Announcing Supported Authentication Methods in IKEv2
draft-smyslov-ipsecme-ikev2-auth-announce-02
Document Type: Active Internet-Draft (individual)
Author: Valery Smyslov
Last updated: 2020-09-09
Stream: (None)
Intended RFC status: (None)
IESG state: I-D Exists
Network Working Group                                        V. Smyslov
Internet-Draft                                               ELVIS-PLUS
Intended status: Standards Track                      September 9, 2020
Expires: March 13, 2021
Announcing Supported Authentication Methods in IKEv2
draft-smyslov-ipsecme-ikev2-auth-announce-02
Abstract
This specification defines a mechanism that allows Internet Key
Exchange version 2 (IKEv2) implementations to indicate the list of
authentication methods they support to their peers while establishing
an IKEv2 Security Association (SA). This mechanism improves
interoperability when IKEv2 partners are configured with multiple
different credentials to authenticate each other.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 13, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Smyslov Expires March 13, 2021 [Page 1]
Internet-Draft Announcing Supported Auth Methods September 2020
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology and Notation . . . . . . . . . . . . . . . . . . 3
3. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Exchanges . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. SUPPORTED_AUTH_METHODS Notify . . . . . . . . . . . . . . 4
3.2.1. 2-octet Announcement . . . . . . . . . . . . . . . . 5
3.2.2. 3-octet Announcement . . . . . . . . . . . . . . . . 6
3.2.3. Multi-octet Announcement . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
The Internet Key Exchange version 2 (IKEv2) protocol, defined in
[RFC7296], performs authenticated key exchange in IPsec. IKEv2,
unlike its predecessor IKEv1, defined in [RFC2409], doesn't include a
mechanism to negotiate an authentication method that the peers would
use to authenticate each other. It is assumed that each peer selects
whatever authentication method it thinks is appropriate, depending on
authentication credentials it has.
This approach generally works well when there is no ambiguity in
selecting authentication credentials. A problem may arise when
several credentials of different types are configured on one peer,
while only some of them are supported on the other peer. Another
problem situation is when a single credential may be used to produce
different types of authentication tokens (e.g. signatures of
different formats). Emerging post-quantum signature algorithms may
bring additional challenges for implementations, especially if
so-called hybrid schemes are used (e.g. see
[I-D.ounsworth-pq-composite-sigs]).
This specification defines an extension to the IKEv2 protocol that
allows peers to announce their supported authentication methods, thus
reducing the risk of SA establishment failure in situations where
there are several ways for the peers to authenticate themselves.
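The failure mode the Introduction describes, and the way an announcement of supported methods removes it, can be seen in a small model of each peer's choice of authentication method. The code below is an added example, not code from the draft or from any IKEv2 implementation; it does not model the SUPPORTED_AUTH_METHODS wire format (Section 3.2, not shown on this page). The credential store, the preference orders and the assumption that each side learns the peer's list before computing its own AUTH payload are constructed for illustration; the method identifiers are the real values from the IANA IKEv2 Authentication Method registry.

```python
# Illustrative model of IKEv2 authentication-method selection, with and
# without a peer announcement of supported methods. Added example; it is
# not code from the draft, and the SUPPORTED_AUTH_METHODS notify format
# is not modelled here.

# Authentication Method identifiers from the IANA "IKEv2 Authentication
# Method" registry (RFC 7296 section 3.8; value 14 is from RFC 7427).
RSA_DIGITAL_SIGNATURE = 1
SHARED_KEY_MIC = 2
ECDSA_SHA256_P256 = 9
DIGITAL_SIGNATURE = 14

# Constructed credential store (assumption): each credential lists, in
# local preference order, the authentication methods it can produce.
# One credential may produce several token formats (an RSA key can sign
# as method 1 or as the generic method 14), which is the second
# ambiguity the Introduction describes.
CREDENTIALS = {
    "rsa-key": [RSA_DIGITAL_SIGNATURE, DIGITAL_SIGNATURE],
    "p256-key": [ECDSA_SHA256_P256, DIGITAL_SIGNATURE],
    "psk": [SHARED_KEY_MIC],
}


def producible_methods(credential_names):
    """Methods this peer can produce, in preference order, from the named
    credentials (earlier credentials and earlier methods win)."""
    ordered = []
    for name in credential_names:
        for method in CREDENTIALS[name]:
            if method not in ordered:
                ordered.append(method)
    return ordered


def choose_auth_method(credential_names, peer_announced=None):
    """Pick the method this peer uses to authenticate itself.

    peer_announced is the set of methods the peer announced it supports,
    or None when no announcement was received (plain RFC 7296 behaviour:
    the peer picks its own first preference without knowing whether the
    other side can verify it)."""
    candidates = producible_methods(credential_names)
    if peer_announced is None:
        return candidates[0] if candidates else None
    for method in candidates:
        if method in peer_announced:
            return method
    return None  # nothing in common: fail before sending IKE_AUTH


def simulate_ike_auth(init_creds, init_verifies, resp_creds, resp_verifies,
                      announce):
    """Run the authentication half of an IKEv2 exchange in the model.

    Each side authenticates independently with its own AUTH payload, and
    the other side can verify only methods in its *_verifies set. With
    announce=True each side knows the peer's verifiable set before
    choosing (a modelling assumption; the draft's Section 3.1 defines in
    which exchange the notify travels). Returns
    (initiator_method, responder_method, success)."""
    init_method = choose_auth_method(init_creds,
                                     resp_verifies if announce else None)
    resp_method = choose_auth_method(resp_creds,
                                     init_verifies if announce else None)
    if init_method is None or resp_method is None:
        return init_method, resp_method, False
    success = init_method in resp_verifies and resp_method in init_verifies
    return init_method, resp_method, success


if __name__ == "__main__":
    # Scenario from the Introduction: the initiator holds RSA and ECDSA
    # credentials and prefers RSA; the responder can verify only ECDSA
    # P-256 and shared-key authentication.
    init = (["rsa-key", "p256-key"], {1, 14, 9})
    resp = (["p256-key", "psk"], {9, 2})
    for announce in (False, True):
        print("announce" if announce else "no announce",
              simulate_ike_auth(init[0], init[1], resp[0], resp[1], announce))
```

Without the announcement the initiator signs with RSA (method 1), which the responder cannot verify, and the SA fails in IKE_AUTH; with the announcement both sides land on ECDSA P-256. The same logic handles the one-credential, two-formats case: an RSA key holder facing a peer that verifies only the generic Digital Signature method (14) will pick 14 instead of 1.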