draft-ietf-ipsecme-ikev2-fragmentation-04.txt   draft-ietf-ipsecme-ikev2-fragmentation-05.txt 
Network Working Group V. Smyslov Network Working Group V. Smyslov
Internet-Draft ELVIS-PLUS Internet-Draft ELVIS-PLUS
Intended status: Standards Track October 18, 2013 Intended status: Standards Track November 3, 2013
Expires: April 21, 2014 Expires: May 7, 2014
IKEv2 Fragmentation IKEv2 Fragmentation
draft-ietf-ipsecme-ikev2-fragmentation-04 draft-ietf-ipsecme-ikev2-fragmentation-05
Abstract Abstract
This document describes the way to avoid IP fragmentation of large This document describes the way to avoid IP fragmentation of large
IKEv2 messages. This allows IKEv2 messages to traverse network IKEv2 messages. This allows IKEv2 messages to traverse network
devices that don't allow IP fragments to pass through. devices that don't allow IP fragments to pass through.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2014. This Internet-Draft will expire on May 5, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
1.1. Conventions Used in This Document . . . . . . . . . . . . 3 1.1. Conventions Used in This Document . . . . . . . . . . . . 3
2. Protocol details . . . . . . . . . . . . . . . . . . . . . . . 4 2. Protocol details . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Negotiation . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Negotiation . . . . . . . . . . . . . . . . . . . . . . . 4
2.4. Using IKE Fragmentation . . . . . . . . . . . . . . . . . 5 2.4. Using IKE Fragmentation . . . . . . . . . . . . . . . . . 5
2.5. Fragmenting Message . . . . . . . . . . . . . . . . . . . 6 2.5. Fragmenting Message . . . . . . . . . . . . . . . . . . . 6
2.5.1. Selecting Fragment Size . . . . . . . . . . . . . . . 8 2.5.1. Selecting Fragment Size . . . . . . . . . . . . . . . 8
2.5.2. PMTU Discovery . . . . . . . . . . . . . . . . . . . . 8 2.5.2. PMTU Discovery . . . . . . . . . . . . . . . . . . . . 8
2.5.3. Fragmenting Messages containing unencrypted 2.5.3. Fragmenting Messages containing unencrypted
Payloads . . . . . . . . . . . . . . . . . . . . . . . 9 Payloads . . . . . . . . . . . . . . . . . . . . . . . 10
2.6. Receiving IKE Fragment Message . . . . . . . . . . . . . . 10 2.6. Receiving IKE Fragment Message . . . . . . . . . . . . . . 10
2.6.1. Changes in Replay Protection Logic . . . . . . . . . . 11 2.6.1. Changes in Replay Protection Logic . . . . . . . . . . 12
3. Interaction with other IKE extensions . . . . . . . . . . . . 13 3. Interaction with other IKE extensions . . . . . . . . . . . . 13
4. Transport Considerations . . . . . . . . . . . . . . . . . . . 14 4. Transport Considerations . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 8.1. Normative References . . . . . . . . . . . . . . . . . . . 18
8.2. Informative References . . . . . . . . . . . . . . . . . . 18 8.2. Informative References . . . . . . . . . . . . . . . . . . 18
Appendix A. Design rationale . . . . . . . . . . . . . . . . . . 19 Appendix A. Design rationale . . . . . . . . . . . . . . . . . . 20
Appendix B. Correlation between IP Datagram size and Appendix B. Correlation between IP Datagram size and
Encrypted Payload content size . . . . . . . . . . . 20 Encrypted Payload content size . . . . . . . . . . . 21
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
The Internet Key Exchange Protocol version 2 (IKEv2), specified in The Internet Key Exchange Protocol version 2 (IKEv2), specified in
[RFC5996], uses UDP as a transport for its messages. When IKE [RFC5996], uses UDP as a transport for its messages. Most IKEv2
message size exceeds path MTU, it gets fragmented by IP level. The messages are relatively small, usually below several hundred bytes.
problem is that some network devices, specifically some NAT boxes, Noticeable exception is IKE_AUTH exchange, which requires fairly
don't allow IP fragments to pass through. This apparently blocks IKE large messages, up to several kbytes, especially when certificates
communication and, therefore, prevents peers from establishing IPsec are transferred. When IKE message size exceeds path MTU, it gets
SA. fragmented by IP level. The problem is that some network devices,
specifically some NAT boxes, don't allow IP fragments to pass
through. This apparently blocks IKE communication and, therefore,
prevents peers from establishing IPsec SA.
Widespread deployment of Carrier-Grade NATs (CGN) introduces new
challenges. RFC6888 [RFC6888] describes requirements for CGNs. It
states, that CGNs must comply with Section 11 of RFC4787 [RFC4787],
which requires NAT to support receiving IP fragments (REQ-14). In
real life fulfillment of this requirement creates an additional
burden in terms of memory, especially for high-capacity devices, used
in CGNs. It was found by people deploying IKE, that some ISPs have
begun to drop IP fragments, violating that requirement.
The solution to the problem described in this document is to perform The solution to the problem described in this document is to perform
fragmentation of large messages by IKE itself, replacing them by fragmentation of large messages by IKE itself, replacing them by
series of smaller messages. In this case the resulting IP Datagrams series of smaller messages. In this case the resulting IP Datagrams
will be small enough so that no fragmentation on IP level will take will be small enough so that no fragmentation on IP level will take
place. place.
Avoiding IP fragmentation is beneficial for IKEv2 in general.
Security Considerations Section of [RFC5996] mentions exhausting of
the IP reassembly buffers as one of possible attacks on the protocol.
In the paper [DOSUDPPROT] several aspects of attacks on IKE using IP
fragmentation are discussed, and one of defenses it proposes is to
perform IKE-level fragmentation, similar to the solution, described
in this document.
1.1. Conventions Used in This Document 1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Protocol details 2. Protocol details
2.1. Overview 2.1. Overview
The idea of the protocol is to split large IKE message into the set The idea of the protocol is to split large IKE message into a set of
of smaller ones, calling IKE Fragment Messages. Fragmentation takes smaller ones, called IKE Fragment Messages. Fragmentation takes
place before the original message is encrypted and authenticated, so place before the original message is encrypted and authenticated, so
that each IKE Fragment Message receives individual protection. On that each IKE Fragment Message receives individual protection. On
the receiving side IKE Fragment Messages are collected, verified, the receiving side IKE Fragment Messages are collected, verified,
decrypted and merged together to get the original message before decrypted and merged together to get the original message before
encryption. For design rationale see Appendix A. encryption. For design rationale see Appendix A.
2.2. Limitations 2.2. Limitations
As IKE Fragment Messages are cryptographically protected, SK_a and As IKE Fragment Messages are cryptographically protected, SK_a and
SK_e must already be calculated. In general, it means that original SK_e must already be calculated. In general, it means that original
skipping to change at page 8, line 28 skipping to change at page 8, line 28
fragmentation. fragmentation.
If sender has some knowledge about PMTU size it MAY use it. If If sender has some knowledge about PMTU size it MAY use it. If
sender is a Responder in the Exchange and it has received fragmented sender is a Responder in the Exchange and it has received fragmented
request, it MAY use maximum size of received IKE Fragment Message IP request, it MAY use maximum size of received IKE Fragment Message IP
Datagrams as threshold when constructing fragmented response. Datagrams as threshold when constructing fragmented response.
Otherwise for messages to be sent over IPv6 it is RECOMMENDED to use Otherwise for messages to be sent over IPv6 it is RECOMMENDED to use
value 1280 bytes as a maximum IP Datagram size ([RFC2460]). For value 1280 bytes as a maximum IP Datagram size ([RFC2460]). For
messages to be sent over IPv4 it is RECOMMENDED to use value 576 messages to be sent over IPv4 it is RECOMMENDED to use value 576
bytes as a maximum IP Datagram size. bytes as a maximum IP Datagram size. Presence of tunnels on the path
may reduce these values.
According to [RFC0791] the minimum IPv4 datagram size that is According to [RFC0791] the minimum IPv4 datagram size that is
guaranteed not to be further fragmented is 68 bytes, but it is guaranteed not to be further fragmented is 68 bytes, but it is
generally impossible to use such small value for solution, described generally impossible to use such small value for solution, described
in this document. Using 576 bytes is a compromise - the value is in this document. Using 576 bytes is a compromise - the value is
large enough for the presented solution and small enough to avoid IP large enough for the presented solution and small enough to avoid IP
fragmentation in most situations. Several other UDP-based protocol fragmentation in most situations. Several other UDP-based protocol
assume the value 576 bytes as a safe low limit for IP datagrams size assume the value 576 bytes as a safe low limit for IP datagrams size
(Syslog, DNS, etc.). Sender MAY use other values if they are (Syslog, DNS, etc.). Sender MAY use other values if they are
appropriate. appropriate.
See Appendix B for correlation between IP Datagram size and Encrypted See Appendix B for correlation between IP Datagram size and Encrypted
Payload content size. Payload content size.
2.5.2. PMTU Discovery 2.5.2. PMTU Discovery
Initiator MAY try to discover path MTU by using several values of Initiator MAY try to discover path MTU by probing several values of
fragmentation threshold, provided that it starts with larger values fragmentation threshold. While doing probes, node MUST start from
and fragments message again with next smaller value if it doesn't larger values and refragment message with next smaller value if it
receive response in a reasonable time after several retransmissions. doesn't receive response in a reasonable time after several
retransmissions. This time is supposed to be relatively short, so
that node could make all desired probes before exchange times out.
When starting new probe (with smaller threshold) node MUST reset its
retransmission timers so, that if it employs exponential back-off,
the timers start over. After reaching the smallest allowed value for
fragmentation threshold implementation MUST continue probing using it
untill either exchange completes ot times out.
PMTU discovery in IKE is supposed to be coarse-grained, i.e. it is
expected, that node will try only few fragmentation thresholds, in
order to minimize possible IKE SA establishment delay. In a corner
case, when host will use only one value, PMTU discovery will
effectively be disabled. In most cases PMTU discovery will not be
needed, as using values, recommended in section Section 2.5.1, should
suffice. It is expected, that PMTU discovery may be useful in
environments where PMTU size are smaller, than those listed in
Section 2.5.1, for example due to the presence of intermediate
tunnels.
PMTU discovery in IKE follows recommendations, given in Section 10.4
of RFC4821 [RFC4821] with some differences, induced by the
specialities of IKE. In particular:
o Unlike classical PMTUD [RFC1191] and PLMTUD [RFC4821] the goal of
Path MTU discovery in IKE is not to find the largest size of IP
packet, that will not be fragmented en route, but to find any
reasonal size, probably far from optimal.
o There is no goal to completely disallow IP fragmentation until its
presence leads to inability IKE to communicate (e.g. when IP
fragments are dropped)
o IKE usually sends large messages only in IKE_AUTH exchange, i.e.
once per IKE SA. Most of other messages will have size below
several hundred bytes. Performing full PMTUD for sending exactly
one large message is inefficient.
In case of PMTU discovery Total Fragments field is used to In case of PMTU discovery Total Fragments field is used to
distinguish between different sets of fragments, i.e. the sets that distinguish between different sets of fragments, i.e. the sets that
were obtained by fragmenting original message using different were obtained by fragmenting original message using different
fragmentation thresholds. As sender will start from larger fragments fragmentation thresholds. As sender will start from larger fragments
and then make them smaller, the value in Total Fragments field will and then make them smaller, the value in Total Fragments field will
increase with each new try. When selecting next smaller value of increase with each new try. When selecting next smaller value of
fragmentation threshold, sender MUST ensure that the value in Total fragmentation threshold, sender MUST ensure that the value in Total
Fragments field is really increased. This requirement should not Fragments field is really increased. This requirement should not
become a problem for the sender, as PMTU discovery in IKE is supposed become a problem for the sender, as PMTU discovery in IKE is supposed
skipping to change at page 10, line 30 skipping to change at page 11, line 19
* check that Fragment Number and Total Fragments fields are non- * check that Fragment Number and Total Fragments fields are non-
zero zero
* check that Fragment Number field is less than or equal to Total * check that Fragment Number field is less than or equal to Total
Fragments field Fragments field
* if reassembling has already started, check that Total Fragments * if reassembling has already started, check that Total Fragments
field is equal to or greater than Total Fragments field in field is equal to or greater than Total Fragments field in
fragments, that have already received fragments, that have already received
If either of this tests fails message MUST be silently discarded. If any of this tests fails message MUST be silently discarded.
o Check, that this IKE Fragment Message is new for the receiver and o Check, that this IKE Fragment Message is new for the receiver and
not a replay. If IKE Fragment message with the same Message ID, not a replay. If IKE Fragment message with the same Message ID,
same Fragment Number and same Total Fragments fields was already same Fragment Number and same Total Fragments fields was already
received and successfully processed, this message is considered a received and successfully processed, this message is considered a
replay and MUST be silently discarded. replay and MUST be silently discarded.
o Verify IKE Fragment Message authenticity by checking ICV in o Verify IKE Fragment Message authenticity by checking ICV in
Encrypted Fragment Payload. If ICV check fails message MUST be Encrypted Fragment Payload. If ICV check fails message MUST be
silently discarded. silently discarded.
skipping to change at page 10, line 52 skipping to change at page 11, line 41
o If reassembling isn't finished yet and Total Fragments field in o If reassembling isn't finished yet and Total Fragments field in
received IKE Fragment Message is greater than this field in received IKE Fragment Message is greater than this field in
previously received fragments, receiver MUST discard all received previously received fragments, receiver MUST discard all received
fragments and start reassembling over with just received IKE fragments and start reassembling over with just received IKE
Fragment Message. Fragment Message.
o Store message in the list waiting for the rest of fragments to o Store message in the list waiting for the rest of fragments to
arrive. arrive.
When all IKE Fragment Messages (as indicated in the Total Fragments When all IKE Fragment Messages (as indicated in the Total Fragments
field) are received, content of their Encrypted Fragment Payloads is field) are received, content of their already decrypted Encrypted
decrypted and merged together to form content of original Encrypted Fragment Payloads is merged together to form content of original
Payload, and, therefore, along with IKE Header and unencrypted Encrypted Payload, and, therefore, along with IKE Header and
Payloads (if any), original message. Then it is processed as if it unencrypted Payloads (if any), original message. Then it is
was received, verified and decrypted as regular unfragmented message. processed as if it was received, verified and decrypted as regular
unfragmented message.
If receiver does't get all IKE Fragment Messages needed to reassemble If receiver does't get all IKE Fragment Messages needed to reassemble
original Message for some Exchange within a timeout interval, it acts original Message for some Exchange within a timeout interval, it acts
according with Section 2.1 of [RFC5996], i.e. retransmits the according with Section 2.1 of [RFC5996], i.e. retransmits the
fragmented request Message (in case of Initiator) or deems Exchange fragmented request Message (in case of Initiator) or deems Exchange
to have failed. If Exchange is abandoned, all received so far IKE to have failed. If Exchange is abandoned, all received so far IKE
Fragment Messages for that Exchange MUST be discarded. Fragment Messages for that Exchange MUST be discarded.
2.6.1. Changes in Replay Protection Logic 2.6.1. Changes in Replay Protection Logic
skipping to change at page 15, line 11 skipping to change at page 15, line 11
response Fragment Messages are sent back all together only when all response Fragment Messages are sent back all together only when all
fragments of request are received, the original request Message is fragments of request are received, the original request Message is
reassembled and successfully processed. reassembled and successfully processed.
5. Security Considerations 5. Security Considerations
Most of the security considerations for IKE Fragmentation are the Most of the security considerations for IKE Fragmentation are the
same as those for base IKEv2 protocol described in [RFC5996]. This same as those for base IKEv2 protocol described in [RFC5996]. This
extension introduces Encrypted Fragment Payload to protect content of extension introduces Encrypted Fragment Payload to protect content of
IKE Message Fragment. This allows receiver to individually check IKE Message Fragment. This allows receiver to individually check
authenticity of fragments, thus protecting peers from Denial of authenticity of fragments, thus protecting peers from DoS attack.
Service attack.
Security Considerations Section of [RFC5996] mentions possible attack
on IKE by exhausting of the IP reassembly buffers. The mechanism,
described in this document, allows IKE to avoid IP-fragmentation and
therefore increases its robustness to DoS attacks.
6. IANA Considerations 6. IANA Considerations
This document defines new Payload in the "IKEv2 Payload Types" This document defines new Payload in the "IKEv2 Payload Types"
registry: registry:
<TBA> Encrypted Fragment Payload SKF <TBA> Encrypted Fragment Payload SKF
This document also defines new Notify Message Types in the "Notify This document also defines new Notify Message Types in the "Notify
Messages Types - Status Types" registry: Messages Types - Status Types" registry:
skipping to change at page 18, line 25 skipping to change at page 18, line 25
[RFC6311] Singh, R., Kalyani, G., Nir, Y., Sheffer, Y., and D. [RFC6311] Singh, R., Kalyani, G., Nir, Y., Sheffer, Y., and D.
Zhang, "Protocol Support for High Availability of IKEv2/ Zhang, "Protocol Support for High Availability of IKEv2/
IPsec", RFC 6311, July 2011. IPsec", RFC 6311, July 2011.
8.2. Informative References 8.2. Informative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. September 1981.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, December 1998.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007.
[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption
Algorithms with the Encrypted Payload of the Internet Key Algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) Protocol", RFC 5282, Exchange version 2 (IKEv2) Protocol", RFC 5282,
August 2008. August 2008.
[RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, Protocol Version 2 (IKEv2) Session Resumption", RFC 5723,
January 2010. January 2010.
[RFC6290] Nir, Y., Wierbowski, D., Detienne, F., and P. Sethi, "A [RFC6290] Nir, Y., Wierbowski, D., Detienne, F., and P. Sethi, "A
Quick Crash Detection Method for the Internet Key Exchange Quick Crash Detection Method for the Internet Key Exchange
Protocol (IKE)", RFC 6290, June 2011. Protocol (IKE)", RFC 6290, June 2011.
[RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
and H. Ashida, "Common Requirements for Carrier-Grade NATs
(CGNs)", BCP 127, RFC 6888, April 2013.
[DOSUDPPROT]
Kaufman, C., Perlman, R., and B. Sommerfeld, "DoS
protection for UDP-based protocols", ACM Conference on
Computer and Communications Security, October 2003.
Appendix A. Design rationale Appendix A. Design rationale
The simplest approach to the IKE fragmentation would have been to The simplest approach to the IKE fragmentation would have been to
fragment message that is fully formed and ready to be sent. But if fragment message that is fully formed and ready to be sent. But if
message got fragmented after being encrypted and authenticated, this message got fragmented after being encrypted and authenticated, this
could open a possibility for a simple Denial of Service attack. The could open a possibility for a simple Denial of Service attack. The
attacker could infrequently emit forged but looking valid fragments attacker could infrequently emit forged but looking valid fragments
into the network, and some of these fragments would be fetched by into the network, and some of these fragments would be fetched by
receiver into the reassempling queue. Receiver could not distinguish receiver into the reassempling queue. Receiver could not distinguish
forged fragments from valid ones and could only determine that some forged fragments from valid ones and could only determine that some
 End of changes. 18 change blocks. 
30 lines changed or deleted 111 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/