|
|
Network Working Group P. Eronen
Request for Comments: 4718 Nokia
Category: Informational P. Hoffman
VPN Consortium
October 2006
IKEv2 Clarifications and Implementation Guidelines
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document clarifies many areas of the IKEv2 specification. It
does not to introduce any changes to the protocol, but rather
provides descriptions that are less prone to ambiguous
interpretations. The purpose of this document is to encourage the
development of interoperable implementations.
Table of Contents
1. Introduction ....................................................4
2. Creating the IKE_SA .............................................4
2.1. SPI Values in IKE_SA_INIT Exchange .........................4
2.2. Message IDs for IKE_SA_INIT Messages .......................5
2.3. Retransmissions of IKE_SA_INIT Requests ....................5
2.4. Interaction of COOKIE and INVALID_KE_PAYLOAD ...............6
2.5. Invalid Cookies ............................................8
3. Authentication ..................................................9
3.1. Data Included in AUTH Payload Calculation ..................9
3.2. Hash Function for RSA Signatures ...........................9
3.3. Encoding Method for RSA Signatures ........................10
3.4. Identification Type for EAP ...............................11
3.5. Identity for Policy Lookups When Using EAP ................11
3.6. Certificate Encoding Types ................................12
3.7. Shared Key Authentication and Fixed PRF Key Size ..........12
3.8. EAP Authentication and Fixed PRF Key Size .................13
3.9. Matching ID Payloads to Certificate Contents ..............13
3.10. Message IDs for IKE_AUTH Messages ........................14
4. Creating CHILD_SAs .............................................14
4.1. Creating SAs with the CREATE_CHILD_SA Exchange ............14
4.2. Creating an IKE_SA without a CHILD_SA .....................16
4.3. Diffie-Hellman for First CHILD_SA .........................16
4.4. Extended Sequence Numbers (ESN) Transform .................17
4.5. Negotiation of ESP_TFC_PADDING_NOT_SUPPORTED ..............17
4.6. Negotiation of NON_FIRST_FRAGMENTS_ALSO ...................18
4.7. Semantics of Complex Traffic Selector Payloads ............18
4.8. ICMP Type/Code in Traffic Selector Payloads ...............19
4.9. Mobility Header in Traffic Selector Payloads ..............20
4.10. Narrowing the Traffic Selectors ..........................20
4.11. SINGLE_PAIR_REQUIRED .....................................21
4.12. Traffic Selectors Violating Own Policy ...................21
4.13. Traffic Selector Authorization ...........................22
5. Rekeying and Deleting SAs ......................................23
5.1. Rekeying SAs with the CREATE_CHILD_SA Exchange ............23
5.2. Rekeying the IKE_SA vs. Reauthentication ..................24
5.3. SPIs When Rekeying the IKE_SA .............................25
5.4. SPI When Rekeying a CHILD_SA ..............................25
5.5. Changing PRFs When Rekeying the IKE_SA ....................26
5.6. Deleting vs. Closing SAs ..................................26
5.7. Deleting a CHILD_SA Pair ..................................26
5.8. Deleting an IKE_SA ........................................27
5.9. Who is the original initiator of IKE_SA ...................27
5.10. Comparing Nonces .........................................27
5.11. Exchange Collisions ......................................28
5.12. Diffie-Hellman and Rekeying the IKE_SA ...................36
6. Configuration Payloads .........................................37
6.1. Assigning IP Addresses ....................................37
6.2. Requesting any INTERNAL_IP4/IP6_ADDRESS ...................38
6.3. INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET ...................38
6.4. INTERNAL_IP4_NETMASK ......................................41
6.5. Configuration Payloads for IPv6 ...........................42
6.6. INTERNAL_IP6_NBNS .........................................43
6.7. INTERNAL_ADDRESS_EXPIRY ...................................43
6.8. Address Assignment Failures ...............................44
7. Miscellaneous Issues ...........................................45
7.1. Matching ID_IPV4_ADDR and ID_IPV6_ADDR ....................45
7.2. Relationship of IKEv2 to RFC 4301 .........................45
7.3. Reducing the Window Size ..................................46
7.4. Minimum Size of Nonces ....................................46
7.5. Initial Zero Octets on Port 4500 ..........................46
7.6. Destination Port for NAT Traversal ........................47
7.7. SPI Values for Messages outside an IKE_SA .................47
7.8. Protocol ID/SPI Fields in Notify Payloads .................48
7.9. Which message should contain INITIAL_CONTACT ..............48
7.10. Alignment of Payloads ....................................48
7.11. Key Length Transform Attribute ...........................48
7.12. IPsec IANA Considerations ................................49
7.13. Combining ESP and AH .....................................50
8. Implementation Mistakes ........................................50
9. Security Considerations ........................................51
10. Acknowledgments ...............................................51
11. References ....................................................51
11.1. Normative References .....................................51
11.2. Informative References ...................................52
Appendix A. Exchanges and Payloads ................................54
A.1. IKE_SA_INIT Exchange ......................................54
A.2. IKE_AUTH Exchange without EAP .............................54
A.3. IKE_AUTH Exchange with EAP ................................55
A.4. CREATE_CHILD_SA Exchange for Creating/Rekeying
CHILD_SAs .................................................56
A.5. CREATE_CHILD_SA Exchange for Rekeying the IKE_SA ..........56
A.6. INFORMATIONAL Exchange ....................................56
1. Introduction
This document clarifies many areas of the IKEv2 specification that
may be difficult to understand to developers not intimately familiar
with the specification and its history. The clarifications in this
document come from the discussion on the IPsec WG mailing list, from
experience in interoperability testing, and from implementation
issues that have been brought to the editors’ attention.
IKEv2/IPsec can be used for several different purposes, including
IPsec-based remote access (sometimes called the "road warrior" case),
site-to-site virtual private networks (VPNs), and host-to-host
protection of application traffic. While this document attempts to
consider all of these uses, the remote access scenario has perhaps
received more attention here than the other uses.
This document does not place any requirements on anyone and does not
use [RFC2119] keywords such as "MUST" and "SHOULD", except in
quotations from the original IKEv2 documents. The requirements are
given in the IKEv2 specification [IKEv2] and IKEv2 cryptographic
algorithms document [IKEv2ALG].
In this document, references to a numbered section (such as "Section
2.15") mean that section in [IKEv2]. References to mailing list
messages or threads refer to the IPsec WG mailing list at
ipsec@ietf.org. Archives of the mailing list can be found at
<http://www.ietf.org/mail-archive/web/ipsec/index.html>.
2. Creating the IKE_SA
2.1. SPI Values in IKE_SA_INIT Exchange
Normal IKE messages include the initiator’s and responder’s Security
Parameter Indexes (SPIs), both of which are non-zero, in the IKE
header. However, there are some corner cases where the IKEv2
specification is not fully consistent about what values should be
used.
First, Section 3.1 says that the Responder’s SPI "...MUST NOT be zero
in any other message" (than the first message of the IKE_SA_INIT
exchange). However, the figure in Section 2.6 shows the second
IKE_SA_INIT message as "HDR(A,0), N(COOKIE)", contradicting the text
in 3.1.
Since the responder’s SPI identifies security-related state held by
the responder, and in this case no state is created, sending a zero
value seems reasonable.
Second, in addition to cookies, there are several other cases when
the IKE_SA_INIT exchange does not result in the creation of an IKE_SA
(for instance, INVALID_KE_PAYLOAD or NO_PROPOSAL_CHOSEN). What
responder SPI value should be used in the IKE_SA_INIT response in
this case?
Since the IKE_SA_INIT request always has a zero responder SPI, the
value will not be actually used by the initiator. Thus, we think
sending a zero value is correct also in this case.
If the responder sends a non-zero responder SPI, the initiator should
not reject the response only for that reason. However, when retrying
the IKE_SA_INIT request, the initiator will use a zero responder SPI,
as described in Section 3.1: "Responder’s SPI [...] This value MUST
be zero in the first message of an IKE Initial Exchange (including
repeats of that message including a cookie) [...]". We believe the
intent was to cover repeats of that message due to other reasons,
such as INVALID_KE_PAYLOAD, as well.
(References: "INVALID_KE_PAYLOAD and clarifications document" thread,
Sep-Oct 2005.)
2.2. Message IDs for IKE_SA_INIT Messages
The Message ID for IKE_SA_INIT messages is always zero. This
includes retries of the message due to responses such as COOKIE and
INVALID_KE_PAYLOAD.
This is because Message IDs are part of the IKE_SA state, and when
the responder replies to IKE_SA_INIT request with N(COOKIE) or
N(INVALID_KE_PAYLOAD), the responder does not allocate any state.
(References: "Question about N(COOKIE) and N(INVALID_KE_PAYLOAD)
combination" thread, Oct 2004. Tero Kivinen’s mail "Comments of
draft-eronen-ipsec-ikev2-clarifications-02.txt", 2005-04-05.)
2.3. Retransmissions of IKE_SA_INIT Requests
When a responder receives an IKE_SA_INIT request, it has to determine
whether the packet is a retransmission belonging to an existing
"half-open" IKE_SA (in which case the responder retransmits the same
response), or a new request (in which case the responder creates a
new IKE_SA and sends a fresh response).
The specification does not describe in detail how this determination
is done. In particular, it is not sufficient to use the initiator’s
SPI and/or IP address for this purpose: two different peers behind a
single NAT could choose the same initiator SPI (and the probability
of this happening is not necessarily small, since IKEv2 does not
require SPIs to be chosen randomly). Instead, the responder should
do the IKE_SA lookup using the whole packet or its hash (or at the
minimum, the Ni payload which is always chosen randomly).
For all other packets than IKE_SA_INIT requests, looking up right
IKE_SA is of course done based on the recipient’s SPI (either the
initiator or responder SPI depending on the value of the Initiator
bit in the IKE header).
2.4. Interaction of COOKIE and INVALID_KE_PAYLOAD
There are two common reasons why the initiator may have to retry the
IKE_SA_INIT exchange: the responder requests a cookie or wants a
different Diffie-Hellman group than was included in the KEi payload.
Both of these cases are quite simple alone, but it is not totally
obvious what happens when they occur at the same time, that is, the
IKE_SA_INIT exchange is retried several times.
The main question seems to be the following: if the initiator
receives a cookie from the responder, should it include the cookie in
only the next retry of the IKE_SA_INIT request, or in all subsequent
retries as well? Section 3.10.1 says that:
"This notification MUST be included in an IKE_SA_INIT request
retry if a COOKIE notification was included in the initial
response."
This could be interpreted as saying that when a cookie is received in
the initial response, it is included in all retries. On the other
hand, Section 2.6 says that:
"Initiators who receive such responses MUST retry the
IKE_SA_INIT with a Notify payload of type COOKIE containing
the responder supplied cookie data as the first payload and
all other payloads unchanged."
Including the same cookie in later retries makes sense only if the
"all other payloads unchanged" restriction applies only to the first
retry, but not to subsequent retries.
It seems that both interpretations can peacefully coexist. If the
initiator includes the cookie only in the next retry, one additional
roundtrip may be needed in some cases:
Initiator Responder
----------- -----------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE)
HDR(A,0), N(COOKIE), SAi1, KEi, Ni -->
<-- HDR(A,0), N(INVALID_KE_PAYLOAD)
HDR(A,0), SAi1, KEi’, Ni -->
<-- HDR(A,0), N(COOKIE’)
HDR(A,0), N(COOKIE’), SAi1, KEi’,Ni -->
<-- HDR(A,B), SAr1, KEr, Nr
An additional roundtrip is needed also if the initiator includes the
cookie in all retries, but the responder does not support this
functionality. For instance, if the responder includes the SAi1 and
KEi payloads in cookie calculation, it will reject the request by
sending a new cookie (see also Section 2.5 of this document for more
text about invalid cookies):
Initiator Responder
----------- -----------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE)
HDR(A,0), N(COOKIE), SAi1, KEi, Ni -->
<-- HDR(A,0), N(INVALID_KE_PAYLOAD)
HDR(A,0), N(COOKIE), SAi1, KEi’, Ni -->
<-- HDR(A,0), N(COOKIE’)
HDR(A,0), N(COOKIE’), SAi1, KEi’,Ni -->
<-- HDR(A,B), SAr1, KEr, Nr
If both peers support including the cookie in all retries, a slightly
shorter exchange can happen:
Initiator Responder
----------- -----------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE)
HDR(A,0), N(COOKIE), SAi1, KEi, Ni -->
<-- HDR(A,0), N(INVALID_KE_PAYLOAD)
HDR(A,0), N(COOKIE), SAi1, KEi’, Ni -->
<-- HDR(A,B), SAr1, KEr, Nr
This document recommends that implementations should support this
shorter exchange, but it must not be assumed the other peer also
supports the shorter exchange.
In theory, even this exchange has one unnecessary roundtrip, as both
the cookie and Diffie-Hellman group could be checked at the same
time:
Initiator Responder
----------- -----------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE),
N(INVALID_KE_PAYLOAD)
HDR(A,0), N(COOKIE), SAi1, KEi’,Ni -->
<-- HDR(A,B), SAr1, KEr, Nr
However, it is clear that this case is not allowed by the text in
Section 2.6, since "all other payloads" clearly includes the KEi
payload as well.
(References: "INVALID_KE_PAYLOAD and clarifications document" thread,
Sep-Oct 2005.)
2.5. Invalid Cookies
There has been some confusion what should be done when an IKE_SA_INIT
request containing an invalid cookie is received ("invalid" in the
sense that its contents do not match the value expected by the
responder).
The correct action is to ignore the cookie and process the message as
if no cookie had been included (usually this means sending a response
containing a new cookie). This is shown in Section 2.6 when it says
"The responder in that case MAY reject the message by sending another
response with a new cookie [...]".
Other possible actions, such as ignoring the whole request (or even
all requests from this IP address for some time), create strange
failure modes even in the absence of any malicious attackers and do
not provide any additional protection against DoS attacks.
(References: "Invalid Cookie" thread, Sep-Oct 2005.)
3. Authentication
3.1. Data Included in AUTH Payload Calculation
Section 2.15 describes how the AUTH payloads are calculated; this
calculation involves values prf(SK_pi,IDi’) and prf(SK_pr,IDr’). The
text describes the method in words, but does not give clear
definitions of what is signed or MACed (i.e., protected with a
message authentication code).
The initiator’s signed octets can be described as:
InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
RealMessage1 = RealIKEHDR | RestOfMessage1
NonceRPayload = PayloadHeader | NonceRData
InitiatorIDPayload = PayloadHeader | RestOfIDPayload
RestOfInitIDPayload = IDType | RESERVED | InitIDData
MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
The responder’s signed octets can be described as:
ResponderSignedOctets = RealMessage2 | NonceIData | MACedIDForR
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
RealMessage2 = RealIKEHDR | RestOfMessage2
NonceIPayload = PayloadHeader | NonceIData
ResponderIDPayload = PayloadHeader | RestOfIDPayload
RestOfRespIDPayload = IDType | RESERVED | InitIDData
MACedIDForR = prf(SK_pr, RestOfRespIDPayload)
3.2. Hash Function for RSA Signatures
Section 3.8 says that RSA digital signature is "Computed as specified
in section 2.15 using an RSA private key over a PKCS#1 padded hash."
Unlike IKEv1, IKEv2 does not negotiate a hash function for the
IKE_SA. The algorithm for signatures is selected by the signing
party who, in general, may not know beforehand what algorithms the
verifying party supports. Furthermore, [IKEv2ALG] does not say what
algorithms implementations are required or recommended to support.
This clearly has a potential for causing interoperability problems,
since authentication will fail if the signing party selects an
algorithm that is not supported by the verifying party, or not
acceptable according to the verifying party’s policy.
This document recommends that all implementations support SHA-1 and
use SHA-1 as the default hash function when generating the
signatures, unless there are good reasons (such as explicit manual
configuration) to believe that the peer supports something else.
Note that hash function collision attacks are not important for the
AUTH payloads, since they are not intended for third-party
verification, and the data includes fresh nonces. See [HashUse] for
more discussion about hash function attacks and IPsec.
Another reasonable choice would be to use the hash function that was
used by the CA when signing the peer certificate. However, this does
not guarantee that the IKEv2 peer would be able to validate the AUTH
payload, because the same code might not be used to validate
certificate signatures and IKEv2 message signatures, and these two
routines may support a different set of hash algorithms. The peer
could be configured with a fingerprint of the certificate, or
certificate validation could be performed by an external entity using
[SCVP]. Furthermore, not all CERT payloads types include a
signature, and the certificate could be signed with some algorithm
other than RSA.
Note that unlike IKEv1, IKEv2 uses the PKCS#1 v1.5 [PKCS1v20]
signature encoding method (see next section for details), which
includes the algorithm identifier for the hash algorithm. Thus, when
the verifying party receives the AUTH payload it can at least
determine which hash function was used.
(References: Magnus Alstrom’s mail "RE:", 2005-01-03. Pasi Eronen’s
reply, 2005-01-04. Tero Kivinen’s reply, 2005-01-04. "First draft
of IKEv2.1" thread, Dec 2005/Jan 2006.)
3.3. Encoding Method for RSA Signatures
Section 3.8 says that the RSA digital signature is "Computed as
specified in section 2.15 using an RSA private key over a PKCS#1
padded hash."
The PKCS#1 specification [PKCS1v21] defines two different encoding
methods (ways of "padding the hash") for signatures. However, the
Internet-Draft approved by the IESG had a reference to the older
PKCS#1 v2.0 [PKCS1v20]. That version has only one encoding method
for signatures (EMSA-PKCS1-v1_5), and thus there is no ambiguity.
Note that this encoding method is different from the encoding method
used in IKEv1. If future revisions of IKEv2 provide support for
other encoding methods (such as EMSA-PSS), they will be given new
Auth Method numbers.
(References: Pasi Eronen’s mail "RE:", 2005-01-04.)
3.4. Identification Type for EAP
Section 3.5 defines several different types for identification
payloads, including, e.g., ID_FQDN, ID_RFC822_ADDR, and ID_KEY_ID.
EAP [EAP] does not mandate the use of any particular type of
identifier, but often EAP is used with Network Access Identifiers
(NAIs) defined in [NAI]. Although NAIs look a bit like email
addresses (e.g., "joe@example.com"), the syntax is not exactly the
same as the syntax of email address in [RFC822]. This raises the
question of which identification type should be used.
This document recommends that ID_RFC822_ADDR identification type is
used for those NAIs that include the realm component. Therefore,
responder implementations should not attempt to verify that the
contents actually conform to the exact syntax given in [RFC822] or
[RFC2822], but instead should accept any reasonable looking NAI.
For NAIs that do not include the realm component, this document
recommends using the ID_KEY_ID identification type.
(References: "need your help on this IKEv2/i18n/EAP issue" and "IKEv2
identifier issue with EAP" threads, Aug 2004.)
3.5. Identity for Policy Lookups When Using EAP
When the initiator authentication uses EAP, it is possible that the
contents of the IDi payload is used only for AAA routing purposes and
selecting which EAP method to use. This value may be different from
the identity authenticated by the EAP method (see [EAP], Sections 5.1
and 7.3).
It is important that policy lookups and access control decisions use
the actual authenticated identity. Often the EAP server is
implemented in a separate AAA server that communicates with the IKEv2
responder using, e.g., RADIUS [RADEAP]. In this case, the
authenticated identity has to be sent from the AAA server to the
IKEv2 responder.
(References: Pasi Eronen’s mail "RE: Reauthentication in IKEv2",
2004-10-28. "Policy lookups" thread, Oct/Nov 2004. RFC 3748,
Section 7.3.)
3.6. Certificate Encoding Types
Section 3.6 defines a total of twelve different certificate encoding
types, and continues that "Specific syntax is for some of the
certificate type codes above is not defined in this document."
However, the text does not provide references to other documents that
would contain information about the exact contents and use of those
values.
Without this information, it is not possible to develop interoperable
implementations. Therefore, this document recommends that the
following certificate encoding values should not be used before new
specifications that specify their use are available.
PKCS #7 wrapped X.509 certificate 1
PGP Certificate 2
DNS Signed Key 3
Kerberos Token 6
SPKI Certificate 9
This document recommends that most implementations should use only
those values that are "MUST"/"SHOULD" requirements in [IKEv2]; i.e.,
"X.509 Certificate - Signature" (4), "Raw RSA Key" (11), "Hash and
URL of X.509 certificate" (12), and "Hash and URL of X.509 bundle"
(13).
Furthermore, Section 3.7 says that the "Certificate Encoding" field
for the Certificate Request payload uses the same values as for
Certificate payload. However, the contents of the "Certification
Authority" field are defined only for X.509 certificates (presumably
covering at least types 4, 10, 12, and 13). This document recommends
that other values should not be used before new specifications that
specify their use are available.
The "Raw RSA Key" type needs one additional clarification. Section
3.6 says it contains "a PKCS #1 encoded RSA key". What this means is
a DER-encoded RSAPublicKey structure from PKCS#1 [PKCS1v21].
3.7. Shared Key Authentication and Fixed PRF Key Size
Section 2.15 says that "If the negotiated prf takes a fixed-size key,
the shared secret MUST be of that fixed size". This statement is
correct: the shared secret must be of the correct size. If it is
not, it cannot be used; there is no padding, truncation, or other
processing involved to force it to that correct size.
This requirement means that it is difficult to use these pseudo-
random functions (PRFs) with shared key authentication. The authors
think this part of the specification was very poorly thought out, and
using PRFs with a fixed key size is likely to result in
interoperability problems. Thus, we recommend that such PRFs should
not be used with shared key authentication. PRF_AES128_XCBC
[RFC3664] originally used fixed key sizes; that RFC has been updated
to handle variable key sizes in [RFC4434].
Note that Section 2.13 also contains text that is related to PRFs
with fixed key size: "When the key for the prf function has fixed
length, the data provided as a key is truncated or padded with zeros
as necessary unless exceptional processing is explained following the
formula". However, this text applies only to the prf+ construction,
so it does not contradict the text in Section 2.15.
(References: Paul Hoffman’s mail "Re: ikev2-07: last nits",
2003-05-02. Hugo Krawczyk’s reply, 2003-05-12. Thread "Question
about PRFs with fixed size key", Jan 2005.)
3.8. EAP Authentication and Fixed PRF Key Size
As described in the previous section, PRFs with a fixed key size
require a shared secret of exactly that size. This restriction
applies also to EAP authentication. For instance, a PRF that
requires a 128-bit key cannot be used with EAP since [EAP] specifies
that the MSK is at least 512 bits long.
(References: Thread "Question about PRFs with fixed size key", Jan
2005.)
3.9. Matching ID Payloads to Certificate Contents
In IKEv1, there was some confusion about whether or not the
identities in certificates used to authenticate IKE were required to
match the contents of the ID payloads. The PKI4IPsec Working Group
produced the document [PKI4IPsec] which covers this topic in much
more detail. However, Section 3.5 of [IKEv2] explicitly says that
the ID payload "does not necessarily have to match anything in the
CERT payload".
3.10. Message IDs for IKE_AUTH Messages
According to Section 2.2, "The IKE_SA initial setup messages will
always be numbered 0 and 1." That is true when the IKE_AUTH exchange
does not use EAP. When EAP is used, each pair of messages has their
message numbers incremented. The first pair of AUTH messages will
have an ID of 1, the second will be 2, and so on.
(References: "Question about MsgID in AUTH exchange" thread, April
2005.)
4. Creating CHILD_SAs
4.1. Creating SAs with the CREATE_CHILD_SA Exchange
Section 1.3’s organization does not lead to clear understanding of
what is needed in which environment. The section can be reorganized
with subsections for each use of the CREATE_CHILD_SA exchange
(creating child SAs, rekeying IKE SAs, and rekeying child SAs.)
The new Section 1.3 with subsections and the above changes might look
like the following.
NEW-1.3 The CREATE_CHILD_SA Exchange
The CREATE_CHILD_SA Exchange is used to create new CHILD_SAs and
to rekey both IKE_SAs and CHILD_SAs. This exchange consists of
a single request/response pair, and some of its function was
referred to as a phase 2 exchange in IKEv1. It MAY be initiated
by either end of the IKE_SA after the initial exchanges are
completed.
All messages following the initial exchange are
cryptographically protected using the cryptographic algorithms
and keys negotiated in the first two messages of the IKE
exchange. These subsequent messages use the syntax of the
Encrypted Payload described in section 3.14. All subsequent
messages include an Encrypted Payload, even if they are referred
to in the text as "empty".
The CREATE_CHILD_SA is used for rekeying IKE_SAs and CHILD_SAs.
This section describes the first part of rekeying, the creation
of new SAs; Section 2.8 covers the mechanics of rekeying,
including moving traffic from old to new SAs and the deletion of
the old SAs. The two sections must be read together to
understand the entire process of rekeying.
Either endpoint may initiate a CREATE_CHILD_SA exchange, so in
this section the term initiator refers to the endpoint
initiating this exchange. An implementation MAY refuse all
CREATE_CHILD_SA requests within an IKE_SA.
The CREATE_CHILD_SA request MAY optionally contain a KE payload
for an additional Diffie-Hellman exchange to enable stronger
guarantees of forward secrecy for the CHILD_SA or IKE_SA. The
keying material for the SA is a function of SK_d established
during the establishment of the IKE_SA, the nonces exchanged
during the CREATE_CHILD_SA exchange, and the Diffie-Hellman
value (if KE payloads are included in the CREATE_CHILD_SA
exchange). The details are described in sections 2.17 and 2.18.
If a CREATE_CHILD_SA exchange includes a KEi payload, at least
one of the SA offers MUST include the Diffie-Hellman group of
the KEi. The Diffie-Hellman group of the KEi MUST be an element
of the group the initiator expects the responder to accept
(additional Diffie-Hellman groups can be proposed). If the
responder rejects the Diffie-Hellman group of the KEi payload,
the responder MUST reject the request and indicate its preferred
Diffie-Hellman group in the INVALID_KE_PAYLOAD Notification
payload. In the case of such a rejection, the CREATE_CHILD_SA
exchange fails, and the initiator SHOULD retry the exchange with
a Diffie-Hellman proposal and KEi in the group that the
responder gave in the INVALID_KE_PAYLOAD.
NEW-1.3.1 Creating New CHILD_SAs with the CREATE_CHILD_SA Exchange
A CHILD_SA may be created by sending a CREATE_CHILD_SA request.
The CREATE_CHILD_SA request for creating a new CHILD_SA is:
Initiator Responder
----------- -----------
HDR, SK {[N+], SA, Ni, [KEi],
TSi, TSr} -->
The initiator sends SA offer(s) in the SA payload, a nonce in
the Ni payload, optionally a Diffie-Hellman value in the KEi
payload, and the proposed traffic selectors for the proposed
CHILD_SA in the TSi and TSr payloads. The request can also
contain Notify payloads that specify additional details for the
CHILD_SA: these include IPCOMP_SUPPORTED, USE_TRANSPORT_MODE,
ESP_TFC_PADDING_NOT_SUPPORTED, and NON_FIRST_FRAGMENTS_ALSO.
The CREATE_CHILD_SA response for creating a new CHILD_SA is:
<-- HDR, SK {[N+], SA, Nr,
[KEr], TSi, TSr}
The responder replies with the accepted offer in an SA payload,
and a Diffie-Hellman value in the KEr payload if KEi was
included in the request and the selected cryptographic suite
includes that group. As with the request, optional Notification
payloads can specify additional details for the CHILD_SA.
The traffic selectors for traffic to be sent on that SA are
specified in the TS payloads in the response, which may be a
subset of what the initiator of the CHILD_SA proposed.
The text about rekeying SAs can be found in Section 5.1 of this
document.
4.2. Creating an IKE_SA without a CHILD_SA
CHILD_SAs can be created either by being piggybacked on the IKE_AUTH
exchange, or using a separate CREATE_CHILD_SA exchange. The
specification is not clear about what happens if creating the
CHILD_SA during the IKE_AUTH exchange fails for some reason.
Our recommendation in this situation is that the IKE_SA is created as
usual. This is also in line with how the CREATE_CHILD_SA exchange
works: a failure to create a CHILD_SA does not close the IKE_SA.
The list of responses in the IKE_AUTH exchange that do not prevent an
IKE_SA from being set up include at least the following:
NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED,
INTERNAL_ADDRESS_FAILURE, and FAILED_CP_REQUIRED.
(References: "Questions about internal address" thread, April 2005.)
4.3. Diffie-Hellman for First CHILD_SA
Section 1.2 shows that IKE_AUTH messages do not contain KEi/KEr or
Ni/Nr payloads. This implies that the SA payload in IKE_AUTH
exchange cannot contain Transform Type 4 (Diffie-Hellman Group) with
any other value than NONE. Implementations should probably leave the
transform out entirely in this case.
4.4. Extended Sequence Numbers (ESN) Transform
The description of the ESN transform in Section 3.3 has be proved
difficult to understand. The ESN transform has the following
meaning:
o A proposal containing one ESN transform with value 0 means "do not
use extended sequence numbers".
o A proposal containing one ESN transform with value 1 means "use
extended sequence numbers".
o A proposal containing two ESN transforms with values 0 and 1 means
"I support both normal and extended sequence numbers, you choose".
(Obviously this case is only allowed in requests; the response
will contain only one ESN transform.)
In most cases, the exchange initiator will include either the first
or third alternative in its SA payload. The second alternative is
rarely useful for the initiator: it means that using normal sequence
numbers is not acceptable (so if the responder does not support ESNs,
the exchange will fail with NO_PROPOSAL_CHOSEN).
Note that including the ESN transform is mandatory when creating
ESP/AH SAs (it was optional in earlier drafts of the IKEv2
specification).
(References: "Technical change needed to IKEv2 before publication",
"STRAW POLL: Dealing with the ESN negotiation interop issue in IKEv2"
and "Results of straw poll regarding: IKEv2 interoperability issue"
threads, March-April 2005.)
4.5. Negotiation of ESP_TFC_PADDING_NOT_SUPPORTED
The description of ESP_TFC_PADDING_NOT_SUPPORTED notification in
Section 3.10.1 says that "This notification asserts that the sending
endpoint will NOT accept packets that contain Flow Confidentiality
(TFC) padding".
However, the text does not say in which messages this notification
should be included, or whether the scope of this notification is a
single CHILD_SA or all CHILD_SAs of the peer.
Our interpretation is that the scope is a single CHILD_SA, and thus
this notification is included in messages containing an SA payload
negotiating a CHILD_SA. If neither endpoint accepts TFC padding,
this notification will be included in both the request proposing an
SA and the response accepting it. If this notification is included
in only one of the messages, TFC padding can still be sent in one
direction.
4.6. Negotiation of NON_FIRST_FRAGMENTS_ALSO
NON_FIRST_FRAGMENTS_ALSO notification is described in Section 3.10.1
simply as "Used for fragmentation control. See [RFC4301] for
explanation."
[RFC4301] says "Implementations that will transmit non-initial
fragments on a tunnel mode SA that makes use of non-trivial port (or
ICMP type/code or MH type) selectors MUST notify a peer via the IKE
NOTIFY NON_FIRST_FRAGMENTS_ALSO payload. The peer MUST reject this
proposal if it will not accept non-initial fragments in this context.
If an implementation does not successfully negotiate transmission of
non-initial fragments for such an SA, it MUST NOT send such fragments
over the SA."
However, it is not clear exactly how the negotiation works. Our
interpretation is that the negotiation works the same way as for
IPCOMP_SUPPORTED and USE_TRANSPORT_MODE: sending non-first fragments
is enabled only if NON_FIRST_FRAGMENTS_ALSO notification is included
in both the request proposing an SA and the response accepting it.
In other words, if the peer "rejects this proposal", it only omits
NON_FIRST_FRAGMENTS_ALSO notification from the response, but does not
reject the whole CHILD_SA creation.
4.7. Semantics of Complex Traffic Selector Payloads
As described in Section 3.13, the TSi/TSr payloads can include one or
more individual traffic selectors.
There is no requirement that TSi and TSr contain the same number of
individual traffic selectors. Thus, they are interpreted as follows:
a packet matches a given TSi/TSr if it matches at least one of the
individual selectors in TSi, and at least one of the individual
selectors in TSr.
For instance, the following traffic selectors:
TSi = ((17, 100, 192.0.1.66-192.0.1.66),
(17, 200, 192.0.1.66-192.0.1.66))
TSr = ((17, 300, 0.0.0.0-255.255.255.255),
(17, 400, 0.0.0.0-255.255.255.255))
would match UDP packets from 192.0.1.66 to anywhere, with any of the
four combinations of source/destination ports (100,300), (100,400),
(200,300), and (200, 400).
This implies that some types of policies may require several CHILD_SA
pairs. For instance, a policy matching only source/destination ports
(100,300) and (200,400), but not the other two combinations, cannot
be negotiated as a single CHILD_SA pair using IKEv2.
(References: "IKEv2 Traffic Selectors?" thread, Feb 2005.)
4.8. ICMP Type/Code in Traffic Selector Payloads
The traffic selector types 7 and 8 can also refer to ICMP type and
code fields. As described in Section 3.13.1, "For the ICMP protocol,
the two one-octet fields Type and Code are treated as a single 16-bit
integer (with Type in the most significant eight bits and Code in the
least significant eight bits) port number for the purposes of
filtering based on this field."
Since ICMP packets do not have separate source and destination port
fields, there is some room for confusion what exactly the four TS
payloads (two in the request, two in the response, each containing
both start and end port fields) should contain.
The answer to this question can be found from [RFC4301] Section
4.4.1.3.
To give a concrete example, if a host at 192.0.1.234 wants to create
a transport mode SA for sending "Destination Unreachable" packets
(ICMPv4 type 3) to 192.0.2.155, but is not willing to receive them
over this SA pair, the CREATE_CHILD_SA exchange would look like this:
Initiator Responder
----------- -----------
HDR, SK { N(USE_TRANSPORT_MODE), SA, Ni,
TSi(1, 0x0300-0x03FF, 192.0.1.234-192.0.1.234),
TSr(1, 65535-0, 192.0.2.155-192.0.2.155) } -->
<-- HDR, SK { N(USE_TRANSPORT_MODE), SA, Nr,
TSi(1, 0x0300-0x03FF, 192.0.1.234-192.0.1.234),
TSr(1, 65535-0, 192.0.2.155-192.0.2.155) }
Since IKEv2 always creates IPsec SAs in pairs, two SAs are also
created in this case, even though the second SA is never used for
data traffic.
An exchange creating an SA pair that can be used both for sending and
receiving "Destination Unreachable" places the same value in all the
port:
Initiator Responder
----------- -----------
HDR, SK { N(USE_TRANSPORT_MODE), SA, Ni,
TSi(1, 0x0300-0x03FF, 192.0.1.234-192.0.1.234),
TSr(1, 0x0300-0x03FF, 192.0.2.155-192.0.2.155) } -->
<-- HDR, SK { N(USE_TRANSPORT_MODE), SA, Nr,
TSi(1, 0x0300-0x03FF, 192.0.1.234-192.0.1.234),
TSr(1, 0x0300-0x03FF, 192.0.2.155-192.0.2.155) }
(References: "ICMP and MH TSs for IKEv2" thread, Sep 2005.)
4.9. Mobility Header in Traffic Selector Payloads
Traffic selectors can use IP Protocol ID 135 to match the IPv6
mobility header [MIPv6]. However, the IKEv2 specification does not
define how to represent the "MH Type" field in traffic selectors.
At some point, it was expected that this will be defined in a
separate document later. However, [RFC4301] says that "For IKE, the
IPv6 mobility header message type (MH type) is placed in the most
significant eight bits of the 16 bit local "port" selector". The
direction semantics of TSi/TSr port fields are the same as for ICMP
and are described in the previous section.
(References: Tero Kivinen’s mail "Issue #86: Add IPv6 mobility header
message type as selector", 2003-10-14. "ICMP and MH TSs for IKEv2"
thread, Sep 2005.)
4.10. Narrowing the Traffic Selectors
Section 2.9 describes how traffic selectors are negotiated when
creating a CHILD_SA. A more concise summary of the narrowing process
is presented below.
o If the responder’s policy does not allow any part of the traffic
covered by TSi/TSr, it responds with TS_UNACCEPTABLE.
o If the responder’s policy allows the entire set of traffic covered
by TSi/TSr, no narrowing is necessary, and the responder can
return the same TSi/TSr values.
o Otherwise, narrowing is needed. If the responder’s policy allows
all traffic covered by TSi[1]/TSr[1] (the first traffic selectors
in TSi/TSr) but not entire TSi/TSr, the responder narrows to an
acceptable subset of TSi/TSr that includes TSi[1]/TSr[1].
o If the responder’s policy does not allow all traffic covered by
TSi[1]/TSr[1], but does allow some parts of TSi/TSr, it narrows to
an acceptable subset of TSi/TSr.
In the last two cases, there may be several subsets that are
acceptable (but their union is not); in this case, the responder
arbitrarily chooses one of them and includes ADDITIONAL_TS_POSSIBLE
notification in the response.
4.11. SINGLE_PAIR_REQUIRED
The description of the SINGLE_PAIR_REQUIRED notify payload in
Sections 2.9 and 3.10.1 is not fully consistent.
We do not attempt to describe this payload in this document either,
since it is expected that most implementations will not have policies
that require separate SAs for each address pair.
Thus, if only some part (or parts) of the TSi/TSr proposed by the
initiator is (are) acceptable to the responder, most responders
should simply narrow TSi/TSr to an acceptable subset (as described in
the last two paragraphs of Section 2.9), rather than use
SINGLE_PAIR_REQUIRED.
4.12. Traffic Selectors Violating Own Policy
Section 2.9 describes traffic selector negotiation in great detail.
One aspect of this negotiation that may need some clarification is
that when creating a new SA, the initiator should not propose traffic
selectors that violate its own policy. If this rule is not followed,
valid traffic may be dropped.
This is best illustrated by an example. Suppose that host A has a
policy whose effect is that traffic to 192.0.1.66 is sent via host B
encrypted using Advanced Encryption Standard (AES), and traffic to
all other hosts in 192.0.1.0/24 is also sent via B, but encrypted
using Triple Data Encryption Standard (3DES). Suppose also that host
B accepts any combination of AES and 3DES.
If host A now proposes an SA that uses 3DES, and includes TSr
containing (192.0.1.0-192.0.1.0.255), this will be accepted by host
B. Now, host B can also use this SA to send traffic from 192.0.1.66,
but those packets will be dropped by A since it requires the use of
AES for those traffic. Even if host A creates a new SA only for
192.0.1.66 that uses AES, host B may freely continue to use the first
SA for the traffic. In this situation, when proposing the SA, host A
should have followed its own policy, and included a TSr containing
((192.0.1.0-192.0.1.65),(192.0.1.67-192.0.1.255)) instead.
In general, if (1) the initiator makes a proposal "for traffic X
(TSi/TSr), do SA", and (2) for some subset X’ of X, the initiator
does not actually accept traffic X’ with SA, and (3) the initiator
would be willing to accept traffic X’ with some SA’ (!=SA), valid
traffic can be unnecessarily dropped since the responder can apply
either SA or SA’ to traffic X’.
(References: "Question about "narrowing" ..." thread, Feb 2005.
"IKEv2 needs a "policy usage mode"..." thread, Feb 2005. "IKEv2
Traffic Selectors?" thread, Feb 2005. "IKEv2 traffic selector
negotiation examples", 2004-08-08.)
4.13. Traffic Selector Authorization
IKEv2 relies on information in the Peer Authorization Database (PAD)
when determining what kind of IPsec SAs a peer is allowed to create.
This process is described in [RFC4301] Section 4.4.3. When a peer
requests the creation of an IPsec SA with some traffic selectors, the
PAD must contain "Child SA Authorization Data" linking the identity
authenticated by IKEv2 and the addresses permitted for traffic
selectors.
For example, the PAD might be configured so that authenticated
identity "sgw23.example.com" is allowed to create IPsec SAs for
192.0.2.0/24, meaning this security gateway is a valid
"representative" for these addresses. Host-to-host IPsec requires
similar entries, linking, for example, "fooserver4.example.com" with
192.0.1.66/32, meaning this identity a valid "owner" or
"representative" of the address in question.
As noted in [RFC4301], "It is necessary to impose these constraints
on creation of child SAs to prevent an authenticated peer from
spoofing IDs associated with other, legitimate peers." In the
example given above, a correct configuration of the PAD prevents
sgw23 from creating IPsec SAs with address 192.0.1.66 and prevents
fooserver4 from creating IPsec SAs with addresses from 192.0.2.0/24.
It is important to note that simply sending IKEv2 packets using some
particular address does not imply a permission to create IPsec SAs
with that address in the traffic selectors. For example, even if
sgw23 would be able to spoof its IP address as 192.0.1.66, it could
not create IPsec SAs matching fooserver4’s traffic.
The IKEv2 specification does not specify how exactly IP address
assignment using configuration payloads interacts with the PAD. Our
interpretation is that when a security gateway assigns an address
using configuration payloads, it also creates a temporary PAD entry
linking the authenticated peer identity and the newly allocated inner
address.
It has been recognized that configuring the PAD correctly may be
difficult in some environments. For instance, if IPsec is used
between a pair of hosts whose addresses are allocated dynamically
using Dynamic Host Configuration Protocol (DHCP), it is extremely
difficult to ensure that the PAD specifies the correct "owner" for
each IP address. This would require a mechanism to securely convey
address assignments from the DHCP server and link them to identities
authenticated using IKEv2.
Due to this limitation, some vendors have been known to configure
their PADs to allow an authenticated peer to create IPsec SAs with
traffic selectors containing the same address that was used for the
IKEv2 packets. In environments where IP spoofing is possible (i.e.,
almost everywhere) this essentially allows any peer to create IPsec
SAs with any traffic selectors. This is not an appropriate or secure
configuration in most circumstances. See [Aura05] for an extensive
discussion about this issue, and the limitations of host-to-host
IPsec in general.
5. Rekeying and Deleting SAs
5.1. Rekeying SAs with the CREATE_CHILD_SA Exchange
Continued from Section 4.1 of this document.
NEW-1.3.2 Rekeying IKE_SAs with the CREATE_CHILD_SA Exchange
The CREATE_CHILD_SA request for rekeying an IKE_SA is:
Initiator Responder
----------- -----------
HDR, SK {SA, Ni, [KEi]} -->
The initiator sends SA offer(s) in the SA payload, a nonce in
the Ni payload, and optionally a Diffie-Hellman value in the KEi
payload.
The CREATE_CHILD_SA response for rekeying an IKE_SA is:
<-- HDR, SK {SA, Nr, [KEr]}
The responder replies (using the same Message ID to respond)
with the accepted offer in an SA payload, a nonce in the Nr
payload, and, optionally, a Diffie-Hellman value in the KEr
payload.
The new IKE_SA has its message counters set to 0, regardless of
what they were in the earlier IKE_SA. The window size starts at
1 for any new IKE_SA. The new initiator and responder SPIs are
supplied in the SPI fields of the SA payloads.
NEW-1.3.3 Rekeying CHILD_SAs with the CREATE_CHILD_SA Exchange
The CREATE_CHILD_SA request for rekeying a CHILD_SA is:
Initiator Responder
----------- -----------
HDR, SK {N(REKEY_SA), [N+], SA,
Ni, [KEi], TSi, TSr} -->
The leading Notify payload of type REKEY_SA identifies the
CHILD_SA being rekeyed, and it contains the SPI that the initiator
expects in the headers of inbound packets. In addition, the
initiator sends SA offer(s) in the SA payload, a nonce in the Ni
payload, optionally a Diffie-Hellman value in the KEi payload,
and the proposed traffic selectors in the TSi and TSr payloads.
The request can also contain Notify payloads that specify
additional details for the CHILD_SA.
The CREATE_CHILD_SA response for rekeying a CHILD_SA is:
<-- HDR, SK {[N+], SA, Nr,
[KEr], TSi, TSr}
The responder replies with the accepted offer in an SA payload,
and a Diffie-Hellman value in the KEr payload if KEi was
included in the request and the selected cryptographic suite
includes that group.
The traffic selectors for traffic to be sent on that SA are
specified in the TS payloads in the response, which may be a
subset of what the initiator of the CHILD_SA proposed.
5.2. Rekeying the IKE_SA vs. Reauthentication
Rekeying the IKE_SA and reauthentication are different concepts in
IKEv2. Rekeying the IKE_SA establishes new keys for the IKE_SA and
resets the Message ID counters, but it does not authenticate the
parties again (no AUTH or EAP payloads are involved).
While rekeying the IKE_SA may be important in some environments,
reauthentication (the verification that the parties still have access
to the long-term credentials) is often more important.
IKEv2 does not have any special support for reauthentication.
Reauthentication is done by creating a new IKE_SA from scratch (using
IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA notify
payloads), creating new CHILD_SAs within the new IKE_SA (without
REKEY_SA notify payloads), and finally deleting the old IKE_SA (which
deletes the old CHILD_SAs as well).
This means that reauthentication also establishes new keys for the
IKE_SA and CHILD_SAs. Therefore, while rekeying can be performed
more often than reauthentication, the situation where "authentication
lifetime" is shorter than "key lifetime" does not make sense.
While creation of a new IKE_SA can be initiated by either party
(initiator or responder in the original IKE_SA), the use of EAP
authentication and/or configuration payloads means in practice that
reauthentication has to be initiated by the same party as the
original IKE_SA. IKEv2 base specification does not allow the
responder to request reauthentication in this case; however, this
functionality is added in [ReAuth].
(References: "Reauthentication in IKEv2" thread, Oct/Nov 2004.)
5.3. SPIs When Rekeying the IKE_SA
Section 2.18 says that "New initiator and responder SPIs are supplied
in the SPI fields". This refers to the SPI fields in the Proposal
structures inside the Security Association (SA) payloads, not the SPI
fields in the IKE header.
(References: Tom Stiemerling’s mail "Rekey IKE SA", 2005-01-24.
Geoffrey Huang’s reply, 2005-01-24.)
5.4. SPI When Rekeying a CHILD_SA
Section 3.10.1 says that in REKEY_SA notifications, "The SPI field
identifies the SA being rekeyed."
Since CHILD_SAs always exist in pairs, there are two different SPIs.
The SPI placed in the REKEY_SA notification is the SPI the exchange
initiator would expect in inbound ESP or AH packets (just as in
Delete payloads).
5.5. Changing PRFs When Rekeying the IKE_SA
When rekeying the IKE_SA, Section 2.18 says that "SKEYSEED for the
new IKE_SA is computed using SK_d from the existing IKE_SA as
follows:
SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)"
If the old and new IKE_SA selected a different PRF, it is not totally
clear which PRF should be used.
Since the rekeying exchange belongs to the old IKE_SA, it is the old
IKE_SA’s PRF that is used. This also follows the principle that the
same key (the old SK_d) should not be used with multiple
cryptographic algorithms.
Note that this may work poorly if the new IKE_SA’s PRF has a fixed
key size, since the output of the PRF may not be of the correct size.
This supports our opinion earlier in the document that the use of
PRFs with a fixed key size is a bad idea.
(References: "Changing P |
您现在的位置: 
