draft-ietf-ipsecme-tcp-encaps-02.txt   draft-ietf-ipsecme-tcp-encaps-03.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track S. Touati Intended status: Standards Track S. Touati
Expires: February 18, 2017 Ericsson Expires: May 4, 2017 Ericsson
R. Mantha R. Mantha
Cisco Systems Cisco Systems
August 17, 2016 October 31, 2016
TCP Encapsulation of IKE and IPsec Packets TCP Encapsulation of IKE and IPsec Packets
draft-ietf-ipsecme-tcp-encaps-02 draft-ietf-ipsecme-tcp-encaps-03
Abstract Abstract
This document describes a method to transport IKE and IPsec packets This document describes a method to transport IKE and IPsec packets
over a TCP connection for traversing network middleboxes that may over a TCP connection for traversing network middleboxes that may
block IKE negotiation over UDP. This method, referred to as TCP block IKE negotiation over UDP. This method, referred to as TCP
encapsulation, involves sending both IKE packets for tunnel encapsulation, involves sending both IKE packets for tunnel
establishment as well as tunneled packets using ESP over a TCP establishment as well as tunneled packets using ESP over a TCP
connection. This method is intended to be used as a fallback option connection. This method is intended to be used as a fallback option
when IKE cannot be negotiated over UDP. when IKE cannot be negotiated over UDP.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 18, 2017. This Internet-Draft will expire on May 4, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Prior Work and Motivation . . . . . . . . . . . . . . . . 3 1.1. Prior Work and Motivation . . . . . . . . . . . . . . . . 3
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 4
2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 4
3. TCP-Encapsulated Header Formats . . . . . . . . . . . . . . . 5 3. TCP-Encapsulated Header Formats . . . . . . . . . . . . . . . 5
3.1. TCP-Encapsulated IKE Header Format . . . . . . . . . . . 5 3.1. TCP-Encapsulated IKE Header Format . . . . . . . . . . . 5
3.2. TCP-Encapsulated ESP Header Format . . . . . . . . . . . 6 3.2. TCP-Encapsulated ESP Header Format . . . . . . . . . . . 6
4. TCP-Encapsulated Stream Prefix . . . . . . . . . . . . . . . 6 4. TCP-Encapsulated Stream Prefix . . . . . . . . . . . . . . . 6
5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Connection Establishment and Teardown . . . . . . . . . . . . 7 5.1. Recommended Fallback from UDP . . . . . . . . . . . . . . 7
7. Interaction with NAT Detection Payloads . . . . . . . . . . . 8 6. Connection Establishment and Teardown . . . . . . . . . . . . 8
7. Interaction with NAT Detection Payloads . . . . . . . . . . . 9
8. Using MOBIKE with TCP encapsulation . . . . . . . . . . . . . 9 8. Using MOBIKE with TCP encapsulation . . . . . . . . . . . . . 9
9. Using IKE Message Fragmentation with TCP encapsulation . . . 9 9. Using IKE Message Fragmentation with TCP encapsulation . . . 10
10. Considerations for Keep-alives and DPD . . . . . . . . . . . 9 10. Considerations for Keep-alives and DPD . . . . . . . . . . . 10
11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 10 11. Middlebox Considerations . . . . . . . . . . . . . . . . . . 10
12. Performance Considerations . . . . . . . . . . . . . . . . . 10 12. Performance Considerations . . . . . . . . . . . . . . . . . 11
12.1. TCP-in-TCP . . . . . . . . . . . . . . . . . . . . . . . 10 12.1. TCP-in-TCP . . . . . . . . . . . . . . . . . . . . . . . 11
12.2. Added Reliability for Unreliable Protocols . . . . . . . 11 12.2. Added Reliability for Unreliable Protocols . . . . . . . 11
12.3. Quality of Service Markings . . . . . . . . . . . . . . 11 12.3. Quality of Service Markings . . . . . . . . . . . . . . 11
12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 11 12.4. Maximum Segment Size . . . . . . . . . . . . . . . . . . 11
13. Security Considerations . . . . . . . . . . . . . . . . . . . 11 13. Security Considerations . . . . . . . . . . . . . . . . . . . 12
14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
16.1. Normative References . . . . . . . . . . . . . . . . . . 12 16.1. Normative References . . . . . . . . . . . . . . . . . . 12
16.2. Informative References . . . . . . . . . . . . . . . . . 12 16.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 13 Appendix A. Using TCP encapsulation with TLS . . . . . . . . . . 14
Appendix B. Example exchanges of TCP Encapsulation with TLS . . 14 Appendix B. Example exchanges of TCP Encapsulation with TLS . . 14
B.1. Establishing an IKE session . . . . . . . . . . . . . . . 14 B.1. Establishing an IKE session . . . . . . . . . . . . . . . 14
B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 16 B.2. Deleting an IKE session . . . . . . . . . . . . . . . . . 16
B.3. Re-establishing an IKE session . . . . . . . . . . . . . 17 B.3. Re-establishing an IKE session . . . . . . . . . . . . . 17
B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 18 B.4. Using MOBIKE between UDP and TCP Encapsulation . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
IKEv2 [RFC7296] is a protocol for establishing IPsec tunnels, using IKEv2 [RFC7296] is a protocol for establishing IPsec tunnels, using
skipping to change at page 5, line 34 skipping to change at page 5, line 34
Authentication Header (AH) messages are not supported for TCP Authentication Header (AH) messages are not supported for TCP
encapsulation. encapsulation.
Although a TCP stream may be able to send very long messages, Although a TCP stream may be able to send very long messages,
implementations SHOULD limit message lengths to typical UDP datagram implementations SHOULD limit message lengths to typical UDP datagram
ESP payload lengths. The maximum message length is used as the ESP payload lengths. The maximum message length is used as the
effective MTU for connections that are being encrypted using ESP, so effective MTU for connections that are being encrypted using ESP, so
the maximum message length will influence characteristics of inner the maximum message length will influence characteristics of inner
connections, such as the TCP Maximum Segment Size (MSS). connections, such as the TCP Maximum Segment Size (MSS).
Note that this method of encapsulation will also work for placing IKE
and ESP messages within any protocol that presents a stream
abstraction, beyond TCP.
3.1. TCP-Encapsulated IKE Header Format 3.1. TCP-Encapsulated IKE Header Format
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Non-ESP Marker | | Non-ESP Marker |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
skipping to change at page 7, line 37 skipping to change at page 7, line 40
different IP addresses when connecting by Fully-Qualified Domain different IP addresses when connecting by Fully-Qualified Domain
Name, or endpoints used with IKE redirection), all of the endpoints Name, or endpoints used with IKE redirection), all of the endpoints
equally support TCP encapsulation. equally support TCP encapsulation.
If TCP encapsulation is being used for a specific IKE SA, all If TCP encapsulation is being used for a specific IKE SA, all
messages for that IKE SA and its Child SAs MUST be sent over a TCP messages for that IKE SA and its Child SAs MUST be sent over a TCP
connection until the SA is deleted or MOBIKE is used to change the SA connection until the SA is deleted or MOBIKE is used to change the SA
endpoints and/or encapsulation protocol. See Section 8 for more endpoints and/or encapsulation protocol. See Section 8 for more
details on using MOBIKE to transition between encapsulation modes. details on using MOBIKE to transition between encapsulation modes.
5.1. Recommended Fallback from UDP
Since UDP is the preferred method of transport for IKE messages,
implementations that use TCP encapsulation should have an algorithm
for deciding when to use TCP after determining that UDP is unusable.
If an initiator implementation has no prior knowledge about the
network it is on and the status of UDP on that network, it SHOULD
always attempt negotiate IKE over UDP first. IKEv2 defines how to
use retransmission timers with IKE messages, and IKE_SA_INIT messages
specifically [RFC7296]. Generally, this means that the
implementation will define a frequency of retransmission, and the
maximum number of retransmissions allowed before marking the IKE SA
as failed. An implementation can attempt negotiation over TCP once
it has hit the maximum retransmissions over UDP, or slightly before
to reduce connection setup delays. It is recommended that the
initial message over UDP is retransmitted at least once before
falling back to TCP, unless the initiator knows beforehand that the
network is likely to block UDP.
6. Connection Establishment and Teardown 6. Connection Establishment and Teardown
When the IKE initiator uses TCP encapsulation for its negotiation, it When the IKE initiator uses TCP encapsulation for its negotiation, it
will initiate a TCP connection to the responder using the configured will initiate a TCP connection to the responder using the configured
TCP port. The first bytes sent on the stream MUST be the stream TCP port. The first bytes sent on the stream MUST be the stream
prefix value [Section 4]. After this prefix, encapsulated IKE prefix value [Section 4]. After this prefix, encapsulated IKE
messages will negotiate the IKE SA and initial Child SA [RFC7296]. messages will negotiate the IKE SA and initial Child SA [RFC7296].
After this point, both encapsulated IKE Figure 1 and ESP Figure 2 After this point, both encapsulated IKE Figure 1 and ESP Figure 2
messages will be sent over the TCP connection. messages will be sent over the TCP connection.
skipping to change at page 8, line 35 skipping to change at page 9, line 9
message. If the session had been fully established previously, it is message. If the session had been fully established previously, it is
suggested that the initiator send an UPDATE_SA_ADDRESSES message if suggested that the initiator send an UPDATE_SA_ADDRESSES message if
MOBIKE is supported, or an INFORMATIONAL message (a keepalive) MOBIKE is supported, or an INFORMATIONAL message (a keepalive)
otherwise. If either initiator or responder receives a stream that otherwise. If either initiator or responder receives a stream that
cannot be parsed correctly, it MUST close the TCP connection. cannot be parsed correctly, it MUST close the TCP connection.
Multiple TCP connections between the initiator and the responder are Multiple TCP connections between the initiator and the responder are
allowed, but their use must take into account the initiator allowed, but their use must take into account the initiator
capabilities and the deployment model such as to connect to multiple capabilities and the deployment model such as to connect to multiple
gateways handling different ESP SAs when deployed in a high gateways handling different ESP SAs when deployed in a high
availability model. It is also possible to negotiate multiple IKE availability model. If multiple TCP connections are used,
SAs over the same TCP connection. implementations SHOULD allow receiving any IKE or ESP SA over any of
the TCP connections, not enforcing any strict mapping. It is also
possible to negotiate multiple IKE SAs over the same TCP connection
in order to reduce the number of connections between the two peers.
The processing of the TCP packets is the same whether its within a The processing of the TCP-encapsulated IKE and ESP packets is the
single or multiple TCP connections. same when using either a single TCP connection or multiple TCP
connections.
7. Interaction with NAT Detection Payloads 7. Interaction with NAT Detection Payloads
When negotiating over UDP port 500, IKE_SA_INIT packets include When negotiating over UDP port 500, IKE_SA_INIT packets include
NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to
determine if UDP encapsulation of IPsec packets should be used. determine if UDP encapsulation of IPsec packets should be used.
These payloads contain SHA-1 digests of the SPIs, IP addresses, and These payloads contain SHA-1 digests of the SPIs, IP addresses, and
ports. IKE_SA_INIT packets sent on a TCP connection SHOULD include ports. IKE_SA_INIT packets sent on a TCP connection SHOULD include
these payloads, and SHOULD use the applicable TCP ports when creating these payloads, and SHOULD use the applicable TCP ports when creating
and checking the SHA-1 digests. and checking the SHA-1 digests.
 End of changes. 13 change blocks. 
18 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/