< draft-ietf-ipsec-udp-encaps-06.txt   draft-ietf-ipsec-udp-encaps-07.txt >
IP Security Protocol Working Group (IPSEC) A. Huttunen IP Security Protocol Working Group (IPSEC) A. Huttunen
INTERNET-DRAFT F-Secure Corporation INTERNET-DRAFT F-Secure Corporation
Category: Standards track B. Swander Category: Standards track B. Swander
Expires: July 2003 Microsoft Expires: April 2004 Microsoft
M. Stenberg M. Stenberg
SSH Communications Security Corp SSH Communications Security Corp
V. Volpe V. Volpe
Cisco Systems Cisco Systems
L. DiBurro L. DiBurro
Nortel Networks Nortel Networks
January 2003 October 2003
UDP Encapsulation of IPsec Packets UDP Encapsulation of IPsec Packets
draft-ietf-ipsec-udp-encaps-06.txt draft-ietf-ipsec-udp-encaps-07.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at line 38 skipping to change at line 38
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July, 2003. This Internet-Draft will expire on April, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
This draft defines methods to encapsulate and decapsulate This protocol specification defines methods to encapsulate and
IP Encapsulating Security Payload (ESP) packets inside UDP packets decapsulate IP Encapsulating Security Payload (ESP) packets inside
for the purpose of traversing Network Address Translators. UDP packets for the purpose of traversing Network Address Translators.
ESP encapsulation as defined in this document is capable of being ESP encapsulation as defined in this document is capable of being
used in both IPv4 and IPv6 scenarios. The encapsulation is used used in both IPv4 and IPv6 scenarios. The encapsulation is used
whenever negotiated using Internet Key Exchange (IKE). whenever negotiated using Internet Key Exchange (IKE).
Change Log
Version -01
- removed everything related to the AH-protocol
- added instructions on how to use the encapsulation with
some other key management protocol than IKE
Version -02
- changed to using 4-byte non-ESP marker, removed all references
to using this with other key management protocols
- TCP checksum handling for transport mode related discussion
modified
- copied tunnel mode security considerations from the
earlier draft-huttunen-ipsec-esp-in-udp-00.txt draft,
added transport mode considerations
Version -03
- Clarifications to security considerations
Version -04
- Clarified checksum handling
- Added an IANA considerations section
- Added an implementation options appendix
- Reworded 'Abstract'
- References grouped
Version -05
- Changed incremental checksum fixup for transport mode
Version -06
- Changed in 'Introduction' the text relating to
L2TP/IPsec modes
- [RFC 2119] to normative references
1. Introduction 1. Introduction
This draft defines methods to encapsulate and decapsulate ESP This protocol specification defines methods to encapsulate and
packets inside UDP packets for the purpose of traversing NATs. decapsulate ESP packets inside UDP packets for the purpose of
The UDP port numbers are the same as used by IKE traffic, as traversing NATs. The UDP port numbers are the same as used by IKE
defined in [Kiv05]. traffic, as defined in [Kiv07].
It is up to the need of the clients whether transport mode It is up to the need of the clients whether transport mode
or tunnel mode is to be supported. L2TP/IPsec clients must support or tunnel mode is to be supported. L2TP/IPsec clients MUST support
the modes as defined in [RFC 3193]. IPsec tunnel mode clients MUST the modes as defined in [RFC 3193]. IPsec tunnel mode clients MUST
support tunnel mode. support tunnel mode.
An IKE implementation supporting this draft MUST NOT use the An IKE implementation supporting this protocol specification MUST NOT
ESP SPI field zero for ESP packets. This ensures that use the ESP SPI field zero for ESP packets. This ensures that
IKE packets and ESP packets can be distinguished from each other. IKE packets and ESP packets can be distinguished from each other.
UDP encapsulation of ESP packets as defined in this document is UDP encapsulation of ESP packets as defined in this document is
written in terms of IPv4 headers. There is no technical reason written in terms of IPv4 headers. There is no technical reason
why an IPv6 header could not be used as the outer header and/or why an IPv6 header could not be used as the outer header and/or
as the inner header. as the inner header.
2. Packet Formats 2. Packet Formats
2.1 UDP-encapsulated ESP Header Format 2.1 UDP-encapsulated ESP Header Format
skipping to change at line 120 skipping to change at line 92
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum | | Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ESP header [RFC 2406] | | ESP header [RFC 2406] |
~ ~ ~ ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The UDP header is a standard [RFC 768] header, where The UDP header is a standard [RFC 768] header, where
- Source Port and Destination Port MUST be the same as used by - Source Port and Destination Port MUST be the same as used by
floated IKE traffic. IKE traffic.
- Checksum SHOULD be transmitted as a zero value. - Checksum SHOULD be transmitted as a zero value.
- Receivers MUST NOT depend upon the UDP checksum being - Receivers MUST NOT depend upon the UDP checksum being
a zero value. a zero value.
The SPI field in the ESP header must not be zero. The SPI field in the ESP header must not be zero.
2.2 Floated IKE Header Format 2.2 IKE Header Format for Port 4500
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port | | Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum | | Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Non-ESP Marker | | Non-ESP Marker |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE header [RFC 2409] | | IKE header [RFC 2409] |
~ ~ ~ ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The UDP header is a standard [RFC 768] header, and is used The UDP header is a standard [RFC 768] header, and is used
as defined in [Kiv05]. This document does not set any new as defined in [Kiv07]. This document does not set any new
requirements for the checksum handling of an IKE packet. requirements for the checksum handling of an IKE packet.
Non-ESP Marker is 4 bytes of zero aligning with the SPI field Non-ESP Marker is 4 bytes of zero aligning with the SPI field
of an ESP packet. of an ESP packet.
2.3 NAT-keepalive Packet Format 2.3 NAT-keepalive Packet Format
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at line 203 skipping to change at line 175
3.1.2 Transport Mode Decapsulation NAT Procedure 3.1.2 Transport Mode Decapsulation NAT Procedure
When a transport mode has been used to transmit packets, contained When a transport mode has been used to transmit packets, contained
TCP or UDP headers will contain incorrect checksums due to the change TCP or UDP headers will contain incorrect checksums due to the change
of parts of the IP header during transit. This procedure defines how of parts of the IP header during transit. This procedure defines how
to fix these checksums. to fix these checksums.
Depending on local policy, one of the following MUST be done: Depending on local policy, one of the following MUST be done:
a) If the protocol header after the ESP header is a TCP/UDP a) If the protocol header after the ESP header is a TCP/UDP
header and the peer's real source and destination IP address have header and the peer's real source and destination IP address have
been received according to [Kiv05], incrementally recompute the been received according to [Kiv07], incrementally recompute the
TCP/UDP checksum: TCP/UDP checksum:
- subtract the IP source address in the received packet - subtract the IP source address in the received packet
from the checksum from the checksum
- add the real IP source address received via IKE to the checksum - add the real IP source address received via IKE to the checksum
(obtained from the NAT-OA) (obtained from the NAT-OA)
- subtract the IP destination address in the received packet - subtract the IP destination address in the received packet
from the checksum from the checksum
- add the real IP destination address received via IKE to the - add the real IP destination address received via IKE to the
checksum (obtained from the NAT-OA) checksum (obtained from the NAT-OA)
Note: if received and real address are the same for a given address, Note: if received and real address are the same for a given address,
skipping to change at line 304 skipping to change at line 276
NAT mappings alive for the duration of a connection between NAT mappings alive for the duration of a connection between
the peers. Reception of NAT-keepalive packets MUST NOT be the peers. Reception of NAT-keepalive packets MUST NOT be
used to detect liveness of a connection. used to detect liveness of a connection.
A peer MAY send a NAT-keepalive packet if there exists one A peer MAY send a NAT-keepalive packet if there exists one
or more phase I or phase II SAs between the peers, or such or more phase I or phase II SAs between the peers, or such
an SA has existed at most N minutes earlier. N is a locally an SA has existed at most N minutes earlier. N is a locally
configurable parameter with a default value of 5 minutes. configurable parameter with a default value of 5 minutes.
A peer SHOULD send a NAT-keepalive packet if a need to send such A peer SHOULD send a NAT-keepalive packet if a need to send such
packets is detected according to [Kiv05] and if no other packet to packets is detected according to [Kiv07] and if no other packet to
the peer has been sent in M seconds. M is a locally configurable the peer has been sent in M seconds. M is a locally configurable
parameter with a default value of 20 seconds. parameter with a default value of 20 seconds.
5. Security Considerations 5. Security Considerations
5.1 DoS 5.1 Denial of Service
On some systems ESPUDP may have DoS attack consequences, On some systems ESPUDP may have DoS attack consequences,
especially if ordinary operating system UDP-functionality is especially if ordinary operating system UDP-functionality is
being used. It may be recommended not to open an ordinary UDP-port being used. It is RECOMMENDED that the UDP packets be processed
for this. by a system component that does the strictest possible checks
for UDP packets.
5.2 Tunnel Mode Conflict 5.2 Tunnel Mode Conflict
Implementors are warned that it is possible for remote peers to Implementors are warned that it is possible for remote peers to
negotiate entries that overlap in a GW, an issue affecting tunnel negotiate entries that overlap in a GW, an issue affecting tunnel
mode. mode.
+----+ \ / +----+ \ /
| |-------------|----\ | |-------------|----\
+----+ / \ \ +----+ / \ \
skipping to change at line 341 skipping to change at line 314
+----+ / \ +----+ +----+ +----+ / \ +----+ +----+
Bob's NAT 2 GW Suzy's Bob's NAT 2 GW Suzy's
Laptop Server Laptop Server
10.1.2.3 10.1.2.3
Because GW will now see two possible SAs that lead to 10.1.2.3, it Because GW will now see two possible SAs that lead to 10.1.2.3, it
can become confused where to send packets coming from Suzy's server. can become confused where to send packets coming from Suzy's server.
Implementators MUST devise ways of preventing such a thing from Implementators MUST devise ways of preventing such a thing from
occurring. occurring.
It is recommended that GW either assign locally unique IP addresses It is RECOMMENDED that GW either assign locally unique IP addresses
to A and B using a protocol such as DHCP over IPsec, or uses NAT to to A and B using a protocol such as DHCP over IPsec, or uses NAT to
change A's and B's source IP addresses to such locally unique change A's and B's source IP addresses to such locally unique
addresses before sending packets forward to S. addresses before sending packets forward to S.
Please see Appendix A.
5.3 Transport Mode Conflict 5.3 Transport Mode Conflict
Another similar issue may occur in transport mode, with 2 clients, Another similar issue may occur in transport mode, with 2 clients,
Ari and Bob, behind the same NAT talking securely to the same server. Ari and Bob, behind the same NAT talking securely to the same server.
Cliff wants to talk in the clear to the same server. Cliff wants to talk in the clear to the same server.
+----+ +----+
| | | |
+----+ \ +----+ \
skipping to change at line 429 skipping to change at line 404
a NAT, and also allow clear text from different clients behind the a NAT, and also allow clear text from different clients behind the
SAME NAT. If the server's security policy allows, however, it can SAME NAT. If the server's security policy allows, however, it can
do best effort security: if the client from behind the NAT do best effort security: if the client from behind the NAT
initiates security, his connection will be secured. If he sends initiates security, his connection will be secured. If he sends
in the clear, the server will still accept that clear text. in the clear, the server will still accept that clear text.
So, for security guarantees, the above problematic scenario MUST NOT So, for security guarantees, the above problematic scenario MUST NOT
be allowed on servers. For best effort security, this scenario MAY be allowed on servers. For best effort security, this scenario MAY
be used. be used.
Please see Appendix A.
6. IANA Considerations 6. IANA Considerations
No IANA assignments are needed.
This document depends on the reserved SPI value of zero (0) not This document depends on the reserved SPI value of zero (0) not
being sent over the wire as a part of an ESP-packet [RFC 2406]. being sent over the wire as a part of an ESP-packet [RFC 2406].
This document defines a "Non-ESP Marker" as 4 bytes of zero aligning This document defines a "Non-ESP Marker" as 4 bytes of zero aligning
with the SPI field of an ESP packet, and generally being followed with the SPI field of an ESP packet, and generally being followed
by something that is not an ESP packet. by something that is not an ESP packet.
With regard to NAT-traversal in IKEv1 case, the Non-ESP Marker is With regard to NAT-traversal in IKEv1 case, the Non-ESP Marker is
being followed by an IKEv1 packet as specified in section 2.2. being followed by an IKEv1 packet as specified in section 2.2.
skipping to change at line 453 skipping to change at line 432
The IETF has been notified of intellectual property rights claimed in The IETF has been notified of intellectual property rights claimed in
regard to some or all of the specification contained in this document. regard to some or all of the specification contained in this document.
For more information consult the online list of claimed rights. For more information consult the online list of claimed rights.
8. Acknowledgments 8. Acknowledgments
Thanks to Tero Kivinen and William Dixon who contributed actively Thanks to Tero Kivinen and William Dixon who contributed actively
to this document. to this document.
Thanks to Joern Sierwald, Tamir Zegman, Tatu Ylonen and Thanks to Joern Sierwald, Tamir Zegman, Tatu Ylonen and
Santeri Paavolainen who contributed to the previous drafts Santeri Paavolainen who contributed to the early drafts
about NAT traversal. about NAT traversal.
9. References 9. References
Normative references: Normative references:
[RFC 768] Postel, J., "User Datagram Protocol", August 1980 [RFC 768] Postel, J., "User Datagram Protocol", August 1980
[RFC 2119] Bradner, S., "Key words for use in RFCs to indicate [RFC 2119] Bradner, S., "Key words for use in RFCs to indicate
Requirement Levels", March 1997 Requirement Levels", March 1997
[RFC 2406] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC 2406] Kent, S., "IP Encapsulating Security Payload (ESP)",
November 1998 November 1998
[RFC 2409] D. Harkins, D. Carrel, "The Internet Key Exchange [RFC 2409] D. Harkins, D. Carrel, "The Internet Key Exchange
(IKE)", November 1998 (IKE)", November 1998
[Kiv05] Kivinen, T. et. al., draft-ietf-ipsec-nat-t-ike-05.txt, [Kiv07] Kivinen, T. et. al., draft-ietf-ipsec-nat-t-ike-07.txt,
"Negotiation of NAT-Traversal in the IKE", December 2002 "Negotiation of NAT-Traversal in the IKE", September 2003
Non-normative references: Non-normative references:
[RFC 1122] R. Braden (Editor), "Requirements for Internet Hosts [RFC 1122] R. Braden (Editor), "Requirements for Internet Hosts
-- Communication Layers", October 1989 -- Communication Layers", October 1989
[RFC 3193] Patel, B. et. al, "Securing L2TP using IPsec", [RFC 3193] Patel, B. et. al, "Securing L2TP using IPsec",
November 2001 November 2001
10. Authors' Addresses 10. Authors' Addresses
skipping to change at line 519 skipping to change at line 498
E-mail: vvolpe@cisco.com E-mail: vvolpe@cisco.com
Larry DiBurro Larry DiBurro
Nortel Networks Nortel Networks
80 Central Street 80 Central Street
Boxborough, MA 01719 Boxborough, MA 01719
ldiburro@nortelnetworks.com ldiburro@nortelnetworks.com
Appendix A: Clarification of potential NAT multiple client solutions Appendix A: Clarification of potential NAT multiple client solutions
There have been requests to clarify potential solutions to the problem This appendix provides clarification about potential solutions to the
of multiple clients behind the same NAT simultaneously connecting to the problem of multiple clients behind the same NAT simultaneously
same destination IP address. connecting to the same destination IP address.
Sections 5.2 and 5.3 say that you MUST avoid this Sections 5.2 and 5.3 say that you MUST avoid this
problem. As this isn't a wire protocol matter, but a local problem. As this isn't a wire protocol matter, but a local
implementation matter, specification of the mechanisms do not belong in implementation matter, specification of the mechanisms do not belong in
the draft itself. They are instead listed in this appendix. the protocol specification itself. They are instead listed in this appendix.
Choosing an option will likely depend on the scenarios for which you Choosing an option will likely depend on the scenarios for which you
use/support IPsec NAT-T. This list is not meant to be exhaustive, so use/support IPsec NAT-T. This list is not meant to be exhaustive, so
other solutions may exist. We first describe the generic choices that other solutions may exist. We first describe the generic choices that
solve the problem for all upper layer protocols. solve the problem for all upper layer protocols.
Generic choices for ESP transport mode: Generic choices for ESP transport mode:
Tr1) Implement a built-in NAT (network address translation) above IPsec Tr1) Implement a built-in NAT (network address translation) above IPsec
decapsulation. SSH may have intellectual property rights relating to decapsulation. SSH may have intellectual property rights relating to
this implementation technique. See their IPR notice on the IETF web this implementation technique. See their IPR notice on the IETF web
skipping to change at line 569 skipping to change at line 549
initiator may initially request an internal address via the DHCP-IPsec initiator may initially request an internal address via the DHCP-IPsec
method, regardless of whether it knows it is behind a NAT. Or it may method, regardless of whether it knows it is behind a NAT. Or it may
re-initiate an IKE quick mode negotiation for DHCP tunnel SA after the re-initiate an IKE quick mode negotiation for DHCP tunnel SA after the
responder fails the quick mode SA transport mode proposal, either when responder fails the quick mode SA transport mode proposal, either when
NAT-OA payload is sent or because it discovers from NAT-D the initiator NAT-OA payload is sent or because it discovers from NAT-D the initiator
is behind a NAT and it's local configuration/policy will only accept is behind a NAT and it's local configuration/policy will only accept
connecting through NAT when being assigned an address through connecting through NAT when being assigned an address through
DHCP-IPsec. DHCP-IPsec.
There are also implementation choices offereing limited There are also implementation choices offereing limited
interoperability. Vendors should specify what applications or interoperability. Implementors should specify what applications or
protocols should work using their NAT-T solution if these options protocols should work using their NAT-T solution if these options
are selected. Note that neither Tr4 nor Tn4 are expected to work are selected. Note that neither Tr4 nor Tn4, as described below, are
with TCP traffic. expected to work with TCP traffic.
Limited interoperability choices for ESP transport mode: Limited interoperability choices for ESP transport mode:
Tr4) Implement upper layer protocol awareness of the inbound & outbound Tr4) Implement upper layer protocol awareness of the inbound & outbound
IPsec SA so that it doesn't use the source IP and the source port as the IPsec SA so that it doesn't use the source IP and the source port as the
session identifier. (E.g. L2TP session ID mapped to the IPsec SA pair session identifier. (E.g. L2TP session ID mapped to the IPsec SA pair
which doesn't use the UDP source port or the source IP address for peer which doesn't use the UDP source port or the source IP address for peer
uniqueness.) uniqueness.)
Tr5) Implement application integration with IKE initiation such that it Tr5) Implement application integration with IKE initiation such that it
can rebind to a different source port if the IKE quick mode SA proposal can rebind to a different source port if the IKE quick mode SA proposal
is rejected by the responder, then repropose the new QM selector. is rejected by the responder, then repropose the new QM selector.
Microsoft may have intellectual property rights relating to this Microsoft may have intellectual property rights relating to this
implementation technique. See the Microsoft IPR notice on the IETF web implementation technique. See the Microsoft IPR notice on the IETF web
site for the details. site for the details.
Limited interoperability choices for ESP tunnel mode: Limited interoperability choices for ESP tunnel mode:
Tn4) Same as Tr4. Tn4) Same as Tr4.
</x-flowed>
 End of changes. 27 change blocks. 
61 lines changed or deleted 41 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/