Opportunistic Encryption using the Internet Key Exchange (IKE)
RFC 4322

Document Type RFC - Informational (December 2005; Errata)
Last updated 2013-03-02
Stream IETF
IESG IESG state RFC 4322 (Informational)
Send notices to mcr@sandelman.ottawa.on.ca, hugh@mimosa.com
Network Working Group                                      M. Richardson
Request for Comments: 4322                                           SSW
Category: Informational                                  D.H. Redelmeier
                                                                  Mimosa
                                                           December 2005

     Opportunistic Encryption using the Internet Key Exchange (IKE)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes opportunistic encryption (OE) as designed and
   implemented by the Linux FreeS/WAN project.  OE uses the Internet Key
   Exchange (IKE) and IPsec protocols.  The objective is to allow
   encryption for secure communication without any pre-arrangement
   specific to the pair of systems involved.  DNS is used to distribute
   the public keys of each system involved.  This key distribution is
   resistant to passive attacks.  The use of DNS Security (DNSSEC)
   secures this system against active attackers as well.

   As a result, the administrative overhead is reduced from the square
   of the number of systems to a linear dependence, and it becomes
   possible to make secure communication the default even when the
   partner is not known in advance.

Table of Contents

   1. Introduction ....................................................3
      1.1. Motivation .................................................3
      1.2. Encryption Regimes .........................................4
      1.3. Peer Authentication in Opportunistic Encryption ............4
      1.4. Use of RFC 2119 Terms ......................................5
   2. Overview ........................................................6
      2.1. Reference Diagram ..........................................6
      2.2. Terminology ................................................6
      2.3. Model of Operation .........................................8

Richardson & Redelmeier      Informational                      [Page 1]
RFC 4322           Opportunistic Encryption using IKE      December 2005

   3. Protocol Specification ..........................................9
      3.1. Forwarding Plane State Machine .............................9
      3.2. Keying Daemon -- Initiator ................................12
      3.3. Keying Daemon -- Responder ................................20
      3.4. Renewal and Teardown ......................................22
   4. Impacts on IKE .................................................24
      4.1. ISAKMP/IKE Protocol .......................................24
      4.2. Gateway Discovery Process .................................24
      4.3. Self Identification .......................................24
      4.4. Public Key Retrieval Process ..............................25
      4.5. Interactions with DNSSEC ..................................25
      4.6. Required Proposal Types ...................................25
   5. DNS Issues .....................................................26
      5.1. Use of KEY Record .........................................26
      5.2. Use of TXT Delegation Record ..............................27
      5.3. Use of FQDN IDs ...........................................29
      5.4. Key Roll-Over .............................................29
   6. Network Address Translation Interaction ........................30
      6.1. Co-Located NAT/NAPT .......................................30
      6.2. Security Gateway behind a NAT/NAPT ........................30
      6.3. End System behind a NAT/NAPT ..............................31
   7. Host Implementations ...........................................31
   8. Multi-Homing ...................................................31
   9. Failure Modes ..................................................33
      9.1. DNS Failures ..............................................33
      9.2. DNS Configured, IKE Failures ..............................33
      9.3. System Reboots ............................................34
   10. Unresolved Issues .............................................34
      10.1. Control of Reverse DNS ...................................34
   11. Examples ......................................................34
      11.1. Clear-Text Usage (Permit Policy) .........................34
      11.2. Opportunistic Encryption .................................36
   12. Security Considerations .......................................39
      12.1. Configured versus Opportunistic Tunnels ..................39
      12.2. Firewalls versus Opportunistic Tunnels ...................40