datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

Internet Key Exchange (IKEv2) Protocol
RFC 4306

Document type: RFC - Proposed Standard (December 2005; Errata)
Obsoleted by RFC 5996
Updated by RFC 5282
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4306 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: No addresses provided

Network Working Group                                    C. Kaufman, Ed.
Request for Comments: 4306                                     Microsoft
Obsoletes: 2407, 2408, 2409                                December 2005
Category: Standards Track

                 Internet Key Exchange (IKEv2) Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes version 2 of the Internet Key Exchange (IKE)
   protocol.  IKE is a component of IPsec used for performing mutual
   authentication and establishing and maintaining security associations
   (SAs).

   This version of the IKE specification combines the contents of what
   were previously separate documents, including Internet Security
   Association and Key Management Protocol (ISAKMP, RFC 2408), IKE (RFC
   2409), the Internet Domain of Interpretation (DOI, RFC 2407), Network
   Address Translation (NAT) Traversal, Legacy authentication, and
   remote address acquisition.

   Version 2 of IKE does not interoperate with version 1, but it has
   enough of the header format in common that both versions can
   unambiguously run over the same UDP port.

Kaufman                     Standards Track                     [Page 1]
RFC 4306                         IKEv2                     December 2005

Table of Contents

   1. Introduction ....................................................3
      1.1. Usage Scenarios ............................................5
      1.2. The Initial Exchanges ......................................7
      1.3. The CREATE_CHILD_SA Exchange ...............................9
      1.4. The INFORMATIONAL Exchange ................................11
      1.5. Informational Messages outside of an IKE_SA ...............12
   2. IKE Protocol Details and Variations ............................12
      2.1. Use of Retransmission Timers ..............................13
      2.2. Use of Sequence Numbers for Message ID ....................14
      2.3. Window Size for Overlapping Requests ......................14
      2.4. State Synchronization and Connection Timeouts .............15
      2.5. Version Numbers and Forward Compatibility .................17
      2.6. Cookies ...................................................18
      2.7. Cryptographic Algorithm Negotiation .......................21
      2.8. Rekeying ..................................................22
      2.9. Traffic Selector Negotiation ..............................24
      2.10. Nonces ...................................................26
      2.11. Address and Port Agility .................................26
      2.12. Reuse of Diffie-Hellman Exponentials .....................27
      2.13. Generating Keying Material ...............................27
      2.14. Generating Keying Material for the IKE_SA ................28
      2.15. Authentication of the IKE_SA .............................29
      2.16. Extensible Authentication Protocol Methods ...............31
      2.17. Generating Keying Material for CHILD_SAs .................33
      2.18. Rekeying IKE_SAs Using a CREATE_CHILD_SA exchange ........34
      2.19. Requesting an Internal Address on a Remote Network .......34
      2.20. Requesting the Peer's Version ............................35
      2.21. Error Handling ...........................................36
      2.22. IPComp ...................................................37
      2.23. NAT Traversal ............................................38
      2.24. Explicit Congestion Notification (ECN) ...................40
   3. Header and Payload Formats .....................................41
      3.1. The IKE Header ............................................41
      3.2. Generic Payload Header ....................................44
      3.3. Security Association Payload ..............................46
      3.4. Key Exchange Payload ......................................56
      3.5. Identification Payloads ...................................56
      3.6. Certificate Payload .......................................59
      3.7. Certificate Request Payload ...............................61
      3.8. Authentication Payload ....................................63
      3.9. Nonce Payload .............................................64
      3.10. Notify Payload ...........................................64
      3.11. Delete Payload ...........................................72

[include full document text]