Network Working Group                                        V. Smyslov
Internet-Draft                                               ELVIS-PLUS
Updates: 4555, 6311 (if approved)                     November 30, 2017
Intended status: Standards Track
Expires: June 3, 2018


          Responder Initiated IP Addresses Update in MOBIKE
               draft-smyslov-ipsecme-ikev2-r-mobike-01

Abstract

   IKEv2 Mobility and Multihoming Protocol (MOBIKE) allows peers to
   update their IP addresses without re-establishing IKE and IPsec
   Security Associations (SAs).  In the MOBIKE protocol it is the
   Initiator of the IKE SA who is responsible for selecting new SA
   addresses and for initiating the IP addresses update procedure.  This
   document presents an extension to the MOBIKE protocol that allows the
   Responder to initiate the update.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 3, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology and Notation
   3.  Protocol Overview
   4.  Protocol Description
     4.1.  Capability Advertising
     4.2.  Responder Initiated IP Address Update
       4.2.1.  High Availability Cluster Scenario
   5.  Payload Formats
     5.1.  MOBIKE_SUPPORTED Notification
     5.2.  SWITCH_TO_IP_ADDRESS Notification
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Author's Address

1.  Introduction

   The Internet Key Exchange protocol version 2 (IKEv2), specified in
   [RFC7296], is a key part of the IP Security (IPsec) architecture.
   It allows peers to perform an authenticated key exchange, which
   results in establishing an IKE Security Association (IKE SA), and to
   create data protection channels called IPsec Security Associations
   (IPsec SAs).  In the original IKEv2 the IKE and IPsec SAs are
   established between the IP addresses used in the IKEv2 negotiation.
   The IKEv2 Mobility and Multihoming Protocol (MOBIKE), specified in
   [RFC4555], extends the IKEv2 functionality by allowing peers to
   dynamically change the IP addresses of the established SAs without
   the need to re-establish these SAs.

   The main use case for the MOBIKE protocol is a remote access user
   that travels and moves from one IP address to another without
   re-establishing existing SAs with the VPN gateway.  However, MOBIKE
   also supports more complex scenarios in which the VPN gateway is
   multihomed and its addresses may change over time.

   In MOBIKE it is the Initiator (e.g. the remote access client) who is
   responsible for detecting the working IP address pairs and for
   deciding which pair to use.  In other words, the Responder (e.g. the
   VPN gateway) plays a passive role and can neither initiate the IP
   address update process nor tell the Initiator which IP address it
   prefers to be used.  This limitation makes the use of complex
   scenarios less efficient and decreases the value of the MOBIKE
   protocol.

   For example, if the VPN gateway is a load sharing cluster where each
   node has its own IP address, then the cluster must be able to move an
   SA between nodes depending on their current load.  Currently the
   Redirect Mechanism for IKEv2 [RFC5685] can accomplish this task;
   however, it requires the IKE SA to be re-established, which is very
   inefficient.  Another possible solution is to use IKE SA Cloning
   along with MOBIKE (see [RFC7791] for a scenario description), but the
   limitation of the MOBIKE protocol makes this problematic.
   Obviously, the client has insufficient information to select when
   and to which of the cluster IP addresses to move an SA, and the VPN
   gateway has no means to provide the client with this information.

   This specification extends the MOBIKE protocol by adding the ability
   for the Responder to ask the Initiator for an IP address update and
   to provide it with the new IP address to use.

2.  Terminology and Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   In this document the term "Initiator" means the party who originally
   initiated the first IKE SA (in a series of possibly several rekeyed
   IKE SAs), and "Responder" means the other party.  This is consistent
   with the way these terms are used in [RFC4555].  Note that in
   [RFC7296] the terms "original initiator" and "original responder"
   mean the party who initiated (or responded to) the latest IKE SA in
   a series of possibly several rekeyed IKE SAs.

3.  Protocol Overview

   The MOBIKE protocol is designed in such a way that it is the IKE SA
   Initiator who is responsible for performing the actions concerned
   with selecting a working IP address pair and for initiating an IP
   addresses update exchange.  Usually the Initiator selects an IP
   address pair by continuously probing different pairs and choosing
   the working one.  If several pairs work, then the choice between them
   is arbitrary.  The Responder cannot influence the selection process
   and cannot ask the client to immediately switch to a particular
   gateway address.  As a result, the process of selecting a new pair
   takes substantial time and may end up with a suboptimal path.
   Moreover, in case the Responder isn't multihomed (and thus doesn't
   provide the Initiator with a list of additional IP addresses), a
   change of its IP address cannot be handled by MOBIKE.

   Obviously, this limitation comes from the fact that there might be
   middleboxes on the path (like Network Address Translators (NATs) or
   firewalls) that may disallow IP packets coming from the VPN gateway
   to the client unless the client first contacts the VPN gateway.  For
   example, the client might reside behind a dynamic NAT that creates a
   mapping when an IP packet first comes from the client to the gateway.
   If the gateway tries to send an IP packet to the client from a
   different IP address, the packet would be dropped since the NAT box
   has no corresponding mapping.

   This specification provides the following solution to the described
   problem.  When the Responder decides that its end of an existing SA
   should be switched from its original IP address IP_R1 to a new
   address IP_R2, it initiates an INFORMATIONAL exchange containing a
   new notification, SWITCH_TO_IP_ADDRESS, that carries IP_R2.  The
   request message of this exchange is sent from the IP_R1 address, so
   that the existing middlebox mappings are used and the message can
   reach the Initiator.  However, the response message is sent to the
   newly presented IP_R2 address, so that new middlebox mappings are
   created.  Once the Initiator completes the exchange containing the
   SWITCH_TO_IP_ADDRESS notification, it immediately initiates the
   standard MOBIKE procedure for updating SA addresses by starting an
   INFORMATIONAL exchange containing the UPDATE_SA_ADDRESSES
   notification.

4.  Protocol Description

4.1.  Capability Advertising

   According to [RFC4555], the peers must exchange MOBIKE_SUPPORTED
   notifications in the IKE_AUTH exchange before they can use the MOBIKE
   protocol.
   If the Initiator supports this specification and is willing to use
   it, then it MUST include a single octet 0x52 ('R') in the
   notification data of the MOBIKE_SUPPORTED notification sent to the
   Responder.  There is no need for the Initiator to know whether the
   Responder supports this specification or not, so the
   MOBIKE_SUPPORTED notification sent by the Responder has empty
   notification data.

   Note that [RFC4555] specifies that the MOBIKE_SUPPORTED notification
   must contain no data when sent and that the content of the
   notification data must be ignored when parsed.  So, if the Responder
   doesn't support this specification, it will just ignore the content
   of the MOBIKE_SUPPORTED notification and will use MOBIKE without this
   extension.

   (IP_I1:500 -> IP_R1:500)
   HDR, SAi1, KEi, Ni,
   N(NAT_DETECTION_SOURCE_IP),
   N(NAT_DETECTION_DESTINATION_IP)  -->

                                <--  (IP_R1:500 -> IP_I1:500)
                                     HDR, SAr1, KEr, Nr,
                                     N(NAT_DETECTION_SOURCE_IP),
                                     N(NAT_DETECTION_DESTINATION_IP)

   (IP_I1:4500 -> IP_R1:4500)
   HDR, SK { IDi, CERT, AUTH,
             SAi2, TSi, TSr,
             N(MOBIKE_SUPPORTED('R')) }  -->

                                <--  (IP_R1:4500 -> IP_I1:4500)
                                     HDR, SK { IDr, CERT, AUTH,
                                               SAr2, TSi, TSr,
                                               N(MOBIKE_SUPPORTED),
                                               N(ADDITIONAL_IP4_ADDRESS) }

4.2.  Responder Initiated IP Address Update

   If the Initiator advertised its support for this specification during
   the initial exchange as described in Section 4.1, then the Responder
   is free to initiate an IP Address Update request at any time.  If the
   Initiator doesn't indicate its support for this extension, then the
   Responder MUST NOT initiate an IP Address Update request.  The IP
   Address Update request MUST NOT be initiated by the Initiator; the
   Responder MUST take no action if it receives such a request (apart
   from sending an empty response message to complete the exchange).
   It is up to the Responder to decide when to initiate an IP Address
   Update request and what new address to include in it.  Some of the
   possible reasons are:

   o  The Responder is multihomed and wishes to switch the SA to a
      different IP address.

   o  The Responder is a cluster and wishes to move the SA to a
      different node having its own IP address.

   The Responder requests the Initiator to update the SA address by
   initiating an INFORMATIONAL exchange containing a new status type
   notification, SWITCH_TO_IP_ADDRESS.  The notification data of this
   notification contains the new IP address the Responder requests the
   Initiator to use for the IKE SA and its Child SAs.  Note that the
   exchange request message MUST be sent using the old SA addresses.  In
   the example below the SA was established using the IP_I1 and IP_R1
   addresses for the Initiator and Responder respectively, and the
   Responder wishes to change the address of its end of the SA to IP_R2.
   So, it initiates the INFORMATIONAL exchange from the IP_R1 address
   containing the SWITCH_TO_IP_ADDRESS notification with the IP_R2
   address.  However, since the response message should come to the new
   address (IP_R2), at this point the Responder MUST be able to receive
   packets on the IP address it included in the SWITCH_TO_IP_ADDRESS
   notification.

                                <--  (IP_R1:4500 -> IP_I1:4500)
                                     HDR, SK { N(SWITCH_TO_IP_ADDRESS(IP_R2)) }

   Since the request is sent using the old SA addresses, it is expected
   to pass through the middleboxes and reach the Initiator, because it
   uses the existing mappings.

   Upon receiving the SWITCH_TO_IP_ADDRESS notification the Initiator
   extracts its content and decides whether the received IP address is
   appropriate for the SA.  If the received IP address is among the
   addresses previously received from the Responder in
   ADDITIONAL_IP4_ADDRESS or ADDITIONAL_IP6_ADDRESS notifications, then
   it is definitely appropriate for the SA.
   Otherwise, local policy must be consulted to decide whether the
   received IP address is appropriate.  If the address is considered
   inappropriate, then the Initiator MUST complete the exchange by
   sending an empty message to the old address (IP_R1) and continue to
   use this address.  It is RECOMMENDED that the Initiator immediately
   initiates a Liveness Check exchange to ensure that the Responder is
   able to operate using the old address.

   (IP_I1:4500 -> IP_R1:4500)
   HDR, SK {}  -->

   If the Initiator decides that the received address is appropriate, it
   completes the exchange by sending an empty response message to the
   newly received address (IP_R2).  Since the response message to the
   new Responder's address flows in the original direction (from the
   Initiator to the Responder), it should create new mappings in the
   middleboxes, thus allowing further communication between the peers.
   After the response message is sent, the Initiator MUST immediately
   initiate an IP address update procedure according to the MOBIKE
   specification by sending an INFORMATIONAL exchange request message
   containing the UPDATE_SA_ADDRESSES notification.  See [RFC4555] for
   details.  As a result, the remote IP address of the SA is changed
   from IP_R1 to IP_R2.  Note that only the IP address is changed; the
   port remains the same.

   (IP_I1:4500 -> IP_R2:4500)
   HDR, SK {}  -->

   (IP_I1:4500 -> IP_R2:4500)
   HDR, SK { N(UPDATE_SA_ADDRESSES),
             N(NAT_DETECTION_SOURCE_IP),
             N(NAT_DETECTION_DESTINATION_IP),
             N(COOKIE2) }  -->

                                <--  (IP_R2:4500 -> IP_I1:4500)
                                     HDR, SK { N(NAT_DETECTION_SOURCE_IP),
                                               N(NAT_DETECTION_DESTINATION_IP),
                                               N(COOKIE2) }

   The Responder MUST NOT change the IP address of the SA until it
   receives the UPDATE_SA_ADDRESSES notification from the Initiator.
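   The decision rules of Section 4.2 in code, as an added example that is
   not part of the draft: the Initiator's check of a received
   SWITCH_TO_IP_ADDRESS (advertised addresses are always acceptable,
   anything else goes to local policy) and a Responder-side record of the
   SA that changes its own address only when UPDATE_SA_ADDRESSES arrives
   and tears down or keeps the SA when the switch request goes unanswered.
   The class and function names and the policy callback are assumptions;
   messages are modelled as plain Python values rather than IKEv2 packets.

```python
import ipaddress
from enum import Enum


class InitiatorAction(Enum):
    """What the Initiator does after answering SWITCH_TO_IP_ADDRESS."""
    KEEP_OLD_THEN_LIVENESS_CHECK = 1     # empty reply to IP_R1, then Liveness Check
    SWITCH_THEN_UPDATE_SA_ADDRESSES = 2  # empty reply to IP_R2, then UPDATE_SA_ADDRESSES


def initiator_on_switch(new_addr, old_addr, advertised, policy_allows):
    """Initiator side of Section 4.2.

    advertised:    addresses earlier received in ADDITIONAL_IP4_ADDRESS /
                   ADDITIONAL_IP6_ADDRESS notifications (always acceptable).
    policy_allows: local-policy callback, consulted only for other addresses.
    Returns (address the empty response goes to, follow-up action)."""
    new_ip = ipaddress.ip_address(new_addr)
    known = {ipaddress.ip_address(a) for a in advertised}
    if new_ip in known or policy_allows(new_ip):
        return new_ip, InitiatorAction.SWITCH_THEN_UPDATE_SA_ADDRESSES
    return ipaddress.ip_address(old_addr), InitiatorAction.KEEP_OLD_THEN_LIVENESS_CHECK


class ResponderSA:
    """Responder's view of one IKE SA.  Its own address changes only when
    UPDATE_SA_ADDRESSES arrives, never merely because it asked for a switch."""

    def __init__(self, own_addr, advertised=()):
        self.own_addr = ipaddress.ip_address(own_addr)
        self.advertised = {ipaddress.ip_address(a) for a in advertised}
        self.pending = None        # address offered in SWITCH_TO_IP_ADDRESS
        self.torn_down = False

    def request_switch(self, new_addr):
        """Build the SWITCH_TO_IP_ADDRESS request.  It leaves from the OLD
        address, so the existing middlebox mappings carry it to the peer."""
        self.pending = ipaddress.ip_address(new_addr)
        return {"src": self.own_addr, "SWITCH_TO_IP_ADDRESS": self.pending}

    def on_request(self, dst_addr, notifies):
        """Handle an INFORMATIONAL request the Initiator sent to dst_addr."""
        dst = ipaddress.ip_address(dst_addr)
        if "UPDATE_SA_ADDRESSES" in notifies and dst == self.pending:
            self.own_addr, self.pending = dst, None   # the only place we switch
        # An Initiator-sent SWITCH_TO_IP_ADDRESS gets an empty reply, no action.
        return {"src": self.own_addr, "notifies": []}

    def on_switch_unanswered(self, old_addr_reachable):
        """No response after the retransmissions: tear down only if the old
        address is gone and nothing else was advertised; otherwise keep the
        SA and let the Initiator detect the failure itself."""
        self.pending = None
        if not old_addr_reachable and not self.advertised:
            self.torn_down = True
            return "TEARDOWN"
        return "KEEP"
```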
   Note that there is no need for the Responder to perform a Return
   Routability check once the addresses are updated, since it itself
   requested the change of the SA's IP address and it successfully
   received a response from the Initiator sent to the new address.
   However, depending on the Responder's policy, the Return Routability
   check MAY be performed.

   If the Responder doesn't receive a response message to a request
   containing the SWITCH_TO_IP_ADDRESS notification after several
   retransmissions, then it means that either the request or the
   response message cannot use the new path and pass through the
   middleboxes.  In this case the Responder's behavior depends on
   whether it advertised additional IP addresses before and whether the
   old SA address is still available.

   If the old SA address is unavailable and no alternative addresses
   were advertised before, then the IKE SA and all associated Child SAs
   MUST be torn down.  Otherwise the SA MAY be kept in anticipation that
   the Initiator will after some time detect the old IP address failure
   itself and perform an IP addresses update.

4.2.1.  High Availability Cluster Scenario

   In case a VPN gateway is a cluster consisting of several nodes each
   having its own IP address, both Load Sharing (LS) and High
   Availability (HA) goals may be achieved.  For the purposes of HA all
   the nodes share the IKE SA state, while only one of them communicates
   with the IKE SA peer at any given time.  If the active node fails,
   the other nodes detect this fact and select a new active node for the
   SAs the failed node served.  The selected node must then instruct the
   failed node's peers to switch their SAs to the new IP address using
   this specification.

   Since some exchanges might be in progress when the active node fails,
   special measures must be taken to ensure that the IKE SA state is
   synchronised between the new active cluster node and the client.
   Protocol Support for High Availability of IKEv2/IPsec [RFC6311]
   describes the necessary measures.  In particular, the new active node
   initiates an INFORMATIONAL exchange containing the
   IKEV2_MESSAGE_ID_SYNC notification and optionally the
   IPSEC_REPLAY_COUNTER_SYNC notification.  [RFC6311] states that no
   other payload must be included in this exchange.  However, in case
   the IP address of the new active node differs from the IP address of
   the failed active node, it is necessary to combine the
   IKEV2_MESSAGE_ID_SYNC and the SWITCH_TO_IP_ADDRESS notifications in
   one exchange.  So, this specification updates [RFC6311] in this
   regard: if HA cluster nodes have different IP addresses, then in case
   of failover the request to synchronize Message IDs and the request to
   change the IP address MUST be sent together in the same INFORMATIONAL
   exchange.

                                <--  (IP_R1:4500 -> IP_I1:4500)
                                     HDR, SK { N(SWITCH_TO_IP_ADDRESS(IP_R2)),
                                               N(IKEV2_MESSAGE_ID_SYNC),
                                               [N(IPSEC_REPLAY_COUNTER_SYNC)] }

   (IP_I1:4500 -> IP_R2:4500)
   HDR, SK { N(IKEV2_MESSAGE_ID_SYNC) }  -->

   Once this exchange is completed, the client MUST immediately perform
   an IP address update procedure according to the MOBIKE specification
   as described in Section 4.2.

5.  Payload Formats

5.1.  MOBIKE_SUPPORTED Notification

   The MOBIKE_SUPPORTED Notification is defined in [RFC4555],
   Section 4.2.1 with the Notify Message Type 16396.  This definition
   requires the notification data to be empty when sent and to be
   ignored when the notification is received.

   This document updates the definition from [RFC4555].  The Exchange
   Initiator sets the notification data of the MOBIKE_SUPPORTED
   Notification to a single octet 0x52 ('R') to indicate that this
   specification is supported.

5.2.  SWITCH_TO_IP_ADDRESS Notification

   The Notify Message Type for this notification is .  The
   notification data contains the new Responder's IP address.
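   The wire encoding of both notifications defined in Section 5, as an
   added example that is not part of the draft: it packs and parses the
   IKEv2 Notify payload header (RFC 7296, Section 3.10) with Protocol ID
   and SPI Size zero, the single 'R' octet of Section 4.1, and the 4- or
   16-octet address data of Section 5.2, rejecting any other length.
   The SWITCH_TO_IP_ADDRESS type number is unassigned in the draft, so the
   value used is a placeholder; the function names are assumptions.

```python
import ipaddress
import struct

# Notify Message Type values.  MOBIKE_SUPPORTED is 16396 [RFC4555].  The
# draft leaves the SWITCH_TO_IP_ADDRESS number unassigned, so the value
# below is a PLACEHOLDER in the private-use range, not an IANA assignment.
MOBIKE_SUPPORTED = 16396
SWITCH_TO_IP_ADDRESS = 0xFFFE          # placeholder for this example only
R_MOBIKE_FLAG = b"\x52"                # single octet 'R' from Section 4.1

# Fixed part of the Notify payload (RFC 7296, Section 3.10): Next Payload,
# Critical/Reserved, Payload Length, Protocol ID, SPI Size, Notify Message
# Type.  Both notifications here use Protocol ID 0 and SPI Size 0.
NOTIFY_HDR = struct.Struct("!BBHBBH")


def build_notify(msg_type, data=b"", next_payload=0):
    """Encode one Notify payload that carries no SPI."""
    return NOTIFY_HDR.pack(next_payload, 0, NOTIFY_HDR.size + len(data),
                           0, 0, msg_type) + data


def parse_notify(buf):
    """Decode one Notify payload from the start of buf.

    Returns (next_payload, protocol_id, msg_type, spi, data, consumed).
    Length fields are checked before slicing, so a short or inconsistent
    payload raises instead of being silently truncated."""
    if len(buf) < NOTIFY_HDR.size:
        raise ValueError("truncated Notify payload header")
    nxt, _, length, proto, spi_size, msg_type = NOTIFY_HDR.unpack_from(buf)
    if length < NOTIFY_HDR.size + spi_size or length > len(buf):
        raise ValueError("inconsistent Notify payload length")
    spi = buf[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    data = buf[NOTIFY_HDR.size + spi_size:length]
    return nxt, proto, msg_type, spi, data, length


def mobike_supported_data(r_mobike):
    """Initiator side: 'R' if this extension is offered, else empty."""
    return R_MOBIKE_FLAG if r_mobike else b""


def peer_offers_r_mobike(data):
    """Responder side: the extension is offered only by exactly one 'R'
    octet.  Any other content is ignored, as RFC 4555 requires for
    MOBIKE_SUPPORTED data, and simply means plain MOBIKE."""
    return data == R_MOBIKE_FLAG


def switch_to_ip_address_data(addr):
    """Section 5.2 data: 4 octets for IPv4, 16 octets for IPv6."""
    return ipaddress.ip_address(addr).packed


def parse_switch_to_ip_address(data):
    """Accept only the two defined lengths before decoding."""
    if len(data) not in (4, 16):
        raise ValueError("SWITCH_TO_IP_ADDRESS data must be 4 or 16 octets")
    return ipaddress.ip_address(data)


def new_responder_address(notify_bytes):
    """Parse a Notify payload; return the offered address for
    SWITCH_TO_IP_ADDRESS, or None for any other notification type."""
    _, proto, msg_type, spi, data, _ = parse_notify(notify_bytes)
    if msg_type != SWITCH_TO_IP_ADDRESS:
        return None
    if proto != 0 or spi:
        raise ValueError("SWITCH_TO_IP_ADDRESS must carry no Protocol ID or SPI")
    return parse_switch_to_ip_address(data)
```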
   For IPv4, the notification data is 4 octets long and is defined as
   follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 New Responder's IPv4 Address                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   For IPv6, the notification data is 16 octets long and is defined as
   follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 New Responder's IPv6 Address                  |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Protocol ID and SPI Size fields are set to zero.

6.  Security Considerations

   This specification is an extension of the MOBIKE protocol, so the
   Security Considerations described in [RFC4555] apply.

7.  IANA Considerations

   This document defines new Notify Message Types in the "IKEv2 Notify
   Message Types - Status Types" registry:

      SWITCH_TO_IP_ADDRESS

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4555]  Eronen, P., "IKEv2 Mobility and Multihoming Protocol
              (MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006.

   [RFC6311]  Singh, R., Ed., Kalyani, G., Nir, Y., Sheffer, Y., and D.
              Zhang, "Protocol Support for High Availability of IKEv2/
              IPsec", RFC 6311, DOI 10.17487/RFC6311, July 2011.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014.

8.2.  Informative References

   [RFC5685]  Devarapalli, V. and K.
              Weniger, "Redirect Mechanism for the Internet Key Exchange
              Protocol Version 2 (IKEv2)", RFC 5685,
              DOI 10.17487/RFC5685, November 2009.

   [RFC7791]  Migault, D., Ed. and V. Smyslov, "Cloning the IKE Security
              Association in the Internet Key Exchange Protocol Version
              2 (IKEv2)", RFC 7791, DOI 10.17487/RFC7791, March 2016.

Author's Address

   Valery Smyslov
   ELVIS-PLUS
   PO Box 81
   Moscow (Zelenograd) 124460
   Russian Federation

   Phone: +7 495 276 0211
   Email: svan@elvis.ru