Internet DRAFT - draft-harkins-ikev3
draft-harkins-ikev3
Internet Engineering Task Force D. Harkins, Ed.
Internet-Draft Aruba Networks
Intended status: Standards Track April 12, 2013
Expires: October 14, 2013
The (Real) Internet Key Exchange
draft-harkins-ikev3-01
Abstract
The current version (v2) of the Internet Key Exchange failed to
address many of the shortcomings of the original version (v1). This
memo defines a new version (v3) of the Internet Key Exchange that
attempts to do so.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 14, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Harkins Expires October 14, 2013 [Page 1]
Internet-Draft IKEv3 April 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
2. Characteristics of Version 3 of IKE . . . . . . . . . . . . . 4
3. Differences from Previous Versions of IKE . . . . . . . . . . 4
3.1. Identity Confidentiality . . . . . . . . . . . . . . . . . 5
3.2. Single IKE SA, No Lifetime . . . . . . . . . . . . . . . . 5
3.3. Not A Request/Response Exchange . . . . . . . . . . . . . 5
3.4. State Machine Definition . . . . . . . . . . . . . . . . . 6
4. Cryptographic Tools . . . . . . . . . . . . . . . . . . . . . 6
4.1. Authenticated Encryption . . . . . . . . . . . . . . . . . 6
4.2. Hash Function . . . . . . . . . . . . . . . . . . . . . . 7
4.3. Discrete Logarithm Cryptography . . . . . . . . . . . . . 7
4.4. Key Deriviation Function . . . . . . . . . . . . . . . . . 8
5. Authentication and Key Establishment . . . . . . . . . . . . . 9
5.1. Public Key Authentication . . . . . . . . . . . . . . . . 9
5.1.1. KE Payload with Public Key Authentication . . . . . . 9
5.1.2. AU Payload with Public Key Authentication . . . . . . 10
5.2. PSK Authentication . . . . . . . . . . . . . . . . . . . . 10
5.2.1. Hunting and Pecking with ECP Groups . . . . . . . . . 11
5.2.2. Hunting and Pecking with MODP Groups . . . . . . . . . 12
5.2.3. KE Payload with PSK Authentication . . . . . . . . . . 13
5.2.4. AU Payload with PSK Authentication . . . . . . . . . . 14
5.3. Deriving Shared Secrets . . . . . . . . . . . . . . . . . 15
6. The Internet Key Exchange Protocol . . . . . . . . . . . . . . 15
6.1. Message Flow . . . . . . . . . . . . . . . . . . . . . . . 16
6.1.1. Init Messages . . . . . . . . . . . . . . . . . . . . 16
6.1.1.1. Construction of Init Messages . . . . . . . . . . 16
6.1.1.2. Processing of Init Messages . . . . . . . . . . . 17
6.1.2. Auth Messages . . . . . . . . . . . . . . . . . . . . 18
6.1.2.1. Construction of Auth Messages . . . . . . . . . . 18
6.1.2.2. Processing of Auth Messages . . . . . . . . . . . 19
6.2. IPsec Security Associations . . . . . . . . . . . . . . . 21
6.3. State Machine . . . . . . . . . . . . . . . . . . . . . . 21
6.3.1. Parent Process . . . . . . . . . . . . . . . . . . . . 22
6.3.2. Components of State Machine . . . . . . . . . . . . . 23
6.3.3. States . . . . . . . . . . . . . . . . . . . . . . . . 24
6.3.3.1. Nothing State . . . . . . . . . . . . . . . . . . 24
6.3.3.2. Initiation State . . . . . . . . . . . . . . . . . 25
6.3.3.3. Reception State . . . . . . . . . . . . . . . . . 26
6.3.3.4. Done State . . . . . . . . . . . . . . . . . . . . 27
6.3.4. Cleaning Up Protocol Instances . . . . . . . . . . . . 28
6.4. IKEv3 Payload Formats . . . . . . . . . . . . . . . . . . 28
6.4.1. IKE header . . . . . . . . . . . . . . . . . . . . . . 28
6.4.2. Generic IKE payload header . . . . . . . . . . . . . . 30
6.4.3. IKE Attributes payload . . . . . . . . . . . . . . . . 31
6.4.4. Identity Payload . . . . . . . . . . . . . . . . . . . 33
Harkins Expires October 14, 2013 [Page 2]
Internet-Draft IKEv3 April 2013
6.4.5. Nonce Payload . . . . . . . . . . . . . . . . . . . . 34
6.4.6. Key Exchange Payload . . . . . . . . . . . . . . . . . 34
6.4.7. Certificate Payload . . . . . . . . . . . . . . . . . 35
6.4.8. Certificate Request Payload . . . . . . . . . . . . . 36
6.4.9. Authentication Payload . . . . . . . . . . . . . . . . 36
6.4.10. Address Indication Payload . . . . . . . . . . . . . . 37
6.4.11. Traffic Selecor Payload . . . . . . . . . . . . . . . 37
6.4.12. Security Association Payload . . . . . . . . . . . . . 39
6.4.13. Vendor Indication Payload . . . . . . . . . . . . . . 40
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 41
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
9. Security Considerations . . . . . . . . . . . . . . . . . . . 41
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
10.1. Normative References . . . . . . . . . . . . . . . . . . . 41
10.2. Informative References . . . . . . . . . . . . . . . . . . 42
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 43
Harkins Expires October 14, 2013 [Page 3]
Internet-Draft IKEv3 April 2013
1. Introduction
The Internet Key Exchange was first defined in [RFC2409] to generate
security associations for the IPsec protocols. That specification
was poorly written and suffered from too many options, many of which
were unneeeded and went unused. In short, it was confusing and
complicated. An effort was made to come up with a simpler and less
confusing version, and that resulted in [RFC4306], so-called IKEv2
([RFC2409] was then dubbed IKEv1). While it was arguably simpler and
less confusing, IKEv2 failed to achieve its goal. It went through an
extensive clarification process that produced [RFC4718] and
development of a replacement specification for IKEv2, in [RFC5996].
While [RFC5996] is definitely a cleaner protocol than [RFC2409] it
still has too many options and is too complicated, and confusing.
This memo defines an IKEv3 in an effort to have a simpler, more easy
to implement protocol, that that has a high probability of achieving
interoperability while retaining security and utility.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Characteristics of Version 3 of IKE
Version 3 of the Internet Key Exchange is a simple peer-to-peer
protocol in which each side sends and receives two messages. It
performs mutual authentication, derives a shared, secret and
authenticated key, and negotiates parameters for IPsec security
associations (SAs) to protect transient data between the peers.
Either side can initiate the exchange to the other and both sides can
initiate simultaneously (hence the claim of a true "peer-to-peer"
exchange). This is advantageous for certain smart devices-- aka "the
Internet of things"-- or sensor network deployments where there is no
strict roles of client or server, initiator or responder.
In an effort to keep the definition of the Internet Key Exchange as
simple as possible, negotiation of the terms of its operation-- e.g.
encryption algorithm, hash algorithm-- is kept to a minimum.
3. Differences from Previous Versions of IKE
Harkins Expires October 14, 2013 [Page 4]
Internet-Draft IKEv3 April 2013
3.1. Identity Confidentiality
IKEv3 does not provide identity confidentiality. This is a tradeoff
made to increase simplicity in specification and, more importantly,
implementation at the cost of a feature whose benefit is somewhat
dubious.
While security on the Internet is a large issue (one that IKEv3
addresses) the problems associated with exposure of the identities of
two peers that are engaging in secure communication is not.
If identity hiding critical for a particular deployment, IKEv3
supports obfuscation of identity using an ID blob which has meaning
to the two peers of the exchange but has no meaning to any third
party that may observe it.
3.2. Single IKE SA, No Lifetime
IKEv3 can handle the situation where both sides initiate to each
other without resorting to carrying on two conversations and ending
up with two IKE Security Associations.
The IKEv3 SA is also short-lived. Its purpose is to create SAs for
IPsec and once it has done that the state that governed a particular
protocol run can go away. There is no notion of a long-lived IKE SA.
There is no SA lifetime necessary for IKEv3 to negotiate. This also
has the benefit of doing away with the Delete payloads and their
corresponding complexity as well as the complexity associated with
rekeying of SAs.
There is no need for "initial contact" notification or the need to
negotiate, or rekey, multiple IKE SAs.
3.3. Not A Request/Response Exchange
[RFC2409] and [RFC5996] are both Request/Response protocols. There
are defined roles-- one side is an "Initiator" and the other is a
"Responder"-- and one side makes Requests and the other Responds to
those requests.
In IKEv3 there are no roles involved-- no clients and servers, no
Initiators and Responders-- just two peers who perform identical
behavior. Since either side can initiate and both sides can initiate
simultaneously, there is no need to deal with "Exchange Collisions".
All the protocol specification complexity to address the problems
that occur due to role-based protocol definition goes away.
Harkins Expires October 14, 2013 [Page 5]
Internet-Draft IKEv3 April 2013
Many of the IKEv1 and IKEv2 use cases involved strict roles and IKEv3
can support them because the state machine (see Section 6.3) can
handle the case where one side initiates and the other responds just
as easily as it can handle the case where both sides initiate
simulteneously.
3.4. State Machine Definition
IKEv3 defines a very simple state machine that each side runs through
to implement the protocol. Accurate compliance with the state
machine ensures interoperability.
The state machine allows the protocol definition to be entirely from
the point of view of the implementation, making protocol
implementation much easier. The protocol is defined in terms of
actions causing events which result in a deterministic advancement of
state until the protocol is finished. The state machine definition
assures that each side either completes the protocol or neither side
completes the protocol.
Previous versions of IKE lacked a state machine definition and it
showed. IKEv1 achieved interoperability through implementor "bake-
offs" and not through a coherent specification. IKEv2 has gone
through forty (40) revisions, in total, in an effort to clarify and
straighten out ambiguous and confusing text and remains to this day a
complicated, ambiguous and confusing specification.
4. Cryptographic Tools
IKEv3 makes use of certain cryptographic primitives to achieve its
goals of key generation, mutual authentication, and security. Each
of the following subsections indicate negotiable components of the
IKE Security Association that are used during the protocol run.
Different protocol runs can negotiate different components and the
components to use in a particular run of the protocol are established
by exchanging payloads in the Init message that describe the
attributes of the IKE Security Association (see Section 6.4).
4.1. Authenticated Encryption
Authenticated encryption is employed by IKEv3 to protect the payloads
that set up IPsec Security Associations as well as any vendor-
specific payloads that are added to the final two messages of the
protocol. It is therefore a negotiable component. The privacy
algorithm negotiated MUST be a cipher mode, or construction of cipher
mode plus integrity check, that provides authenticated encrytion.
Harkins Expires October 14, 2013 [Page 6]
Internet-Draft IKEv3 April 2013
AES in SIV mode as defined in [RFC5297] is used in IKEv3 to
accomplish this goal. SIV supports authenticated encryption with
associated data (which is authenticated but not encrypted) and does
not require complex managment of a unique counter space to ensure
security. It is simple, secure and robust. A perfect fit for IKEv3.
4.2. Hash Function
A hash function takes a arbitrary-sized input and deterministically
produces a fixed sized output, called a digest. It is also a one-way
function: it is very easy to produce a digest but computationally
infeasible to reconstruct the arbitrary-sized input given a
particular digest.
IKEv3 uses a hash function, in [RFC2104] mode for key derivation and
key confirmation. IKEv3 also uses a hash function to construct a
random function, H():
H(x) = HMAC-Hash(0^n, x)
where Hash is the agreed-upon hash function and "0^n" signifies a key
of all zeros whose length equals the digest size of the hash
function.
IKEv3 defines SHA-256 and SHA-512 (as defined in [RFC4634]) for use
as hash functions.
4.3. Discrete Logarithm Cryptography
The Internet Key Exchange uses discrete logarithm cryptography. Each
party to the protocol derives ephemeral public and private key pairs
with respect to a particular domain parameter set, called a "group".
The group can be based on either finite field cryptography (modular
exponentiation, or MODP, groups) or elliptic curve cryptography (ECP
groups).
In this memo, elements in a group are denoted in upper case and
scalar values are in lower case-- element X and scalar x.
Groups are identified in messages using a convenient registry
maintained by IANA (see Section 8). Each group's domain parmameter
set contains the following:
o p - a prime number defining a finite field
o G - a generator, a base element forming a group
Harkins Expires October 14, 2013 [Page 7]
Internet-Draft IKEv3 April 2013
o q - a prime number indicating the order of the group defined by G
ECP groups additionally define "a" and "b" which are components of
the equation of the elliptic curve-- y^2 = x^3 + ax + b. Some MODP
groups are based on safe primes and do not have a specific order
defined. For these groups only, the order, q, SHALL be (p-1)/2.
For each group, the following operations are defined:
o "scalar operation" -- takes a scalar and an element in the group
to produce another element in the group-- Z = scalar-op(x, Y).
For ECP groups this is multiplication of the element by the
scalar; for MODP groups this is exponentiation of the element to
the scalar.
o "element operation" -- takes two elements in the group to produce
a third element in the group-- Z = element-op(X, Y). For ECP
groups this is point addition; for MODP groups this is modular
multiplication.
o "inverse operation" -- takes an element in the group and returns
another element in the group such that the element operation on
the two produces the identity element of the group-- Y =
inverse(X).
ECP: element-op(Y, inverse(Y)) = "point at infinity"
MODP: element-op(Y, inverse(Y)) = 1
In addition, ECP groups require a mapping function, r = F(R), to
convert a group element to an integer. The mapping function used in
this memo returns the x-coordinate of the point it is passed. MODP
groups do not need a mapping function as group elements in MODP
groups can be directly represented as integers. For the purpose of
protocol definition, the function F() when used with MODP groups will
be the identity function-- i.e. i = F(i).
4.4. Key Deriviation Function
IKEv3 uses a key derivation function, KDF(), to stretch a random key
to an indeterminate length and bind some arbitrary data to the
stretched key.
For ease of programming, IKEv3 uses the prf+() function from
[RFC5996] which, in turn, was derived from the prf() function in
[RFC2409], as its KDF().
THe pseudo-random function at the core of the prf+() construct is the
Harkins Expires October 14, 2013 [Page 8]
Internet-Draft IKEv3 April 2013
agreed-upon hash function in HMAC ([RFC2104]) mode. When KDF() is
called for in this memo, it is prf+() from [RFC5996] using HMAC-Hash
where hash is the agreed-upon hash algorithm.
5. Authentication and Key Establishment
The goal of any pairwise authenticated key exchange is key
establishment and mutual authentication. The IKEv3 protocol achieves
these goals. The particular method of key establishment is tied to
the authentication method which is tied to the type of credential
used for authentication-- a (certified) public key or a PSK.
5.1. Public Key Authentication
Public key authentication uses a Diffie-Hellman key exchange for key
establishment and digital signatures by a private key whose public
analog is trusted by the peer.
5.1.1. KE Payload with Public Key Authentication
The KE payload is used to present a Diffie-Hellman public value to
the peer. Each peer generates a random number between one (1) and
the order of the group, q, exclusive. This represents the peer's
private value, priv. The peer then performs the group's scalar
operation (see Section 4.3) with the group's generator to produce the
public value, Pub:
Pub = scalar-op(priv, G)
The public value is encoded in to the body of the KE Payload (see
Section 6.4) according to the integer to octet string conversion
technique from [RFC6090].
The Diffie-Hellman key exchange is completed when both sides have
finished sending and receiving an Init message. Each side generates
the same shared secret, secret, by applying the mapping function, F()
(see Section 4.3), to the result of the group's scalar operation with
the entities private value, priv, and the peer's public key, PubPeer:
secret = F(scalar-op(priv, PubPeer))
The secret is then used to generate three additional keys, the
authenticated encryption key, the confirmation key, and a key-
derivation key. (see Section 5.3).
Harkins Expires October 14, 2013 [Page 9]
Internet-Draft IKEv3 April 2013
5.1.2. AU Payload with Public Key Authentication
The AU payload contains a digital signature of the confirmation key
and both peers' Init messages concatenated together, transmitter's
Init message first. For example, assuming Alice sent the message
InitA and Bob send the message InitB, Alice's digital signature would
be "sig" where:
sig = Sign-Alice(cKEY | InitA | InitB)
where "|" signifies concatenation, and Sign-Alice() indicates a
digital signature of that data passed to it using the public key of
Alice. The portions of the Init messages that are covered by the
digital signature consist of the IKE header (inclusive) to the end of
the payload.
Bob would similarly send:
sig = Sign-Bob(cKEY | InitB | InitA)
since Bob was the transmitter of InitB.
To maintain a consistent level of security for IKEv3, the hash
algorithm used to generate the digital signature SHALL be the one
negotiated in the IKE Security Association that is used for other
hashing purposes in IKEv3. The body of the AU payload (see
Section 6.4) SHALL consist of the digital signature as a bitstring.
5.2. PSK Authentication
PSK authentication uses the "dragonfly" key exchange to both generate
a shared, and secret, key and to mutually authenticate the peers to
each other. Each side proves knowledge of the PSK in a manner that
is resistant to dictionary attack.
Each side proves possession of a single PSK (or password), there is
no notion of a "client's password" and a "server's password"; there
is just the one. This single PSK MUST be provisioned on the two
peers prior to beginning the IKEv3 exchange. Since there is only one
PSK it SHOULD have only one name, which is provisioned along with the
PSK. It is this name that is used in the ID payload when initiating
the dragonfly exchange to the peer. Note: it may make sense in
certain client/server deployments to have a proper client username
assigned to the password, in which case the server proving possession
of the client's password-- identified by username-- authenticates it
to the client.
When PSK authentication is chosen for a particular run of the
Harkins Expires October 14, 2013 [Page 10]
Internet-Draft IKEv3 April 2013
protocol, the KE payload contains each peer's "commit" contribution
to the dragonfly exchange and the AU payload contains a keyed message
authentication code binding the secret key to both peers' Init
messages concatenated together.
Prior to beginning the "dragonfly" exchange, both peers MUST agree
upon a secret element in the chosen group. A secret seed is
generated and that see is used in a group-specific hunting-and-
pecking process-- one process for MODP groups and another for ECP
groups. First, an 8-bit counter is set to one (1) and a secret base
is computed using the negotiated one-way function with the secret
PSK, and the counter:
base = H(PSK | counter)
The base is then stretched using the key derivation function from
Section 4.4 to the length of the prime from the group's domain
parameter set:
seed = KDF(base, "IKE PSK Hunting and Pecking")
The seed is then passed to the group-specific hunting and pecking
technique.
5.2.1. Hunting and Pecking with ECP Groups
The ECP specific hunting and pecking technique entails looping until
a valid point on the elliptic curve has been found. The seed is used
as the x-coordinate with the equation of the curve to solve for a
y-coordinate. If there is no solution, the counter is incremented, a
new base and new seed are generated and the hunting and pecking
continues. If there is a solution an ambiguity exists because two
values for the y-coordinate would be valid. The low-order bit of the
base is used to unambiguously determine the y-coordinate and the
resulting (x,y) pair becomes the secret generator for the dragonfly
exchange, SKE.
Algorithmically, the process looks like this:
Harkins Expires October 14, 2013 [Page 11]
Internet-Draft IKEv3 April 2013
found = 0
counter = 1
do {
base = H(psk | counter)
seed = KDF(seed, "IKE PSK Hunting And Pecking")
if (seed < p)
then
x = seed
if ( (x^3 + ax + b) is a quadratic residue mod p)
then
y = sqrt(x^3 + ax + b)
if (LSB(y) == LSB(base))
then
SKE = (x,y)
else
SKE = (x, p-y)
fi
found = 1
fi
fi
counter = counter + 1
} while (found == 0)
Figure 1: Fixing SKE for ECP Groups
5.2.2. Hunting and Pecking with MODP Groups
The MODP specific hunting and pecking technique entails finding a
random element which, when used as a generator, will create a group
with the same order as the group created by the generator from the
domain parameter set. The secret generator is found by
exponentiating the seed to the value ((p-1)/q), where p is the prime
and q is the order from the domain parameter set. If that value is
greater than one (1) it becomes SKE, otherwise the counter is
incremented, a new base and seed are generated, and the hunting and
pecking continues.
Algorithmically, the process looks like this:
Harkins Expires October 14, 2013 [Page 12]
Internet-Draft IKEv3 April 2013
found = 0
counter = 1
do {
base = H(psk | counter)
seed = KDF(base, "IKE SKE Hunting And Pecking")
if (seed < p)
then
SKE = seed ^ ((p-1)/r) mod p
if (SKE > 1)
then
found = 1
fi
fi
counter = counter + 1
} while (found == 0)
Figure 2: Fixing SKE for MODP Groups
5.2.3. KE Payload with PSK Authentication
Once SKE has been determined, the peer randomly chooses two numbers
between one and the order of the group, q, exclusively. These
represent a private value and a mask. The peer then generates a
scalar and an element using private, mask, and SKE:
scalar = (private + mask) mod q
Element = inverse(scalar-op(mask, SKE))
The scalar and element, respectively, are encoded into the KE payload
by using the integer to octet string conversion technique from
[RFC6090]. Octet strings are pre-pended with zero (0), if necessary,
to achieve the required resulting length. Since the length of each
component of the KE payload is implicitly known, the scalar and
element can be extracted from the KE payload for processing.
The scalar is the same length as the order of the group. It is
converted into an octet string and then the octet string is inserted
into the body of the KE Payload.
If the selected group is MODP, the element can be treated directly as
an integer and converted into an octet string. Its length is the
same as the length of the prime of the group. The converted octet
string is appended to the octet string representation of the scalar.
If the selected group is ECP, the element is an (x,y) pair and each
coordinate is separately converted into an octet string, each of
which is the same length as the prime of the group. The octet string
Harkins Expires October 14, 2013 [Page 13]
Internet-Draft IKEv3 April 2013
representation of the x-coordinate SHALL be appended to the scalar
and the y-coordinate SHALL be appended to the x-coordinate.
The dragonfly key handshake is completed when both sides have
finished sending and receiving an Init message. Each side generates
the same shared secret, secret, by performing the following
computation:
secret = F(scalar-op(private,
element-op(PeerElement,
scalar-op(peerscalar, SKE))))
where peerscalar and PeerElement are scalar and element from the
peer's KE payload taken out of a received Init message. The secret
is then used to generate three additional keys, the authenticated
encryption key, the confirmation key, and a key-derivation key. (see
Section 5.3).
5.2.4. AU Payload with PSK Authentication
The AU payload contains a keyed message authentication code which
proves knowledge of the derived secret, and therefore knowledge of
the PSK, and binds the two Init messages to the authenticated state.
Each side produces an authenticating message authentication code,
mac, by invoking the HMAC version of the negotiated hash function and
passing the confirmation key, cKEY, as the key and the concatentation
of both peers' Init messages concatenated together, transmitter's
Init message first. For example, assuming Alice sent the message
InitA and Bob sent the message InitB, Alice's message authentication
code would be "mac" where:
mac = HMAC-Hash(cKEY, InitA | InitB)
where "|" signifies concatentation and HMAC-Hash is the [RFC2104]
instantiation of the negotiated hash algorithm, Hash. The portions
of the Init messages passed HMAC-Hash consist of the IKE header
(inclusive) to the end of the payload.
Bob would similarly send:
mac = HMAC-Hash(cKEY, InitB | InitA)
since Bob was the transmitter of InitB.
Harkins Expires October 14, 2013 [Page 14]
Internet-Draft IKEv3 April 2013
5.3. Deriving Shared Secrets
Upon successful completion of key establishment, IKEv3 produces three
keys, an authenticated encryption key, aeKEY, to protect the Auth
Messages, a confirmation key, cKEY, and a derivation key, dKEY, used
to derive (a) shared secret(s) when constructing IPsec Security
Associations (see Section 6.2).
The length of aeKEY depends on the authenticated encryption mode used
and the length of cKEY and dKEY SHALL be the length of the digest of
negotiated hash function. The keys are derived by passing the two
nonces, appended to each other with the lexicographically larger
nonce being first, as the key and secret from the authenticated key
exchange concatenated with the label "IKEv3 Key Derivation" as the
data:
aeKEY | cKEY | dKEY = KDF(max(Na, Nb) | min(Na, Nb),
secret | "IKEv3 Key Derivation")
where Na and Nb are the two nonces from the exchange (the transmitter
is irrelevant in this peer-to-peer protocol), max() returns the
lexicographically larger of the two parameters passed, and min()
returns the lexicographically smaller of the two parameters passed.
The key aeKEY SHALL be used to protect the exchange of Auth Messages,
the same key is used in both directions.
6. The Internet Key Exchange Protocol
The Internet Key Exchange (IKE) authenticates two peers to each other
and derives security associations for use by IPsec. The credentials
supported by IKE are PSKs and certificates.
IKE supports varying degrees of security by supporting various domain
parameter groups, encryption algorithms, and hash algorithms.
IKEv3 supports detection of NATs between two peers through the
exchange of source and destination indicators. When (a) NAT(s) is
(are) present between the peers the source and/or destination
addresses and/or ports will be modified and differ from those in the
indicators. When (a) NATS(s) is (are) detected, UDP encapsulation of
ESP traffic as defined by [RFC3948] is required. Note that IKEv3 is
not required to use port 4500 in the presense of (a) NAT(s).
Harkins Expires October 14, 2013 [Page 15]
Internet-Draft IKEv3 April 2013
6.1. Message Flow
In the IKEv3 protocol each peer sends and receives an Init message
and an Auth message. The Init message negotiates the type of
authentication to be used between the peers, identifies the peers to
each other, exchanges random nonces, and exchanges the components of
a cryptographic key exchange. The Auth message authenticates the
peer to the other peer and establishes IPsec security associations.
Messages are comprised of an IKE header followed by one or more
payloads. The on-the-wire format of the IKE header and all payloads
defined for use in IKE are in Section 6.4.
As is typical in these sorts of memos, the participants in the
protocol are Alice and Bob. The exchange of Init and Auth messages
between Alice and Bob look like this:
Alice Bob
------ ----
Init: hdr, IAa, IDa, NOa, hdr, IAb, IDb, NOb,
KEa [, CRa] ----> <----- KEb [, CRb ]
Auth: hdr, { [CEa, ] AUa, AIs, hdr, { [CEb, ] Aub, AIs,
AId, SAa, TSs, TSd } ----> <----- AId, SAb, TSs, TSd }
Where { x } indicates the authenticated encryption of payload x using
the mode agreed upon in the exchange of IA payloads.
6.1.1. Init Messages
6.1.1.1. Construction of Init Messages
The IKEv3 header contains two message identifiers called SPIs, one
chosen by the transmitter of the message and one chosen by the
(intended) recipient of the message. The local SPI from the IKE
security association is copied into the transmitter SPI field. If a
peer SPI exists in the IKE security association, it is copied into
the receipient SPI field. If there is no peer SPI in the IKE
security association, the receipient SPI field remains all zero.
The first payload in an Init message MUST be an IA payload which
indicates the terms by which the IKE protocol will be run (see
Section 4). If this Init message is being constructed in response to
receipt of an accepted Init message then the attributes from the
received, and accepted, Init message MUST be copied into the Init
message being constructed. If the Init message is being constructed
due to an indication to the IKEv3 protocol to establish IPsec SAs
with a remote peer (see Section 6.3) then the attributes MUST reflect
the policy that accompanied that indication.
Harkins Expires October 14, 2013 [Page 16]
Internet-Draft IKEv3 April 2013
The next payload after the IA payload MUST be the ID payload which
indicates the identity of the peer sending the Init message (see
Section 3.1 for a discussion on identity confidentiality). The next
payload MUST be a NO payload which contributes additional randomness
to the exchange. The next payload MUST be a KE payload. The
particular construction of the body of the KE payload depends on the
authentication method being used for this run of the protocol (see
Section 5). Finally, a CR payload MAY be added if the authentication
method is public key authentication and the sender of the Init
message believes that it needs the peer's public key.
Vendor specific payloads MAY be appended to an Init message to convey
some additional semantics governing the Init message.
6.1.1.2. Processing of Init Messages
The first step of processing an Init Message is to record the peer's
SPI by taking it out of the transmitter SPI field of the IKEv3 header
and storing it in the IKE security association as the peer's SPI.
Next, the attributes that govern the IKEv3 protocol are checked. If
the recipient SPI field is not all zeros (0) then the attributes in
the received Init message MUST be identical to the attributes that
have already been sent to the peer. If they are not, processing
indicates a failure and stops. If the recipient SPI field is all
zeros (0) and a message has not been sent to the peer then the
attributes are checked for acceptability. If they are not acceptable
processing SHALL indicate a failure and stop. If they are
acceptable, then processing continues. Otherwise, if the recipient
SPI field is all zeros (0) and a message has already been sent to the
peer then there are three possible cases:
1. The attributes are identical to the attributes sent to the peer,
so processing continues.
2. The attributes are not acceptable in which case the message is
discarded and processing stops.
3. The attributes are acceptable but differ from those sent. In
this case, a test is made to see which side drops its offer.
Each side has sent its SPI to the other as the transmitter SPI in
its Init message. If the low-order bit of those SPIs are
identical then the transmitter of the larger SPI wins, if the
low-order bit of those SPIs differ then the transmitter of the
smaller SPI wins. The winner SHALL discard the message and the
loser SHALL indicate a failure. In both cases, processing stops.
Note: the loser will destroy all state associated with this
conversation and the winner will retransmit, allowing the two to
Harkins Expires October 14, 2013 [Page 17]
Internet-Draft IKEv3 April 2013
synch up on the new, mutually acceptable attributes.
Finally, the nonce and key exchange data are extracted from the
received Init message and processing finishes successfully. If the
peer requested a certificate, that fact is noted to ensure that a
certificate is included in the subsequent Auth message.
6.1.2. Auth Messages
6.1.2.1. Construction of Auth Messages
The Auth message MAY optionally contain a certificate payload (CE)
with the public key of the transmitter and MUST contain, in the
following order, an Auth payload (AU), a source Address Indication
payload (AIs), a destination Address Indication payload (AId), a
Security Association payload (SA), and two Traffic Selector payloads
(TS). Optional vendor specific payload(s) MAY be appended to the
message but MUST be the last payload(s) in the message.
The contents of AU payload are determined by the authentication
method agreed-upon during the exchange of Init messages (see
Section 5). The value of the Auth payload, from the point of view of
the transmitter, SHALL be determined and copied into the data portion
of the payload.
The AIs and AId payloads are constructed from the point of view of
the transmitting peer. The source Address Indication payload, AIs,
is the address and port being used as the source of the Auth message
and the destination Address Indication payload, AId, is the address
and port of the destination of the Auth message. The source Address
Indication payload MUST precede the destination Address Indication
payload.
The contents of the SA payload describe the transforms and options
that will be represented in the IPsec SA after successful
authentication. If this Auth message is being constructed in
response to the receipt of an Auth message from the peer, the
transforms in the Auth payload MUST be identical to those accepted
when processing the peer's Auth message. If a locally-unique SPI
with which to identify the security association for received IPsec
packets has not yet been chosen, the transmitter choses a SPI.
The TS payloads contains a description of the flows to protect using
IPsec. There are two (2) TS payloads in each Auth message. The
first describes the source of the flow and the second describes the
sink of the flow, both from the perspective of the transmitter of the
Auth message. If local Traffic Selector policy has been narrowed due
to the processing of the peer's Auth message, then the narrowed
Harkins Expires October 14, 2013 [Page 18]
Internet-Draft IKEv3 April 2013
policy SHALL be reflected in the TS payloads.
Auth messages are sent after each side has both sent and received an
Init message and completed the key establishment phase of the IKEv3
protocol. While the peers have not yet authenticated each other,
they share a secret which can be used to secure the Auth messages.
This is accomplished by using the authenticated encryption mode that
was agreed-upon during the exchange of Init messages.
All the payloads of the Auth message are encrypted-- that is,
everything after the IKEv3 header to the end of the message. The
IKEv3 header, and the encrypted payloads are all authenticated.
When [RFC5297] is used for authenticated encryption the IKEv3 header
from the transmitter's SPI (inclusive) to the Length (inclusive) is
passed as associated data, and the data immediately following the
IKEv3 header, from the generic IKEv3 header of the first payload
(inclusive) to the end of the message is the data to encrypt. The
ICV/SIV field of the IKEv3 header is not included in the associated
data passed to AES-SIV.
The output of the [RFC5297] mode is ciphertext and a Synthetic
Initialization Vector (SIV). The SIV SHALL be copied into the IKEv3
header and the ciphertext is appended to the IKEv3 header to form the
complete Auth message.
6.1.2.2. Processing of Auth Messages
Auth messages are encrypted and authenticated so the first step in
processing is to verify their integrity and to decrypt them. When
[RFC5297] is used, the Synthetic Initialization Vector (SIV) is
copied from the ICV/SIV field in the IKEv3 header. The IKEv3 header
from the transmitter's SPI (inclusive) to the length (inclusive) is
passed, along with the SIV to AES-SIV. If AES-SIV outputs FAIL the
message is discarded and processing stops. If AES-SIV outputs
plaintext, the plaintext will be the sequence of payloads that
comprise the Auth message.
The first payload will be the Auth payload (AU). The contents of the
AU payload are determined by the authentication method agreed-upon
during the exchange of Init messages (see Section 5). The value of
the the Auth message from the point of view of the transmitter (i.e.
the peer) is calculated and compared to the value in the data portion
of the AU payload. If they differ, the peer fails authentication,
processing stops and a failure MUST be returned. If they are
identical processing continues.
Next the Address Indication payloads are checked. If the source
Harkins Expires October 14, 2013 [Page 19]
Internet-Draft IKEv3 April 2013
address or port of the received message differ from the address or
port in the source Address Indication payload, or if the destination
address or port of the received message differ from the address or
port in the destination Address Indication payload then a NAT is
detected. Othewise, a NAT is not detected.
The SA payload is next. The transforms in the SA payload are checked
to determine whether they are acceptable according to local policy.
If they are not the message is discarded and processing stops. If
they are, then there are three possibilities:
o An Auth message has not yet been sent to the peer, in which case
processing continues; or,
o An Auth message has been sent to the peer and the transforms are
identical to those sent, in which case processing continues; or,
o An Auth message has been sent to the peer and the transforms
differ from those sent. In this case, a test is made to see
which side's offer prevails. Each side has sent its IPsec SPI to
the other in the SA payload. If the low-order bit of those SPIs
are identical then the transmitter of the larger SPI prevails.
If the low-order bit of those SPIs differ then the transmitter of
the smaller SPI prevails. The transforms offered by the
prevailing party SHALL be adopted by the party which does not
prevail. Processing continues.
The Traffic Selectors in the TS payloads are next checked to
determine whether they are accptable according to local policy. If
the they are not acceptable, and no narrowing of the scope of the
traffic flows is possible-- i.e. no intersection between the TS
payloads and local policy-- the Auth message SHALL be discarded,
processing stops.
If the Traffic Selectors are completely satisfactory and require no
narrowing, then the Traffic Selectors are retained for creation of
IPsec SAs and construction of an Auth message (if one has not already
been sent).
If the Traffic Selectors are partially acceptable, and require
narrowing, then the union of the local policy describing the flow and
the Traffic Selectors describing the flow SHALL be retained for
creation of IPsec SAs and construction of an Auth message (if one has
not yet already been sent).
If an Auth message has not yet been sent, a locally-unique SPI SHALL
be created to identify the IPsec SA for received IPsec-protected
packets. This SPI MUST be retained for use when constructing the
Harkins Expires October 14, 2013 [Page 20]
Internet-Draft IKEv3 April 2013
Auth message response.
Upon completion of processing an Auth message, Two IPsec SAs MUST be
instantiated (e.g. plumbed into the kernel) with the indicated
transforms for the flow described in the (possibly narrowed) Traffic
Selectors, one in each direction. The locally-unique SPI becomes the
identifier to look up the SA for inbound IPsec packets and the peer's
SPI (from its SA payload) becomes the identifier to look up the SA
for outbound IPsec packets.
If a NAT was detected, the IPsec SAs MUST use UDP encapsulation for
IPsec (see [RFC3948]). Since both sides know the original addresses
and ports and the NATted addresses and ports, it is possible to
obtain the required information to perform the necessary
decapsulation procedures on received UDP-encapsulated IPsec packets.
6.2. IPsec Security Associations
The goal of the Internet Key Exchange is the creation of Security
Associations (SAs) for [RFC4301]. SAs are established using Security
Association (Section 6.4.12) and Traffic Selector (Section 6.4.11)
payloads to negotiate the flow(s) to protect and the means to go
about protecting it (them).
IKEv3 derives keys for IPsec SAs using the KDF (Section 4.4). The
key derivation key, dKEY, established in Section 5.3 is used as the
key and the label "IPsec Key Derivation" is used as the data:
key = KDF(dKEY, "IPsec Key Derivation")
The length of the key derived by KDF depends on the parameters of the
IPsec SA and the key lengths used by the underlying primitives. If
multiple, distinct, keying material is used-- for example, an ESP SA
that performs encryption and integrity protection separately-- the
key used for encryption MUST be taken from first and the key used for
integrity protection MUST be taken from the remaining bits.
6.3. State Machine
The IKEv3 protocol is managed by a parent process that receives
protocol events and IKEv3 packets and passes them on to instances of
the IKEv3 state machine.
The state machine for IKE defines the behavior of a single run of the
protocol. Each peer maintains a "protocol instance" for each remote
peer that it is actively performing the protocol with that defines
the current state of the protocol for that peer. The state machine
guarantees that both sides will complete the protocol with each side
Harkins Expires October 14, 2013 [Page 21]
Internet-Draft IKEv3 April 2013
installing IPsec Security Associations or each side will fail to
complete the protocol.
The state machine addresses the potential of dropped messages with a
retransmission timer. This memo does not specify a period that state
machines use when setting its retransmission timer.
6.3.1. Parent Process
The parent process of the IKEv3 state machine handles events from the
IPsec SADB (e.g. an "acquire" message to create an IPsec security
association) as well as receives incoming IKEv3 messages that it
dispatches to state machine instances.
The parent process is also responsible for creation of state machine
processes. The state of a state machine is stored in an IKEv3
security association so creation of a state machine process entails
creation of a nascent IKEv3 security association, generating a unique
and unpredictable local SPI, setting the peer address, and putting
the state machine in NOTHING state.
When the parent process receives an event from the IPsec SADB to
create an IPsec security association it first checks whether there is
an existing IKEv3 state machine process with the indicated peer. If
so, the parent process drops the event and waits for the process to
complete. If there is no existing state machine process, the parent
process creates a new state machine (see above) and sends the newly
created state machine process a START event.
When the parent process receives an IKEv3 packet from a remote peer
it first checks the receipient SPI field in the received packet.
If the recipient SPI field is all zeros, it indicates a peer that is
initiating. If the IKEv3 message is an Auth frame, it SHALL be
dropped as being meaningless (it is not possible to initiate IKEv3
with an Auth message). If the IKEv3 message is an Init message, the
parent process checks whether there is an existing IKEv3 state
machine process for the remote peer (the transmitter of the packet)
that is in Initiation State. If so, the received message is passed
to the state machine process with an INIT event. Otherwise, if there
is no existing IKEv3 state machine process in Initiation State, the
parent process creates an IKEv3 state machine process (see above) and
passes the received message and an INIT event to it.
If the receipient SPI field is not all zeros, the parent process uses
the recipient SPI to look up an existing IKEv3 process. If none
exists, the packet SHALL be dropped. If the parent process succeeds
in looking up an existing IKEv3 state machine process using the
Harkins Expires October 14, 2013 [Page 22]
Internet-Draft IKEv3 April 2013
recipient SPI, the message is passed to that state machine process
with the appropriate event-- an INIT event for an Init message and an
AUTH event for an Auth message.
6.3.2. Components of State Machine
The following states are part of the state machine:
- Nothing: a quiescent state in which nothing has happened
- Initiation: an Initiator has sent an Initiate message to a peer
- Reception: a Responder has sent an Initiate message to a peer
- Done: an Authenticate message has been sent to a peer
The following variables are used in the state machine:
- retrans: the number of retransmissions made (unsigned)
- thresh: the maximum nuber of retransmissions allowed (unsigned)
- committed: a counter on transmitted Auth messages (signed)
- reauth: a counter on received Auth messages (signed)
The following events are delivered to the state machine:
- START: an instruction to initiate IKE to a peer
- INIT: receipt of an Initiate message from a peer
- AUTH: receipt of an Authenticate message from a peer
- TM: expiry of the retransmission timer
The following actions are taken by the state machine:
- init: send an Initiate message to a peer
- auth: send an Authenticate message to a peer
The following timers are used by the state machine:
- tm: the retransmission timer
- fin: a deletion timer
Harkins Expires October 14, 2013 [Page 23]
Internet-Draft IKEv3 April 2013
6.3.3. States
The state machine for an IKEv3 process is show in Figure 3.
-----------
| Nothing |
-----------
/ \
START/init / \ INIT/init
/ \
/ \
___ / \ ___
/ \ V V / \ INIT/init
TM/init | \ ------------ ------------ / | TM/init
\ ----->| Initiation | | Reception | <----/
------------ ------------
| |
| INIT/auth* |
| TM/auth |
INIT/auth | ___ | AUTH/auth
\ / \ /
\ / \ /
\ | | / ____
V \ V V / \
-------------- / | AUTH/auth*
| Done | <------/
--------------
Figure 3: Protocol State Machine
6.3.3.1. Nothing State
Nothing state is the state in which an instance of the IKE state
machine has just been created and has not received any events or
performed any actions yet. Two events cause the state machine to
exit Nothing state: a START event, and an INIT event.
When a state machine instance in Nothing state receives a START event
the IKE peer initiates a connection to another peer. The information
the IKE peer obtains as part of the START event is implementation
specific but MUST idicate at a minimum the following:
o IP address of peer
o SPD information regarding the type of IPsec security association
to form.
Harkins Expires October 14, 2013 [Page 24]
Internet-Draft IKEv3 April 2013
The method in which policy information regarding the type of
authentication to propose, what group to use, etc., is out of scope
of this memo. This information MUST be obtained but whether it is
part of the START event indication or obtained as part of separate
IKE configuration is irrelevant to the protocol.
The peer derives a session identifier, or SPI, to use as its
transmitting SPI.
The peer retains the SPD information and SPI and constructs an Init
message according Section 6.1.1.1 and transmits the message to the IP
address of the peer. The state machine assigns the value zero (0) to
the retrans counter, to the committed counter, and to the reauth
counter. It sets the restransmission timer, and transitions to state
Initiation.
When a state machine instance in Nothing state receives an INIT
event, it signifies the reception of an Init message from a remote
peer. The instance retains the IP address of the peer, extracts the
transmitter's SPI from the message, and assigns the value zero (0) to
the retrans counter, the committed counter and the reauth counter.
It then processes the Init message according to Section 6.1.1.2. If
processing of the Init message is successful, the instance generates
an Init message for the peer according to Section 6.1.1.1, transmits
the message to the peer, sets the retransmission timer and
transitions to state Reception. If processing of the Init message is
unsuccessful, the protocol instance remains in Nothing state and all
state created as a result of receipt of the Init message MUST be
deleted.
Note: a protocol instance that transition from Nothing state to
Reception state has both received and sent an Initiate message. It
MAY choose to finish the key exchange protocol and generate shared
secret state according to the negotiated authentication method, or it
may choose to delay such compuation until it receives an AUTH event
in Reception state.
6.3.3.2. Initiation State
In Initiation state a protocol instance has initiated the IKE
protocol to a peer. An INIT event causes the instance to leave
Initiation state, and a TM event causes it to remain in Initiation
state.
When a protocol instance in Initiation state receives an INIT event,
it signifies receipt of an Initiate message from the peer. The
protocol instance first cancels the retransmission timer and then
processes the Init message according to Section 6.1.1.2. If
Harkins Expires October 14, 2013 [Page 25]
Internet-Draft IKEv3 April 2013
processing indicates that the message was discarded, the protocol
instance sets the TM timer and remains in Initiation state. If
processing indicates a failure, the protocol instance deletes all
state it has created or retained and transitions back to Nothing
state. Otherwise, processing is successful and the protocol instance
shall finish the key exchange protocol and generate shared secret
state according to the negotiated authentication method. It then
increments the committed counter and generates an Auth message for
the peer according to Section 6.1.2.1, transmits the message to the
peer, sets the retransmission timer and transitions to state Done.
When a protocol instance in Initiation state receives a TM event it
indicates that the retransmission timer has expired. If the retrans
counter is higher than the retransmission threshold it indicates
failure of the protocol. In this case the protocol instance deletes
all state it has created or retained and transitions back to Nothing
state. If the retrans counter is not greater than the retransmission
threshhold, the Init message that was transmitted to the peer as part
of transitioning into Initiation state is sent again to the peer, the
retrans counter is incremented and the protocol instance remains in
Initiation state.
6.3.3.3. Reception State
In Reception state a protocol instance is acting as the traditional
"responder" in the IKE protocol. It has both sent and received an
Init message. An AUTH event causes the instance to leave Reception
state, and both an INIT and a TM event cause it to remain in
Reception state.
When a protocol instance in Reception state receives an INIT event it
signifies that the Init message it sent in order to transition into
Reception state was not received by the peer. When it receives a TM
event it indicates that its retransmission timer has expired. For an
INIT event, the protocol instance first cancels the retransmission
timer, after that the behavior a protocol instance takes is the same
for an INIT or TM event. The instance retransmits the Init message
it sent to the peer in order to transition in to Reception state, it
sets its retransmission timer, and it remains in Reception state.
When a protocol instance in Reception state receives an AUTH event it
signifies reception of an Auth message from its peer. First the
protocol instance cancels its retransmission timer. Next, if the
protocol instance has not finished the key exchange protocol (see the
note in Section 6.3.3.1) and generated a shared secret it does so
here. It then sets the reauth counter to the value of the
"committed" field in the processed Auth messages, sets its committed
counter to negative one (-1), generates an Auth message for the peer
Harkins Expires October 14, 2013 [Page 26]
Internet-Draft IKEv3 April 2013
according to Section 6.1.2.1, transmits the message to the peer,
installs the IPsec SAs (per Section 6.2) and transitions to Done
state. Note that the retransmission timer is not set.
6.3.3.4. Done State
Done state is the final state of the state machine. An initiator
arrives in Done state after it has sent both of its messages to the
peer and awaits a final Auth message. A responder arrives in Done
state after it has sent and received both messages. To address the
possibility of dropped packets and retransmission there are several
events that can happen in Done state. Regardless of the event,
though, after a state machine enters Done state it never leaves Done
state.
When a protocol in Done state receives an INIT event, it signfies the
receipt of a retransmitted Init message. Since the protocol has
entered Done state it has already received and processed an Init
message. If its committed counter is less than zero the protocol
instance drops the Init message and remains in Done state. If its
committed counter is not less than zero it cancels its retransmission
timer, increments the committed counter, generates an Auth message,
transmits the Auth message to the peer, sets its retransmission
timer, and remains in Done state.
When a protocol in Done state receives a TM event, it signiifies that
a previously sent Auth message has not been replied to in a timely
manner. In this case, the protocol instance, checks the
retransmission counter. If it is greater than the thresh counter the
protocol instance destroys all state associated with the current run
of the protocol (including any IPsec SAs that it might have
installed) and transitions back to Nothing state. If the
retransmission counter is not greater than the thresh counter, the
protocol instance increments the retransmission counter, increments
the committed counter, generates an Auth message, transmits the Auth
message to the peer, sets the retransmission counter, and remains in
Done state.
When a protocol instance in Done state receives an AUTH event it
signifies the receipt of an Auth message from the peer. This could
be in response to a message from the protocol instance or it could be
a retransmission or the replay of an old Auth message. To prevent a
storm of Auth messages going back and forth between protocol
instances in Done state, the response to an AUTH message is
conditional. If the committed counter is less than zero the protocol
instance drops the received Auth message and remains in Done state.
If the committed counter is not less than zero, the protocol instance
cancels its retransmission timer and processes the Auth message. If
Harkins Expires October 14, 2013 [Page 27]
Internet-Draft IKEv3 April 2013
processing of the Auth message fails the protocol instance sets the
retransmission timer and remains in Done state. If processing of the
Auth message succeeds, the value of the "committed" field in the
received Auth message is checked. If it is not numerically greater
than the reauth counter the message is dropped, the retransmission
timer is set, and the protocol instance remains in Done state. If
the "committed" field in the received Auth message is numerically
greater than the reauth counter, the reauth counter is set to the
value in the "committed" field, the committed counter is set to
negative one (-1), and an Auth message is generated. The protocol
instance then sends the Auth message to the peer, and installs the
IPsec SAs (per Section 6.2) and remains in Done state. Note that the
retransmission timer is not set.
6.3.4. Cleaning Up Protocol Instances
The state machine ensures that once each side has sent and received
an Auth message it installs IPsec SAs. To handle potential lost
messages and retransmissions of its final Auth message a protocol
instance remains in for a period of time after it has installed its
IPsec SAs. These stale protocol instances can have their state
deleted and transitioned back to Nothing state after a sufficient
period of time. This memo does not define what "sufficient" means
but suggests that after installing IPsec SAs, a protocol instance
waits at least the amount of time it would spend before
retranmissions would cause it to expire. That is:
wait = (thresh - retrans) * retrans-period
where "retrans-period" is the amount of time that the retransmission
timer is set for. This will ensure that either the protocol instance
expires because it retransmitted too many times or it will expire
because the protocol has naturally completed.
6.4. IKEv3 Payload Formats
All messages in the IKEv3 protocol consist of an IKE header followed
by additional payloads which define the semantics of the message.
All payloads contain the same generic header. The IKE header
indicates the first payload that follows and the generic header of
each payload indicates the payload, if any, that follows. In this
fashion payloads are chained together to form messages.
6.4.1. IKE header
The IKE header contains two message identifiers, called Security
Parameter Indicies (SPIs), one for the transmitter and one for the
receiver, an indicator of the first payload of the message,
Harkins Expires October 14, 2013 [Page 28]
Internet-Draft IKEv3 April 2013
versioning information, and the type of message, either an Init or an
Auth. The format of the IKE header is shown in Figure 4.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE SA Transmitter's SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE SA Receivers's SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| First Payload | MjVer | MnVer | Message Type | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ ICV/SIV ~
~ (presence conditional) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: IKE Header Format
o Transmitter's SPI (8 octets) - A session identifier chosen by the
transmitter of the message.
o Receiver's SPI (8 octets) - A session identifier chosen by the
receiver of the message.
o First Payload (1 octet) - The type of payload that follows the
header. See Figure 6.
o Major Version (4 bits) - The major version of this version of
IKE. Implementations based on this memo MUST set the major
version to three (3). Reciept of an IKE message with a different
Major Version is governed by the memo which defines the version.
An implementation that is only compliant with this version of IKE
MUST drop any message with a Major version other than three (3).
o Minor Version (4 bits) - The minor version of this version of
IKE. Implementations based on this memo MUST set the minor
version to zero (0) on transmitted messages and ignore the Minor
Version on received messages.
o Message Type (1 octet) - The type of message being transmitted:
an Init message is type one (1) and an Auth message is type (2).
Harkins Expires October 14, 2013 [Page 29]
Internet-Draft IKEv3 April 2013
o Flags (1 octet) - A bitmask that indicates specific options for
the message. The bits in this bitmask are as follows:
+-+-+-+-+-+-+-+-+
|X|X|X|V|X|X|X|S|
+-+-+-+-+-+-+-+-+
Bits indicated as 'X' MUST be cleared on transmission and ignored
on reception. Setting a bit to one (1) indicates that the option
applies and clearing the bit to zero (0) indicates the option
does not apply.
* V (Version) - This bit indicates that the transmitter is
capable of speaking a higher major version number of the IKE
protocol than the one indicated in the major version field of
this header.
* S (Secured) - This bit indicates that the message following
this header is authenticated and encrypted. When this bit is
set the ICV/SIV field in the header is present.
o Length (4 octets) - an unsigned integer that indicates the length
of the total IKE message (IKE header + all payloads) in octets.
Note: if the 'E' bit in the Flags is set this length includes the
conditional field to hold the Synthetic Initialization Vector/
MAC.
o ICV/SIV (variable) - a conditional field that is present when the
message following the header is secured. This field is the
byproduct of authenticated encryption and is required for
verified decryption. The exact format of the ICV/SIV field
depends on the type of authenticated encryption used by the
peers.
6.4.2. Generic IKE payload header
The Generic IKE payload header is used to demark and chain all
payloads in a message. Each payload used in a message contains this
header. The Generic IKE payload header is defined in Figure 5.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: IKE Header Format
Harkins Expires October 14, 2013 [Page 30]
Internet-Draft IKEv3 April 2013
o Next Payload (1 octet) - Indicates the payload, if any, that
follows the current payload. See Figure 6.
o RESERVED (1 octet) - Unused by this version of IKE. It MUST be
set to zero on all payloads in a transmitted message and ignored
on all payloads in a received message.
o Payload Length (2 octets) - An unsigned integer indicating the
entire length of the current payload, including this generic
header.
Subsequently defined payloads are all shown with the generic header
for completeness. Payload types listed here are current as of
publication of this memo. Readers are encouraged to see [IKEV3IANA]
for the latest values.
Payload Type Notation Value
------------------------------------------------------------
No Next Payload 0
IKE Attributes Payload IA 1
Identity Payload ID 2
Nonce Payload NO 3
Key Exchange Payload KE 4
Certificate Request Payload CR 5
Certificate Payload CE 6
Authentication Payload AU 7
Address Indication AI 8
Traffic Selector TS 9
Security Assocation Payload SA 10
Vendor Indication VE 11
Figure 6: IKEv3 Payload Assignment
The value "No Next Payload" SHALL only be used in the last payload of
a message.
6.4.3. IKE Attributes payload
The IKE attributes payload lists a number of attributes that define
the manner in which a run of the IKEv3 protocol occurs. Attributes
consist of type-value tuples to identify the type of attribute and
its particular value. These attributes are offered, not negotiated.
See Section 6.1.1.2 for a description of the processing and potential
rejection of an IA offer. The IA payload is defined in Figure 7.
Harkins Expires October 14, 2013 [Page 31]
Internet-Draft IKEv3 April 2013
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Number 1 Type | Attribute Number 1 Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ . . . ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Number N Type | Attribute Number N Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: IA Payload
The following attributes types are defined and are indicated by
assigning the indicated number to the Attributes Number <X> Type
field:
1. Authentication Method
2. Authenticated Encryption Mode
3. Hash Algorithm
4. Diffie-Hellman Group
All other values are reserved to IANA.
When the Attribute Type indicates "Authentication Method", the
following values are defined:
1. Digital Signatures
2. Pre-shared Key
All other values are reserved to IANA.
When the Attribute Type indicates "Authentication Encryption Mode",
the following values are defined:
1. AES in Synthetic Initialization Mode ([RFC5297]) with a 256-bit
key
2. AES in Synthetic Initialization Mode ([RFC5297]) with a 512-bit
key
All other values are reserved to IANA.
Harkins Expires October 14, 2013 [Page 32]
Internet-Draft IKEv3 April 2013
When the Attribute Type indicates "Hash Algorithm, the following
values are defined:
1. SHA-256 ([RFC4634])
2. SHA-512 ([RFC4634])
All other values are reserved to IANA.
When the Attribute Type indicates "Diffie-Hellman Group", the
attribute values are taken from the "Diffie-Hellman Group Transform
IDs" from [IKEV2IANA].
6.4.4. Identity Payload
The ID payload is used to convey the identity that is to be
authenticated by the remote peer.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID Type | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Identification Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: ID Payload
The following ID Types are defined:
ID Type Value Description
------- -------------- ----------------------------------------------
1 ID_IPV4_ADDR A single four (4) octet IPv4 address
2 ID_FQDN A fully-qualified domain name string. An
ID_FQDN string MUST NOT contain any
terminators (e.g. NULL, CR, etc.). All
characters in the ID_FQDN are ASCII.
3 ID_RFC822_ADDR A fully-qualified RFC 822 email address
string. An ID_RFC822_ADDR string MUST NOT
contain any terminators (e.g. NULL, CR,
etc.). This field SHOULD be treated as UTF-8
encoded text.
4 ID_IPV6_ADDR A single sixteen (16) octet IPv6 address
Harkins Expires October 14, 2013 [Page 33]
Internet-Draft IKEv3 April 2013
5 ID_DER_ASN1_DN The binary Distinguished Encoding Rules (DER)
encoding of an ASN.1 X.500 Distinguished Name.
See [RFC5280].
6 ID_DER_ASN1_GN The binary DER encoding of an ASN.1 X.500
GeneralName. See [RFC5280].
7 ID_BLOB_ID An opaque octet stream used for identity
obfuscation. The two parties to the exchange
MUST agree in an out-of-band fashion on how to
map a Blob ID to an unobfuscated identity.
Table 1
Identification Data is a variable-length field that contains the
identity of the specified type.
6.4.5. Nonce Payload
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Nonce of the transmitter ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: NO Payload
6.4.6. Key Exchange Payload
The KE payload is used to pass data used to perform the key exchange
portion of the IKEv3 protocol (see Section 5). The body of the KE
payload is authentication method specific. When doing The KE payload
is authentication method specific. authentication using digital
signatures, the body of the KE payload is a Diffie-Hellman public
value. When doing PSK authentication, the body of the KE payload is
a concatentation of the Commit and Confirm portions of the Dragonfly
key exchange.
Harkins Expires October 14, 2013 [Page 34]
Internet-Draft IKEv3 April 2013
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Key exchange data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: KE Payload
The key exhange data is a variable-length field that contains data to
be transmitted to the remote peer to perform a cryptographic key
exchange.
6.4.7. Certificate Payload
The CE payload is used to convey a public key which will be used for
authentication to a remote peer. The public key can be certified or
raw.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encoding Type | |
+-+-+-+-+-+-+-+-+ |
~ (Cerfified) Public Key Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: CE Payload
Encoding Description
-------- ------------------------------------------------------------
1 A DER-enocded X.509 certificate
2 Subject public key info for a raw key encoded according to
[RFC5480]
3 Subject public key info for a raw key encoded accoding to
[RFC3279]
Table 2
The Public key data is a variable-length field that contains the
public key of the specified encoding.
Harkins Expires October 14, 2013 [Page 35]
Internet-Draft IKEv3 April 2013
6.4.8. Certificate Request Payload
The CR payload is used to request a certificate from a remote peer.
The transmitter indicates a preference for the type of certificate
using by setting the Encoding type according to Table 2. The
transmitter SHOULD indicate a trusted Certification Authority for
certified pubilc keys.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encoding Type | |
+-+-+-+-+-+-+-+-+ |
~ Certification Authority ~
~ (optional) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: CR Payload
The Certificate Authority field, when present, is a variable-length
field that contains the DER encoding of an ASN.1 X.509 IssuerName.
6.4.9. Authentication Payload
The AU payload contains data that authenticates a remote peer. The
content of the body of an AU payload is either a digital signature
(see Section 5.1.2) when authenticating with digital signatures, or a
keyed message authentication function using the negotiated hash
algorithm (see Section 5.2.4) when authenticating with a PSK.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Sig or MAC ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13: AU Payload
Sig or MAC is a variable-length field that contains either a digital
signature of a message authentication code.
Harkins Expires October 14, 2013 [Page 36]
Internet-Draft IKEv3 April 2013
6.4.10. Address Indication Payload
The AI payload is used to convey the local view of addressing and
port selection to the remote peer for the purposes of NAT detection.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address Type | Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Address ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: AI Payload
Address Types have the following meaning:
Address Type Description
-------------- ------------------------------------------------------
1 The Address field is a single four (4) octet IPv4
address
2 The Address field is a single sixteeen (16) octet IPv6
address
Table 3
All other Address Types are reserved and MUST NOT be used.
6.4.11. Traffic Selecor Payload
The TS payload is used to convey a set of traffic selectors used to
identify traffic flows for processing by IPsec security services.
Harkins Expires October 14, 2013 [Page 37]
Internet-Draft IKEv3 April 2013
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| # of Tr Sels | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Sequence of one or more ~
~ Traffic Selectors ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: TS Payload
The traffic selectors conveyed to a peer are determined by the local
Security Policy Database (see [RFC4301]). They define the data that
MUST be protected by IPsec by individual flow. Each Traffic Selector
in the set is defined by the following structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Selector Type | IP Protocol ID| Traffic Selector Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start Port | End Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Starting Address ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Ending Address ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 16: Traffic Selector
o Select Type (one octet) - either a one (1) to indicate an
IPV4_ADDR_RANGE or two (2) to indicate an IPV6_ADDR_RANGE. All
other types are invalid and MUST be rejected.
o IP Protocol ID (one octet) - indicates the associated IP protocol
(such as UDP, TCP, and ICMP). A value of zero (0) means that the
traffic selector convers all protocols.
o Traffic Selector Length (two octets) - the total length of the
selector, including this sub header.
Harkins Expires October 14, 2013 [Page 38]
Internet-Draft IKEv3 April 2013
o Start Port (two octets) - the lowest port in a range of ports
that are covered by this traffic selector. A value of zero (0)
means that the traffic selector covers all ports. ICMP and
ICMPv6 Type and Code values, as well as Mobile IP version 6
(MIPv6) mobility header (MH) Type values, are represented
according to Section 4.4.1.1 of [RFC4301]. ICMP Type and Code
values are treated as a single 16-bit integer port number, with
Type in the most significant 8 bits and Code in the least
significant 8 bits. MIPv6 MH Type and Code values are treated as
a single 16-bit integer port number with Type in the most
significant 8 bits and the least signficant 8 bits set to zero.
o End Port (two octets) - the highest port in a range of ports that
are covered by this traffic selector. For protocols for which
port is undefined (including protocol 0), or if all ports are
allowed, this field MUST be 65535. ICMP and ICMPv6 Type and COde
values, as well as MIPv6 MH Type values, are represented in this
field as specified in Section 4.4.1.1 of [RFC4301]. ICMP Type
and COde values are treated as a single 16-bit port number with
Type in the most significant 8 bits and Code in the least
significant 8 bits. MIPv6 MH Type values are treated as a single
16-bit integer port number with Type in the most significant 8
bit and the least significant 8 bits set to zero.
o Starting Address (variable) - the lowest address in a range of
addresses that are covered by this traffic selector. This field
will be either sixteen (16) octets or four (4) octets depending
on whether the Selector Type was IPV6_ADDR_RANGE or
IPV4_ADDR_RANGE, respectively.
o Ending Address (variable) - the highest address in a range of
addresses that are covered by this traffic selector. This field
will be either sixteen (16) octets or four (4) octets depending
on whether the Selector Type was IPV6_ADDR_RANGE or
IPV4_ADDR_RANGE, respectively.
6.4.12. Security Association Payload
The SA payload indicates the type of protection that IPsec will apply
to the data that is covered by the Traffic Selector(s) in the TS
payload. Protection is described as a number of attributes with each
attribute consisting of a type-value tuple to identify the type of
attribute and its particular value.
Harkins Expires October 14, 2013 [Page 39]
Internet-Draft IKEv3 April 2013
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Number 1 Type | Attribute Number 1 Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ . . . ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Number N Type | Attribute Number N Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: SA Payload
SPI (4 octets) - the Security Parameter Index that the transmitter of
the SA payload will use to identify the resulting security
association for received IPsec-protected packets.
The following attribute types are defined:
1. Encryption Algorithm
2. Integrity Algorithm
3. Extended Sequence Numbers
If the Encryption Algorithm attribute is present in an SA payload the
SA SHALL be for ESP. If it is absent the SA SHALL be for AH. The
Integrity Algorithm attribute is OPTIONAL for ESP and MANDATORY for
AH. The Extended Sequence Number attribute is OPTIONAL.
The attribute values for the Encryption Algorithm attribute are
defined in [IKEV2IANA] in the "Encryption Algorithm Transform IDs"
table. The attribute values for the Integrity Algorithm attribute
are defined in [IKEV2IANA] in the "Integrity Algorithm Transform IDs"
table. The attribute values for the Extended Sequence Numbers
attribute are defined in [IKEV2IANA] in the "Extended Sequence
Numbers Transform IDs".
6.4.13. Vendor Indication Payload
The VI payload allows vendors of IKEv3 products to identify each
other during the protocol.
Harkins Expires October 14, 2013 [Page 40]
Internet-Draft IKEv3 April 2013
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload | RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Vendor Identifying Blob ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: VI Payload
The Vendor Identifying Blob is a variable length field that contains
information to identify the vendor of the transmitter of the payload.
No registry for vendor identification is used and it is advised that
vendors produce an opaque blob that will be different for each run of
the protocol to identify themselves. This can be accomplished, for
instance, by hashing the transmitter and receiver SPIs and/or the IP
addresses of the peers with a vendor-specific constant.
7. Acknowledgements
Portions of the payload descriptions (e.g. Traffic Selector payload)
were lifted from [RFC5996]. The author thanks the editors of that
document and the IPsecME Working Group that produced that document.
8. IANA Considerations
This section is incomplete.
9. Security Considerations
This section is incomplete.
10. References
10.1. Normative References
[IKEV2IANA]
"Internet Key Exchange Version 2 (IKEv2) Parameters",
<http://www.iana.org>.
[IKEV3IANA]
"Internet Key Exchange Version 3 (IKEv3) Parameters",
Harkins Expires October 14, 2013 [Page 41]
Internet-Draft IKEv3 April 2013
<http://www.iana.org>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 3279, April 2002.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets",
RFC 3948, January 2005.
[RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and HMAC-SHA)", RFC 4634, July 2006.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV)
Authenticated Encryption Using the Advanced Encryption
Standard (AES)", RFC 5297, October 2008.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
"Elliptic Curve Cryptography Subject Public Key
Information", RFC 5480, March 2009.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090, February 2011.
10.2. Informative References
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
Harkins Expires October 14, 2013 [Page 42]
Internet-Draft IKEv3 April 2013
[RFC4718] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and
Implementation Guidelines", RFC 4718, October 2006.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
Author's Address
Dan Harkins (editor)
Aruba Networks
1322 Crossman avenue
Sunnyvale, Californaia 94089
United States of America
Phone: +1 408 227 4500
Email: dharkins@arubanetworks.com
Harkins Expires October 14, 2013 [Page 43]