DESTINATION_IP notification is a SHA-1 digest of the SPIs
(in the order they appear in the header), IP address, and port to which
this packet was sent. </t>
<t>The recipient of either the
NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification MAY
compare the supplied value to a SHA-1 hash of the SPIs, source or recipient IP address (respectively),
address, and port, and if they don't match, it SHOULD enable NAT
traversal.
In the case there is a mismatch of the
NAT_DETECTION_SOURCE_IP hash with all of the NAT_DETECTION_SOURCE_IP payloads
received, the recipient MAY reject the connection attempt if NAT traversal
is not supported.
In the case of a mismatching NAT_DETECTION_DESTINATION_IP
hash, it means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start
sending keepalive packets as defined in <xref target='UDPENCAPS'/>; alternately, it MAY
reject the connection attempt if NAT traversal is not supported. </t>
<t>If none of the NAT_DETECTION_SOURCE_IP payload(s) received matches
the expected value of the source IP and port found from the IP header of the
packet containing the payload, it means that the system sending those
payloads is behind a NAT
(i.e., someone along the route changed the source address of the
original packet to match the address of the NAT box). In this case, the
system receiving the payloads should allow dynamic updates of the other systems' IP address, as
described later.</t>
<t>The IKE initiator MUST check the NAT_DETECTION_SOURCE_IP or
NAT_DETECTION_DESTINATION_IP payloads if present, and if they do
not match the addresses in the outer packet, MUST tunnel all future IKE
and ESP packets associated with this IKE SA over UDP port 4500.</t>
<t>To tunnel IKE packets over UDP port 4500, the IKE header has four
octets of zero prepended and the result immediately follows the UDP
header. To tunnel ESP packets over UDP port 4500, the ESP header
immediately follows the UDP header. Since the first four octets of the
ESP header contain the SPI, and the SPI cannot validly be zero, it is
always possible to distinguish ESP and IKE messages.</t>
<t>Implementations MUST process received UDP-encapsulated ESP packets
even when no NAT was detected.</t>
<t>The original source and destination IP address required for the
transport mode TCP and UDP packet checksum fixup (see <xref
target='UDPENCAPS'/>) are obtained from the Traffic Selectors associated
with the exchange. In the case of transport mode NAT
traversal, the Traffic Selectors MUST contain exactly one IP address,
which is then used as the original IP address.
This is covered in greater detail in <xref target='sect-2.23.1'/>.</t>
<t>There are cases where a NAT box decides to remove mappings that
are still alive (for example, the keepalive interval is too long, or
the NAT box is rebooted). This will be apparent to a host if it
receives a packet whose integrity protection validates, but has a
different port, address, or both from the one that was associated
with the SA in the validated packet. When such a validated packet is
found, a host that does not support other methods of recovery such as
IKEv2 Mobility and Multihoming (MOBIKE) <xref target='MOBIKE'/>, and that is not behind a NAT, SHOULD
send all packets (including retransmission packets) to the IP address
and port in the validated packet, and SHOULD store this as the new
address and port combination for the SA (that is, they SHOULD
dynamically update the address). A host behind a NAT SHOULD NOT do
this type of dynamic address update if a validated packet has
different port and/or address values because it opens a possible
DoS attack (such as allowing an attacker to break the
connection with a single packet). Also, dynamic address update should
only be done in response to a new packet; otherwise, an attacker can
revert the addresses with old replayed packets. Because of this,
dynamic updates can only be done safely if replay protection is
enabled. When IKEv2 is used with MOBIKE, dynamically updating the
addresses described above interferes with MOBIKE's way of recovering
from the same situation. See Section 3.8 of <xref target='MOBIKE'/>
for more information.</t>
</list></t>
<section anchor='sect-2.23.1' title='Transport Mode NAT Traversal'>
<t>Transport mode used with NAT Traversal requires special handling
of the Traffic Selectors used in the IKEv2. The complete scenario
looks like:</t>
<figure><artwork><![CDATA[
+------+ +------+ +------+ +------+
|Client| IP1 | NAT | IPN1 IPN2 | NAT | IP2 |Server|
|node |<------>| A |<---------->| B |<------->| |
+------+ +------+ +------+ +------+
]]></artwork></figure>
<t>(Other scenarios are simplifications of this complex case, so this
discussion uses the complete scenario.)</t>
<t>In this scenario, there are two address translating NATs: NAT A
and NAT B. NAT A is a dynamic NAT that maps the client's source address
IP1 to IPN1. NAT B is a static NAT configured so that connections
coming to IPN2 address are mapped to the gateway's address IP2, that
is, IPN2 destination address is mapped to IP2. This allows the client
to connect to a server by connecting to the IPN2. NAT B does not
necessarily need to be a static NAT, but the client needs to know how
to connect to the server, and it can only do that if it somehow knows
the outer address of the NAT B, that is, the IPN2 address. If NAT B
is a static NAT, then its address can be configured to the client's
configuration. Another option would be to find it using some other
protocol (like DNS), but that is outside of scope of IKEv2.</t>
<t>In this scenario, both the client and server are configured to use
transport mode for the traffic originating from the client node and
destined to the server.</t>
<t>When the client starts creating the IKEv2 SA and Child SA for
sending traffic to the server, it may have a triggering packet with source
IP address of IP1, and a destination IP address of IPN2. Its Peer Authorization Database (PAD) and
SPD needs to have a configuration matching those addresses (or wildcard
entries covering them). Because this is transport mode, it uses
exactly same addresses as the Traffic Selectors and outer IP address
of the IKE packets. For transport mode, it MUST use exactly one IP
address in the TSi and TSr payloads. It can have multiple Traffic
Selectors if it has, for example, multiple port ranges that it wants
to negotiate, but all TSi entries must use the IP1-IP1 range as the IP
addresses, and all TSr entries must have the IPN2-IPN2 range as IP
addresses. The first Traffic Selector of TSi and TSr SHOULD have
very specific Traffic Selectors including protocol and port numbers,
such as from the packet triggering the request.</t>
<t>NAT A will then replace the source address of the IKE packet from
IP1 to IPN1, and NAT B will replace the destination address of the IKE
packet from IPN2 to IP2, so when the packet arrives to the server it
will still have the exactly same Traffic Selectors that were sent by
the client, but the IP address of the IKE packet has been replaced by
IPN1 and IP2.</t>
<t>When the server receives this packet, it normally looks in the
Peer Authorization Database (PAD) described in
<xref target='IPSECARCH'>RFC 4301</xref>
based on the ID and then searches the SPD based on the Traffic
Selectors. Because IP1 does not really mean anything to the server
(it is the address client has behind the NAT), it is useless to do
a lookup based on that if transport mode is used. On the other hand,
the server cannot know whether transport mode is allowed by its
policy before it finds the matching SPD entry.</t>
<t>In this case, the server should first check that the initiator
requested transport mode, and then do address substitution on the Traffic
Selectors. It needs to first store the old Traffic Selector IP
addresses to be used later for the incremental checksum fixup (the IP
address in the TSi can be stored as the original source address and the
IP address in the TSr can be stored as the original destination address).
After that, if the other end was detected as being behind a NAT, the
server replaces the IP address in TSi payloads with the IP address
obtained from the source address of the IKE packet received (that is,
it replaces IP1 in TSi with IPN1). If the server's end was detected
to be behind NAT, it replaces the IP address in the TSr payloads
with the IP address obtained from the destination address of the IKE
packet received (that is, it replaces IPN2 in TSr with IP2).</t>
<t>After this address substitution, both the Traffic Selectors and
the IKE UDP source/destination addresses look the same, and the
server does SPD lookup based on those new Traffic Selectors. If an
entry is found and it allows transport mode, then that entry is used.
If an entry is found but it does not allow transport mode, then the
server MAY undo the address substitution and redo the SPD lookup
using the original Traffic Selectors. If the second lookup succeeds,
the server will create an SA in tunnel mode using real Traffic
Selectors sent by the other end.</t>
<t>This address substitution in transport mode is needed because the
SPD is looked up using the addresses that will be seen by the local
host. This also will make sure the Security Association Database (SAD) entries for the tunnel exit
checks and return packets is added using the addresses as seen by the
local operating system stack.</t>
<t>The most common case is that the server's SPD will contain
wildcard entries matching any addresses, but this also allows making
different SPD entries, for example, for different known NATs' outer
addresses.</t>
<t>After the SPD lookup, the server will do Traffic Selector
narrowing based on the SPD entry it found. It will again use the
already substituted Traffic Selectors, and it will thus send back
Traffic Selectors having IPN1 and IP2 as their IP addresses; it can
still narrow down the protocol number or port ranges used by the
Traffic Selectors. The SAD entry created for the Child SA will have
the addresses as seen by the server, namely IPN1 and IP2.</t>
<t>When the client receives the server's response to the Child SA, it
will do similar processing. If the transport mode SA was created, the
client can store the original returned Traffic Selectors as original
source and destination addresses. It will replace the IP addresses in
the Traffic Selectors with the ones from the IP header of the IKE
packet: it will replace IPN1 with IP1 and IP2 with IPN2. Then, it will
use those Traffic Selectors when verifying the SA against sent
Traffic Selectors, and when installing the SAD entry.</t>
<t>A summary of the rules for NAT traversal in transport mode is:</t>
<figure><artwork><![CDATA[
For the client proposing transport mode:
- The TSi entries MUST have exactly one IP address, and that MUST
match the source address of the IKE SA.
- The TSr entries MUST have exactly one IP address, and that MUST
match the destination address of the IKE SA.
- The first TSi and TSr Traffic Selectors SHOULD have very specific
Traffic Selectors including protocol and port numbers, such as
from the packet triggering the request.
- There MAY be multiple TSi and TSr entries.
- If transport mode for the SA was selected (that is, if the server
included USE_TRANSPORT_MODE notification in its response):
- Store the original Traffic Selectors as the received source and
destination address.
- If the server is behind a NAT, substitute the IP address in the
TSr entries with the remote address of the IKE SA.
- If the client is behind a NAT, substitute the IP address in the
TSi entries with the local address of the IKE SA.
- Do address substitution before using those Traffic Selectors
for anything other than storing original content of them.
This includes verification that Traffic Selectors were narrowed
correctly by the other end, creation of the SAD entry, and so on.
]]></artwork></figure>
<figure><artwork><![CDATA[
For the responder, when transport mode is proposed by client:
- Store the original Traffic Selector IP addresses as received source
and destination address, in case undo address
substitution is needed, to use as the "real source and destination
address" specified by [UDPENCAPS], and for TCP/UDP checksum fixup.
- If the client is behind a NAT, substitute the IP address in the
TSi entries with the remote address of the IKE SA.
- If the server is behind a NAT, substitute the IP address in the
TSr entries with the local address of the IKE SA.
- Do PAD and SPD lookup using the ID and substituted Traffic
Selectors.
- If no SPD entry was found, or if found SPD entry does not
allow transport mode, undo the Traffic Selector substitutions.
Do PAD and SPD lookup again using the ID and original Traffic
Selectors, but also searching for tunnel mode SPD entry (that
is, fall back to tunnel mode).
- However, if a transport mode SPD entry was found, do normal
traffic selection narrowing based on the substituted Traffic
Selectors and SPD entry. Use the resulting Traffic Selectors when
creating SAD entries, and when sending Traffic Selectors back to
the client.
]]></artwork></figure>
</section>
</section>
<section anchor='sect-2.24' title='Explicit Congestion Notification (ECN)'>
<t>When IPsec tunnels behave as originally specified in <xref
target='IPSECARCH-OLD'/>, ECN usage is not appropriate for the outer IP
headers because tunnel decapsulation processing discards ECN
congestion indications to the detriment of the network. ECN support
for IPsec tunnels for IKEv1-based IPsec requires multiple operating
modes and negotiation (see <xref target='ECN'/>). IKEv2
simplifies this situation by requiring that ECN be usable in the
outer IP headers of all tunnel mode Child SAs created by IKEv2.
Specifically, tunnel encapsulators and decapsulators for all
tunnel mode SAs created by IKEv2 MUST support the ECN
full-functionality option for tunnels specified in <xref
target='ECN'/> and MUST implement the tunnel encapsulation and
decapsulation processing specified in <xref target='IPSECARCH'/> to
prevent discarding of ECN congestion indications.</t>
</section>
<section anchor='sect-2.25' title='Exchange Collisions'>
<t>Because IKEv2 exchanges can be initiated by either peer, it is
possible that two exchanges affecting the same SA partly overlap.
This can lead to a situation where the SA state information is
temporarily not synchronized, and a peer can receive a request that
it cannot process in a normal fashion.</t>
<t>Obviously, using a window size greater than 1 leads to more
complex situations, especially if requests are processed out of
order. This section concentrates on problems that can arise even with
a window size of 1, and recommends solutions.</t>
<t>A TEMPORARY_FAILURE notification SHOULD be sent when a peer
receives a request that cannot be completed due to a temporary
condition such as a rekeying operation. When a peer receives a
TEMPORARY_FAILURE notification, it MUST NOT immediately retry the
operation; it MUST wait so that the sender may complete whatever
operation caused the temporary condition. The recipient MAY retry the
request one or more times over a period of several minutes. If a peer
continues to receive TEMPORARY_FAILURE on the same IKE SA after
several minutes, it SHOULD conclude that the state information is
out of sync and close the IKE SA.</t>
<t>A CHILD_SA_NOT_FOUND notification SHOULD be sent when a peer
receives a request to rekey a Child SA that does not exist.
The SA that the initiator attempted to rekey is indicated by the
SPI field in the Notify payload, which is copied from the SPI field
in the REKEY_SA notification.
A peer
that receives a CHILD_SA_NOT_FOUND notification SHOULD silently
delete the Child SA (if it still exists) and send a request to create a new Child SA from
scratch (if the Child SA does not yet exist).</t>
<section anchor='sect-2.25.1' title="Collisions while Rekeying or Closing Child SAs">
<t>If a peer receives a request to rekey a Child SA that it is
currently trying to close, it SHOULD reply with TEMPORARY_FAILURE. If
a peer receives a request to rekey a Child SA that it is currently
rekeying, it SHOULD reply as usual, and SHOULD prepare to close
redundant SAs later based on the nonces (see <xref target='sect-2.8.1'/>).
If a peer receives a request
to rekey a Child SA that does not exist, it SHOULD reply with
CHILD_SA_NOT_FOUND.</t>
<t>If a peer receives a request to close a Child SA that it is
currently trying to close, it SHOULD reply without a Delete payload
(see <xref target='sect-1.4.1'/>). If a peer receives a request to close a Child SA that it is currently
rekeying, it SHOULD reply as usual, with a Delete payload. If a peer
receives a request to close a Child SA that does not exist, it SHOULD
reply without a Delete payload.</t>
<t>If a peer receives a request to rekey the IKE SA, and it is
currently creating, rekeying, or closing a Child SA of that IKE SA,
it SHOULD reply with TEMPORARY_FAILURE.</t>
</section>
<section anchor='sect-2.25.2' title="Collisions while Rekeying or Closing IKE SAs">
<t>If a peer receives a request to rekey an IKE SA that it is
currently rekeying, it SHOULD reply as usual, and SHOULD prepare to
close redundant SAs and move inherited Child SAs later based on the
nonces (see <xref target='sect-2.8.2'/>). If a peer receives a request
to rekey an IKE SA that it is currently trying to close, it SHOULD
reply with TEMPORARY_FAILURE.</t>
<t>If a peer receives a request to close an IKE SA that it is
currently rekeying, it SHOULD reply as usual, and forget about its
own rekeying request. If a peer receives a request to close an IKE SA
that it is currently trying to close, it SHOULD reply as usual, and
forget about its own close request.</t>
<t>If a peer receives a request to create or rekey a Child SA when it
is currently rekeying the IKE SA, it SHOULD reply with
TEMPORARY_FAILURE. If a peer receives a request to delete a Child SA when it is
currently rekeying the IKE SA, it SHOULD reply as usual, with a
Delete payload.</t>
</section>
</section>
</section> <!-- end of 2 -->
<section anchor='sect-3' title='Header and Payload Formats'>
<t>In the tables in this section, some cryptographic primitives and
configuration attributes are marked as "UNSPECIFIED". These are items
for which there are no known specifications and therefore
interoperability is currently impossible. A future specification may
describe their use, but until such specification is made,
implementations SHOULD NOT attempt to use items marked as "UNSPECIFIED"
in implementations that are meant to be interoperable.</t>
<section anchor='sect-3.1' title='The IKE Header'>
<t>IKE messages use UDP ports 500 and/or 4500, with one IKE message per
UDP datagram. Information from the beginning of the packet through the
UDP header is largely ignored except that the IP addresses and UDP ports
from the headers are reversed and used for return packets. When sent on
UDP port 500, IKE messages begin immediately following the UDP header.
When sent on UDP port 4500, IKE messages have prepended four octets of
zero. These four octets of zeros are not part of the IKE message and are
not included in any of the length fields or checksums defined by IKE.
Each IKE message begins with the IKE header, denoted HDR in this document.
Following the header are one or more IKE payloads each identified by a
"Next Payload" field in the preceding payload. Payloads are identified in the order in which
they appear in an IKE message by looking in the "Next Payload" field
in the IKE header, and subsequently according to the "Next Payload"
field in the IKE payload itself until a "Next Payload" field of zero
indicates that no payloads follow. If a payload of type "Encrypted" is found, that
payload is decrypted and its contents parsed as additional payloads. An
Encrypted payload MUST be the last payload in a packet and an Encrypted
payload MUST NOT contain another Encrypted payload.</t>
<t>The responder's SPI in the header identifies an instance of an IKE
Security Association. It is therefore possible for a single instance of
IKE to multiplex distinct sessions with multiple peers, including multiple sessions per peer.</t>
<t>All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or "network byte
order").</t>
<t>The format of the IKE header is shown in Figure 4.</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE SA Initiator's SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE SA Responder's SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | MjVer | MnVer | Exchange Type | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: IKE Header Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Initiator's SPI (8 octets) - A value chosen by the initiator to
identify a unique IKE Security Association. This value MUST NOT be
zero.</t>
<t>Responder's SPI (8 octets) - A value chosen by the responder to
identify a unique IKE Security Association. This value MUST be zero in
the first message of an IKE initial exchange (including repeats of that
message including a cookie).</t>
<t>Next Payload (1 octet) - Indicates the type of payload that
immediately follows the header. The format and value of each payload
are defined below.</t>
<t>Major Version (4 bits) - Indicates the major version of the IKE
protocol in use. Implementations based on this version of IKE MUST set
the major version to 2. Implementations based on previous versions of
IKE and ISAKMP MUST set the major version to 1. Implementations based on
this version of IKE MUST reject or ignore messages containing a version
number greater than 2 with an INVALID_MAJOR_VERSION notification message
as described in Section 2.5.</t>
<t>Minor Version (4 bits) - Indicates the minor version of the IKE
protocol in use. Implementations based on this version of IKE MUST set
the minor version to 0. They MUST ignore the minor version number of
received messages.</t>
<t>Exchange Type (1 octet) - Indicates the type of exchange being used.
This constrains the payloads sent in each message in an exchange.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
Exchange Type Value
----------------------------------
IKE_SA_INIT 34
IKE_AUTH 35
CREATE_CHILD_SA 36
INFORMATIONAL 37
]]></artwork></figure></t>
<t>Flags (1 octet) - Indicates specific options that are set for the
message. Presence of options is indicated by the appropriate bit in the
flags field being set. The bits are as follows:
<figure><artwork><![CDATA[
+-+-+-+-+-+-+-+-+
|X|X|R|V|I|X|X|X|
+-+-+-+-+-+-+-+-+
]]></artwork></figure>
In the description below,
a bit being 'set' means its value is '1', while 'cleared' means its
value is '0'. 'X' bits MUST be cleared when sending and
MUST be ignored on receipt.
<list style='symbols'>
<t>R (Response) - This bit indicates that this message is
a response to a message containing the same Message ID. This bit MUST be
cleared in all request messages and MUST be set in all responses. An IKE
endpoint MUST NOT generate a response to a message that is marked as
being a response (with one exception; see <xref target='sect-2.21.2'/>).</t>
<t>V (Version) - This bit indicates that the transmitter
is capable of speaking a higher major version number of the protocol
than the one indicated in the major version number field.
Implementations of IKEv2 MUST clear this bit when sending and MUST
ignore it in incoming messages.</t>
<t>I (Initiator) - This bit MUST be set in messages sent
by the original initiator of the IKE SA and MUST be cleared in messages
sent by the original responder. It is used by the recipient to determine
which eight octets of the SPI were generated by the recipient.
This bit changes to reflect who initiated the last rekey of the IKE SA.</t>
</list></t>
<t>Message ID (4 octets, unsigned integer) - Message identifier used to control
retransmission of lost packets and matching of requests and responses.
It is essential to the security of the protocol because it is used to
prevent message replay attacks. See Sections <xref target='sect-2.1' format='counter'/> and
<xref target='sect-2.2' format='counter'/>.</t>
<t>Length (4 octets, unsigned integer) - Length of the total message (header + payloads) in
octets.</t>
</list></t>
</section>
<section anchor='sect-3.2' title='Generic Payload Header'>
<t>Each IKE payload defined in Sections <xref target='sect-3.3' format="counter"/> through
<xref target='sect-3.16' format='counter'/> begins with a
generic payload header, shown in Figure 5. Figures for each payload
below will include the generic payload header, but for brevity, the
description of each field will be omitted.</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Generic Payload Header
]]></artwork></figure>
<t>The Generic Payload Header fields are defined as follows:</t>
<t><list style='symbols'>
<t>Next Payload (1 octet) - Identifier for the payload type of the next
payload in the message. If the current payload is the last in the
message, then this field will be 0. This field provides a "chaining"
capability whereby additional payloads can be added to a message by
appending each one to the end of the message and setting the "Next Payload"
field of the preceding payload to indicate the new payload's type. An
Encrypted payload, which must always be the last payload of a message,
is an exception. It contains data structures in the format of additional
payloads. In the header of an Encrypted payload,
the Next Payload field is set to the payload type of the first
contained payload (instead of 0); conversely, the Next Payload field
of the last contained payload is set to zero.
The payload type values are listed here. The values in the following
table are only current as of the publication date of RFC 4306. Other
values may have been added since then or will be added after the
publication of this document. Readers should refer to <xref target='IKEV2IANA'/>
for the latest values.
<figure><artwork><![CDATA[
Next Payload Type Notation Value
--------------------------------------------------
No Next Payload 0
Security Association SA 33
Key Exchange KE 34
Identification - Initiator IDi 35
Identification - Responder IDr 36
Certificate CERT 37
Certificate Request CERTREQ 38
Authentication AUTH 39
Nonce Ni, Nr 40
Notify N 41
Delete D 42
Vendor ID V 43
Traffic Selector - Initiator TSi 44
Traffic Selector - Responder TSr 45
Encrypted and Authenticated SK 46
Configuration CP 47
Extensible Authentication EAP 48
(Payload type values 1-32 should not be assigned in the
future so that there is no overlap with the code assignments
for IKEv1.)
]]></artwork></figure></t>
<t>Critical (1 bit) - MUST be set to zero if the sender wants the
recipient to skip this payload if it does not understand the payload
type code in the Next Payload field of the previous payload. MUST be set
to one if the sender wants the recipient to reject this entire message
if it does not understand the payload type. MUST be ignored by the
recipient if the recipient understands the payload type code. MUST be
set to zero for payload types defined in this document. Note that the
critical bit applies to the current payload rather than the "next"
payload whose type code appears in the first octet. The reasoning behind
not setting the critical bit for payloads defined in this document is
that all implementations MUST understand all payload types defined in
this document and therefore must ignore the critical bit's value.
Skipped payloads are expected to have valid Next Payload and Payload
Length fields. See <xref target="sect-2.5"/> for more information on
this bit.</t>
<t>RESERVED (7 bits) - MUST be sent as zero; MUST be ignored on
receipt.</t>
<t>Payload Length (2 octets, unsigned integer) - Length in octets of the current payload,
including the generic payload header.</t>
</list></t>
<t>Many payloads contain fields marked as "RESERVED".
Some payloads in IKEv2 (and historically in IKEv1) are not
aligned to 4-octet boundaries.</t>
</section>
<section anchor='sect-3.3' title='Security Association Payload'>
<t>The Security Association payload, denoted SA in this document, is used to
negotiate attributes of a Security Association. Assembly of Security
Association payloads requires great peace of mind. An SA payload MAY
contain multiple proposals. If there is more than one, they MUST be
ordered from most preferred to least preferred. Each proposal
contains a single IPsec protocol (where a protocol is IKE, ESP, or AH),
each protocol MAY contain multiple transforms, and each transform MAY
contain multiple attributes. When parsing an SA, an implementation MUST
check that the total Payload Length is consistent with the payload's
internal lengths and counts. Proposals, Transforms, and Attributes each
have their own variable-length encodings. They are nested such that the
Payload Length of an SA includes the combined contents of the SA,
Proposal, Transform, and Attribute information. The length of a Proposal
includes the lengths of all Transforms and Attributes it contains. The
length of a Transform includes the lengths of all Attributes it
contains.</t>
<t>The syntax of Security Associations, Proposals, Transforms, and
Attributes is based on ISAKMP; however, the semantics are somewhat
different. The reason for the complexity and the hierarchy is to allow
for multiple possible combinations of algorithms to be encoded in a
single SA. Sometimes there is a choice of multiple algorithms, whereas
other times there is a combination of algorithms. For example, an
initiator might want to propose using ESP
with either (3DES and HMAC_MD5) or (AES and HMAC_SHA1).</t>
<t>One of the reasons the semantics of the SA payload have changed from
ISAKMP and IKEv1 is to make the encodings more compact in common
cases.</t>
<t>The Proposal structure contains within it a Proposal Num and an IPsec
protocol ID. Each structure MUST have a proposal number one (1)
greater than the previous structure. The first Proposal in the
initiator's SA payload MUST have a Proposal Num of one (1).
One reason to use multiple proposals is to propose both standard
crypto ciphers and combined-mode ciphers.
Combined-mode ciphers include both
integrity and encryption in a single encryption algorithm, and
MUST either offer no integrity algorithm or a single integrity
algorithm of "none", with no integrity algorithm being the RECOMMENDED method.
If an initiator wants to propose both
combined-mode ciphers and normal ciphers, it must include two
proposals: one will have all the combined-mode ciphers, and the other
will have all the normal ciphers with the integrity algorithms. For
example, one such proposal would have two proposal structures.
Proposal 1 is ESP with AES-128, AES-192, and AES-256 bits in Cipher Block Chaining (CBC) mode, with
either HMAC-SHA1-96 or XCBC-96 as the integrity algorithm;
Proposal 2 is AES-128 or AES-256 in GCM mode with an 8-octet Integrity Check Value (ICV).
Both proposals allow but do not require the use of ESNs (Extended
Sequence Numbers).
This can be illustrated as:
<figure><artwork><![CDATA[
SA Payload
|
+--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
| | 7 transforms, SPI = 0x052357bb )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 128 )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 192 )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 256 )
| |
| +-- Transform INTEG ( Name = AUTH_HMAC_SHA1_96 )
| +-- Transform INTEG ( Name = AUTH_AES_XCBC_96 )
| +-- Transform ESN ( Name = ESNs )
| +-- Transform ESN ( Name = No ESNs )
|
+--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
| 4 transforms, SPI = 0x35a1d6f2 )
|
+-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
| +-- Attribute ( Key Length = 128 )
|
+-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
| +-- Attribute ( Key Length = 256 )
|
+-- Transform ESN ( Name = ESNs )
+-- Transform ESN ( Name = No ESNs )
]]></artwork></figure></t>
<t>Each Proposal/Protocol structure is followed by one or more transform
structures. The number of different transforms is generally determined
by the Protocol. AH generally has two transforms: Extended
Sequence Numbers (ESNs) and an integrity check
algorithm. ESP generally has three: ESN, an encryption algorithm, and an
integrity check algorithm. IKE generally has four transforms: a
Diffie-Hellman group, an integrity check algorithm, a PRF algorithm, and
an encryption algorithm.
For each Protocol, the set of permissible transforms is assigned
Transform ID numbers, which appear in the header of each transform.</t>
<t>If there are multiple transforms with the same Transform Type, the
proposal is an OR of those transforms. If there are multiple transforms
with different Transform Types, the proposal is an AND of the different
groups. For example, to propose ESP with (3DES or AES-CBC) and (HMAC_MD5 or
HMAC_SHA), the ESP proposal would contain two Transform Type 1
candidates (one for 3DES and one for AEC-CBC) and two Transform Type 3
candidates (one for HMAC_MD5 and one for HMAC_SHA). This effectively
proposes four combinations of algorithms. If the initiator wanted to
propose only a subset of those, for example (3DES and HMAC_MD5) or (IDEA and
HMAC_SHA), there is no way to encode that as multiple transforms within
a single Proposal. Instead, the initiator would have to construct two
different Proposals, each with two transforms.</t>
<t>A given transform MAY have one or more Attributes. Attributes are
necessary when the transform can be used in more than one way, as when
an encryption algorithm has a variable key size. The transform would
specify the algorithm and the attribute would specify the key size. Most
transforms do not have attributes. A transform MUST NOT have multiple
attributes of the same type. To propose alternate values for an
attribute (for example, multiple key sizes for the AES encryption
algorithm), an implementation MUST include multiple transforms with the
same Transform Type each with a single Attribute.</t>
<t>Note that the semantics of Transforms and Attributes are quite
different from those in IKEv1. In IKEv1, a single Transform carried multiple
algorithms for a protocol with one carried in the Transform and the
others carried in the Attributes.</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ <Proposals> ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Security Association Payload
]]></artwork></figure>
<t><list style='symbols'>
<t>Proposals (variable) - One or more proposal substructures.</t>
</list></t>
<t>The payload type for the Security Association payload is thirty-three
(33).</t>
<section anchor='sect-3.3.1' title='Proposal Substructure'>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Last Substruc | RESERVED | Proposal Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Proposal Num | Protocol ID | SPI Size |Num Transforms|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ SPI (variable) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ <Transforms> ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: Proposal Substructure
]]></artwork></figure>
<t><list style='symbols'>
<t>Last Substruc (1 octet) - Specifies whether or not this is the last
Proposal Substructure in the SA. This field has a value of 0 if this
was last Proposal Substructure, and a value of 2 if there are more
Proposal Substructures. This syntax is inherited from ISAKMP, but is
unnecessary because the last Proposal could be identified from the
length of the SA. The value (2) corresponds to a payload type of
Proposal in IKEv1, and the first four octets of the Proposal structure
are designed to look somewhat like the header of a payload.</t>
<t>RESERVED (1 octet) - MUST be sent as zero; MUST be ignored on
receipt.</t>
<t>Proposal Length (2 octets, unsigned integer) - Length of this proposal, including all
transforms and attributes that follow.</t>
<t>Proposal Num (1 octet) - When a proposal is made, the first proposal in
an SA payload MUST be 1, and subsequent proposals MUST be
one more than the previous proposal (indicating an OR of the two
proposals). When a proposal is accepted, the proposal number in the SA
payload MUST match the number on the proposal sent that was
accepted.</t>
<t>Protocol ID (1 octet) - Specifies the IPsec protocol identifier for
the current negotiation.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
Protocol Protocol ID
-----------------------------------
IKE 1
AH 2
ESP 3
]]></artwork></figure></t>
<t>SPI Size (1 octet) - For an initial IKE SA negotiation, this field
MUST be zero; the SPI is obtained from the outer header. During
subsequent negotiations, it is equal to the size, in octets, of the SPI
of the corresponding protocol (8 for IKE, 4 for ESP and AH).</t>
<t>Num Transforms (1 octet) - Specifies the number of transforms in
this proposal.</t>
<t>SPI (variable) - The sending entity's SPI. Even if the SPI Size is
not a multiple of 4 octets, there is no padding applied to the payload.
When the SPI Size field is zero, this field is not present in the
Security Association payload.</t>
<t>Transforms (variable) - One or more transform substructures.</t>
</list></t>
</section>
<section anchor='sect-3.3.2' title='Transform Substructure'>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Last Substruc | RESERVED | Transform Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Transform Type | RESERVED | Transform ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Transform Attributes ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: Transform Substructure
]]></artwork></figure>
<t><list style='symbols'>
<t>Last Substruc (1 octet) - Specifies whether or not this is the last
Transform Substructure in the Proposal. This field has a value of 0 if
this was last Transform Substructure, and a value of 3 if there are
more Transform Substructures. This syntax is inherited from ISAKMP,
but is unnecessary because the last transform could be identified from
the length of the proposal. The value (3) corresponds to a payload
type of Transform in IKEv1, and the first four octets of the Transform
structure are designed to look somewhat like the header of a
payload.</t>
<t>RESERVED - MUST be sent as zero; MUST be ignored on receipt.</t>
<t>Transform Length - The length (in octets) of the Transform
Substructure including Header and Attributes.</t>
<t>Transform Type (1 octet) - The type of transform being specified in
this transform. Different protocols support different Transform Types.
For some protocols, some of the transforms may be optional. If a
transform is optional and the initiator wishes to propose that the
transform be omitted, no transform of the given type is included in the
proposal. If the initiator wishes to make use of the transform optional
to the responder, it includes a transform substructure with Transform ID
= 0 as one of the options.</t>
<t>Transform ID (2 octets) - The specific instance of the Transform Type
being proposed.</t>
</list></t>
<t>The Transform Type values are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Description Trans. Used In
Type
------------------------------------------------------------------
Encryption Algorithm (ENCR) 1 IKE and ESP
Pseudorandom Function (PRF) 2 IKE
Integrity Algorithm (INTEG) 3 IKE*, AH, optional in ESP
Diffie-Hellman group (D-H) 4 IKE, optional in AH & ESP
Extended Sequence Numbers (ESN) 5 AH and ESP
(*) Negotiating an integrity algorithm is mandatory for the
Encrypted payload format specified in this document. For example,
[AEAD] specifies additional formats based on authenticated
encryption, in which a separate integrity algorithm is not
negotiated.
]]></artwork></figure>
<t>For Transform Type 1 (Encryption Algorithm), the Transform IDs
are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number Defined In
---------------------------------------------------
ENCR_DES_IV64 1 (UNSPECIFIED)
ENCR_DES 2 (RFC2405), [DES]
ENCR_3DES 3 (RFC2451)
ENCR_RC5 4 (RFC2451)
ENCR_IDEA 5 (RFC2451), [IDEA]
ENCR_CAST 6 (RFC2451)
ENCR_BLOWFISH 7 (RFC2451)
ENCR_3IDEA 8 (UNSPECIFIED)
ENCR_DES_IV32 9 (UNSPECIFIED)
ENCR_NULL 11 (RFC2410)
ENCR_AES_CBC 12 (RFC3602)
ENCR_AES_CTR 13 (RFC3686)
]]></artwork></figure>
<t>For Transform Type 2 (Pseudorandom Function), the Transform IDs
are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number Defined In
------------------------------------------------------
PRF_HMAC_MD5 1 (RFC2104), [MD5]
PRF_HMAC_SHA1 2 (RFC2104), [SHA]
PRF_HMAC_TIGER 3 (UNSPECIFIED)
]]></artwork></figure>
<t>For Transform Type 3 (Integrity Algorithm), defined Transform IDs
are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number Defined In
----------------------------------------
NONE 0
AUTH_HMAC_MD5_96 1 (RFC2403)
AUTH_HMAC_SHA1_96 2 (RFC2404)
AUTH_DES_MAC 3 (UNSPECIFIED)
AUTH_KPDK_MD5 4 (UNSPECIFIED)
AUTH_AES_XCBC_96 5 (RFC3566)
]]></artwork></figure>
<t>For Transform Type 4 (Diffie-Hellman group), defined Transform IDs
are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number Defined In
----------------------------------------
NONE 0
768-bit MODP 1 Appendix B
1024-bit MODP 2 Appendix B
1536-bit MODP 5 [ADDGROUP]
2048-bit MODP 14 [ADDGROUP]
3072-bit MODP 15 [ADDGROUP]
4096-bit MODP 16 [ADDGROUP]
6144-bit MODP 17 [ADDGROUP]
8192-bit MODP 18 [ADDGROUP]
]]></artwork></figure>
<t>Although ESP and AH do not directly include a Diffie-Hellman
exchange, a Diffie-Hellman group MAY be negotiated for the Child SA.
This allows the peers to employ Diffie-Hellman in the CREATE_CHILD_SA
exchange, providing perfect forward secrecy for the generated Child
SA keys.</t>
<t>Note, that MODP Diffie-Hellman groups listed above does not need
any special validity tests to be performed, but other types of groups
(ECP and MODP groups with small subgroups) need to have some
additional tests to be performed on them to use them securely. See
"Additional Diffie-Hellman Tests for IKEv2" (<xref target='RFC6989'
/>) for more information.</t>
<t>For Transform Type 5 (Extended Sequence Numbers), defined Transform
IDs are listed below.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Name Number
--------------------------------------------
No Extended Sequence Numbers 0
Extended Sequence Numbers 1
]]></artwork></figure>
<t>Note that an initiator who supports ESNs will
usually include two ESN transforms, with values "0" and "1", in its
proposals. A proposal containing a single ESN transform with value
"1" means that using normal (non-extended) sequence numbers is not
acceptable.</t>
<t>Numerous additional Transform Types have been defined since the
publication of RFC 4306. Please refer to the IANA IKEv2 registry for
details.</t>
</section>
<section anchor='sect-3.3.3' title='Valid Transform Types by Protocol'>
<t>The number and type of transforms that accompany an SA payload are
dependent on the protocol in the SA itself. An SA payload proposing the
establishment of an SA has the following mandatory and optional
Transform Types. A compliant implementation MUST understand all
mandatory and optional types for each protocol it supports (though it
need not accept proposals with unacceptable suites). A proposal MAY omit
the optional types if the only value for them it will accept is NONE.
</t>
<figure><artwork><![CDATA[
Protocol Mandatory Types Optional Types
---------------------------------------------------
IKE ENCR, PRF, INTEG*, D-H
ESP ENCR, ESN INTEG, D-H
AH INTEG, ESN D-H
(*) Negotiating an integrity algorithm is mandatory for the
Encrypted payload format specified in this document. For example,
[AEAD] specifies additional formats based on authenticated
encryption, in which a separate integrity algorithm is not
negotiated.
]]></artwork></figure>
</section>
<section anchor='sect-3.3.4' title='Mandatory Transform IDs'>
<t>The specification of suites that MUST and SHOULD be supported for
interoperability has been removed from this document because they are
likely to change more rapidly than this document evolves.
At the time of publication of this document, <xref target='RFC4307'/> specifies
these suites, but note that it might be updated in the future, and
other RFCs might specify different sets of suites.</t>
<t>An important lesson learned from IKEv1 is that no system should
only implement the mandatory algorithms and expect them to be the
best choice for all customers.</t>
<t>It is likely that IANA will add additional transforms in the future,
and some users may want to use private suites, especially for IKE where
implementations should be capable of supporting different parameters, up
to certain size limits. In support of this goal, all implementations of
IKEv2 SHOULD include a management facility that allows specification (by
a user or system administrator) of Diffie-Hellman parameters (the
generator, modulus, and exponent lengths and values) for new Diffie-Hellman groups.
Implementations SHOULD provide a management interface through which these
parameters and the associated Transform IDs may be entered (by a user or
system administrator), to enable negotiating such groups.</t>
<t>All implementations of IKEv2 MUST include a management facility that
enables a user or system administrator to specify the suites that are
acceptable for use with IKE. Upon receipt of a payload with a set of
Transform IDs, the implementation MUST compare the transmitted Transform
IDs against those locally configured via the management controls, to
verify that the proposed suite is acceptable based on local policy. The
implementation MUST reject SA proposals that are not authorized by these
IKE suite controls. Note that cryptographic suites that MUST be
implemented need not be configured as acceptable to local policy.</t>
</section>
<section anchor='sect-3.3.5' title='Transform Attributes'>
<t>Each transform in a Security Association payload may include
attributes that modify or complete the specification of the transform.
The set of valid attributes depends on the transform. Currently, only
a single attribute type is defined: the Key Length attribute is used
by certain encryption transforms with variable-length keys (see below
for details).</t>
<t>The attributes are type/value pairs and are defined below.
Attributes can have a value with a fixed two-octet length or a
variable-length value. For the latter, the attribute is encoded as
type/length/value. </t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A| Attribute Type | AF=0 Attribute Length |
|F| | AF=1 Attribute Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AF=0 Attribute Value |
| AF=1 Not Transmitted |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: Data Attributes
]]></artwork></figure>
<t><list style='symbols'>
<t>Attribute Format (AF) (1 bit) - Indicates whether the data
attribute follows the Type/Length/Value (TLV) format or a shortened
Type/Value (TV) format. If the AF bit is zero (0), then the attribute
uses TLV format; if the AF bit is one (1), the TV format (with
two-byte value) is used.</t>
<t>Attribute Type (15 bits) - Unique identifier for each type of
attribute (see below).</t>
<t>Attribute Value (variable length) - Value of the attribute
associated with the attribute type. If the AF bit is a zero (0), this
field has a variable length defined by the Attribute Length field. If
the AF bit is a one (1), the Attribute Value has a length of 2
octets.</t>
</list></t>
<t>The only currently defined attribute type (Key Length) is
fixed length; the variable-length encoding specification is included
only for future extensions. Attributes described as fixed length MUST
NOT be encoded using the variable-length encoding
unless that length exceeds two bytes. Variable-length
attributes MUST NOT be encoded as fixed-length even if their value can
fit into two octets. Note: This is a change from IKEv1, where
increased flexibility may have simplified the composer of messages but
certainly complicated the parser.</t>
<t>The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
Attribute Type Value Attribute Format
------------------------------------------------------------
Key Length (in bits) 14 TV
]]></artwork></figure>
<t>Values 0-13 and 15-17 were used in a similar context in
IKEv1, and should not be assigned except to matching values.</t>
<t>The Key Length attribute specifies the key length in bits
(MUST use network byte order) for certain transforms as
follows:</t>
<t><list style='symbols'>
<t>The Key Length attribute MUST NOT be used with transforms
that use a fixed-length key. For example, this includes ENCR_DES,
ENCR_IDEA, and all the Type 2 (Pseudorandom function) and
Type 3 (Integrity Algorithm) transforms specified in
this document. It is recommended that future Type 2 or 3
transforms do not use this attribute.</t>
<t>Some transforms specify that the Key Length attribute MUST
be always included (omitting the attribute is not allowed,
and proposals not containing it MUST be rejected). For example, this
includes ENCR_AES_CBC and ENCR_AES_CTR.</t>
<t>Some transforms allow variable-length keys, but also specify
a default key length if the attribute is not included.
For example, these transforms include ENCR_RC5 and ENCR_BLOWFISH.</t>
</list></t>
<t>Implementation note: To further interoperability and to support
upgrading endpoints independently, implementers of this protocol
SHOULD accept values that they deem to supply greater security.
For instance, if a peer is configured to accept a
variable-length cipher with a key length of X bits and is
offered that cipher with a larger key length, the implementation
SHOULD accept the offer if it supports use of the longer key.</t>
<t>Support for this capability allows a responder to express a
concept of "at least" a certain level of security -- "a key
length of _at least_ X bits for cipher Y". However, as the
attribute is always returned unchanged (see the next section), an
initiator willing to accept multiple key lengths has to include
multiple transforms with the same Transform Type, each with
a different Key Length attribute.</t>
</section>
<section anchor='sect-3.3.6' title='Attribute Negotiation'>
<t>During Security Association negotiation initiators present offers
to responders. Responders MUST select a single complete set of
parameters from the offers (or reject all offers if none are
acceptable). If there are multiple proposals, the responder MUST
choose a single proposal. If the selected proposal has multiple
transforms with the same type, the responder MUST choose a single one.
Any attributes of a selected transform MUST be returned unmodified.
The initiator of an exchange MUST check that the accepted offer is
consistent with one of its proposals, and if not MUST terminate
the exchange.</t>
<t>If the responder receives a proposal that contains a Transform
Type it does not understand, or a proposal that is missing a
mandatory Transform Type, it MUST consider this proposal
unacceptable; however, other proposals in the same SA payload are
processed as usual. Similarly, if the responder receives a transform
that it does not understand, or one that contains a Transform
Attribute it does not understand, it MUST consider this transform
unacceptable; other transforms with the same Transform Type are
processed as usual. This allows new Transform Types and Transform
Attributes to be defined in the future.</t>
<t>Negotiating Diffie-Hellman groups presents some special
challenges. SA offers include proposed attributes and a
Diffie-Hellman public number (KE) in the same message. If in the
initial exchange the initiator offers to use one of several
Diffie-Hellman groups, it SHOULD pick the one the responder is most
likely to accept and include a KE corresponding to that group. If
the responder selects a proposal using a different Diffie-Hellman
group (other than NONE), the responder will indicate the correct
group in the response and the initiator SHOULD pick an element of
that group for its KE value when retrying the first message. It
SHOULD, however, continue to propose its full supported set of groups
in order to prevent a man-in-the-middle downgrade attack.
If one of the proposals offered is for the
Diffie-Hellman group of NONE, and the responder selects that
Diffie-Hellman group, then it MUST ignore the initiator's KE
payload and omit the KE payload from the response.</t>
</section>
</section>
<section anchor='sect-3.4' title='Key Exchange Payload'>
<t>The Key Exchange payload, denoted KE in this document, is used to
exchange Diffie-Hellman public numbers as part of a Diffie-Hellman key
exchange. The Key Exchange payload consists of the IKE generic payload
header followed by the Diffie-Hellman public value itself.</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Diffie-Hellman Group Num | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Key Exchange Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: Key Exchange Payload Format
]]></artwork></figure>
<t>A Key Exchange payload is constructed by copying one's Diffie-Hellman
public value into the "Key Exchange Data" portion of the payload. The
length of the Diffie-Hellman public value for modular exponentiation group (MODP) groups MUST be equal to the length of
the prime modulus over which the exponentiation was performed,
prepending zero bits to the value if necessary.</t>
<t>The Diffie-Hellman Group Num identifies the Diffie-Hellman group in which the
Key Exchange Data was computed (see <xref target='sect-3.3.2'/>). This Diffie-Hellman Group Num
MUST match a Diffie-Hellman group specified in a proposal in the SA payload
that is sent in the same message, and SHOULD match the Diffie-Hellman group in
the first group in the first proposal, if such exists. If none of
the proposals in that SA payload specifies a Diffie-Hellman group, the KE
payload MUST NOT be present. If the selected proposal uses a
different Diffie-Hellman group (other than NONE), the message MUST
be rejected with a Notify payload of type INVALID_KE_PAYLOAD.
See also Sections <xref target='sect-1.2' format='counter'/> and <xref target='sect-2.7' format='counter'/>.</t>
<t>The payload type for the Key Exchange payload is thirty-four
(34).</t>
</section>
<section anchor='sect-3.5' title='Identification Payloads'>
<t>The Identification payloads, denoted IDi and IDr in this document, allow
peers to assert an identity to one another. This identity may be used
for policy lookup, but does not necessarily have to match anything in
the CERT payload; both fields may be used by an implementation to
perform access control decisions. When using the
ID_IPV4_ADDR/ID_IPV6_ADDR identity types in IDi/IDr payloads, IKEv2 does
not require this address to match the address in the IP header of IKEv2
packets, or anything in the TSi/TSr payloads. The contents of IDi/IDr
are used purely to fetch the policy and authentication data related to
the other party. </t>
<t>NOTE: In IKEv1, two ID payloads were used in each direction to hold
Traffic Selector (TS) information for data passing over the SA. In IKEv2,
this information is carried in TS payloads (see
<xref target='sect-3.13'/>).</t>
<t>The Peer Authorization Database (PAD) as described in
<xref target='IPSECARCH'>RFC 4301</xref>
describes the use of the ID payload in IKEv2 and provides a formal model for
the binding of identity to policy in addition to providing services that
deal more specifically with the details of policy enforcement. The PAD is
intended to provide a link between the SPD and the IKE Security Association
management. See Section 4.4.3 of RFC 4301 for more details.</t>
<t>The Identification payload consists of the IKE generic payload header
followed by identification fields as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID Type | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Identification Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: Identification Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>ID Type (1 octet) - Specifies the type of Identification being
used.</t>
<t>RESERVED - MUST be sent as zero; MUST be ignored on receipt.</t>
<t>Identification Data (variable length) - Value, as indicated by the
Identification Type. The length of the Identification Data is computed
from the size in the ID payload header.</t>
</list></t>
<t>The payload types for the Identification payload are thirty-five (35)
for IDi and thirty-six (36) for IDr.</t>
<t>The following table lists the assigned semantics for the Identification
Type field.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
ID Type Value
-------------------------------------------------------------------
ID_IPV4_ADDR 1
A single four (4) octet IPv4 address.
ID_FQDN 2
A fully-qualified domain name string. An example of an ID_FQDN
is "example.com". The string MUST NOT contain any terminators
(e.g., NULL, CR, etc.). All characters in the ID_FQDN are ASCII;
for an "internationalized domain name", the syntax is as defined
in [IDNA], for example "xn--tmonesimerkki-bfbb.example.net".
ID_RFC822_ADDR 3
A fully-qualified RFC 822 email address string. An example of a
ID_RFC822_ADDR is "jsmith@example.com". The string MUST NOT
contain any terminators. Because of [EAI], implementations would
be wise to treat this field as UTF-8 encoded text, not as
pure ASCII.
ID_IPV6_ADDR 5
A single sixteen (16) octet IPv6 address.
ID_DER_ASN1_DN 9
The binary Distinguished Encoding Rules (DER) encoding of an
ASN.1 X.500 Distinguished Name [PKIX].
ID_DER_ASN1_GN 10
The binary DER encoding of an ASN.1 X.509 GeneralName [PKIX].
ID_KEY_ID 11
An opaque octet stream that may be used to pass vendor-
specific information necessary to do certain proprietary
types of identification.
]]></artwork></figure>
<t>Two implementations will interoperate only if each can generate a
type of ID acceptable to the other. To assure maximum interoperability,
implementations MUST be configurable to send at least one of
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and MUST be
configurable to accept all of these four types. Implementations SHOULD be
capable of generating and accepting all of these types. IPv6-capable
implementations MUST additionally be configurable to accept
ID_IPV6_ADDR. IPv6-only implementations MAY be configurable to send only
ID_IPV6_ADDR instead of ID_IPV4_ADDR for IP addresses.</t>
<t>EAP <xref target='EAP'/> does not mandate
the use of any particular type of identifier, but often EAP is used with
Network Access Identifiers (NAIs) defined in <xref target='NAI'/>.
Although NAIs look a bit like email addresses (e.g., "joe@example.com"),
the syntax is not exactly the same as the syntax of email address in
<xref target='MAILFORMAT'/>. For those NAIs that include the realm
component, the ID_RFC822_ADDR identification type SHOULD be used.
Responder implementations should not attempt to verify that the contents
actually conform to the exact syntax given in <xref
target='MAILFORMAT'/>, but instead should accept any reasonable-looking
NAI. For NAIs that do not include the realm component, the ID_KEY_ID
identification type SHOULD be used.</t>
<t>See "IPsec PKI Profile of IKEv1, IKEv2 and PKIX" (<xref
target='RFC4945'/>) for more information about matching Identification
payloads and the contents of the PKIX Certificates.</t>
</section>
<section anchor='sect-3.6' title='Certificate Payload'>
<t>The Certificate payload, denoted CERT in this document, provides a means
to transport certificates or other authentication-related information
via IKE.
Certificate payloads SHOULD be included in an exchange if
certificates are available to the sender. The Hash and URL formats of
the Certificate payloads should be used in case the peer has indicated
an ability to retrieve this information from elsewhere using an
HTTP_CERT_LOOKUP_SUPPORTED Notify payload.
Note that the term
"Certificate payload" is somewhat misleading, because not all
authentication mechanisms use certificates and data other than
certificates may be passed in this payload.</t>
<t>The Certificate payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert Encoding | |
+-+-+-+-+-+-+-+-+ |
~ Certificate Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: Certificate Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Certificate Encoding (1 octet) - This field indicates the type of
certificate or certificate-related information contained in the
Certificate Data field.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
Certificate Encoding Value
----------------------------------------------------
PKCS #7 wrapped X.509 certificate 1 UNSPECIFIED
PGP Certificate 2 UNSPECIFIED
DNS Signed Key 3 UNSPECIFIED
X.509 Certificate - Signature 4
Kerberos Token 6 UNSPECIFIED
Certificate Revocation List (CRL) 7
Authority Revocation List (ARL) 8 UNSPECIFIED
SPKI Certificate 9 UNSPECIFIED
X.509 Certificate - Attribute 10 UNSPECIFIED
Deprecated (Was Raw RSA Key) 11 DEPRECATED
Hash and URL of X.509 certificate 12
Hash and URL of X.509 bundle 13
]]></artwork></figure></t>
<t>Certificate Data (variable length) - Actual encoding of certificate
data. The type of certificate is indicated by the Certificate Encoding
field.</t>
</list></t>
<t>The payload type for the Certificate payload is thirty-seven
(37).</t>
<t>Specific syntax for some of the certificate type codes above is
not defined in this document. The types whose syntax is defined in this
document are:</t>
<t><list style='symbols'>
<t>"X.509 Certificate - Signature" contains a DER-encoded X.509
certificate whose public key is used to validate the sender's AUTH
payload. Note that with this encoding, if a chain of certificates
needs to be sent, multiple CERT payloads are used, only the first of
which holds the public key used to validate the sender's AUTH
payload.</t>
<t>"Certificate Revocation List" contains a DER-encoded X.509
certificate revocation list.</t>
<t>Hash and URL encodings allow IKE messages to remain short by
replacing long data structures with a 20-octet SHA-1 hash (see
<xref target='SHA' />) of the
replaced value followed by a variable-length URL that resolves to the
DER-encoded data structure itself. This improves efficiency when the
endpoints have certificate data cached and makes IKE less subject to
DoS attacks that become easier to mount when IKE messages
are large enough to require IP fragmentation <xref target='DOSUDPPROT'/>.</t>
</list></t>
<t>The "Hash and URL of a bundle" type uses the
following ASN.1 definition for the X.509 bundle:
<figure><artwork><![CDATA[
CertBundle
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-cert-bundle(34) }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
IMPORTS
Certificate, CertificateList
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-explicit(18) } ;
CertificateOrCRL ::= CHOICE {
cert [0] Certificate,
crl [1] CertificateList }
CertificateBundle ::= SEQUENCE OF CertificateOrCRL
END
]]></artwork></figure></t>
<t>Implementations MUST be capable of being configured to send and
accept up to four X.509 certificates in support of authentication, and
also MUST be capable of being configured to send and accept the two
Hash and URL formats (with HTTP URLs). If multiple certificates are
sent, the first certificate MUST contain the public key used to sign
the AUTH payload. The other certificates may be sent in any order.</t>
<t>Implementations MUST support the HTTP <xref target='HTTP'/> method
for hash-and-URL lookup. The behavior of other URL methods
<xref target='URLS'/> is not currently specified, and such methods SHOULD
NOT be used in the absence of a document specifying them.</t>
</section>
<section anchor='sect-3.7' title='Certificate Request Payload'>
<t>The Certificate Request payload, denoted CERTREQ in this document,
provides a means to request preferred certificates via IKE and can
appear in the IKE_INIT_SA response and/or the IKE_AUTH request.
Certificate Request payloads MAY be included in an exchange when the
sender needs to get the certificate of the receiver. </t>
<t>The Certificate Request payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert Encoding | |
+-+-+-+-+-+-+-+-+ |
~ Certification Authority ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13: Certificate Request Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Certificate Encoding (1 octet) - Contains an encoding of the type or
format of certificate requested. Values are listed in <xref
target='sect-3.6'/>.</t>
<t>Certification Authority (variable length) - Contains an encoding of
an acceptable certification authority for the type of certificate
requested.</t>
</list></t>
<t>The payload type for the Certificate Request payload is thirty-eight
(38).</t>
<t>The Certificate Encoding field has the same values as those
defined in <xref target='sect-3.6'/>. The Certification Authority
field contains an indicator of trusted authorities for this
certificate type. The Certification Authority value is a concatenated
list of SHA-1 hashes of the public keys of trusted Certification
Authorities (CAs). Each is encoded as the SHA-1 hash of the Subject
Public Key Info element (see section 4.1.2.7 of <xref
target='PKIX'/>) from each Trust Anchor certificate. The
20-octet hashes are concatenated and included with no other
formatting.</t>
<t>The contents of the "Certification
Authority" field are defined only for X.509 certificates, which are
types 4, 12, and 13. Other values SHOULD NOT be used until
Standards-Track specifications that specify their use are published.</t>
<t>Note that the term "Certificate Request" is somewhat misleading, in
that values other than certificates are defined in a "Certificate"
payload and requests for those values can be present in a Certificate
Request payload. The syntax of the Certificate Request payload in such
cases is not defined in this document.</t>
<t>The Certificate Request payload is processed by inspecting the "Cert
Encoding" field to determine whether the processor has any certificates
of this type. If so, the "Certification Authority" field is inspected to
determine if the processor has any certificates that can be validated
up to one of the specified certification authorities. This can be a
chain of certificates.</t>
<t>If an end-entity certificate exists that satisfies the criteria
specified in the CERTREQ, a certificate or certificate chain SHOULD be
sent back to the certificate requestor if the recipient of the
CERTREQ:</t>
<t><list style='symbols'>
<t>is configured to use certificate authentication,</t>
<t>is allowed to send a CERT payload,</t>
<t>has matching CA trust policy governing the current negotiation,
and</t>
<t>has at least one time-wise and usage-appropriate end-entity
certificate chaining to a CA provided in the CERTREQ.</t> </list></t>
<t>Certificate revocation checking must be considered during the
chaining process used to select a certificate. Note that even if two
peers are configured to use two different CAs, cross-certification
relationships should be supported by appropriate selection logic.</t>
<t>The intent is not to prevent communication through the strict
adherence of selection of a certificate based on CERTREQ, when an
alternate certificate could be selected by the sender that would
still enable the recipient to successfully validate and trust it
through trust conveyed by cross-certification, CRLs, or other
out-of-band configured means. Thus, the processing of a CERTREQ
should be seen as a suggestion for a certificate to select, not a
mandated one. If no certificates exist, then the CERTREQ is ignored.
This is not an error condition of the protocol. There may be cases
where there is a preferred CA sent in the CERTREQ, but an alternate
might be acceptable (perhaps after prompting a human operator).</t>
<t>The HTTP_CERT_LOOKUP_SUPPORTED notification MAY be
included in any message that can include a CERTREQ payload and indicates
that the sender is capable of looking up certificates based on an
HTTP-based URL (and hence presumably would prefer to receive certificate
specifications in that format).</t>
</section>
<section anchor='sect-3.8' title='Authentication Payload'>
<t>The Authentication payload, denoted AUTH in this document, contains data
used for authentication purposes. The syntax of the Authentication data
varies according to the Auth Method as specified below.</t>
<t>The Authentication payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth Method | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Authentication Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: Authentication Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Auth Method (1 octet) - Specifies the method of authentication used.
The types of signatures are listed here.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
Mechanism Value
-----------------------------------------------------------------
RSA Digital Signature 1
Computed as specified in Section 2.15 using an RSA private key
with RSASSA-PKCS1-v1_5 signature scheme specified in [PKCS1]
(implementers should note that IKEv1 used a different method for
RSA signatures). To promote interoperability, implementations
that support this type SHOULD support signatures that use SHA-1
as the hash function and SHOULD use SHA-1 as the default hash
function when generating signatures. Implementations can use the
certificates received from a given peer as a hint for selecting a
mutually understood hash function for the AUTH payload signature.
Note, however, that the hash algorithm used in the AUTH payload
signature doesn't have to be the same as any hash algorithm(s)
used in the certificate(s).
Shared Key Message Integrity Code 2
Computed as specified in Section 2.15 using the shared key
associated with the identity in the ID payload and the negotiated
PRF.
DSS Digital Signature 3
Computed as specified in Section 2.15 using a DSS private key
(see [DSS]) over a SHA-1 hash.
]]></artwork></figure></t>
<t>Authentication Data (variable length) - see <xref
target='sect-2.15'/>.</t>
</list></t>
<t>The payload type for the Authentication payload is thirty-nine
(39).</t>
</section>
<section anchor='sect-3.9' title='Nonce Payload'>
<t>The Nonce payload, denoted as Ni and Nr in this document for the initiator's
and responder's nonce, respectively, contains random data used to
guarantee liveness during an exchange and protect against replay
attacks.</t>
<t>The Nonce payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Nonce Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: Nonce Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Nonce Data (variable length) - Contains the random data generated by
the transmitting entity.</t>
</list></t>
<t>The payload type for the Nonce payload is forty (40).</t>
<t>The size of the Nonce Data MUST be between 16 and 256 octets, inclusive.
Nonce values MUST NOT be reused.</t>
</section>
<section anchor='sect-3.10' title='Notify Payload'>
<t>The Notify payload, denoted N in this document, is used to transmit
informational data, such as error conditions and state transitions, to
an IKE peer. A Notify payload may appear in a response message (usually
specifying why a request was rejected), in an INFORMATIONAL Exchange (to
report an error not in an IKE request), or in any other message to
indicate sender capabilities or to modify the meaning of the
request.</t>
<t>The Notify payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol ID | SPI Size | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Security Parameter Index (SPI) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Notification Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 16: Notify Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Protocol ID (1 octet) - If this notification
concerns an existing SA whose SPI is given in the SPI field, this field
indicates the type of that SA. For notifications concerning Child SAs,
this field MUST contain either (2) to indicate AH or (3) to indicate
ESP. Of the notifications defined in this document, the
SPI is included only with INVALID_SELECTORS, REKEY_SA and
CHILD_SA_NOT_FOUND. If the SPI field is empty, this field MUST be sent
as zero and MUST be ignored on receipt.</t>
<t>SPI Size (1 octet) - Length in octets of the SPI as defined by the
IPsec protocol ID or zero if no SPI is applicable. For a notification
concerning the IKE SA, the SPI Size MUST be zero and the field must
be empty.</t>
<t>Notify Message Type (2 octets) - Specifies the type of notification
message.</t>
<t>SPI (variable length) - Security Parameter Index.</t>
<t>Notification Data (variable length) - Status or error data
transmitted in addition to the Notify Message Type. Values for this
field are type specific (see below).</t>
</list></t>
<t>The payload type for the Notify payload is forty-one (41).</t>
<section anchor='sect-3.10.1' title='Notify Message Types'>
<t>Notification information can be error messages specifying why an SA
could not be established. It can also be status data that a process
managing an SA database wishes to communicate with a peer process. The
table below lists the Notification messages and their corresponding
values. The number of different error statuses was greatly reduced from
IKEv1 both for simplification and to avoid giving configuration
information to probers.</t>
<t>Types in the range 0 - 16383 are intended for reporting errors. An
implementation receiving a Notify payload with one of these types that
it does not recognize in a response MUST assume that the corresponding
request has failed entirely. Unrecognized error types in a request and
status types in a request or response MUST be ignored, and they
should be logged.</t>
<t>Notify payloads with status types MAY be added to any message and
MUST be ignored if not recognized. They are intended to indicate
capabilities, and as part of SA negotiation, are used to negotiate
non-cryptographic parameters.</t>
<t>More information on error handling can be found in
<xref target='sect-2.21'/>.</t>
<t>The values in the following table are only current as of the
publication date of RFC 4306, plus two error types
added in this document. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
NOTIFY messages: error types Value
-------------------------------------------------------------------
UNSUPPORTED_CRITICAL_PAYLOAD 1
See Section 2.5.
INVALID_IKE_SPI 4
See Section 2.21.
INVALID_MAJOR_VERSION 5
See Section 2.5.
INVALID_SYNTAX 7
Indicates the IKE message that was received was invalid because
some type, length, or value was out of range or because the
request was rejected for policy reasons. To avoid a DoS
attack using forged messages, this status may only be
returned for and in an encrypted packet if the Message ID and
cryptographic checksum were valid. To avoid leaking information
to someone probing a node, this status MUST be sent in response
to any error not covered by one of the other status types.
To aid debugging, more detailed error information should be
written to a console or log.
INVALID_MESSAGE_ID 9
See Section 2.3.
INVALID_SPI 11
See Section 1.5.
NO_PROPOSAL_CHOSEN 14
None of the proposed crypto suites was acceptable. This can be
sent in any case where the offered proposals (including but not
limited to SA payload values, USE_TRANSPORT_MODE notify,
IPCOMP_SUPPORTED notify) are not acceptable for the responder.
This can also be used as "generic" Child SA error when Child SA
cannot be created for some other reason. See also Section 2.7.
INVALID_KE_PAYLOAD 17
See Sections 1.2 and 1.3.
AUTHENTICATION_FAILED 24
Sent in the response to an IKE_AUTH message when, for some reason,
the authentication failed. There is no associated data. See also
Section 2.21.2.
SINGLE_PAIR_REQUIRED 34
See Section 2.9.
NO_ADDITIONAL_SAS 35
See Section 1.3.
INTERNAL_ADDRESS_FAILURE 36
See Section 3.15.4.
FAILED_CP_REQUIRED 37
See Section 2.19.
TS_UNACCEPTABLE 38
See Section 2.9.
INVALID_SELECTORS 39
MAY be sent in an IKE INFORMATIONAL exchange when a node receives
an ESP or AH packet whose selectors do not match those of the SA
on which it was delivered (and that caused the packet to be
dropped). The Notification Data contains the start of the
offending packet (as in ICMP messages) and the SPI field of the
notification is set to match the SPI of the Child SA.
TEMPORARY_FAILURE 43
See section 2.25.
CHILD_SA_NOT_FOUND 44
See section 2.25.
]]></artwork></figure>
<figure><artwork><![CDATA[
NOTIFY messages: status types Value
-------------------------------------------------------------------
INITIAL_CONTACT 16384
See Section 2.4.
SET_WINDOW_SIZE 16385
See Section 2.3.
ADDITIONAL_TS_POSSIBLE 16386
See Section 2.9.
IPCOMP_SUPPORTED 16387
See Section 2.22.
NAT_DETECTION_SOURCE_IP 16388
See Section 2.23.
NAT_DETECTION_DESTINATION_IP 16389
See Section 2.23.
COOKIE 16390
See Section 2.6.
USE_TRANSPORT_MODE 16391
See Section 1.3.1.
HTTP_CERT_LOOKUP_SUPPORTED 16392
See Section 3.6.
REKEY_SA 16393
See Section 1.3.3.
ESP_TFC_PADDING_NOT_SUPPORTED 16394
See Section 1.3.1.
NON_FIRST_FRAGMENTS_ALSO 16395
See Section 1.3.1.
]]></artwork></figure>
</section>
</section>
<section anchor='sect-3.11' title='Delete Payload'>
<t>The Delete payload, denoted D in this document, contains a protocol-specific Security Association identifier that the sender has removed
from its Security Association database and is, therefore, no longer
valid. Figure 17 shows the format of the Delete payload. It is possible
to send multiple SPIs in a Delete payload; however, each SPI MUST be for
the same protocol. Mixing of protocol identifiers MUST NOT be performed
in the Delete payload. It is permitted, however, to include multiple
Delete payloads in a single INFORMATIONAL exchange where each Delete
payload lists SPIs for a different protocol.</t>
<t>Deletion of the IKE SA is indicated by a protocol ID of 1 (IKE) but
no SPIs. Deletion of a Child SA, such as ESP or AH, will contain the
IPsec protocol ID of that protocol (2 for AH, 3 for ESP), and the SPI is
the SPI the sending endpoint would expect in inbound ESP or AH
packets.</t>
<t>The Delete payload is defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol ID | SPI Size | Num of SPIs |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Security Parameter Index(es) (SPI) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: Delete Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Protocol ID (1 octet) - Must be 1 for an IKE SA, 2 for AH, or 3 for
ESP.</t>
<t>SPI Size (1 octet) - Length in octets of the SPI as defined by the
protocol ID. It MUST be zero for IKE (SPI is in message header) or four
for AH and ESP.</t>
<t>Num of SPIs (2 octets, unsigned integer) - The number of SPIs contained in the Delete
payload. The size of each SPI is defined by the SPI Size field.</t>
<t>Security Parameter Index(es) (variable length) - Identifies the
specific Security Association(s) to delete. The length of this field is
determined by the SPI Size and Num of SPIs fields.</t>
</list></t>
<t>The payload type for the Delete payload is forty-two (42).</t>
</section>
<section anchor='sect-3.12' title='Vendor ID Payload'>
<t>The Vendor ID payload, denoted V in this document, contains a vendor-defined constant. The constant is used by vendors to identify and
recognize remote instances of their implementations. This mechanism
allows a vendor to experiment with new features while maintaining
backward compatibility.</t>
<t>A Vendor ID payload MAY announce that the sender is capable of
accepting certain extensions to the protocol, or it MAY simply identify
the implementation as an aid in debugging. A Vendor ID payload MUST NOT
change the interpretation of any information defined in this
specification (i.e., the critical bit MUST be set to 0). Multiple Vendor
ID payloads MAY be sent. An implementation is not required to send any
Vendor ID payload at all.</t>
<t>A Vendor ID payload may be sent as part of any message. Reception of
a familiar Vendor ID payload allows an implementation to make use of
private use numbers described throughout this document,
such as private payloads,
private exchanges, private notifications, etc. Unfamiliar Vendor IDs
MUST be ignored.</t>
<t>Writers of documents who wish to extend this protocol MUST
define a Vendor ID payload to announce the ability to implement the
extension in the document. It is expected that documents
that gain acceptance and are standardized will be given "magic
numbers" out of the Future Use range by IANA, and the requirement to
use a Vendor ID will go away.</t>
<t>The Vendor ID payload fields are defined as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Vendor ID (VID) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: Vendor ID Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Vendor ID (variable length) - It is the responsibility of the person
choosing the Vendor ID to assure its uniqueness in spite of the absence
of any central registry for IDs. Good practice is to include a company
name, a person name, or some such information. If you want to show off, you might
include the latitude and longitude and time where you were when you
chose the ID and some random input. A message digest of a long unique
string is preferable to the long unique string itself.</t>
</list></t>
<t>The payload type for the Vendor ID payload is forty-three (43).</t>
</section>
<section anchor='sect-3.13' title='Traffic Selector Payload'>
<t>The Traffic Selector payload, denoted TS in this document, allows peers
to identify packet flows for processing by IPsec security services. The
Traffic Selector payload consists of the IKE generic payload header
followed by individual Traffic Selectors as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Number of TSs | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ <Traffic Selectors> ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Traffic Selectors Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Number of TSs (1 octet) - Number of Traffic Selectors being
provided.</t>
<t>RESERVED - This field MUST be sent as zero and MUST be ignored on
receipt.</t>
<t>Traffic Selectors (variable length) - One or more individual Traffic
Selectors.</t>
</list></t>
<t>The length of the Traffic Selector payload
includes the TS header and all the Traffic Selectors.</t>
<t>The payload type for the Traffic Selector payload is forty-four (44)
for addresses at the initiator's end of the SA and forty-five (45) for
addresses at the responder's end.</t>
<t>There is no requirement that TSi and TSr
contain the same number of individual Traffic Selectors. Thus, they are
interpreted as follows: a packet matches a given TSi/TSr if it matches
at least one of the individual selectors in TSi, and at least one of the
individual selectors in TSr.</t>
<t>For instance, the following Traffic Selectors:</t>
<figure><artwork><![CDATA[
TSi = ((17, 100, 198.51.100.66-198.51.100.66),
(17, 200, 198.51.100.66-198.51.100.66))
TSr = ((17, 300, 0.0.0.0-255.255.255.255),
(17, 400, 0.0.0.0-255.255.255.255))
]]></artwork></figure>
<t>would match UDP packets from 198.51.100.66 to anywhere, with any of the
four combinations of source/destination ports (100,300), (100,400),
(200,300), and (200, 400).</t>
<t>Thus, some types of policies may require several Child SA pairs. For
instance, a policy matching only source/destination ports (100,300) and
(200,400), but not the other two combinations, cannot be negotiated as a
single Child SA pair.</t>
<section anchor='sect-3.13.1' title='Traffic Selector'>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TS Type |IP Protocol ID*| Selector Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start Port* | End Port* |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Starting Address* ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Ending Address* ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 20: Traffic Selector
]]></artwork></figure>
<t>*Note: All fields other than TS Type and Selector Length depend
on the TS Type. The fields shown are for TS Types 7 and 8, the
only two values currently defined.</t>
<t><list style='symbols'>
<t>TS Type (one octet) - Specifies the type of Traffic Selector.</t>
<t>IP protocol ID (1 octet) - Value specifying an associated IP protocol
ID (such as UDP, TCP, and ICMP). A value of zero means that the protocol ID is
not relevant to this Traffic Selector -- the SA can carry all
protocols.</t>
<t>Selector Length - Specifies the length of this Traffic Selector
substructure including the header.</t>
<t>Start Port (2 octets, unsigned integer) - Value specifying the smallest port number
allowed by this Traffic Selector. For protocols for which port is
undefined (including protocol 0), or if all ports are allowed, this
field MUST be zero. ICMP and ICMPv6 Type and Code values, as well as
Mobile IP version 6 (MIPv6) mobility header (MH) Type values, are represented in this field as specified in
Section 4.4.1.1 of <xref target='IPSECARCH'/>. ICMP Type and Code
values are treated as a single 16-bit integer port number, with Type
in the most significant eight bits and Code in the least significant
eight bits. MIPv6 MH Type values are treated as a single 16-bit
integer port number, with Type in the most significant eight bits and
the least significant eight bits set to zero. </t>
<t>End Port (2 octets, unsigned integer) - Value specifying the largest port number
allowed by this Traffic Selector. For protocols for which port is
undefined (including protocol 0), or if all ports are allowed,
this field MUST be 65535. ICMP and ICMPv6 Type and Code values, as
well as MIPv6 MH Type values, are represented in this field as
specified in Section 4.4.1.1 of <xref target='IPSECARCH'/>. ICMP Type and Code
values are treated as a single 16-bit integer port number, with
Type in the most significant eight bits and Code in the least
significant eight bits. MIPv6 MH Type values are treated as a single 16-bit
integer port number, with Type in the most significant eight bits and
the least significant eight bits set to zero.</t>
<t>Starting Address - The smallest address included in this Traffic
Selector (length determined by TS Type).</t>
<t>Ending Address - The largest address included in this Traffic
Selector (length determined by TS Type).</t>
</list></t>
<t>Systems that are complying with <xref target='IPSECARCH'/> that wish
to indicate "ANY" ports MUST set the start port to 0 and the end port to
65535; note that according to <xref target='IPSECARCH'/>, "ANY"
includes "OPAQUE". Systems working with <xref target='IPSECARCH'/> that
wish to indicate "OPAQUE" ports, but not "ANY" ports, MUST set the start
port to 65535 and the end port to 0.</t>
<t>The Traffic Selector types 7 and 8 can also refer to ICMP or
ICMPv6 type and code fields, as well as MH Type fields for the IPv6
mobility header <xref target='MIPV6'/>. Note, however, that neither
ICMP nor MIPv6 packets have separate source and destination fields.
The method for specifying the Traffic Selectors for ICMP and MIPv6 is
shown by example in Section 4.4.1.3 of <xref target='IPSECARCH'/>.</t>
<t>The following table lists values for the Traffic
Selector Type field and the corresponding Address Selector Data.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.</t>
<figure><artwork><![CDATA[
TS Type Value
-------------------------------------------------------------------
TS_IPV4_ADDR_RANGE 7
A range of IPv4 addresses, represented by two four-octet
values. The first value is the beginning IPv4 address
(inclusive) and the second value is the ending IPv4 address
(inclusive). All addresses falling between the two specified
addresses are considered to be within the list.
TS_IPV6_ADDR_RANGE 8
A range of IPv6 addresses, represented by two sixteen-octet
values. The first value is the beginning IPv6 address
(inclusive) and the second value is the ending IPv6 address
(inclusive). All addresses falling between the two specified
addresses are considered to be within the list.
]]></artwork></figure>
</section>
</section>
<section anchor='sect-3.14' title='Encrypted Payload'>
<t>The Encrypted payload, denoted SK{...} in this document, contains other
payloads in encrypted form. The Encrypted payload, if present in a
message, MUST be the last payload in the message. Often, it is the only
payload in the message. This payload is also called the "Encrypted and
Authenticated" payload.</t>
<t>The algorithms for encryption and integrity protection are negotiated
during IKE SA setup, and the keys are computed as specified in Sections
<xref target='sect-2.14' format='counter'/> and <xref target='sect-2.18' format='counter'/>.</t>
<t>This document specifies the cryptographic processing of Encrypted
payloads using a block cipher in CBC mode and an integrity check
algorithm that computes a fixed-length checksum over a variable size
message. The design is modeled after the ESP algorithms described in
RFCs 2104 <xref target='HMAC'/>, 4303 <xref target='ESP'/>, and 2451
<xref target='ESPCBC'/>. This document completely specifies the
cryptographic processing of IKE data, but those documents should be
consulted for design rationale. Future documents may specify the
processing of Encrypted payloads for other types of transforms, such
as counter mode encryption and authenticated encryption algorithms.
Peers MUST NOT negotiate transforms for which no such specification
exists.</t>
<t>When an authenticated encryption algorithm is used to protect
the IKE SA, the construction of the Encrypted payload is different
than what is described here. See <xref target="AEAD"/> for more
information on authenticated encryption algorithms and their use
in ESP.</t>
<t>The payload type for an Encrypted payload is forty-six (46). The
Encrypted payload consists of the IKE generic payload header followed by
individual fields as follows:</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| (length is block size for encryption algorithm) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Encrypted IKE Payloads ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Padding (0-255 octets) |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| | Pad Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Integrity Checksum Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 21: Encrypted Payload Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Next Payload - The payload type of the first embedded payload. Note
that this is an exception in the standard header format, since the
Encrypted payload is the last payload in the message and therefore the
Next Payload field would normally be zero. But because the content of
this payload is embedded payloads and there was no natural place to put
the type of the first one, that type is placed here.</t>
<t>Payload Length - Includes the lengths of the header, initialization vector (IV), Encrypted
IKE payloads, Padding, Pad Length, and Integrity Checksum Data.</t>
<t>Initialization Vector - For CBC mode ciphers, the length of the
initialization vector (IV) is equal to the block length of the
underlying encryption algorithm. Senders MUST select a new
unpredictable IV for every message; recipients MUST accept any value.
The reader
is encouraged to consult <xref target='MODES'/> for advice on IV
generation. In particular, using the final ciphertext block of the
previous message is not considered unpredictable.
For modes other than CBC, the IV format and processing is specified in
the document specifying the encryption algorithm and mode.
</t>
<t>IKE payloads are as specified earlier in this section. This field is
encrypted with the negotiated cipher.</t>
<t>Padding MAY contain any value chosen by the sender, and MUST have a
length that makes the combination of the payloads, the Padding, and the
Pad Length to be a multiple of the encryption block size. This field is
encrypted with the negotiated cipher.</t>
<t>Pad Length is the length of the Padding field. The sender SHOULD set
the Pad Length to the minimum value that makes the combination of the
payloads, the Padding, and the Pad Length a multiple of the block size,
but the recipient MUST accept any length that results in proper
alignment. This field is encrypted with the negotiated cipher.</t>
<t>Integrity Checksum Data is the cryptographic checksum of the entire
message starting with the Fixed IKE header through the Pad Length. The
checksum MUST be computed over the encrypted message. Its length is
determined by the integrity algorithm negotiated.</t>
</list></t>
</section>
<section anchor='sect-3.15' title='Configuration Payload'>
<t>The Configuration payload, denoted CP in this document, is used to
exchange configuration information between IKE peers. The exchange is
for an IRAC to request an internal IP address from an IRAS and to
exchange other information of the sort that one would acquire with
Dynamic Host Configuration Protocol (DHCP) if the IRAC were directly
connected to a LAN.</t>
<t>The Configuration payload is defined as follows: </t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CFG Type | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Configuration Attributes ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 22: Configuration Payload Format
]]></artwork></figure>
<t>The payload type for the Configuration payload is forty-seven
(47).</t>
<t><list style='symbols'>
<t>CFG Type (1 octet) - The type of exchange represented by the
Configuration Attributes.
The values in the following table are only current as of the
publication date of RFC 4306. Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
CFG Type Value
--------------------------
CFG_REQUEST 1
CFG_REPLY 2
CFG_SET 3
CFG_ACK 4
]]></artwork></figure></t>
<t>RESERVED (3 octets) - MUST be sent as zero; MUST be ignored on
receipt.</t>
<t>Configuration Attributes (variable length) - These are type length
value (TLV) structures specific to the Configuration payload and are defined below.
There may be zero or more Configuration Attributes in this payload.</t>
</list></t>
<section anchor='sect-3.15.1' title='Configuration Attributes'>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R| Attribute Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Value ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 23: Configuration Attribute Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Reserved (1 bit) - This bit MUST be set to zero and MUST be ignored
on receipt.</t>
<t>Attribute Type (15 bits) - A unique identifier for each of the
Configuration Attribute Types.</t>
<t>Length (2 octets, unsigned integer) - Length in octets of value.</t>
<t>Value (0 or more octets) - The variable-length value of this
Configuration Attribute. The following lists the attribute types.</t>
</list></t>
<t>The values in the following table are only current as of the
publication date of RFC 4306
(except INTERNAL_ADDRESS_EXPIRY and
INTERNAL_IP6_NBNS which were removed by this document). Other values may have been added
since then or will be added after the publication of this document.
Readers should refer to <xref target='IKEV2IANA'/> for the latest
values.
<figure><artwork><![CDATA[
Attribute Type Value Multi-Valued Length
------------------------------------------------------------
INTERNAL_IP4_ADDRESS 1 YES* 0 or 4 octets
INTERNAL_IP4_NETMASK 2 NO 0 or 4 octets
INTERNAL_IP4_DNS 3 YES 0 or 4 octets
INTERNAL_IP4_NBNS 4 YES 0 or 4 octets
INTERNAL_IP4_DHCP 6 YES 0 or 4 octets
APPLICATION_VERSION 7 NO 0 or more
INTERNAL_IP6_ADDRESS 8 YES* 0 or 17 octets
INTERNAL_IP6_DNS 10 YES 0 or 16 octets
INTERNAL_IP6_DHCP 12 YES 0 or 16 octets
INTERNAL_IP4_SUBNET 13 YES 0 or 8 octets
SUPPORTED_ATTRIBUTES 14 NO Multiple of 2
INTERNAL_IP6_SUBNET 15 YES 17 octets
* These attributes may be multi-valued on return only if
multiple values were requested.
]]></artwork></figure></t>
<t><list style='symbols'>
<t>INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS
- An address on the internal network, sometimes called a red node
address or private address, and it MAY be a private address on the Internet.
In a request message, the address specified is a
requested address (or a zero-length address if no specific address is
requested). If a specific address is requested, it likely indicates that
a previous connection existed with this address and the requestor would
like to reuse that address. With IPv6, a requestor MAY supply the
low-order address octets it wants to use. Multiple internal addresses MAY
be requested by requesting multiple internal address attributes. The
responder MAY only send up to the number of addresses requested. The
INTERNAL_IP6_ADDRESS is made up of two fields: the first is a 16-octet
IPv6 address, and the second is a one-octet prefix-length as defined in
<xref target='ADDRIPV6'/>.
The requested address is valid as long as this IKE SA (or its rekeyed successors)
requesting the address is valid. This is described in more detail in Section 3.15.3.</t>
<t>INTERNAL_IP4_NETMASK - The internal network's netmask. Only one
netmask is allowed in the request and response messages (e.g.,
255.255.255.0), and it MUST be used only with an INTERNAL_IP4_ADDRESS
attribute. INTERNAL_IP4_NETMASK in a CFG_REPLY means
roughly the same thing as INTERNAL_IP4_SUBNET containing the same
information ("send traffic to these addresses through me"), but also
implies a link boundary. For instance, the client could use its own
address and the netmask to calculate the broadcast address of the link.
An empty INTERNAL_IP4_NETMASK attribute can be included in a CFG_REQUEST
to request this information (although the gateway can send the
information even when not requested). Non-empty values for this
attribute in a CFG_REQUEST do not make sense and thus MUST NOT be
included.</t>
<t>INTERNAL_IP4_DNS, INTERNAL_IP6_DNS - Specifies an address of a DNS
server within the network. Multiple DNS servers MAY be requested. The
responder MAY respond with zero or more DNS server attributes.
</t>
<t>INTERNAL_IP4_NBNS - Specifies an address of a
NetBios Name Server (WINS) within the network. Multiple NBNS servers
MAY be requested. The responder MAY respond with zero or more NBNS
server attributes.</t>
<t>INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP - Instructs the host to send any
internal DHCP requests to the address contained within the attribute.
Multiple DHCP servers MAY be requested. The responder MAY respond with
zero or more DHCP server attributes.</t>
<t>APPLICATION_VERSION - The version or application information of the
IPsec host. This is a string of printable ASCII characters that is NOT
null terminated.</t>
<t>INTERNAL_IP4_SUBNET - The protected sub-networks that this
edge-device protects. This attribute is made up of two fields: the
first being an IP address and the second being a netmask. Multiple
sub-networks MAY be requested. The responder MAY respond with zero or
more sub-network attributes. This is discussed in more detail in
<xref target='sect-3.15.2'/>.</t>
<t>SUPPORTED_ATTRIBUTES - When used within a Request, this attribute
MUST be zero-length and specifies a query to the responder to reply back
with all of the attributes that it supports. The response contains an
attribute that contains a set of attribute identifiers each in 2 octets.
The length divided by 2 (octets) would state the number of supported
attributes contained in the response.</t>
<t>INTERNAL_IP6_SUBNET - The protected sub-networks that this
edge-device protects. This attribute is made up of two fields: the
first is a 16-octet IPv6 address, and the second is a one-octet
prefix-length as defined in <xref target='ADDRIPV6'/>. Multiple
sub-networks MAY be requested. The responder MAY respond with zero or
more sub-network attributes. This is discussed in more detail in
<xref target='sect-3.15.2'/>.</t>
</list></t>
<t>Note that no recommendations are made in this document as to how an
implementation actually figures out what information to send in a response.
That is, we do not recommend any specific method of an IRAS determining
which DNS server should be returned to a requesting IRAC.</t>
<t>The CFG_REQUEST and CFG_REPLY pair allows an IKE endpoint to request information
from its peer. If an attribute in the CFG_REQUEST Configuration
payload is not zero-length, it is taken as a suggestion for that
attribute. The CFG_REPLY Configuration payload MAY return that
value, or a new one. It MAY also add new attributes and not include
some requested ones. Unrecognized or unsupported attributes MUST be ignored in both
requests and responses.</t>
<t>The CFG_SET and CFG_ACK pair allows an IKE endpoint to push configuration data
to its peer. In this case, the CFG_SET Configuration payload
contains attributes the initiator wants its peer to alter. The
responder MUST return a Configuration payload if it accepted any of
the configuration data and it MUST contain the attributes that the
responder accepted with zero-length data. Those attributes that it
did not accept MUST NOT be in the CFG_ACK Configuration payload. If
no attributes were accepted, the responder MUST return either an
empty CFG_ACK payload or a response message without a CFG_ACK
payload. There are currently no defined uses for the CFG_SET/CFG_ACK
exchange, though they may be used in connection with extensions based
on Vendor IDs. An implementation of this specification MAY
ignore CFG_SET payloads.</t>
</section>
<section anchor='sect-3.15.2' title='Meaning of INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET'>
<t>INTERNAL_IP4/6_SUBNET attributes can indicate additional subnets, ones
that need one or more separate SAs, that can be reached through the
gateway that announces the attributes. INTERNAL_IP4/6_SUBNET attributes
may also express the gateway's policy about what traffic should be sent
through the gateway; the client can choose whether other traffic
(covered by TSr, but not in INTERNAL_IP4/6_SUBNET) is sent through the
gateway or directly to the destination. Thus, traffic to the addresses
listed in the INTERNAL_IP4/6_SUBNET attributes should be sent through
the gateway that announces the attributes. If there are no existing
Child SAs whose Traffic Selectors cover the address in question, new SAs
need to be created.</t>
<t>For instance, if there are two
subnets, 198.51.100.0/26 and 192.0.2.0/24, and the client's request
contains the following:</t>
<figure><artwork><![CDATA[
CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS()
TSi = (0, 0-65535, 0.0.0.0-255.255.255.255)
TSr = (0, 0-65535, 0.0.0.0-255.255.255.255)
]]></artwork></figure>
<t>then a valid response could be the following (in which TSr and
INTERNAL_IP4_SUBNET contain the same information):</t>
<figure><artwork><![CDATA[
CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192)
INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0)
TSi = (0, 0-65535, 198.51.100.234-198.51.100.234)
TSr = ((0, 0-65535, 198.51.100.0-198.51.100.63),
(0, 0-65535, 192.0.2.0-192.0.2.255))
]]></artwork></figure>
<t>In these cases, the INTERNAL_IP4_SUBNET does not really carry any
useful information.</t>
<t>A different possible response would have been this:</t>
<figure><artwork><![CDATA[
CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192)
INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0)
TSi = (0, 0-65535, 198.51.100.234-198.51.100.234)
TSr = (0, 0-65535, 0.0.0.0-255.255.255.255)
]]></artwork></figure>
<t>That response would mean that the client can send all its traffic
through the gateway, but the gateway does not mind if the client sends
traffic not included by INTERNAL_IP4_SUBNET directly to the destination
(without going through the gateway).</t>
<t>A different situation arises if the gateway has a policy that
requires the traffic for the two subnets to be carried in separate
SAs. Then a response like this would indicate to the client that if
it wants access to the second subnet, it needs to create a separate
SA:</t>
<figure><artwork><![CDATA[
CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192)
INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0)
TSi = (0, 0-65535, 198.51.100.234-198.51.100.234)
TSr = (0, 0-65535, 198.51.100.0-198.51.100.63)
]]></artwork></figure>
<t>INTERNAL_IP4_SUBNET can also be useful if the client's TSr included
only part of the address space. For instance, if the client requests
the following:</t>
<figure><artwork><![CDATA[
CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS()
TSi = (0, 0-65535, 0.0.0.0-255.255.255.255)
TSr = (0, 0-65535, 192.0.2.155-192.0.2.155)
]]></artwork></figure>
<t>then the gateway's response might be:</t>
<figure><artwork><![CDATA[
CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_SUBNET(198.51.100.0/255.255.255.192)
INTERNAL_IP4_SUBNET(192.0.2.0/255.255.255.0)
TSi = (0, 0-65535, 198.51.100.234-198.51.100.234)
TSr = (0, 0-65535, 192.0.2.155-192.0.2.155)
]]></artwork></figure>
<t>Because the meaning of INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET in
CFG_REQUESTs is unclear, they cannot be used reliably in
CFG_REQUESTs.</t>
</section>
<section anchor='sect-3.15.3' title='Configuration Payloads for IPv6'>
<t>The Configuration payloads for IPv6 are based on the corresponding
IPv4 payloads, and do not fully follow the "normal IPv6 way of doing
things". In particular, IPv6 stateless autoconfiguration or router
advertisement messages are not used, neither is neighbor discovery.
Note that there is an additional document that discusses IPv6 configuration
in IKEv2, <xref target='IPV6CONFIG'/>. At the present time, it is an experimental
document, but there is a hope that with more implementation experience,
it will gain the same standards treatment as this document.</t>
<t>A client can be assigned an IPv6 address using the
INTERNAL_IP6_ADDRESS Configuration payload. A minimal exchange might
look like this:</t>
<figure><artwork><![CDATA[
CP(CFG_REQUEST) =
INTERNAL_IP6_ADDRESS()
INTERNAL_IP6_DNS()
TSi = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
CP(CFG_REPLY) =
INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
TSi = (0, 0-65535, 2001:DB8:0:1:2:3:4:5 - 2001:DB8:0:1:2:3:4:5)
TSr = (0, 0-65535, :: - FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
]]></artwork></figure>
<t>The client MAY send a non-empty INTERNAL_IP6_ADDRESS attribute
in the CFG_REQUEST to request a specific address or interface
identifier. The gateway first checks if the specified address is
acceptable, and if it is, returns that one. If the address was not
acceptable, the gateway attempts to use the interface identifier
with some other prefix; if even that fails, the gateway selects
another interface identifier.</t>
<t>The INTERNAL_IP6_ADDRESS attribute also contains a prefix length
field. When used in a CFG_REPLY, this corresponds to the
INTERNAL_IP4_NETMASK attribute in the IPv4 case.</t>
<t>Although this approach to configuring IPv6 addresses is reasonably
simple, it has some limitations. IPsec tunnels configured using IKEv2
are not fully featured "interfaces" in the IPv6 addressing
architecture sense
<xref target ='ADDRIPV6'/>. In particular, they do not
necessarily have link-local addresses, and this may complicate the
use of protocols that assume them, such as
<xref target='MLDV2'/>.</t>
</section>
<section anchor='sect-3.15.4' title='Address Assignment Failures'>
<t>If the responder encounters an error while attempting to assign an IP
address to the initiator during the processing of a Configuration
payload, it responds with an INTERNAL_ADDRESS_FAILURE notification.
The IKE SA is still created even if the initial Child SA cannot be created
because of this failure.
If this error is generated within an IKE_AUTH exchange, no
Child SA will be created. However, there are some more complex error
cases.</t>
<t>If the responder does not support Configuration payloads at all, it
can simply ignore all Configuration payloads. This type of
implementation never sends INTERNAL_ADDRESS_FAILURE notifications. If
the initiator requires the assignment of an IP address, it will treat a
response without CFG_REPLY as an error.</t>
<t>The initiator may request a particular type of address (IPv4 or IPv6)
that the responder does not support, even though the responder supports
Configuration payloads. In this case, the responder simply ignores the
type of address it does not support and processes the rest of the
request as usual.</t>
<t>If the initiator requests multiple addresses of a type that the
responder supports, and some (but not all) of the requests fail, the
responder replies with the successful addresses only. The responder
sends INTERNAL_ADDRESS_FAILURE only if no addresses can be assigned.</t>
<t>If the initiator does not receive the IP address(es) required by
its policy, it MAY keep the IKE SA up and retry the Configuration
payload as separate INFORMATIONAL exchange after suitable timeout, or
it MAY tear down the IKE SA by sending a Delete payload inside a
separate INFORMATIONAL exchange and later retry IKE SA from the
beginning after some timeout. Such a timeout should not be too short
(especially if the IKE SA is started from the beginning) because
these error situations may not be able to be fixed quickly; the
timeout should likely be several minutes. For example, an address
shortage problem on the responder will probably only be fixed when
more entries are returned to the address pool when other clients
disconnect or when responder is reconfigured with larger address
pool.</t>
</section>
</section>
<section anchor='sect-3.16' title='Extensible Authentication Protocol (EAP) Payload'>
<t>The Extensible Authentication Protocol payload, denoted EAP in this
document, allows IKE SAs to be authenticated using the protocol defined in
RFC 3748 <xref target='EAP'/> and subsequent extensions to that
protocol.
When using EAP, an appropriate EAP method needs to be selected. Many
of these methods have been defined, specifying the protocol's use
with various authentication mechanisms. EAP method types are listed in
<xref target="EAP-IANA"/>. A short summary of the EAP format is included here for
clarity.</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ EAP Message ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 24: EAP Payload Format
]]></artwork></figure>
<t>The payload type for an EAP payload is forty-eight (48).</t>
<figure><artwork><![CDATA[
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Type_Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure 25: EAP Message Format
]]></artwork></figure>
<t><list style='symbols'>
<t>Code (1 octet) indicates whether this message is a Request (1),
Response (2), Success (3), or Failure (4).</t>
<t>Identifier (1 octet) is used in PPP to distinguish replayed
messages from repeated ones. Since in IKE, EAP runs over a reliable
protocol, it serves no function here. In a response message, this octet
MUST be set to match the identifier in the corresponding request.</t>
<t>Length (2 octets, unsigned integer) is the length of the EAP message and MUST be four
less than the Payload Length of the encapsulating payload.</t>
<t>Type (1 octet) is present only if the Code field is Request (1) or
Response (2). For other codes, the EAP message length MUST be four
octets and the Type and Type_Data fields MUST NOT be present. In a
Request (1) message, Type indicates the data being requested. In a
Response (2) message, Type MUST either be Nak or match the type of the
data requested. Note that since IKE passes an indication of initiator identity in
the first message in the IKE_AUTH exchange, the responder SHOULD NOT send EAP Identity
requests (type 1). The initiator MAY, however, respond to such requests
if it receives them.</t>
<t>Type_Data (Variable Length) varies with the Type of Request and the
associated Response. For the documentation of the EAP methods, see <xref
target='EAP'/>.</t>
</list></t>
<t>Note that since IKE passes an indication of initiator identity in
the first message in the IKE_AUTH exchange, the responder should not send EAP Identity
requests. The initiator may, however, respond to such requests if it
receives them.</t>
</section>
</section> <!-- end of 3 -->
<section anchor='sect-4' title='Conformance Requirements'>
<t>In order to assure that all implementations of IKEv2 can
interoperate, there are "MUST support" requirements in addition to those
listed elsewhere. Of course, IKEv2 is a security protocol, and one of
its major functions is to allow only authorized parties to successfully
complete establishment of SAs. So a particular implementation may be
configured with any of a number of restrictions concerning algorithms
and trusted authorities that will prevent universal
interoperability.</t>
<t>IKEv2 is designed to permit minimal implementations that can
interoperate with all compliant implementations. The following are
features that can be omitted in a minimal implementation:</t>
<t><list style='symbols'>
<t>Ability to negotiate SAs through a NAT and tunnel the resulting ESP
SA over UDP.</t>
<t>Ability to request (and respond to a request for) a temporary IP
address on the remote end of a tunnel.</t>
<t>Ability to support EAP-based authentication.</t>
<t>Ability to support window sizes greater than one.</t>
<t>Ability to establish multiple ESP or AH SAs within a single
IKE SA.</t>
<t>Ability to rekey SAs.</t>
</list></t>
<t>To assure interoperability, all implementations MUST be capable of
parsing all payload types (if only to skip over them) and to ignore
payload types that it does not support unless the critical bit is set in
the payload header. If the critical bit is set in an unsupported payload
header, all implementations MUST reject the messages containing those
payloads.</t>
<t>Every implementation MUST be capable of doing four-message
IKE_SA_INIT and IKE_AUTH exchanges establishing two SAs (one for IKE,
one for ESP or AH). Implementations MAY be initiate-only or
respond-only if appropriate for their platform. Every implementation
MUST be capable of responding to an INFORMATIONAL exchange, but a
minimal implementation MAY respond to any request in the INFORMATIONAL exchange with an
empty response (note that within the context of an IKE SA, an
"empty" message consists of an IKE header followed by an Encrypted
payload with no payloads contained in it). A minimal implementation MAY
support the CREATE_CHILD_SA exchange only in so far as to recognize
requests and reject them with a Notify payload of type
NO_ADDITIONAL_SAS. A minimal implementation need not be able to initiate
CREATE_CHILD_SA or INFORMATIONAL exchanges. When an SA expires (based on
locally configured values of either lifetime or octets passed), and
implementation MAY either try to renew it with a CREATE_CHILD_SA
exchange or it MAY delete (close) the old SA and create a new one. If
the responder rejects the CREATE_CHILD_SA request with a
NO_ADDITIONAL_SAS notification, the implementation MUST be capable of
instead deleting the old SA and creating a new one.</t>
<t>Implementations are not required to support requesting temporary IP
addresses or responding to such requests. If an implementation does
support issuing such requests and its policy requires using temporary
IP addresses, it MUST include a CP payload in the first message in the IKE_AUTH exchange
containing at least a field of type INTERNAL_IP4_ADDRESS or
INTERNAL_IP6_ADDRESS. All other fields are optional. If an
implementation supports responding to such requests, it MUST parse the
CP payload of type CFG_REQUEST in the first message in the IKE_AUTH exchange and recognize a field of
type INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS. If it supports
leasing an address of the appropriate type, it MUST return a CP payload
of type CFG_REPLY containing an address of the requested type.
The responder may include any other related attributes.</t>
<t>For an implementation to be called conforming to this specification,
it MUST be possible to configure it to accept the following:</t>
<t><list style='symbols'>
<t>Public Key Infrastructure using X.509 (PKIX) Certificates containing and signed by RSA keys of size 1024 or
2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN,
ID_RFC822_ADDR, or ID_DER_ASN1_DN.</t>
<t>Shared key authentication where the ID passed is any of ID_KEY_ID,
ID_FQDN, or ID_RFC822_ADDR.</t>
<t>Authentication where the responder is authenticated using PKIX
Certificates and the initiator is authenticated using shared key
authentication.</t>
</list></t>
</section> <!-- end of 4 -->
<section anchor='sect-5' title='Security Considerations'>
<t>While this protocol is designed to minimize disclosure of
configuration information to unauthenticated peers, some such disclosure
is unavoidable. One peer or the other must identify itself first and
prove its identity first. To avoid probing, the initiator of an exchange
is required to identify itself first, and usually is required to
authenticate itself first. The initiator can, however, learn that the
responder supports IKE and what cryptographic protocols it supports. The
responder (or someone impersonating the responder) can probe the
initiator not only for its identity, but using CERTREQ payloads may be
able to determine what certificates the initiator is willing to use.</t>
<t>Use of EAP authentication changes the probing possibilities somewhat.
When EAP authentication is used, the responder proves its identity
before the initiator does, so an initiator that knew the name of a valid
initiator could probe the responder for both its name and
certificates.</t>
<t>Repeated rekeying using CREATE_CHILD_SA without additional
Diffie-Hellman exchanges leaves all SAs vulnerable to cryptanalysis of a
single key. Implementers should take note
of this fact and set a limit on CREATE_CHILD_SA exchanges between
exponentiations. This document does not prescribe such a limit.</t>
<t>The strength of a key derived from a Diffie-Hellman exchange using
any of the groups defined here depends on the inherent strength of the
group, the size of the exponent used, and the entropy provided by the
random number generator used. Due to these inputs, it is difficult to
determine the strength of a key for any of the defined groups.
Diffie-Hellman group number two, when used with a strong random number
generator and an exponent no less than 200 bits, is common for use with
3DES. Group five provides greater security than group two. Group one is
for historic purposes only and does not provide sufficient strength
except for use with DES, which is also for historic use only.
Implementations should make note of these estimates when establishing
policy and negotiating security parameters.</t>
<t>Note that these limitations are on the Diffie-Hellman groups
themselves. There is nothing in IKE that prohibits using stronger
groups nor is there anything that will dilute the strength obtained
from stronger groups (limited by the strength of the other algorithms
negotiated including the PRF). In fact, the extensible
framework of IKE encourages the definition of more groups; use of
elliptic curve groups may greatly increase strength using much smaller
numbers.</t>
<t>It is assumed that all Diffie-Hellman exponents are erased from
memory after use.</t>
<t>The IKE_SA_INIT and IKE_AUTH exchanges happen before the initiator
has been authenticated. As a result, an implementation of this
protocol needs to be completely robust when deployed on any insecure
network. Implementation vulnerabilities, particularly
DoS attacks, can be exploited by unauthenticated peers.
This issue is particularly worrisome because of the unlimited number
of messages in EAP-based authentication.</t>
<t>The strength of all keys is limited by the size of the output of the
negotiated PRF. For this reason, a PRF whose output is
less than 128 bits (e.g., 3DES-CBC) MUST NOT be used with this
protocol.</t>
<t>The security of this protocol is critically dependent on the
randomness of the randomly chosen parameters. These should be generated
by a strong random or properly seeded pseudorandom source (see <xref
target='RANDOMNESS'/>). Implementers should take care to ensure that use of
random numbers for both keys and nonces is engineered in a fashion that
does not undermine the security of the keys.</t>
<t>For information on the rationale of many of the cryptographic design
choices in this protocol, see <xref target='SIGMA'/> and
<xref target='SKEME'/>. Though the
security of negotiated Child SAs does not depend on the strength of the
encryption and integrity protection negotiated in the IKE SA,
implementations MUST NOT negotiate NONE as the IKE integrity protection
algorithm or ENCR_NULL as the IKE encryption algorithm.</t>
<t>When using pre-shared keys, a critical consideration is how to assure
the randomness of these secrets. The strongest practice is to ensure
that any pre-shared key contain as much randomness as the strongest key
being negotiated. Deriving a shared secret from a password, name, or
other low-entropy source is not secure. These sources are subject to
dictionary and social-engineering attacks, among others.</t>
<t>The NAT_DETECTION_*_IP notifications contain a hash of the addresses
and ports in an attempt to hide internal IP addresses behind a NAT.
Since the IPv4 address space is only 32 bits, and it is usually very
sparse, it would be possible for an attacker to find out the internal
address used behind the NAT box by trying all possible IP addresses and
trying to find the matching hash. The port numbers are normally fixed to
500, and the SPIs can be extracted from the packet. This reduces the
number of hash calculations to 2^32. With an educated guess of the use
of private address space, the number of hash calculations is much
smaller. Designers should therefore not assume that use of IKE will not
leak internal address information.</t>
<t>When using an EAP authentication method that does not generate a
shared key for protecting a subsequent AUTH payload, certain
man-in-the-middle and server-impersonation attacks are possible <xref
target='EAPMITM'/>. These vulnerabilities occur when EAP is also used
in protocols that are not protected with a secure tunnel. Since EAP is
a general-purpose authentication protocol, which is often used to
provide single-signon facilities, a deployed IPsec solution that relies
on an EAP authentication method that does not generate a shared key
(also known as a non-key-generating EAP method) can become compromised
due to the deployment of an entirely unrelated application that also
happens to use the same non-key-generating EAP method, but in an
unprotected fashion. Note that this vulnerability is not limited to just
EAP, but can occur in other scenarios where an authentication
infrastructure is reused. For example, if the EAP mechanism used by
IKEv2 utilizes a token authenticator, a man-in-the-middle attacker could
impersonate the web server, intercept the token authentication exchange,
and use it to initiate an IKEv2 connection. For this reason, use of
non-key-generating EAP methods SHOULD be avoided where possible. Where
they are used, it is extremely important that all usages of these EAP
methods SHOULD utilize a protected tunnel, where the initiator validates
the responder's certificate before initiating the EAP authentication.
Implementers should describe the vulnerabilities of using
non-key-generating EAP methods in the documentation of their
implementations so that the administrators deploying IPsec solutions are
aware of these dangers.</t>
<t>An implementation using EAP MUST also use a public-key-based
authentication of the server to the client before the EAP authentication
begins, even if the EAP method offers mutual authentication. This avoids
having additional IKEv2 protocol variations and protects the EAP data
from active attackers.</t>
<t>If the messages of IKEv2 are long enough that IP-level fragmentation
is necessary, it is possible that attackers could prevent the exchange
from completing by exhausting the reassembly buffers. The chances of
this can be minimized by using the Hash and URL encodings instead of
sending certificates (see <xref target='sect-3.6'/>). Additional
mitigations are discussed in <xref target='DOSUDPPROT'/>.</t>
<t>Admission control is critical to the security of the protocol. For
example, trust anchors used for identifying IKE peers should probably
be different than those used for other forms of trust, such as those
used to identify public web servers. Moreover, although IKE provides
a great deal of leeway in defining the security policy for a trusted
peer's identity, credentials, and the correlation between them,
having such security policy defined explicitly is essential to a
secure implementation.</t>
<section anchor='sect-5.1' title='Traffic Selector Authorization'>
<t>IKEv2 relies on information in the Peer Authorization Database (PAD)
when determining what kind of Child SAs a peer is allowed to create.
This process is described in Section 4.4.3 of <xref target='IPSECARCH'/>.
When a peer requests the creation of an Child SA with some Traffic
Selectors, the PAD must contain "Child SA Authorization Data" linking
the identity authenticated by IKEv2 and the addresses permitted for
Traffic Selectors.</t>
<t>For example, the PAD might be configured so that authenticated
identity "sgw23.example.com" is allowed to create Child SAs for
192.0.2.0/24, meaning this security gateway is a valid "representative"
for these addresses. Host-to-host IPsec requires similar entries,
linking, for example, "fooserver4.example.com" with 198.51.100.66/32,
meaning this identity is a valid "owner" or "representative" of the address
in question.</t>
<t>As noted in <xref target='IPSECARCH'/>, "It is necessary to impose
these constraints on creation of child SAs to prevent an authenticated
peer from spoofing IDs associated with other, legitimate peers". In the
example given above, a correct configuration of the PAD prevents sgw23
from creating Child SAs with address 198.51.100.66, and prevents fooserver4
from creating Child SAs with addresses from 192.0.2.0/24.</t>
<t>It is important to note that simply sending IKEv2 packets using some
particular address does not imply a permission to create Child SAs with
that address in the Traffic Selectors. For example, even if sgw23 would
be able to spoof its IP address as 198.51.100.66, it could not create Child
SAs matching fooserver4's traffic.</t>
<t>The IKEv2 specification does not specify how exactly IP address
assignment using Configuration payloads interacts with the PAD. Our
interpretation is that when a security gateway assigns an address using
Configuration payloads, it also creates a temporary PAD entry linking
the authenticated peer identity and the newly allocated inner
address.</t>
<t>It has been recognized that configuring the PAD correctly may be
difficult in some environments. For instance, if IPsec is used between
a pair of hosts whose addresses are allocated dynamically using DHCP, it
is extremely difficult to ensure that the PAD specifies the correct
"owner" for each IP address. This would require a mechanism to securely
convey address assignments from the DHCP server, and link them to
identities authenticated using IKEv2.</t>
<t>Due to this limitation, some vendors have been known to configure
their PADs to allow an authenticated peer to create Child SAs with
Traffic Selectors containing the same address that was used for the
IKEv2 packets. In environments where IP spoofing is possible (i.e.,
almost everywhere) this essentially allows any peer to create Child SAs
with any Traffic Selectors. This is not an appropriate or secure
configuration in most circumstances. See <xref target='H2HIPSEC'/> for
an extensive discussion about this issue, and the limitations of
host-to-host IPsec in general.</t>
</section>
</section> <!-- end of 5 -->
<section anchor='sect-6' title='IANA Considerations'>
<t><xref target='IKEV2'/> defined many field types and values.
IANA has already registered those types and values
in <xref target='IKEV2IANA'/>, so they are not listed here again.</t>
<t>One item has been removed from the IKEv2 Certificate Encodings
table: "Raw RSA Key".</t>
<t>IANA has updated all references to RFC 5996
to point to this document.</t>
</section> <!-- end of 6 -->
<section anchor='sect-7' title='Acknowledgements'>
<t>Many individuals in the IPsecME Working Group were very helpful in
contributing ideas and text for this document, as well as in
reviewing the clarifications suggested by others.</t>
<t>The acknowledgements from the IKEv2 document were:</t>
<t>This document is a collaborative effort of the entire IPsec WG. If
there were no limit to the number of authors that could appear on an
RFC, the following, in alphabetical order, would have been listed: Bill
Aiello, Stephane Beaulieu, Steve Bellovin, Sara Bitan, Matt Blaze, Ran
Canetti, Darren Dukes, Dan Harkins, Paul Hoffman, John Ioannidis,
Charlie Kaufman, Steve Kent, Angelos Keromytis, Tero Kivinen, Hugo
Krawczyk, Andrew Krywaniuk, Radia Perlman, Omer Reingold, and Michael
Richardson. Many other people contributed to the design. It is an
evolution of IKEv1, ISAKMP, and the IPsec DOI, each of which has its own
list of authors. Hugh Daniel suggested the feature of having the
initiator, in message 3, specify a name for the responder, and gave the
feature the cute name "You Tarzan, Me Jane". David Faucher and Valery
Smyslov helped refine the design of the Traffic Selector
negotiation.</t>
</section> <!-- end of 7 -->
</middle>
<back>
<references title="Normative References">
<?rfc rfcedstyle="no" ?>
<reference anchor='ADDGROUP'>
<front>
<title>More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)</title>
<author initials='T.' surname='Kivinen' fullname='T. Kivinen'>
<organization /></author>
<author initials='M.' surname='Kojo' fullname='M. Kojo'>
<organization /></author>
<date year='2003' month='May' />
<abstract>
<t>This document defines new Modular Exponential (MODP) Groups for the Internet Key Exchange (IKE) protocol. It documents the well known and used 1536 bit group 5, and also defines new 2048, 3072, 4096, 6144, and 8192 bit Diffie-Hellman groups numbered starting at 14. The selection of the primes for theses groups follows the criteria established by Richard Schroeppel. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3526' />
</reference>
<reference anchor='ADDRIPV6'>
<front>
<title>IP Version 6 Addressing Architecture</title>
<author initials='R.' surname='Hinden' fullname='R. Hinden'>
<organization /></author>
<author initials='S.' surname='Deering' fullname='S. Deering'>
<organization /></author>
<date year='2006' month='February' />
<abstract>
<t>This specification defines the addressing architecture of the IP Version 6 (IPv6) protocol. The document includes the IPv6 addressing model, text representations of IPv6 addresses, definition of IPv6 unicast addresses, anycast addresses, and multicast addresses, and an IPv6 node's required addresses.</t><t> This document obsoletes RFC 3513, "IP Version 6 Addressing Architecture". [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4291' />
</reference>
<reference anchor="AEAD">
<front>
<title>Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol</title>
<author initials='D.' surname='Black' fullname='D. Black'>
<organization /></author>
<author initials='D.' surname='McGrew' fullname='D. McGrew'>
<organization /></author>
<date year='2008' month='August' />
<abstract>
<t>An authenticated encryption algorithm combines encryption and integrity into a single operation; such algorithms may also be referred to as combined modes of an encryption cipher or as combined mode algorithms. This document describes the use of authenticated encryption algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) protocol.</t><t> The use of two specific authenticated encryption algorithms with the IKEv2 Encrypted Payload is also described; these two algorithms are the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES GCM) and AES in Counter with CBC-MAC Mode (AES CCM). Additional documents may describe the use of other authenticated encryption algorithms with the IKEv2 Encrypted Payload. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5282' />
<format type='TXT' octets='42137' target='http://www.rfc-editor.org/rfc/rfc5282.txt' />
</reference>
<reference anchor='AESCMACPRF128'>
<front>
<title>The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)</title>
<author initials='J.' surname='Song' fullname='J. Song'>
<organization /></author>
<author initials='R.' surname='Poovendran' fullname='R. Poovendran'>
<organization /></author>
<author initials='J.' surname='Lee' fullname='J. Lee'>
<organization /></author>
<author initials='T.' surname='Iwata' fullname='T. Iwata'>
<organization /></author>
<date year='2006' month='August' />
<abstract>
<t>Some implementations of IP Security (IPsec) may want to use a pseudo-random function (PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, called AES-CMAC-PRF-128. It supports fixed and variable key sizes. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4615' />
</reference>
<reference anchor='AESXCBCPRF128'>
<front>
<title>The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)</title>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<date year='2006' month='February' />
<abstract>
<t>Some implementations of IP Security (IPsec) may want to use a pseudo-random function derived from the Advanced Encryption Standard (AES). This document describes such an algorithm, called AES-XCBC-PRF-128. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4434' />
</reference>
<reference anchor='EAP'>
<front>
<title>Extensible Authentication Protocol (EAP)</title>
<author initials='B.' surname='Aboba' fullname='B. Aboba'>
<organization /></author>
<author initials='L.' surname='Blunk' fullname='L. Blunk'>
<organization /></author>
<author initials='J.' surname='Vollbrecht' fullname='J. Vollbrecht'>
<organization /></author>
<author initials='J.' surname='Carlson' fullname='J. Carlson'>
<organization /></author>
<author initials='H.' surname='Levkowetz' fullname='H. Levkowetz'>
<organization /></author>
<date year='2004' month='June' />
<abstract>
<t>This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. This document obsoletes RFC 2284. A summary of the changes between this document and RFC 2284 is available in Appendix A. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3748' />
</reference>
<reference anchor='ECN'>
<front>
<title>The Addition of Explicit Congestion Notification (ECN) to IP</title>
<author initials='K.' surname='Ramakrishnan' fullname='K. Ramakrishnan'>
<organization /></author>
<author initials='S.' surname='Floyd' fullname='S. Floyd'>
<organization /></author>
<author initials='D.' surname='Black' fullname='D. Black'>
<organization /></author>
<date year='2001' month='September' />
<abstract>
<t>This memo specifies the incorporation of ECN (Explicit Congestion Notification) to TCP and IP, including ECN's use of two bits in the IP header. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3168' />
</reference>
<reference anchor='ESPCBC'>
<front>
<title>The ESP CBC-Mode Cipher Algorithms</title>
<author initials='R.' surname='Pereira' fullname='Roy Pereira'>
<organization>TimeStep Corporation</organization>
<address>
<phone>+1 613 599 3610 x 4808</phone>
<email>rpereira@timestep.com</email></address></author>
<author initials='R.' surname='Adams' fullname='Rob Adams'>
<organization>Cisco Systems Inc.</organization>
<address>
<phone>+1 408 457 5397</phone>
<email>adams@cisco.com</email></address></author>
<date year='1998' month='November' />
<area>Internet</area>
<area>Security</area>
<keyword>IP security protocol</keyword>
<keyword>cipher block chaining</keyword>
<keyword>encapsulate</keyword>
<keyword>encapsulating security payload</keyword>
<keyword>encryption</keyword>
<keyword>security</keyword>
<abstract>
<t>
This document describes how to use CBC-mode cipher algorithms with
the IPSec ESP (Encapsulating Security Payload) Protocol. It not only
clearly states how to use certain cipher algorithms, but also how to
use all CBC-mode cipher algorithms.
</t></abstract></front>
<seriesInfo name='RFC' value='2451' />
</reference>
<reference anchor='HTTP'>
<front>
<title abbrev='HTTP/1.1'>Hypertext Transfer Protocol -- HTTP/1.1</title>
<author initials='R.' surname='Fielding' fullname='Roy T. Fielding'>
<organization abbrev='UC Irvine'>Department of Information and Computer Science</organization>
<address>
<postal>
<street>University of California, Irvine</street>
<city>Irvine</city>
<region>CA</region>
<code>92697-3425</code></postal>
<facsimile>+1(949)824-1715</facsimile>
<email>fielding@ics.uci.edu</email></address></author>
<author initials='J.' surname='Gettys' fullname='James Gettys'>
<organization abbrev='Compaq/W3C'>World Wide Web Consortium</organization>
<address>
<postal>
<street>MIT Laboratory for Computer Science, NE43-356</street>
<street>545 Technology Square</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139</code></postal>
<facsimile>+1(617)258-8682</facsimile>
<email>jg@w3.org</email></address></author>
<author initials='J.' surname='Mogul' fullname='Jeffrey C. Mogul'>
<organization abbrev='Compaq'>Compaq Computer Corporation</organization>
<address>
<postal>
<street>Western Research Laboratory</street>
<street>250 University Avenue</street>
<city>Palo Alto</city>
<region>CA</region>
<code>94305</code></postal>
<email>mogul@wrl.dec.com</email></address></author>
<author initials='H.' surname='Frystyk' fullname='Henrik Frystyk Nielsen'>
<organization abbrev='W3C/MIT'>World Wide Web Consortium</organization>
<address>
<postal>
<street>MIT Laboratory for Computer Science, NE43-356</street>
<street>545 Technology Square</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139</code></postal>
<facsimile>+1(617)258-8682</facsimile>
<email>frystyk@w3.org</email></address></author>
<author initials='L.' surname='Masinter' fullname='Larry Masinter'>
<organization abbrev='Xerox'>Xerox Corporation</organization>
<address>
<postal>
<street>MIT Laboratory for Computer Science, NE43-356</street>
<street>3333 Coyote Hill Road</street>
<city>Palo Alto</city>
<region>CA</region>
<code>94034</code></postal>
<email>masinter@parc.xerox.com</email></address></author>
<author initials='P.' surname='Leach' fullname='Paul J. Leach'>
<organization abbrev='Microsoft'>Microsoft Corporation</organization>
<address>
<postal>
<street>1 Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98052</code></postal>
<email>paulle@microsoft.com</email></address></author>
<author initials='T.' surname='Berners-Lee' fullname='Tim Berners-Lee'>
<organization abbrev='W3C/MIT'>World Wide Web Consortium</organization>
<address>
<postal>
<street>MIT Laboratory for Computer Science, NE43-356</street>
<street>545 Technology Square</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139</code></postal>
<facsimile>+1(617)258-8682</facsimile>
<email>timbl@w3.org</email></address></author>
<date year='1999' month='June' />
<abstract>
<t>
The Hypertext Transfer Protocol (HTTP) is an application-level
protocol for distributed, collaborative, hypermedia information
systems. It is a generic, stateless, protocol which can be used for
many tasks beyond its use for hypertext, such as name servers and
distributed object management systems, through extension of its
request methods, error codes and headers . A feature of HTTP is
the typing and negotiation of data representation, allowing systems
to be built independently of the data being transferred.
</t>
<t>
HTTP has been in use by the World-Wide Web global information
initiative since 1990. This specification defines the protocol
referred to as "HTTP/1.1", and is an update to RFC 2068 .
</t></abstract></front>
<seriesInfo name='RFC' value='2616' />
</reference>
<reference anchor='IKEV2IANA' target='http://www.iana.org'>
<front>
<title>Internet Key Exchange Version 2 (IKEv2) Parameters</title>
<author fullname='IANA'><organization/></author>
</front>
</reference>
<reference anchor='IPSECARCH'>
<front>
<title>Security Architecture for the Internet Protocol</title>
<author initials='S.' surname='Kent' fullname='S. Kent'>
<organization /></author>
<author initials='K.' surname='Seo' fullname='K. Seo'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4301' />
</reference>
<reference anchor='MUSTSHOULD'>
<front>
<title abbrev='RFC Key Words'>Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials='S.' surname='Bradner' fullname='Scott Bradner'>
<organization>Harvard University</organization>
<address>
<postal>
<street>1350 Mass. Ave.</street>
<street>Cambridge</street>
<street>MA 02138</street></postal>
<phone>- +1 617 495 3864</phone>
<email>sob@harvard.edu</email></address></author>
<date year='1997' month='March' />
<area>General</area>
<keyword>keyword</keyword>
<abstract>
<t>
In many standards track documents several words are used to signify
the requirements in the specification. These words are often
capitalized. This document defines these words as they should be
interpreted in IETF documents. Authors who follow these guidelines
should incorporate this phrase near the beginning of their document:
<list>
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119.
</t></list></t>
<t>
Note that the force of these words is modified by the requirement
level of the document in which they are used.
</t></abstract></front>
<seriesInfo name='BCP' value='14' />
<seriesInfo name='RFC' value='2119' />
</reference>
<reference anchor='PKCS1'>
<front>
<title>Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1</title>
<author initials='J.' surname='Jonsson' fullname='J. Jonsson'>
<organization /></author>
<author initials='B.' surname='Kaliski' fullname='B. Kaliski'>
<organization /></author>
<date year='2003' month='February' />
<abstract>
<t>This memo represents a republication of PKCS #1 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document is taken directly from the PKCS #1 v2.1 document, with certain corrections made during the publication process. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='3447' />
</reference>
<reference anchor='PKIX'>
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
<author initials='D.' surname='Cooper' fullname='D. Cooper'>
<organization /></author>
<author initials='S.' surname='Santesson' fullname='S. Santesson'>
<organization /></author>
<author initials='S.' surname='Farrell' fullname='S. Farrell'>
<organization /></author>
<author initials='S.' surname='Boeyen' fullname='S. Boeyen'>
<organization /></author>
<author initials='R.' surname='Housley' fullname='R. Housley'>
<organization /></author>
<author initials='W.' surname='Polk' fullname='W. Polk'>
<organization /></author>
<date year='2008' month='May' />
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5280' />
</reference>
<reference anchor='RFC4307'>
<front>
<title>Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)</title>
<author initials='J.' surname='Schiller' fullname='J. Schiller'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>The IPsec series of protocols makes use of various cryptographic algorithms in order to provide security services. The Internet Key Exchange (IKE (RFC 2409) and IKEv2) provide a mechanism to negotiate which algorithms should be used in any given association. However, to ensure interoperability between disparate implementations, it is necessary to specify a set of mandatory-to-implement algorithms to ensure that there is at least one algorithm that all implementations will have available. This document defines the current set of algorithms that are mandatory to implement as part of IKEv2, as well as algorithms that should be implemented because they may be promoted to mandatory at some future time. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4307' />
<format type='TXT' octets='12985' target='http://www.rfc-editor.org/rfc/rfc4307.txt' />
</reference>
<reference anchor='UDPENCAPS'>
<front>
<title>UDP Encapsulation of IPsec ESP Packets</title>
<author initials='A.' surname='Huttunen' fullname='A. Huttunen'>
<organization /></author>
<author initials='B.' surname='Swander' fullname='B. Swander'>
<organization /></author>
<author initials='V.' surname='Volpe' fullname='V. Volpe'>
<organization /></author>
<author initials='L.' surname='DiBurro' fullname='L. DiBurro'>
<organization /></author>
<author initials='M.' surname='Stenberg' fullname='M. Stenberg'>
<organization /></author>
<date year='2005' month='January' />
<abstract>
<t>This protocol specification defines methods to encapsulate and decapsulate IP Encapsulating Security Payload (ESP) packets inside UDP packets for traversing Network Address Translators. ESP encapsulation, as defined in this document, can be used in both IPv4 and IPv6 scenarios. Whenever negotiated, encapsulation is used with Internet Key Exchange (IKE). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3948' />
</reference>
<reference anchor='URLS'>
<front>
<title abbrev='URI Generic Syntax'>Uniform Resource Identifier (URI): Generic Syntax</title>
<author initials='T.' surname='Berners-Lee' fullname='Tim Berners-Lee'>
<organization abbrev='W3C/MIT'>World Wide Web Consortium</organization>
<address>
<postal>
<street>Massachusetts Institute of Technology</street>
<street>77 Massachusetts Avenue</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139</code>
<country>USA</country></postal>
<phone>+1-617-253-5702</phone>
<facsimile>+1-617-258-5999</facsimile>
<email>timbl@w3.org</email>
<uri>http://www.w3.org/People/Berners-Lee/</uri></address></author>
<author initials='R.' surname='Fielding' fullname='Roy T. Fielding'>
<organization abbrev='Day Software'>Day Software</organization>
<address>
<postal>
<street>5251 California Ave., Suite 110</street>
<city>Irvine</city>
<region>CA</region>
<code>92617</code>
<country>USA</country></postal>
<phone>+1-949-679-2960</phone>
<facsimile>+1-949-679-2972</facsimile>
<email>fielding@gbiv.com</email>
<uri>http://roy.gbiv.com/</uri></address></author>
<author initials='L.' surname='Masinter' fullname='Larry Masinter'>
<organization abbrev='Adobe Systems'>Adobe Systems Incorporated</organization>
<address>
<postal>
<street>345 Park Ave</street>
<city>San Jose</city>
<region>CA</region>
<code>95110</code>
<country>USA</country></postal>
<phone>+1-408-536-3024</phone>
<email>LMM@acm.org</email>
<uri>http://larry.masinter.net/</uri></address></author>
<date year='2005' month='January' />
<area>Applications</area>
<keyword>uniform resource identifier</keyword>
<keyword>URI</keyword>
<keyword>URL</keyword>
<keyword>URN</keyword>
<keyword>WWW</keyword>
<keyword>resource</keyword>
<abstract>
<t>
A Uniform Resource Identifier (URI) is a compact sequence of characters
that identifies an abstract or physical resource. This specification
defines the generic URI syntax and a process for resolving URI references
that might be in relative form, along with guidelines and security
considerations for the use of URIs on the Internet.
The URI syntax defines a grammar that is a superset of all valid URIs,
allowing an implementation to parse the common components of a URI
reference without knowing the scheme-specific requirements of every
possible identifier. This specification does not define a generative
grammar for URIs; that task is performed by the individual
specifications of each URI scheme.
</t></abstract></front>
<seriesInfo name='STD' value='66' />
<seriesInfo name='RFC' value='3986' />
</reference>
</references>
<!-- ============================================================== -->
<references title="Informative References">
<reference anchor='AH'>
<front>
<title>IP Authentication Header</title>
<author initials='S.' surname='Kent' fullname='S. Kent'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>This document describes an updated version of the IP Authentication Header (AH), which is designed to provide authentication services in IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4302' />
</reference>
<reference anchor='ARCHGUIDEPHIL'>
<front>
<title>Some Internet Architectural Guidelines and Philosophy</title>
<author initials='R.' surname='Bush' fullname='R. Bush'>
<organization /></author>
<author initials='D.' surname='Meyer' fullname='D. Meyer'>
<organization /></author>
<date year='2002' month='December' />
<abstract>
<t>This document extends RFC 1958 by outlining some of the philosophical guidelines to which architects and designers of Internet backbone networks should adhere. We describe the Simplicity Principle, which states that complexity is the primary mechanism that impedes efficient scaling, and discuss its implications on the architecture, design and engineering issues found in large scale Internet backbones. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='3439' />
</reference>
<reference anchor='ARCHPRINC'>
<front>
<title>Architectural Principles of the Internet</title>
<author initials='B.' surname='Carpenter' fullname='Brian E. Carpenter'>
<organization>CERN, European Laboratory for Particle Physics</organization>
<address>
<postal>
<street>1211 Geneva 23</street>
<country>CH</country></postal>
<phone>+41 22 7674967</phone>
<facsimile>+41 22 7677155</facsimile>
<email>brian@dxcoms.cern.ch</email></address></author>
<date year='1996' month='June' />
<abstract>
<t>The Internet and its architecture have grown in evolutionary fashion from modest beginnings, rather than from a Grand Plan. While this process of evolution is one of the main reasons for the technology's success, it nevertheless seems useful to record a snapshot of the current principles of the Internet architecture. This is intended for general guidance and general interest, and is in no way intended to be a formal or invariant reference model.</t></abstract></front>
<seriesInfo name='RFC' value='1958' />
</reference>
<reference anchor='Clarif'>
<front>
<title>IKEv2 Clarifications and Implementation Guidelines</title>
<author initials='P.' surname='Eronen' fullname='P. Eronen'>
<organization /></author>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<date year='2006' month='October' />
<abstract>
<t>This document clarifies many areas of the IKEv2 specification. It does not to introduce any changes to the protocol, but rather provides descriptions that are less prone to ambiguous interpretations. The purpose of this document is to encourage the development of interoperable implementations. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='4718' />
</reference>
<reference anchor="DES">
<front>
<title>American National Standard for Information Systems-Data Link Encryption</title>
<author>
<organization>American National Standards Institute</organization>
</author>
<date year="1983"/>
</front>
<seriesInfo name="ANSI" value="X3.106"/>
</reference>
<reference anchor="DH">
<front>
<title>New Directions in Cryptography</title>
<author initials="W." surname="Diffie" fullname="W. Diffie">
<organization/></author>
<author initials="M." surname="Hellman" fullname="M. Hellman">
<organization/></author>
<date month="June" year="1977"/>
</front>
<seriesInfo name="IEEE Transactions on Information Theory, V.IT-22" value="n. 6"/>
</reference>
<reference anchor='DIFFSERVARCH'>
<front>
<title abbrev='Architecture for Differentiated Services'>An Architecture for Differentiated Services</title>
<author initials='S.' surname='Blake' fullname='Steven Blake'>
<organization>Torrent Networking Technologies</organization>
<address>
<postal>
<street>3000 Aerial Center, Suite 140</street>
<city>Morrisville</city>
<region>NC</region>
<code>27560</code>
<country>USA</country></postal>
<phone>+1 919 468 8466 x232 </phone>
<email>slblake@torrentnet.com</email></address></author>
<author initials='D.L.' surname='Black' fullname='David L. Black'>
<organization>EMC Corporation</organization>
<address>
<postal>
<street>35 Parkwood Drive</street>
<city>Hopkinton</city>
<region>MA</region>
<code>01748</code>
<country>USA</country></postal>
<phone>+1 508 435 1000 x76140 </phone>
<email>black_david@emc.com</email></address></author>
<author initials='M.A.' surname='Carlson' fullname='Mark A. Carlson'>
<organization>Sun Microsystems, Inc.</organization>
<address>
<postal>
<street>2990 Center Green Court South</street>
<city>Boulder</city>
<region>CO</region>
<code>80301</code>
<country>USA</country></postal>
<phone>+1 303 448 0048 x115</phone>
<email>mark.carlson@sun.com</email></address></author>
<author initials='E.' surname='Davies' fullname='Elwyn Davies'>
<organization>Nortel UK</organization>
<address>
<postal>
<street>London Road</street>
<street>Harlow, Essex CM17 9NA</street>
<country>UK</country></postal>
<phone>+44 1279 405498</phone>
<email>elwynd@nortel.co.uk</email></address></author>
<author initials='Z.' surname='Wang' fullname='Zheng Wang'>
<organization>Bell Labs Lucent Technologies</organization>
<address>
<postal>
<street>101 Crawfords Corner Road</street>
<city>Holmdel</city>
<region>NJ</region>
<code>07733</code>
<country>USA</country></postal>
<email>zhwang@bell-labs.com</email></address></author>
<author initials='W.' surname='Weiss' fullname='Walter Weiss'>
<organization>Lucent Technologies</organization>
<address>
<postal>
<street>300 Baker Avenue, Suite 100</street>
<city>Concord</city>
<region>MA</region>
<code>01742-2168</code>
<country>USA</country></postal>
<email>wweiss@lucent.com</email></address></author>
<date year='1998' month='December' />
<area>Internet</area>
<keyword>type of service</keyword>
<abstract>
<t>
This document defines an architecture for implementing scalable
service differentiation in the Internet. This architecture achieves
scalability by aggregating traffic classification state which is
conveyed by means of IP-layer packet marking using the DS field
. Packets are classified and marked to receive a particular
per-hop forwarding behavior on nodes along their path. Sophisticated
classification, marking, policing, and shaping operations need only
be implemented at network boundaries or hosts. Network resources are
allocated to traffic streams by service provisioning policies which
govern how traffic is marked and conditioned upon entry to a
differentiated services-capable network, and how that traffic is
forwarded within that network. A wide variety of services can be
implemented on top of these building blocks.
</t></abstract></front>
<seriesInfo name='RFC' value='2475' />
</reference>
<reference anchor='DIFFSERVFIELD'>
<front>
<title abbrev='Differentiated Services Field'>Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers</title>
<author initials='K.' surname='Nichols' fullname='Kathleen Nichols'>
<organization>Cisco Systems</organization>
<address>
<postal>
<street>170 West Tasman Drive</street>
<city>San Jose</city>
<region>CA</region>
<code>95134-1706</code>
<country>USA</country></postal>
<phone>+1 408 525 4857</phone>
<email>kmn@cisco.com</email></address></author>
<author initials='S.' surname='Blake' fullname='Steven Blake'>
<organization>Torrent Networking Technologies</organization>
<address>
<postal>
<street>3000 Aerial Center</street>
<city>Morrisville</city>
<region>NC</region>
<code>27560</code>
<country>USA</country></postal>
<phone>+1 919 468 8466 x232</phone>
<email>slblake@torrentnet.com</email></address></author>
<author initials='F.' surname='Baker' fullname='Fred Baker'>
<organization>Cisco Systems</organization>
<address>
<postal>
<street>519 Lado Drive</street>
<city> Santa Barbara</city>
<region>CA</region>
<code>93111</code>
<country>USA</country></postal>
<phone>+1 408 526 4257</phone>
<email>fred@cisco.com</email></address></author>
<author initials='D.L.' surname='Black' fullname='David L. Black'>
<organization>EMC Corporation</organization>
<address>
<postal>
<street>35 Parkwood Drive</street>
<city>Hopkinton</city>
<region>MA</region>
<code>01748</code>
<country>USA</country></postal>
<phone>+1 508 435 1000 x76140</phone>
<email>black_david@emc.com</email></address></author>
<date year='1998' month='December' />
<area>Internet</area>
<keyword>internet protocol version 4</keyword>
<keyword>IPv6</keyword>
<keyword>IPv4</keyword>
<keyword>internet protocol version 6</keyword>
<keyword>type of service</keyword>
<abstract>
<t>
Differentiated services enhancements to the Internet protocol are
intended to enable scalable service discrimination in the Internet
without the need for per-flow state and signaling at every hop. A
variety of services may be built from a small, well-defined set of
building blocks which are deployed in network nodes. The services
may be either end-to-end or intra-domain; they include both those
that can satisfy quantitative performance requirements (e.g., peak
bandwidth) and those based on relative performance (e.g., "class"
differentiation). Services can be constructed by a combination of:
<list>
<t>
- setting bits in an IP header field at network boundaries
(autonomous system boundaries, internal administrative boundaries,
or hosts),
</t>
<t>
- using those bits to determine how packets are forwarded by the
nodes inside the network, and
</t>
<t>
- conditioning the marked packets at network boundaries in accordance
with the requirements or rules of each service.
</t></list></t>
<t>
The requirements or rules of each service must be set through
administrative policy mechanisms which are outside the scope of this
document. A differentiated services-compliant network node includes
a classifier that selects packets based on the value of the DS field,
along with buffer management and packet scheduling mechanisms capable
of delivering the specific packet forwarding treatment indicated by
the DS field value. Setting of the DS field and conditioning of the
temporal behavior of marked packets need only be performed at network
boundaries and may vary in complexity.
</t>
<t>
This document defines the IP header field, called the DS (for
differentiated services) field. In IPv4, it defines the layout of
the TOS octet; in IPv6, the Traffic Class octet. In addition, a base
set of packet forwarding treatments, or per-hop behaviors, is
defined.
</t>
<t>
For a more complete understanding of differentiated services, see
also the differentiated services architecture .
</t></abstract></front>
<seriesInfo name='RFC' value='2474' />
</reference>
<reference anchor='DIFFTUNNEL'>
<front>
<title>Differentiated Services and Tunnels</title>
<author initials='D.' surname='Black' fullname='D. Black'>
<organization /></author>
<date year='2000' month='October' />
<abstract>
<t>This document considers the interaction of Differentiated Services (diffserv) with IP tunnels of various forms. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='2983' />
</reference>
<reference anchor='DOI'>
<front>
<title abbrev='IP Security Domain of Interpretation'>The Internet IP Security Domain of Interpretation for ISAKMP</title>
<author initials='D.' surname='Piper' fullname='Derrell Piper'>
<organization>Network Alchemy</organization>
<address>
<postal>
<street>1521.5 Pacific Ave</street>
<street>Santa Cruz</street>
<street>California</street>
<street>95060</street>
<country>United States of America</country></postal>
<phone>+1 408 460-3822</phone>
<email>ddp@network-alchemy.com</email></address></author>
<date year='1998' month='November' />
<area>Security</area>
<area>Internet</area>
<keyword>IP security protocol</keyword>
<keyword>cryptographic</keyword>
<keyword>internet security association and key management protocol</keyword>
<keyword>key management</keyword>
<keyword>security</keyword>
<note title='IESG Note'>
<t>
Section 4.4.4.2 states, "All implememtations within the IPSEC DOI
MUST support ESP_DES...". Recent work in the area of cryptanalysis
suggests that DES may not be sufficiently strong for many
applications. Therefore, it is very likely that the IETF will
deprecate the use of ESP_DES as a mandatory cipher suite in the near
future. It will remain as an optional use protocol. Although the
IPsec working group and the IETF in general have not settled on an
alternative algorithm (taking into account concerns of security and
performance), implementers may want to heed the recommendations of
section 4.4.4.3 on the use of ESP_3DES.
</t></note></front>
<seriesInfo name='RFC' value='2407' />
</reference>
<reference anchor='DOSUDPPROT'>
<front>
<title>DoS protection for UDP-based protocols</title>
<author surname='C. Kaufman'><organization/></author>
<author surname='R. Perlman'><organization/></author>
<author surname='B. Sommerfeld'><organization/></author>
<date month='October' year='2003'/>
</front>
<seriesInfo name='ACM Conference on Computer and Communications' value='Security'/>
</reference>
<reference anchor="DSS">
<front>
<title>Digital Signature Standard</title>
<author>
<organization abbrev="NIST">National Institute of Standards and
Technology, U.S. Department of Commerce</organization>
</author>
<date month="June" year="2008"/>
</front>
<seriesInfo name="Draft FIPS" value="186-3"/>
</reference>
<reference anchor='EAI'>
<front>
<title>Internationalized Email Headers</title>
<author initials='Y.' surname='Abel' fullname='Y. Abel'>
<organization /></author>
<date year='2008' month='September' />
<abstract>
<t>Full internationalization of electronic mail requires not only the capabilities to transmit non-ASCII content, to encode selected information in specific header fields, and to use non-ASCII characters in envelope addresses. It also requires being able to express those addresses and the information based on them in mail header fields. This document specifies an experimental variant of Internet mail that permits the use of Unicode encoded in UTF-8, rather than ASCII, as the base form for Internet email header field. This form is permitted in transmission only if authorized by an SMTP extension, as specified in an associated specification. This specification Updates section 6.4 of RFC 2045 to conform with the requirements. This memo defines an Experimental Protocol for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='5335' />
</reference>
<reference anchor='EAP-IANA' target='http://www.iana.org'>
<front>
<title>Extensible Authentication Protocol (EAP) Registry: Method Types</title>
<author fullname='IANA'><organization/></author>
</front>
</reference>
<reference anchor='EAPMITM'
target='http://eprint.iacr.org/2002/163'>
<front>
<title>Man-in-the-Middle in Tunneled Authentication Protocols</title>
<author surname='N. Asokan'><organization/></author>
<author surname='V. Nierni'><organization/></author>
<author surname='K. Nyberg'><organization/></author>
<date month='November' year='2002'/>
</front>
<format type='TXT'
target='http://eprint.iacr.org/2002/163'/>
</reference>
<reference anchor='ESP'>
<front>
<title>IP Encapsulating Security Payload (ESP)</title>
<author initials='S.' surname='Kent' fullname='S. Kent'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4303' />
</reference>
<reference anchor='EXCHANGEANALYSIS'
target='http://sec.femto.org/wetice-2001/papers/radia-paper.pdf'>
<front>
<title>Analysis of the IPsec key exchange Standard</title>
<author surname='R. Perlman'><organization/></author>
<author surname='C. Kaufman'><organization/></author>
<date year='2001'/>
</front>
<seriesInfo name='WET-ICE Security Conference,' value='MIT'/>
<format type='TXT'
target='http://sec.femto.org/wetice-2001/papers/radia-paper.pdf'/>
</reference>
<reference anchor="H2HIPSEC">
<front>
<title>Experiences with Host-to-Host IPsec</title>
<author initials="T" surname="Aura"><organization /></author>
<author initials="M" surname="Roe"><organization /></author>
<author initials="A" surname="Mohammed"><organization /></author>
<date month="April" year="2005" />
</front>
<seriesInfo name='13th' value='International Workshop on Security Protocols, Cambridge, UK' />
</reference>
<reference anchor='HMAC'>
<front>
<title abbrev='HMAC'>HMAC: Keyed-Hashing for Message Authentication</title>
<author initials='H.' surname='Krawczyk' fullname='Hugo Krawczyk'>
<organization>IBM, T.J. Watson Research Center</organization>
<address>
<postal>
<street>P.O.Box 704</street>
<city>Yorktown Heights</city>
<region>NY</region>
<code>10598</code>
<country>US</country></postal>
<email>hugo@watson.ibm.com</email></address></author>
<author initials='M.' surname='Bellare' fullname='Mihir Bellare'>
<organization>University of California at San Diego, Dept of Computer Science and Engineering</organization>
<address>
<postal>
<street>9500 Gilman Drive</street>
<street>Mail Code 0114</street>
<city>La Jolla</city>
<region>CA</region>
<code>92093</code>
<country>US</country></postal>
<email>mihir@cs.ucsd.edu</email></address></author>
<author initials='R.' surname='Canetti' fullname='Ran Canetti'>
<organization>IBM T.J. Watson Research Center</organization>
<address>
<postal>
<street>P.O.Box 704</street>
<city>Yorktown Heights</city>
<region>NY</region>
<code>10598</code>
<country>US</country></postal>
<email>canetti@watson.ibm.com</email></address></author>
<date year='1997' month='February' />
<abstract>
<t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.</t></abstract></front>
<seriesInfo name='RFC' value='2104' />
</reference>
<reference anchor='IDNA'>
<front>
<title>Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework</title>
<author initials='J.' surname='Klensin' fullname='J. Klensin'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>This document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5890' />
</reference>
<reference anchor='IKEV1'>
<front>
<title>The Internet Key Exchange (IKE)</title>
<author initials='D.' surname='Harkins' fullname='Dan Harkins'>
<organization>cisco Systems</organization>
<address>
<postal>
<street>170 W. Tasman Dr.</street>
<street>San Jose</street>
<street>California</street>
<street>95134-1706</street>
<country>United States of America</country></postal>
<phone>+1 408 526 4000</phone>
<email>dharkins@cisco.com</email></address></author>
<author initials='D.' surname='Carrel' fullname='Dave Carrel'>
<organization />
<address>
<postal>
<street>76 Lippard Ave.</street>
<street>San Francisco</street>
<street>CA 94131-2947</street>
<country>United States of America</country></postal>
<phone>+1 415 337 8469</phone>
<email>carrel@ipsec.org</email></address></author>
<date year='1998' month='November' />
<area>Security</area>
<area>Internet</area>
<keyword>IP security protocol</keyword>
<keyword>authentication</keyword>
<keyword>internet security association and key management protocol</keyword>
<keyword>key exchange</keyword>
<keyword>security</keyword></front>
<seriesInfo name='RFC' value='2409' />
</reference>
<reference anchor='IDEA'>
<front>
<title>On the Design and Security of Block Ciphers</title>
<author surname='X. Lai'><organization/></author>
<date year='1992'/>
</front>
<seriesInfo name='ETH Series in Information Processing, v. 1,'
value='Konstanz: Hartung-Gorre Verlag'/>
</reference>
<reference anchor='IKEV2'>
<front>
<title>Internet Key Exchange (IKEv2) Protocol</title>
<author initials='C.' surname='Kaufman' fullname='C. Kaufman'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining security associations (SAs).</t><t> This version of the IKE specification combines the contents of what were previously separate documents, including Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408), IKE (RFC 2409), the Internet Domain of Interpretation (DOI, RFC 2407), Network Address Translation (NAT) Traversal, Legacy authentication, and remote address acquisition.</t><t> Version 2 of IKE does not interoperate with version 1, but it has enough of the header format in common that both versions can unambiguously run over the same UDP port. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4306' />
</reference>
&rfc5996;
<reference anchor='IP'>
<front>
<title abbrev='Internet Protocol'>Internet Protocol</title>
<author initials='J.' surname='Postel' fullname='Jon Postel'>
<organization>University of Southern California (USC)/Information Sciences Institute</organization>
<address>
<postal>
<street>4676 Admiralty Way</street>
<city>Marina del Rey</city>
<region>CA</region>
<code>90291</code>
<country>US</country></postal></address></author>
<date year='1981' day='1' month='September' /></front>
<seriesInfo name='STD' value='5' />
<seriesInfo name='RFC' value='791' />
</reference>
<reference anchor='IP-COMP'>
<front>
<title>IP Payload Compression Protocol (IPComp)</title>
<author initials='A.' surname='Shacham' fullname='A. Shacham'>
<organization /></author>
<author initials='B.' surname='Monsour' fullname='B. Monsour'>
<organization /></author>
<author initials='R.' surname='Pereira' fullname='R. Pereira'>
<organization /></author>
<author initials='M.' surname='Thomas' fullname='M. Thomas'>
<organization /></author>
<date year='2001' month='September' />
<abstract>
<t>This document describes a protocol intended to provide lossless compression for Internet Protocol datagrams in an Internet environment. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3173' />
</reference>
<reference anchor='IPSECARCH-OLD'>
<front>
<title abbrev='Security Architecture'>Security Architecture for the Internet Protocol</title>
<author initials='S.' surname='Kent' fullname='Stephen Kent'>
<organization>BBN Corporation</organization>
<address>
<postal>
<street>70 Fawcett Street</street>
<street>Cambridge</street>
<street>MA 02140</street>
<country>USA</country></postal>
<phone>+1 (617) 873-3988</phone>
<email>kent@bbn.com</email></address></author>
<author initials='R.' surname='Atkinson' fullname='Randall Atkinson'>
<organization>@Home Network</organization>
<address>
<postal>
<street>425 Broadway</street>
<street>Redwood City</street>
<street>CA 94063</street>
<country>USA</country></postal>
<phone>+1 (415) 569-5000</phone>
<email>rja@corp.home.net</email></address></author>
<date year='1998' month='November' />
<area>Security</area>
<keyword>IP security protocol</keyword>
<keyword>IPSEC</keyword>
<keyword>internet protocol version 6</keyword>
<keyword>security</keyword></front>
<seriesInfo name='RFC' value='2401' />
</reference>
<reference anchor='IPV6CONFIG'>
<front>
<title>IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)</title>
<author initials='P.' surname='Eronen' fullname='P. Eronen'>
<organization /></author>
<author initials='J.' surname='Laganier' fullname='J. Laganier'>
<organization /></author>
<author initials='C.' surname='Madson' fullname='C. Madson'>
<organization /></author>
<date year='2010' month='February' />
<abstract>
<t>When Internet Key Exchange Protocol version 2 (IKEv2) is used for remote VPN access (client to VPN gateway), the gateway assigns the client an IP address from the internal network using IKEv2 configuration payloads. The configuration payloads specified in RFC 4306 work well for IPv4 but make it difficult to use certain features of IPv6. This document specifies new configuration attributes for IKEv2 that allows the VPN gateway to assign IPv6 prefixes to clients, enabling all features of IPv6 to be used with the client-gateway "virtual link". This document defines an Experimental Protocol for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='5739' />
</reference>
<reference anchor='ISAKMP'>
<front>
<title abbrev='ISAKMP'>Internet Security Association and Key Management Protocol (ISAKMP)</title>
<author initials='D.' surname='Maughan' fullname='Douglas Maughan'>
<organization>National Security Agency</organization>
<address>
<postal>
<street>ATTN: R23</street>
<street>9800 Savage Road</street>
<street>Ft. Meade</street>
<street>MD. 20755-6000</street></postal>
<phone>301-688-0847</phone>
<email>wdm@tycho.ncsc.mil</email></address></author>
<author initials='M.' surname='Schneider' fullname='Mark Schneider'>
<organization>National Security Agency</organization>
<address>
<postal>
<street>ATTN: R23</street>
<street>9800 Savage Road</street>
<street>Ft. Meade</street>
<street>MD. 20755-6000</street></postal>
<phone>301-688-0851</phone>
<email>mss@tycho.ncsc.mil</email></address></author>
<author initials='M.' surname='Schertler' fullname='Mark Schertler'>
<organization>Securify, Inc.</organization>
<address>
<postal>
<street>2415-B Charleston Road</street>
<street>Mountain View</street>
<street>CA 94043</street></postal>
<phone>410-715-9399</phone>
<uri>er@raba.com</uri></address></author>
<date year='1998' month='November' />
<area>Security</area>
<keyword>cryptographic</keyword>
<keyword>internet security association and key management protocol</keyword>
<keyword>key management</keyword>
<keyword>security</keyword>
<abstract>
<t>
This memo describes a protocol utilizing security concepts necessary
for establishing Security Associations (SA) and cryptographic keys in
an Internet environment. A Security Association protocol that
negotiates, establishes, modifies and deletes Security Associations
and their attributes is required for an evolving Internet, where
there will be numerous security mechanisms and several options for
each security mechanism. The key management protocol must be robust
in order to handle public key generation for the Internet community
at large and private key requirements for those private networks with
that requirement. The Internet Security Association and Key
Management Protocol (ISAKMP) defines the procedures for
authenticating a communicating peer, creation and management of
Security Associations, key generation techniques, and threat
mitigation (e.g. denial of service and replay attacks). All of
these are necessary to establish and maintain secure communications
(via IP Security Service or any other security protocol) in an
Internet environment.
</t></abstract></front>
<seriesInfo name='RFC' value='2408' />
</reference>
<reference anchor='MAILFORMAT'>
<front>
<title>Internet Message Format</title>
<author initials='P.' surname='Resnick' fullname='Peter W.
Resnick' role='editor'>
<organization>Qualcomm Incorporated</organization>
<address>
<postal>
<street>5775 Morehouse Drive</street>
<city>San Diego</city>
<region>CA</region>
<code>92121-1714</code>
<country>US</country></postal>
<phone>+1 858 651 4478</phone>
<email>presnick@qualcomm.com</email>
<uri>http://www.qualcomm.com/~presnick/</uri></address></author>
<date year='2008' month='October' />
<abstract>
<t>This document specifies the Internet
Message Format (IMF), a syntax for text messages
that are sent between computer users, within
the framework of "electronic mail"
messages. This specification is a revision of
Request For Comments (RFC) 2822, which
itself superseded Request For Comments (RFC)
822, "Standard for the Format of ARPA
Internet Text Messages", updating it to
reflect current practice and incorporating
incremental changes that were specified in
other RFCs.</t></abstract></front>
<seriesInfo name='RFC' value='5322' />
</reference>
<reference anchor='MD5'>
<front>
<title abbrev='MD5 Message-Digest Algorithm'>The MD5 Message-Digest Algorithm</title>
<author initials='R.' surname='Rivest' fullname='Ronald L. Rivest'>
<organization>Massachusetts Institute of Technology, (MIT) Laboratory for Computer Science</organization>
<address>
<postal>
<street>545 Technology Square</street>
<street>NE43-324</street>
<city>Cambridge</city>
<region>MA</region>
<code>02139-1986</code>
<country>US</country></postal>
<phone>+1 617 253 5880</phone>
<email>rivest@theory.lcs.mit.edu</email></address></author>
<date year='1992' month='April' /></front>
<seriesInfo name='RFC' value='1321' />
</reference>
<reference anchor='MIPV6'>
<front>
<title>Mobility Support in IPv6</title>
<author initials='D.' surname='Johnson' fullname='D. Johnson'>
<organization /></author>
<author initials='C.' surname='Perkins' fullname='C. Perkins'>
<organization /></author>
<author initials='J.' surname='Arkko' fullname='J. Arkko'>
<organization /></author>
<date year='2004' month='June' />
<abstract>
<t>This document specifies a protocol which allows nodes to remain reachable while moving around in the IPv6 Internet. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about the mobile node's current location. IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address. The protocol enables IPv6 nodes to cache the binding of a mobile node's home address with its care-of address, and to then send any packets destined for the mobile node directly to it at this care-of address. To support this operation, Mobile IPv6 defines a new IPv6 protocol and a new destination option. All IPv6 nodes, whether mobile or stationary, can communicate with mobile nodes. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3775' />
</reference>
<reference anchor='MLDV2'>
<front>
<title>Multicast Listener Discovery Version 2 (MLDv2) for IPv6</title>
<author initials='R.' surname='Vida' fullname='R. Vida'>
<organization /></author>
<author initials='L.' surname='Costa' fullname='L. Costa'>
<organization /></author>
<date year='2004' month='June' />
<abstract>
<t>This document updates RFC 2710, and it specifies Version 2 of the ulticast Listener Discovery Protocol (MLDv2). MLD is used by an IPv6 router to discover the presence of multicast listeners on directly attached links, and to discover which multicast addresses are of interest to those neighboring nodes. MLDv2 is designed to be interoperable with MLDv1. MLDv2 adds the ability for a node to report interest in listening to packets with a particular multicast address only from specific source addresses or from all sources except for specific source addresses. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3810' />
</reference>
<reference anchor='MOBIKE'>
<front>
<title>IKEv2 Mobility and Multihoming Protocol (MOBIKE)</title>
<author initials='P.' surname='Eronen' fullname='P. Eronen'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>This document describes the MOBIKE protocol, a mobility and multihoming extension to Internet Key Exchange (IKEv2). MOBIKE allows the IP addresses associated with IKEv2 and tunnel mode IPsec Security Associations to change. A mobile Virtual Private Network (VPN) client could use MOBIKE to keep the connection with the VPN gateway active while moving from one address to another. Similarly, a multihomed host could use MOBIKE to move the traffic to a different interface if, for instance, the one currently being used stops working. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4555' />
</reference>
<reference anchor="MODES">
<front>
<title>Recommendation for Block Cipher Modes of Operation</title>
<author>
<organization abbrev="NIST">National Institute of Standards and
Technology, U.S. Department of Commerce</organization>
</author>
<date year="2001"/>
</front>
<seriesInfo name="SP" value="800-38A"/>
</reference>
<reference anchor='NAI'>
<front>
<title>The Network Access Identifier</title>
<author initials='B.' surname='Aboba' fullname='B. Aboba'>
<organization /></author>
<author initials='M.' surname='Beadles' fullname='M. Beadles'>
<organization /></author>
<author initials='J.' surname='Arkko' fullname='J. Arkko'>
<organization /></author>
<author initials='P.' surname='Eronen' fullname='P. Eronen'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>In order to provide roaming services, it is necessary to have a standardized method for identifying users. This document defines the syntax for the Network Access Identifier (NAI), the user identity submitted by the client during network authentication. "Roaming" may be loosely defined as the ability to use any one of multiple Internet Service Providers (ISPs), while maintaining a formal, \%customer-vendor relationship with only one. Examples of where roaming capabilities might be required include ISP "confederations" and \%ISP-provided corporate network access support. This document is a revised version of RFC 2486, which originally defined NAIs. Enhancements include international character set and privacy support, as well as a number of corrections to the original RFC. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4282' />
</reference>
<reference anchor='NATREQ'>
<front>
<title>IPsec-Network Address Translation (NAT) Compatibility Requirements</title>
<author initials='B.' surname='Aboba' fullname='B. Aboba'>
<organization /></author>
<author initials='W.' surname='Dixon' fullname='W. Dixon'>
<organization /></author>
<date year='2004' month='March' />
<abstract>
<t>This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them. Perhaps the most common use of IPsec is in providing virtual private networking capabilities. One very popular use of Virtual Private Networks (VPNs) is to provide telecommuter access to the corporate Intranet. Today, NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels. The result is that IPsec-NAT incompatibilities have become a major barrier in the deployment of IPsec in one of its principal uses. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='3715' />
</reference>
<reference anchor='OAKLEY'>
<front>
<title>The OAKLEY Key Determination Protocol</title>
<author initials='H.K.' surname='Orman' fullname='Hilarie K. Orman'>
<organization>University of Arizona, Department of Computer Science</organization>
<address>
<email>ho@darpa.mil</email></address></author>
<date year='1998' month='November' />
<area>Security</area>
<keyword>authentication</keyword>
<abstract>
<t>
This document describes a protocol, named OAKLEY, by which two
authenticated parties can agree on secure and secret keying material.
The basic mechanism is the Diffie-Hellman key exchange algorithm.
</t>
<t>
The OAKLEY protocol supports Perfect Forward Secrecy, compatibility
with the ISAKMP protocol for managing security associations, user-
defined abstract group structures for use with the Diffie-Hellman
algorithm, key updates, and incorporation of keys distributed via
out-of-band mechanisms.
</t></abstract></front>
<seriesInfo name='RFC' value='2412' />
</reference>
<reference anchor='PFKEY'>
<front>
<title abbrev='PF_KEY'>PF_KEY Key Management API, Version 2</title>
<author initials='D.L.' surname='McDonald' fullname='Daniel L. McDonald'>
<organization>Sun Microsystems, Inc.</organization>
<address>
<postal>
<street>901 San Antonio Road</street>
<street>MS UMPK17-202</street>
<street>Palo Alto</street>
<street>CA 94303</street></postal>
<phone>+1 650 786 6815</phone>
<email>danmcd@eng.sun.com</email></address></author>
<author initials='C.' surname='Metz' fullname='Craig Metz'>
<organization>(for Code 5544)</organization>
<address>
<postal>
<street>U.S. Naval Research Laboratory</street>
<street>4555 Overlook Ave. SW</street>
<street>Washington</street>
<street>DC 20375</street></postal>
<phone>(DSN) 754-8590</phone>
<email>cmetz@inner.net</email></address></author>
<author initials='B.G.' surname='Phan' fullname='Bao G. Phan'>
<organization>U. S. Naval Research Laboratory</organization>
<address>
<email>phan@itd.nrl.navy.mil</email></address></author>
<date year='1998' month='July' />
<area>Internet</area>
<area>Security</area>
<keyword>IP security protocol</keyword>
<keyword>application program interface</keyword>
<keyword>internet security association and key management protocol</keyword>
<keyword>key management</keyword>
<keyword>security</keyword>
<abstract>
<t>
A generic key management API that can be used not only for IP
Security but also for other network
security services is presented in this document. Version 1 of this
API was implemented inside 4.4-Lite BSD as part of the U. S. Naval
Research Laboratory's freely distributable and usable IPv6 and IPsec
implementation. It is documented here for the benefit of
others who might also adopt and use the API, thus providing increased
portability of key management applications (e.g. a manual keying
application, an ISAKMP daemon, a GKMP daemon , a
Photuris daemon, or a SKIP certificate discovery protocol daemon).
</t></abstract></front>
<seriesInfo name='RFC' value='2367' />
</reference>
<reference anchor='PHOTURIS'>
<front>
<title abbrev='Photuris Protocol'>Photuris: Session-Key Management Protocol</title>
<author initials='P.' surname='Karn' fullname='Phil Karn'>
<organization>Qualcomm, Inc.</organization>
<address>
<postal>
<street>6455 Lusk Boulevard</street>
<city>San Diego</city>
<region>CA</region>
<code>92121-2779</code>
<country>US</country></postal>
<email>karn@unix.ka9q.ampr.org</email></address></author>
<author initials='W.A.' surname='Simpson' fullname='William Allen Simpson'>
<organization>DayDreamer</organization>
<address>
<postal>
<street>Computer Systems Consulting Services</street>
<street>1384 Fontaine</street>
<city>Madison Heights</city>
<region>MI</region>
<code>48071</code>
<country>US</country></postal>
<email>wsimpson@GreenDragon.com</email></address></author>
<date year='1999' month='March' />
<abstract>
<t>Photuris is a session-key management protocol intended for use with the IP Security Protocols (AH and ESP). This document defines the basic protocol mechanisms.</t></abstract></front>
<seriesInfo name='RFC' value='2522' />
</reference>
<reference anchor='RANDOMNESS'>
<front>
<title>Randomness Requirements for Security</title>
<author initials='D.' surname='Eastlake' fullname='D. Eastlake'>
<organization /></author>
<author initials='J.' surname='Schiller' fullname='J. Schiller'>
<organization /></author>
<author initials='S.' surname='Crocker' fullname='S. Crocker'>
<organization /></author>
<date year='2005' month='June' />
<abstract>
<t>Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space.</t><t> Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract></front>
<seriesInfo name='BCP' value='106' />
<seriesInfo name='RFC' value='4086' />
</reference>
<reference anchor='REAUTH'>
<front>
<title>Repeated Authentication in Internet Key Exchange (IKEv2) Protocol</title>
<author initials='Y.' surname='Nir' fullname='Y. Nir'>
<organization /></author>
<date year='2006' month='April' />
<abstract>
<t>This document extends the Internet Key Exchange (IKEv2) Protocol document [IKEv2]. With some IPsec peers, particularly in the remote access scenario, it is desirable to repeat the mutual authentication periodically. The purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer. This document describes a mechanism to perform this function. This memo defines an Experimental Protocol for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='4478' />
</reference>
<reference anchor='REUSE'
target='http://www.cacr.math.uwaterloo.ca/techreports/2008/cacr2008-24.pdf'>
<front>
<title>On Reusing Ephemeral Keys In Diffie-Hellman
Key Agreement Protocols</title>
<author initials='A.' surname='Menezes' fullname='Alfred Menezes'>
<organization /></author>
<author initials='B.' surname='Ustaoglu' fullname='Berkant Ustaoglu'>
<organization /></author>
<date year='2008' month='December' />
</front>
<format type='PDF' target='http://www.cacr.math.uwaterloo.ca/~ajmeneze/publications/ephemeral.pdf' />
</reference>
<reference anchor='ROHCV2'>
<front>
<title>IKEv2 Extensions to Support Robust Header Compression over IPsec</title>
<author initials='E.' surname='Ertekin' fullname='E. Ertekin'>
<organization /></author>
<author initials='C.' surname='Christou' fullname='C. Christou'>
<organization /></author>
<author initials='R.' surname='Jasani' fullname='R. Jasani'>
<organization /></author>
<author initials='T.' surname='Kivinen' fullname='T. Kivinen'>
<organization /></author>
<author initials='C.' surname='Bormann' fullname='C. Bormann'>
<organization /></author>
<date year='2010' month='May' />
<abstract>
<t>In order to integrate Robust Header Compression (ROHC) with IPsec, a mechanism is needed to signal ROHC channel parameters between endpoints. Internet Key Exchange (IKE) is a mechanism that can be leveraged to exchange these parameters. This document specifies extensions to IKEv2 that will allow ROHC and its associated channel parameters to be signaled for IPsec Security Associations (SAs). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5857' />
</reference>
<reference anchor='RSA'>
<front>
<title>A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems</title>
<author surname='R. Rivest'><organization/></author>
<author surname='A. Shamir'><organization/></author>
<author surname='L. Adleman'><organization/></author>
<date month='February' year='1978'/>
</front>
<format type='TXT'
target='Communications of the ACM, v. 21, n. 2'/>
</reference>
<reference anchor='SHA'>
<front>
<title>Secure Hash Standard</title>
<author>
<organization abbrev="NIST">National Institute of Standards and
Technology, U.S. Department of Commerce</organization>
</author>
<date month='October' year='2008'/>
</front>
<seriesInfo name="FIPS" value="180-3"/>
</reference>
<reference anchor='SIGMA'
target='http://www.informatik.uni-trier.de/~ley/db/conf/crypto/crypto2003.html'>
<front>
<title>SIGMA: the `SIGn-and-MAc' Approach to Authenticated
Diffie-Hellman and its Use in the IKE Protocols</title>
<author surname='H. Krawczyk'><organization/></author>
<date year='2003'/>
</front>
<seriesInfo name='Advances in Cryptography - CRYPTO 2003 Proceedings'
value='LNCS 2729'/>
<format type='TXT'
target='http://www.informatik.uni-trier.de/~ley/db/conf/crypto/crypto2003.html'/>
</reference>
<reference anchor='SKEME'>
<front>
<title>SKEME: A Versatile Secure Key Exchange Mechanism for
Internet</title>
<author surname='H. Krawczyk'><organization/></author>
<date year='1996'/>
</front>
<seriesInfo name='IEEE Proceedings of the 1996 Symposium on Network and
Distributed Systems Security' value=''/>
</reference>
<reference anchor='TRANSPARENCY'>
<front>
<title>Internet Transparency</title>
<author initials='B.E.' surname='Carpenter' fullname='Brian E. Carpenter'>
<organization>IBM c/o iCAIR</organization>
<address>
<postal>
<street>1890 Maple Avenue</street>
<street>Suite 150</street>
<city>Evanston</city>
<region>IL</region>
<code>60201</code>
<country>US</country></postal>
<email>brian@icair.org</email></address></author>
<date year='2000' month='February' />
<abstract>
<t>This document describes the current state of the Internet from the architectural viewpoint, concentrating on issues of end-to-end connectivity and transparency. It concludes with a summary of some major architectural alternatives facing the Internet network layer.</t>
<t>This document was used as input to the IAB workshop on the future of the network layer held in July 1999. For this reason, it does not claim to be complete and definitive, and it refrains from making recommendations.</t></abstract></front>
<seriesInfo name='RFC' value='2775' />
</reference>
&rfc6989;
&rfc4945;
</references>
<?rfc rfcedstyle="yes" ?>
<section anchor='app.a' title='Summary of Changes from IKEv1'>
<t>The goals of this revision to IKE are:</t>
<t><list style='numbers'>
<t>To define the entire IKE protocol in a single document, replacing
RFCs 2407, 2408, and 2409 and incorporating subsequent changes to
support NAT Traversal, Extensible Authentication, and Remote Address
acquisition;</t>
<t>To simplify IKE by replacing the eight different initial exchanges
with a single four-message exchange (with changes in authentication
mechanisms affecting only a single AUTH payload rather than
restructuring the entire exchange) see
<xref target='EXCHANGEANALYSIS'/>;</t>
<t>To remove the Domain of Interpretation (DOI), Situation (SIT), and
Labeled Domain Identifier fields, and the Commit and Authentication only
bits;</t>
<t>To decrease IKE's latency in the common case by making the initial
exchange be 2 round trips (4 messages), and allowing the ability to
piggyback setup of a Child SA on that exchange;</t>
<t>To replace the cryptographic syntax for protecting the IKE messages
themselves with one based closely on ESP to simplify implementation and
security analysis;</t>
<t>To reduce the number of possible error states by making the protocol
reliable (all messages are acknowledged) and sequenced. This allows
shortening CREATE_CHILD_SA exchanges from 3 messages to 2;</t>
<t>To increase robustness by allowing the responder to not do
significant processing until it receives a message proving that the
initiator can receive messages at its claimed IP address;</t>
<t>To fix cryptographic weaknesses such as the problem with symmetries
in hashes used for authentication (documented by Tero Kivinen);</t>
<t>To specify Traffic Selectors in their own payloads type rather than
overloading ID payloads, and making more flexible the Traffic Selectors
that may be specified;</t>
<t>To specify required behavior under certain error conditions or when
data that is not understood is received in order to make it easier to
make future revisions in a way that does not break backward
compatibility;</t>
<t>To simplify and clarify how shared state is maintained in the
presence of network failures and DoS attacks; and</t>
<t>To maintain existing syntax and magic numbers to the extent possible
to make it likely that implementations of IKEv1 can be enhanced to
support IKEv2 with minimum effort.</t>
</list></t>
</section> <!-- Appendix A (changes) -->
<section anchor='app.b' title='Diffie-Hellman Groups'>
<t>There are two Diffie-Hellman groups defined here for use in IKE.
These groups were generated by Richard Schroeppel at the University of
Arizona. Properties of these primes are described in <xref
target='OAKLEY'/>.</t>
<t>The strength supplied by group 1 may not be sufficient for
typical uses and is here for historic reasons.</t>
<t>Additional Diffie-Hellman groups have been defined in <xref
target='ADDGROUP'/>.</t>
<section title='Group 1 - 768-bit MODP'>
<t>This group is assigned ID 1 (one).</t>
<figure><artwork><![CDATA[
The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
Its hexadecimal value is:
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
]]></artwork></figure>
<t>The generator is 2.</t>
</section>
<section title='Group 2 - 1024-bit MODP'>
<t>This group is assigned ID 2 (two).</t>
<figure><artwork><![CDATA[
The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
Its hexadecimal value is:
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF
]]></artwork></figure>
<t>The generator is 2.</t>
</section>
</section> <!-- Appendix B - DH groups -->
<section anchor='app.c' title='Exchanges and Payloads'>
<t>This appendix contains a short summary of the IKEv2 exchanges, and
what payloads can appear in which message. This appendix is purely
informative; if it disagrees with the body of this document, the other
text is considered correct.</t>
<t>Vendor ID (V) payloads may be included in any place in any message.
This sequence here shows what are the most logical places
for them.</t>
<section anchor='app.c.1' title='IKE_SA_INIT Exchange'>
<figure><artwork><![CDATA[
request --> [N(COOKIE)],
SA, KE, Ni,
[N(NAT_DETECTION_SOURCE_IP)+,
N(NAT_DETECTION_DESTINATION_IP)],
[V+][N+]
normal response <-- SA, KE, Nr,
(no cookie) [N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)],
[[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+],
[V+][N+]
cookie response <-- N(COOKIE),
[V+][N+]
different Diffie- <-- N(INVALID_KE_PAYLOAD),
Hellman group [V+][N+]
wanted
]]></artwork></figure>
</section>
<section anchor='app.c.2' title='IKE_AUTH Exchange without EAP'>
<figure><artwork><![CDATA[
request --> IDi, [CERT+],
[N(INITIAL_CONTACT)],
[[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+],
[IDr],
AUTH,
[CP(CFG_REQUEST)],
[N(IPCOMP_SUPPORTED)+],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, TSi, TSr,
[V+][N+]
response <-- IDr, [CERT+],
AUTH,
[CP(CFG_REPLY)],
[N(IPCOMP_SUPPORTED)],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, TSi, TSr,
[N(ADDITIONAL_TS_POSSIBLE)],
[V+][N+]
error in Child SA <-- IDr, [CERT+],
creation AUTH,
N(error),
[V+][N+]
]]></artwork></figure>
</section>
<section anchor='app.c.3' title='IKE_AUTH Exchange with EAP'>
<figure><artwork><![CDATA[
first request --> IDi,
[N(INITIAL_CONTACT)],
[[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+],
[IDr],
[CP(CFG_REQUEST)],
[N(IPCOMP_SUPPORTED)+],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, TSi, TSr,
[V+][N+]
first response <-- IDr, [CERT+], AUTH,
EAP,
[V+][N+]
/ --> EAP
repeat 1..N times |
\ <-- EAP
last request --> AUTH
last response <-- AUTH,
[CP(CFG_REPLY)],
[N(IPCOMP_SUPPORTED)],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, TSi, TSr,
[N(ADDITIONAL_TS_POSSIBLE)],
[V+][N+]
]]></artwork></figure>
</section>
<section anchor='app.c.4' title='CREATE_CHILD_SA Exchange for Creating
or Rekeying Child SAs'>
<figure><artwork><![CDATA[
request --> [N(REKEY_SA)],
[CP(CFG_REQUEST)],
[N(IPCOMP_SUPPORTED)+],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, Ni, [KEi], TSi, TSr
[V+][N+]
normal <-- [CP(CFG_REPLY)],
response [N(IPCOMP_SUPPORTED)],
[N(USE_TRANSPORT_MODE)],
[N(ESP_TFC_PADDING_NOT_SUPPORTED)],
[N(NON_FIRST_FRAGMENTS_ALSO)],
SA, Nr, [KEr], TSi, TSr,
[N(ADDITIONAL_TS_POSSIBLE)]
[V+][N+]
error case <-- N(error)
different Diffie- <-- N(INVALID_KE_PAYLOAD),
Hellman group [V+][N+]
wanted
]]></artwork></figure>
</section>
<section anchor='app.c.5' title='CREATE_CHILD_SA Exchange for Rekeying the IKE SA'>
<figure><artwork><![CDATA[
request --> SA, Ni, KEi
[V+][N+]
response <-- SA, Nr, KEr
[V+][N+]
]]></artwork></figure>
</section>
<section anchor='app.c.6' title='INFORMATIONAL Exchange'>
<figure><artwork><![CDATA[
request --> [N+],
[D+],
[CP(CFG_REQUEST)]
response <-- [N+],
[D+],
[CP(CFG_REPLY)]
]]></artwork></figure>
</section>
</section> <!-- Appendix C -->
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 03:03:17 |