IKEv2 Fragmentation
draft-ietf-ipsecme-ikev2-fragmentation-04
The information below is for an old version of the document.

Document type: Active Internet-Draft (ipsecme WG)
Last updated: 2013-10-18
Stream: IETF
Intended RFC status: (None)
WG state: WG Document
Document shepherd: None
IESG state: I-D Exists
Consensus Boilerplate: Unknown
Responsible AD: (None)
Send notices to: (None)
Network Working Group V. Smyslov
Internet-Draft ELVIS-PLUS
Intended status: Standards Track October 18, 2013
Expires: April 21, 2014
IKEv2 Fragmentation
draft-ietf-ipsecme-ikev2-fragmentation-04
Abstract
This document describes a way to avoid IP fragmentation of large
IKEv2 messages. This allows IKEv2 messages to traverse network
devices that do not allow IP fragments to pass through.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Smyslov Expires April 21, 2014 [Page 1]
Internet-Draft IKEv2 Fragmentation October 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used in This Document . . . . . . . . . . . . 3
2. Protocol details . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Negotiation . . . . . . . . . . . . . . . . . . . . . . . 4
2.4. Using IKE Fragmentation . . . . . . . . . . . . . . . . . 5
2.5. Fragmenting Message . . . . . . . . . . . . . . . . . . . 6
2.5.1. Selecting Fragment Size . . . . . . . . . . . . . . . 8
2.5.2. PMTU Discovery . . . . . . . . . . . . . . . . . . . . 8
2.5.3. Fragmenting Messages containing unencrypted
Payloads . . . . . . . . . . . . . . . . . . . . . . . 9
2.6. Receiving IKE Fragment Message . . . . . . . . . . . . . . 10
2.6.1. Changes in Replay Protection Logic . . . . . . . . . . 11
3. Interaction with other IKE extensions . . . . . . . . . . . . 13
4. Transport Considerations . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . . 18
8.2. Informative References . . . . . . . . . . . . . . . . . . 18
Appendix A. Design rationale . . . . . . . . . . . . . . . . . . 19
Appendix B. Correlation between IP Datagram size and
Encrypted Payload content size . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction
The Internet Key Exchange Protocol version 2 (IKEv2), specified in
[RFC5996], uses UDP as the transport for its messages. When an IKE
message exceeds the path MTU, it is fragmented at the IP level. The
problem is that some network devices, in particular some NAT boxes,
do not allow IP fragments to pass through. This effectively blocks
IKE communication and, therefore, prevents peers from establishing an
IPsec SA.
The solution described in this document is to fragment large messages
within IKE itself, replacing each of them with a series of smaller
messages. The resulting IP datagrams will then be small enough that
no fragmentation at the IP level will take
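As an added illustration of the problem and approach described in the Introduction (example code, not part of the draft): splitting an IKE message so that every resulting UDP datagram fits within the path MTU, then reassembling it on the receiving side. The per-fragment header layout, the IPv4/UDP header sizes, the 576-byte path MTU and the sample message are assumptions for this demo, not the draft's wire format.

```python
import struct
IPV4_HDR = 20   # IPv4 header without options (assumed; IPv4 only)
UDP_HDR = 8     # UDP header
# Hypothetical per-fragment header (fragment number, total fragments); this
# is NOT the draft's wire format, which is defined in sections not shown here.
FRAG_HDR = struct.Struct("!HH")

def ip_fragments_needed(ike_msg_len: int, path_mtu: int) -> bool:
    """True if the unfragmented datagram exceeds the path MTU (IP would fragment it)."""
    return IPV4_HDR + UDP_HDR + ike_msg_len > path_mtu

def fragment(ike_msg: bytes, path_mtu: int) -> list:
    """Replace one large IKE message by smaller ones whose datagrams fit path_mtu."""
    budget = path_mtu - IPV4_HDR - UDP_HDR - FRAG_HDR.size
    if budget <= 0:
        raise ValueError("path MTU leaves no room for fragment payload")
    chunks = [ike_msg[i:i + budget] for i in range(0, len(ike_msg), budget)]
    total = len(chunks)
    return [FRAG_HDR.pack(n, total) + c for n, c in enumerate(chunks, 1)]

class Reassembler:
    """Collects fragments of one message; tolerates reordering and duplicates."""
    def __init__(self):
        self.total = None       # learned from the first valid fragment
        self.parts = {}         # fragment number -> payload

    def add(self, frag: bytes):
        if len(frag) < FRAG_HDR.size:
            return None                       # too short to carry a header
        num, total = FRAG_HDR.unpack_from(frag)
        if num == 0 or total == 0 or num > total:
            return None                       # malformed header, drop it
        if self.total is None:
            self.total = total
        elif total != self.total:
            return None                       # disagrees with earlier fragments
        self.parts.setdefault(num, frag[FRAG_HDR.size:])  # first copy wins
        if len(self.parts) == self.total:     # every fragment present
            return b"".join(self.parts[i] for i in range(1, self.total + 1))
        return None

def demo():
    msg = bytes(range(256)) * 12              # constructed 3072-byte IKE message
    mtu = 576                                 # path MTU assumed for the demo
    frags = fragment(msg, mtu)
    fits = all(IPV4_HDR + UDP_HDR + len(f) <= mtu for f in frags)
    r, out = Reassembler(), None
    for f in frags[::-1] + frags[:1]:         # reversed delivery plus a duplicate
        out = r.add(f) or out
    return ip_fragments_needed(len(msg), mtu), len(frags), fits, out == msg
```

`demo()` returns `(True, 6, True, True)`: the 3072-byte message would be IP-fragmented at a 576-byte MTU, but after IKE-level fragmentation all six datagrams fit and the message reassembles despite reordering and duplication.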