| draft-ietf-ipsecme-tcp-encaps-01.txt | draft-ietf-ipsecme-tcp-encaps-02.txt | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track S. Touati | Intended status: Standards Track S. Touati | |||
| Expires: January 8, 2017 Ericsson | Expires: February 18, 2017 Ericsson | |||
| R. Mantha | R. Mantha | |||
| Cisco Systems | Cisco Systems | |||
| July 7, 2016 | August 17, 2016 | |||
| TCP Encapsulation of IKE and IPSec Packets | TCP Encapsulation of IKE and IPsec Packets | |||
| draft-ietf-ipsecme-tcp-encaps-01 | draft-ietf-ipsecme-tcp-encaps-02 | |||
| Abstract | Abstract | |||
| This document describes a method to transport IKE and IPSec packets | This document describes a method to transport IKE and IPsec packets | |||
| over a TCP connection for traversing network middleboxes that may | over a TCP connection for traversing network middleboxes that may | |||
| block IKE negotiation over UDP. This method, referred to as TCP | block IKE negotiation over UDP. This method, referred to as TCP | |||
| encapsulation, involves sending all packets for tunnel establishment | encapsulation, involves sending both IKE packets for tunnel | |||
| as well as tunneled packets over a TCP connection. This method is | establishment as well as tunneled packets using ESP over a TCP | |||
| intended to be used as a fallback option when IKE cannot be | connection. This method is intended to be used as a fallback option | |||
| negotiated over UDP. | when IKE cannot be negotiated over UDP. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 8, 2017. | This Internet-Draft will expire on February 18, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 34 ¶ | skipping to change at page 2, line 34 ¶ | |||
| 9. Using IKE Message Fragmentation with TCP encapsulation . . . 9 | 9. Using IKE Message Fragmentation with TCP encapsulation . . . 9 | |||
| 10. Considerations for Keep-alives and DPD . . . . . . . . . . . 9 | 10. Considerations for Keep-alives and DPD . . . . . . . . . . . 9 | |||
| 11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 10 | 11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 10 | |||
| 12. Performance Considerations . . . . . . . . . . . . . . . . . 10 | 12. Performance Considerations . . . . . . . . . . . . . . . . . 10 | |||
| 12.1. TCP-in-TCP . . . . . . . . . . . . . . . . . . . . . . . 10 | 12.1. TCP-in-TCP . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 12.2. Added Reliability for Unreliable Protocols . . . . . . . 11 | 12.2. Added Reliability for Unreliable Protocols . . . . . . . 11 | |||
| 12.3. Quality of Service Markings . . . . . . . . . . . . . . 11 | 12.3. Quality of Service Markings . . . . . . . . . . . . . . 11 | |||
| 12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 11 | 12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 11 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 | 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 16.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 16.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 16.2. Informative References . . . . . . . . . . . . . . . . . 12 | 16.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 13 | Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 13 | |||
| Appendix B. Example exchanges of TCP Encapsulation with TLS . . 14 | Appendix B. Example exchanges of TCP Encapsulation with TLS . . 14 | |||
| B.1. Establishing an IKE session . . . . . . . . . . . . . . . 14 | B.1. Establishing an IKE session . . . . . . . . . . . . . . . 14 | |||
| B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 16 | B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 16 | |||
| B.3. Re-establishing an IKE session . . . . . . . . . . . . . 17 | B.3. Re-establishing an IKE session . . . . . . . . . . . . . 17 | |||
| B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 18 | B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| IKEv2 [RFC7296] is a protocol for establishing IPSec tunnels, using | IKEv2 [RFC7296] is a protocol for establishing IPsec tunnels, using | |||
| IKE messages over UDP for control traffic, and using Encapsulating | IKE messages over UDP for control traffic, and using Encapsulating | |||
| Security Payload (ESP) messages for tunneled data traffic. Many | Security Payload (ESP) messages for tunneled data traffic. Many | |||
| network middleboxes that filter traffic on public hotspots block all | network middleboxes that filter traffic on public hotspots block all | |||
| UDP traffic, including IKE and IPSec, but allow TCP connections | UDP traffic, including IKE and IPsec, but allow TCP connections | |||
| through since they appear to be web traffic. Devices on these | through since they appear to be web traffic. Devices on these | |||
| networks that need to use IPSec (to access private enterprise | networks that need to use IPsec (to access private enterprise | |||
| networks, to route voice-over-IP calls to carrier networks, or | networks, to route voice-over-IP calls to carrier networks, or | |||
| because of security policies) are unable to establish IPSec tunnels. | because of security policies) are unable to establish IPsec tunnels. | |||
| This document defines a method for encapsulating both the IKE control | This document defines a method for encapsulating both the IKE control | |||
| messages as well as the IPSec data messages within a TCP connection. | messages as well as the IPsec data messages within a TCP connection. | |||
| Using TCP as a transport for IPSec packets adds a third option to the | Using TCP as a transport for IPsec packets adds a third option to the | |||
| list of traditional IPSec transports: | list of traditional IPsec transports: | |||
| 1. Direct. Currently, IKE negotiations begin over UDP port 500. | 1. Direct. Currently, IKE negotiations begin over UDP port 500. | |||
| If no NAT is detected between the initiator and the receiver, | If no NAT is detected between the initiator and the receiver, | |||
| then subsequent IKE packets are sent over UDP port 500 and | then subsequent IKE packets are sent over UDP port 500 and | |||
| IPSec data packets are sent using ESP [RFC4303]. | IPsec data packets are sent using ESP [RFC4303]. | |||
| 2. UDP Encapsulation [RFC3948]. If a NAT is detected between the | 2. UDP Encapsulation [RFC3948]. If a NAT is detected between the | |||
| initiator and the receiver, then subsequent IKE packets are | initiator and the receiver, then subsequent IKE packets are | |||
| sent over UDP port 4500 with four bytes of zero at the start of | sent over UDP port 4500 with four bytes of zero at the start of | |||
| the UDP payload and ESP packets are sent out over UDP port | the UDP payload and ESP packets are sent out over UDP port | |||
| 4500. Some peers default to using UDP encapsulation even when | 4500. Some peers default to using UDP encapsulation even when | |||
| no NAT are detected on the path as some middleboxes do not | no NAT are detected on the path as some middleboxes do not | |||
| support IP protocols other than TCP and UDP. | support IP protocols other than TCP and UDP. | |||
| 3. TCP Encapsulation. If both of the other two methods are not | 3. TCP Encapsulation. If both of the other two methods are not | |||
| available or appropriate, both IKE negotiation packets as well | available or appropriate, both IKE negotiation packets as well | |||
| as ESP packets can be sent over a single TCP connection to the | as ESP packets can be sent over a single TCP connection to the | |||
| peer. | peer. | |||
| Direct use of ESP or UDP Encapsulation should be preferred by IKE | Direct use of ESP or UDP Encapsulation should be preferred by IKE | |||
| implementations due to performance concerns when using TCP | implementations due to performance concerns when using TCP | |||
| Encapsulation Section 12. Most implementations should use TCP | Encapsulation [Section 12]. Most implementations should use TCP | |||
| Encapsulation only on networks where negotiation over UDP has been | Encapsulation only on networks where negotiation over UDP has been | |||
| attempted without receiving responses from the peer, or if a network | attempted without receiving responses from the peer, or if a network | |||
| is known to not support UDP. | is known to not support UDP. | |||
| 1.1. Prior Work and Motivation | 1.1. Prior Work and Motivation | |||
| Encapsulating IKE connections within TCP streams is a common approach | Encapsulating IKE connections within TCP streams is a common approach | |||
| to solve the problem of UDP packets being blocked by network | to solve the problem of UDP packets being blocked by network | |||
| middleboxes. The goal of this document is to promote | middleboxes. The goal of this document is to promote | |||
| interoperability by providing a standard method of framing IKE and | interoperability by providing a standard method of framing IKE and | |||
| ESP message within streams, and to provide guidelines for how to | ESP message within streams, and to provide guidelines for how to | |||
| configure and use TCP encapsulation. | configure and use TCP encapsulation. | |||
| Some previous solutions include: | Some previous alternatives include: | |||
| Cellular Network Access Interworking Wireless LAN (IWLAN) uses IKEv2 | Cellular Network Access Interworking Wireless LAN (IWLAN) uses IKEv2 | |||
| to create secure connections to cellular carrier networks for | to create secure connections to cellular carrier networks for | |||
| making voice calls and accessing other network services over | making voice calls and accessing other network services over | |||
| Wi-Fi networks. 3GPP has recommended that IKEv2 and ESP packets | Wi-Fi networks. 3GPP has recommended that IKEv2 and ESP packets | |||
| be sent within a TLS connection to be able to establish | be sent within a TLS connection to be able to establish | |||
| connections on restrictive networks. | connections on restrictive networks. | |||
| ISAKMP over TCP Various non-standard extensions to ISAKMP have been | ISAKMP over TCP Various non-standard extensions to ISAKMP have been | |||
| deployed that send IPSec traffic over TCP or TCP-like packets. | deployed that send IPsec traffic over TCP or TCP-like packets. | |||
| SSL VPNs Many proprietary VPN solutions use a combination of TLS and | SSL VPNs Many proprietary VPN solutions use a combination of TLS and | |||
| IPSec in order to provide reliability. | IPsec in order to provide reliability. | |||
| IKEv2 over TCP IKEv2 over TCP as described in | IKEv2 over TCP IKEv2 over TCP as described in | |||
| [I-D.nir-ipsecme-ike-tcp] is used to avoid UDP fragmentation. | [I-D.nir-ipsecme-ike-tcp] is used to avoid UDP fragmentation. | |||
| The goal of this specification is to provide a standardized method | ||||
| for using TCP streams to transport IPsec that is compatible with the | ||||
| current IKE standard, and avoids the overhead of other alternatives | ||||
| that always rely on TCP or TLS. | ||||
| 1.2. Requirements Language | 1.2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Configuration | 2. Configuration | |||
| One of the main reasons to use TCP encapsulation is that UDP traffic | One of the main reasons to use TCP encapsulation is that UDP traffic | |||
| may be entirely blocked on a network. Because of this, support for | may be entirely blocked on a network. Because of this, support for | |||
| TCP encapsulation is not specifically negotiated in the IKE exchange. | TCP encapsulation is not specifically negotiated in the IKE exchange. | |||
| Instead, support for TCP encapsulation must be pre-configured on both | Instead, support for TCP encapsulation must be pre-configured on both | |||
| the initiator and the responder. | the initiator and the responder. | |||
| The configuration defined on each peer should include the following | The configuration defined on each peer should include the following | |||
| parameters: | parameters: | |||
| o One or more TCP ports on which the responder will listen for | o One or more TCP ports on which the responder will listen for | |||
| incoming connections. Note that the initiator may initiate TCP | incoming connections. Note that the initiator may initiate TCP | |||
| connections to the responder from any local port. | connections to the responder from any local port. The ports on | |||
| which the responder listens will likey be based on the ports | ||||
| commonly allowed on restricted networks. | ||||
| o Optionally, an extra framing protocol to use on top of TCP to | o Optionally, an extra framing protocol to use on top of TCP to | |||
| further encapsulate the stream of IKE and IPSec packets. See | further encapsulate the stream of IKE and IPsec packets. See | |||
| Appendix A for a detailed discussion. | Appendix A for a detailed discussion. | |||
| This document leaves the selection of TCP ports up to | This document leaves the selection of TCP ports up to | |||
| implementations. It is suggested to use TCP port 4500, which is | implementations. It is suggested to use TCP port 4500, which is | |||
| allocated for IPSec NAT Traversal. | allocated for IPsec NAT Traversal. | |||
| Since TCP encapsulation of IKE and IPSec packets adds overhead and | Since TCP encapsulation of IKE and IPsec packets adds overhead and | |||
| has potential performance trade-offs compared to direct or UDP- | has potential performance trade-offs compared to direct or UDP- | |||
| encapsulated tunnels (as described in Performance Considerations, | encapsulated tunnels (as described in Performance Considerations, | |||
| Section 12), implementations SHOULD prefer ESP direct or UDP | Section 12), implementations SHOULD prefer ESP direct or UDP | |||
| encapsulated tunnels over TCP encapsulated tunnels when possible. | encapsulated tunnels over TCP encapsulated tunnels when possible. | |||
| 3. TCP-Encapsulated Header Formats | 3. TCP-Encapsulated Header Formats | |||
| In order to encapsulate IKE and ESP messages within a TCP stream, a | Like UDP encapsulation, TCP encapsulation uses the first four bytes | |||
| 16-bit length field precedes every message. If the first 32-bits of | of a message to differentiate IKE and ESP messages. TCP | |||
| the message are zeros (a Non-ESP Marker), then the contents comprise | encapsulation also adds a length field to define the boundaries of | |||
| an IKE message. Otherwise, the contents comprise an ESP message. | messages within a stream. The message length is sent in a 16-bit | |||
| field that precedes every message. If the first 32-bits of the | ||||
| message are zeros (a Non-ESP Marker), then the contents comprise an | ||||
| IKE message. Otherwise, the contents comprise an ESP message. | ||||
| Authentication Header (AH) messages are not supported for TCP | Authentication Header (AH) messages are not supported for TCP | |||
| encapsulation. | encapsulation. | |||
| Although a TCP stream may be able to send very long messages, | Although a TCP stream may be able to send very long messages, | |||
| implementations SHOULD limit message lengths to typical UDP datagram | implementations SHOULD limit message lengths to typical UDP datagram | |||
| ESP payload lengths. The maximum message length is used as the | ESP payload lengths. The maximum message length is used as the | |||
| effective MTU for connections that are being encrypted using ESP, so | effective MTU for connections that are being encrypted using ESP, so | |||
| the maximum message length will influence characteristics of inner | the maximum message length will influence characteristics of inner | |||
| connections, such as the TCP Maximum Segment Size (MSS). | connections, such as the TCP Maximum Segment Size (MSS). | |||
| skipping to change at page 5, line 40 ¶ | skipping to change at page 5, line 51 ¶ | |||
| | Non-ESP Marker | | | Non-ESP Marker | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| ~ IKE header [RFC7296] ~ | ~ IKE header [RFC7296] ~ | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 1 | Figure 1 | |||
| The IKE header is preceded by a 16-bit length field in network byte | The IKE header is preceded by a 16-bit length field in network byte | |||
| order that specifies the length of the IKE packet within the TCP | order that specifies the length of the IKE message (including the | |||
| stream. As with IKE over UDP port 4500, a zeroed 32-bit Non-ESP | Non-ESP marker) within the TCP stream. As with IKE over UDP port | |||
| Marker is inserted before the start of the IKE header in order to | 4500, a zeroed 32-bit Non-ESP Marker is inserted before the start of | |||
| differentiate the traffic from ESP traffic between the same addresses | the IKE header in order to differentiate the traffic from ESP traffic | |||
| and ports. | between the same addresses and ports. | |||
| o Length (2 octets, unsigned integer) - Length of the IKE packet | o Length (2 octets, unsigned integer) - Length of the IKE packet | |||
| including the Length Field and Non-ESP Marker. | including the Length Field and Non-ESP Marker. | |||
| 3.2. TCP-Encapsulated ESP Header Format | 3.2. TCP-Encapsulated ESP Header Format | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Length | | | Length | | |||
| skipping to change at page 6, line 30 ¶ | skipping to change at page 6, line 36 ¶ | |||
| order that specifies the length of the ESP packet within the TCP | order that specifies the length of the ESP packet within the TCP | |||
| stream. | stream. | |||
| The SPI field in the ESP header MUST NOT be a zero value. | The SPI field in the ESP header MUST NOT be a zero value. | |||
| o Length (2 octets, unsigned integer) - Length of the ESP packet | o Length (2 octets, unsigned integer) - Length of the ESP packet | |||
| including the Length Field. | including the Length Field. | |||
| 4. TCP-Encapsulated Stream Prefix | 4. TCP-Encapsulated Stream Prefix | |||
| Each stream of bytes used for IKE and IPSec encapsulation MUST begin | Each stream of bytes used for IKE and IPsec encapsulation MUST begin | |||
| with a fixed sequence of six bytes as a magic value, containing the | with a fixed sequence of six bytes as a magic value, containing the | |||
| characters "IKETCP" as ASCII values. This allows peers to | characters "IKETCP" as ASCII values. This allows peers to | |||
| differentiate this protocol from other protocols that may be run over | differentiate this protocol from other protocols that may be run over | |||
| TCP streams, since the bytes do not overlap with the valid start of | the same TCP port. Since TCP encapsulated IPsec is not assigned to a | |||
| any other known stream protocol. This value is only sent once, by | specific port, responders may be able to receive multiple protocols | |||
| the Initiator only, at the beginning of any stream of IKE and ESP | on the same port. The bytes of the stream prefix do not overlap with | |||
| messages. | the valid start of any other known stream protocol. This value is | |||
| only sent once, by the Initiator only, at the beginning of any stream | ||||
| of IKE and ESP messages. | ||||
| If other framing protocols are used within TCP to further encapsulate | If other framing protocols are used within TCP to further encapsulate | |||
| or encrypt the stream of IKE and ESP messages, the Stream Prefix must | or encrypt the stream of IKE and ESP messages, the Stream Prefix must | |||
| be at the start of the Initiator's IKE and ESP message stream within | be at the start of the Initiator's IKE and ESP message stream within | |||
| the added protocol layer [Appendix A]. | the added protocol layer [Appendix A]. Although some framing | |||
| protocols do support negotiating inner protocols, the stream prefix | ||||
| should always be used in order for implementations to be as generic | ||||
| as possible and not rely on other framing protocols on top of TCP. | ||||
| 0 1 2 3 4 5 | 0 1 2 3 4 5 | |||
| +------+------+------+------+------+------+ | +------+------+------+------+------+------+ | |||
| | 0x49 | 0x4b | 0x45 | 0x54 | 0x43 | 0x50 | | | 0x49 | 0x4b | 0x45 | 0x54 | 0x43 | 0x50 | | |||
| +------+------+------+------+------+------+ | +------+------+------+------+------+------+ | |||
| Figure 3 | Figure 3 | |||
| 5. Applicability | 5. Applicability | |||
| skipping to change at page 7, line 25 ¶ | skipping to change at page 7, line 34 ¶ | |||
| Since the support of TCP encapsulation is a configured property, not | Since the support of TCP encapsulation is a configured property, not | |||
| a negotiated one, it is recommended that if there are multiple IKE | a negotiated one, it is recommended that if there are multiple IKE | |||
| endpoints representing a single peer (such as multiple machines with | endpoints representing a single peer (such as multiple machines with | |||
| different IP addresses when connecting by Fully-Qualified Domain | different IP addresses when connecting by Fully-Qualified Domain | |||
| Name, or endpoints used with IKE redirection), all of the endpoints | Name, or endpoints used with IKE redirection), all of the endpoints | |||
| equally support TCP encapsulation. | equally support TCP encapsulation. | |||
| If TCP encapsulation is being used for a specific IKE SA, all | If TCP encapsulation is being used for a specific IKE SA, all | |||
| messages for that IKE SA and its Child SAs MUST be sent over a TCP | messages for that IKE SA and its Child SAs MUST be sent over a TCP | |||
| connection until the SA is deleted or MOBIKE is used to change the SA | connection until the SA is deleted or MOBIKE is used to change the SA | |||
| endpoints and/or encapsulation protocol. No packets should be sent | endpoints and/or encapsulation protocol. See Section 8 for more | |||
| over UDP or direct ESP for the IKE SA or its Child SAs while using | details on using MOBIKE to transition between encapsulation modes. | |||
| TCP encapsulation. | ||||
| 6. Connection Establishment and Teardown | 6. Connection Establishment and Teardown | |||
| When the IKE initiator uses TCP encapsulation for its negotiation, it | When the IKE initiator uses TCP encapsulation for its negotiation, it | |||
| will initiate a TCP connection to the responder using the configured | will initiate a TCP connection to the responder using the configured | |||
| TCP port. The first bytes sent on the stream MUST be the stream | TCP port. The first bytes sent on the stream MUST be the stream | |||
| prefix value [Section 4]. After this prefix, encapsulated IKE | prefix value [Section 4]. After this prefix, encapsulated IKE | |||
| messages will negotiate the IKE SA and initial Child SA [RFC7296]. | messages will negotiate the IKE SA and initial Child SA [RFC7296]. | |||
| After this point, both encapsulated IKE Figure 1 and ESP Figure 2 | After this point, both encapsulated IKE Figure 1 and ESP Figure 2 | |||
| messages will be sent over the TCP connection. | messages will be sent over the TCP connection. | |||
| skipping to change at page 8, line 36 ¶ | skipping to change at page 8, line 45 ¶ | |||
| availability model. It is also possible to negotiate multiple IKE | availability model. It is also possible to negotiate multiple IKE | |||
| SAs over the same TCP connection. | SAs over the same TCP connection. | |||
| The processing of the TCP packets is the same whether its within a | The processing of the TCP packets is the same whether its within a | |||
| single or multiple TCP connections. | single or multiple TCP connections. | |||
| 7. Interaction with NAT Detection Payloads | 7. Interaction with NAT Detection Payloads | |||
| When negotiating over UDP port 500, IKE_SA_INIT packets include | When negotiating over UDP port 500, IKE_SA_INIT packets include | |||
| NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to | NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to | |||
| determine if UDP encapsulation of IPSec packets should be used. | determine if UDP encapsulation of IPsec packets should be used. | |||
| These payloads contain SHA-1 digests of the SPIs, IP addresses, and | These payloads contain SHA-1 digests of the SPIs, IP addresses, and | |||
| ports. IKE_SA_INIT packets sent on a TCP connection SHOULD include | ports. IKE_SA_INIT packets sent on a TCP connection SHOULD include | |||
| these payloads, and SHOULD use the applicable TCP ports when creating | these payloads, and SHOULD use the applicable TCP ports when creating | |||
| and checking the SHA-1 digests. | and checking the SHA-1 digests. | |||
| If a NAT is detected due to the SHA-1 digests not matching the | If a NAT is detected due to the SHA-1 digests not matching the | |||
| expected values, no change should be made for encapsulation of | expected values, no change should be made for encapsulation of | |||
| subsequent IKE or ESP packets, since TCP encapsulation inherently | subsequent IKE or ESP packets, since TCP encapsulation inherently | |||
| supports NAT traversal. Implementations MAY use the information that | supports NAT traversal. Implementations MAY use the information that | |||
| a NAT is present to influence keep-alive timer values. | a NAT is present to influence keep-alive timer values. | |||
| 8. Using MOBIKE with TCP encapsulation | 8. Using MOBIKE with TCP encapsulation | |||
| When an IKE session is transitioned between networks using MOBIKE | When an IKE session is transitioned between networks using MOBIKE | |||
| [RFC4555], the initiator of the transition may switch between using | [RFC4555], the initiator of the transition may switch between using | |||
| TCP encapsulation, UDP encapsulation, or no encapsulation. | TCP encapsulation, UDP encapsulation, or no encapsulation. | |||
| Implementations that implement both MOBIKE and TCP encapsulation MUST | Implementations that implement both MOBIKE and TCP encapsulation MUST | |||
| support dynamically enabling and disabling TCP encapsulation as | support dynamically enabling and disabling TCP encapsulation as | |||
| interfaces change. | interfaces change. | |||
| The encapsulation method of ESP packets MUST always match the | When a MOBIKE-enabled initiator changes networks, the | |||
| encapsulation method of the IKE negotiation, which may be different | UPDATE_SA_ADDRESSES notification SHOULD be sent out first over UDP | |||
| when an IKE endpoint changes networks. When a MOBIKE-enabled | before attempting over TCP. If there is a response to the | |||
| initiator changes networks, the UPDATE_SA_ADDRESSES notification | UPDATE_SA_ADDRESSES notification sent over UDP, then the ESP packets | |||
| SHOULD be sent out first over UDP before attempting over TCP. If | should be sent directly over IP or over UDP port 4500 (depending on | |||
| there is a response to the UPDATE_SA_ADDRESSES notification sent over | if a NAT was detected), regardless of if a connection on a previous | |||
| UDP, then the ESP packets should be sent directly over IP or over UDP | network was using TCP encapsulation. Similarly, if the responder | |||
| port 4500 (depending on if a NAT was detected), regardless of if a | only responds to the UPDATE_SA_ADDRESSES notification over TCP, then | |||
| connection on a previous network was using TCP encapsulation. | the ESP packets should be sent over the TCP connection, regardless of | |||
| Similarly, if the responder only responds to the UPDATE_SA_ADDRESSES | if a connection on a previous network did not use TCP encapsulation. | |||
| notification over TCP, then the ESP packets should be sent over the | ||||
| TCP connection, regardless of if a connection on a previous network | ||||
| did not use TCP encapsulation. | ||||
| 9. Using IKE Message Fragmentation with TCP encapsulation | 9. Using IKE Message Fragmentation with TCP encapsulation | |||
| IKE Message Fragmentation [RFC7383] is not required when using TCP | IKE Message Fragmentation [RFC7383] is not required when using TCP | |||
| encapsulation, since a TCP stream already handles the fragmentation | encapsulation, since a TCP stream already handles the fragmentation | |||
| of its contents across packets. Since fragmentation is redundant in | of its contents across packets. Since fragmentation is redundant in | |||
| this case, implementations might choose to not negotiate IKE | this case, implementations might choose to not negotiate IKE | |||
| fragmentation. Even if fragmentation is negotiated, an | fragmentation. Even if fragmentation is negotiated, an | |||
| implementation MAY choose to not fragment when going over a TCP | implementation MAY choose to not fragment when going over a TCP | |||
| connection. | connection. | |||
| If an implementation supports both MOBIKE and IKE fragmentation, it | If an implementation supports both MOBIKE and IKE fragmentation, it | |||
| SHOULD negotiate IKE fragmentation over a TCP encapsulated session in | SHOULD negotiate IKE fragmentation over a TCP encapsulated session in | |||
| case the session switches to UDP encapsulation on another network. | case the session switches to UDP encapsulation on another network. | |||
| 10. Considerations for Keep-alives and DPD | 10. Considerations for Keep-alives and DPD | |||
| Encapsulating IKE and IPSec inside of a TCP connection can impact the | Encapsulating IKE and IPsec inside of a TCP connection can impact the | |||
| strategy that implementations use to detect peer liveness and to | strategy that implementations use to detect peer liveness and to | |||
| maintain middlebox port mappings. Peer liveness should be checked | maintain middlebox port mappings. Peer liveness should be checked | |||
| using IKE Informational packets [RFC7296]. | using IKE Informational packets [RFC7296]. | |||
| In general, TCP port mappings are maintained by NATs longers than UDP | In general, TCP port mappings are maintained by NATs longers than UDP | |||
| port mappings, so IPSec ESP NAT keep-alives [RFC3948] SHOULD NOT be | port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be | |||
| sent when using TCP encapsulation. Any implementation using TCP | sent when using TCP encapsulation. Any implementation using TCP | |||
| encapsulation MUST silently drop incoming NAT keep-alive packets, and | encapsulation MUST silently drop incoming NAT keep-alive packets, and | |||
| not treat them as errors. NAT keep-alive packets over a TCP | not treat them as errors. NAT keep-alive packets over a TCP | |||
| encapsulated IPSec connection will be sent with a length value of 1 | encapsulated IPsec connection will be sent with a length value of 1 | |||
| byte, whose value is 0xFF [Figure 2]. | byte, whose value is 0xFF [Figure 2]. | |||
| Note that depending on the configuration of TCP and TLS on the | Note that depending on the configuration of TCP and TLS on the | |||
| connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] | connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] | |||
| may be used. These MUST NOT be used as indications of IKE peer | may be used. These MUST NOT be used as indications of IKE peer | |||
| liveness. | liveness. | |||
| 11. Middlebox Considerations | 11. Middlebox Considerations | |||
| Many security networking devices such as Firewalls or Intrusion | Many security networking devices such as Firewalls or Intrusion | |||
| skipping to change at page 10, line 36 ¶ | skipping to change at page 10, line 37 ¶ | |||
| port 80, if non-HTTP traffic is seen (such as TCP encapsulated IKE), | port 80, if non-HTTP traffic is seen (such as TCP encapsulated IKE), | |||
| this could be dropped by the security device. | this could be dropped by the security device. | |||
| A network device that monitors the transport layer will track the | A network device that monitors the transport layer will track the | |||
| state of TCP sessions, such as TCP sequence numbers. TCP | state of TCP sessions, such as TCP sequence numbers. TCP | |||
| encapsulation of IKE should therefore use standard TCP behaviors to | encapsulation of IKE should therefore use standard TCP behaviors to | |||
| avoid being dropped by middleboxes. | avoid being dropped by middleboxes. | |||
| 12. Performance Considerations | 12. Performance Considerations | |||
| Several aspects of TCP encapsulation for IKE and IPSec packets may | Several aspects of TCP encapsulation for IKE and IPsec packets may | |||
| negatively impact the performance of connections within the tunnel. | negatively impact the performance of connections within the tunnel. | |||
| Implementations should be aware of these and take these into | Implementations should be aware of these and take these into | |||
| consideration when determining when to use TCP encapsulation. | consideration when determining when to use TCP encapsulation. | |||
| 12.1. TCP-in-TCP | 12.1. TCP-in-TCP | |||
| If the outer connection between IKE peers is over TCP, inner TCP | If the outer connection between IKE peers is over TCP, inner TCP | |||
| connections may suffer effects from using TCP within TCP. In | connections may suffer effects from using TCP within TCP. In | |||
| particular, the inner TCP's round-trip-time estimation will be | particular, the inner TCP's round-trip-time estimation will be | |||
| affected by the burstiness of the outer TCP. This will make loss- | affected by the burstiness of the outer TCP. This will make loss- | |||
| skipping to change at page 11, line 35 ¶ | skipping to change at page 11, line 35 ¶ | |||
| maximum segment size (MSS) in order to avoid unnecessary | maximum segment size (MSS) in order to avoid unnecessary | |||
| fragmentation of packets. | fragmentation of packets. | |||
| 13. Security Considerations | 13. Security Considerations | |||
| IKE responders that support TCP encapsulation may become vulnerable | IKE responders that support TCP encapsulation may become vulnerable | |||
| to new Denial-of-Service (DoS) attacks that are specific to TCP, such | to new Denial-of-Service (DoS) attacks that are specific to TCP, such | |||
| as SYN-flooding attacks. Responders should be aware of this | as SYN-flooding attacks. Responders should be aware of this | |||
| additional attack-surface. | additional attack-surface. | |||
| Responders should be careful to ensure that the stream prefix | ||||
| "IKETCP" uniquely identifies streams using the TCP encapsulation | ||||
| protocol. The prefix was chosen to not overlap with the start of any | ||||
| known valid protocol over TCP, but implementations should make sure | ||||
| to validate this assumption in order to avoid unexpected processing | ||||
| of TCP connections. | ||||
| Attackers may be able to disrupt the TCP connection by sending | Attackers may be able to disrupt the TCP connection by sending | |||
| spurious RST packets. Due to this, implementations SHOULD make sure | spurious RST packets. Due to this, implementations SHOULD make sure | |||
| that IKE session state persists even if the underlying TCP connection | that IKE session state persists even if the underlying TCP connection | |||
| is torn down. | is torn down. | |||
| 14. IANA Considerations | 14. IANA Considerations | |||
| This memo includes no request to IANA. | This memo includes no request to IANA. | |||
| TCP port 4500 is already allocated to IPSec. This port MAY be used | TCP port 4500 is already allocated to IPsec. This port MAY be used | |||
| for the protocol described in this document, but implementations MAY | for the protocol described in this document, but implementations MAY | |||
| prefer to use other ports based on local policy. | prefer to use other ports based on local policy. | |||
| 15. Acknowledgments | 15. Acknowledgments | |||
| The authors would like to acknowledge the input and advice of Stuart | The authors would like to acknowledge the input and advice of Stuart | |||
| Cheshire, Delziel Fernandes, Yoav Nir, Christoph Paasch, Yaron | Cheshire, Delziel Fernandes, Yoav Nir, Christoph Paasch, Yaron | |||
| Sheffer, David Schinazi, Graham Bartlett, Byju Pularikkal, March Wu | Sheffer, David Schinazi, Graham Bartlett, Byju Pularikkal, March Wu | |||
| and Kingwel Xie. Special thanks to Eric Kinnear for his | and Kingwel Xie. Special thanks to Eric Kinnear for his | |||
| implementation work. | implementation work. | |||
| skipping to change at page 14, line 4 ¶ | skipping to change at page 14, line 14 ¶ | |||
| The security of the IKE session is entirely derived from the IKE | The security of the IKE session is entirely derived from the IKE | |||
| negotiation and key establishment and not from the TLS session (which | negotiation and key establishment and not from the TLS session (which | |||
| in this context is only used for encapsulation purposes), therefore | in this context is only used for encapsulation purposes), therefore | |||
| when TLS is used on the TCP connection, both the initiator and | when TLS is used on the TCP connection, both the initiator and | |||
| responder SHOULD allow the NULL cipher to be selected for performance | responder SHOULD allow the NULL cipher to be selected for performance | |||
| reasons. | reasons. | |||
| Implementations should be aware that the use of TLS introduces | Implementations should be aware that the use of TLS introduces | |||
| another layer of overhead requiring more bytes to transmit a given | another layer of overhead requiring more bytes to transmit a given | |||
| IKE and IPSec packet. For this reason, direct ESP, UDP | IKE and IPsec packet. For this reason, direct ESP, UDP | |||
| encapsulation, or TCP encapsulation without TLS should be preferred | encapsulation, or TCP encapsulation without TLS should be preferred | |||
| in situations in which TLS is not required in order to traverse | in situations in which TLS is not required in order to traverse | |||
| middle-boxes. | middle-boxes. | |||
| Appendix B. Example exchanges of TCP Encapsulation with TLS | Appendix B. Example exchanges of TCP Encapsulation with TLS | |||
| B.1. Establishing an IKE session | B.1. Establishing an IKE session | |||
| Client Server | Client Server | |||
| ---------- ---------- | ---------- ---------- | |||
| 1) -------------------- TCP Connection ------------------- | 1) -------------------- TCP Connection ------------------- | |||
| End of changes. 38 change blocks. | ||||
| 65 lines changed or deleted | 83 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||