| < draft-ietf-ipsecme-tcp-encaps-08.txt | draft-ietf-ipsecme-tcp-encaps-09.txt > | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track S. Touati | Intended status: Standards Track S. Touati | |||
| Expires: August 31, 2017 Ericsson | Expires: September 13, 2017 Ericsson | |||
| R. Mantha | R. Mantha | |||
| Cisco Systems | Cisco Systems | |||
| February 27, 2017 | March 12, 2017 | |||
| TCP Encapsulation of IKE and IPsec Packets | TCP Encapsulation of IKE and IPsec Packets | |||
| draft-ietf-ipsecme-tcp-encaps-08 | draft-ietf-ipsecme-tcp-encaps-09 | |||
| Abstract | Abstract | |||
| This document describes a method to transport IKE and IPsec packets | This document describes a method to transport IKE and IPsec packets | |||
| over a TCP connection for traversing network middleboxes that may | over a TCP connection for traversing network middleboxes that may | |||
| block IKE negotiation over UDP. This method, referred to as TCP | block IKE negotiation over UDP. This method, referred to as TCP | |||
| encapsulation, involves sending both IKE packets for Security | encapsulation, involves sending both IKE packets for Security | |||
| Association establishment and ESP packets over a TCP connection. | Association establishment and ESP packets over a TCP connection. | |||
| This method is intended to be used as a fallback option when IKE | This method is intended to be used as a fallback option when IKE | |||
| cannot be negotiated over UDP. | cannot be negotiated over UDP. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 31, 2017. | This Internet-Draft will expire on September 13, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
| no NAT are detected on the path as some middleboxes do not | no NAT are detected on the path as some middleboxes do not | |||
| support IP protocols other than TCP and UDP. | support IP protocols other than TCP and UDP. | |||
| 3. TCP Encapsulation. If both of the other two methods are not | 3. TCP Encapsulation. If both of the other two methods are not | |||
| available or appropriate, both IKE negotiation packets as well | available or appropriate, both IKE negotiation packets as well | |||
| as ESP packets can be sent over a single TCP connection to the | as ESP packets can be sent over a single TCP connection to the | |||
| peer. | peer. | |||
| Direct use of ESP or UDP Encapsulation should be preferred by IKE | Direct use of ESP or UDP Encapsulation should be preferred by IKE | |||
| implementations due to performance concerns when using TCP | implementations due to performance concerns when using TCP | |||
| Encapsulation [Section 12]. Most implementations should use TCP | Encapsulation Section 12. Most implementations should use TCP | |||
| Encapsulation only on networks where negotiation over UDP has been | Encapsulation only on networks where negotiation over UDP has been | |||
| attempted without receiving responses from the peer, or if a network | attempted without receiving responses from the peer, or if a network | |||
| is known to not support UDP. | is known to not support UDP. | |||
| 1.1. Prior Work and Motivation | 1.1. Prior Work and Motivation | |||
| Encapsulating IKE connections within TCP streams is a common approach | Encapsulating IKE connections within TCP streams is a common approach | |||
| to solve the problem of UDP packets being blocked by network | to solve the problem of UDP packets being blocked by network | |||
| middleboxes. The goal of this document is to promote | middleboxes. The goal of this document is to promote | |||
| interoperability by providing a standard method of framing IKE and | interoperability by providing a standard method of framing IKE and | |||
| skipping to change at page 10, line 18 ¶ | skipping to change at page 10, line 18 ¶ | |||
| Multiple IKE SAs MUST NOT share a single TCP connection, unless one | Multiple IKE SAs MUST NOT share a single TCP connection, unless one | |||
| is a rekey of an existing IKE SA, in which case there will | is a rekey of an existing IKE SA, in which case there will | |||
| temporarily be two IKE SAs on the same TCP connection. | temporarily be two IKE SAs on the same TCP connection. | |||
| 7. Interaction with NAT Detection Payloads | 7. Interaction with NAT Detection Payloads | |||
| When negotiating over UDP port 500, IKE_SA_INIT packets include | When negotiating over UDP port 500, IKE_SA_INIT packets include | |||
| NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to | NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to | |||
| determine if UDP encapsulation of IPsec packets should be used. | determine if UDP encapsulation of IPsec packets should be used. | |||
| These payloads contain SHA-1 digests of the SPIs, IP addresses, and | These payloads contain SHA-1 digests of the SPIs, IP addresses, and | |||
| ports. IKE_SA_INIT packets sent on a TCP connection SHOULD include | ports as defined in [RFC7296]. IKE_SA_INIT packets sent on a TCP | |||
| these payloads, and SHOULD use the applicable TCP ports when creating | connection SHOULD include these payloads with the same content as | |||
| and checking the SHA-1 digests. | when sending over UDP, and SHOULD use the applicable TCP ports when | |||
| creating and checking the SHA-1 digests. | ||||
| If a NAT is detected due to the SHA-1 digests not matching the | If a NAT is detected due to the SHA-1 digests not matching the | |||
| expected values, no change should be made for encapsulation of | expected values, no change should be made for encapsulation of | |||
| subsequent IKE or ESP packets, since TCP encapsulation inherently | subsequent IKE or ESP packets, since TCP encapsulation inherently | |||
| supports NAT traversal. Implementations MAY use the information that | supports NAT traversal. Implementations MAY use the information that | |||
| a NAT is present to influence keep-alive timer values. | a NAT is present to influence keep-alive timer values. | |||
| If a NAT is detected, implementations need to handle transport mode | If a NAT is detected, implementations need to handle transport mode | |||
| TCP and UDP packet checksum fixup as defined for UDP encapsulation | TCP and UDP packet checksum fixup as defined for UDP encapsulation in | |||
| [RFC3948]. | [RFC3948]. | |||
| 8. Using MOBIKE with TCP encapsulation | 8. Using MOBIKE with TCP encapsulation | |||
| When an IKE session that has negotiated MOBIKE [RFC4555] is | When an IKE session that has negotiated MOBIKE [RFC4555] is | |||
| transitioning between networks, the Initiator of the transition may | transitioning between networks, the Initiator of the transition may | |||
| switch between using TCP encapsulation, UDP encapsulation, or no | switch between using TCP encapsulation, UDP encapsulation, or no | |||
| encapsulation. Implementations that implement both MOBIKE and TCP | encapsulation. Implementations that implement both MOBIKE and TCP | |||
| encapsulation MUST support dynamically enabling and disabling TCP | encapsulation MUST support dynamically enabling and disabling TCP | |||
| encapsulation as interfaces change. | encapsulation as interfaces change. | |||
| skipping to change at page 11, line 32 ¶ | skipping to change at page 11, line 32 ¶ | |||
| strategy that implementations use to detect peer liveness and to | strategy that implementations use to detect peer liveness and to | |||
| maintain middlebox port mappings. Peer liveness should be checked | maintain middlebox port mappings. Peer liveness should be checked | |||
| using IKE Informational packets [RFC7296]. | using IKE Informational packets [RFC7296]. | |||
| In general, TCP port mappings are maintained by NATs longer than UDP | In general, TCP port mappings are maintained by NATs longer than UDP | |||
| port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be | port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be | |||
| sent when using TCP encapsulation. Any implementation using TCP | sent when using TCP encapsulation. Any implementation using TCP | |||
| encapsulation MUST silently drop incoming NAT keep-alive packets, and | encapsulation MUST silently drop incoming NAT keep-alive packets, and | |||
| not treat them as errors. NAT keep-alive packets over a TCP | not treat them as errors. NAT keep-alive packets over a TCP | |||
| encapsulated IPsec connection will be sent with a length value of 1 | encapsulated IPsec connection will be sent with a length value of 1 | |||
| byte, whose value is 0xFF [Figure 2]. | byte, whose value is 0xFF Figure 2. | |||
| Note that depending on the configuration of TCP and TLS on the | Note that depending on the configuration of TCP and TLS on the | |||
| connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] | connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] | |||
| may be used. These MUST NOT be used as indications of IKE peer | may be used. These MUST NOT be used as indications of IKE peer | |||
| liveness. | liveness. | |||
| 11. Middlebox Considerations | 11. Middlebox Considerations | |||
| Many security networking devices such as Firewalls or Intrusion | Many security networking devices such as Firewalls or Intrusion | |||
| Prevention Systems, network optimization/acceleration devices and | Prevention Systems, network optimization/acceleration devices and | |||
| skipping to change at page 13, line 38 ¶ | skipping to change at page 13, line 38 ¶ | |||
| handle changing of source address and port due to network or | handle changing of source address and port due to network or | |||
| connection disruption. The successful delivery of valid IKE or ESP | connection disruption. The successful delivery of valid IKE or ESP | |||
| messages over a new TCP connection is used by the TCP Responder to | messages over a new TCP connection is used by the TCP Responder to | |||
| determine where to send subsequent responses. If an attacker is able | determine where to send subsequent responses. If an attacker is able | |||
| to send packets on a new TCP connection that pass the validation | to send packets on a new TCP connection that pass the validation | |||
| checks of the TCP Responder, it can influence which path future | checks of the TCP Responder, it can influence which path future | |||
| packets take. For this reason, the validation of messages on the TCP | packets take. For this reason, the validation of messages on the TCP | |||
| Responder must include decryption, authentication, and replay checks. | Responder must include decryption, authentication, and replay checks. | |||
| Since TCP provides a reliable, in-order delivery of ESP messages, the | Since TCP provides a reliable, in-order delivery of ESP messages, the | |||
| ESP Anti-Replay Window size [RFC4303] SHOULD be set to 1. This | ESP Anti-Replay Window size SHOULD be set to 1. See [RFC4303] for a | |||
| increases the protection of implementations against replay attacks. | complete description of the ESP Anti-Replay Window. This increases | |||
| the protection of implementations against replay attacks. | ||||
| 14. IANA Considerations | 14. IANA Considerations | |||
| This memo includes no request to IANA. | This memo includes no request to IANA. | |||
| TCP port 4500 is already allocated to IPsec. This port MAY be used | TCP port 4500 is already allocated to IPsec. This port MAY be used | |||
| for the protocol described in this document, but implementations MAY | for the protocol described in this document, but implementations MAY | |||
| prefer to use other ports based on local policy. | prefer to use other ports based on local policy. | |||
| 15. Acknowledgments | 15. Acknowledgments | |||
| skipping to change at page 15, line 31 ¶ | skipping to change at page 15, line 31 ¶ | |||
| (IKEv2) Message Fragmentation", RFC 7383, | (IKEv2) Message Fragmentation", RFC 7383, | |||
| DOI 10.17487/RFC7383, November 2014, | DOI 10.17487/RFC7383, November 2014, | |||
| <http://www.rfc-editor.org/info/rfc7383>. | <http://www.rfc-editor.org/info/rfc7383>. | |||
| Appendix A. Using TCP encapsulation with TLS | Appendix A. Using TCP encapsulation with TLS | |||
| This section provides recommendations on the support of TLS with the | This section provides recommendations on the support of TLS with the | |||
| TCP encapsulation. | TCP encapsulation. | |||
| When using TCP encapsulation, implementations may choose to use TLS | When using TCP encapsulation, implementations may choose to use TLS | |||
| [RFC5246], to be able to traverse middle-boxes, which may block non | [RFC5246], to be able to traverse middle-boxes, which may block non- | |||
| HTTP traffic. | HTTP traffic. | |||
| If a web proxy is applied to the ports for the TCP connection, and | If a web proxy is applied to the ports for the TCP connection, and | |||
| TLS is being used, the TCP Originator can send an HTTP CONNECT | TLS is being used, the TCP Originator can send an HTTP CONNECT | |||
| message to establish an SA through the proxy [RFC2817]. | message to establish an SA through the proxy [RFC2817]. | |||
| The use of TLS should be configurable on the peers. The TCP | The use of TLS should be configurable on the peers, and may be used | |||
| Responder may expect to read encapsulated IKE and ESP packets | as the default when using TCP encapsulation, or else be a fallback | |||
| directly from the TCP connection, or it may expect to read them from | when basic TCP encapsulation fails. The TCP Responder may expect to | |||
| a stream of TLS data packets. The TCP Originator should be pre- | read encapsulated IKE and ESP packets directly from the TCP | |||
| configured to use TLS or not when communicating with a given port on | connection, or it may expect to read them from a stream of TLS data | |||
| the TCP Responder. | packets. The TCP Originator should be pre-configured to use TLS or | |||
| not when communicating with a given port on the TCP Responder. | ||||
| When new TCP connections are re-established due to a broken | When new TCP connections are re-established due to a broken | |||
| connection, TLS must be re-negotiated. TLS Session Resumption is | connection, TLS must be re-negotiated. TLS Session Resumption is | |||
| recommended to improve efficiency in this case. | recommended to improve efficiency in this case. | |||
| The security of the IKE session is entirely derived from the IKE | The security of the IKE session is entirely derived from the IKE | |||
| negotiation and key establishment and not from the TLS session (which | negotiation and key establishment and not from the TLS session (which | |||
| in this context is only used for encapsulation purposes), therefore | in this context is only used for encapsulation purposes), therefore | |||
| when TLS is used on the TCP connection, both the TCP Originator and | when TLS is used on the TCP connection, both the TCP Originator and | |||
| TCP Responder SHOULD allow the NULL cipher to be selected for | TCP Responder SHOULD allow the NULL cipher to be selected for | |||
| skipping to change at page 17, line 36 ¶ | skipping to change at page 17, line 37 ¶ | |||
| Figure 4 | Figure 4 | |||
| 1. Client establishes a TCP connection with the server on port 443 | 1. Client establishes a TCP connection with the server on port 443 | |||
| or 4500. | or 4500. | |||
| 2. Client initiates TLS handshake. During TLS handshake, the | 2. Client initiates TLS handshake. During TLS handshake, the | |||
| server SHOULD NOT request the client's' certificate, since | server SHOULD NOT request the client's' certificate, since | |||
| authentication is handled as part of IKE negotiation. | authentication is handled as part of IKE negotiation. | |||
| 3. Client send the Stream Prefix for TCP encapsulated IKE | 3. Client send the Stream Prefix for TCP encapsulated IKE | |||
| [Section 4] traffic to signal the beginning of IKE negotiation. | Section 4 traffic to signal the beginning of IKE negotiation. | |||
| 4. Client and server establish an IKE connection. This example | 4. Client and server establish an IKE connection. This example | |||
| shows EAP-based authentication, although any authentication | shows EAP-based authentication, although any authentication | |||
| type may be used. | type may be used. | |||
| B.2. Deleting an IKE session | B.2. Deleting an IKE session | |||
| Client Server | Client Server | |||
| ---------- ---------- | ---------- ---------- | |||
| 1) ----------------------- IKE Session --------------------- | 1) ----------------------- IKE Session --------------------- | |||
| Length + Non-ESP Marker ----------> | Length + Non-ESP Marker ----------> | |||
| skipping to change at page 19, line 37 ¶ | skipping to change at page 19, line 37 ¶ | |||
| connection. The TCP Originator's address and port (IP_I and | connection. The TCP Originator's address and port (IP_I and | |||
| Port_I) may be different from the previous connection's address | Port_I) may be different from the previous connection's address | |||
| and port. | and port. | |||
| 2. In ClientHello TLS message, the client SHOULD send the Session | 2. In ClientHello TLS message, the client SHOULD send the Session | |||
| ID it received in the previous TLS handshake if available. It | ID it received in the previous TLS handshake if available. It | |||
| is up to the server to perform either an abbreviated handshake | is up to the server to perform either an abbreviated handshake | |||
| or full handshake based on the session ID match. | or full handshake based on the session ID match. | |||
| 3. After TCP and TLS are complete, the client sends the Stream | 3. After TCP and TLS are complete, the client sends the Stream | |||
| Prefix for TCP encapsulated IKE traffic [Section 4]. | Prefix for TCP encapsulated IKE traffic Section 4. | |||
| 4. The IKE and ESP packet flow can resume. If MOBIKE is being | 4. The IKE and ESP packet flow can resume. If MOBIKE is being | |||
| used, the Initiator SHOULD send UPDATE_SA_ADDRESSES. | used, the Initiator SHOULD send UPDATE_SA_ADDRESSES. | |||
| B.4. Using MOBIKE between UDP and TCP Encapsulation | B.4. Using MOBIKE between UDP and TCP Encapsulation | |||
| Client Server | Client Server | |||
| ---------- ---------- | ---------- ---------- | |||
| (IP_I1:UDP500 -> IP_R:UDP500) | (IP_I1:UDP500 -> IP_R:UDP500) | |||
| 1) ----------------- IKE_SA_INIT Exchange ----------------- | 1) ----------------- IKE_SA_INIT Exchange ----------------- | |||
| skipping to change at page 21, line 27 ¶ | skipping to change at page 21, line 27 ¶ | |||
| the IKE session using the UPDATE_SA_ADDRESSES notify payload, | the IKE session using the UPDATE_SA_ADDRESSES notify payload, | |||
| but the server does not respond because the network blocks UDP | but the server does not respond because the network blocks UDP | |||
| traffic. | traffic. | |||
| 3. The client brings up a TCP connection to the server in order to | 3. The client brings up a TCP connection to the server in order to | |||
| use TCP encapsulation. | use TCP encapsulation. | |||
| 4. The client initiates and TLS handshake with the server. | 4. The client initiates and TLS handshake with the server. | |||
| 5. The client sends the Stream Prefix for TCP encapsulated IKE | 5. The client sends the Stream Prefix for TCP encapsulated IKE | |||
| traffic [Section 4]. | traffic Section 4. | |||
| 6. The client sends the UPDATE_SA_ADDRESSES notify payload on the | 6. The client sends the UPDATE_SA_ADDRESSES notify payload on the | |||
| TCP encapsulated connection. Note that this IKE message is the | TCP encapsulated connection. Note that this IKE message is the | |||
| same as the one sent over UDP in step 2, and should have the | same as the one sent over UDP in step 2, and should have the | |||
| same message ID and contents. | same message ID and contents. | |||
| 7. The IKE and ESP packet flow can resume. | 7. The IKE and ESP packet flow can resume. | |||
| Authors' Addresses | Authors' Addresses | |||
| End of changes. 14 change blocks. | ||||
| 22 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||