%!PS-Adobe-3.0
%%Creator: groff version 1.19.2
%%CreationDate: Thu Aug 12 01:18:01 2010
%%DocumentNeededResources: font Times-Roman
%%+ font Courier
%%DocumentSuppliedResources: procset grops 1.19 2
%%Pages: 7 0
%%PageOrder: Ascend
%%DocumentMedia: Default 612 792 0 () ()
%%Orientation: Portrait
%%EndComments
%%BeginDefaults
%%PageMedia: Default
%%EndDefaults
%%BeginProlog
%%BeginProcSet: PStoPS 1 15
% PStoPS prologue: the definitions below go into userdict so that they shadow
% the interpreter's page-level operators for the rest of the job.
userdict begin
% For each page-output operator that is still a built-in operator, define a
% one-element procedure wrapping it under the same name in userdict.
[/showpage/erasepage/copypage]{dup where{pop dup load
 type/operatortype eq{1 array cvx dup 0 3 index cvx put
 bind def}{pop}ifelse}{pop}ifelse}forall
% Turn every paper-size selector that exists into an empty procedure: stored
% in the dictionary where it was found when that dictionary is writable,
% otherwise defined here in userdict.
[/letter/legal/executivepage/a4/a4small/b5/com10envelope
 /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
 /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
 {pop{}def}ifelse}{pop}ifelse}forall
% Replace setpagedevice with a stub that only pops its operand (same
% "overwrite in place if writable, else define in userdict" rule), so a later
% setpagedevice request in this job resolves to the stub.
/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
 {pop def}ifelse}{def}ifelse
% Remember the CTM in force when the prologue runs; it is the base for the
% matrix operators redefined below.
/PStoPSmatrix matrix currentmatrix def
% PStoPSxform starts as an identity matrix and PStoPSclip as the current clip
% path; the setup and per-page code later overwrite both in userdict.
/PStoPSxform matrix def/PStoPSclip{clippath}def
% defaultmatrix now fills its operand with PStoPSmatrix x PStoPSxform.
/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
/initmatrix{matrix defaultmatrix setmatrix}bind def
% initclip is assembled at definition time from three spliced pieces:
%   1. save the CTM, switch to PStoPSmatrix and capture the current path as a
%      procedure (falling back to just the current point when pathforall
%      fails with invalidaccess);
%   2. the previous definition of initclip (the operator itself, or the
%      contents of its procedure when it is executable);
%   3. clip to PStoPSclip, replay the captured path and restore the CTM.
% NOTE(review): summary of a dense construction -- re-trace before relying on
% details of the error handling.
/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
 [{currentpoint}stopped{$error/newerror false put{newpath}}
 {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
 {[/newpath cvx{/moveto cvx}{/lineto cvx}
 {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
 stopped{$error/errorname get/invalidaccess eq{cleartomark
 $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
 /initclip dup load dup type dup/operatortype eq{pop exch pop}
 {dup/arraytype eq exch/packedarraytype eq or
  {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
  {pop cvx}ifelse}ifelse
 {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
% initgraphics rebuilt on top of the redefined initmatrix/initclip, followed
% by the line width, cap, join, dash, gray and miter-limit values shown.
/initgraphics{initmatrix newpath initclip 1 setlinewidth
 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
 10 setmiterlimit}bind def
end
%%EndProcSet
%%BeginResource: procset grops 1.19 2
%!PS-Adobe-3.0 Resource-ProcSet
% grops prologue: short-named text, font and drawing procedures used by the
% page bodies. Where the interpreter has setpacking, the previous packing
% mode is left on the stack and packing is switched on for these definitions;
% the matching block at the end restores it.
/setpacking where{
pop
currentpacking
true setpacking
}if
% Create the grops dictionary (capacity 120), keep a copy on the operand stack
% for the closing "end def", and make it the current dictionary.
/grops 120 dict dup begin
% Character code 32 (space): the character whose width the *widthshow
% variants adjust.
/SC 32 def
% --- Text procedures ---------------------------------------------------------
% Four show flavours repeated for each positioning mode:
%   plain show                      (str)
%   widthshow on SC                 cx (str)
%   ashow (per-character advance)   ax (str)
%   awidthshow (both)               cx ax (str)
% The positioning operands follow the string on the stack.
% A-D: no positioning, draw at the current point.
/A/show load def
/B{0 SC 3 -1 roll widthshow}bind def
/C{0 exch ashow}bind def
/D{0 exch 0 SC 5 2 roll awidthshow}bind def
% E-H: relative horizontal move by dx first (... dx E).
/E{0 rmoveto show}bind def
/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
/G{0 rmoveto 0 exch ashow}bind def
/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
% I-L: relative vertical move by dy first (... dy I).
/I{0 exch rmoveto show}bind def
/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
/K{0 exch rmoveto 0 exch ashow}bind def
/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
% M-P: relative move by (dx, dy) first (... dx dy M).
/M{rmoveto show}bind def
/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
/O{rmoveto 0 exch ashow}bind def
/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
% Q-T: absolute move to (x, y) first (... x y Q).
/Q{moveto show}bind def
/R{moveto 0 SC 3 -1 roll widthshow}bind def
/S{moveto 0 exch ashow}bind def
/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
% --- Font selection ----------------------------------------------------------
% /name size /font SF: scale the font with matrix [size 0 0 -size 0 0]
% (y negated), select it, and define /name as a procedure that re-selects it.
/SF{
findfont exch
[exch dup 0 exch 0 exch neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
% /name a b c /font MF: as SF, but with the font matrix [a 0 b -c 0 0] built
% from three numeric operands.
/MF{
findfont
[5 2 roll
0 3 1 roll
neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
% Placeholders: level0 receives the per-page save object in BP; RES, PL and LS
% are read by BP and are expected to be set by the document setup.
/level0 0 def
/RES 0 def
/PL 0 def
/LS 0 def
% Set manualfeed to true in statusdict.
/MANUAL{
statusdict begin/manualfeed true store end
}bind def
% Leave lly + ury of the clip path's bounding box on the stack.
/PLG{
gsave newpath clippath pathbbox grestore
exch pop add exch pop
}bind def
% --- Page bracketing ---------------------------------------------------------
% Begin page: snapshot VM into level0, set line cap and join to 1, scale by
% 72/RES, then either rotate 90 degrees (LS true) or translate by PL, and flip
% the y axis. SF/MF negate the font's y scale to match this flip.
/BP{
/level0 save def
1 setlinecap
1 setlinejoin
72 RES div dup scale
LS{
90 rotate
}{
0 PL translate
}ifelse
1 -1 scale
}bind def
% End page: roll VM back to the BP snapshot and emit the page. Not bound, so
% showpage is looked up by name when EP runs.
/EP{
level0 restore
showpage
}def
% --- Drawing primitives ------------------------------------------------------
% Stroke an arc drawn with arcn.
/DA{
newpath arcn stroke
}bind def
% Snap a user-space point: transform to device space, move each coordinate to
% the nearest integer plus .25, and transform back.
/SN{
transform
.25 sub exch .25 sub exch
round .25 add exch round .25 add exch
itransform
}bind def
% Stroke a line between two points, each snapped with SN.
/DL{
SN
moveto
SN
lineto stroke
}bind def
% Build a closed full-circle path (0 to 360 degrees) from "x y r" operands.
/DC{
newpath 0 360 arc closepath
}bind def
% Scratch matrix used by DE to save and restore the CTM.
/TM matrix def
% Build an ellipse path: translate and scale, add a circle of radius .5 at
% the origin, then restore the CTM.
/DE{
TM currentmatrix pop
translate scale newpath 0 0 .5 0 360 arc closepath
TM setmatrix
}bind def
% Short aliases for path, paint and colour operators.
/RC/rcurveto load def
/RL/rlineto load def
/ST/stroke load def
/MT/moveto load def
/CL/closepath load def
% Fr / Fk / Fg: set an RGB, CMYK or gray colour and fill the current path.
/Fr{
setrgbcolor fill
}bind def
% The CMYK variants (Fk here, Ck below) are defined only when the interpreter
% provides setcmykcolor.
/setcmykcolor where{
pop
/Fk{
setcmykcolor fill
}bind def
}if
/Fg{
setgray fill
}bind def
/FL/fill load def
/LW/setlinewidth load def
/Cr/setrgbcolor load def
/setcmykcolor where{
pop
/Ck/setcmykcolor load def
}if
/Cg/setgray load def
% /newname encoding /basefont RE: copy every entry of the base font except
% FID into a new dictionary (one slot larger when the base has no FontName),
% install the given Encoding and FontName, and register it with definefont.
/RE{
findfont
dup maxlength 1 index/FontName known not{1 add}if dict begin
{
1 index/FID ne{def}{pop pop}ifelse
}forall
/Encoding exch def
dup/FontName exch def
currentdict end definefont pop
}bind def
% DEFS is a placeholder replaced by a dictionary in the document setup.
% EBEGIN moves to a point and pushes DEFS on the dictionary stack; EEND pops
% it again.
/DEFS 0 def
/EBEGIN{
moveto
DEFS begin
}bind def
/EEND/end load def
% --- PBEGIN / PEND -----------------------------------------------------------
% CNT holds the dictionary-stack depth recorded by PBEGIN and level1 its save
% object.
/CNT 0 def
/level1 0 def
% PBEGIN: snapshot VM, apply the translate/scale computed from its operands,
% reset the graphics state to the defaults shown, record the dictionary-stack
% depth, then open userdict and turn showpage and setpagedevice into empty
% procedures. Code run between PBEGIN and PEND therefore cannot emit a page
% or change the page device through those two names.
/PBEGIN{
/level1 save def
translate
div 3 1 roll div exch scale
neg exch neg exch translate
0 setgray
0 setlinecap
1 setlinewidth
0 setlinejoin
10 setmiterlimit
[]0 setdash
/setstrokeadjust where{
pop
false setstrokeadjust
}if
/setoverprint where{
pop
false setoverprint
}if
newpath
/CNT countdictstack def
userdict begin
/showpage{}def
/setpagedevice{}def
}bind def
% PEND: pop every dictionary pushed since PBEGIN and roll VM back, which also
% discards the showpage/setpagedevice stubs.
/PEND{
countdictstack CNT sub{end}repeat
level1 restore
}bind def
% Close the dictionary and bind it to the name grops.
end def
% Restore the packing mode saved at the top.
/setpacking where{
pop
setpacking
}if
%%EndResource
%%EndProlog
%%BeginSetup
%%BeginFeature: *PageSize Default
<< /PageSize [ 612 792 ] /ImagingBBox null >> setpagedevice
%%EndFeature
%%IncludeResource: font Times-Roman
%%IncludeResource: font Courier
% Document setup. "grops begin" pushes the grops dictionary, so the
% definitions on the following lines are stored there: DEFS becomes a
% one-entry dictionary holding /u (multiply by .001), RES is 72, PL is 792,
% LS is false, and ENC0 is the encoding vector applied to both fonts below.
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 792 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron/Zcaron
/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
% Register Courier@0 and Times-Roman@0 as re-encoded copies of the base fonts;
% the page bodies select these names.
/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
% Store in userdict the inverse of (PStoPSmatrix x inverse of the current
% CTM), i.e. the transformation applied since PStoPSmatrix was recorded.
% Each page concatenates it after installing its own PStoPSmatrix.
userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
 matrix invertmatrix matrix concatmatrix
 matrix invertmatrix put
%%EndSetup
%%Page: (0) 1
% Page 1. PStoPS wrapper: snapshot VM in PStoPSsaved, shift the page by
% -28.346457 points vertically (one centimetre), make that the new
% PStoPSmatrix, clip to a 595 x 842 rectangle, and re-apply PStoPSxform.
% Text rendered: the Internet-Draft header (Network Working Group; authors
% Y. Nir, H. Tschofenig, H. Deng, R. Singh; intended status Experimental;
% dated August 12, 2010; expires February 13, 2011), the title "A Childless
% Initiation of the IKE SA", the Abstract, "Status of this Memo" and the start
% of the Copyright Notice.
% NOTE(review): this is a work-in-progress draft revision whose own expiry
% date has passed; it is believed to have been published later as RFC 6023 --
% confirm, and cite the published document rather than this revision.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF(Netw)72 84 Q(ork W)-.1 E(orking Group)-.8 E 2.58
-1.29(Y. N)343.55 H(ir)1.29 E 360.8(Internet-Draft Check)72 96 R(Point)
2.5 E(Intended status: Experimental)72 108 Q(H. Tschofenig)291.36 E
(Expires: February 13, 2011)72 120 Q(NSN)338.57 E(H. Deng)506.12 132 Q
(China Mobile)484.72 144 Q(R. Singh)504.99 156 Q(Cisco)517.22 168 Q
(August 12, 2010)473.61 180 Q 2.5(AC)232.945 216 S
(hildless Initiation of the IKE SA)-2.5 E(draft-nir)245.56 228 Q
(-ipsecme-childless-06)-.2 E(Abstract)72 252 Q
(This document describes an e)102 276 Q
(xtension to the IKEv2 protocol that allo)-.15 E
(ws an IKE Security Association \(SA\) to)-.25 E
(be created and authenticated without generating a Child SA.)102 288 Q
(Status of this Memo)72 312 Q
(This Internet-Draft is submitted in full conformance with the pro)102
336 Q(visions of BCP)-.15 E(78 and BCP)5 E(79.)5 E
(Internet-Drafts are w)102 360 Q
(orking documents of the Internet Engineering T)-.1 E(ask F)-.8 E
(orce \(IETF\).)-.15 E(Note that other)5 E(groups may also distrib)102
372 Q(ute w)-.2 E(orking documents as Internet-Drafts.)-.1 E
(The list of current Internet- Drafts is at)5 E(http://datatrack)102 384
Q(er)-.1 E(.ietf.or)-.55 E(g/drafts/current/.)-.18 E
(Internet-Drafts are draft documents v)102 408 Q
(alid for a maximum of six months and may be updated, replaced, or)-.25
E(obsoleted by other documents at an)102 420 Q 2.5(yt)-.15 G 2.5
(ime. It)-2.5 F
(is inappropriate to use Internet-Drafts as reference material or)2.5 E
(to cite them other than as "w)102 432 Q(ork in progress.")-.1 E
(This Internet-Draft will e)102 456 Q(xpire on February 13, 2011.)-.15 E
(Cop)72 480 Q(yright Notice)-.1 E(Cop)102 504 Q
(yright \(c\) 2010 IETF T)-.1 E
(rust and the persons identi\214ed as the document authors.)-.35 E
(All rights reserv)5 E(ed.)-.15 E
(This document is subject to BCP 78 and the IETF T)102 528 Q
(rust\264s Le)-.35 E -.05(ga)-.15 G 2.5(lP).05 G(ro)-2.5 E
(visions Relating to IETF Documents)-.15 E(\(http://trustee.ietf.or)102
540 Q(g/license-info\) in ef)-.18 E
(fect on the date of publication of this document.)-.25 E(Please re)5 E
(vie)-.25 E 2.5(wt)-.25 G(hese)-2.5 E(documents carefully)102 552 Q 2.5
(,a)-.65 G 2.5(st)-2.5 G(he)-2.5 E 2.5(yd)-.15 G
(escribe your rights and restrictions with respect to this document.)
-2.5 E(Code)5 E(Components e)102 564 Q(xtracted from this document must)
-.15 E(Nir)72 696 Q 2.5(,e)-.4 G 2.5(ta)-2.5 G 140.805(l. Expires)-2.5 F
(February 13, 2011)2.5 E([P)147.225 E(age 1])-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (1) 2
% Page 2. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP.
% Text rendered: end of the copyright notice, Section 1 "Introduction",
% Section 1.1 "Conventions Used in This Document" and the start of Section 2
% "Usage Scenarios".
% Section 1 lists what an IKE SA without Child SAs still provides: liveness
% checks, quick Child SA setup without public key operations or user
% interaction, peer authentication, and NAT detection.
% NOTE(review): in the location-aware scenario the text keeps only the IKE SA
% on a "trusted" network, so traffic there has no IPsec protection; how a
% network is judged trusted is left to the cited [SecureBeacon] reference and
% is not defined on this page.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E
(include Simpli\214ed BSD License te)102 84 Q
(xt as described in Section 4.e of the T)-.15 E(rust Le)-.35 E -.05(ga)
-.15 G 2.5(lP).05 G(ro)-2.5 E(visions and are)-.15 E(pro)102 96 Q
(vided without w)-.15 E
(arranty as described in the Simpli\214ed BSD License.)-.1 E 2.5
(1. Introduction)72 132 R
(IKEv2, as speci\214ed in [IKEv2bis], requires that the IKE_A)102 156 Q
(UTH e)-.55 E(xchange try to create a Child SA along)-.15 E
(with the IKE SA.)102 168 Q(This requirement is sometimes incon)5 E -.15
(ve)-.4 G(nient or super\215uous, as some implementations).15 E
(need to use IKE for authentication only)102 180 Q 2.5(,w)-.65 G
(hile others w)-2.5 E(ould lik)-.1 E 2.5(et)-.1 G 2.5(os)-2.5 G
(et up the IKE SA before there is an)-2.5 E(y)-.15 E(actual traf)102 192
Q(\214c to protect.)-.25 E(The e)5 E
(xtension described in this document allo)-.15 E
(ws the creation of an IKE SA without)-.25 E
(also attempting to create a Child SA.)102 204 Q
(The terms IKE, IKE SA, Child SA and the v)5 E(arious IKE e)-.25 E
(xchanges are)-.15 E(de\214ned in [IKEv2bis])102 216 Q
(An IKE SA without an)102 240 Q 2.5(yC)-.15 G
(hild SA is not a fruitless endea)-2.5 E -.2(vo)-.2 G 3.6 -.55(r. E).2 H
-.15(ve).55 G 2.5(nw).15 G(ithout Child SAs, an IKE SA allo)-2.5 E(ws:)
-.25 E 25(oC)102 252 S(hecking the li)-25 E -.15(ve)-.25 G
(ness status of the peer via li).15 E -.15(ve)-.25 G(ness checks.).15 E
25(oQ)102 264 S(uickly setting up Child SAs without public k)-25 E .3
-.15(ey o)-.1 H(perations, and without user interaction.).15 E 25(oA)102
276 S(uthentication of the peer)-25 E(.)-.55 E 25(oD)102 288 S
(etection of N)-25 E 2.22 -1.11(AT b)-.35 H(ox)1.11 E(es between tw)-.15
E 2.5(oh)-.1 G(osts on the Internet)-2.5 E 2.5(1.1. Con)72 312 R -.15
(ve)-.4 G(ntions Used in This Document).15 E(The k)102 336 Q .3 -.15
(ey w)-.1 H(ords "MUST", "MUST NO).05 E(T", "REQ)-.4 E
(UIRED", "SHALL", "SHALL NO)-.1 E(T", "SHOULD",)-.4 E("SHOULD NO)102 348
Q(T", "RECOMMENDED", "MA)-.4 E(Y", and "OPTION)-1.05 E
(AL" in this document are to be interpreted)-.35 E
(as described in [RFC2119].)102 360 Q 2.5(2. Usage)72 396 R(Scenarios)
2.5 E(Se)102 420 Q -.15(ve)-.25 G(ral scenarios moti).15 E -.25(va)-.25
G(ted this proposal:).25 E 25(oI)102 432 S(nteracti)-25 E .3 -.15(ve r)
-.25 H
(emote access VPN: the user tells the client to "connect", which may in)
.15 E -.2(vo)-.4 G(lv).2 E 2.5(ei)-.15 G(nteracti)-2.5 E -.15(ve)-.25 G
2.5(authentication. There)132 444 R(is still no traf)2.5 E(\214c, b)-.25
E(ut some may come later)-.2 E 5(.S)-.55 G(ince there is no traf)-5 E
(\214c, it is)-.25 E(impossible for the g)132 456 Q(ate)-.05 E -.1(wa)
-.25 G 2.5(yt).1 G 2.5(ok)-2.5 G(no)-2.5 E 2.5(ww)-.25 G
(hat selectors to use \(ho)-2.5 E 2.5(wt)-.25 G 2.5(on)-2.5 G(arro)-2.5
E 2.5(wd)-.25 G -.25(ow)-2.5 G 2.5(nt).25 G(he client\264s proposal\).)
-2.5 E 25(oL)102 468 S(ocation a)-25 E -.1(wa)-.15 G(re security).1 E
2.5(,a)-.65 G 2.5(si)-2.5 G 2.5(n[)-2.5 G 2.5(SecureBeacon]. The)-2.5 F
(user is roaming between trusted and untrusted)2.5 E(netw)132 480 Q 2.5
(orks. While)-.1 F(in an untrusted netw)2.5 E(ork, all traf)-.1 E
(\214c should be encrypted, b)-.25 E(ut on the trusted netw)-.2 E(ork,)
-.1 E(only the IKE SA needs to be maintained.)132 492 Q 25(oA)102 504 S
2.5(nI)-25 G(KE SA may be needed between peers e)-2.5 E -.15(ve)-.25 G
2.5(nw).15 G(hen there is not IPsec traf)-2.5 E 2.5(\214c. Such)-.25 F
(IKE peers use)2.5 E(li)132 516 Q -.15(ve)-.25 G(ness checks, and repor\
t to the administrator the status of the "VPN links".).15 E(Nir)72 696 Q
2.5(,e)-.4 G 2.5(ta)-2.5 G 140.805(l. Expires)-2.5 F(February 13, 2011)
2.5 E([P)147.225 E(age 2])-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (2) 3
% Page 3. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP.
% Text rendered: the remaining usage scenarios and Section 3 "Protocol
% Outline".
% Negotiation rules stated in Section 3:
%   - a supporting responder MUST include the Notify payload in its
%     IKE_SA_INIT response;
%   - the initiator MAY send the modified IKE_AUTH request only when that
%     notification was present, and MUST NOT send it otherwise;
%   - a responder that advertised support MUST process the modified request
%     and MUST NOT send a modified response to an unmodified request;
%   - a responder configured not to support the extension MUST NOT advertise
%     it and SHOULD reply with INVALID_SYNTAX to a modified request.
% NOTE(review): the INVALID_SPI scenario keys the decision to set up an IKE
% SA on the sender's IP address; this page does not discuss spoofed source
% addresses, so implementers would presumably want to rate-limit that
% trigger -- confirm against [IKEv2bis].
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E 25(oI)102 84 S
(KE may be used on some ph)-25 E
(ysically secure links, where authentication is necessary)-.05 E 2.5(,b)
-.65 G(ut traf)-2.7 E<8c63>-.25 E(protection is not.)132 96 Q(An e)5 E
(xample of this is the PON links as described in [3GPP)-.15 E(.33.820].)
-1.11 E 25(oC)102 108 S(hildless IKE can be used for [EAP-IKEv2] where \
we use IKEv2 as a method for user)-25 E(authentication.)132 120 Q 25(oA)
102 132 S(node recei)-22.5 E(ving IPsec traf)-.25 E
(\214c with an unrecognized SPI should send an INV)-.25 E
(ALID_SPI noti\214cation.)-1.35 E(If this traf)132 144 Q
(\214c comes from a peer)-.25 E 2.5(,w)-.4 G
(hich it recognizes based on its IP address, then this node may set)-2.5
E(up an IKE SA so as to be able to send the noti\214cation in a protect\
ed IKE_INFORMA)132 156 Q(TION)-1.11 E(AL)-.35 E -.15(ex)132 168 S
(change.).15 E 25(oA)102 180 S(future e)-22.5 E(xtension may ha)-.15 E
.3 -.15(ve I)-.2 H(KE SAs used for generating k).15 E -.15(ey)-.1 G
(ing material for applications, without).15 E -2.15 -.25(ev e)132 192 T
2.5(rr).25 G(equiring Child SAs.)-2.5 E(This is similar to what [e)5 E
(xtractors] is doing in TLS.)-.15 E(In some of these cases it may be po\
ssible to create a dummy Child SA and then remo)102 216 Q .3 -.15(ve i)
-.15 H(t, b).15 E(ut this creates)-.2 E(undesirable side ef)102 228 Q
(fects and race conditions.)-.25 E(Moreo)5 E -.15(ve)-.15 G .8 -.4(r, t)
.15 H(he IKE peer might see the deletion of the Child SA).4 E
(as a reason to delete the IKE SA.)102 240 Q 2.5(3. Protocol)72 276 R
(Outline)2.5 E(The decision of whether or not to support an IKE_A)102
300 Q(UTH e)-.55 E(xchange without the piggy-back)-.15 E(ed Child SA)-.1
E(ne)102 312 Q(gotiation is ultimately up to the responder)-.15 E 5(.A)
-.55 G(supporting responder MUST include the Notify payload,)-2.5 E
(described in Section)102 324 Q(4, within the IKE_SA_INIT response.)5 E
2.5(As)102 348 S(upporting initiator MA)-2.5 E 2.5(Ys)-1.05 G
(end the modi\214ed IKE_A)-2.5 E(UTH request, described in Section)-.55
E(5, if the)5 E(Noti\214cation w)102 360 Q
(as included in the IKE_SA_INIT response.)-.1 E(The initiator MUST NO)5
E 2.5(Ts)-.4 G(end the modi\214ed)-2.5 E(IKE_A)102 372 Q
(UTH request if the Noti\214cation w)-.55 E(as not present.)-.1 E 2.5
(As)102 396 S(upporting responder that has adv)-2.5 E
(ertised support by including the noti\214cation in the IKE_SA_INIT)-.15
E(response MUST process a modi\214ed IKE_A)102 408 Q
(UTH request, and MUST reply with a modi\214ed IKE_A)-.55 E(UTH)-.55 E
2.5(response. Such)102 420 R 2.5(ar)2.5 G(esponder MUST NO)-2.5 E 2.5
(Tr)-.4 G(eply with a modi\214ed IKE_A)-2.5 E
(UTH response if the initiator did not)-.55 E(send a modi\214ed IKE_A)
102 432 Q(UTH request.)-.55 E 2.5(As)102 456 S
(upporting responder that has been con\214gured not to support this e)
-2.5 E(xtension to the protocol MUST beha)-.15 E -.15(ve)-.2 G
(as the same as if it didn\264t support this e)102 468 Q 2.5
(xtension. It)-.15 F(MUST NO)2.5 E 2.5(Ta)-.4 G(dv)-2.5 E
(ertise the capability with a noti\214cation,)-.15 E
(and it SHOULD reply with an INV)102 480 Q(ALID_SYNT)-1.35 E
(AX Notify payload if the client sends an IKE_A)-.93 E(UTH)-.55 E
(request that is modi\214ed as described in Section)102 492 Q(5.)5 E
(Nir)72 696 Q 2.5(,e)-.4 G 2.5(ta)-2.5 G 140.805(l. Expires)-2.5 F
(February 13, 2011)2.5 E([P)147.225 E(age 3])-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (3) 4
% Page 4. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP; the body switches to the Courier font
% (F1) for the packet diagram and the text that follows it.
% Text rendered: Section 4 "CHILDLESS_IKE_SUPPORTED Notification" (Notify
% payload layout; Protocol ID MUST be 1, SPI Size MUST be zero) and Section 5
% "Modified IKE_AUTH Exchange" (EAP variant of the message flow).
% In this revision the Notify Message Type value is the literal placeholder
% "xxxxx ... TBA by IANA": no code point is assigned on this page, so a
% numeric value must not be taken from this draft.
% The "XML2PDFRFC-ENDARTWORK" strings appear to be conversion-tool markers
% that were rendered as text, not part of the specification.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E 2.5(4. CHILDLESS_IKE_SUPPOR)
72 84 R(TED Noti\214cation)-.6 E
(The Notify payload is as described in [IKEv2bis])102 108 Q/F1 10
/Courier@0 SF 114(123)252 132 S 6(01234567890123456789012345678901)132
144 S(+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)
126 156 Q 6(!N)126 168 S(ext Payload)-6 E 6(!C! RESERVED)12 F 54(!P)18 G
(ayload Length)-54 E(!)48 E
(+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)126
180 Q 12(!P)126 192 S(rotocol ID)-12 E 18(!S)12 G(PI Size)-18 E 6(!C)24
G(hildless Notify Message Type !)-6 E
(+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+)126
204 Q(XML2PDFRFC-ENDARTWORK)174 216 Q 24(oP)102 240 S
(rotocol ID \(1 octet\) MUST be 1, as this message is related to an)-24
E(IKE SA.)132 252 Q 24(oS)102 264 S
(PI Size \(1 octet\) MUST be zero, in conformance with section 3.10 of)
-24 E([IKEv2bis].)132 276 Q 24(oC)102 288 S
(hildless Notify Message Type \(2 octets\) - MUST be xxxxx, the value)
-24 E(assigned for CHILDLESS_IKE_SUPPORTED.)132 300 Q(TBA by IANA.)12 E
6(5. Modified)72 336 R(IKE_AUTH Exchange)6 E(For brevity, only the EAP \
version of an AUTH exchange will be presented)102 360 Q 6(here. The)102
372 R(non-EAP version is very similar.)6 E(The figures below are based)
12 E(on appendix C.3 of [IKEv2bis].)102 384 Q(first request)108 408 Q
(--> IDi,)42 E([N\(INITIAL_CONTACT\)],)252 420 Q
([[N\(HTTP_CERT_LOOKUP_SUPPORTED\)], CERTREQ+],)252 432 Q([IDr],)252 444
Q([CP\(CFG_REQUEST\)],)252 456 Q([V+][N+])252 468 Q(first response)108
492 Q(<-- IDr, [CERT+], AUTH,)36 E(EAP,)252 504 Q([V+][N+])252 516 Q 6
(/-)216 540 S(-> EAP)-6 E(repeat 1..N times |)108 552 Q 6(\\<)216 564 S
(-- EAP)-6 E(last request)108 588 Q(--> AUTH)48 E(last response)108 612
Q(<-- AUTH,)42 E([CP\(CFG_REPLY\)],)252 624 Q([V+][N+])252 636 Q
(XML2PDFRFC-ENDARTWORK)174 648 Q F0(Nir)72 696 Q 2.5(,e)-.4 G 2.5(ta)
-2.5 G 140.805(l. Expires)-2.5 F(February 13, 2011)2.5 E([P)147.225 E
(age 4])-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (4) 5
% Page 5. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP.
% Text rendered: the list of what the modified IKE_AUTH exchange omits (the
% optional Child SA notifications, the SA payload, the traffic selector
% payloads, anything else tied to Child SA negotiation), Section 6 "Security
% Considerations", Section 7 "IANA Considerations" and the start of Section 8
% "References".
% Section 6 rests on two stated controls: the capability notification is
% covered by the AUTH payload of the later IKE_AUTH exchange, and both peers
% must be configured to use the variation.
% NOTE(review): by that argument tampering is detected only once IKE_AUTH
% completes, after the initiator has already acted on the IKE_SA_INIT
% response. The text names forging or adding the notification; removal is not
% mentioned and is presumably covered by the same AUTH check -- confirm
% against [IKEv2bis].
% Section 7 asks IANA for a value from the status range 16418-40959 of the
% "IKEv2 Notify Message Types" registry; no specific value is assigned here.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E/F1 10/Courier@0 SF
(Note what is missing:)102 84 Q 24(oT)102 96 S
(he optional notifications: IPCOMP_SUPPORTED, USE_TRANSPORT_MODE,)-24 E
(ESP_TFC_PADDING_NOT_SUPPORTED, and NON_FIRST_FRAGMENTS_ALSO.)132 108 Q
24(oT)102 120 S(he SA payload.)-24 E 24(oT)102 132 S
(he traffic selector payloads.)-24 E 24(oA)102 144 S
(ny notification, extension payload or VendorID that has to do with)-24
E(Child SA negotiation.)132 156 Q 6(6. Security)72 192 R(Considerations)
6 E(This protocol variation inherits all the security properties of reg\
ular)102 216 Q(IKEv2 as described in [IKEv2bis].)102 228 Q
(The new notification carried in the initial exchange advertises the)102
252 Q(capability, and cannot be forged or added by an adversary without\
 being)102 264 Q(detected, because the response to the initial exchange\
 is authenticated)102 276 Q
(with the AUTH payload of the IKE_AUTH exchange.)102 288 Q
(Furthermore, both peers)12 E(have to be configured to use this variati\
on of the exchange in order for)102 300 Q
(the responder to accept a childless proposal from the initiator.)102
312 Q 6(7. IANA)72 348 R(Considerations)6 E(IANA is requested to assign\
 a notify message type from the status types)102 372 Q(range \(16418-40\
959\) of the "IKEv2 Notify Message Types" registry with)102 384 Q
(name "CHILDLESS_IKE_SUPPORTED".)102 396 Q 6(8. References)72 432 R 6
(8.1. Normative)72 456 R(References)6 E([IKEv2bis])102 480 Q
(Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,)212 492 Q
("Internet Key Exchange Protocol: IKEv2",)212 504 Q
(draft-ietf-ipsecme-ikev2bis-11 \(work in progress\),)212 516 Q
(May 2010.)212 528 Q 6([RFC2119] Bradner,)102 552 R
(S., "Key words for use in RFCs to Indicate)6 E
(Requirement Levels", BCP 14, RFC 2119, March 1997.)212 564 Q 6
(8.2. Informative)72 588 R(References)6 E([3GPP.33.820])102 612 Q
(3GPP, "Security of H\(e\)NB", 3GPP TR 33.820 8.0.0,)212 624 Q
(March 2009.)212 636 Q F0(Nir)72 696 Q 2.5(,e)-.4 G 2.5(ta)-2.5 G
140.805(l. Expires)-2.5 F(February 13, 2011)2.5 E([P)147.225 E(age 5])
-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (5) 6
% Page 6. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP.
% Text rendered: the remaining informative references ([EAP-IKEv2],
% [SecureBeacon], [extractors]) and the "Authors' Addresses" entries for
% Yoav Nir, Hannes Tschofenig and Hui Deng.
% Two of the three references on this page are cited as "work in progress"
% drafts, so their content may have changed since this revision.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E/F1 10/Courier@0 SF
([EAP-IKEv2])102 84 Q
(Tschofenig, H., Kroeselberg, D., Pashalidis, A., Ohba,)212 96 Q
(Y., and F. Bersani, "The Extensible Authentication)212 108 Q
(Protocol- Internet Key Exchange Protocol version 2)212 120 Q
(\(EAP-IKEv2\) Method", RFC 5106, February 2008.)212 132 Q
([SecureBeacon])102 156 Q
(Sheffer, Y. and Y. Nir, "Secure Beacon: Securely)212 168 Q
(Detecting a Trusted Network",)212 180 Q
(draft-sheffer-ipsecme-secure-beacon \(work in)212 192 Q
(progress\), June 2009.)212 204 Q([extractors])102 228 Q
(Rescorla, E., "Keying Material Exporters for Transport)212 240 Q
(Layer Security \(TLS\)", draft-ietf-tls-extractor \(work)212 252 Q
(in progress\), March 2009.)212 264 Q(Authors\264 Addresses)72 300 Q
(Yoav Nir)102 324 Q(Check Point Software Technologies Ltd.)102 336 Q 6
(5H)102 348 S(asolelim st.)-6 E(Tel Aviv)102 360 Q(67897)12 E(Israel)102
372 Q(Email: ynir@checkpoint.com)102 396 Q(Hannes Tschofenig)102 432 Q
(Nokia Siemens Networks)102 444 Q(Linnoitustie 6)102 456 Q 6
(Espoo 02600)102 468 R(Finland)102 480 Q(Phone: +358 \(50\) 4871445)102
504 Q(Email: Hannes.Tschofenig@gmx.net)102 516 Q 12
(URI: http://www.tschofenig.priv.at)102 528 R(Hui Deng)102 564 Q
(China Mobile)102 576 Q(53A,Xibianmennei Ave.)102 588 Q(Xuanwu District)
102 600 Q 6(Beijing 100053)102 612 R(China)102 624 Q
(Email: denghui02@gmail.com)102 648 Q F0(Nir)72 696 Q 2.5(,e)-.4 G 2.5
(ta)-2.5 G 140.805(l. Expires)-2.5 F(February 13, 2011)2.5 E([P)147.225
E(age 6])-.15 E 0 Cg EP
PStoPSsaved restore
%%Page: (6) 7
% Page 7. PStoPS wrapper (VM snapshot, page shift, 595 x 842 clip), then the
% grops page body between BP and EP.
% Text rendered: the running header, the last "Authors' Addresses" entry
% (Rajeshwar Singh Jenwar, Cisco Systems) and the page footer. No protocol
% text appears on this page.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
0.000000 -28.346457 translate
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 128.19(Internet-Draft Childless)72 48 R
(IKE Initiation)2.5 E(August 2010)134.83 E/F1 10/Courier@0 SF
(Rajeshwar Singh Jenwar)102 84 Q(Cisco Systems, Inc.)102 96 Q
(O\264Shaugnessy Road)102 108 Q(Bangalore, Karnataka)102 120 Q(560025)12
E(India)102 132 Q(Phone: +91 80 4103 3563)102 156 Q
(Email: rsj@cisco.com)102 168 Q F0(Nir)72 696 Q 2.5(,e)-.4 G 2.5(ta)-2.5
G 140.805(l. Expires)-2.5 F(February 13, 2011)2.5 E([P)147.225 E(age 7])
-.15 E 0 Cg EP
PStoPSsaved restore
%%Trailer
end
%%EOF
