Internet DRAFT - draft-mglt-ipsecme-alternate-outer-address
draft-mglt-ipsecme-alternate-outer-address
IPSECME D. Migault (Ed)
Internet-Draft Francetelecom - Orange
Intended status: Standards Track February 15, 2013
Expires: August 19, 2013
IKEv2 Alternate Outer IP Address Extension
draft-mglt-ipsecme-alternate-outer-address-00.txt
Abstract
Current IKEv2 protocol has been designed to establish VPNs with the
same outer IP addresses as those used for the IKEv2 channel. This
describes the alternate outer IP address extension, and IKEv2
extension that enables the VPN End User to negotiate a VPN on
different interfaces as those used for the IKEv2 channel.
Thus, this extension makes possible a VPN End User with multiple
interfaces to set an IPsec tunnel on each interface with a Security
Gateway by using a single IKEv2 channel instead of using an IKEv2
channel per interface. Similarly, for distributed Security Gateways,
it also makes possible to split the IKEv2 and IPsec traffic on
different interfaces.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 19, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Migault (Ed) Expires August 19, 2013 [Page 1]
Internet-Draft Alternate Outer IP Address Extension February 2013
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Alternate outer address scenarios . . . . . . . . . . . . . . 4
4.1. VPN End User with Multiple Interfaces . . . . . . . . . . 4
4.2. Security Gateway with Multiple Interfaces . . . . . . . . 6
4.3. Distributed Security Gateways . . . . . . . . . . . . . . 7
5. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Alternate outer IP addresses Transform . . . . . . . . . . 8
5.2. Initiator: Sending OADD Transforms in Proposals . . . . . 10
5.3. Responder: Receiving OADD Transforms in Proposals . . . . 11
5.4. Incompatible Proposal with OADD Transforms . . . . . . . . 11
5.5. Supporting alternate outer IP address exchange . . . . . . 11
5.6. Basic Exchange . . . . . . . . . . . . . . . . . . . . . . 12
6. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 13
6.1. Outer IP address Transform OADD . . . . . . . . . . . . . 14
6.2. IP Attribute with IP addresses . . . . . . . . . . . . . . 15
6.3. IP Attribute indicating ANY_IP . . . . . . . . . . . . . . 15
6.4. Alternate Outer IP Address Notify Payload . . . . . . . . 16
7. NAT considerations . . . . . . . . . . . . . . . . . . . . . . 16
7.1. Prohibiting NAT . . . . . . . . . . . . . . . . . . . . . 18
7.2. NAT detection . . . . . . . . . . . . . . . . . . . . . . 19
7.3. The VPN End User does not know the NATted IP addresses . . 19
7.4. The VPN End User does know the NATted IP addresses . . . . 20
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
9. Security Considerations . . . . . . . . . . . . . . . . . . . 21
10. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 21
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
11.1. Normative References . . . . . . . . . . . . . . . . . . . 21
11.2. Informational References . . . . . . . . . . . . . . . . . 21
Appendix A. Document Change Log . . . . . . . . . . . . . . . . . 22
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
Migault (Ed) Expires August 19, 2013 [Page 2]
Internet-Draft Alternate Outer IP Address Extension February 2013
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
When a VPN End User establishes a VPN with a Security Gateway, it
starts by establishing an authenticated channel for IKEv2. Then the
VPN Security Associations [RFC4301] are negotiated via the IKEv2
[RFC5996] channel. Once the peers agree on the Security
Associations, the VPN can be used.
Currently, IKEv2 does not negotiate the outer IP addresses of the
VPN. The security Association set these VPN outer IP addresses as
the IP addresses used by the IKEv2 channel.
These implicit values are perfect for VPN End Users with a single
interface. This was the case for a long time, making them
unnecessary to be negotiated. However, today's VPN End Users and
Security Gateways have multiple interfaces. Relying on the default
value of the VPN outer IP addresses makes it hard, - or at least in a
non optimal way - to take advantage of multiple interfaces. This
document specifies how alternate outer IP addresses can be negotiated
during the Security Association negotiation. This involves new
signaling, thus the document also specify how the VPN End User and
the Security Gateway can optionally inform each other they support
the alternate outer IP address extension.
The remaining of this document is as follows. Section 3 defines the
terminology used in this document. Section 4 provides scenarios that
motivate this alternate outer IP address extension. Section 5
describes the new protocol, as well as the new involved entities and
Section 6 describes the payload format defined for the protocol. In
this document, we assumed that no NAT are between the VPN End User
and the Security Gateway, however, Section 7 provides some
considerations when NAT is used.
The alternate outer IP address extension provides VPN End Users and
Security Gateway a way to take advantage of multiple interfaces for a
VPN service.
3. Terminology
This section defines terms and acronyms used in this document.
Migault (Ed) Expires August 19, 2013 [Page 3]
Internet-Draft Alternate Outer IP Address Extension February 2013
- VPN End User: designates the End User that initiates the VPN with
a Security Gateway. This End User may be mobile and moves its
VPN from on Security Gateway to the other.
- Security Gateway: designates a point of attachment for the VPN
service. In this document, the VPN service is provided by
multiple Security Gateways. Each Security Gateway may be
considered as a specific hardware.
- Security Association (SA): The Security Association is defined in
[RFC4301].
4. Alternate outer address scenarios
This section provides scenarios where a VPN End User and a Security
Gateways share more than one VPN. For each scenario, the document
describes the alternatives that currently exist, their limitations
and the motivations for the alternate outer IP address extension.
The scenarios herein are a subset of the scenarios described in
[I-D.mglt-mif-security-requirements].
4.1. VPN End User with Multiple Interfaces
More and more terminals have multiple interfaces, and a VPN End User
may take advantage of these multiple interfaces by setting multiple
tunnels with its Security Gateways as represented in figure 1. A
typical example would be a VPN End User attached to its Radio Access
Network via Interface_0 and attached to a WLAN access point via
Interface_1. The VPN End User may use one or the other interface
according to the Quality of Service or the fees associated to each
network. In figure 1. the VPN End User has established two distinct
VPNs, one on each of its interfaces. Both VPNs are attached to the
same Security Gateway interface. A packet can be sent or received
from either one or the other VPN.
+------------+ +------------+
| | Interface_0 : VPN_0 | |
| =================== | Security |
| VPN | v | Gateway |
| End User | ============== |
| ========================^ | |
| | Interface_1 : VPN_1 | |
+------------+ +------------+
Figure 1: VPN End User with Multiple Interfaces
SAs negotiated for the VPN_0 and VPN_1 have the same network
Migault (Ed) Expires August 19, 2013 [Page 4]
Internet-Draft Alternate Outer IP Address Extension February 2013
configuration except that the outer interface of VPN_0 on the End
User side is Interface_0 whereas VPN_1 has Interface_1. More
specifically, these SAs have the same Selectors.
[RFC4301] section 4.1 states that parallel SAs are compliant with the
IPsec architecture, and that traffic may be sent to one or the other
VPN, for example, according to the Differentiated Services Code Point
(DSCP). DSCP is called a "classifier" which differs from the
Selector. How the End User chooses which interface to use is beyond
the scope of this document.
As mentioned in [RFC5996] the VPN uses the IP addresses of the IKEv2
channel as outer IP addresses. One way to establish these two VPNs
is to create an IKEv2 channel for each interface. This results in
unnecessary IKE negotiations with multiple authentications
Nbr(EU_interfaces) X Nbr(SG_interface) X Nbr(Flows). This number
rapidly grows with the number of involved interfaces both on the
Security Gateway and on the End User.
[RFC6027] section 3.8 mentions that peers using different IP
addresses for the VPN and the IKEv2 channel SHOULD be modified unless
they may drop the packets. The alternate outer IP address described
in this document is described so that any VPN End User can interact
with any Security Gateway.
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] addresses this issue.
The End User VPN indicates during the SA negotiation the outer IP
address it wants, and in return the Security Gateway indicates the
outer IP address of the Security Gateway. Motivations for
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] is a cluster of
Security Gateways that splits the IKEv2 traffic and the VPN traffic,
so that the VPN traffic avoids overloading some equipments like
firewalls or load balancers for example.
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] would also address the
case of figure 1 because the the path used by the VPN is defined by
the interface used by the VPN End User VPN. This results from the
fact that the Security Gateway has only one interface. However,
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] would need slight
modifications in order to address the more general case where VPN End
User and the Security Gateways have multiple interfaces. In that
case, a path would be defined not by a single interface (as in figure
1), but by a pair of interface.
In addition to path negotiation,
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] uses a Notify Payload
that is not bound to a SA Proposal, thus making multiple SA Proposals
with different outer IP address difficult. Again this case is very
Migault (Ed) Expires August 19, 2013 [Page 5]
Internet-Draft Alternate Outer IP Address Extension February 2013
specific to multiple interfaces. Even though the protocol described
in this document address these limitations, it remains very closed to
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses].
4.2. Security Gateway with Multiple Interfaces
In the scenario presented in figure 2, the VPN End User has two
interfaces and the VPN End User has a single interface. Like the VPN
End User with multiple interfaces presented in Section 4.1, we
suppose that the VPNs are established by the VPN End User with the
Security Gateway. Unlike the scenarios of Section 4.1, motivations
for choosing VPN_0 or VPN_1 are not associated to the interface used
by the VPN End User, but the path taken by the packets. As a result,
the VPN End User cares about both source and destination outer IP
addresses that defines the path.
+------------+ +------------+
| | Interface_0 : VPN_0 | |
| | ============= Security |
| VPN | v | Gateway |
| End User =================== | |
| | ^ ============ |
| | Interface_1 : VPN_1 | |
+------------+ +------------+
Figure 2: Security Gateway with Multiple Interfaces
Comments of Section 4.1 also applies to this scenario, but this
scenario stresses that the choice of the VPN outer IP addresses
SHOULD result from a negotiation between the two peers, and both
outer IP addresses SHOULD be negotiated.
Note that the scenario described in figure 2, considers that all
interfaces are used to setup all different VPNs. As described in
Section 4.1, if VPN End Users and Security Gateways have both
multiple interfaces, setting up all possible tunnels may be
unnecessarily heavy. As a result, the VPN End User SHOULD be able to
negotiate both outer IP addresses of its VPN.
Note that if the VPN End User negotiates the outer IP address used by
the Security Gateway, the VPN End User may know in advance what
interfaces are available. It is beyond the scope of this document to
define how the VPN End User may know this information. MOBIKE
[RFC4555] defines the ADDITIONAL_IP*_ADDRESSES Notify Payload, and
[I-D.mglt-ipsecme-security-gateway-discovery] defines how these
pieces of information may be provided by other Security Gateways.
Migault (Ed) Expires August 19, 2013 [Page 6]
Internet-Draft Alternate Outer IP Address Extension February 2013
4.3. Distributed Security Gateways
The scenario described in figure 3 considers a distributed Security
Gateway. The IKEv2 channel and the VPNs are handled by different
nodes. As a result the VPN does not uses the same outer IP addresses
as the IKEv2 channel.
+------------+ +------------+
| | Interface_0 | IKE |
| | IKEv2 channel ^------------- Security |
| VPN ------------------- ^ | Gateway |
| End User =================== v +------------+
| | VPN channel v +------------+
| | v Interface_1| VPN |
+------------+ v============= Security |
| Gateway |
+------------+
...
+------------+
Interface_i| VPN |
============= Security |
| Gateway |
+------------+
Figure 3: Distributed Security Gateways
This scenario is addressed by
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses] where each part can
choose the interface it will use as the outer IP address for the VPN.
As mentioned in Section 4.1, being able to specify a single interface
is not sufficient to select a path. More specifically, in figure 3,
this would not provide the possibility for the VPN End User to choose
between Interface_1 and Interface_i.
5. Protocol Overview
The alternate outer IP address extension, makes possible two peers to
negotiate and agree on alternate IP addresses for their VPN. We
consider the outer IP addresses as parameters of the Security
Association. (Tunnel header IP source and destination address as
described in [RFC4301]). As a consequence, the negotiation of these
parameters occurs during the negotiation of the Security Association,
that is during the IKE_INIT exchange or the CREATE_CHILD_SA exchange
as described in [RFC5996].
VPN SA negotiation can be initiated by either VPN End User or the
Security Gateway, so in the remaining of the document we simply use
Migault (Ed) Expires August 19, 2013 [Page 7]
Internet-Draft Alternate Outer IP Address Extension February 2013
initiator and responder, as the peer initiating the negotiation.
Note that these negotiations makes possible that any peer can
negotiate one, or both outer IP address, that is to say, the outer IP
address source and destination.
Section 5.1 briefly reminds how the Security Association' parameters
are negotiated with IKEv2, and then proposes the new involved
payloads to negotiate the outer IP addresses. Basically a new
Alternate Outer Address Transform (OADD) and a new IP Attribute are
defined. Section 5.2 and Section 5.3 and Section 5.4 are focused on
the exchanged when both peers support the alternate outer IP address
extension. Section 5.2 describes how the initiator builds a SA
Proposal and Section 5.3 defines how the responder handles it.
Section 5.4 defines the case where the Proposal MUST be discarded.
Although not mandatory, there MAY be an advantage that peers are
informed whether the alternate outer IP address is supported or not
before sending Proposals. Section 5.5 presents how peers can inform
each other the support this extension. At last, Section 5.6
illustrates the different exchanged described in the document.
5.1. Alternate outer IP addresses Transform
This section does not intend to explain how SAs are negotiated, and
the reader is expected to refer to [RFC5996] section 3.3. This
section briefly sums up the different type of payload involved in
order to clarify our purpose. Figure 4 is copied from [RFC5996] to
illustrate concepts involved in the Security Association negotiation.
Migault (Ed) Expires August 19, 2013 [Page 8]
Internet-Draft Alternate Outer IP Address Extension February 2013
SA Payload
|
+--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
| | 7 transforms, SPI = 0x052357bb )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 128 )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 192 )
| |
| +-- Transform ENCR ( Name = ENCR_AES_CBC )
| | +-- Attribute ( Key Length = 256 )
| |
| +-- Transform INTEG ( Name = AUTH_HMAC_SHA1_96 )
| +-- Transform INTEG ( Name = AUTH_AES_XCBC_96 )
| +-- Transform ESN ( Name = ESNs )
| +-- Transform ESN ( Name = No ESNs )
|
+--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
| 4 transforms, SPI = 0x35a1d6f2 )
|
+-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
| +-- Attribute ( Key Length = 128 )
|
+-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
| +-- Attribute ( Key Length = 256 )
|
+-- Transform ESN ( Name = ESNs )
+-- Transform ESN ( Name = No ESNs )
Figure 4: Security Association Payload Structure
A Security Association is defined by various parameters such as
Encryption (ENCR) or Integrity (INTEG), Pseudorandom Function (PRF),
Diffie-Hellman group (D-H) or Extended Sequence Numbers (ESN). These
parameters are defined through Transforms and each parameter is a
Transform Type.
A Security Association is negotiated through the SA Payload which
contains one or more Proposals Payloads. Each Proposal contains one
or multiple acceptable "values" for each Transformed Type. These
"values" can be seen as an OR. The Proposal is accepted if for each
Transform Type one of the proposed "value" is accepted by the
responder. If the responder cannot choose an acceptable "value" for
each Transform Type, the proposition is rejected. A "value" is
composed of a Transform ID, like the name of the encryption
algorithm, and eventually one or more Attributes, like the key length
Migault (Ed) Expires August 19, 2013 [Page 9]
Internet-Draft Alternate Outer IP Address Extension February 2013
for example.
In our case, we consider a new Transform Type OADD. This Transform
Type has two Transform ID (INIT or RESP) that designates the
initiator outer IP address (INIT) or the responder outer IP address
(RESP). The Attributes associated to each Transform ID is the IP
Attribute that can be an IPv4 address, an IPv6 address or a specific
value.
5.2. Initiator: Sending OADD Transforms in Proposals
In Section 5.2 and Section 5.3 we suppose that both the initiator and
the responder support the alternate outer IP address extension, that
no USE_TRANSPORT_MODE Notify Payload is sent in conjunction of the SA
Payload, and that the Proposal Payload as defined in [RFC5996]
Section 3.3.1 has its Protocol ID set to AH or ESP. Other cases are
discussed in Section 5.4
If the initiator wants to propose the Security Gateway to choose
among a set of the initiator's interfaces IP_init_0, ..., IP_init_k
for the VPN outer IP address, it MUST include k+1 Transforms with
Transform Type OADD and Transform ID set to INIT. The Transform is
associated to the Attribute of Type IP. Transform Attributes are
defined in [RFC5996] 3.3.5.
Similarly, if the initiator wants to select on the Security Gateway
one interface among a set of interface IP_resp_0, ..., IP_resp_l, it
MUST include l+1 OADD Transform with Transform ID set to RESP, and an
Attribute of Type IP.
If the initiator does not know the interface that the responder may
choose, it may indicate the responder to define the most appropriated
interface with a OADD Transform with Transform ID set to RESP and an
Attribute of Type with the specific value ANY_IP.
If no OADD Transform with Transform ID set to INIT (Respectively
RESP) are provided in the Proposal, the default value for the outer
IP address is the one used by the IKEv2 channel. More specifically,
if the initiator considers the interface used for the IKEv2 channel
as an alternative to other IP addresses, a OADD Transform with this
IP address MUST explicitly be in the Proposal.
Note that a Proposal does not need to have both OADD Transform with
Transform ID INIT and RESP. The initiator can choose to have only
OADD Transforms with Transform ID INIT (respectively RESP).
Migault (Ed) Expires August 19, 2013 [Page 10]
Internet-Draft Alternate Outer IP Address Extension February 2013
5.3. Responder: Receiving OADD Transforms in Proposals
As mentioned in Section 5.2, we suppose the responder supports the
alternate outer IP address extension. If a Proposal contains one or
multiple OADD with a Transform ID set to INIT (respectively RESP),
the responder choose one of these. If selected OADD Transform (INIT
or RESP) with an IP Attribute, the responder returns the Transform
without modification. Otherwise, if selected OADD Transform is with
an ANY_IP Attribute, the responder returns a IP Attribute with the
correct value.
If the responder has no OADD Transform with Transform ID INIT
(respectively RESP), then by default the outer IP address of the VPN
is equal to the IP address used by the IKEv2 channel.
5.4. Incompatible Proposal with OADD Transforms
The alternate outer IP address extension only makes sense for the
IPsec tunnel mode. The SA Payload with Proposals that contains one
or more OADD Transforms MUST NOT be used with a USE_TRANSPORT_MODE
Notify Payload. Responder MUST reject these Proposals.
Similarly, Proposals with a Protocol other than AH or ESP, (that is
to say IKE), MUST NOT be used with OADD Transforms. Responder MUST
reject these Proposals.
As mentioned in [RFC5996] Section 3.3.6, a responder that does not
support the alternate outer IP address extension MUST reject any
Proposal that contains a Transform with a Transform Type OADD. If
the responder rejects all Proposals, it MUST send a
NO_PROPOSAL_CHOSEN Notify Payload.
5.5. Supporting alternate outer IP address exchange
This section describes an informational exchange where each peer
informs the other that it supports the alternate outer IP address
extension. This exchange is not mandatory, but is recommended as it
MAY ease to format the Proposals for the Security Association
negotiation.
In fact the negotiation of the alternate outer IP address is included
in SA negotiation. As described in Section 5.1, this introduces new
Transform Type and new Attributes. [RFC5996] Section 3.3.6 mentions
that a peer does not understand the new Transform Type or the new
Attributes, it MUST reject the Proposal. As a result, if the
initiator does not know if the responder supports the alternate outer
IP address extension, it SHOULD include proposals without the
associated Transform Type and Attributes to avoid that all Proposals
Migault (Ed) Expires August 19, 2013 [Page 11]
Internet-Draft Alternate Outer IP Address Extension February 2013
are rejected by the responder and receives a NO_PROPOSAL_CHOSEN
Notify Payload.
To limit the number of proposals to be sent by the initiator during
the SA negotiation, we define the supporting alternate outer IP
address exchange where the initiator can advertise it supports the
alternate outer IP address extension by sending a
ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED Notify Payload. When a node
receives this Notify Payload and support the alternate outer IP
address extension, it MUST send back the same Notify Payload.
5.6. Basic Exchange
Figure 5 provides a basic exchange. The initiator and the responder
agree on supporting the alternate outer IP address extension. This
exchange is optional but recommended. In Figure 5 this exchange
occurs during the IKE_INIT exchange, but it MAY occur anytime.
The SA negotiation consists in sending multiple Proposals. In figure
5, the OADD Transform specify the initiator and responder's IP
address. The responder choose one of the proposed transformed.
Migault (Ed) Expires August 19, 2013 [Page 12]
Internet-Draft Alternate Outer IP Address Extension February 2013
Initiator Responder
-------------------------------------------------------------------
HDR, SAi1, KEi, Ni -->
N(ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED)
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)
<-- HDR, SAr1, KEr, Nr, [CERTREQ]
N(ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED)
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)
==== From this exchange:
- the Initiator and the Responder support the alternate
outer IP address extension
- no NAT has been detected =====
HDR, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, TSi, TSr
SAi2( Proposal(ENCR, INTEG, ESN, < proposes IP1, IP2 for
OADD(INIT, IP1), the init., ANY IP for
OADD(INIT, IP2), the resp.
OADD(RESP, ANY_IP))
Proposal(ENCR, INTEG, ESN))) < proposes to use IKEv2 IP
} --> for the VPN outer IP
<-- HDR, SK {IDr, [CERT,] AUTH, TSi, TSr,
SAr2(Proposal(ENCR, INTEG, ESN,
OADD(INIT, IP1),
OADD(RESP, IPr)))
}
Figure 5: Basic Exchange for VPN alternate outer
IP addresses negotiation
6. Payload Formats
As mentioned in Section 5 this document introduces a new Transform of
Transform Type OADD. The associated Transform ID are INIT for the
initiator outer IP address and RESP for the responder's IP address.
These Transforms are associated a Attributes that are either carrying
an IP address (IPv4 or IPv6) or associated to a specific value like
ANY_IP.
This document also introduces the
ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED Notify Payload, so peers can
Migault (Ed) Expires August 19, 2013 [Page 13]
Internet-Draft Alternate Outer IP Address Extension February 2013
inform the other they support the alternate outer IP address
extension.
This section describes the format of all new payload introduced for
the outer IP address extension.
6.1. Outer IP address Transform OADD
This section specifies the Transform structure as defined in
[RFC5996] Section 3.3.2.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 (last) or 3 | RESERVED | Transform Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Transform Type | RESERVED | Transform ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Transform Attributes ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: OADD Transform Substructure
- 0 (last) or 3 (more) (1 octet): Specifies whether this is the last
Transform Substructure in the Proposal.
- RESERVED (1 octet): MUST be sent as zero; MUST be ignored on
receipt.
- Transform Length (2 octets): The length (in octets) of the
Transform Substructure including Header and Attributes.
- Transform Type (2 octets): The type of transform being specified
in this transform. Set to OADD in this document.
- Transform ID (2 octets): he specific instance of the Transform
Type being proposed. Set to INIT or RESP in this document.
- Transform Attributes (variable length): The IP Attribute in this
document.
Migault (Ed) Expires August 19, 2013 [Page 14]
Internet-Draft Alternate Outer IP Address Extension February 2013
6.2. IP Attribute with IP addresses
This section specifies the Attribute structure as defined in
[RFC5996] Section 3.3.5.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A| Attribute Type | AF=0 Attribute Length |
|F| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ IP Address ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: IP Attribute with IP address
- Attribute Format (AF) (1 bit): Set to 0, indicating a TLV format.
- Attribute Type (15 bits): Set to IP in this document.
- Attribute Length (16 bits): The length is either 8 to designate
the length of an IPv4 or 20 to designate the length of on IPv6
address. The length includes the headers of 4 octets.
6.3. IP Attribute indicating ANY_IP
This section specifies the Attribute structure as defined in
[RFC5996] Section 3.3.5.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A| Attribute Type | AF=1 Attribute Value |
|F| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: IP Attribute set to ANY_ IP
- Attribute Format (AF) (1 bit): Set to 1, Attribute Value.
- Attribute Value (15 bits): Set to ANY_IP in this document.
Migault (Ed) Expires August 19, 2013 [Page 15]
Internet-Draft Alternate Outer IP Address Extension February 2013
6.4. Alternate Outer IP Address Notify Payload
This section presents the Notify Payload as defined in [RFC5996]
Section 3.10.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol ID | SPI Size = 0 | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: Alternate Outer IP Address Notify Payload
- Next Payload (1 octet): Identifier for the payload type of the
next payload in the message. If the current payload is the
last in the message, then this field will be 0.
- Critical (1 bit): MUST be set to zero for payload types defined in
this document.
- RESERVED (7 bits): MUST be sent as zero; MUST be ignored on
receipt.
- Payload Length (2 octets, unsigned integer): Length in octets of
the current payload, including the generic payload header. Set
to 16 in this document.
- Protocol ID (1 octet): This field MUST be sent as zero and MUST
be ignored on receipt.
- Notify Message Type (2 octets): Set to
ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED in this document.
7. NAT considerations
In the document we assumed that there were no NAT between the VPN End
User and the Security Gateway. This means that the VPN End User and
the Security Gateway know 1) the interface they are receiving data on
is the interface used as a destination by the other peer and 2) the
interface set as destination is the interface used by the other peer
to receive the data. As a result, if the VPN End User (respectively
the Security Gateway) is behind a NAT, the VPN End User may be seen
by the Security Gateway (respectively the VPN End User) with another
IP address unknown to the VPN End User (respectively the Security
Gateway).
Migault (Ed) Expires August 19, 2013 [Page 16]
Internet-Draft Alternate Outer IP Address Extension February 2013
NATs impact the alternate outer IP address extensions in two ways:
- IPsec configuration: The alternate outer IP addresses the two
peers are negotiating may not be the ones in the Security
Associations. More specifically, suppose the VPN End User and
the Security Gateway depicted in figure 10 have negotiated the
alternate outer IP addresses src_0, dst_1. src_0 is NATted with
NAT_0, and may be unreachable, the outer IP address in the
Security Gateway SA should be src_nat_0 instead.
- NAT traversal: NATs may make an IP address behind it reachable
only if this IP address has initiated a connection. More
specifically, suppose the VPN End User and the Security Gateway
depicted in figure 10 have established an IKEv2 channel between
src_0 and dst_1 and are MOBIKE enabled. Suppose the VPN End
User sends the Security Gateway an ADDITIONAL_IP*_ADDRESS with
src_1 or eventually with src_nat_1. Unless NAT_1 has been
configured to forward the traffic from the Security Gateway to
the VPN End User, this traffic will most likely be discarded by
NAT_1. Similarly, if the Security Gateway moves the VPN from
dst_0 to dst_1, the VPN may be broken. Note that we use MOBIKE
to illustrate the problems of reachability through NATs, but
these operations are discussed more in depth in [RFC4555].
This section does not intend to discussed all NATs configuration as
described in [RFC5389]. Instead the only NAT scenario we consider is
a single NAT and the VPN End User behind that NAT initiates the
alternate outer IP address exchange. The architecture this section
considers is depicted in figure 10. Furthermore, this section does
not consider the NAT traversal aspect. We assume that the VPN End
User is NAT aware and perform the necessary actions to make/configure
the NATs so that they do not block the traffic.
Section 7.1 defines how the End User MAY prohibit the alternate outer
IP address extension if a NAT is detected. Then, in Section 7.2 how
the VPN End User can detect the presence of NAT. Section 7.3
discusses the case where the VPN End User does not know the values of
the NATted IP addresses and Section 7.4 discusses the case where the
VPN End User knows all NATted IP addresses values.
Migault (Ed) Expires August 19, 2013 [Page 17]
Internet-Draft Alternate Outer IP Address Extension February 2013
+---+
+------------+ | I | +------------+
| | src_0 +-------+ src_nat_0 | N | dst_0 | |
| =========| NAT_0 |===========| T |=======| Security |
| VPN | +-------+ | E | | Gateway |
| End User | src_1 +-------+ src_nat_1 | R | dst_1 | |
| =========| NAT_1 |===========| N |=======| |
| | +-------+ | E | | |
+------------+ | T | +------------+
+---+
Figure 10: VPN End User behind a NAT scenario
7.1. Prohibiting NAT
This section considers that the VPN End User does not want to use the
alternate outer IP address extension if a NAT is detected. This
section differs from the NAT detection because it both detects the
existence of a NAT and provide an indication that some supported
functionalities like MOBIKE SHOULD NOT be used if a NAT is detected.
The NO_NATS_ALLOWED Notify Payload is defined in [RFC4555]. If the
VPN End User supports MOBIKE, it MAY send a NO_NATS_ALLOWED Notify
Payload with the original IP addresses and ports. When the Notify
Payload is received by the Security Gateway, it checks the IP
addresses values in the IP header and in the Payload, in case of
mismatch, a UNEXPECTED_NAT_DETECTED Notify Payload is returned.
In our case, the NO_NATS_ALLOWED MAY be used by the VPN End User if
both the VPN End User and the Security Gateway support MOBIKE. When
the Security Gateway receives the NO_NATS_ALLOWED Notify Payload, it
MUST NOT use MOBIKE and SHOULD NOT use the alternate outer IP address
extension.
There are corner cases that are not considered by this policy.
First, a VPN End User or a Security Gateway that do not support
MOBIKE cannot use the NO_NATS_ALLOWED Notify Payload. However, it
seems hardly possible that peers supporting the alternate outer IP
address extension support MOBIKE. Second, a VPN End User using the
NO_NATS_ALLOWED applies the same policy for MOBIKE and the alternate
outer address extension. Here again, it seems unlikely that NAT
policies differ. Furthermore, the NO_NATS_ALLOWED exchange only
prevent the Security Gateway to initiate a MOBIKE or alternate outer
IP address negotiation. The VPN End User can still use one or the
other extension. From our experience, this constraint seems
acceptable.
Migault (Ed) Expires August 19, 2013 [Page 18]
Internet-Draft Alternate Outer IP Address Extension February 2013
7.2. NAT detection
This section details how NAT can be detailed with IKEv2 extensions.
We do not consider here other mechanisms like ICE described in
[RFC5768] or STUN [RFC5389].
The VPN End User can detect the NAT by using the
NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP Notify
Payload as described in [RFC5996]. These Notify Payloads carry the
SHA-1 of the source (respectively the destination) IP address. At
the reception, the Security Gateway can compare their contend with
the SHA-1 of the IP addresses in the IP header. A mismatch between
the two values indicates the presence of a NAT, but do not provide
the value of the original IP address. Usually, this exchange is
performed during the IKE_INIT exchange to decide whether or not IKEv2
should proceed to UDP encapsulation.
Note that with the NAT detection exchange, the NAT is detected on the
IKEv2 channel. If the IKEv2 channel is using src_0, the NAT
detection exchange will detect NAT_0. To detect NAT_1 using IKEv2,
the VPN End User SHOULD move the IKEv2 channel on src_1 with MOBIKE
for example. Since the UPDATE_SA Notify Payload is initiated by the
VPN End User, NAT_1 is expected to accept the traffic from the
Security Gateway. Note also that the NAT detection exchange does not
provide the value of the src_nat* IP addresses.
7.3. The VPN End User does not know the NATted IP addresses
This section analyses how the alternate outer IP address extension
can be used when the VPN End User does not know the values of the
NATted IP addresses, i.e. src_nat_0 and src_nat_1.
In that case, the VPN End User MAY only select the destination outer
IP address corresponding to the Security Gateway IP addresses. How
the VPN End User gets these IP addresses is out of scope of the
document, however, if the VPN End User and the Security Gateway
support MOBIKE, the MOBIKE ADDITIONAL_IP*_ADDRESS Notify Payload MAY
be used for that purpose. It is recommended that the VPN End User
does not provide the outer source IP, in which case, the one from the
IKEv2 channel will be considered by default. More specifically, the
VPN End User cannot provide the Security Gateway its alternate IP
addresses.
The VPN End User MAY use the ANY_IP IP Attribute for the source outer
IP address. This would enable the Security Gateway to select an
alternate IP address that differs from the one used by the IKEv2
channel. In order to select the IP addresses associated to the VPN
End User, the Security Gateway has to be aware of the NATted IP
Migault (Ed) Expires August 19, 2013 [Page 19]
Internet-Draft Alternate Outer IP Address Extension February 2013
addresses depicted as src_nat_0 and src_nat_1. One possibility is
that the Security Gateway log the IP addresses used by the VPN End
User when it moves from src_0 to src_1. This also means that the VPN
is being negotiated with a CREATE_CHILD_SA exchange after the initial
IKE_INIT exchange.
7.4. The VPN End User does know the NATted IP addresses
In this section the VPN End User knows the NATted IP addresses
src_nat_0 and src_nat_1. How the End User get these values is out of
scope of the document. This case should be considered only if the
VPN End User exactly know what it is doing.
In this case, the VPN End User can proceed as if no NAT exist. The
VPN End User considers in the alternate outer IP address negotiation
that its IP addresses are the NATted IP addresses that is src_nat_0
and src_nat_1. On the other hand, the VPN End User MUST configure
properly its SAs with src_0 if src_nat_0 is selected or with src_1 if
src_nat_1 is selected.
The VPN End User is also responsible to make the NAT Traversal
possible.
8. IANA Considerations
The new fields and number are the following:
IKEv2 Notify Message Types - Status Types
-----------------------------------------
ALTERNATE_OUTER_IP_ADDRESS_SUPPORTED TBD
Transform Attribute Types
-------------------------
OADD TBD
Transform Type OADD IDs
-----------------------
INIT TBD
RESP TBD
Attribute Type
--------------
IP TBD
IP Attribute Type Values
------------------------
Migault (Ed) Expires August 19, 2013 [Page 20]
Internet-Draft Alternate Outer IP Address Extension February 2013
ANY_IP TBD
9. Security Considerations
The exchange described in this document is protected by the IKEv2
channel.
10. Acknowledgment
The author would like to thank Yoav Nir for its helpful comments.
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol
(MOBIKE)", RFC 4555, June 2006.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
October 2008.
[RFC5768] Rosenberg, J., "Indicating Support for Interactive
Connectivity Establishment (ICE) in the Session Initiation
Protocol (SIP)", RFC 5768, April 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[RFC6027] Nir, Y., "IPsec Cluster Problem Statement", RFC 6027,
October 2010.
11.2. Informational References
[I-D.arora-ipsecme-ikev2-alt-tunnel-addresses]
Arora, J. and P. Kumar, "Alternate Tunnel Addresses for
IKEv2", draft-arora-ipsecme-ikev2-alt-tunnel-addresses-00
(work in progress), April 2010.
Migault (Ed) Expires August 19, 2013 [Page 21]
Internet-Draft Alternate Outer IP Address Extension February 2013
[I-D.mglt-ipsecme-security-gateway-discovery]
Migault, D. and K. Pentikousis, "IKEv2 Security Gateway
Discovery",
draft-mglt-ipsecme-security-gateway-discovery-00 (work in
progress), February 2013.
[I-D.mglt-mif-security-requirements]
Migault, D. and C. Williams, "IPsec Multiple Interfaces
Problem Statement",
draft-mglt-mif-security-requirements-03 (work in
progress), November 2012.
Appendix A. Document Change Log
[RFC Editor: This section is to be removed before publication]
-00: First version published.
Author's Address
Daniel Migault
Francetelecom - Orange
38 rue du General Leclerc
92794 Issy-les-Moulineaux Cedex 9
France
Phone: +33 1 45 29 60 52
Email: mglt.ietf@gmail.com
Migault (Ed) Expires August 19, 2013 [Page 22]