--- 1/draft-ietf-ipsecme-tcp-encaps-09.txt 2017-05-31 12:13:12.708840727 -0700 +++ 2/draft-ietf-ipsecme-tcp-encaps-10.txt 2017-05-31 12:13:12.756841873 -0700 @@ -1,21 +1,21 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track S. Touati -Expires: September 13, 2017 Ericsson +Expires: December 1, 2017 Ericsson R. Mantha Cisco Systems - March 12, 2017 + May 30, 2017 TCP Encapsulation of IKE and IPsec Packets - draft-ietf-ipsecme-tcp-encaps-09 + draft-ietf-ipsecme-tcp-encaps-10 Abstract This document describes a method to transport IKE and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as TCP encapsulation, involves sending both IKE packets for Security Association establishment and ESP packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP. @@ -28,73 +28,74 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 13, 2017. + This Internet-Draft will expire on December 1, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Prior Work and Motivation . . . . . . . . . . . . . . . . 3 1.2. Terminology and Notation . . . . . . . . . . . . . . . . 4 - 2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 5 3. TCP-Encapsulated Header Formats . . . . . . . . . . . . . . . 5 3.1. TCP-Encapsulated IKE Header Format . . . . . . . . . . . 6 3.2. TCP-Encapsulated ESP Header Format . . . . . . . . . . . 6 4. TCP-Encapsulated Stream Prefix . . . . . . . . . . . . . . . 7 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. Recommended Fallback from UDP . . . . . . . . . . . . . . 8 6. Connection Establishment and Teardown . . . . . . . . . . . . 8 7. Interaction with NAT Detection Payloads . . . . . . . . . . . 10 8. Using MOBIKE with TCP encapsulation . . . . . . . . . . . . . 10 9. Using IKE Message Fragmentation with TCP encapsulation . . . 11 10. Considerations for Keep-alives and DPD . . . . . . . . . . . 11 - 11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 11 + 11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 12 12. Performance Considerations . . . . . . . . . . . . . . . . . 12 12.1. TCP-in-TCP . . . . . . . . . . . . . . . . . . . . . . . 12 - 12.2. Added Reliability for Unreliable Protocols . . . . . . . 12 - 12.3. Quality of Service Markings . . . . . . . . . . . . . . 12 - 12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 12 - 13. Security Considerations . . . . . . . . . . . . . . . . . . . 13 - 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 - 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 - 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 16.1. Normative References . . . . . . . . . . . . . . . . . . 14 - 16.2. Informative References . . . . . . . . . . . . . . . . . 14 - Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 15 - Appendix B. Example exchanges of TCP Encapsulation with TLS . . 16 - B.1. Establishing an IKE session . . . . . . . . . . . . . . . 16 - B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 17 - B.3. Re-establishing an IKE session . . . . . . . . . . . . . 18 - B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 19 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 + 12.2. Added Reliability for Unreliable Protocols . . . . . . . 13 + 12.3. Quality of Service Markings . . . . . . . . . . . . . . 13 + 12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 13 + 12.5. Tunnelling ECN in TCP . . . . . . . . . . . . . . . . . 14 + 13. Security Considerations . . . . . . . . . . . . . . . . . . . 14 + 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 + 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 + 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 + 16.1. Normative References . . . . . . . . . . . . . . . . . . 15 + 16.2. Informative References . . . . . . . . . . . . . . . . . 16 + Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 17 + Appendix B. Example exchanges of TCP Encapsulation with TLS . . 17 + B.1. Establishing an IKE session . . . . . . . . . . . . . . . 17 + B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 19 + B.3. Re-establishing an IKE session . . . . . . . . . . . . . 20 + B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 21 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction IKEv2 [RFC7296] is a protocol for establishing IPsec Security Associations (SAs), using IKE messages over UDP for control traffic, and using Encapsulating Security Payload (ESP) messages for encrypted data traffic. Many network middleboxes that filter traffic on public hotspots block all UDP traffic, including IKE and IPsec, but allow TCP connections through since they appear to be web traffic. Devices on these networks that need to use IPsec (to access private @@ -147,21 +148,22 @@ to create secure connections to cellular carrier networks for making voice calls and accessing other network services over Wi-Fi networks. 3GPP has recommended that IKEv2 and ESP packets be sent within a TLS connection to be able to establish connections on restrictive networks. ISAKMP over TCP Various non-standard extensions to ISAKMP have been deployed that send IPsec traffic over TCP or TCP-like packets. SSL VPNs Many proprietary VPN solutions use a combination of TLS and - IPsec in order to provide reliability. + IPsec in order to provide reliability. These often run on TCP + port 443. IKEv2 over TCP IKEv2 over TCP as described in [I-D.nir-ipsecme-ike-tcp] is used to avoid UDP fragmentation. The goal of this specification is to provide a standardized method for using TCP streams to transport IPsec that is compatible with the current IKE standard, and avoids the overhead of other alternatives that always rely on TCP or TLS. 1.2. Terminology and Notation @@ -184,36 +186,34 @@ document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Configuration One of the main reasons to use TCP encapsulation is that UDP traffic may be entirely blocked on a network. Because of this, support for TCP encapsulation is not specifically negotiated in the IKE exchange. Instead, support for TCP encapsulation must be pre-configured on both the TCP Originator and the TCP Responder. - The configuration defined on each peer should include the following - parameters: + Implementations MUST support TCP encapsulation on TCP port 4500, + which is reserved for IPsec NAT Traversal. - o One or more TCP ports on which the TCP Responder will listen for - incoming connections. Note that the TCP Originator may initiate - TCP connections to the TCP Responder from any local port. The - ports on which the TCP Responder listens will likely be based on - the ports commonly allowed on restricted networks. + Beyond a flag indicating support for TCP encapsulation, the + configuration for each peer can include the following optional + parameters: - o Optionally, an extra framing protocol to use on top of TCP to - further encapsulate the stream of IKE and IPsec packets. See - Appendix A for a detailed discussion. + o Alternate TCP ports on which the specific TCP Responder listens + for incoming connections. Note that the TCP Originator may + initiate TCP connections to the TCP Responder from any local port. - This document leaves the selection of TCP ports up to - implementations. It is suggested to use TCP port 4500, which is - allocated for IPsec NAT Traversal. + o An extra framing protocol to use on top of TCP to further + encapsulate the stream of IKE and IPsec packets. See Appendix A + for a detailed discussion. Since TCP encapsulation of IKE and IPsec packets adds overhead and has potential performance trade-offs compared to direct or UDP- encapsulated SAs (as described in Performance Considerations, Section 12), implementations SHOULD prefer ESP direct or UDP encapsulated SAs over TCP encapsulated SAs when possible. 3. TCP-Encapsulated Header Formats Like UDP encapsulation, TCP encapsulation uses the first four bytes @@ -283,28 +283,26 @@ The SPI field in the ESP header MUST NOT be a zero value. o Length (2 octets, unsigned integer) - Length of the ESP packet including the Length Field. 4. TCP-Encapsulated Stream Prefix Each stream of bytes used for IKE and IPsec encapsulation MUST begin with a fixed sequence of six bytes as a magic value, containing the - characters "IKETCP" as ASCII values. This allows peers to - differentiate this protocol from other protocols that may be run over - the same TCP port. Since TCP encapsulated IPsec is not assigned to a - specific port, TCP Responders may be able to receive multiple - protocols on the same port. The bytes of the stream prefix do not - overlap with the valid start of any other known stream protocol. - This value is only sent once, by the TCP Originator only, at the - beginning of any stream of IKE and ESP messages. + characters "IKETCP" as ASCII values. This value is intended to + identify and validate that the TCP connection is being used for TCP + encapsulation as defined in this document, to avoid conflicts with + the prevalence of previous non-standard protocols that used TCP port + 4500. This value is only sent once, by the TCP Originator only, at + the beginning of any stream of IKE and ESP messages. If other framing protocols are used within TCP to further encapsulate or encrypt the stream of IKE and ESP messages, the Stream Prefix must be at the start of the TCP Originator's IKE and ESP message stream within the added protocol layer [Appendix A]. Although some framing protocols do support negotiating inner protocols, the stream prefix should always be used in order for implementations to be as generic as possible and not rely on other framing protocols on top of TCP. 0 1 2 3 4 5 @@ -394,28 +392,36 @@ an existing IKE SA, it MUST send the stream prefix first, before any IKE or ESP messages. This follows the same behavior as the initial TCP connection. If a TCP connection is being used to resume a previous IKE session, the TCP Responder can recognize the session using either the IKE SPI from an encapsulated IKE message or the ESP SPI from an encapsulated ESP message. If the session had been fully established previously, it is suggested that the TCP Originator send an UPDATE_SA_ADDRESSES message if MOBIKE is supported, or an INFORMATIONAL message (a - keepalive) otherwise. If either TCP Originator or TCP Responder - receives a stream that cannot be parsed correctly (for example, if - the TCP Originator stream is missing the stream prefix, or message - frames are not parsable as IKE or ESP messages), it MUST close the - TCP connection. If there is instead a syntax issue within an IKE - message, an implementation MUST send the INVALID_SYNTAX notify - payload and tear down the IKE SA as usual, rather than tearing down - the TCP connection directly. + keepalive) otherwise. + + The TCP Responder MUST NOT accept any messages for the existing IKE + session on a new incoming connection unless that connection begins + with the stream prefix. If either the TCP Originator or TCP + Responder detects corruption on a connection that was started with a + valid stream prefix, it SHOULD close the TCP connection. The + connection can be determined as corrupted if there are too many + subsequent messages that cannot be parsed as valid IKE messages or + ESP messages with known SPIs, or if the authentication check for an + ESP message with a known SPI fails. Implementations SHOULD NOT tear + down a connection if only a single ESP message has an unknown SPI, + since the SPI databases may be momentarily out of sync. If there is + instead a syntax issue within an IKE message, an implementation MUST + send the INVALID_SYNTAX notify payload and tear down the IKE SA as + usual, rather than tearing down the TCP connection directly. An TCP Originator SHOULD only open one TCP connection per IKE SA, over which it sends all of the corresponding IKE and ESP messages. This helps ensure that any firewall or NAT mappings allocated for the TCP connection apply to all of the traffic associated with the IKE SA equally. Similarly, a TCP Responder SHOULD at any given time send packets for an IKE SA and its Child SAs over only one TCP connection. It SHOULD choose the TCP connection on which it last received a valid and @@ -515,47 +521,81 @@ 11. Middlebox Considerations Many security networking devices such as Firewalls or Intrusion Prevention Systems, network optimization/acceleration devices and Network Address Translation (NAT) devices keep the state of sessions that traverse through them. These devices commonly track the transport layer and/or the application layer data to drop traffic that is anomalous or malicious - in nature. - - A network device that monitors up to the application layer will - commonly expect to see HTTP traffic within a TCP socket running over - port 80, if non-HTTP traffic is seen (such as TCP encapsulated IKE), - this could be dropped by the security device. + in nature. While many of these devices will be more likely to pass + TCP-encapsulated traffic as opposed to UDP-encapsulated traffic, some + may still block or interfere with TCP-encapsulated IKE and IPsec. A network device that monitors the transport layer will track the state of TCP sessions, such as TCP sequence numbers. TCP encapsulation of IKE should therefore use standard TCP behaviors to avoid being dropped by middleboxes. 12. Performance Considerations Several aspects of TCP encapsulation for IKE and IPsec packets may negatively impact the performance of connections within a tunnel-mode - IPsec SA. Implementations should be aware of these and take these - into consideration when determining when to use TCP encapsulation. + IPsec SA. Implementations should be aware of these performance + impacts and take these into consideration when determining when to + use TCP encapsulation. Implementations SHOULD favor using direct ESP + or UDP encapsulation over TCP encapsulation whenever possible. 12.1. TCP-in-TCP If the outer connection between IKE peers is over TCP, inner TCP - connections may suffer effects from using TCP within TCP. In - particular, the inner TCP's round-trip-time estimation will be - affected by the burstiness of the outer TCP. This will make loss- - recovery of the inner TCP traffic less reactive and more prone to - spurious retransmission timeouts. + connections may suffer effects from using TCP within TCP. Running + TCP within TCP is discouraged, since the TCP algorithms generally + assume that they are running over an unreliable datagram layer. + + If the outer (tunnel) TCP connection experiences packet loss, this + loss will be hidden from any inner TCP connections, since the outer + connection will retransmit to account for the losses. Since the + outer TCP connection will deliver the inner messages in order, any + messages after a lost packet may have to wait until the loss is + recovered. This means that loss on the outer connection will be + interpreted only as delay by inner connections. The burstiness of + inner traffic can increase, since a large number of inner packets may + be delivered across the tunnel at once. The inner TCP connection may + interpret a long period of delay as a transmission problem, + triggering a retransmission timeout, which will cause spurious + retransmissions. The sending rate of the inner connection may be + unnecessarily reduced if the retransmissions are not detected as + spurious in time. + + The inner TCP connection's round-trip-time estimation will be + affected by the burstiness of the outer TCP connection if there are + long delays when packets are retransmitted by the outer TCP + connection. This will make the congestion control loop of the inner + TCP traffic less reactive, potentially permanently leading to a lower + sending rate than the outer TCP would allow for. + + TCP-in-TCP can also lead to increased buffering, or bufferbloat. + This can occur when the window size of the outer TCP connection is + reduced, and becomes smaller than the window sizes of the inner TCP + connections. This can lead to packets backing up in the outer TCP + connection's send buffers. In order to limit this effect, the outer + TCP connection should have limits on its send buffer size, and on the + rate at which it reduces its window size. + + Note that any negative effects will be shared between all flows going + through the outer TCP connection. This is of particular concern for + any latency-sensitive or real-time applications using the tunnel. If + such traffic is using a TCP encapsulated IPsec connection, it is + recommended that the number of inner connections sharing the tunnel + be limited as much as possible. 12.2. Added Reliability for Unreliable Protocols Since ESP is an unreliable protocol, transmitting ESP packets over a TCP connection will change the fundamental behavior of the packets. Some application-level protocols that prefer packet loss to delay (such as Voice over IP or other real-time protocols) may be negatively impacted if their packets are retransmitted by the TCP connection due to packet loss. @@ -566,33 +606,50 @@ Individual packets SHOULD NOT use different markings than the rest of the connection, since packets with different priorities may be routed differently and cause unnecessary delays in the connection. 12.4. Maximum Segment Size A TCP connection used for IKE encapsulation SHOULD negotiate its maximum segment size (MSS) in order to avoid unnecessary fragmentation of packets. +12.5. Tunnelling ECN in TCP + + Since there is not a one-to-one relationship between outer IP packets + and inner ESP/IP messages when using TCP encapsulation, the markings + for Explicit Congestion Notification (ECN) [RFC3168] cannot be simply + mapped. However, any ECN Congestion Experienced (CE) marking on + inner messages should be preserved through the tunnel. + + Implementations SHOULD follow the ECN compatibility mode as described + in [RFC6040]. In compatibility mode, the outer TCP connection SHOULD + mark its packets as not ECN-capable, and MUST NOT clear any ECN + markings on inner packets. Note that outer packets may be ECN marked + even though the outer connection did not negotiate support for ECN. + If an implementation receives such an outer packet, it MAY propagate + the markings as described in the Default Tunnel Egress Behaviour + [RFC6040] for any inner packet contained within a single outer TCP + packet, or simply apply the rules as if the outer packet were Not-ECT + if the inner packet spans multiple outer packets. + 13. Security Considerations IKE Responders that support TCP encapsulation may become vulnerable to new Denial-of-Service (DoS) attacks that are specific to TCP, such as SYN-flooding attacks. TCP Responders should be aware of this additional attack-surface. TCP Responders should be careful to ensure that the stream prefix - "IKETCP" uniquely identifies streams using the TCP encapsulation - protocol. The prefix was chosen to not overlap with the start of any - known valid protocol over TCP, but implementations should make sure - to validate this assumption in order to avoid unexpected processing - of TCP connections. + "IKETCP" uniquely identifies incoming streams as ones that use the + TCP encapsulation protocol, and they are not running any other + protocols on the same listening port that could conflict with this. Attackers may be able to disrupt the TCP connection by sending spurious RST packets. Due to this, implementations SHOULD make sure that IKE session state persists even if the underlying TCP connection is torn down. If MOBIKE is being used, all of the security considerations outlined for MOBIKE apply [RFC4555]. Similarly to MOBIKE, TCP encapsulation requires a TCP Responder to @@ -605,25 +662,31 @@ packets take. For this reason, the validation of messages on the TCP Responder must include decryption, authentication, and replay checks. Since TCP provides a reliable, in-order delivery of ESP messages, the ESP Anti-Replay Window size SHOULD be set to 1. See [RFC4303] for a complete description of the ESP Anti-Replay Window. This increases the protection of implementations against replay attacks. 14. IANA Considerations - This memo includes no request to IANA. + TCP port 4500 is already allocated to IPsec for NAT Traversal. This + port SHOULD be used for TCP encapsulated IKE and ESP as described in + this document. - TCP port 4500 is already allocated to IPsec. This port MAY be used - for the protocol described in this document, but implementations MAY - prefer to use other ports based on local policy. + This document updates the reference for TCP port 4500: + + Keyword Decimal Description Reference + ------- ------- ----------- --------- + ipsec-nat-t 4500/tcp IPsec NAT-Traversal [RFC-this-rfc] + + Figure 4 15. Acknowledgments The authors would like to acknowledge the input and advice of Stuart Cheshire, Delziel Fernandes, Yoav Nir, Christoph Paasch, Yaron Sheffer, David Schinazi, Graham Bartlett, Byju Pularikkal, March Wu, Kingwel Xie, Valery Smyslov, Jun Hu, and Tero Kivinen. Special thanks to Eric Kinnear for his implementation work. 16. References @@ -637,20 +700,24 @@ [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC 3948, DOI 10.17487/RFC3948, January 2005, . [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, . + [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion + Notification", RFC 6040, DOI 10.17487/RFC6040, November + 2010, . + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . 16.2. Informative References [I-D.nir-ipsecme-ike-tcp] Nir, Y., "A TCP transport for the Internet Key Exchange", draft-nir-ipsecme-ike-tcp-01 (work in progress), July @@ -658,20 +725,25 @@ [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989, . [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000, . + [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition + of Explicit Congestion Notification (ECN) to IP", + RFC 3168, DOI 10.17487/RFC3168, September 2001, + . + [RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport @@ -680,29 +752,29 @@ DOI 10.17487/RFC6520, February 2012, . [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation", RFC 7383, DOI 10.17487/RFC7383, November 2014, . Appendix A. Using TCP encapsulation with TLS - This section provides recommendations on the support of TLS with the - TCP encapsulation. + This section provides recommendations on how to use TLS in addition + to TCP encapsulation. When using TCP encapsulation, implementations may choose to use TLS - [RFC5246], to be able to traverse middle-boxes, which may block non- - HTTP traffic. + [RFC5246] on the TCP connection to be able to traverse middle-boxes, + which may otherwise block the traffic. - If a web proxy is applied to the ports for the TCP connection, and - TLS is being used, the TCP Originator can send an HTTP CONNECT + If a web proxy is applied to the ports used for the TCP connection, + and TLS is being used, the TCP Originator can send an HTTP CONNECT message to establish an SA through the proxy [RFC2817]. The use of TLS should be configurable on the peers, and may be used as the default when using TCP encapsulation, or else be a fallback when basic TCP encapsulation fails. The TCP Responder may expect to read encapsulated IKE and ESP packets directly from the TCP connection, or it may expect to read them from a stream of TLS data packets. The TCP Originator should be pre-configured to use TLS or not when communicating with a given port on the TCP Responder. @@ -724,21 +796,21 @@ in situations in which TLS is not required in order to traverse middle-boxes. Appendix B. Example exchanges of TCP Encapsulation with TLS B.1. Establishing an IKE session Client Server ---------- ---------- 1) -------------------- TCP Connection ------------------- - (IP_I:Port_I -> IP_R:TCP443 or TCP4500) + (IP_I:Port_I -> IP_R:Port_R) TcpSyn ----------> <---------- TcpSyn,Ack TcpAck ----------> 2) --------------------- TLS Session --------------------- ClientHello ----------> ServerHello Certificate* ServerKeyExchange* <---------- ServerHelloDone @@ -774,40 +846,44 @@ repeat 1..N times <------ Length + Non-ESP Marker IKE_AUTH + EAP Length + Non-ESP Marker ----------> final IKE_AUTH HDR, SK {AUTH} <------ Length + Non-ESP Marker final IKE_AUTH HDR, SK {AUTH, CP(CFG_REPLY), SA, TSi, TSr, ...} + -------------- IKE and IPsec SAs Established ------------ Length + ESP frame ----------> - Figure 4 + Figure 5 - 1. Client establishes a TCP connection with the server on port 443 - or 4500. + 1. Client establishes a TCP connection with the server on port + 4500, or an alternate pre-configured port that the server is + listening on. - 2. Client initiates TLS handshake. During TLS handshake, the - server SHOULD NOT request the client's' certificate, since - authentication is handled as part of IKE negotiation. + 2. If configured to use TLS, the client initiates a TLS handshake. + During the TLS handshake, the server SHOULD NOT request the + client's certificate, since authentication is handled as part + of IKE negotiation. 3. Client send the Stream Prefix for TCP encapsulated IKE Section 4 traffic to signal the beginning of IKE negotiation. 4. Client and server establish an IKE connection. This example shows EAP-based authentication, although any authentication type may be used. B.2. Deleting an IKE session + Client Server ---------- ---------- 1) ----------------------- IKE Session --------------------- Length + Non-ESP Marker ----------> INFORMATIONAL HDR, SK {[N,] [D,] [CP,] ...} <------ Length + Non-ESP Marker INFORMATIONAL HDR, SK {[N,] [D,] @@ -816,21 +892,21 @@ 2) --------------------- TLS Session --------------------- close_notify ----------> <---------- close_notify 3) -------------------- TCP Connection ------------------- TcpFin ----------> <---------- Ack <---------- TcpFin Ack ----------> --------------------- IKE SA Deleted ------------------- - Figure 5 + Figure 6 1. Client and server exchange INFORMATIONAL messages to notify IKE SA deletion. 2. Client and server negotiate TLS session deletion using TLS CLOSE_NOTIFY. 3. The TCP connection is torn down. The deletion of the IKE SA should lead to the disposal of the @@ -830,40 +906,41 @@ 2. Client and server negotiate TLS session deletion using TLS CLOSE_NOTIFY. 3. The TCP connection is torn down. The deletion of the IKE SA should lead to the disposal of the underlying TLS and TCP state. B.3. Re-establishing an IKE session + Client Server ---------- ---------- 1) -------------------- TCP Connection ------------------- - (IP_I:Port_I -> IP_R:TCP443 or TCP4500) + (IP_I:Port_I -> IP_R:Port_R) TcpSyn ----------> <---------- TcpSyn,Ack TcpAck ----------> 2) --------------------- TLS Session --------------------- ClientHello ----------> <---------- ServerHello [ChangeCipherSpec] Finished [ChangeCipherSpec] ----------> Finished 3) ---------------------- Stream Prefix -------------------- "IKETCP" ----------> 4) <---------------------> IKE/ESP flow <------------------> Length + ESP frame ----------> - Figure 6 + Figure 7 1. If a previous TCP connection was broken (for example, due to a RST), the client is responsible for re-initiating the TCP connection. The TCP Originator's address and port (IP_I and Port_I) may be different from the previous connection's address and port. 2. In ClientHello TLS message, the client SHOULD send the Session ID it received in the previous TLS handshake if available. It is up to the server to perform either an abbreviated handshake @@ -897,21 +974,21 @@ 2) ------------ MOBIKE Attempt on new network -------------- (IP_I2:UDP4500 -> IP_R:UDP4500) Non-ESP Marker -----------> INFORMATIONAL HDR, SK { N(UPDATE_SA_ADDRESSES), N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP) } 3) -------------------- TCP Connection ------------------- - (IP_I2:PORT_I -> IP_R:TCP443 or TCP4500) + (IP_I2:Port_I -> IP_R:Port_R) TcpSyn -----------> <----------- TcpSyn,Ack TcpAck -----------> 4) --------------------- TLS Session --------------------- ClientHello -----------> ServerHello Certificate* ServerKeyExchange* <----------- ServerHelloDone @@ -923,26 +1001,27 @@ <----------- Finished 5) ---------------------- Stream Prefix -------------------- "IKETCP" ----------> 6) ----------------------- IKE Session --------------------- Length + Non-ESP Marker -----------> INFORMATIONAL (Same as step 2) HDR, SK { N(UPDATE_SA_ADDRESSES), N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP) } + <------- Length + Non-ESP Marker HDR, SK { N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP) } 7) <----------------- IKE/ESP data flow -------------------> - Figure 7 + Figure 8 1. During the IKE_SA_INIT exchange, the client and server exchange MOBIKE_SUPPORTED notify payloads to indicate support for MOBIKE. 2. The client changes its point of attachment to the network, and receives a new IP address. The client attempts to re-establish the IKE session using the UPDATE_SA_ADDRESSES notify payload, but the server does not respond because the network blocks UDP traffic.