rfcdiff: draft-ietf-ipsecme-ikev2-intermediate-00.txt vs. draft-ietf-ipsecme-ikev2-intermediate-01.txt

Network Working Group                                        V. Smyslov
Internet-Draft                                               ELVIS-PLUS
Intended status: Standards Track      May 31, 2019 (-00) / June 27, 2019 (-01)
Expires: December 2, 2019 (-00) / December 29, 2019 (-01)

               Intermediate Exchange in the IKEv2 Protocol
   draft-ietf-ipsecme-ikev2-intermediate-00 / draft-ietf-ipsecme-ikev2-intermediate-01
Abstract

   This document defines a new exchange, called Intermediate Exchange,
   for the Internet Key Exchange protocol Version 2 (IKEv2).  This
   exchange can be used for transferring large amounts of data in the
   process of IKEv2 Security Association (SA) establishment.
   Introducing the Intermediate Exchange allows re-using the existing
   IKE Fragmentation mechanism, which helps to avoid IP fragmentation
   of large IKE messages but cannot be used in the initial IKEv2
   exchange.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/ (-00;
   changed to https://datatracker.ietf.org/drafts/current/ in -01).

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 2, 2019 (-00) /
   December 29, 2019 (-01).
Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info in -00; changed to
   https://trustee.ietf.org/license-info in -01) in effect on the date
   of publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2

   [unchanged text skipped; diff resumes at page 8, line 27]
   Since messages of the IKE_INTERMEDIATE exchange are not authenticated
   until the IKE_AUTH exchange successfully completes, possible errors
   need to be handled with care.  There is a trade-off between providing
   better diagnostics of the problem and the risk of becoming part of a
   DoS attack.  Sections 2.21.1 and 2.21.2 of [RFC7296] describe how
   errors are handled in the initial IKEv2 exchanges; these
   considerations also apply to the IKE_INTERMEDIATE exchange.
4.  Interaction with other IKEv2 Extensions

   -00 text:

   The IKE_INTERMEDIATE exchanges MAY be used in the IKEv2 Session
   Resumption [RFC5723] between the IKE_SESSION_RESUME and the IKE_AUTH
   exchanges.

   -01 text:

   The IKE_INTERMEDIATE exchanges MAY be used during the IKEv2 Session
   Resumption [RFC5723] between the IKE_SESSION_RESUME and the IKE_AUTH
   exchanges.  To be able to use it, peers MUST negotiate support for
   the intermediate exchange by including INTERMEDIATE_EXCHANGE_SUPPORTED
   notifications in the IKE_SESSION_RESUME messages.  Note that whether
   the peers support the IKE_INTERMEDIATE exchange is not stored in the
   resumption ticket; it is determined anew from each IKE_SESSION_RESUME
   exchange.
5.  Security Considerations

   The data that is transferred by means of the IKE_INTERMEDIATE
   exchanges is not authenticated until the subsequent IKE_AUTH exchange
   is completed.  However, if the data is placed inside the Encrypted
   payload, then it is protected from passive eavesdroppers.  In
   addition, the peers can be certain that they receive messages from
   the party they performed the IKE_SA_INIT with if they can
   successfully verify the Integrity Checksum Data of the Encrypted
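   The two rules stated above, the per-resumption negotiation of
   Section 4 and the "integrity-checked but not yet authenticated"
   property of this section, are modelled in the following added Python
   example.  It is illustration code written for this page, not code
   from the draft or from any IKEv2 implementation: the ticket and
   message layouts, the random stand-ins for SK_ai/SK_ar, the
   HMAC-SHA256 checksum and the result strings are constructed
   assumptions and do not follow the RFC 7296 wire format or key
   derivation.

```python
"""Added illustration (not from the draft or any IKEv2 stack) of two rules:
1. On resumption, IKE_INTERMEDIATE is usable only if BOTH IKE_SESSION_RESUME
   messages carry INTERMEDIATE_EXCHANGE_SUPPORTED; the ticket stores nothing.
2. IKE_INTERMEDIATE data is integrity-protected with keys of the preceding
   exchange, so it comes from that peer, whose identity is unproven until IKE_AUTH.
Layouts, key setup and ICV construction are constructed stand-ins (not RFC 7296)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

INTERMEDIATE_EXCHANGE_SUPPORTED = "INTERMEDIATE_EXCHANGE_SUPPORTED"  # notify from the draft
ICV_LEN = 16  # constructed truncation length
ACCEPTED_PEER_UNAUTHENTICATED = "accepted; peer identity unauthenticated until IKE_AUTH"
DROP_NOT_NEGOTIATED = "dropped: IKE_INTERMEDIATE was not negotiated"
DROP_BAD_ICV = "dropped: Integrity Checksum Data does not verify"


@dataclass(frozen=True)
class ResumptionTicket:
    """Constructed ticket: deliberately carries no IKE_INTERMEDIATE flag."""
    ticket_id: bytes


@dataclass
class Message:
    exchange: str
    notifies: tuple = ()
    body: bytes = b""
    icv: bytes = b""


class Peer:
    def __init__(self, name, supports_intermediate):
        self.name = name
        self.supports_intermediate = supports_intermediate  # capability of this build
        self.intermediate_negotiated = False                 # outcome for the current SA
        self.sk_a_out = None  # integrity key for messages we send (SK_ai or SK_ar)
        self.sk_a_in = None   # integrity key for messages we receive

    def resume_notifies(self):
        return (INTERMEDIATE_EXCHANGE_SUPPORTED,) if self.supports_intermediate else ()


def session_resume(initiator, responder, ticket):
    """Model of IKE_SESSION_RESUME: support is decided from the two messages
    exchanged now; the ticket is carried but never consulted for it."""
    assert not hasattr(ticket, "intermediate_supported")
    req = Message("IKE_SESSION_RESUME", initiator.resume_notifies())
    resp = Message("IKE_SESSION_RESUME", responder.resume_notifies())
    negotiated = (INTERMEDIATE_EXCHANGE_SUPPORTED in req.notifies
                  and INTERMEDIATE_EXCHANGE_SUPPORTED in resp.notifies)
    initiator.intermediate_negotiated = responder.intermediate_negotiated = negotiated
    # Random stand-ins for the SK_ai / SK_ar keys both sides derive (prf+ in RFC 7296).
    sk_ai, sk_ar = os.urandom(32), os.urandom(32)
    initiator.sk_a_out, initiator.sk_a_in = sk_ai, sk_ar
    responder.sk_a_out, responder.sk_a_in = sk_ar, sk_ai
    return negotiated


def compute_icv(key, exchange, body):
    """Constructed stand-in for the Encrypted payload's Integrity Checksum Data."""
    return hmac.new(key, exchange.encode() + body, hashlib.sha256).digest()[:ICV_LEN]


def send_intermediate(sender, payload):
    if not sender.intermediate_negotiated:
        raise RuntimeError(f"{sender.name}: IKE_INTERMEDIATE not negotiated on this SA")
    return Message("IKE_INTERMEDIATE", body=payload,
                   icv=compute_icv(sender.sk_a_out, "IKE_INTERMEDIATE", payload))


def receive_intermediate(receiver, msg):
    if not receiver.intermediate_negotiated:
        return DROP_NOT_NEGOTIATED
    expected = compute_icv(receiver.sk_a_in, msg.exchange, msg.body)
    if not hmac.compare_digest(expected, msg.icv):
        return DROP_BAD_ICV
    # Good ICV: only the peer of the preceding exchange holds SK_a, so the message
    # is from that peer; who that peer is remains unproven until IKE_AUTH.
    return ACCEPTED_PEER_UNAUTHENTICATED


def forge_intermediate(payload):
    """Constructed third party that never took part in the exchange: no SK_a."""
    return Message("IKE_INTERMEDIATE", body=payload,
                   icv=compute_icv(os.urandom(32), "IKE_INTERMEDIATE", payload))


def demo():
    """One ticket, two resumptions against gateways of differing capability:
    the outcome follows the live IKE_SESSION_RESUME exchange, not the ticket."""
    ticket = ResumptionTicket(ticket_id=b"constructed-ticket-id")
    client = Peer("client", supports_intermediate=True)
    r = {}
    gw_new = Peer("gateway-new", supports_intermediate=True)
    r["negotiated_new"] = session_resume(client, gw_new, ticket)
    r["genuine"] = receive_intermediate(gw_new, send_intermediate(client, b"large data"))
    r["forged"] = receive_intermediate(gw_new, forge_intermediate(b"large data"))
    gw_old = Peer("gateway-old", supports_intermediate=False)
    r["negotiated_old"] = session_resume(client, gw_old, ticket)
    try:
        send_intermediate(client, b"large data")
        r["client_sent"] = True
    except RuntimeError:
        r["client_sent"] = False
    # An unsolicited IKE_INTERMEDIATE is dropped before any ICV work is done.
    r["unsolicited"] = receive_intermediate(
        gw_old, Message("IKE_INTERMEDIATE", body=b"x", icv=b"\0" * ICV_LEN))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

   Running demo() shows the same client, holding the same ticket, being
   allowed to use IKE_INTERMEDIATE with one gateway and refused with
   another, and shows a message built without SK_a failing the checksum
   while a genuine one is accepted but still reported as coming from an
   unauthenticated peer.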
   [unchanged text skipped; diff resumes at page 9, line 41 (-00) /
   page 9, line 48 (-01)]
   IKE_AUTH was first suggested by Tero Kivinen.  Scott Fluhrer and
   Daniel Van Geest identified a possible problem with authentication of
   the IKE_INTERMEDIATE exchange and helped to resolve it.
8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC7383]  Smyslov, V., "Internet Key Exchange Protocol Version 2
              (IKEv2) Message Fragmentation", RFC 7383,
              DOI 10.17487/RFC7383, November 2014,
              <https://www.rfc-editor.org/info/rfc7383>.

8.2.  Informative References

   [RFC8229]  Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation
              of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229,
              August 2017, <https://www.rfc-editor.org/info/rfc8229>.

   [RFC5723]  Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
              Protocol Version 2 (IKEv2) Session Resumption", RFC 5723,
              DOI 10.17487/RFC5723, January 2010,
              <https://www.rfc-editor.org/info/rfc5723>.

   (The only reference changes between -00 and -01 are the line
   wrapping of the URLs for RFC 2119, RFC 7383 and RFC 5723.)
Author's Address

   Valery Smyslov
   ELVIS-PLUS
   PO Box 81
   Moscow (Zelenograd)  124460
   RU

   Phone: +7 495 276 0211
End of changes.  10 change blocks.  14 lines changed or deleted,
19 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/