| draft-ietf-ipsecme-ikev2-redirect-04.txt | draft-ietf-ipsecme-ikev2-redirect-05.txt | |||
|---|---|---|---|---|
| Network Working Group V. Devarapalli | Network Working Group V. Devarapalli | |||
| Internet-Draft WiChorus | Internet-Draft WiChorus | |||
| Intended status: Standards Track K. Weniger | Intended status: Standards Track K. Weniger | |||
| Expires: August 13, 2009 February 9, 2009 | Expires: September 10, 2009 March 9, 2009 | |||
| Re-direct Mechanism for IKEv2 | Redirect Mechanism for IKEv2 | |||
| draft-ietf-ipsecme-ikev2-redirect-04.txt | draft-ietf-ipsecme-ikev2-redirect-05.txt | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. This document may not be modified, | |||
| and derivative works of it may not be created, except to format it | ||||
| for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 13, 2009. | This Internet-Draft will expire on September 10, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents in effect on the date of | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | publication of this document (http://trustee.ietf.org/license-info). | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. | |||
| to this document. | ||||
| Abstract | Abstract | |||
| IKEv2 is a protocol for setting up VPN tunnels from a remote location | IKEv2 is a protocol for setting up VPN tunnels from a remote location | |||
| to a gateway so that the VPN client can access services in the | to a gateway so that the VPN client can access services in the | |||
| network behind the gateway. Currently there is no standard mechanism | network behind the gateway. Currently there is no standard mechanism | |||
| specified that allows an overloaded VPN gateway or a VPN gateway that | specified that allows an overloaded VPN gateway or a VPN gateway that | |||
| is being shut down for maintenance to re-direct the VPN client to | is being shut down for maintenance to redirect the VPN client to | |||
| attach to another gateway. This document proposes a re-direct | attach to another gateway. This document proposes a redirect | |||
| mechanism for IKEv2. The proposed mechanism can also be used in | mechanism for IKEv2. The proposed mechanism can also be used in | |||
| Mobile IPv6 to enable the home agent to re-direct the mobile node to | Mobile IPv6 to enable the home agent to redirect the mobile node to | |||
| another home agent. | another home agent. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. IKEv2 Exchange with Redirect . . . . . . . . . . . . . . . . . 4 | 3. IKEv2 Exchange with Redirect . . . . . . . . . . . . . . . . . 4 | |||
| 4. Use of Anycast Addresses with the Re-direct Mechanism . . . . 5 | 4. Use of Anycast Addresses with the Redirect Mechanism . . . . . 5 | |||
| 5. Gateway Initiated Redirect . . . . . . . . . . . . . . . . . . 6 | 5. Gateway Initiated Redirect . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Redirect Messages . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Redirect Messages . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. REDIRECT_SUPPORTED . . . . . . . . . . . . . . . . . . . . 7 | 6.1. REDIRECT_SUPPORTED . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.2. REDIRECT . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.2. REDIRECT . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.3. REDIRECTED_FROM . . . . . . . . . . . . . . . . . . . . . 9 | 6.3. REDIRECTED_FROM . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Use of the Redirect Mechanism between IKEv2 Peers . . . . . . 10 | 7. Use of the Redirect Mechanism between IKEv2 Peers . . . . . . 10 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 11.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 11.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| IKEv2 [2] is used for setting up IPsec-based VPNs. The IP address of | IKEv2 [2] is used for setting up IPsec-based VPNs. The IP address of | |||
| the VPN gateway can be configured on the VPN client. But this does | the VPN gateway can be configured on the VPN client. But this does | |||
| not scale well, when the number of VPN gateways is large. Dynamic | not scale well, when the number of VPN gateways is large. Dynamic | |||
| discovery of VPN gateways using DNS is quite widely used too. | discovery of VPN gateways using DNS is quite widely used too. | |||
| However, using DNS is not flexible when it comes to assigning a VPN | However, using DNS is not flexible when it comes to assigning a VPN | |||
| gateway to the VPN client based on the load on the VPN gateways. The | gateway to the VPN client based on the load on the VPN gateways. The | |||
| VPN client typically tries to connect to the IP address of the VPN | VPN client typically tries to connect to the IP address of the VPN | |||
| gateways that appears first in the DNS response. If the VPN tunnel | gateways that appears first in the DNS response. If the VPN tunnel | |||
| setup fails, then the VPN client tries to attach to the other VPN | setup fails, then the VPN client tries to attach to the other VPN | |||
| gateways returned in the DNS response. | gateways returned in the DNS response. | |||
| This document proposes a re-direct mechanism for IKEv2 that enables a | This document proposes a redirect mechanism for IKEv2 that enables a | |||
| VPN gateway to re-direct the VPN client to another VPN gateway, for | VPN gateway to redirect the VPN client to another VPN gateway, for | |||
| example, based on the load condition. The re-direct can be done | example, based on the load condition. The redirect can be done | |||
| during during the IKE_SA_INIT or the IKE_AUTH exchange. Gateway- | during during the IKE_SA_INIT or the IKE_AUTH exchange. Gateway- | |||
| initiated re-direct in the middle of a session is also supported. | initiated redirect in the middle of a session is also supported. The | |||
| The re-direct mechanism can also be used in conjunction with anycast | redirect mechanism can also be used in conjunction with anycast | |||
| addresses. In this case, anycast address for the cluster of VPN | addresses. In this case, anycast address for the cluster of VPN | |||
| gateways is stored in the DNS instead of a list of unicast IP | gateways is stored in the DNS instead of a list of unicast IP | |||
| addresses of the VPN gateways. | addresses of the VPN gateways. | |||
| The re-direct can also happen because of administrative or optimal | The redirect can also happen because of administrative or optimal | |||
| routing reasons. This document does not attempt to provide an | routing reasons. This document does not attempt to provide an | |||
| exhaustive list of reasons for re-directing a VPN client to another | exhaustive list of reasons for redirecting a VPN client to another | |||
| VPN gateway. | VPN gateway. | |||
| Mobile IPv6 [3] may use IKEv2 for mutual authentication between the | Mobile IPv6 [3] may use IKEv2 for mutual authentication between the | |||
| mobile node and the home agent. IKEv2 may also be used for home | mobile node and the home agent. IKEv2 may also be used for home | |||
| address configuration and setting up IPsec security associations for | address configuration and setting up IPsec security associations for | |||
| protecting Mobile IPv6 signaling messages [4]. The IKEv2 exchange | protecting Mobile IPv6 signaling messages [4]. The IKEv2 exchange | |||
| precedes the exchange of Mobile IPv6 signaling messages. Therefore | precedes the exchange of Mobile IPv6 signaling messages. Therefore | |||
| the mechanism described in this document can be also be used by a | the mechanism described in this document can be also be used by a | |||
| Mobile IPv6 home agent to re-direct a mobile node to another home | Mobile IPv6 home agent to redirect a mobile node to another home | |||
| agent. | agent. | |||
| There is a Home Agent Switch mechanism available for re-directing a | There is a Home Agent Switch mechanism available for redirecting a | |||
| mobile node to another home agent, described in [5]. The Home Agent | mobile node to another home agent, described in [5]. The Home Agent | |||
| Switch mechanism can only be used after the binding cache had been | Switch mechanism can only be used after the binding cache had been | |||
| created at the home agent for the mobile node. The disadvantage with | created at the home agent for the mobile node. The disadvantage with | |||
| this is that quite a bit of state is created on the home agent before | this is that quite a bit of state is created on the home agent before | |||
| the mobile node can be re-directed to another home agent. The | the mobile node can be redirected to another home agent. The | |||
| mechanism described in this document can be used for re-directing a | mechanism described in this document can be used for redirecting a | |||
| mobile node before any state related to the Mobile IPv6 binding is | mobile node before any state related to the Mobile IPv6 binding is | |||
| created on the home agent. | created on the home agent. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [1]. | document are to be interpreted as described in [1]. | |||
| 3. IKEv2 Exchange with Redirect | 3. IKEv2 Exchange with Redirect | |||
| skipping to change at page 4, line 39 | skipping to change at page 4, line 39 | |||
| (IP_I:500 -> Initial_IP_R:500) | (IP_I:500 -> Initial_IP_R:500) | |||
| HDR(A,0), SAi1, KEi, Ni, --> | HDR(A,0), SAi1, KEi, Ni, --> | |||
| N(REDIRECT_SUPPORTED) | N(REDIRECT_SUPPORTED) | |||
| (Initial_IP_R:500 -> IP_I:500) | (Initial_IP_R:500 -> IP_I:500) | |||
| <-- HDR(A,0), N(REDIRECT, IP_R) | <-- HDR(A,0), N(REDIRECT, IP_R) | |||
| When the VPN client receives the IKE_SA_INIT response with the | When the VPN client receives the IKE_SA_INIT response with the | |||
| REDIRECT payload, it initiates a new IKE_SA_INIT exchange with the | REDIRECT payload, it initiates a new IKE_SA_INIT exchange with the | |||
| VPN gateway listed in the REDIRECT payload. The VPN client includes | VPN gateway listed in the REDIRECT payload. The VPN client includes | |||
| the IP address of the original VPN gateway that re-directed the | the IP address of the original VPN gateway that redirected the | |||
| client. The IKEv2 exchange then proceeds as normal with the selected | client. The IKEv2 exchange then proceeds as normal with the selected | |||
| VPN gateway. | VPN gateway. | |||
| Initiator Responder (Selected VPN GW) | Initiator Responder (Selected VPN GW) | |||
| --------- --------------------------- | --------- --------------------------- | |||
| (IP_I:500 -> IP_R:500) | (IP_I:500 -> IP_R:500) | |||
| HDR(A,0), SAi1, KEi, Ni, --> | HDR(A,0), SAi1, KEi, Ni, --> | |||
| N(REDIRECTED_FROM, Initial_IP_R) | N(REDIRECTED_FROM, Initial_IP_R) | |||
| skipping to change at page 5, line 31 | skipping to change at page 5, line 31 | |||
| SAr2, TSi, TSr} | SAr2, TSi, TSr} | |||
| When this mechanism is used with Mobile IPv6, a mobile node's | When this mechanism is used with Mobile IPv6, a mobile node's | |||
| security associations with its home agent may expire while it still | security associations with its home agent may expire while it still | |||
| has a valid binding cache entry at the home agent. In this case, the | has a valid binding cache entry at the home agent. In this case, the | |||
| mobile node MUST NOT use the original home agent address as the | mobile node MUST NOT use the original home agent address as the | |||
| destination address in the IKE_SA_INIT exchange to setup new security | destination address in the IKE_SA_INIT exchange to setup new security | |||
| associations. It MUST try to setup security associations with its | associations. It MUST try to setup security associations with its | |||
| existing home agent. | existing home agent. | |||
| 4. Use of Anycast Addresses with the Re-direct Mechanism | 4. Use of Anycast Addresses with the Redirect Mechanism | |||
| The use of anycast addresses will avoid having to configure a | The use of anycast addresses will avoid having to configure a | |||
| particular VPN gateway's IP address in the DNS. Instead, the anycast | particular VPN gateway's IP address in the DNS. Instead, the anycast | |||
| address that represents the group of VPN gateways is stored in the | address that represents the group of VPN gateways is stored in the | |||
| DNS. When the VPN client performs a DNS lookup for the VPN gateway, | DNS. When the VPN client performs a DNS lookup for the VPN gateway, | |||
| it receives the anycast address of the VPN gateway in the DNS | it receives the anycast address of the VPN gateway in the DNS | |||
| response. | response. | |||
| If an anycast address is returned in response to DNS resolution of an | If an anycast address is returned in response to DNS resolution of an | |||
| FQDN, the IKEv2 transaction between the VPN client and the VPN | FQDN, the VPN client sends the IKE_SA_INIT request to the anycast | |||
| gateway is slightly modified. The VPN client sends the IKE_SA_INIT | address. The IKE_SA_INIT request is routed to one of the VPN | |||
| request to the anycast address. The IKE_SA_INIT request is routed to | gateways that is part of the anycast group. The VPN gateway that | |||
| one of the VPN gateways that is part of the anycast group. The VPN | receives the IKE_SA_INIT request responds with an IKE_SA_INIT reply | |||
| gateway that receives the IKE_SA_INIT request responds with an | from the anycast address. | |||
| IKE_SA_INIT reply from the anycast address. | ||||
| Initiator Responder (any VPN GW) | Initiator Responder (any VPN GW) | |||
| --------- ------------------------- | --------- ------------------------- | |||
| (IP_I:500 -> ANYCAST:500) | (IP_I:500 -> ANYCAST:500) | |||
| HDR(A,0), SAi1, KEi, Ni) --> | HDR(A,0), SAi1, KEi, Ni) --> | |||
| N(REDIRECT_SUPPORTED) | N(REDIRECT_SUPPORTED) | |||
| (ANYCAST:500 -> IP_I:500) | (ANYCAST:500 -> IP_I:500) | |||
| <-- HDR(A,0), N(REDIRECT, IP_R) | <-- HDR(A,0), N(REDIRECT, IP_R) | |||
| If the destination address on the IKE_SA_INIT request is an anycast | If the destination address on the IKE_SA_INIT request is an anycast | |||
| address, the VPN gateway that received the IKE_SA_INIT request MUST | address, the VPN gateway that received the IKE_SA_INIT request MUST | |||
| include the REDIRECT payload to re-direct the VPN client to a unicast | include the REDIRECT payload to redirect the VPN client to a unicast | |||
| address of one of the VPN gateway. The VPN gateway that received the | address of one of the VPN gateway. The VPN gateway that received the | |||
| IKE_SA_INIT request MAY re-direct the client to its own unicast | IKE_SA_INIT request MAY redirect the client to its own unicast | |||
| address, if it is not overloaded. | address, if it is not overloaded. | |||
| The rest of the IKEv2 exchange is the same as described in Section 3. | The rest of the IKEv2 exchange is the same as described in Section 3. | |||
| 5. Gateway Initiated Redirect | 5. Gateway Initiated Redirect | |||
| The re-direct mechanism may also be used by a VPN gateway to re- | The redirect mechanism may also be used by a VPN gateway to redirect | |||
| direct the client to another VPN gateway in middle of a session. To | the client to another VPN gateway in middle of a session. To | |||
| re-direct a client, the gateway should send an INFORMATIONAL message | redirect a client, the gateway should send an INFORMATIONAL message | |||
| with the REDIRECT Notify payload. The REDIRECT payload MUST carry | with the REDIRECT Notify payload. The REDIRECT payload MUST carry | |||
| information about the new VPN gateway. When the client receives this | information about the new VPN gateway. When the client receives this | |||
| message, it MUST send an empty message as an acknowledgement. Until | message, it MUST send an empty message as an acknowledgement. Until | |||
| the client responds with an acknowledgement, the gateway SHOULD re- | the client responds with an acknowledgement, the gateway SHOULD re- | |||
| transmit the re-direct INFORMATIONAL message as described in [2]. | transmit the redirect INFORMATIONAL message as described in [2]. The | |||
| The following illustrates the INFORMATIONAL message exchange for | following illustrates the INFORMATIONAL message exchange for gateway- | |||
| gateway-initiated redirect. | initiated redirect. | |||
| Initiator (VPN client) Responder (VPN GW) | Initiator (VPN client) Responder (VPN GW) | |||
| ---------------------- ------------------ | ---------------------- ------------------ | |||
| <-- HDR, SK {N[REDIRECT, IP_R/FQDN_R]} | <-- HDR, SK {N[REDIRECT, IP_R/FQDN_R]} | |||
| HDR, SK {} --> | HDR, SK {} --> | |||
| The INFORMATIONAL message exchange described above is protected by | The INFORMATIONAL message exchange described above is protected by | |||
| the existing IKEv2 SA between the client and the gateway. | the existing IKEv2 SA between the client and the gateway. | |||
| Once the client sends an acknowledgement to the gateway, it SHOULD | Once the client sends an acknowledgement to the gateway, it SHOULD | |||
| delete the existing security associations with the old gateway by | delete the existing security associations with the old gateway by | |||
| sending an Informational message with a DELETE payload. The gateway | sending an Informational message with a DELETE payload. The gateway | |||
| MAY also decide to delete the security associations without any | MAY also decide to delete the security associations without any | |||
| signaling from the client. However, it should allow sufficient time | signaling from the client, again by sending an Informational message | |||
| for the client to setup the required security associations with the | with a DELETE payload. However, it should allow sufficient time for | |||
| new security gateway. This time period should be configurable on the | the client to setup the required security associations with the new | |||
| security gateway. This time period should be configurable on the | ||||
| gateway. | gateway. | |||
| If the gateway decides to re-direct the client during the IKE_AUTH | If the gateway decides to redirect the client during the IKE_AUTH | |||
| exchange, it prevents the creation of a CHILD SA by sending the | exchange, it prevents the creation of a CHILD SA by sending the | |||
| NO_ADDITIONAL_SAS Notify Payload in the IKE_AUTH response. It then | NO_ADDITIONAL_SAS Notify Payload in the IKE_AUTH response. It then | |||
| follows up with an INFORMATIONAL message with the REDIRECT payload | follows up with an INFORMATIONAL message with the REDIRECT payload | |||
| immediately. The following shows the message exchange between the | immediately. The following shows the message exchange between the | |||
| client and the gateway. | client and the gateway. | |||
| Initiator Responder ( VPN GW) | Initiator Responder ( VPN GW) | |||
| --------- ------------------- | --------- ------------------- | |||
| (IP_I:500 -> IP_R:500) | (IP_I:500 -> IP_R:500) | |||
| skipping to change at page 7, line 49 | skipping to change at page 7, line 50 | |||
| the IKEv2 SA. In case the gateway receives the INFORMATIONAL message | the IKEv2 SA. In case the gateway receives the INFORMATIONAL message | |||
| to delete the IKEv2 SA before sending the REDIRECT message, then the | to delete the IKEv2 SA before sending the REDIRECT message, then the | |||
| gateway includes the REDIRECT payload in the response along with the | gateway includes the REDIRECT payload in the response along with the | |||
| DELETE payload. | DELETE payload. | |||
| 6. Redirect Messages | 6. Redirect Messages | |||
| 6.1. REDIRECT_SUPPORTED | 6.1. REDIRECT_SUPPORTED | |||
| The REDIRECT_SUPPORTED payload is included in the initial IKE_SA_INIT | The REDIRECT_SUPPORTED payload is included in the initial IKE_SA_INIT | |||
| request by the initiator to indicate support for the IKEv2 re-direct | request by the initiator to indicate support for the IKEv2 redirect | |||
| mechanism described in this document. | mechanism described in this document. | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Next Payload |C| RESERVED | Payload Length | | | Next Payload |C| RESERVED | Payload Length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Protocol ID | SPI Size (=0) | Notify Message Type | | | Protocol ID | SPI Size (=0) | Notify Message Type | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | |||
| the 'Notify Message Type' fields are the same as described in Section | the 'Notify Message Type' fields are the same as described in Section | |||
| 3.10 of [2]. The 'SPI Size' field MUST be set to 0 to indicate that | 3.10 of [2]. The 'SPI Size' field MUST be set to 0 to indicate that | |||
| the SPI is not present in this message. | the SPI is not present in this message. The 'Protocol ID' should be | |||
| set to 0, since the notification is not specific to a particular | ||||
| security association. | ||||
| The 'Payload Length' field MUST be set to '8'. The 'Notify Message | The 'Payload Length' field MUST be set to '8'. The 'Notify Message | |||
| Type' field is set to indicate the REDIRECT_SUPPORTED payload <value | Type' field is set to indicate the REDIRECT_SUPPORTED payload <value | |||
| to be assigned by IANA>. | to be assigned by IANA>. | |||
| 6.2. REDIRECT | 6.2. REDIRECT | |||
| The REDIRECT payload is included in an IKE_SA_INIT response from the | The REDIRECT payload is included in an IKE_SA_INIT response from the | |||
| responder when the responder wants to re-direct the initiator to | responder or an INFORMATIONAL message from the responder, when the | |||
| another VPN gateway. The message includes the new responder's IP | responder wants to redirect the initiator to another VPN gateway. | |||
| address. | The message includes the new responder's IP address. | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Next Payload |C| RESERVED | Payload Length | | | Next Payload |C| RESERVED | Payload Length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Protocol ID | SPI Size (=0) | Notify Message Type | | | Protocol ID | SPI Size (=0) | Notify Message Type | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | GW Ident Type | | | | GW Ident Type | | | |||
| +---------------+ ~ | +---------------+ ~ | |||
| ~ New Responder GW Identity ~ | ~ New Responder GW Identity ~ | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | |||
| the 'Notify Message Type' fields are the same as described in Section | the 'Notify Message Type' fields are the same as described in Section | |||
| 3.10 of [2]. The 'SPI Size' field MUST be set to 0 to indicate that | 3.10 of [2]. The 'SPI Size' field MUST be set to 0 to indicate that | |||
| the SPI is not present in this message. | the SPI is not present in this message. The 'Protocol ID' should be | |||
| set to 0, since the notification is not specific to a particular | ||||
| security association. | ||||
| If the IP address of the new VPN gateway is sent, the 'Payload | If the IP address of the new VPN gateway is sent, the 'Payload | |||
| Length' field MUST be set to either '13' or '25' depending on whether | Length' field MUST be set to either '13' or '25' depending on whether | |||
| an IPv4 or IPv6 address is sent in the message. If the FQDN of the | an IPv4 or IPv6 address is sent in the message. If the FQDN of the | |||
| new VPN gateway is sent, the 'Payload Length' field is set to the | new VPN gateway is sent, the 'Payload Length' field is set to the | |||
| length of the FQDN plus the fixed fields in the message. The 'Notify | length of the FQDN plus the fixed fields in the message. The 'Notify | |||
| Message Type' field is set to indicate the REDIRECT payload <value to | Message Type' field is set to indicate the REDIRECT payload <value to | |||
| be assigned by IANA>. The 'GW Identity Type' field indicates the | be assigned by IANA>. The 'GW Identity Type' field indicates the | |||
| type of information that is sent to identify the new VPN gateway. | type of information that is sent to identify the new VPN gateway. | |||
| The following values are reserved by this document. | The following values are reserved by this document. | |||
| skipping to change at page 9, line 20 | skipping to change at page 9, line 27 | |||
| 3 - FQDN of the new VPN gateway | 3 - FQDN of the new VPN gateway | |||
| All other values for this field are reserved and MUST NOT be used. | All other values for this field are reserved and MUST NOT be used. | |||
| The identity of the new VPN gateway is carried in the 'New Responder | The identity of the new VPN gateway is carried in the 'New Responder | |||
| GW Identity' field. | GW Identity' field. | |||
| 6.3. REDIRECTED_FROM | 6.3. REDIRECTED_FROM | |||
| The REDIRECTED_FROM message type is included in the IKE_SA_INIT | The REDIRECTED_FROM message type is included in the IKE_SA_INIT | |||
| request from the initiator to the new VPN gateway to indicate the IP | request from the initiator to the new VPN gateway to indicate the IP | |||
| address of the original VPN gateway that re-directed the initiator. | address of the original VPN gateway that redirected the initiator. | |||
| The original VPN gateway's IP address is included in the message. | The original VPN gateway's IP address is included in the message. | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Next Payload |C| RESERVED | Payload Length | | | Next Payload |C| RESERVED | Payload Length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Protocol ID | SPI Size (=0) | Notify Message Type | | | Protocol ID | SPI Size (=0) | Notify Message Type | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | GW Ident Type | | | | GW Ident Type | | | |||
| +---------------+ ~ | +---------------+ ~ | |||
| ~ Original Responder GW Identity ~ | ~ Original Responder GW Identity ~ | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size' and | |||
| the 'Notify Message Type' fields are the same as described in Section | the 'Notify Message Type' fields are the same as described in Section | |||
| 3.10 of [2] The 'SPI Size' field MUST be set to 0 to indicate that | 3.10 of [2] The 'SPI Size' field MUST be set to 0 to indicate that | |||
| the SPI is not present in this message. | the SPI is not present in this message. The 'Protocol ID' should be | |||
| set to 0, since the notification is not specific to a particular | ||||
| security association. | ||||
| The 'Payload Length' field MUST be set to either '13' or '25' | The 'Payload Length' field MUST be set to either '13' or '25' | |||
| depending on whether an IPv4 or IPv6 address of the original VPN | depending on whether an IPv4 or IPv6 address of the original VPN | |||
| gateway is sent in the message. The 'Notify Message Type' field is | gateway is sent in the message. The 'Notify Message Type' field is | |||
| set to indicate the REDIRECTED_FROM payload <value to be assigned by | set to indicate the REDIRECTED_FROM payload <value to be assigned by | |||
| IANA>. The 'GW Identity Type' field indicates the type of | IANA>. The 'GW Identity Type' field indicates the type of | |||
| information that is sent to identify the new VPN gateway. The | information that is sent to identify the new VPN gateway. The | |||
| following values are reserved by this document. | following values are reserved by this document. | |||
| 1 - IPv4 address of the original VPN gateway | 1 - IPv4 address of the original VPN gateway | |||
| 2 - IPv6 address of the original VPN gateway | 2 - IPv6 address of the original VPN gateway | |||
| All other values for this field are reserved and MUST NOT be used. | All other values for this field are reserved and MUST NOT be used. | |||
| The identity of the original VPN gateway is carried in the 'Original | The identity of the original VPN gateway is carried in the 'Original | |||
| Responder GW Identity' field. | Responder GW Identity' field. | |||
| 7. Use of the Redirect Mechanism between IKEv2 Peers | 7. Use of the Redirect Mechanism between IKEv2 Peers | |||
| The Re-direct mechanism described in this document is mainly intended | The Redirect mechanism described in this document is mainly intended | |||
| for use in client-gateway scenarios. However, the mechanism can also | for use in client-gateway scenarios. However, the mechanism can also | |||
| be used between any two IKEv2 peers. This is especially useful for | be used between any two IKEv2 peers. But this protocol is | |||
| IKEv2 sessions between two gateway peer routers. | asymmetric, meaning that only the original responder can redirect the | |||
| original initiator to another server. | ||||
| When used between a client and gateway, the re-direct procedure is | ||||
| always initiated by the gateway. But when used between two IKEv2 | ||||
| peers, either of the IKEv2 end points can initiate the re-direct | ||||
| message. In order to prevent any race condition that might occur if | ||||
| both decide to re-direct at the same time, the responder MUST NOT | ||||
| respond to re-direct message from the initiator, if it has already | ||||
| decided to re-direct the initiator. | ||||
| Both IKEv2 peers SHOULD indicate support for the re-direct mechanism | ||||
| if they support it and are willing to process REDIRECT notification | ||||
| messages. This is done by including the REDIRECT_SUPPORTED payload | ||||
| in the IKE_SA_INIT exchange by both peers. REDIRECT Notification | ||||
| messages MUST NOT be sent unless the peer has indicated support for | ||||
| it. | ||||
| 8. Security Considerations | 8. Security Considerations | |||
| An eavesdropper on the path between VPN client and server may send a | An eavesdropper on the path between VPN client and server may send a | |||
| redirect to the client upon receiving an IKE_SA_INIT message from | redirect to the client upon receiving an IKE_SA_INIT message from | |||
| this client. This is no problem regarding DoS attacks for the VPN | this client. This is no problem regarding DoS attacks for the VPN | |||
| connection, since an on-path-attacker can as well drop the | connection, since an on-path-attacker can as well drop the | |||
| IKE_SA_INIT requests to prevent VPN access for the client. But an | IKE_SA_INIT requests to prevent VPN access for the client. But an | |||
| eavesdropper on the path between VPN client and server can redirect a | eavesdropper on the path between VPN client and server can redirect a | |||
| large number of clients to a victim, which is then flooded with | large number of clients to a victim, which is then flooded with | |||
| IKE_SA_INIT requests. Flooding only happens if many clients initiate | IKE_SA_INIT requests. Flooding only happens if many clients initiate | |||
| IKEv2 exchange at almost the same time, which is considered a rare | IKEv2 exchange at almost the same time, which is considered a rare | |||
| event. However, this may happen if a Home Agent/VPN server is | event. However, this may happen if a Home Agent/VPN server is | |||
| shutdown for maintenance and all clients need to re-establish VPN | shutdown for maintenance and all clients need to re-establish VPN | |||
| connections with another Home Agent/VPN server or if the on-path | connections with another Home Agent/VPN server or if the on-path | |||
| attacker forces all IPsec security associations to expire by dropping | attacker forces all IPsec security associations to expire by dropping | |||
| all received IKEv2 messages. | all received IKEv2 messages. | |||
| The use of REDIRECTED_FROM payload is intended to discourage a rogue | The use of REDIRECTED_FROM payload is intended to discourage a rogue | |||
| VPN gateway from re-directing a large number of VPN clients to a | VPN gateway from redirecting a large number of VPN clients to a | |||
| particular VPN gateway. It does not prevent such a DoS attack. | particular VPN gateway. It does not prevent such a DoS attack. | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| This document defines four new IKEv2 Notification Message types as | This document defines four new IKEv2 Notification Message types as | |||
| described in Section 6. The three Notify Message Types must be | described in Section 6. The three Notify Message Types must be | |||
| assigned values between 16396 and 40959. | assigned values between 16396 and 40959. | |||
| o REDIRECT_SUPPORTED | o REDIRECT_SUPPORTED | |||
| o REDIRECT | o REDIRECT | |||
| skipping to change at page 11, line 26 | skipping to change at page 11, line 19 | |||
| 10. Acknowledgements | 10. Acknowledgements | |||
| The use of anycast address with IKEv2 was first described in [6]. It | The use of anycast address with IKEv2 was first described in [6]. It | |||
| was then added to an early draft version of RFC 5026 and later | was then added to an early draft version of RFC 5026 and later | |||
| removed before the RFC was published. Therefore the authors of [6] | removed before the RFC was published. Therefore the authors of [6] | |||
| and RFC 5026 are acknowledged. | and RFC 5026 are acknowledged. | |||
| Thanks to Pasi Eronen, with whom the solution described in this | Thanks to Pasi Eronen, with whom the solution described in this | |||
| document was extensively discussed. Thanks to Tero Kivinen for | document was extensively discussed. Thanks to Tero Kivinen for | |||
| suggesting the use of REDIRECTED_FROM payload. The authors would | suggesting the use of REDIRECTED_FROM payload and other comments | |||
| also like to thank Yaron Sheffer, Sunil Kumar, Fan Zhao, Yoav Nir and | which helped improve the document. The authors would also like to | |||
| Arnaud Ebalard for their reviews and comments. | thank Yaron Sheffer, Sunil Kumar, Fan Zhao, Yoav Nir, Richard | |||
| Graveman, and Arnaud Ebalard for their reviews and comments. | ||||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
| Levels", BCP 14, RFC 2119, March 1997. | Levels", BCP 14, RFC 2119, March 1997. | |||
| [2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, | [2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, | |||
| December 2005. | December 2005. | |||
| End of changes. 35 change blocks. | ||||
| 76 lines changed or deleted | 71 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||