datatracker.ietf.org
Sign in
Version 5.4.0, 2014-04-22
Report a bug

Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
RFC 5202

Document type: RFC - Experimental (April 2008; Errata)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5202 (Experimental)
Responsible AD: Mark Townsley
Send notices to: hip-chairs@tools.ietf.org

Network Working Group                                          P. Jokela
Request for Comments: 5202                  Ericsson Research NomadicLab
Category: Experimental                                      R. Moskowitz
                                                                ICSAlabs
                                                             P. Nikander
                                            Ericsson Research NomadicLab
                                                              April 2008

Using the Encapsulating Security Payload (ESP) Transport Format with the
                      Host Identity Protocol (HIP)

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

IESG Note

   The following issues describe IESG concerns about this document.  The
   IESG expects that these issues will be addressed when future versions
   of HIP are designed.

   In case of complex Security Policy Databases (SPDs) and the co-
   existence of HIP and security-related protocols such as IKE,
   implementors may encounter conditions that are unspecified in these
   documents.  For example, when the SPD defines an IP address subnet to
   be protected and a HIP host is residing in that IP address area,
   there is a possibility that the communication is encrypted multiple
   times.  Readers are advised to pay special attention when running HIP
   with complex SPD settings.  Future specifications should clearly
   define when multiple encryption is intended, and when it should be
   avoided.

Abstract

   This memo specifies an Encapsulated Security Payload (ESP) based
   mechanism for transmission of user data packets, to be used with the
   Host Identity Protocol (HIP).

Jokela, et al.                Experimental                      [Page 1]
RFC 5202        Using the ESP Transport Format with HIP       April 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
   3.  Using ESP with HIP . . . . . . . . . . . . . . . . . . . . . .  4
     3.1.  ESP Packet Format  . . . . . . . . . . . . . . . . . . . .  4
     3.2.  Conceptual ESP Packet Processing . . . . . . . . . . . . .  4
       3.2.1.  Semantics of the Security Parameter Index (SPI)  . . .  5
     3.3.  Security Association Establishment and Maintenance . . . .  6
       3.3.1.  ESP Security Associations  . . . . . . . . . . . . . .  6
       3.3.2.  Rekeying . . . . . . . . . . . . . . . . . . . . . . .  6
       3.3.3.  Security Association Management  . . . . . . . . . . .  7
       3.3.4.  Security Parameter Index (SPI) . . . . . . . . . . . .  7
       3.3.5.  Supported Transforms . . . . . . . . . . . . . . . . .  7
       3.3.6.  Sequence Number  . . . . . . . . . . . . . . . . . . .  8
       3.3.7.  Lifetimes and Timers . . . . . . . . . . . . . . . . .  8
     3.4.  IPsec and HIP ESP Implementation Considerations  . . . . .  8
   4.  The Protocol  . . . . . . . . . . . . . . . . . . . . . . . . . 9
     4.1.  ESP in HIP  . . . . . . . . . . . . . . . . . . . . . . . . 9
       4.1.1.  Setting Up an ESP Security Association  . . . . . . . . 9
       4.1.2.  Updating an Existing ESP SA  . . . . . . . . . . . . . 10
   5.  Parameter and Packet Formats . . . . . . . . . . . . . . . . . 10
     5.1.  New Parameters . . . . . . . . . . . . . . . . . . . . . . 11
       5.1.1.  ESP_INFO . . . . . . . . . . . . . . . . . . . . . . . 11
       5.1.2.  ESP_TRANSFORM  . . . . . . . . . . . . . . . . . . . . 13
       5.1.3.  NOTIFY Parameter . . . . . . . . . . . . . . . . . . . 14
     5.2.  HIP ESP Security Association Setup . . . . . . . . . . . . 14
       5.2.1.  Setup During Base Exchange . . . . . . . . . . . . . . 14
     5.3.  HIP ESP Rekeying . . . . . . . . . . . . . . . . . . . . . 16
       5.3.1.  Initializing Rekeying  . . . . . . . . . . . . . . . . 16
       5.3.2.  Responding to the Rekeying Initialization  . . . . . . 17
     5.4.  ICMP Messages  . . . . . . . . . . . . . . . . . . . . . . 17
       5.4.1.  Unknown SPI  . . . . . . . . . . . . . . . . . . . . . 17
   6.  Packet Processing  . . . . . . . . . . . . . . . . . . . . . . 18
     6.1.  Processing Outgoing Application Data . . . . . . . . . . . 18
     6.2.  Processing Incoming Application Data . . . . . . . . . . . 19
     6.3.  HMAC and SIGNATURE Calculation and Verification  . . . . . 19
     6.4.  Processing Incoming ESP SA Initialization (R1) . . . . . . 19
     6.5.  Processing Incoming Initialization Reply (I2)  . . . . . . 20
     6.6.  Processing Incoming ESP SA Setup Finalization (R2) . . . . 20
     6.7.  Dropping HIP Associations  . . . . . . . . . . . . . . . . 20

[include full document text]