Cloning the IKE Security Association in the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 7791

Document Type RFC - Proposed Standard (March 2016; No errata)
Last updated 2016-03-03
Stream IETF
Document shepherd Tero Kivinen
IESG IESG state RFC 7791 (Proposed Standard)
Consensus Boilerplate Yes
Responsible AD Kathleen Moriarty
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                   D. Migault, Ed.
Request for Comments: 7791                                      Ericsson
Category: Standards Track                                     V. Smyslov
ISSN: 2070-1721                                               ELVIS-PLUS
                                                              March 2016

                  Cloning the IKE Security Association
        in the Internet Key Exchange Protocol Version 2 (IKEv2)

Abstract

   This document considers a VPN end user establishing an IPsec Security
   Association (SA) with a Security Gateway using the Internet Key
   Exchange Protocol version 2 (IKEv2), where at least one of the peers
   has multiple interfaces or where the Security Gateway is a cluster
   with each node having its own IP address.

   The protocol described allows a peer to clone an IKEv2 SA, where an
   additional SA is derived from an existing one.  The newly created IKE
   SA is set without the IKEv2 authentication exchange.  This IKE SA can
   later be assigned to another interface or moved to another cluster
   node.
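   The following is an added illustration, not code from RFC 7791 or from
   any IKEv2 implementation: a toy model of what cloning does to a peer's
   SA table. It assumes the notify names CLONE_IKE_SA_SUPPORTED and
   CLONE_IKE_SA, models the clone as the IKE SA rekey derivation of RFC 7296
   (SKEYSEED = prf(SK_d(old), g^ir | Ni | Nr), then prf+) with HMAC-SHA256
   standing in for the negotiated prf, and uses constructed nonces, SPIs and
   DH shared secret. The points it shows are the ones the abstract makes:
   the clone inherits the original SA's authenticated peer identity without
   a new IKE_AUTH, gets its own SPIs and keys, the original SA stays in the
   table, and the clone can then be re-homed on another interface.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    peer_id: str           # identity proven in IKE_AUTH; a clone inherits it
    sk_d: bytes            # derivation key for rekeyed (and cloned) IKE SAs
    local_addr: str
    remote_addr: str
    clone_supported: bool  # both peers sent CLONE_IKE_SA_SUPPORTED in IKE_AUTH
    authenticated: bool = True


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def clone_ike_sa(sa: IkeSa, g_ir: bytes, ni: bytes, nr: bytes,
                 new_spi_i: Optional[bytes] = None,
                 new_spi_r: Optional[bytes] = None) -> IkeSa:
    """Model the CREATE_CHILD_SA rekey exchange carrying the CLONE_IKE_SA notify.

    Unlike a plain rekey, the original SA is not deleted: the caller keeps
    both `sa` and the returned clone in its SA table. No IKE_AUTH is run, so
    the clone's authentication rests entirely on the original SA's; a clone
    request is therefore honoured only for an authenticated SA whose peer
    negotiated support (the two checks below).
    """
    if not sa.authenticated:
        raise PermissionError("refuse: cannot clone an unauthenticated IKE SA")
    if not sa.clone_supported:
        raise PermissionError("refuse: peer never sent CLONE_IKE_SA_SUPPORTED")
    new_spi_i = new_spi_i or os.urandom(8)
    new_spi_r = new_spi_r or os.urandom(8)
    # RFC 7296 section 2.18: SKEYSEED = prf(SK_d(old), g^ir(new) | Ni | Nr)
    skeyseed = hmac.new(sa.sk_d, g_ir + ni + nr, hashlib.sha256).digest()
    # The first 32 bytes of prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) are the new SK_d
    new_sk_d = prf_plus(skeyseed, ni + nr + new_spi_i + new_spi_r, 32)
    return IkeSa(new_spi_i, new_spi_r, sa.peer_id, new_sk_d,
                 sa.local_addr, sa.remote_addr, sa.clone_supported)


def move_ike_sa(sa: IkeSa, new_local_addr: str) -> IkeSa:
    """Re-home an IKE SA on another interface (the RFC relies on MOBIKE for this step)."""
    return replace(sa, local_addr=new_local_addr)


def clone_is_refused(sa: IkeSa) -> bool:
    """True when the responder-side checks reject a clone request for `sa`."""
    try:
        clone_ike_sa(sa, b"\x22" * 32, b"\x33" * 16, b"\x44" * 16)
        return False
    except PermissionError:
        return True


def demo() -> Tuple[IkeSa, IkeSa, IkeSa]:
    # Constructed sample values: an already-authenticated IKE SA on Interface_0.
    base = IkeSa(spi_i=bytes.fromhex("0102030405060708"),
                 spi_r=bytes.fromhex("1112131415161718"),
                 peer_id="gateway.example", sk_d=b"\x11" * 32,
                 local_addr="192.0.2.10", remote_addr="198.51.100.1",
                 clone_supported=True)
    clone = clone_ike_sa(base, g_ir=b"\x22" * 32, ni=b"\x33" * 16, nr=b"\x44" * 16,
                         new_spi_i=bytes.fromhex("2122232425262728"),
                         new_spi_r=bytes.fromhex("3132333435363738"))
    moved = move_ike_sa(clone, "203.0.113.7")   # the clone now lives on Interface_1
    return base, clone, moved


if __name__ == "__main__":
    for sa in demo():
        print(sa.spi_i.hex(), sa.peer_id, sa.local_addr, sa.sk_d.hex()[:16])
```

   The two `PermissionError` branches are the part a defender cares about:
   because the clone skips IKE_AUTH, the only thing binding it to a peer
   identity is the original SA, so an implementation must never derive a
   clone from an SA that is not fully authenticated or whose peer did not
   announce support.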

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7791.

Migault & Smyslov            Standards Track                    [Page 1]
RFC 7791                     Cloning IKE SA                   March 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   5
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Protocol Details  . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Support Negotiation . . . . . . . . . . . . . . . . . . .   6
     5.2.  Cloning the IKE SA  . . . . . . . . . . . . . . . . . . .   7
     5.3.  Error Handling  . . . . . . . . . . . . . . . . . . . . .   7
   6.  Payload Description . . . . . . . . . . . . . . . . . . . . .   8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Appendix A.  Setting a VPN on Multiple Interfaces . . . . . . . .  11
     A.1.  Setting VPN_0 . . . . . . . . . . . . . . . . . . . . . .  11
     A.2.  Creating an Additional IKE SA . . . . . . . . . . . . . .  12
     A.3.  Creating the Child SA for VPN_1 . . . . . . . . . . . . .  12
     A.4.  Moving VPN_1 on Interface_1 . . . . . . . . . . . . . . .  13
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14


1.  Introduction

   The main scenario that motivated this document is a VPN end user
   establishing a VPN with a Security Gateway when at least one of the
   peers has multiple interfaces.  Figure 1 represents the case when the
   VPN end user has multiple interfaces, Figure 2 represents the case
   when the Security Gateway has multiple interfaces, and Figure 3
   represents the case when both the VPN end user and the Security
   Gateway have multiple interfaces.  In Figures 1 and 2, one of the
   peers has n = 2 interfaces and the other has a single interface.