idnits 2.17.1 draft-ietf-ipsec-udp-encaps-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 490 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([Kiv02]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 6 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 400 has weird spacing: '... do best ef...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 2002) is 7986 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC 1122' is defined on line 433, but no explicit reference was found in the text == Unused Reference: 'RFC-2119' is defined on line 436, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2406 (Obsoleted by RFC 4303, RFC 4305) ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306) == Outdated reference: A later version (-08) exists of draft-ietf-ipsec-nat-t-ike-02 Summary: 6 errors (**), 0 flaws (~~), 8 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IP Security Protocol Working Group (IPSEC) A. Huttunen 2 INTERNET-DRAFT F-Secure Corporation 3 Category: Standards track B. Swander 4 Expires: December 2002 Microsoft 5 M. Stenberg 6 SSH Communications Security Corp 7 V. Volpe 8 Cisco Systems 9 L. DiBurro 10 Nortel Networks 11 June 2002 13 UDP Encapsulation of IPsec Packets 14 draft-ietf-ipsec-udp-encaps-03.txt 16 Status of this Memo 18 This document is an Internet-Draft and is in full conformance with 19 all provisions of Section 10 of RFC2026. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF), its areas, and its working groups. Note that 23 other groups may also distribute working documents as 24 Internet-Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six 27 months and may be updated, replaced, or obsoleted by other documents 28 at any time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 The list of current Internet-Drafts can be accessed at 32 http://www.ietf.org/ietf/1id-abstracts.txt. 34 The list of Internet-Draft Shadow Directories can be accessed at 35 http://www.ietf.org/shadow.html. 37 This Internet-Draft will expire on December, 2002. 39 Copyright Notice 41 Copyright (C) The Internet Society (2002). All Rights Reserved. 43 Abstract 45 This draft defines methods to encapsulate and decapsulate ESP 46 packets inside UDP packets for the purpose of traversing NATs. 48 ESP encapsulation as defined in this document is capable of being 49 used in both IPv4 and IPv6 scenarios. 51 The encapsulation is used whenever negotiated using IKE, as 52 defined in [Kiv02]. 54 Change Log 55 Version -01 56 - removed everything related to the AH-protocol 57 - added instructions on how to use the encapsulation with 58 some other key management protocol than IKE 59 Version -02 60 - changed to using 4-byte non-ESP marker, removed all references 61 to using this with other key management protocols 62 - TCP checksum handling for transport mode related discussion 63 modified 64 - copied tunnel mode security considerations from the 65 earlier draft-huttunen-ipsec-esp-in-udp-00.txt draft, 66 added transport mode considerations 67 Version -03 68 - Clarifications to security considerations 70 1. Introduction 72 This draft defines methods to encapsulate and decapsulate ESP 73 packets inside UDP packets for the purpose of traversing NATs. 74 The UDP port numbers are the same as used by IKE traffic, as 75 defined in [Kiv02]. 77 It is up to the need of the clients whether transport mode 78 or tunnel mode is to be supported. L2TP/IPsec clients MUST support 79 transport mode since [RFC 3193] defines that L2TP/IPsec MUST use 80 transport mode], and IPsec tunnel mode clients MUST support tunnel 81 mode. 83 An IKE implementation supporting this draft MUST NOT use the 84 ESP SPI field zero for ESP packets. (XXX To be changed to 85 an IANA allocated SPI value later.) This ensures that 86 IKE packets and ESP packets can be distinguished from each other. 88 UDP encapsulation of ESP packets as defined in this document is 89 written in terms of IPv4 headers. There is no technical reason 90 why an IPv6 header could not be used as the outer header and/or 91 as the inner header. 93 2. Packet Formats 95 2.1 UDP-encapsulated ESP Header Format 97 0 1 2 3 98 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 99 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 100 | Source Port | Destination Port | 101 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 102 | Length | Checksum | 103 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 104 | ESP header [RFC 2406] | 105 ~ ~ 106 | | 107 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 109 The UDP header is a standard [RFC 768] header, where 110 - Source Port and Destination Port are the same as used by 111 floated IKE traffic. 112 - Checksum is zero. 114 The SPI field in the ESP header must not be zero. (XXX To be 115 changed to an IANA allocated SPI value later.) 117 2.2 Floated IKE Header Format 119 0 1 2 3 120 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 122 | Source Port | Destination Port | 123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 124 | Length | Checksum | 125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 126 | Non-ESP Marker | 127 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 128 | IKE header [RFC 2409] | 129 ~ ~ 130 | | 131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 133 The UDP header is a standard [RFC 768] header, and is used 134 as defined in [Kiv02]. 136 Non-ESP Marker is 4 bytes of zero aligning with the SPI field 137 of an ESP packet. (XXX To be changed to an IANA allocated SPI 138 value later.) 140 2.3 NAT-keepalive Packet Format 142 0 1 2 3 143 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 145 | Source Port | Destination Port | 146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 147 | Length | Checksum | 148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 149 | 0xFF | 150 +-+-+-+-+-+-+-+-+ 152 The UDP header is a standard [RFC 768] header, where 153 - Source Port and Destination Port are the same as used by floated 154 IKE traffic. 155 - Checksum is zero. 157 The sender SHOULD use a one octet long payload with the value 0xFF. 158 The receiver SHOULD ignore a received NAT-keepalive packet. 160 3. Encapsulation and Decapsulation Procedures 162 3.1 Auxiliary Procedures 164 3.1.1 Tunnel Mode Decapsulation NAT Procedure 166 When a tunnel mode has been used to transmit packets, the inner 167 IP header can contain addresses that are not suitable for the 168 current network. This procedure defines how these addresses are 169 to be converted to suitable addresses for the current network. 171 Depending on local policy, one of the following MUST be done: 172 a) If a valid source IP address space has been defined in the policy 173 for the encapsulated packets from the peer, check that the source 174 IP address of the inner packet is valid according to the policy. 175 b) If an address has been assigned for the remote peer, check 176 that the source IP address used in the inner packet is the 177 same as the IP address assigned. 178 c) NAT is performed for the packet, making it suitable for transport 179 in the local network. 181 3.1.2 Transport Mode Decapsulation NAT Procedure 183 When a transport mode has been used to transmit packets, contained 184 TCP or UDP headers will contain incorrect checksums due to the change 185 of parts of the IP header during transit. This procedure defines how 186 to fix these checksums. 188 Depending on local policy, one of the following MUST be done: 189 a) If the protocol header after the ESP header is a TCP/UDP 190 header and the peer's real source IP address has been received 191 according to [Kiv02], incrementally recompute the TCP/UDP checksum: 192 - subtract the IP source address in the received packet 193 from the checksum 194 - add the real IP source address received via IKE to the checksum 195 b) If the protocol header after the ESP header is a TCP/UDP 196 header, recompute the checksum field in the TCP/UDP header. 197 c) If the protocol header after the ESP header is an UDP 198 header, zero the checksum field in the UDP header. If the protocol 199 header after the ESP header is a TCP header, and there is an 200 option to flag to the stack that TCP checksum does not need to 201 be computed, then that flag MAY be used. This SHOULD only be done 202 for transport mode, and if the packet is integrity protected. Tunnel 203 mode TCP checksums MUST be verified. 204 [This is not a violation to the spirit of section 4.2.2.7 in RFC 1122 205 because a checksum is being generated by the sender, and verified 206 by the receiver. That checksum is the integrity over the packet 207 performed by IPsec.] 209 In addition an implementation MAY fix any contained protocols that 210 have been broken by NAT. 212 3.2 Transport Mode ESP Encapsulation 214 BEFORE APPLYING ESP/UDP 215 ---------------------------- 216 IPv4 |orig IP hdr | | | 217 |(any options)| TCP | Data | 218 ---------------------------- 220 AFTER APPLYING ESP/UDP 221 ------------------------------------------------------- 222 IPv4 |orig IP hdr | UDP | ESP | | | ESP | ESP| 223 |(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth| 224 ------------------------------------------------------- 225 |<----- encrypted ---->| 226 |<------ authenticated ----->| 228 1) Ordinary ESP encapsulation procedure is used. 229 2) A properly formatted UDP header is inserted where shown. 230 3) The Total Length, Protocol and Header Checksum fields in the 231 IP header are edited to match the resulting IP packet. 233 3.3 Transport Mode ESP Decapsulation 235 1) The UDP header is removed from the packet. 236 2) The Total Length, Protocol and Header Checksum fields in the 237 new IP header are edited to match the resulting IP packet. 238 3) Ordinary ESP decapsulation procedure is used. 239 4) Transport mode decapsulation NAT procedure is used. 241 3.4 Tunnel Mode ESP Encapsulation 243 BEFORE APPLYING ESP/UDP 244 ---------------------------- 245 IPv4 |orig IP hdr | | | 246 |(any options)| TCP | Data | 247 ---------------------------- 249 AFTER APPLYING ESP/UDP 250 -------------------------------------------------------------- 251 IPv4 |new h.| UDP | ESP |orig IP hdr | | | ESP | ESP| 252 |(opts)| Hdr | Hdr |(any options)| TCP | Data | Trailer |Auth| 253 -------------------------------------------------------------- 254 |<------------ encrypted ----------->| 255 |<------------- authenticated ------------>| 257 1) Ordinary ESP encapsulation procedure is used. 258 2) A properly formatted UDP header is inserted where shown. 259 3) The Total Length, Protocol and Header Checksum fields in the 260 new IP header are edited to match the resulting IP packet. 262 3.5 Tunnel Mode ESP Decapsulation 264 1) The UDP header is removed from the packet. 265 2) The Total Length, Protocol and Header Checksum fields in the 266 new IP header are edited to match the resulting IP packet. 267 3) Ordinary ESP decapsulation procedure is used. 268 4) Tunnel mode decapsulation NAT procedure is used. 270 4. NAT Keepalive Procedure 272 The sole purpose of sending NAT-keepalive packets is to keep 273 NAT mappings alive for the duration of a connection between 274 the peers. Reception of NAT-keepalive packets MUST NOT be 275 used to detect liveness of a connection. 277 A peer MAY send a NAT-keepalive packet if there exists one 278 or more phase I or phase II SAs between the peers, or such 279 an SA has existed at most N minutes earlier. N is a locally 280 configurable parameter with a default value of 5 minutes. 282 A peer SHOULD send a NAT-keepalive packet if a need to send such 283 packets is detected according to [Kiv02] and if no other packet to 284 the peer has been sent in M seconds. M is a locally configurable 285 parameter with a default value of 20 seconds. 287 5. Security Considerations 289 5.1 DoS 291 On some systems ESPUDP may have DoS attack consequences, 292 especially if ordinary operating system UDP-functionality is 293 being used. It may be recommended not to open an ordinary UDP-port 294 for this. 296 5.2 Tunnel Mode Conflict 298 Implementors are warned that it is possible for remote peers to 299 negotiate entries that overlap in a GW, an issue affecting tunnel 300 mode. 302 +----+ \ / 303 | |-------------|----\ 304 +----+ / \ \ 305 Ari's NAT 1 \ 306 Laptop \ 307 10.1.2.3 \ 308 +----+ \ / \ +----+ +----+ 309 | |-------------|----------+------| |----------| | 310 +----+ / \ +----+ +----+ 311 Bob's NAT 2 GW Suzy's 312 Laptop Server 313 10.1.2.3 315 Because GW will now see two possible SAs that lead to 10.1.2.3, it 316 can become confused where to send packets coming from Suzy's server. 317 Implementators MUST devise ways of preventing such a thing from 318 occurring. 320 It is recommended that GW either assign locally unique IP addresses 321 to A and B using a protocol such as DHCP over IPsec, or uses NAT to 322 change A's and B's source IP addresses to such locally unique 323 addresses before sending packets forward to S. 325 5.3 Transport Mode Conflict 327 Another similar issue may occur in transport mode, with 2 clients, 328 Ari and Bob, behind the same NAT talking securely to the same server. 330 Cliff wants to talk in the clear to the same server. 332 +----+ 333 | | 334 +----+ \ 335 Ari's \ 336 Laptop \ 337 10.1.2.3 \ 338 +----+ \ / +----+ 339 | |-----+-----------------| | 340 +----+ / \ +----+ 341 Bob's NAT Server 342 Laptop / 343 10.1.2.4 / 344 / 345 +----+ / 346 | |/ 347 +----+ 348 Cliff's 349 Laptop 350 10.1.2.5 352 Now, transport SAs on the server will look like: 353 To Ari: S to NAT, , UDP encap <4500, Y> 354 To Bob: S to NAT, , UDP encap <4500, Z> 356 Cliff's traffic is in the clear, so there is no SA. 358 is the protocol and port information. 359 The UDP encap ports are the ports used in UDP encapsulated 360 ESP format of section 2.1. Y,Z are the dynamic ports assigned 361 by the NAT during the IKE negotiation. So IKE traffic from 362 Ari's laptop goes out on UDP <4500,4500>. It reaches the server 363 as UDP , where Y is the dynamically assigned port. 365 If the overlaps , then 366 simple filter lookups may not be sufficient to determine 367 which SA needs to be used to send traffic. Implementations 368 MUST handle this situation, either by disallowing 369 conflicting connections, or by other means. 371 Assume now that Cliff wants to connect to the server S in the 372 clear. This is going to be difficult to configure since 373 the server already has a policy from S to the NAT's external 374 address, for securing . For totally non-overlapping 375 traffic descriptions, this is possible. 377 Sample server policy could be: 378 To Ari: S to NAT, All UDP, secure 379 To Bob: S to NAT, All TCP, secure 380 To Cliff: S to NAT, ALL ICMP, clear text 382 Note, this policy also lets Ari and Bob send cleartext ICMP to the 383 server. 385 The server sees all clients behind the NAT as the same IP address, 386 so setting up different policies for the same traffic descriptor 387 is in principle impossible. 389 A problematic example configuration on the server is: 391 S to NAT, TCP, secure (for Ari and Bob) 392 S to NAT, TCP, clear (for Cliff) 394 The problem is that the server cannot enforce his policy, since it 395 is possible that misbehaving Bob sends traffic in the clear. This 396 is indistinguishable from Cliff sending traffic in the clear. 397 So it is impossible to guarantee security from some clients behind 398 a NAT, and also allow clear text from different clients behind the 399 SAME NAT. If the server's security policy allows, however, it can 400 do best effort security: if the client from behind the NAT 401 initiates security, his connection will be secured. If he sends 402 in the clear, the server will still accept that clear text. 404 So, for security guarantees, the above problematic scenario MUST NOT 405 be allowed on servers. For best effort security, this scenario MAY 406 be used. 408 6. Intellectual Property Rights 410 The IETF has been notified of intellectual property rights claimed in 411 regard to some or all of the specification contained in this document. 412 For more information consult the online list of claimed rights. 414 SSH Communications Security Corp has notified the working group of one 415 or more patents or patent applications that may be relevant to this 416 internet-draft. SSH Communications Security Corp has already given a 417 licence for those patents to the IETF. For more information consult the 418 online list of claimed rights. 420 7. Acknowledgments 422 Thanks to Tero Kivinen and William Dixon who contributed actively 423 to this document. 425 Thanks to Joern Sierwald, Tamir Zegman, Tatu Ylonen and 426 Santeri Paavolainen who contributed to the previous drafts 427 about NAT traversal. 429 8. References 431 [RFC 768] Postel, J., "User Datagram Protocol", August 1980 433 [RFC 1122] R. Braden (Editor), "Requirements for Internet Hosts 434 -- Communication Layers", October 1989 436 [RFC-2119] Bradner, S., "Key words for use in RFCs to indicate 437 Requirement Levels", March 1997 439 [RFC 2406] Kent, S., "IP Encapsulating Security Payload (ESP)", 440 November 1998 442 [RFC 2409] D. Harkins, D. Carrel, "The Internet Key Exchange 443 (IKE)", November 1998 445 [RFC 3193] Patel, B. et. al, "Securing L2TP using IPsec", 446 November 2001 448 [Kiv02] Kivinen, T. et. al., draft-ietf-ipsec-nat-t-ike-02.txt, 449 "Negotiation of NAT-Traversal in the IKE", April 2002 451 9. Authors' Addresses 453 Ari Huttunen 454 F-Secure Corporation 455 Tammasaarenkatu 7 456 FIN-00181 HELSINKI 457 Finland 458 E-mail: Ari.Huttunen@F-Secure.com 460 Brian Swander 461 Microsoft 462 One Microsoft Way 463 Redmond WA 98052 464 E-mail: briansw@microsoft.com 466 Markus Stenberg 467 SSH Communications Security Corp 468 Fredrikinkatu 42 469 FIN-00100 HELSINKI 470 Finland 471 E-mail: mstenber@ssh.com 473 Victor Volpe 474 Cisco Systems 475 124 Grove Street 476 Suite 205 477 Franklin, MA 02038 478 E-mail: vvolpe@cisco.com 480 Larry DiBurro 481 Nortel Networks 482 80 Central Street 483 Boxborough, MA 01719 484 ldiburro@nortelnetworks.com