Internet Engineering Task Force (IETF)                          T. Pauly
Request for Comments: 8229                                    Apple Inc.
Category: Standards Track                                      S. Touati
ISSN: 2070-1721                                                 Ericsson
                                                               R. Mantha
                                                           Cisco Systems
                                                             August 2017
TCP Encapsulation of IKE and IPsec Packets
Abstract
This document describes a method to transport Internet Key Exchange
Protocol (IKE) and IPsec packets over a TCP connection for traversing
network middleboxes that may block IKE negotiation over UDP. This
method, referred to as "TCP encapsulation", involves sending both IKE
packets for Security Association establishment and Encapsulating
Security Payload (ESP) packets over a TCP connection. This method is
intended to be used as a fallback option when IKE cannot be
negotiated over UDP.
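As an added illustration of the framing the abstract describes, the following is example code written for this page, not code from the RFC or from any implementation. It frames IKE messages and ESP packets into one TCP byte stream and reads them back out. The constants it uses (the 6-byte stream prefix "IKETCP", a 16-bit big-endian Length field that counts itself, and a four-byte all-zero Non-ESP Marker in front of each IKE message, distinguishable from ESP because a zero SPI is never valid) are taken from Sections 3 and 4 of the RFC, whose header figures are not reproduced on this page, so check them against the full text. The sample IKE header and ESP packet are constructed inline.

```python
"""TCP encapsulation framing for IKE and ESP, in the style of RFC 8229.

Hypothetical example code. Constants follow RFC 8229 Sections 3 and 4
as recalled from the full document; the sample messages are constructed.
"""
import struct

STREAM_PREFIX = b"IKETCP"              # Section 4: sent once at stream start
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # Section 3.1: zero SPI is never ESP
LEN_SIZE = 2                           # 16-bit length, network byte order
MIN_MSG_LEN = LEN_SIZE + 4             # Length field plus marker or SPI


def encap_ike(ike_msg: bytes) -> bytes:
    """Frame one IKE message as Length | Non-ESP Marker | IKE message."""
    body = NON_ESP_MARKER + ike_msg
    total = LEN_SIZE + len(body)        # Length counts itself
    if total > 0xFFFF:
        raise ValueError("IKE message too large for a 16-bit Length field")
    return struct.pack("!H", total) + body


def encap_esp(esp_pkt: bytes) -> bytes:
    """Frame one ESP packet as Length | ESP header (SPI first) | rest."""
    if len(esp_pkt) < 4 or esp_pkt[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must begin with a non-zero SPI")
    total = LEN_SIZE + len(esp_pkt)
    if total > 0xFFFF:
        raise ValueError("ESP packet too large for a 16-bit Length field")
    return struct.pack("!H", total) + esp_pkt


class Deframer:
    """Incremental reader. TCP delivers a byte stream, not packets, so a
    message may arrive split across reads or several may share one read."""

    def __init__(self):
        self.buf = bytearray()
        self.prefix_ok = False

    def feed(self, data: bytes):
        """Consume bytes; return a list of ("ike" | "esp", payload) tuples."""
        self.buf += data
        out = []
        if not self.prefix_ok:
            if len(self.buf) < len(STREAM_PREFIX):
                return out                      # wait for the whole prefix
            if bytes(self.buf[:len(STREAM_PREFIX)]) != STREAM_PREFIX:
                raise ValueError("bad stream prefix; not an IKETCP stream")
            del self.buf[:len(STREAM_PREFIX)]
            self.prefix_ok = True
        while len(self.buf) >= LEN_SIZE:
            (total,) = struct.unpack("!H", self.buf[:LEN_SIZE])
            if total < MIN_MSG_LEN:
                raise ValueError("message length %d is too short" % total)
            if len(self.buf) < total:
                break                           # message not yet complete
            body = bytes(self.buf[LEN_SIZE:total])
            del self.buf[:total]
            if body[:4] == NON_ESP_MARKER:
                out.append(("ike", body[4:]))   # strip the marker
            else:
                out.append(("esp", body))       # SPI stays with the packet
        return out


def sample_ike_sa_init_header() -> bytes:
    """Constructed 28-byte IKEv2 header (RFC 7296 layout) with no payloads."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = b"\x00" * 8                        # responder SPI unknown yet
    next_payload, version, exch_type, flags = 0, 0x20, 34, 0x08
    msg_id, length = 0, 28
    return spi_i + spi_r + struct.pack(
        "!BBBBII", next_payload, version, exch_type, flags, msg_id, length)


def sample_esp_packet() -> bytes:
    """Constructed ESP packet: SPI, sequence number, dummy ciphertext."""
    return struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16


def demo(chunk: int = 5):
    """Frame one IKE and one ESP message, then deliver the stream in small
    chunks to exercise reassembly across TCP segment boundaries."""
    stream = (STREAM_PREFIX
              + encap_ike(sample_ike_sa_init_header())
              + encap_esp(sample_esp_packet()))
    deframer = Deframer()
    msgs = []
    for i in range(0, len(stream), chunk):
        msgs += deframer.feed(stream[i:i + chunk])
    return msgs


if __name__ == "__main__":
    for kind, payload in demo():
        print(kind, len(payload), payload[:8].hex())
```

The deframer fails closed on a wrong stream prefix and on a Length below the minimum, which is the check a receiver needs before trusting the first four bytes to tell IKE from ESP.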
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8229.
Pauly, et al. Standards Track [Page 1]
RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Prior Work and Motivation ..................................4
1.2. Terminology and Notation ...................................5
2. Configuration ...................................................5
3. TCP-Encapsulated Header Formats .................................6
3.1. TCP-Encapsulated IKE Header Format .........................6
3.2. TCP-Encapsulated ESP Header Format .........................7
4. TCP-Encapsulated Stream Prefix ..................................7
5. Applicability ...................................................8
5.1. Recommended Fallback from UDP ..............................8
6. Connection Establishment and Teardown ...........................9
7. Interaction with NAT Detection Payloads ........................11
8. Using MOBIKE with TCP Encapsulation ............................11
9. Using IKE Message Fragmentation with TCP Encapsulation .........12
10. Considerations for Keep-Alives and Dead Peer Detection ........12
11. Middlebox Considerations ......................................12
12. Performance Considerations ....................................13
12.1. TCP-in-TCP ...............................................13
12.2. Added Reliability for Unreliable Protocols ...............14
12.3. Quality-of-Service Markings ..............................14
12.4. Maximum Segment Size .....................................14
12.5. Tunneling ECN in TCP .....................................14
13. Security Considerations .......................................15
14. IANA Considerations ...........................................16
15. References ....................................................16
15.1. Normative References .....................................16
15.2. Informative References ...................................17
Appendix A. Using TCP Encapsulation with TLS ......................18
Appendix B. Example Exchanges of TCP Encapsulation with TLS .......19
B.1. Establishing an IKE Session ................................19
B.2. Deleting an IKE Session ....................................21
B.3. Re-establishing an IKE Session .............................22