draft-ietf-ipsecme-tcp-encaps-07.txt   draft-ietf-ipsecme-tcp-encaps-08.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track S. Touati Intended status: Standards Track S. Touati
Expires: August 13, 2017 Ericsson Expires: August 31, 2017 Ericsson
R. Mantha R. Mantha
Cisco Systems Cisco Systems
February 9, 2017 February 27, 2017
TCP Encapsulation of IKE and IPsec Packets TCP Encapsulation of IKE and IPsec Packets
draft-ietf-ipsecme-tcp-encaps-07 draft-ietf-ipsecme-tcp-encaps-08
Abstract Abstract
This document describes a method to transport IKE and IPsec packets This document describes a method to transport IKE and IPsec packets
over a TCP connection for traversing network middleboxes that may over a TCP connection for traversing network middleboxes that may
block IKE negotiation over UDP. This method, referred to as TCP block IKE negotiation over UDP. This method, referred to as TCP
encapsulation, involves sending both IKE packets for Security encapsulation, involves sending both IKE packets for Security
Association establishment and ESP packets over a TCP connection. Association establishment and ESP packets over a TCP connection.
This method is intended to be used as a fallback option when IKE This method is intended to be used as a fallback option when IKE
cannot be negotiated over UDP. cannot be negotiated over UDP.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2017. This Internet-Draft will expire on August 31, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 11 skipping to change at page 5, line 11
TCP encapsulation is not specifically negotiated in the IKE exchange. TCP encapsulation is not specifically negotiated in the IKE exchange.
Instead, support for TCP encapsulation must be pre-configured on both Instead, support for TCP encapsulation must be pre-configured on both
the TCP Originator and the TCP Responder. the TCP Originator and the TCP Responder.
The configuration defined on each peer should include the following The configuration defined on each peer should include the following
parameters: parameters:
o One or more TCP ports on which the TCP Responder will listen for o One or more TCP ports on which the TCP Responder will listen for
incoming connections. Note that the TCP Originator may initiate incoming connections. Note that the TCP Originator may initiate
TCP connections to the TCP Responder from any local port. The TCP connections to the TCP Responder from any local port. The
ports on which the TCP Responder listens will likey be based on ports on which the TCP Responder listens will likely be based on
the ports commonly allowed on restricted networks. the ports commonly allowed on restricted networks.
o Optionally, an extra framing protocol to use on top of TCP to o Optionally, an extra framing protocol to use on top of TCP to
further encapsulate the stream of IKE and IPsec packets. See further encapsulate the stream of IKE and IPsec packets. See
Appendix A for a detailed discussion. Appendix A for a detailed discussion.
This document leaves the selection of TCP ports up to This document leaves the selection of TCP ports up to
implementations. It is suggested to use TCP port 4500, which is implementations. It is suggested to use TCP port 4500, which is
allocated for IPsec NAT Traversal. allocated for IPsec NAT Traversal.
skipping to change at page 9, line 29 skipping to change at page 9, line 29
from an encapsulated IKE message or the ESP SPI from an encapsulated from an encapsulated IKE message or the ESP SPI from an encapsulated
ESP message. If the session had been fully established previously, ESP message. If the session had been fully established previously,
it is suggested that the TCP Originator send an UPDATE_SA_ADDRESSES it is suggested that the TCP Originator send an UPDATE_SA_ADDRESSES
message if MOBIKE is supported, or an INFORMATIONAL message (a message if MOBIKE is supported, or an INFORMATIONAL message (a
keepalive) otherwise. If either TCP Originator or TCP Responder keepalive) otherwise. If either TCP Originator or TCP Responder
receives a stream that cannot be parsed correctly (for example, if receives a stream that cannot be parsed correctly (for example, if
the TCP Originator stream is missing the stream prefix, or message the TCP Originator stream is missing the stream prefix, or message
frames are not parsable as IKE or ESP messages), it MUST close the frames are not parsable as IKE or ESP messages), it MUST close the
TCP connection. If there is instead a syntax issue within an IKE TCP connection. If there is instead a syntax issue within an IKE
message, an implementation MUST send the INVALID_SYNTAX notify message, an implementation MUST send the INVALID_SYNTAX notify
payload and tear down the IKE SA as ususal, rather than tearing down payload and tear down the IKE SA as usual, rather than tearing down
the TCP connection directly. the TCP connection directly.
An TCP Originator SHOULD only open one TCP connection per IKE SA, An TCP Originator SHOULD only open one TCP connection per IKE SA,
over which it sends all of the corresponding IKE and ESP messages. over which it sends all of the corresponding IKE and ESP messages.
This helps ensure that any firewall or NAT mappings allocated for the This helps ensure that any firewall or NAT mappings allocated for the
TCP connection apply to all of the traffic associated with the IKE SA TCP connection apply to all of the traffic associated with the IKE SA
equally. equally.
Similarly, a TCP Responder SHOULD at any given time send packets for Similarly, a TCP Responder SHOULD at any given time send packets for
an IKE SA and its Child SAs over only one TCP connection. It SHOULD an IKE SA and its Child SAs over only one TCP connection. It SHOULD
skipping to change at page 11, line 13 skipping to change at page 11, line 13
if a connection on a previous network did not use TCP encapsulation. if a connection on a previous network did not use TCP encapsulation.
9. Using IKE Message Fragmentation with TCP encapsulation 9. Using IKE Message Fragmentation with TCP encapsulation
IKE Message Fragmentation [RFC7383] is not required when using TCP IKE Message Fragmentation [RFC7383] is not required when using TCP
encapsulation, since a TCP stream already handles the fragmentation encapsulation, since a TCP stream already handles the fragmentation
of its contents across packets. Since fragmentation is redundant in of its contents across packets. Since fragmentation is redundant in
this case, implementations might choose to not negotiate IKE this case, implementations might choose to not negotiate IKE
fragmentation. Even if fragmentation is negotiated, an fragmentation. Even if fragmentation is negotiated, an
implementation SHOULD NOT send fragments when going over a TCP implementation SHOULD NOT send fragments when going over a TCP
connection, although it MUST support receiving fragements. connection, although it MUST support receiving fragments.
If an implementation supports both MOBIKE and IKE fragmentation, it If an implementation supports both MOBIKE and IKE fragmentation, it
SHOULD negotiate IKE fragmentation over a TCP encapsulated session in SHOULD negotiate IKE fragmentation over a TCP encapsulated session in
case the session switches to UDP encapsulation on another network. case the session switches to UDP encapsulation on another network.
10. Considerations for Keep-alives and DPD 10. Considerations for Keep-alives and DPD
Encapsulating IKE and IPsec inside of a TCP connection can impact the Encapsulating IKE and IPsec inside of a TCP connection can impact the
strategy that implementations use to detect peer liveness and to strategy that implementations use to detect peer liveness and to
maintain middlebox port mappings. Peer liveness should be checked maintain middlebox port mappings. Peer liveness should be checked
using IKE Informational packets [RFC7296]. using IKE Informational packets [RFC7296].
In general, TCP port mappings are maintained by NATs longers than UDP In general, TCP port mappings are maintained by NATs longer than UDP
port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be
sent when using TCP encapsulation. Any implementation using TCP sent when using TCP encapsulation. Any implementation using TCP
encapsulation MUST silently drop incoming NAT keep-alive packets, and encapsulation MUST silently drop incoming NAT keep-alive packets, and
not treat them as errors. NAT keep-alive packets over a TCP not treat them as errors. NAT keep-alive packets over a TCP
encapsulated IPsec connection will be sent with a length value of 1 encapsulated IPsec connection will be sent with a length value of 1
byte, whose value is 0xFF [Figure 2]. byte, whose value is 0xFF [Figure 2].
Note that depending on the configuration of TCP and TLS on the Note that depending on the configuration of TCP and TLS on the
connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520]
may be used. These MUST NOT be used as indications of IKE peer may be used. These MUST NOT be used as indications of IKE peer
skipping to change at page 13, line 25 skipping to change at page 13, line 25
known valid protocol over TCP, but implementations should make sure known valid protocol over TCP, but implementations should make sure
to validate this assumption in order to avoid unexpected processing to validate this assumption in order to avoid unexpected processing
of TCP connections. of TCP connections.
Attackers may be able to disrupt the TCP connection by sending Attackers may be able to disrupt the TCP connection by sending
spurious RST packets. Due to this, implementations SHOULD make sure spurious RST packets. Due to this, implementations SHOULD make sure
that IKE session state persists even if the underlying TCP connection that IKE session state persists even if the underlying TCP connection
is torn down. is torn down.
If MOBIKE is being used, all of the security considerations outlined If MOBIKE is being used, all of the security considerations outlined
for MOBIKE apply [[RFC4555]]. for MOBIKE apply [RFC4555].
Similarly to MOBIKE, TCP encapsulation requires a TCP Responder to Similarly to MOBIKE, TCP encapsulation requires a TCP Responder to
handle changing of source address and port due to network or handle changing of source address and port due to network or
connection disruption. The successful delivery of valid IKE or ESP connection disruption. The successful delivery of valid IKE or ESP
messages over a new TCP connection is used by the TCP Responder to messages over a new TCP connection is used by the TCP Responder to
determine where to send subsequent responses. If an attacker is able determine where to send subsequent responses. If an attacker is able
to send packets on a new TCP connection that pass the validation to send packets on a new TCP connection that pass the validation
checks of the TCP Responder, it can influence which path future checks of the TCP Responder, it can influence which path future
packets take. For this reason, the validation of messages on the TCP packets take. For this reason, the validation of messages on the TCP
Responder must include decryption, authentication, and replay checks. Responder must include decryption, authentication, and replay checks.
skipping to change at page 14, line 22 skipping to change at page 14, line 22
16. References 16. References
16.1. Normative References 16.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets",
RFC 3948, DOI 10.17487/RFC3948, January 2005,
<http://www.rfc-editor.org/info/rfc3948>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <http://www.rfc-editor.org/info/rfc7296>. 2014, <http://www.rfc-editor.org/info/rfc7296>.
16.2. Informative References 16.2. Informative References
[I-D.nir-ipsecme-ike-tcp] [I-D.nir-ipsecme-ike-tcp]
Nir, Y., "A TCP transport for the Internet Key Exchange", Nir, Y., "A TCP transport for the Internet Key Exchange",
draft-nir-ipsecme-ike-tcp-01 (work in progress), July draft-nir-ipsecme-ike-tcp-01 (work in progress), July
skipping to change at page 14, line 43 skipping to change at page 15, line 5
[RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, Communication Layers", STD 3, RFC 1122,
DOI 10.17487/RFC1122, October 1989, DOI 10.17487/RFC1122, October 1989,
<http://www.rfc-editor.org/info/rfc1122>. <http://www.rfc-editor.org/info/rfc1122>.
[RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000, HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000,
<http://www.rfc-editor.org/info/rfc2817>. <http://www.rfc-editor.org/info/rfc2817>.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets",
RFC 3948, DOI 10.17487/RFC3948, January 2005,
<http://www.rfc-editor.org/info/rfc3948>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>.
[RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol [RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol
(MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006, (MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006,
<http://www.rfc-editor.org/info/rfc4555>. <http://www.rfc-editor.org/info/rfc4555>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>. <http://www.rfc-editor.org/info/rfc5246>.
[RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport
skipping to change at page 17, line 36 skipping to change at page 17, line 36
Figure 4 Figure 4
1. Client establishes a TCP connection with the server on port 443 1. Client establishes a TCP connection with the server on port 443
or 4500. or 4500.
2. Client initiates TLS handshake. During TLS handshake, the 2. Client initiates TLS handshake. During TLS handshake, the
server SHOULD NOT request the client's' certificate, since server SHOULD NOT request the client's' certificate, since
authentication is handled as part of IKE negotiation. authentication is handled as part of IKE negotiation.
3. Client send the Stream Prefix for TCP encapsulated IKE 3. Client send the Stream Prefix for TCP encapsulated IKE
[Section 4] traffic to signal the beginning of IKE negotation. [Section 4] traffic to signal the beginning of IKE negotiation.
4. Client and server establish an IKE connection. This example 4. Client and server establish an IKE connection. This example
shows EAP-based authentication, although any authentication shows EAP-based authentication, although any authentication
type may be used. type may be used.
B.2. Deleting an IKE session B.2. Deleting an IKE session
Client Server Client Server
---------- ---------- ---------- ----------
1) ----------------------- IKE Session --------------------- 1) ----------------------- IKE Session ---------------------
Length + Non-ESP Marker ----------> Length + Non-ESP Marker ---------->
skipping to change at page 20, line 4 skipping to change at page 20, line 4
used, the Initiator SHOULD send UPDATE_SA_ADDRESSES. used, the Initiator SHOULD send UPDATE_SA_ADDRESSES.
B.4. Using MOBIKE between UDP and TCP Encapsulation B.4. Using MOBIKE between UDP and TCP Encapsulation
Client Server Client Server
---------- ---------- ---------- ----------
(IP_I1:UDP500 -> IP_R:UDP500) (IP_I1:UDP500 -> IP_R:UDP500)
1) ----------------- IKE_SA_INIT Exchange ----------------- 1) ----------------- IKE_SA_INIT Exchange -----------------
(IP_I1:UDP4500 -> IP_R:UDP4500) (IP_I1:UDP4500 -> IP_R:UDP4500)
Non-ESP Marker -----------> Non-ESP Marker ----------->
Intial IKE_AUTH Initial IKE_AUTH
HDR, SK { IDi, CERT, AUTH, HDR, SK { IDi, CERT, AUTH,
CP(CFG_REQUEST), CP(CFG_REQUEST),
SAi2, TSi, TSr, SAi2, TSi, TSr,
N(MOBIKE_SUPPORTED) } N(MOBIKE_SUPPORTED) }
<----------- Non-ESP Marker <----------- Non-ESP Marker
Initial IKE_AUTH Initial IKE_AUTH
HDR, SK { IDr, CERT, AUTH, HDR, SK { IDr, CERT, AUTH,
EAP, SAr2, TSi, TSr, EAP, SAr2, TSi, TSr,
N(MOBIKE_SUPPORTED) } N(MOBIKE_SUPPORTED) }
<------------------ IKE SA establishment ---------------> <------------------ IKE SA establishment --------------->
skipping to change at page 22, line 6 skipping to change at page 22, line 6
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
1 Infinite Loop 1 Infinite Loop
Cupertino, California 95014 Cupertino, California 95014
US US
Email: tpauly@apple.com Email: tpauly@apple.com
Samy Touati Samy Touati
Ericsson Ericsson
300 Holger Way 2755 Augustine
San Jose, California 95134 Santa Clara, California 95054
US US
Email: samy.touati@ericsson.com Email: samy.touati@ericsson.com
Ravi Mantha Ravi Mantha
Cisco Systems Cisco Systems
SEZ, Embassy Tech Village SEZ, Embassy Tech Village
Panathur, Bangalore 560 037 Panathur, Bangalore 560 037
India India
 End of changes. 14 change blocks. 
22 lines changed or deleted 22 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/