| < draft-ietf-ipsecme-failure-detection-07.txt | draft-ietf-ipsecme-failure-detection-08.txt > | |||
|---|---|---|---|---|
| IPsecME Working Group Y. Nir, Ed. | IPsecME Working Group Y. Nir, Ed. | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track D. Wierbowski | Intended status: Standards Track D. Wierbowski | |||
| Expires: September 29, 2011 IBM | Expires: October 3, 2011 IBM | |||
| F. Detienne | F. Detienne | |||
| P. Sethi | P. Sethi | |||
| Cisco | Cisco | |||
| March 28, 2011 | April 1, 2011 | |||
| A Quick Crash Detection Method for IKE | A Quick Crash Detection Method for IKE | |||
| draft-ietf-ipsecme-failure-detection-07 | draft-ietf-ipsecme-failure-detection-08 | |||
| Abstract | Abstract | |||
| This document describes an extension to the IKEv2 protocol that | This document describes an extension to the IKEv2 protocol that | |||
| allows for faster detection of Security Association (SA) | allows for faster detection of Security Association (SA) | |||
| desynchronization using a saved token. | desynchronization using a saved token. | |||
| When an IPsec tunnel between two IKEv2 peers is disconnected due to a | When an IPsec tunnel between two IKEv2 peers is disconnected due to a | |||
| restart of one peer, it can take as much as several minutes for the | restart of one peer, it can take as much as several minutes for the | |||
| other peer to discover that the reboot has occurred, thus delaying | other peer to discover that the reboot has occurred, thus delaying | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 29, 2011. | This Internet-Draft will expire on October 3, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 26 ¶ | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 | |||
| 2. RFC 5996 Crash Recovery . . . . . . . . . . . . . . . . . . . 5 | 2. RFC 5996 Crash Recovery . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Protocol Outline . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Protocol Outline . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Formats and Exchanges . . . . . . . . . . . . . . . . . . . . 7 | 4. Formats and Exchanges . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Notification Format . . . . . . . . . . . . . . . . . . . 7 | 4.1. Notification Format . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Passing a Token in the AUTH Exchange . . . . . . . . . . 8 | 4.2. Passing a Token in the AUTH Exchange . . . . . . . . . . 8 | |||
| 4.3. Replacing Tokens After Rekey or Resumption . . . . . . . 9 | 4.3. Replacing Tokens After Rekey or Resumption . . . . . . . 9 | |||
| 4.4. Replacing the Token for an Existing SA . . . . . . . . . 10 | 4.4. Replacing the Token for an Existing SA . . . . . . . . . 10 | |||
| 4.5. Presenting the Token in an Unprotected Message . . . . . 10 | 4.5. Presenting the Token in an Unprotected Message . . . . . 10 | |||
| 5. Token Generation and Verification . . . . . . . . . . . . . . 11 | 5. Token Generation and Verification . . . . . . . . . . . . . . 11 | |||
| 5.1. A Stateless Method of Token Generation . . . . . . . . . 11 | 5.1. A Stateless Method of Token Generation . . . . . . . . . 12 | |||
| 5.2. A Stateless Method with IP addresses . . . . . . . . . . 12 | 5.2. A Stateless Method with IP addresses . . . . . . . . . . 12 | |||
| 5.3. Token Lifetime . . . . . . . . . . . . . . . . . . . . . 12 | 5.3. Token Lifetime . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 6. Backup Gateways . . . . . . . . . . . . . . . . . . . . . . . 13 | 6. Backup Gateways . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. Interaction with Session Resumption . . . . . . . . . . . . . 13 | 7. Interaction with Session Resumption . . . . . . . . . . . . . 13 | |||
| 8. Operational Considerations . . . . . . . . . . . . . . . . . . 15 | 8. Operational Considerations . . . . . . . . . . . . . . . . . . 15 | |||
| 8.1. Who should implement this specification . . . . . . . . . 15 | 8.1. Who should implement this specification . . . . . . . . . 15 | |||
| 8.2. Response to unknown child SPI . . . . . . . . . . . . . . 16 | 8.2. Response to unknown child SPI . . . . . . . . . . . . . . 16 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 9.1. QCD Token Generation and Handling . . . . . . . . . . . . 16 | 9.1. QCD Token Generation and Handling . . . . . . . . . . . . 17 | |||
| 9.2. QCD Token Transmission . . . . . . . . . . . . . . . . . 17 | 9.2. QCD Token Transmission . . . . . . . . . . . . . . . . . 18 | |||
| 9.3. QCD Token Enumeration . . . . . . . . . . . . . . . . . . 18 | 9.3. QCD Token Enumeration . . . . . . . . . . . . . . . . . . 18 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 12.1. Changes from draft-ietf-ipsecme-failure-detection-05 . . 19 | 12.1. Changes from draft-ietf-ipsecme-failure-detection-05 . . 19 | |||
| 12.2. Changes from draft-ietf-ipsecme-failure-detection-04 . . 19 | 12.2. Changes from draft-ietf-ipsecme-failure-detection-04 . . 19 | |||
| 12.3. Changes from draft-ietf-ipsecme-failure-detection-03 . . 19 | 12.3. Changes from draft-ietf-ipsecme-failure-detection-03 . . 20 | |||
| 12.4. Changes from draft-ietf-ipsecme-failure-detection-02 . . 19 | 12.4. Changes from draft-ietf-ipsecme-failure-detection-02 . . 20 | |||
| 12.5. Changes from draft-ietf-ipsecme-failure-detection-01 . . 19 | 12.5. Changes from draft-ietf-ipsecme-failure-detection-01 . . 20 | |||
| 12.6. Changes from draft-ietf-ipsecme-failure-detection-00 . . 19 | 12.6. Changes from draft-ietf-ipsecme-failure-detection-00 . . 20 | |||
| 12.7. Changes from draft-nir-ike-qcd-07 . . . . . . . . . . . . 20 | 12.7. Changes from draft-nir-ike-qcd-07 . . . . . . . . . . . . 20 | |||
| 12.8. Changes from draft-nir-ike-qcd-03 and -04 . . . . . . . . 20 | 12.8. Changes from draft-nir-ike-qcd-03 and -04 . . . . . . . . 21 | |||
| 12.9. Changes from draft-nir-ike-qcd-02 . . . . . . . . . . . . 20 | 12.9. Changes from draft-nir-ike-qcd-02 . . . . . . . . . . . . 21 | |||
| 12.10. Changes from draft-nir-ike-qcd-01 . . . . . . . . . . . . 20 | 12.10. Changes from draft-nir-ike-qcd-01 . . . . . . . . . . . . 21 | |||
| 12.11. Changes from draft-nir-ike-qcd-00 . . . . . . . . . . . . 20 | 12.11. Changes from draft-nir-ike-qcd-00 . . . . . . . . . . . . 21 | |||
| 12.12. Changes from draft-nir-qcr-00 . . . . . . . . . . . . . . 21 | 12.12. Changes from draft-nir-qcr-00 . . . . . . . . . . . . . . 21 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 21 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 21 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 21 | 13.2. Informative References . . . . . . . . . . . . . . . . . 22 | |||
| Appendix A. The Path Not Taken . . . . . . . . . . . . . . . . . 21 | Appendix A. The Path Not Taken . . . . . . . . . . . . . . . . . 22 | |||
| A.1. Initiating a new IKE SA . . . . . . . . . . . . . . . . . 21 | A.1. Initiating a new IKE SA . . . . . . . . . . . . . . . . . 22 | |||
| A.2. SIR . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | A.2. SIR . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| A.3. Birth Certificates . . . . . . . . . . . . . . . . . . . 22 | A.3. Birth Certificates . . . . . . . . . . . . . . . . . . . 23 | |||
| A.4. Reducing Liveness Check Length . . . . . . . . . . . . . 23 | A.4. Reducing Liveness Check Length . . . . . . . . . . . . . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 1. Introduction | 1. Introduction | |||
| IKEv2, as described in [RFC5996] and its predecessor RFC 4306, has a | IKEv2, as described in [RFC5996] and its predecessor RFC 4306, has a | |||
| method for recovering from a reboot of one peer. As long as traffic | method for recovering from a reboot of one peer. As long as traffic | |||
| flows in both directions, the rebooted peer should re-establish the | flows in both directions, the rebooted peer should re-establish the | |||
| tunnels immediately. However, in many cases the rebooted peer is a | tunnels immediately. However, in many cases the rebooted peer is a | |||
| VPN gateway that protects only servers, so all traffic is inbound. | VPN gateway that protects only servers, so all traffic is inbound. | |||
| skipping to change at page 11, line 40 ¶ | skipping to change at page 11, line 40 ¶ | |||
| SHOULD be indistinguishable from random data. | SHOULD be indistinguishable from random data. | |||
| o It should not be possible for an external attacker to guess the | o It should not be possible for an external attacker to guess the | |||
| QCD token generated by an implementation. Cryptographic | QCD token generated by an implementation. Cryptographic | |||
| mechanisms such as PRNG and hash functions are RECOMMENDED. | mechanisms such as PRNG and hash functions are RECOMMENDED. | |||
| o The token maker MUST be able to re-generate or retrieve the token | o The token maker MUST be able to re-generate or retrieve the token | |||
| based on the IKE SPIs even after it reboots. | based on the IKE SPIs even after it reboots. | |||
| o The method of token generation MUST be such that a collision of | o The method of token generation MUST be such that a collision of | |||
| QCD tokens between different pairs of IKE SPI will be highly | QCD tokens between different pairs of IKE SPI will be highly | |||
| unlikely. | unlikely. | |||
| For verification, the token taker makes a bitwise comparison of the | ||||
| token stored along with the IKE SA with the token sent in the | ||||
| unprotected message. Multihomed takers might flip back-and-forth | ||||
| between several addresses, and have their tokens replaced as | ||||
| described in Section 4.4. To help avoid the case where the latest | ||||
| stored token does not match the address used after the maker lost | ||||
| state, the token taker MAY store several earlier tokens associated | ||||
| with the IKE SA, and silently discard the SA if any of them matches. | ||||
| 5.1. A Stateless Method of Token Generation | 5.1. A Stateless Method of Token Generation | |||
| The following describes a stateless method of generating a token. In | The following describes a stateless method of generating a token. In | |||
| this case, 'stateless' means not maintaining any per-tunnel state, | this case, 'stateless' means not maintaining any per-tunnel state, | |||
| although there is a small amount of non-volatile storage required. | although there is a small amount of non-volatile storage required. | |||
| o At installation or immediately after the first boot of the token | o At installation or immediately after the first boot of the token | |||
| maker, 32 random octets are generated using a secure random number | maker, 32 random octets are generated using a secure random number | |||
| generator or a PRNG. | generator or a PRNG. | |||
| o Those 32 bytes, called the "QCD_SECRET", are stored in non- | o Those 32 bytes, called the "QCD_SECRET", are stored in non- | |||
| volatile storage on the machine, and kept indefinitely. | volatile storage on the machine, and kept indefinitely. | |||
| skipping to change at page 12, line 36 ¶ | skipping to change at page 12, line 46 ¶ | |||
| TOKEN_SECRET_DATA = HASH(QCD_SECRET | SPI-I | SPI-R | IPaddr-T) | TOKEN_SECRET_DATA = HASH(QCD_SECRET | SPI-I | SPI-R | IPaddr-T) | |||
| The IPaddr-T field specifies the IP address of the token taker. | The IPaddr-T field specifies the IP address of the token taker. | |||
| Secret rollover considerations are similar to those in the previous | Secret rollover considerations are similar to those in the previous | |||
| section. | section. | |||
| Note that with a multi-homed token taker, the QCD token matches just | Note that with a multi-homed token taker, the QCD token matches just | |||
| one of the token taker IP addresses. Usually this is not a problem, | one of the token taker IP addresses. Usually this is not a problem, | |||
| as packets sent to the token maker come out the same IP address. If | as packets sent to the token maker come out the same IP address. If | |||
| for some reason this changes, then the token maker can replace the | for some reason this changes, then the token maker can replace the | |||
| token as described in section 4.4. | token as described in section 4.4. If MOBIKE is used, replacing the | |||
| tokens SHOULD be piggybacked on the INFORMATIONAL exchange with the | ||||
| UPDATE_SA_ADDRESSES notifications. | ||||
| There is a corner case where the token taker begins using a different | There is a corner case where the token taker begins using a new IP | |||
| IP address (because of multi-homing, roaming or normal network | address (because of multi-homing, roaming or normal network | |||
| operations) and the token maker loses state before replacing the | operations) and the token maker loses state before replacing the | |||
| token. In that case, it will send a correct QCD token, but the token | token. In that case, it will send a correct QCD token, but the token | |||
| taker will still have the old token. In that case the extension will | taker will still have the old token. In that case the extension will | |||
| not work, and the peers will revert to RFC 5996 recovery. | not work, and the peers will revert to RFC 5996 recovery. | |||
| 5.3. Token Lifetime | 5.3. Token Lifetime | |||
| The token is associated with a single IKE SA, and SHOULD be deleted | The token is associated with a single IKE SA, and SHOULD be deleted | |||
| by the token taker when the SA is deleted or expires. More formally, | by the token taker when the SA is deleted or expires. More formally, | |||
| the token is associated with the pair (SPI-I, SPI-R). | the token is associated with the pair (SPI-I, SPI-R). | |||
| 6. Backup Gateways | 6. Backup Gateways | |||
| Making crash detection and recovery quick is a worthy goal, but since | Making crash detection and recovery quick is a worthy goal, but since | |||
| rebooting a gateway takes a non-zero amount of time, many | rebooting a gateway takes a non-zero amount of time, many | |||
| implementations choose to have a stand-by gateway ready to take over | implementations choose to have a stand-by gateway ready to take over | |||
| as soon as the primary gateway fails for any reason. [cluster] | as soon as the primary gateway fails for any reason. [RFC6027] | |||
| describes considerations for such clusters of gateways with | describes considerations for such clusters of gateways with | |||
| synchronized state, but the rest of this section is relevant even | synchronized state, but the rest of this section is relevant even | |||
| when there is no synchronized state. | when there is no synchronized state. | |||
| If such a configuration is available, it is RECOMMENDED that the | If such a configuration is available, it is RECOMMENDED that the | |||
| stand-by gateway be able to generate the same token as the active | stand-by gateway be able to generate the same token as the active | |||
| gateway. if the method described in Section 5.1 is used, this means | gateway. if the method described in Section 5.1 is used, this means | |||
| that the QCD_SECRET field is identical in both gateways. This has | that the QCD_SECRET field is identical in both gateways. This has | |||
| the effect of having the crash recovery available immediately. | the effect of having the crash recovery available immediately. | |||
| skipping to change at page 21, line 35 ¶ | skipping to change at page 22, line 14 ¶ | |||
| [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | |||
| "Internet Key Exchange Protocol: IKEv2", RFC 5996, | "Internet Key Exchange Protocol: IKEv2", RFC 5996, | |||
| September 2010. | September 2010. | |||
| 13.2. Informative References | 13.2. Informative References | |||
| [RFC5723] Sheffer, Y. and H. Tschofenig, "IKEv2 Session Resumption", | [RFC5723] Sheffer, Y. and H. Tschofenig, "IKEv2 Session Resumption", | |||
| RFC 5723, January 2010. | RFC 5723, January 2010. | |||
| [cluster] Nir, Y., Ed., "IPsec Cluster Problem Statement", | [RFC6027] Nir, Y., Ed., "IPsec Cluster Problem Statement", RFC 6027, | |||
| draft-ietf-ipsecme-ipsec-ha (work in progress), July 2010. | October 2010. | |||
| [recovery] | [recovery] | |||
| Detienne, F., Sethi, P., and Y. Nir, "Safe IKE Recovery", | Detienne, F., Sethi, P., and Y. Nir, "Safe IKE Recovery", | |||
| draft-detienne-ikev2-recovery (work in progress), | draft-detienne-ikev2-recovery (work in progress), | |||
| January 2010. | July 2009. | |||
| Appendix A. The Path Not Taken | Appendix A. The Path Not Taken | |||
| A.1. Initiating a new IKE SA | A.1. Initiating a new IKE SA | |||
| Instead of sending a QCD token, we could have the rebooted | Instead of sending a QCD token, we could have the rebooted | |||
| implementation start an Initial exchange with the peer, including the | implementation start an Initial exchange with the peer, including the | |||
| INITIAL_CONTACT notification. This would have the same effect, | INITIAL_CONTACT notification. This would have the same effect, | |||
| instructing the peer to erase the old IKE SA, as well as establishing | instructing the peer to erase the old IKE SA, as well as establishing | |||
| a new IKE SA with fewer rounds. | a new IKE SA with fewer rounds. | |||
| End of changes. 18 change blocks. | ||||
| 30 lines changed or deleted | 41 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||