draft-ietf-ipsecme-ikev2-fragmentation-08.txt   draft-ietf-ipsecme-ikev2-fragmentation-09.txt 
Network Working Group V. Smyslov Network Working Group V. Smyslov
Internet-Draft ELVIS-PLUS Internet-Draft ELVIS-PLUS
Intended status: Standards Track May 23, 2014 Intended status: Standards Track June 6, 2014
Expires: November 24, 2014 Expires: December 8, 2014
IKEv2 Fragmentation IKEv2 Fragmentation
draft-ietf-ipsecme-ikev2-fragmentation-08 draft-ietf-ipsecme-ikev2-fragmentation-09
Abstract Abstract
This document describes the way to avoid IP fragmentation of large This document describes the way to avoid IP fragmentation of large
IKEv2 messages. This allows IKEv2 messages to traverse network IKEv2 messages. This allows IKEv2 messages to traverse network
devices that do not allow IP fragments to pass through. devices that do not allow IP fragments to pass through.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 24, 2014. This Internet-Draft will expire on December 8, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 13 skipping to change at page 3, line 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
1.1. Problem description 1.1. Problem description
The Internet Key Exchange Protocol version 2 (IKEv2), specified in The Internet Key Exchange Protocol version 2 (IKEv2), specified in
[IKEv2], uses UDP as a transport for its messages. Most IKEv2 [IKEv2], uses UDP as a transport for its messages. Most IKEv2
messages are relatively small, usually below several hundred bytes. messages are relatively small, usually below several hundred bytes.
Noticeable exception is IKE_AUTH Exchange, which requires fairly Noticeable exception is IKE_AUTH Exchange, which requires fairly
large messages, up to several kbytes, especially when certificates large messages, up to several kBytes, especially when certificates
are transferred. When IKE message size exceeds path MTU, it gets are transferred. When IKE message size exceeds path MTU, it gets
fragmented by IP level. The problem is that some network devices, fragmented by IP level. The problem is that some network devices,
specifically some NAT boxes, do not allow IP fragments to pass specifically some NAT boxes, do not allow IP fragments to pass
through. This apparently blocks IKE communication and, therefore, through. This apparently blocks IKE communication and, therefore,
prevents peers from establishing IPsec SA. Section 2 of [IKEv2] prevents peers from establishing IPsec SA. Section 2 of [IKEv2]
discusses the impact of IP fragmentation on IKEv2 and acknowledges discusses the impact of IP fragmentation on IKEv2 and acknowledges
this problem. this problem.
Widespread deployment of Carrier-Grade NATs (CGN) introduces new Widespread deployment of Carrier-Grade NATs (CGN) introduces new
challenges. [RFC6888] describes requirements for CGNs. It states, challenges. [RFC6888] describes requirements for CGNs. It states,
skipping to change at page 4, line 6 skipping to change at page 4, line 6
1.2. Proposed solution 1.2. Proposed solution
The solution to the problem described in this document is to perform The solution to the problem described in this document is to perform
fragmentation of large messages by IKEv2 itself, replacing them by fragmentation of large messages by IKEv2 itself, replacing them by
series of smaller messages. In this case the resulting IP Datagrams series of smaller messages. In this case the resulting IP Datagrams
will be small enough so that no fragmentation on IP level will take will be small enough so that no fragmentation on IP level will take
place. place.
The primary goal of this solution is to allow IKEv2 to operate in The primary goal of this solution is to allow IKEv2 to operate in
environments, that may block IP fragments. This goal does not assume environments, that might block IP fragments. This goal does not
that IP fragmentation should be avoided completely, but only in those assume that IP fragmentation should be avoided completely, but only
cases when it interferes with IKE operations. However this solution in those cases when it interferes with IKE operations. However this
could be used to avoid IP fragmentation in all situations where solution could be used to avoid IP fragmentation in all situations
fragmentation within IKE is applicable, as it is recommended in where fragmentation within IKE is applicable, as it is recommended in
Section 3.2 of [RFC5405]. Avoiding IP fragmentation would be Section 3.2 of [RFC5405]. Avoiding IP fragmentation would be
beneficial for IKEv2 in general. Security Considerations Section of beneficial for IKEv2 in general. Security Considerations Section of
[IKEv2] mentions exhausting of the IP reassembly buffers as one of [IKEv2] mentions exhausting of the IP reassembly buffers as one of
the possible attacks on the protocol. In the paper [DOSUDPPROT] the possible attacks on the protocol. In the paper [DOSUDPPROT]
several aspects of attacks on IKE using IP fragmentation are several aspects of attacks on IKE using IP fragmentation are
discussed, and one of the defenses it proposes is to perform discussed, and one of the defenses it proposes is to perform
fragmentation within IKE similarly to the solution described in this fragmentation within IKE similarly to the solution described in this
document. document.
1.3. Conventions Used in This Document 1.3. Conventions Used in This Document
skipping to change at page 5, line 21 skipping to change at page 5, line 21
place before the original message is encrypted and authenticated, so place before the original message is encrypted and authenticated, so
that each IKE Fragment Message receives individual protection. On that each IKE Fragment Message receives individual protection. On
the receiving side IKE Fragment Messages are collected, verified, the receiving side IKE Fragment Messages are collected, verified,
decrypted and merged together to get the original message before decrypted and merged together to get the original message before
encryption. See Appendix A for design rationale. encryption. See Appendix A for design rationale.
2.2. Limitations 2.2. Limitations
Since IKE Fragment Messages are cryptographically protected, SK_a and Since IKE Fragment Messages are cryptographically protected, SK_a and
SK_e must already be calculated. In general, it means that original SK_e must already be calculated. In general, it means that original
message can be fragmented if and only if it contains Encrypted message can be fragmented if and only if it contains an Encrypted
Payload. Payload.
This implies that messages of the IKE_SA_INIT Exchange cannot be This implies that messages of the IKE_SA_INIT Exchange cannot be
fragmented. In most cases this is not a problem because IKE_SA_INIT fragmented. In most cases this is not a problem because IKE_SA_INIT
messages are usually small enough to avoid IP fragmentation. But in messages are usually small enough to avoid IP fragmentation. But in
some cases (advertising a badly structured long list of algorithms, some cases (advertising a badly structured long list of algorithms,
using large MODP Groups, etc.) these messages may become fairly large using large MODP Groups, etc.) these messages may become fairly large
and get fragmented by IP level. In this case the described solution and get fragmented by IP level. In this case the described solution
will not help. will not help.
skipping to change at page 5, line 46 skipping to change at page 5, line 46
Another limitation is that the minimal size of IP Datagram bearing Another limitation is that the minimal size of IP Datagram bearing
IKE Fragment Message is about 100 bytes depending on the algorithms IKE Fragment Message is about 100 bytes depending on the algorithms
employed. According to [RFC0791] the minimum IPv4 Datagram size that employed. According to [RFC0791] the minimum IPv4 Datagram size that
is guaranteed not to be further fragmented is 68 bytes. So, even the is guaranteed not to be further fragmented is 68 bytes. So, even the
smallest IKE Fragment Messages could be fragmented by IP level in smallest IKE Fragment Messages could be fragmented by IP level in
some circumstances. But such extremely small PMTU sizes are very some circumstances. But such extremely small PMTU sizes are very
rare in real life. rare in real life.
2.3. Negotiation 2.3. Negotiation
Initiator indicates its support for the IKE Fragmentation and The Initiator indicates its support for the IKE Fragmentation and
willingness to use it by including Notification Payload of type willingness to use it by including Notification Payload of type
IKEV2_FRAGMENTATION_SUPPORTED in IKE_SA_INIT request message. If IKEV2_FRAGMENTATION_SUPPORTED in IKE_SA_INIT request message. If
Responder also supports this extension and is willing to use it, it Responder also supports this extension and is willing to use it, it
includes this notification in response message. includes this notification in response message.
Initiator Responder Initiator Responder
----------- ----------- ----------- -----------
HDR, SAi1, KEi, Ni, HDR, SAi1, KEi, Ni,
[N(IKEV2_FRAGMENTATION_SUPPORTED)] --> [N(IKEV2_FRAGMENTATION_SUPPORTED)] -->
skipping to change at page 6, line 35 skipping to change at page 6, line 35
o SPI Size (1 octet) MUST be 0, meaning no SPI is present. o SPI Size (1 octet) MUST be 0, meaning no SPI is present.
o Notify Message Type (2 octets) - MUST be xxxxx, the value assigned o Notify Message Type (2 octets) - MUST be xxxxx, the value assigned
for IKEV2_FRAGMENTATION_SUPPORTED notification. for IKEV2_FRAGMENTATION_SUPPORTED notification.
This Notification contains no data. This Notification contains no data.
2.4. Using IKE Fragmentation 2.4. Using IKE Fragmentation
The IKE Fragmentation MUST NOT be used unless both peers have The IKE Fragmentation MUST NOT be used unless both peers have
indicated their support for it. After that it is up to the the indicated their support for it. After that it is up to the Initiator
Initiator of each exchange to decide whether to use it or not. The of each exchange to decide whether or not to use it. The Responder
Responder usually replies in the same form as the request message, usually replies in the same form as the request message, but other
but other considerations might override this. considerations might override this.
The Initiator may employ various policies regarding the use of IKE The Initiator can employ various policies regarding the use of IKE
Fragmentation. It may first try to send an unfragmented message and Fragmentation. It might first try to send an unfragmented message
resend it as fragmented only if no complete response is received even and resend it as fragmented only if no complete response is received
after several retransmissions. Alternatively, it may choose always even after several retransmissions. Alternatively, it might choose
to send fragmented messages (but see Section 3), or it may fragment always to send fragmented messages (but see Section 3), or it might
only large messages and messages that are expected to result in large fragment only large messages and messages that are expected to result
responses. in large responses.
The following general guidelines apply: The following general guidelines apply:
o If either peer has information that a part of the transaction is o If either peer has information that a part of the transaction is
likely to be fragmented at the IP layer, causing interference with likely to be fragmented at the IP layer, causing interference with
the IKE exchange, that peer SHOULD use IKE Fragmentation. This the IKE exchange, that peer SHOULD use IKE Fragmentation. This
information may be passed from a lower layer, provided by information might be passed from a lower layer, provided by
configuration, or derived through heuristics. Examples of configuration, or derived through heuristics. Examples of
heuristics are the lack of a complete response after several heuristics are the lack of a complete response after several
retransmissions for the Initiator, and receiving repeated retransmissions for the Initiator, and receiving repeated
retransmissions of the request for the Responder. retransmissions of the request for the Responder.
o If either peer knows that IKE Fragmentation has been used in a o If either peer knows that IKE Fragmentation has been used in a
previous exchange in the context of the current IKE SA, that peer previous exchange in the context of the current IKE SA, that peer
SHOULD continue the use of IKE Fragmentation for the messages that SHOULD continue the use of IKE Fragmentation for the messages that
are larger than the current fragmentation threshold (see are larger than the current fragmentation threshold (see
Section 2.5.1). Section 2.5.1).
skipping to change at page 7, line 31 skipping to change at page 7, line 31
o If none of the above apply, the Responder SHOULD respond in the o If none of the above apply, the Responder SHOULD respond in the
same form (fragmented or not) as the request message it is same form (fragmented or not) as the request message it is
responding to. Note that the other guidelines might override this responding to. Note that the other guidelines might override this
because of information or heuristics available to the Responder. because of information or heuristics available to the Responder.
In most cases IKE Fragmentation will be used in the IKE_AUTH In most cases IKE Fragmentation will be used in the IKE_AUTH
Exchange, especially if certificates are employed. Exchange, especially if certificates are employed.
2.5. Fragmenting Message 2.5. Fragmenting Message
Message to be fragmented MUST contain Encrypted Payload. For the Only messages that contain an Encrypted Payload are subject for IKE
purpose of IKE Fragment Messages construction original (unencrypted) Fragmentation. For the purpose of IKE Fragment Messages construction
content of Encrypted Payload is split into chunks. The content is original (unencrypted) content of the Encrypted Payload is split into
treated as a binary blob and is split regardless of inner Payloads chunks. The content is treated as a binary blob and is split
boundaries. Each of resulting chunks is treated as an original regardless of inner Payloads boundaries. Each of resulting chunks is
content of Encrypted Fragment Payload and is then encrypted and treated as an original content of the Encrypted Fragment Payload and
authenticated. Thus, the Encrypted Fragment Payload contains a chunk is then encrypted and authenticated. Thus, the Encrypted Fragment
of the original content of Encrypted Payload in encrypted form. The Payload contains a chunk of the original content of the Encrypted
cryptographic processing of Encrypted Fragment Payload is identical Payload in encrypted form. The cryptographic processing of the
to Section 3.14 of [IKEv2], as well as documents updating it for Encrypted Fragment Payload is identical to Section 3.14 of [IKEv2],
particular algorithms or modes, such as [RFC5282]. as well as documents updating it for particular algorithms or modes,
such as [RFC5282].
The Encrypted Fragment Payload, similarly to the Encrypted Payload, The Encrypted Fragment Payload, similarly to the Encrypted Payload,
if present in a message, MUST be the last payload in the message. if present in a message, MUST be the last payload in the message.
The Encrypted Fragment Payload is denoted SKF{...} and its payload The Encrypted Fragment Payload is denoted SKF{...} and its payload
type is XXX (TBA by IANA). This payload is also called the type is XXX (TBA by IANA). This payload is also called the
"Encrypted and Authenticated Fragment" payload. "Encrypted and Authenticated Fragment" payload.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 9, line 20 skipping to change at page 9, line 20
HDR(MID=n), SKF(NextPld=0, Frag#=2, TotalFrags=m) {...}, HDR(MID=n), SKF(NextPld=0, Frag#=2, TotalFrags=m) {...},
... ...
HDR(MID=n), SKF(NextPld=0, Frag#=m, TotalFrags=m) {...} HDR(MID=n), SKF(NextPld=0, Frag#=m, TotalFrags=m) {...}
IKE Fragment Messages IKE Fragment Messages
2.5.1. Selecting Fragment Size 2.5.1. Selecting Fragment Size
When splitting content of Encrypted Payload into chunks sender SHOULD When splitting content of Encrypted Payload into chunks sender SHOULD
choose their size so, that resulting IP Datagrams be smaller than choose their size so, that resulting IP Datagrams be smaller than
some fragmentation threshold. Implementation may calculate some fragmentation threshold. Implementations may calculate
fragmentation threshold using various sources of information. fragmentation threshold using various sources of information.
If sender has information about PMTU size it SHOULD use it. The If the Sender has information about PMTU size it SHOULD use it. The
Responder in the exchange may use maximum size of received IKE Responder in the exchange may use maximum size of received IKE
Fragment Message IP Datagrams as threshold when constructing Fragment Message IP Datagrams as threshold when constructing
fragmented response. Successful completion of previous exchanges fragmented response. Successful completion of previous exchanges
(including those exchanges, that cannot employ IKE Fragmentation, (including those exchanges, that cannot employ IKE Fragmentation,
e.g. IKE_SA_INIT) may be an indication, that fragmentation threshold e.g. IKE_SA_INIT) may be an indication, that fragmentation threshold
can be set to the size of the largest of already sent messages. can be set to the size of the largest of already sent messages.
Otherwise for messages to be sent over IPv6 it is RECOMMENDED to use Otherwise for messages to be sent over IPv6 it is RECOMMENDED to use
value 1280 bytes as a maximum IP Datagram size ([RFC2460]). For value 1280 bytes as a maximum IP Datagram size ([RFC2460]). For
messages to be sent over IPv4 it is RECOMMENDED to use value 576 messages to be sent over IPv4 it is RECOMMENDED to use value 576
bytes as a maximum IP Datagram size. Presence of tunnels on the path bytes as a maximum IP Datagram size. Presence of tunnels on the path
may reduce these values. Implementation may use other values if they may reduce these values. Implementations may use other values if
are appropriate in current environment. they are appropriate in current environment.
According to [RFC0791] the minimum IPv4 datagram size that is According to [RFC0791] the minimum IPv4 Datagram size that is
guaranteed not to be further fragmented is 68 bytes, but it is guaranteed not to be further fragmented is 68 bytes, but it is
generally impossible to use such small value for solution, described generally impossible to use such small value for solution, described
in this document. Using 576 bytes is a compromise - the value is in this document. Using 576 bytes is a compromise - the value is
large enough for the presented solution and small enough to avoid IP large enough for the presented solution and small enough to avoid IP
fragmentation in most situations. Several other UDP-based protocol fragmentation in most situations. Several other UDP-based protocol
assume the value 576 bytes as a safe low limit for IP datagrams size assume the value 576 bytes as a safe low limit for IP Datagrams size
(Syslog, DNS, etc.). (Syslog, DNS, etc.).
See Appendix B for correlation between IP Datagram size and Encrypted See Appendix B for correlation between IP Datagram size and Encrypted
Payload content size. Payload content size.
2.5.2. PMTU Discovery 2.5.2. PMTU Discovery
The amount of traffic that IKE endpoint produces during lifetime of The amount of traffic that IKE endpoint produces during lifetime of
IKE SA is fairly modest - usually it is below one hundred kBytes IKE SA is fairly modest - usually it is below one hundred kBytes
within a period of several hours. Most of this traffic consists of within a period of several hours. Most of this traffic consists of
relatively short messages - usually below several hundred bytes. In relatively short messages - usually below several hundred bytes. In
most cases the only time when IKE endpoints exchange messages of most cases the only time when IKE endpoints exchange messages of
several kBytes in size is IKE SA establishment and often each several kBytes in size is IKE SA establishment and often each
endpoint sends exactly one such message. endpoint sends exactly one such message.
For the reasons atriculated above implementing PMTU discovery in IKE For the reasons articulated above implementing PMTU discovery in IKE
is OPTIONAL. It is believed that using the values recommended in is OPTIONAL. It is believed that using the values recommended in
Section 2.5.1 as fragmentation threshold will be sufficient in most Section 2.5.1 as fragmentation threshold will be sufficient in most
cases. Using these values could lead to suboptimal fragmentation, cases. Using these values could lead to suboptimal fragmentation,
but it is acceptable given the amount of traffic IKE produces. but it is acceptable given the amount of traffic IKE produces.
Implementation may support PMTU discovery if there are good reasons Implementations may support PMTU discovery if there are good reasons
to do it (for example if it is intended to be used in environments to do it (for example if it is intended to be used in environments
where MTU size is possible to be less that values listed in where MTU size is possible to be less that values listed in
Section 2.5.1). Section 2.5.1).
PMTU discovery in IKE follows recommendations given in Section 10.4 PMTU discovery in IKE follows recommendations given in Section 10.4
of [RFC4821] with the difference, induced by the specialties of IKE of [RFC4821] with the difference, induced by the specialties of IKE
listed above. The difference is that the PMTU search is performed listed above. The difference is that the PMTU search is performed
downward, while in [RFC4821] it is performed upward. The reason for downward, while in [RFC4821] it is performed upward. The reason for
this change is that IKE usually sends large messages only when IKE SA this change is that IKE usually sends large messages only when IKE SA
is being established and in many cases there is only one such is being established and in many cases there is only one such
message. If the probing were performed upward this message would be message. If the probing were performed upward this message would be
fragmented using the smallest allowable threshold, and usually all fragmented using the smallest allowable threshold, and usually all
other messages are small enough to avoid IP fragmentation, so there other messages are small enough to avoid IP fragmentation, so there
would be little value to continue probing. would be little value to continue probing.
It is the Initiator of the exchange, who performs PMTU discovery. It It is the Initiator of the exchange, who performs PMTU discovery. It
is done by probing several values of fragmentation threshold. is done by probing several values of fragmentation threshold.
Implementation MUST be prepared to probe in every exchange that Implementations MUST be prepared to probe in every exchange that
utilizes IKE Fragmentation to deal with possible changes of path MTU utilizes IKE Fragmentation to deal with possible changes of path MTU
over time. While doing probes, it MUST start from larger values and over time. While doing probes, it MUST start from larger values and
refragment original message using next smaller value of threshold if refragment original message using next smaller value of threshold if
it did not receive response in a reasonable time after several it did not receive response in a reasonable time after several
retransmissions. The exact number of retransmissions and length of retransmissions. The exact number of retransmissions and length of
timeouts are not covered in this specification because they do not timeouts are not covered in this specification because they do not
affect interoperability. However, the timeout interval is supposed affect interoperability. However, the timeout interval is supposed
to be relatively short, so that unsuccessful probes would not delay to be relatively short, so that unsuccessful probes would not delay
IKE operations too much. Performimg few retries within several IKE operations too much. Performing few retries within several
seconds for each probe seems appropriate, but different environments seconds for each probe seems appropriate, but different environments
may require different rules. When starting new probe node MUST reset may require different rules. When starting new probe node MUST reset
its retransmission timers so, that if it employs exponential back- its retransmission timers so, that if it employs exponential back-
off, the timers will start over. After reaching the smallest allowed off, the timers will start over. After reaching the smallest allowed
value for fragmentation threshold implementation MUST continue value for the fragmentation threshold an implementation MUST continue
retransmitting until either exchange completes or times out using retransmitting until either exchange completes or times out using
timeout interval from Section 2.4 of [IKEv2]. timeout interval from Section 2.4 of [IKEv2].
PMTU discovery in IKE is supposed to be coarse-grained, i.e. it is PMTU discovery in IKE is supposed to be coarse-grained, i.e. it is
expected, that node will try only few fragmentation thresholds, in expected, that node will try only few fragmentation thresholds, in
order to minimize delays caused by unsuccessful probes. If no order to minimize delays caused by unsuccessful probes. If no
information about path MTU is known yet, endpoint may start probing information about path MTU is known yet, endpoint may start probing
from link MTU size. In the following exchanges node should start from link MTU size. In the following exchanges node should start
from the current value of fragmentation threshold. from the current value of fragmentation threshold.
If implementation is capable to receive ICMP error messages it may If an implementation is capable to receive ICMP error messages it can
additionally utilize classic PMTU discovery methods, described in additionally utilize classic PMTU discovery methods, described in
[RFC1191] and [RFC1981]. In particular, if the Initiator receives [RFC1191] and [RFC1981]. In particular, if the Initiator receives
Packet Too Big error in response to the probe, and it contains Packet Too Big error in response to the probe, and it contains
smaller value, than current fragmentation threshold, then the smaller value, than current fragmentation threshold, then the
Initiator SHOULD stop retransmitting the probe and SHOULD select new Initiator SHOULD stop retransmitting the probe and SHOULD select new
value for fragmentation threshold that is less than or equal to the value for fragmentation threshold that is less than or equal to the
value from the ICMP message and meets the requirements listed below. value from the ICMP message and meets the requirements listed below.
In case of PMTU discovery Total Fragments field is used to In case of PMTU discovery Total Fragments field is used to
distinguish between different sets of fragments, i.e. the sets that distinguish between different sets of fragments, i.e. the sets that
skipping to change at page 12, line 27 skipping to change at page 12, line 27
should not exceed fragmentation threshold, including the first one, should not exceed fragmentation threshold, including the first one,
that contains unprotected Payloads. This will reduce the size of that contains unprotected Payloads. This will reduce the size of
Encrypted Fragment Payload content in the first IKE Fragment Message Encrypted Fragment Payload content in the first IKE Fragment Message
to accommodate all unprotected Payloads. In extreme case Encrypted to accommodate all unprotected Payloads. In extreme case Encrypted
Fragment Payload will contain no data, but it still must be present Fragment Payload will contain no data, but it still must be present
in the message, because only its presence allows receiver to in the message, because only its presence allows receiver to
determine that sender have used IKE Fragmentation. determine that sender have used IKE Fragmentation.
2.6. Receiving IKE Fragment Message 2.6. Receiving IKE Fragment Message
Receiver identifies IKE Fragment Message by the presence of Encrypted The Receiver identifies the IKE Fragment Message by the presence of
Fragment Payload in it. In most cases it will be the first and the an Encrypted Fragment Payload in it. In most cases it will be the
only payload in the message, however this may not be true for some first and the only payload in the message, however this may not be
hypothetical IKE exchanges (see Section 2.5.3) true for some hypothetical IKE exchanges (see Section 2.5.3)
Upon receiving IKE Fragment Message the following actions are Upon receiving the IKE Fragment Message the following actions are
performed: performed:
o Check message validity - in particular, check whether values of o Check message validity - in particular, check whether the values
Fragment Number and Total Fragments in Encrypted Fragment Payload in the Fragment Number and the Total Fragments fields in the
are valid. The following tests need to be performed. Encrypted Fragment Payload are valid. The following tests need to
be performed.
* check that Fragment Number and Total Fragments fields are non- * check that the Fragment Number and the Total Fragments fields
zero contain non-zero values
* check that Fragment Number field is less than or equal to Total * check that the value in the Fragment Number field is less than
Fragments field or equal to the value in the Total Fragments field
* if reassembling has already started, check that Total Fragments * if reassembling has already started, check that the value in
field is equal to or greater than Total Fragments field in the Total Fragments field is equal to or greater than Total
fragments that have already been stored in the reassembling Fragments field in the fragments that have already been stored
queue in the reassembling queue
If any of this tests fails message MUST be silently discarded. If any of this tests fails the message MUST be silently discarded.
o Check, that this IKE Fragment Message is new for the receiver and o Check, that this IKE Fragment Message is new for the receiver and
not a replay. If IKE Fragment message with the same Message ID, not a replay. If IKE Fragment message with the same Message ID,
same Fragment Number and same Total Fragments fields is already same Fragment Number and same Total Fragments fields is already
present in the reassembling queue, this message is considered a present in the reassembling queue, this message is considered a
replay and MUST be silently discarded. replay and MUST be silently discarded.
o Verify IKE Fragment Message authenticity by checking ICV in o Verify IKE Fragment Message authenticity by checking ICV in
Encrypted Fragment Payload. If ICV check fails message MUST be Encrypted Fragment Payload. If ICV check fails message MUST be
silently discarded. silently discarded.
skipping to change at page 13, line 25 skipping to change at page 13, line 25
o If reassembling is not finished yet and Total Fragments field in o If reassembling is not finished yet and Total Fragments field in
received fragment is greater than this field in those fragments, received fragment is greater than this field in those fragments,
that are in the reassembling queue, receiver MUST discard all that are in the reassembling queue, receiver MUST discard all
received fragments and start reassembling over with just received received fragments and start reassembling over with just received
IKE Fragment Message. IKE Fragment Message.
o Store message in the reassembling queue waiting for the rest of o Store message in the reassembling queue waiting for the rest of
fragments to arrive. fragments to arrive.
When all IKE Fragment Messages (as indicated in the Total Fragments When all IKE Fragment Messages (as indicated in the Total Fragments
field) are received, decrypted content of all Encrypted Fragment field) are received, the decrypted content of all Encrypted Fragment
Payloads is merged together to form content of original Encrypted Payloads is merged together to form content of original Encrypted
Payload, and, therefore, along with IKE Header and unprotected Payload, and, therefore, along with IKE Header and unprotected
Payloads (if any), original message. Then it is processed as if it Payloads (if any), original message. Then it is processed as if it
was received, verified and decrypted as regular IKE message. was received, verified and decrypted as regular IKE message.
If receiver does not get all IKE fragments needed to reassemble If receiver does not get all IKE fragments needed to reassemble the
original Message within a timeout interval, it MUST discard all original Message within a timeout interval, it MUST discard all IKE
received so far IKE Fragment Messages for the exchange. Next actions Fragment Messages received so far for the exchange. The next actions
depend on the role of receiver in the exchange. depend on the role of receiver in the exchange.
o The Initiator acts as described in Section 2.1 of [IKEv2]. It o The Initiator acts as described in Section 2.1 of [IKEv2]. It
either retransmits the fragmented request Message or deems IKE SA either retransmits the fragmented request Message or deems IKE SA
to have failed and deletes it. The number of retransmits and to have failed and deletes it. The number of retransmits and
length of timeouts for the Initiator are not covered in this length of timeouts for the Initiator are not covered in this
specification since they are assumed to be the same as in regular specification since they are assumed to be the same as in regular
IKEv2 exchange and are discussed in Section 2.4 of [IKEv2]. IKEv2 exchange and are discussed in Section 2.4 of [IKEv2].
o The Responder in this case acts as if no request message was o The Responder in this case acts as if no request message was
received. The reassembling timeout for Responder is RECOMMENDED received. It would delete any memory of the incomplete request
to be equal to the time interval that implementation waits before message, and not treat it as an IKE SA failure. The reassembling
completely giving up when acting as Initiator of exchange. timeout for the Responder is RECOMMENDED to be equal to the time
Section 2.4 of [IKEv2] gives recommendations for selecting this interval that the implementation waits before completely giving up
interval. Implementation MAY use shorter timeout to conserve when acting as Initiator of exchange. Section 2.4 of [IKEv2]
memory. gives recommendations for selecting this interval.
Implementations can use a shorter timeout to conserve memory.
2.6.1. Replay Detection and Retransmissions 2.6.1. Replay Detection and Retransmissions
According to [IKEv2] implementation must reject message with the same According to [IKEv2] implementations must reject message with the
Message ID as it has seen before (taking into consideration Response same Message ID as it has seen before (taking into consideration
bit). This logic has already been updated by [RFC6311], which Response bit). This logic has already been updated by [RFC6311],
deliberately allows any number of messages with zero Message ID. which deliberately allows any number of messages with zero Message
This document also updates this logic for the situations, when IKE ID. This document also updates this logic for the situations, when
Fragmentation is in use. IKE Fragmentation is in use.
If incomimg message contains Encrypted Fragment Payload, the values If incoming message contains Encrypted Fragment Payload, the values
of Fragment Number and Total Fragments fields MUST be used along with of Fragment Number and Total Fragments fields MUST be used along with
Message ID to detect retransmissions and replays. Message ID to detect retransmissions and replays.
If Responder receives retransmitted fragment of request when it has If Responder receives retransmitted fragment of request when it has
already processed that request and has sent back a response, that already processed that request and has sent back a response, that
event MUST only trigger retransmission of the response message event MUST only trigger retransmission of the response message
(fragmented or not) if Fragment Number field in received fragment is (fragmented or not) if Fragment Number field in received fragment is
set to 1 and MUST be ignored otherwise. set to 1 and MUST be ignored otherwise.
3. Interaction with other IKE extensions 3. Interaction with other IKE extensions
skipping to change at page 17, line 31 skipping to change at page 17, line 31
fragments. These fragments will pass the ICV check and will be fragments. These fragments will pass the ICV check and will be
stored in reassembly buffers, but since the set is incomplete, the stored in reassembly buffers, but since the set is incomplete, the
reassembling will never succeed and eventually will time out. If the reassembling will never succeed and eventually will time out. If the
set is large, this attack could potentially exhaust the receiver's set is large, this attack could potentially exhaust the receiver's
memory resources. memory resources.
To mitigate the impact of this attack, it is RECOMMENDED that To mitigate the impact of this attack, it is RECOMMENDED that
receiver limits the number of fragments it stores in reassembling receiver limits the number of fragments it stores in reassembling
queue so that the sum of the sizes of Encrypted Fragment Payload queue so that the sum of the sizes of Encrypted Fragment Payload
contents (after decryption) for fragments that are already placed contents (after decryption) for fragments that are already placed
into the reassembling queue be less than some value that is into the reassembling queue is less than some value that is
reasonable for the implementation. If the peer sends so many reasonable for the implementation. If the peer sends so many
fragments, that the above condition is not met, the receiver can fragments that the above condition is not met, the receiver can
consider this situation to be either attack or as broken sender consider this situation to be either attack or as broken sender
implementation. In either case, the receiver SHOULD drop the implementation. In either case, the receiver SHOULD drop the
connection and discard all the received fragments. connection and discard all the received fragments.
This value can be predefined, can be a configurable option, or can be This value can be predefined, can be a configurable option, or can be
calculated dynamically depending on receiver's memory load. In any calculated dynamically depending on the receiver's memory load. Some
case, the value SHOULD NOT exceed 64 Kbytes (the maximum size of UDP care should be taken when selecting this value because, if it is too
datagram) because any IKE message before fragmentation must be small, it might prevent legitimate peer to establish IKE SA if the
shorter than that. size of messages it sends exceeds this value. It is NOT RECOMMENDED
for this value to exceed 64 Kbytes because any IKE message before
fragmentation would likely be shorter than that.
6. IANA Considerations 6. IANA Considerations
This document defines new Payload in the "IKEv2 Payload Types" This document defines new Payload in the "IKEv2 Payload Types"
registry: registry:
<TBA> Encrypted and Authenticated Fragment SKF <TBA> Encrypted and Authenticated Fragment SKF
This document also defines new Notify Message Types in the "Notify This document also defines new Notify Message Types in the "Notify
Message Types - Status Types" registry: Message Types - Status Types" registry:
 End of changes. 37 change blocks. 
87 lines changed or deleted 92 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/