Clarifications and Implementation Guidelines for using TCP Encapsulation in IKEv2
draft-smyslov-ipsecme-tcp-guidelines-00

Document Type Active Internet-Draft (individual)
Last updated 2018-09-07
Replaces draft-smyslov-ipsec-tcp-guidelines
Stream (None)
Intended RFC status (None)
IESG state I-D Exists
Network Working Group                                         V. Smyslov
Internet-Draft                                                ELVIS-PLUS
Intended status: Informational                         September 7, 2018
Expires: March 11, 2019

Clarifications and Implementation Guidelines for using TCP Encapsulation
                                in IKEv2
                draft-smyslov-ipsecme-tcp-guidelines-00

Abstract

   The Internet Key Exchange Protocol version 2 (IKEv2) defined in
   [RFC7296] uses UDP transport for its messages.  [RFC8229] specifies a
   way to encapsulate IKEv2 and ESP (Encapsulating Security Payload)
   messages in TCP, thus making it possible to use them in network
   environments that block UDP traffic.  However, some nuances of using
   TCP in IKEv2 are not covered by that specification.  This document
   provides clarifications and implementation guidelines for [RFC8229].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Smyslov                  Expires March 11, 2019                 [Page 1]
Internet-Draft     IKEv2 TCP Encapsulation Guidelines     September 2018

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology and Notation  . . . . . . . . . . . . . . . . . .   3
   3.  Retransmissions . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Using Cookies and Puzzles . . . . . . . . . . . . . . . . . .   4
   5.  Error Handling in the IKE_SA_INIT . . . . . . . . . . . . . .   5
   6.  Interaction with MOBIKE Protocol  . . . . . . . . . . . . . .   5
   7.  Using TCP Encapsulation with High Availability Cluster  . . .   6
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The Internet Key Exchange version 2 (IKEv2), as defined in [RFC7296],
   uses UDP as its transport protocol.  As time has passed, the network
   environment has evolved, and sometimes this evolution has resulted in
   situations where UDP messages are dropped by the network
   infrastructure.  This may happen either because network devices are
   unable to handle them properly (e.g. non-initial fragments of UDP
   messages) or because network devices are deliberately configured to
   block UDP traffic.

   Several standard solutions have been developed to deal with such
   situations.  In particular, [RFC7383] defines a way to avoid IP
   fragmentation of large IKE messages, and [RFC8229] specifies a way to
   transfer IKEv2 and ESP (Encapsulating Security Payload) messages over
   a stream protocol like TCP.  This document focuses on the latter
   specification; its goal is to give implementers guidelines on how to
   properly use a reliable, connection-oriented stream transport in IKEv2.
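   The draft refers to the [RFC8229] stream encapsulation without
   reproducing it, so the following receiver-side framer is added here as
   an illustration; it is example code written for this page, not code
   from the draft or from any IKE implementation.  The wire-format
   constants (the "IKETCP" stream prefix, the 16-bit Length that counts
   itself, the 4-octet zero non-ESP marker) follow my reading of RFC
   8229 and are assumptions, as are all class and function names.

```python
import struct
# Framing constants, from my reading of RFC 8229 (assumptions, not from the draft).
STREAM_PREFIX = b"IKETCP"             # sent once by the initiator at stream start
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero octets mark IKE; ESP starts with SPI != 0
IKE_HEADER_LEN = 28                   # fixed IKEv2 header size (RFC 7296)
MIN_FRAME_LEN = 2 + 8                 # Length field + smallest ESP header (SPI + SN)

class FramingError(ValueError):       # stream violates the framing: drop the connection
    pass

class TcpEncapReceiver:
    """Reassembles IKE/ESP messages from a TCP byte stream that may arrive in pieces."""
    def __init__(self):
        self.buf = bytearray()
        self.prefix_seen = False

    def feed(self, data):
        """Append received bytes; return the (kind, message) pairs that became complete."""
        self.buf += data
        out = []
        if not self.prefix_seen:
            if len(self.buf) < len(STREAM_PREFIX):
                return out                           # wait for the whole prefix
            if self.buf[:len(STREAM_PREFIX)] != STREAM_PREFIX:
                raise FramingError("stream does not start with IKETCP")
            del self.buf[:len(STREAM_PREFIX)]
            self.prefix_seen = True
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])  # counts the Length field itself
            # Length 0 or 1 can never hold a message; rejecting it prevents a zero-progress loop.
            if length < MIN_FRAME_LEN:
                raise FramingError("invalid Length %d" % length)
            if len(self.buf) < length:
                break                                # rest of this message not yet received
            body = bytes(self.buf[2:length])
            del self.buf[:length]
            if body[:4] == NON_ESP_MARKER:
                ike = body[4:]
                if len(ike) < IKE_HEADER_LEN:
                    raise FramingError("IKE message shorter than its fixed header")
                out.append(("ike", ike))
            else:
                out.append(("esp", body))            # ESP packet, begins with non-zero SPI
        return out

def encap(kind, payload):                            # sender side; prefix is sent separately
    body = (NON_ESP_MARKER if kind == "ike" else b"") + payload
    if 2 + len(body) > 0xFFFF:
        raise FramingError("message does not fit in a 16-bit Length")
    return struct.pack("!H", 2 + len(body)) + body
```

   Feeding the stream one byte at a time exercises the partial-read path
   that a UDP-based implementation never had to handle.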

   Since IKEv2 originally relied on an unreliable transport, it was
   designed to cope with that unreliability: IKEv2 has its own
   retransmission timers, replay detection logic, etc.  Using a reliable
   transport makes many of these mechanisms unnecessary.  On the other
   hand, a connection-oriented transport requires IKEv2 to keep the
   connection alive and to restore it when it is broken, tasks that were
   not needed before.  [RFC8229] gives recommendations on how peers must
   behave in different situations to keep the connection.  However,