datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

IKEv2 Clarifications and Implementation Guidelines
RFC 4718

Document type: RFC - Informational (October 2006; Errata)
Obsoleted by RFC 5996
Was draft-eronen-ipsec-ikev2-clarifications (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4718 (Informational)
Responsible AD: Russ Housley
Send notices to: paul.hoffman@vpnc.org, pasi.eronen@nokia.com

Network Working Group                                          P. Eronen
Request for Comments: 4718                                         Nokia
Category: Informational                                       P. Hoffman
                                                          VPN Consortium
                                                            October 2006

           IKEv2 Clarifications and Implementation Guidelines

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document clarifies many areas of the IKEv2 specification.  It
   does not to introduce any changes to the protocol, but rather
   provides descriptions that are less prone to ambiguous
   interpretations.  The purpose of this document is to encourage the
   development of interoperable implementations.

Eronen & Hoffman             Informational                      [Page 1]
RFC 4718                  IKEv2 Clarifications              October 2006

Table of Contents

   1. Introduction ....................................................4
   2. Creating the IKE_SA .............................................4
      2.1. SPI Values in IKE_SA_INIT Exchange .........................4
      2.2. Message IDs for IKE_SA_INIT Messages .......................5
      2.3. Retransmissions of IKE_SA_INIT Requests ....................5
      2.4. Interaction of COOKIE and INVALID_KE_PAYLOAD ...............6
      2.5. Invalid Cookies ............................................8
   3. Authentication ..................................................9
      3.1. Data Included in AUTH Payload Calculation ..................9
      3.2. Hash Function for RSA Signatures ...........................9
      3.3. Encoding Method for RSA Signatures ........................10
      3.4. Identification Type for EAP ...............................11
      3.5. Identity for Policy Lookups When Using EAP ................11
      3.6. Certificate Encoding Types ................................12
      3.7. Shared Key Authentication and Fixed PRF Key Size ..........12
      3.8. EAP Authentication and Fixed PRF Key Size .................13
      3.9. Matching ID Payloads to Certificate Contents ..............13
      3.10. Message IDs for IKE_AUTH Messages ........................14
   4. Creating CHILD_SAs .............................................14
      4.1. Creating SAs with the CREATE_CHILD_SA Exchange ............14
      4.2. Creating an IKE_SA without a CHILD_SA .....................16
      4.3. Diffie-Hellman for First CHILD_SA .........................16
      4.4. Extended Sequence Numbers (ESN) Transform .................17
      4.5. Negotiation of ESP_TFC_PADDING_NOT_SUPPORTED ..............17
      4.6. Negotiation of NON_FIRST_FRAGMENTS_ALSO ...................18
      4.7. Semantics of Complex Traffic Selector Payloads ............18
      4.8. ICMP Type/Code in Traffic Selector Payloads ...............19
      4.9. Mobility Header in Traffic Selector Payloads ..............20
      4.10. Narrowing the Traffic Selectors ..........................20
      4.11. SINGLE_PAIR_REQUIRED .....................................21
      4.12. Traffic Selectors Violating Own Policy ...................21
      4.13. Traffic Selector Authorization ...........................22
   5. Rekeying and Deleting SAs ......................................23
      5.1. Rekeying SAs with the CREATE_CHILD_SA Exchange ............23
      5.2. Rekeying the IKE_SA vs. Reauthentication ..................24
      5.3. SPIs When Rekeying the IKE_SA .............................25
      5.4. SPI When Rekeying a CHILD_SA ..............................25
      5.5. Changing PRFs When Rekeying the IKE_SA ....................26
      5.6. Deleting vs. Closing SAs ..................................26
      5.7. Deleting a CHILD_SA Pair ..................................26
      5.8. Deleting an IKE_SA ........................................27
      5.9. Who is the original initiator of IKE_SA ...................27
      5.10. Comparing Nonces .........................................27
      5.11. Exchange Collisions ......................................28
      5.12. Diffie-Hellman and Rekeying the IKE_SA ...................36

Eronen & Hoffman             Informational                      [Page 2]
RFC 4718                  IKEv2 Clarifications              October 2006

   6. Configuration Payloads .........................................37
      6.1. Assigning IP Addresses ....................................37
      6.2. Requesting any INTERNAL_IP4/IP6_ADDRESS ...................38

[include full document text]