Network Working Group | Amjad. Inamdar |
Internet-Draft | R. Singh |
Intended status: Standards Track | Cisco |
Expires: September 13, 2014 | March 12, 2014 |
IKEv2 based lightweight secure data communication
draft-amjads-ipsecme-ikev2-data-channel-01 (D-IKE)
The Internet Key Exchange (IKEv2) protocol provides authentication, confidentiality, integrity, data-origin authentication and anti-replay. Currently, IKEv2 is mainly used as a control channel to negotiate IPsec SA(s). IPsec is not well suited to provide transport layer security for applications as it resides at the network layer and most of the IPsec implementations require integration into operating systems making it difficult to deploy. IPsec uses different sessions for control and data traffic which is not NAT and load balancer friendly. TLS/DTLS, the other popular security mechanism to provide the above security services does not mandate mutual peer authentication and Diffie Hellman exchange.
This document describes an IKEv2 based lightweight secure data communication protocol and a way to provide transport layer security for UDP client/server applications. The protocol provides integrity protected encryption and integrity-only protection based on application needs. As most of the IoT applications are UDP based, IKEv2 can be used for key management as well secure data communication in IoT due to its simplicity, scalability, lightweightedness and ease of deployment.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Internet Key Exchange Protocol version 2 (IKEv2), specified in RFC5996 [RFC5996], is a UDP based protocol that provides a secure communication channel similar to ESP defined in RFC4303 [RFC4303]. IKEv2 defines mechanisms for mutual authentication of peers, key management, SA management and exchange of configuration information. IKEv2 is mainly used as a secure control channel to negotiate child IPsec SAs. As IKEv2 provides encryption, integrity protection, data origin authenication and replay protection similar to ESP, IKEv2 can be leveraged for secure data communication. This document defines an IKEv2 based secure data communication mechanism (henceforth referred to as D-IKE) and describes a way to secure UDP applications with D-IKE. While the IKE control channel is always encryption and integrity protected, the IKE data channel can provide encryption and integrity protection as well as integrity-only protection depending on the needs of the application.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
Each UDP application using D-IKE for security will use different UDP port numbers. So with D-IKE, IKEv2 packets are no longer identified by UDP ports 500 and 4500. D-IKE will use a different UDP port number for each UDP application to carry the D-IKE control messages for IKEv2 negotiation as well as application data. The first octet in the UDP payload will identify D-IKE control and data packets. D-IKE control packets will carry the IKEv2 header and payloads as defined in RFC5996 [RFC5996] and will be used to negotiate a childless IKEv2 session between UDP client and server. D-IKE data packets will carry encrypted and authenticated UDP application data.
The following diagram depicts the format of UDP encapsulated D-IKE control and Data packets.
+------------+------+----------+---------------------------+ | UDP Header | Type | RESERVED | D-IKE Control/Data Packet | +------------+------+----------+---------------------------+ |<---------------- UDP Payload -------------->|
Encapsulation of D-IKE packets
D-IKE can provide integrity-only protection in addition to integrity protected encryption. D-IKE does not negotiate child IPsec SAs in the IKEv2 initial exchange and subsequently as depicted in D-IKE Negotiation section, similar to Childless IKEv2 defined in RFC6023 [RFC6023].
Please refer the appendix section of this document for details on the alternative mechanisms that were considered for data communication over IKEv2 and their drawbacks.
This document introduces the concept of D-IKE sockets to secure communication between UDP client/server applications. D-IKE socket is an IKEv2 session between a UDP client and server uniquely identified by the 4 tuple of client and server IP addresses and UDP ports.
+--------------+ +--------------+ | UDP Client | | UDP Service | +--------------+ +--------------+ | D-IKE socket | | D-IKE socket | +--------------+ +--------------+ | UDP | | UDP | +--------------+ +--------------+ | IP |<------------>| IP | +--------------+ +--------------+
D-IKE Sockets
UDP Client UDP Server ---------- ---------- | | |<-------- IKE negotiation --------->| | | |<----- Secure Data Transfer ------->| | |
Secure UDP communication over D-IKE
For a node running multiple UDP applications(Clients and/or Services), each UDP application will have a unique D-IKE socket
+----------------+----------------+----------------+ | UDP App 1 | UDP App 2 | UDP App N | +----------------+----------------+----------------+ | D-IKE socket 1 | D-IKE socket 2 | D-IKE socket N | +----------------+----------------+----------------+ | UDP | +--------------------------------------------------+ | IP | +--------------------------------------------------+
D-IKE socket per UDP Application
A well known UDP service can simultaneously open a UDP socket as well as D-IKE socket.
+--------------+ +---------------------------+ +------------+ | UDP Client | | UDP Service | | UDP Client | +--------------+ +---------------------------+ +------------+ | D-IKE socket | | D-IKE socket | UDP Socket |<-->| UDP Socket | +--------------+ +--------------+------------+ +------------+ | UDP |<-->| UDP | |<-- Unsecured -->| +--------------+ +--------------+ Communication |<----- Secure ----->| Communication
Securing UDP Applications using D-IKE
The following diagram shows the format of D-IKE packet.
|<------------- D-IKE packet -------------->| +----+------+--------+-------------+---------+----------+ | IP | UDP | D-IKE | UDP App | D-IKE | D-IKE | | | | Header | Data | Trailer | Checksum | +----+------+--------+-------------+-- ------+----------+ | |<----- Encrypted ----->| |<----- Integrity Protected ---->|
D-IKE packet format
D-IKE packet consists of D-IKE header, UDP application data, an optional D-IKE trailer and D-IKE integrity checksum value.
This document proposes following extensions to IKEv2 protocol for data communication:
D-IKE will support the following data protection modes:
This protection mode provides encryption and integrity protection of D-IKE packets similar to the IKEv2 Encrypted payload as defined in RFC5996 [RFC5996]
The UDP app data and D-IKE trailer are encrypted and the D-IKE header, UDP app data and D-IKE trailer are integrity protected.
+----+------+--------+-------------+---------+----------+ | IP | UDP | D-IKE | UDP App | D-IKE | D-IKE | | | | Header | Data | Trailer | Checksum | +----+------+--------+-------------+-- ------+----------+ | |<----- Encrypted ----->| |<----- Integrity Protected ---->|
Encryption and Integrity protection
This protection mode provides integrity protection of IKEv2 data packets and no encryption similar to ESP null encryption as described in RFC4303 [RFC4303]. This is suitable for applications that just need data integrity and not confidentiality such as routing protocol exchanges. It may be noted that integrity only protection applies only to D-IKE packets and that D-IKE control packets will always use integrity protected encryption.
The UDP app data and D-IKE trailer are encrypted and the D-IKE header, UDP app data and D-IKE trailer are integrity protected.
+----+------+--------+-------------+----------+ | IP | UDP | D-IKE | UDP App | D-IKE | | | | Header | Data | Checksum | +----+------+--------+-------------+----------+ |<---- Integrity ----->| Protected
Integrity only protection
IKEv2 nodes can negotiate to use D-IKE and its capabilities by exchanging D-IKE_SUPPORTED Notify type in IKE_SA_INIT exchange.
Initiator Responder ------------------------------------------------------ HDR, SAi1, KEi, Ni [N(D-IKE_SUPPORTED)] --> <-- HDR, SAr1, KEr, Nr, [CERTREQ] N(D-IKE_SUPPORTED) HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, [CP(CFG_REQUEST)] --> <-- HDR, SK {IDr, [CERT,] AUTH, [CP(CFG_REPLY)]
IKEv2 data channel negotiation
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload !C! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Protocol ID ! SPI Size ! Notify Message Type ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Flags ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
D-IKE_SUPPORTED Notify payload
The first octet in the UDP payload will identify D-IKE control and data packets. D-IKE control packets will carry the IKEv2 header and payloads as defined in RFC 5996 and will be used to negotiate a childless IKEv2 session between UDP client and server. D-IKE data packets will carry encrypted and authenticated UDP application data.
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ IKEv2 Header and payloads ~ | or | | D-IKE data payload | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
D-IKE Control and Data packets
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initialization Vector | | (length is block size for encryption algorithm) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Encrypted/Cleartext Data ~ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Padding (0-255 octets) | +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ | | Pad Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Integrity Checksum Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
D-IKE payload
This protocol variation inherits all the security properties of regular IKEv2 as described in [RFC5996]. The new notification carried in the initial exchange advertises the capability, and cannot be forged or added by an adversary without being detected, because the response to the initial exchange is authenticated with the AUTH payload of the IKE_AUTH exchange. IKEv2 data payload inherits all security properties of ESP protocol defined in [RFC4303].
This document introduces one new IKEv2 Notification Message types as described in Section 11.1. The new Notify Message Types must be assigned values between 16429 and 40959.
For UDP applications that need a well known port number to secure the application using D-IKE (for example, CoAP over D-IKE), the port number MUST be reserved from IANA.
We would like to thank following people (in alphabetical order) for their review comments and valuable suggestions for idea and initial version of the document: Amit Phadnis, Arif Shouqi, Balaji B L, Brian Weis, Cheryl Madson, Frederic Detienne, J P Vasseur, Kalyani Garigipati, Mike Sullenberger, Naresh Sunkara, Nick Doyle, Paul Hoffman, Rajiv Shankar Daulath, Ramesh Nethi, Sandeep Rao, Scott Fluhrer, and Thamil Kandasamy.
This section lists all the changes in this document.
NOTE TO RFC EDITOR: Please remove this section in before final RFC publication.
Reworked the draft with more focus on UDP application security. Updated the problem statement. Added comparision with IPsec and TLS/DTLS. Updated D-IKE Notify and Data payloads. Added possible extensions.
[1] | Kaufman, C., Hoffman, P., Nir, Y. and P. Eronen, "Internet Key Exchange Protocol Version 2: IKEv2", RFC 5996, September 2010. |
[2] | Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. |
[3] | Nir, Y., Tschofenig, H., Deng, H. and R. Singh, "A Childless Initiation of IKEv2 SA", RFC 6023, October 2010. |
[4] | Smyslov, V., "IKEv2 Fragmentation", Internet-Draft draft-ietf-ipsecme-ikev2-fragmentation-02, September 2013. |
[5] | Rowles, S. R., Yeung, A.Y., Tran, P. T. and Y. Nir, "Group Key Management using IKEv2", Internet-Draft draft-yeung-g-ikev2-06, April 2013. |
[6] | Kivinen, T., "Minimal IKEv2", Internet-Draft draft-ietf-lwig-ikev2-minimal-00.txt, April 2013. |
[7] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[1] | Devarapalli, V. and K. Weniger, "Redirect Mechanism for IKEv2", RFC 5685, November 2009. |
This section describes the alternative mechanisms for data communication over IKEv2 that were considered and their drawbacks.
The existing IKEv2 control channel can be used for data transfer using a new IKEv2 exchange type DATA exchange similar to INFORMATIONAL exchange, and a new payload type to encapsulate cleartext data that will be protected by Encrypted payload.
A drawback with this approach is that the data packets will incur the overhead of IKEv2 header (28 octets) and a minimum of two generic payload headers (4 octets each) with a total protocol overhead of 36 octets per data packet. Also, it is difficult to support unacknowledged data transfer and integrity-only protection for data packets.
IKEv2 header can be modified to allow differentiation between control and data packets using the first four bytes of the header and the rest of the header can be different for control and data packets. A possible way to accomplish this is to move the Exchange type field to the beginning of IKEv2 header.
The obvious drawback with this approach is that it is not backward compatible with existing IKEv2 protocol. Also, it makes it difficult to support unacknowledged data transfer and integrity-only protection for data packets.
A separate UDP port e.g 501 can be used for IKEv2 data channel that allows to leverage the IKEv2 protocol's security and reliability mechanisms and security parameters for data communication while avoiding the overhead of IKEv2 header and generic payload headers for data packets. Use of a fixed UDP port for data channel instead of dynamically negotiated UDP ports has the advantage of not requiring the firewalls to snoop the IKEv2 control channel to be able to determine and allow the traffic on data channel UDP port.
A drawback with this approach is that the use of different ports for IKEv2 control and data channels makes it difficult for load balancers to associate an IKEv2 control channel with its data channel when there are multiple IKEv2 initiators behind a PAT device. Also when IKEv2 initiator is behind a PAT device, the data packets from responder will be dropped by the PAT device as port 501 will not be open unless there is data traffic from initiator.
This section describes the possible extensions to D-IKE protocol.
D-IKE can be used to secure TCP applications using one of the following methods.