Tech-invite3GPPspaceIETF RFCsSIP
in Index   Prev   Next

RFC 4306

Internet Key Exchange (IKEv2) Protocol

Pages: 99
Obsoletes:  240724082409
Obsoleted by:  5996
Updated by:  5282
Part 2 of 5 – Pages 12 to 41
First   Prev   Next

ToP   noToC   RFC4306 - Page 12   prevText

2. IKE Protocol Details and Variations

IKE normally listens and sends on UDP port 500, though IKE messages may also be received on UDP port 4500 with a slightly different format (see section 2.23). Since UDP is a datagram (unreliable) protocol, IKE includes in its definition recovery from transmission errors, including packet loss, packet replay, and packet forgery. IKE is designed to function so long as (1) at least one of a series of retransmitted packets reaches its destination before timing out; and (2) the channel is not so full of forged and replayed packets so
ToP   noToC   RFC4306 - Page 13
   as to exhaust the network or CPU capacities of either endpoint.  Even
   in the absence of those minimum performance requirements, IKE is
   designed to fail cleanly (as though the network were broken).

   Although IKEv2 messages are intended to be short, they contain
   structures with no hard upper bound on size (in particular, X.509
   certificates), and IKEv2 itself does not have a mechanism for
   fragmenting large messages.  IP defines a mechanism for fragmentation
   of oversize UDP messages, but implementations vary in the maximum
   message size supported.  Furthermore, use of IP fragmentation opens
   an implementation to denial of service attacks [KPS03].  Finally,
   some NAT and/or firewall implementations may block IP fragments.

   All IKEv2 implementations MUST be able to send, receive, and process
   IKE messages that are up to 1280 bytes long, and they SHOULD be able
   to send, receive, and process messages that are up to 3000 bytes
   long.  IKEv2 implementations SHOULD be aware of the maximum UDP
   message size supported and MAY shorten messages by leaving out some
   certificates or cryptographic suite proposals if that will keep
   messages below the maximum.  Use of the "Hash and URL" formats rather
   than including certificates in exchanges where possible can avoid
   most problems.  Implementations and configuration should keep in
   mind, however, that if the URL lookups are possible only after the
   IPsec SA is established, recursion issues could prevent this
   technique from working.

2.1. Use of Retransmission Timers

All messages in IKE exist in pairs: a request and a response. The setup of an IKE_SA normally consists of two request/response pairs. Once the IKE_SA is set up, either end of the security association may initiate requests at any time, and there can be many requests and responses "in flight" at any given moment. But each message is labeled as either a request or a response, and for each request/response pair one end of the security association is the initiator and the other is the responder. For every pair of IKE messages, the initiator is responsible for retransmission in the event of a timeout. The responder MUST never retransmit a response unless it receives a retransmission of the request. In that event, the responder MUST ignore the retransmitted request except insofar as it triggers a retransmission of the response. The initiator MUST remember each request until it receives the corresponding response. The responder MUST remember each response until it receives a request whose sequence number is larger than the sequence number in the response plus its window size (see section 2.3).
ToP   noToC   RFC4306 - Page 14
   IKE is a reliable protocol, in the sense that the initiator MUST
   retransmit a request until either it receives a corresponding reply
   OR it deems the IKE security association to have failed and it
   discards all state associated with the IKE_SA and any CHILD_SAs
   negotiated using that IKE_SA.

2.2. Use of Sequence Numbers for Message ID

Every IKE message contains a Message ID as part of its fixed header. This Message ID is used to match up requests and responses, and to identify retransmissions of messages. The Message ID is a 32-bit quantity, which is zero for the first IKE request in each direction. The IKE_SA initial setup messages will always be numbered 0 and 1. Each endpoint in the IKE Security Association maintains two "current" Message IDs: the next one to be used for a request it initiates and the next one it expects to see in a request from the other end. These counters increment as requests are generated and received. Responses always contain the same message ID as the corresponding request. That means that after the initial exchange, each integer n may appear as the message ID in four distinct messages: the nth request from the original IKE initiator, the corresponding response, the nth request from the original IKE responder, and the corresponding response. If the two ends make very different numbers of requests, the Message IDs in the two directions can be very different. There is no ambiguity in the messages, however, because the (I)nitiator and (R)esponse bits in the message header specify which of the four messages a particular one is. Note that Message IDs are cryptographically protected and provide protection against message replays. In the unlikely event that Message IDs grow too large to fit in 32 bits, the IKE_SA MUST be closed. Rekeying an IKE_SA resets the sequence numbers.

2.3. Window Size for Overlapping Requests

In order to maximize IKE throughput, an IKE endpoint MAY issue multiple requests before getting a response to any of them if the other endpoint has indicated its ability to handle such requests. For simplicity, an IKE implementation MAY choose to process requests strictly in order and/or wait for a response to one request before issuing another. Certain rules must be followed to ensure interoperability between implementations using different strategies. After an IKE_SA is set up, either end can initiate one or more requests. These requests may pass one another over the network. An IKE endpoint MUST be prepared to accept and process a request while
ToP   noToC   RFC4306 - Page 15
   it has a request outstanding in order to avoid a deadlock in this
   situation.  An IKE endpoint SHOULD be prepared to accept and process
   multiple requests while it has a request outstanding.

   An IKE endpoint MUST wait for a response to each of its messages
   before sending a subsequent message unless it has received a
   SET_WINDOW_SIZE Notify message from its peer informing it that the
   peer is prepared to maintain state for multiple outstanding messages
   in order to allow greater throughput.

   An IKE endpoint MUST NOT exceed the peer's stated window size for
   transmitted IKE requests.  In other words, if the responder stated
   its window size is N, then when the initiator needs to make a request
   X, it MUST wait until it has received responses to all requests up
   through request X-N.  An IKE endpoint MUST keep a copy of (or be able
   to regenerate exactly) each request it has sent until it receives the
   corresponding response.  An IKE endpoint MUST keep a copy of (or be
   able to regenerate exactly) the number of previous responses equal to
   its declared window size in case its response was lost and the
   initiator requests its retransmission by retransmitting the request.

   An IKE endpoint supporting a window size greater than one SHOULD be
   capable of processing incoming requests out of order to maximize
   performance in the event of network failures or packet reordering.

2.4. State Synchronization and Connection Timeouts

An IKE endpoint is allowed to forget all of its state associated with an IKE_SA and the collection of corresponding CHILD_SAs at any time. This is the anticipated behavior in the event of an endpoint crash and restart. It is important when an endpoint either fails or reinitializes its state that the other endpoint detect those conditions and not continue to waste network bandwidth by sending packets over discarded SAs and having them fall into a black hole. Since IKE is designed to operate in spite of Denial of Service (DoS) attacks from the network, an endpoint MUST NOT conclude that the other endpoint has failed based on any routing information (e.g., ICMP messages) or IKE messages that arrive without cryptographic protection (e.g., Notify messages complaining about unknown SPIs). An endpoint MUST conclude that the other endpoint has failed only when repeated attempts to contact it have gone unanswered for a timeout period or when a cryptographically protected INITIAL_CONTACT notification is received on a different IKE_SA to the same authenticated identity. An endpoint SHOULD suspect that the other endpoint has failed based on routing information and initiate a request to see whether the other endpoint is alive. To check whether the other side is alive, IKE specifies an empty INFORMATIONAL message
ToP   noToC   RFC4306 - Page 16
   that (like all IKE requests) requires an acknowledgement (note that
   within the context of an IKE_SA, an "empty" message consists of an
   IKE header followed by an Encrypted payload that contains no
   payloads).  If a cryptographically protected message has been
   received from the other side recently, unprotected notifications MAY
   be ignored.  Implementations MUST limit the rate at which they take
   actions based on unprotected messages.

   Numbers of retries and lengths of timeouts are not covered in this
   specification because they do not affect interoperability.  It is
   suggested that messages be retransmitted at least a dozen times over
   a period of at least several minutes before giving up on an SA, but
   different environments may require different rules.  To be a good
   network citizen, retranmission times MUST increase exponentially to
   avoid flooding the network and making an existing congestion
   situation worse.  If there has only been outgoing traffic on all of
   the SAs associated with an IKE_SA, it is essential to confirm
   liveness of the other endpoint to avoid black holes.  If no
   cryptographically protected messages have been received on an IKE_SA
   or any of its CHILD_SAs recently, the system needs to perform a
   liveness check in order to prevent sending messages to a dead peer.
   Receipt of a fresh cryptographically protected message on an IKE_SA
   or any of its CHILD_SAs ensures liveness of the IKE_SA and all of its
   CHILD_SAs.  Note that this places requirements on the failure modes
   of an IKE endpoint.  An implementation MUST NOT continue sending on
   any SA if some failure prevents it from receiving on all of the
   associated SAs.  If CHILD_SAs can fail independently from one another
   without the associated IKE_SA being able to send a delete message,
   then they MUST be negotiated by separate IKE_SAs.

   There is a Denial of Service attack on the initiator of an IKE_SA
   that can be avoided if the initiator takes the proper care.  Since
   the first two messages of an SA setup are not cryptographically
   protected, an attacker could respond to the initiator's message
   before the genuine responder and poison the connection setup attempt.
   To prevent this, the initiator MAY be willing to accept multiple
   responses to its first message, treat each as potentially legitimate,
   respond to it, and then discard all the invalid half-open connections
   when it receives a valid cryptographically protected response to any
   one of its requests.  Once a cryptographically valid response is
   received, all subsequent responses should be ignored whether or not
   they are cryptographically valid.

   Note that with these rules, there is no reason to negotiate and agree
   upon an SA lifetime.  If IKE presumes the partner is dead, based on
   repeated lack of acknowledgement to an IKE message, then the IKE SA
   and all CHILD_SAs set up through that IKE_SA are deleted.
ToP   noToC   RFC4306 - Page 17
   An IKE endpoint may at any time delete inactive CHILD_SAs to recover
   resources used to hold their state.  If an IKE endpoint chooses to
   delete CHILD_SAs, it MUST send Delete payloads to the other end
   notifying it of the deletion.  It MAY similarly time out the IKE_SA.
   Closing the IKE_SA implicitly closes all associated CHILD_SAs.  In
   this case, an IKE endpoint SHOULD send a Delete payload indicating
   that it has closed the IKE_SA.

2.5. Version Numbers and Forward Compatibility

This document describes version 2.0 of IKE, meaning the major version number is 2 and the minor version number is zero. It is likely that some implementations will want to support both version 1.0 and version 2.0, and in the future, other versions. The major version number should be incremented only if the packet formats or required actions have changed so dramatically that an older version node would not be able to interoperate with a newer version node if it simply ignored the fields it did not understand and took the actions specified in the older specification. The minor version number indicates new capabilities, and MUST be ignored by a node with a smaller minor version number, but used for informational purposes by the node with the larger minor version number. For example, it might indicate the ability to process a newly defined notification message. The node with the larger minor version number would simply note that its correspondent would not be able to understand that message and therefore would not send it. If an endpoint receives a message with a higher major version number, it MUST drop the message and SHOULD send an unauthenticated notification message containing the highest version number it supports. If an endpoint supports major version n, and major version m, it MUST support all versions between n and m. If it receives a message with a major version that it supports, it MUST respond with that version number. In order to prevent two nodes from being tricked into corresponding with a lower major version number than the maximum that they both support, IKE has a flag that indicates that the node is capable of speaking a higher major version number. Thus, the major version number in the IKE header indicates the version number of the message, not the highest version number that the transmitter supports. If the initiator is capable of speaking versions n, n+1, and n+2, and the responder is capable of speaking versions n and n+1, then they will negotiate speaking n+1, where the initiator will set the flag indicating its ability to speak a higher version. If they mistakenly (perhaps through an active attacker
ToP   noToC   RFC4306 - Page 18
   sending error messages) negotiate to version n, then both will notice
   that the other side can support a higher version number, and they
   MUST break the connection and reconnect using version n+1.

   Note that IKEv1 does not follow these rules, because there is no way
   in v1 of noting that you are capable of speaking a higher version
   number.  So an active attacker can trick two v2-capable nodes into
   speaking v1.  When a v2-capable node negotiates down to v1, it SHOULD
   note that fact in its logs.

   Also for forward compatibility, all fields marked RESERVED MUST be
   set to zero by a version 2.0 implementation and their content MUST be
   ignored by a version 2.0 implementation ("Be conservative in what you
   send and liberal in what you receive").  In this way, future versions
   of the protocol can use those fields in a way that is guaranteed to
   be ignored by implementations that do not understand them.
   Similarly, payload types that are not defined are reserved for future
   use; implementations of version 2.0 MUST skip over those payloads and
   ignore their contents.

   IKEv2 adds a "critical" flag to each payload header for further
   flexibility for forward compatibility.  If the critical flag is set
   and the payload type is unrecognized, the message MUST be rejected
   and the response to the IKE request containing that payload MUST
   include a Notify payload UNSUPPORTED_CRITICAL_PAYLOAD, indicating an
   unsupported critical payload was included.  If the critical flag is
   not set and the payload type is unsupported, that payload MUST be

   Although new payload types may be added in the future and may appear
   interleaved with the fields defined in this specification,
   implementations MUST send the payloads defined in this specification
   in the order shown in the figures in section 2 and implementations
   SHOULD reject as invalid a message with those payloads in any other

2.6. Cookies

The term "cookies" originates with Karn and Simpson [RFC2522] in Photuris, an early proposal for key management with IPsec, and it has persisted. The Internet Security Association and Key Management Protocol (ISAKMP) [MSST98] fixed message header includes two eight- octet fields titled "cookies", and that syntax is used by both IKEv1 and IKEv2 though in IKEv2 they are referred to as the IKE SPI and there is a new separate field in a Notify payload holding the cookie. The initial two eight-octet fields in the header are used as a connection identifier at the beginning of IKE packets. Each endpoint
ToP   noToC   RFC4306 - Page 19
   chooses one of the two SPIs and SHOULD choose them so as to be unique
   identifiers of an IKE_SA.  An SPI value of zero is special and
   indicates that the remote SPI value is not yet known by the sender.

   Unlike ESP and AH where only the recipient's SPI appears in the
   header of a message, in IKE the sender's SPI is also sent in every
   message.  Since the SPI chosen by the original initiator of the
   IKE_SA is always sent first, an endpoint with multiple IKE_SAs open
   that wants to find the appropriate IKE_SA using the SPI it assigned
   must look at the I(nitiator) Flag bit in the header to determine
   whether it assigned the first or the second eight octets.

   In the first message of an initial IKE exchange, the initiator will
   not know the responder's SPI value and will therefore set that field
   to zero.

   An expected attack against IKE is state and CPU exhaustion, where the
   target is flooded with session initiation requests from forged IP
   addresses.  This attack can be made less effective if an
   implementation of a responder uses minimal CPU and commits no state
   to an SA until it knows the initiator can receive packets at the
   address from which it claims to be sending them.  To accomplish this,
   a responder SHOULD -- when it detects a large number of half-open
   IKE_SAs -- reject initial IKE messages unless they contain a Notify
   payload of type COOKIE.  It SHOULD instead send an unprotected IKE
   message as a response and include COOKIE Notify payload with the
   cookie data to be returned.  Initiators who receive such responses
   MUST retry the IKE_SA_INIT with a Notify payload of type COOKIE
   containing the responder supplied cookie data as the first payload
   and all other payloads unchanged.  The initial exchange will then be
   as follows:

       Initiator                          Responder
       -----------                        -----------
       HDR(A,0), SAi1, KEi, Ni   -->

                                 <-- HDR(A,0), N(COOKIE)

       HDR(A,0), N(COOKIE), SAi1, KEi, Ni   -->

                                 <-- HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

       HDR(A,B), SK {IDi, [CERT,] [CERTREQ,] [IDr,]
           AUTH, SAi2, TSi, TSr} -->

                                 <-- HDR(A,B), SK {IDr, [CERT,] AUTH,
                                                SAr2, TSi, TSr}
ToP   noToC   RFC4306 - Page 20
   The first two messages do not affect any initiator or responder state
   except for communicating the cookie.  In particular, the message
   sequence numbers in the first four messages will all be zero and the
   message sequence numbers in the last two messages will be one. 'A' is
   the SPI assigned by the initiator, while 'B' is the SPI assigned by
   the responder.

   An IKE implementation SHOULD implement its responder cookie
   generation in such a way as to not require any saved state to
   recognize its valid cookie when the second IKE_SA_INIT message
   arrives.  The exact algorithms and syntax they use to generate
   cookies do not affect interoperability and hence are not specified
   here.  The following is an example of how an endpoint could use
   cookies to implement limited DOS protection.

   A good way to do this is to set the responder cookie to be:

      Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)

   where <secret> is a randomly generated secret known only to the
   responder and periodically changed and | indicates concatenation.
   <VersionIDofSecret> should be changed whenever <secret> is
   regenerated.  The cookie can be recomputed when the IKE_SA_INIT
   arrives the second time and compared to the cookie in the received
   message.  If it matches, the responder knows that the cookie was
   generated since the last change to <secret> and that IPi must be the
   same as the source address it saw the first time.  Incorporating SPIi
   into the calculation ensures that if multiple IKE_SAs are being set
   up in parallel they will all get different cookies (assuming the
   initiator chooses unique SPIi's).  Incorporating Ni into the hash
   ensures that an attacker who sees only message 2 can't successfully
   forge a message 3.

   If a new value for <secret> is chosen while there are connections in
   the process of being initialized, an IKE_SA_INIT might be returned
   with other than the current <VersionIDofSecret>.  The responder in
   that case MAY reject the message by sending another response with a
   new cookie or it MAY keep the old value of <secret> around for a
   short time and accept cookies computed from either one.  The
   responder SHOULD NOT accept cookies indefinitely after <secret> is
   changed, since that would defeat part of the denial of service
   protection.  The responder SHOULD change the value of <secret>
   frequently, especially if under attack.
ToP   noToC   RFC4306 - Page 21

2.7. Cryptographic Algorithm Negotiation

The payload type known as "SA" indicates a proposal for a set of choices of IPsec protocols (IKE, ESP, and/or AH) for the SA as well as cryptographic algorithms associated with each protocol. An SA payload consists of one or more proposals. Each proposal includes one or more protocols (usually one). Each protocol contains one or more transforms -- each specifying a cryptographic algorithm. Each transform contains zero or more attributes (attributes are needed only if the transform identifier does not completely specify the cryptographic algorithm). This hierarchical structure was designed to efficiently encode proposals for cryptographic suites when the number of supported suites is large because multiple values are acceptable for multiple transforms. The responder MUST choose a single suite, which MAY be any subset of the SA proposal following the rules below: Each proposal contains one or more protocols. If a proposal is accepted, the SA response MUST contain the same protocols in the same order as the proposal. The responder MUST accept a single proposal or reject them all and return an error. (Example: if a single proposal contains ESP and AH and that proposal is accepted, both ESP and AH MUST be accepted. If ESP and AH are included in separate proposals, the responder MUST accept only one of them). Each IPsec protocol proposal contains one or more transforms. Each transform contains a transform type. The accepted cryptographic suite MUST contain exactly one transform of each type included in the proposal. For example: if an ESP proposal includes transforms ENCR_3DES, ENCR_AES w/keysize 128, ENCR_AES w/keysize 256, AUTH_HMAC_MD5, and AUTH_HMAC_SHA, the accepted suite MUST contain one of the ENCR_ transforms and one of the AUTH_ transforms. Thus, six combinations are acceptable. Since the initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify payload of type INVALID_KE_PAYLOAD indicating the selected group. In this case, the initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman group. The initiator MUST again propose its full set of acceptable cryptographic suites because the rejection message was unauthenticated and otherwise an active attacker could trick the endpoints into negotiating a weaker suite than a stronger one that they both prefer.
ToP   noToC   RFC4306 - Page 22

2.8. Rekeying

IKE, ESP, and AH security associations use secret keys that SHOULD be used only for a limited amount of time and to protect a limited amount of data. This limits the lifetime of the entire security association. When the lifetime of a security association expires, the security association MUST NOT be used. If there is demand, new security associations MAY be established. Reestablishment of security associations to take the place of ones that expire is referred to as "rekeying". To allow for minimal IPsec implementations, the ability to rekey SAs without restarting the entire IKE_SA is optional. An implementation MAY refuse all CREATE_CHILD_SA requests within an IKE_SA. If an SA has expired or is about to expire and rekeying attempts using the mechanisms described here fail, an implementation MUST close the IKE_SA and any associated CHILD_SAs and then MAY start new ones. Implementations SHOULD support in-place rekeying of SAs, since doing so offers better performance and is likely to reduce the number of packets lost during the transition. To rekey a CHILD_SA within an existing IKE_SA, create a new, equivalent SA (see section 2.17 below), and when the new one is established, delete the old one. To rekey an IKE_SA, establish a new equivalent IKE_SA (see section 2.18 below) with the peer to whom the old IKE_SA is shared using a CREATE_CHILD_SA within the existing IKE_SA. An IKE_SA so created inherits all of the original IKE_SA's CHILD_SAs. Use the new IKE_SA for all control messages needed to maintain the CHILD_SAs created by the old IKE_SA, and delete the old IKE_SA. The Delete payload to delete itself MUST be the last request sent over an IKE_SA. SAs SHOULD be rekeyed proactively, i.e., the new SA should be established before the old one expires and becomes unusable. Enough time should elapse between the time the new SA is established and the old one becomes unusable so that traffic can be switched over to the new SA. A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying. If an SA bundle has been inactive for a long time and if an endpoint would not initiate the SA in the absence of traffic, the endpoint MAY choose to close the SA instead of rekeying it when its lifetime expires. It SHOULD do so if there has been no traffic since the last time the SA was rekeyed.
ToP   noToC   RFC4306 - Page 23
   If the two ends have the same lifetime policies, it is possible that
   both will initiate a rekeying at the same time (which will result in
   redundant SAs).  To reduce the probability of this happening, the
   timing of rekeying requests SHOULD be jittered (delayed by a random
   amount of time after the need for rekeying is noticed).

   This form of rekeying may temporarily result in multiple similar SAs
   between the same pairs of nodes.  When there are two SAs eligible to
   receive packets, a node MUST accept incoming packets through either
   SA.  If redundant SAs are created though such a collision, the SA
   created with the lowest of the four nonces used in the two exchanges
   SHOULD be closed by the endpoint that created it.

   Note that IKEv2 deliberately allows parallel SAs with the same
   traffic selectors between common endpoints.  One of the purposes of
   this is to support traffic quality of service (QoS) differences among
   the SAs (see [RFC2474], [RFC2475], and section 4.1 of [RFC2983]).
   Hence unlike IKEv1, the combination of the endpoints and the traffic
   selectors may not uniquely identify an SA between those endpoints, so
   the IKEv1 rekeying heuristic of deleting SAs on the basis of
   duplicate traffic selectors SHOULD NOT be used.

   The node that initiated the surviving rekeyed SA SHOULD delete the
   replaced SA after the new one is established.

   There are timing windows -- particularly in the presence of lost
   packets -- where endpoints may not agree on the state of an SA.  The
   responder to a CREATE_CHILD_SA MUST be prepared to accept messages on
   an SA before sending its response to the creation request, so there
   is no ambiguity for the initiator.  The initiator MAY begin sending
   on an SA as soon as it processes the response.  The initiator,
   however, cannot receive on a newly created SA until it receives and
   processes the response to its CREATE_CHILD_SA request.  How, then, is
   the responder to know when it is OK to send on the newly created SA?

   From a technical correctness and interoperability perspective, the
   responder MAY begin sending on an SA as soon as it sends its response
   to the CREATE_CHILD_SA request.  In some situations, however, this
   could result in packets unnecessarily being dropped, so an
   implementation MAY want to defer such sending.

   The responder can be assured that the initiator is prepared to
   receive messages on an SA if either (1) it has received a
   cryptographically valid message on the new SA, or (2) the new SA
   rekeys an existing SA and it receives an IKE request to close the
   replaced SA.  When rekeying an SA, the responder SHOULD continue to
   send messages on the old SA until one of those events occurs.  When
   establishing a new SA, the responder MAY defer sending messages on a
ToP   noToC   RFC4306 - Page 24
   new SA until either it receives one or a timeout has occurred.  If an
   initiator receives a message on an SA for which it has not received a
   response to its CREATE_CHILD_SA request, it SHOULD interpret that as
   a likely packet loss and retransmit the CREATE_CHILD_SA request.  An
   initiator MAY send a dummy message on a newly created SA if it has no
   messages queued in order to assure the responder that the initiator
   is ready to receive messages.

2.9. Traffic Selector Negotiation

When an IP packet is received by an RFC4301-compliant IPsec subsystem and matches a "protect" selector in its Security Policy Database (SPD), the subsystem MUST protect that packet with IPsec. When no SA exists yet, it is the task of IKE to create it. Maintenance of a system's SPD is outside the scope of IKE (see [PFKEY] for an example protocol), though some implementations might update their SPD in connection with the running of IKE (for an example scenario, see section 1.1.3). Traffic Selector (TS) payloads allow endpoints to communicate some of the information from their SPD to their peers. TS payloads specify the selection criteria for packets that will be forwarded over the newly set up SA. This can serve as a consistency check in some scenarios to assure that the SPDs are consistent. In others, it guides the dynamic update of the SPD. Two TS payloads appear in each of the messages in the exchange that creates a CHILD_SA pair. Each TS payload contains one or more Traffic Selectors. Each Traffic Selector consists of an address range (IPv4 or IPv6), a port range, and an IP protocol ID. In support of the scenario described in section 1.1.3, an initiator may request that the responder assign an IP address and tell the initiator what it is. IKEv2 allows the responder to choose a subset of the traffic proposed by the initiator. This could happen when the configurations of the two endpoints are being updated but only one end has received the new information. Since the two endpoints may be configured by different people, the incompatibility may persist for an extended period even in the absence of errors. It also allows for intentionally different configurations, as when one end is configured to tunnel all addresses and depends on the other end to have the up-to-date list. The first of the two TS payloads is known as TSi (Traffic Selector- initiator). The second is known as TSr (Traffic Selector-responder). TSi specifies the source address of traffic forwarded from (or the destination address of traffic forwarded to) the initiator of the CHILD_SA pair. TSr specifies the destination address of the traffic
ToP   noToC   RFC4306 - Page 25
   forwarded to (or the source address of the traffic forwarded from)
   the responder of the CHILD_SA pair.  For example, if the original
   initiator request the creation of a CHILD_SA pair, and wishes to
   tunnel all traffic from subnet 192.0.1.* on the initiator's side to
   subnet 192.0.2.* on the responder's side, the initiator would include
   a single traffic selector in each TS payload.  TSi would specify the
   address range ( - and TSr would specify the
   address range ( -  Assuming that proposal was
   acceptable to the responder, it would send identical TS payloads
   back.  (Note: The IP address range 192.0.2.* has been reserved for
   use in examples in RFCs and similar documents.  This document needed
   two such ranges, and so also used 192.0.1.*. This should not be
   confused with any actual address.)

   The responder is allowed to narrow the choices by selecting a subset
   of the traffic, for instance by eliminating or narrowing the range of
   one or more members of the set of traffic selectors, provided the set
   does not become the NULL set.

   It is possible for the responder's policy to contain multiple smaller
   ranges, all encompassed by the initiator's traffic selector, and with
   the responder's policy being that each of those ranges should be sent
   over a different SA.  Continuing the example above, the responder
   might have a policy of being willing to tunnel those addresses to and
   from the initiator, but might require that each address pair be on a
   separately negotiated CHILD_SA.  If the initiator generated its
   request in response to an incoming packet from to, there would be no way for the responder to determine
   which pair of addresses should be included in this tunnel, and it
   would have to make a guess or reject the request with a status of

   To enable the responder to choose the appropriate range in this case,
   if the initiator has requested the SA due to a data packet, the
   initiator SHOULD include as the first traffic selector in each of TSi
   and TSr a very specific traffic selector including the addresses in
   the packet triggering the request.  In the example, the initiator
   would include in TSi two traffic selectors: the first containing the
   address range ( - and the source port and IP
   protocol from the packet and the second containing ( - with all ports and IP protocols.  The initiator would
   similarly include two traffic selectors in TSr.

   If the responder's policy does not allow it to accept the entire set
   of traffic selectors in the initiator's request, but does allow him
   to accept the first selector of TSi and TSr, then the responder MUST
   narrow the traffic selectors to a subset that includes the
ToP   noToC   RFC4306 - Page 26
   initiator's first choices.  In this example, the responder might
   respond with TSi being ( - with all ports and
   IP protocols.

   If the initiator creates the CHILD_SA pair not in response to an
   arriving packet, but rather, say, upon startup, then there may be no
   specific addresses the initiator prefers for the initial tunnel over
   any other.  In that case, the first values in TSi and TSr MAY be
   ranges rather than specific values, and the responder chooses a
   subset of the initiator's TSi and TSr that are acceptable.  If more
   than one subset is acceptable but their union is not, the responder
   MUST accept some subset and MAY include a Notify payload of type
   ADDITIONAL_TS_POSSIBLE to indicate that the initiator might want to
   try again.  This case will occur only when the initiator and
   responder are configured differently from one another.  If the
   initiator and responder agree on the granularity of tunnels, the
   initiator will never request a tunnel wider than the responder will
   accept.  Such misconfigurations SHOULD be recorded in error logs.

2.10. Nonces

The IKE_SA_INIT messages each contain a nonce. These nonces are used as inputs to cryptographic functions. The CREATE_CHILD_SA request and the CREATE_CHILD_SA response also contain nonces. These nonces are used to add freshness to the key derivation technique used to obtain keys for CHILD_SA, and to ensure creation of strong pseudo- random bits from the Diffie-Hellman key. Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits in size, and MUST be at least half the key size of the negotiated prf. ("prf" refers to "pseudo-random function", one of the cryptographic algorithms negotiated in the IKE exchange.) If the same random number source is used for both keys and nonces, care must be taken to ensure that the latter use does not compromise the former.

2.11. Address and Port Agility

IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and AH associations for the same IP addresses it runs over. The IP addresses and ports in the outer header are, however, not themselves cryptographically protected, and IKE is designed to work even through Network Address Translation (NAT) boxes. An implementation MUST accept incoming requests even if the source port is not 500 or 4500, and MUST respond to the address and port from which the request was received. It MUST specify the address and port at which the request was received as the source address and port in the response. IKE functions identically over IPv4 or IPv6.
ToP   noToC   RFC4306 - Page 27

2.12. Reuse of Diffie-Hellman Exponentials

IKE generates keying material using an ephemeral Diffie-Hellman exchange in order to gain the property of "perfect forward secrecy". This means that once a connection is closed and its corresponding keys are forgotten, even someone who has recorded all of the data from the connection and gets access to all of the long-term keys of the two endpoints cannot reconstruct the keys used to protect the conversation without doing a brute force search of the session key space. Achieving perfect forward secrecy requires that when a connection is closed, each endpoint MUST forget not only the keys used by the connection but also any information that could be used to recompute those keys. In particular, it MUST forget the secrets used in the Diffie-Hellman calculation and any state that may persist in the state of a pseudo-random number generator that could be used to recompute the Diffie-Hellman secrets. Since the computing of Diffie-Hellman exponentials is computationally expensive, an endpoint may find it advantageous to reuse those exponentials for multiple connection setups. There are several reasonable strategies for doing this. An endpoint could choose a new exponential only periodically though this could result in less-than- perfect forward secrecy if some connection lasts for less than the lifetime of the exponential. Or it could keep track of which exponential was used for each connection and delete the information associated with the exponential only when some corresponding connection was closed. This would allow the exponential to be reused without losing perfect forward secrecy at the cost of maintaining more state. Decisions as to whether and when to reuse Diffie-Hellman exponentials is a private decision in the sense that it will not affect interoperability. An implementation that reuses exponentials MAY choose to remember the exponential used by the other endpoint on past exchanges and if one is reused to avoid the second half of the calculation.

2.13. Generating Keying Material

In the context of the IKE_SA, four cryptographic algorithms are negotiated: an encryption algorithm, an integrity protection algorithm, a Diffie-Hellman group, and a pseudo-random function (prf). The pseudo-random function is used for the construction of keying material for all of the cryptographic algorithms used in both the IKE_SA and the CHILD_SAs.
ToP   noToC   RFC4306 - Page 28
   We assume that each encryption algorithm and integrity protection
   algorithm uses a fixed-size key and that any randomly chosen value of
   that fixed size can serve as an appropriate key.  For algorithms that
   accept a variable length key, a fixed key size MUST be specified as
   part of the cryptographic transform negotiated.  For algorithms for
   which not all values are valid keys (such as DES or 3DES with key
   parity), the algorithm by which keys are derived from arbitrary
   values MUST be specified by the cryptographic transform.  For
   integrity protection functions based on Hashed Message Authentication
   Code (HMAC), the fixed key size is the size of the output of the
   underlying hash function.  When the prf function takes a variable
   length key, variable length data, and produces a fixed-length output
   (e.g., when using HMAC), the formulas in this document apply.  When
   the key for the prf function has fixed length, the data provided as a
   key is truncated or padded with zeros as necessary unless exceptional
   processing is explained following the formula.

   Keying material will always be derived as the output of the
   negotiated prf algorithm.  Since the amount of keying material needed
   may be greater than the size of the output of the prf algorithm, we
   will use the prf iteratively.  We will use the terminology prf+ to
   describe the function that outputs a pseudo-random stream based on
   the inputs to a prf as follows: (where | indicates concatenation)

   prf+ (K,S) = T1 | T2 | T3 | T4 | ...

   T1 = prf (K, S | 0x01)
   T2 = prf (K, T1 | S | 0x02)
   T3 = prf (K, T2 | S | 0x03)
   T4 = prf (K, T3 | S | 0x04)

   continuing as needed to compute all required keys.  The keys are
   taken from the output string without regard to boundaries (e.g., if
   the required keys are a 256-bit Advanced Encryption Standard (AES)
   key and a 160-bit HMAC key, and the prf function generates 160 bits,
   the AES key will come from T1 and the beginning of T2, while the HMAC
   key will come from the rest of T2 and the beginning of T3).

   The constant concatenated to the end of each string feeding the prf
   is a single octet. prf+ in this document is not defined beyond 255
   times the size of the prf output.

2.14. Generating Keying Material for the IKE_SA

The shared keys are computed as follows. A quantity called SKEYSEED is calculated from the nonces exchanged during the IKE_SA_INIT exchange and the Diffie-Hellman shared secret established during that
ToP   noToC   RFC4306 - Page 29
   exchange.  SKEYSEED is used to calculate seven other secrets: SK_d
   used for deriving new keys for the CHILD_SAs established with this
   IKE_SA; SK_ai and SK_ar used as a key to the integrity protection
   algorithm for authenticating the component messages of subsequent
   exchanges; SK_ei and SK_er used for encrypting (and of course
   decrypting) all subsequent exchanges; and SK_pi and SK_pr, which are
   used when generating an AUTH payload.

   SKEYSEED and its derivatives are computed as follows:

       SKEYSEED = prf(Ni | Nr, g^ir)

       {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+
                 (SKEYSEED, Ni | Nr | SPIi | SPIr )

   (indicating that the quantities SK_d, SK_ai, SK_ar, SK_ei, SK_er,
   SK_pi, and SK_pr are taken in order from the generated bits of the
   prf+).  g^ir is the shared secret from the ephemeral Diffie-Hellman
   exchange.  g^ir is represented as a string of octets in big endian
   order padded with zeros if necessary to make it the length of the
   modulus.  Ni and Nr are the nonces, stripped of any headers.  If the
   negotiated prf takes a fixed-length key and the lengths of Ni and Nr
   do not add up to that length, half the bits must come from Ni and
   half from Nr, taking the first bits of each.

   The two directions of traffic flow use different keys.  The keys used
   to protect messages from the original initiator are SK_ai and SK_ei.
   The keys used to protect messages in the other direction are SK_ar
   and SK_er.  Each algorithm takes a fixed number of bits of keying
   material, which is specified as part of the algorithm.  For integrity
   algorithms based on a keyed hash, the key size is always equal to the
   length of the output of the underlying hash function.

2.15. Authentication of the IKE_SA

When not using extensible authentication (see section 2.16), the peers are authenticated by having each sign (or MAC using a shared secret as the key) a block of data. For the responder, the octets to be signed start with the first octet of the first SPI in the header of the second message and end with the last octet of the last payload in the second message. Appended to this (for purposes of computing the signature) are the initiator's nonce Ni (just the value, not the payload containing it), and the value prf(SK_pr,IDr') where IDr' is the responder's ID payload excluding the fixed header. Note that neither the nonce Ni nor the value prf(SK_pr,IDr') are transmitted. Similarly, the initiator signs the first message, starting with the first octet of the first SPI in the header and ending with the last octet of the last payload. Appended to this (for purposes of
ToP   noToC   RFC4306 - Page 30
   computing the signature) are the responder's nonce Nr, and the value
   prf(SK_pi,IDi').  In the above calculation, IDi' and IDr' are the
   entire ID payloads excluding the fixed header.  It is critical to the
   security of the exchange that each side sign the other side's nonce.

   Note that all of the payloads are included under the signature,
   including any payload types not defined in this document.  If the
   first message of the exchange is sent twice (the second time with a
   responder cookie and/or a different Diffie-Hellman group), it is the
   second version of the message that is signed.

   Optionally, messages 3 and 4 MAY include a certificate, or
   certificate chain providing evidence that the key used to compute a
   digital signature belongs to the name in the ID payload.  The
   signature or MAC will be computed using algorithms dictated by the
   type of key used by the signer, and specified by the Auth Method
   field in the Authentication payload.  There is no requirement that
   the initiator and responder sign with the same cryptographic
   algorithms.  The choice of cryptographic algorithms depends on the
   type of key each has.  In particular, the initiator may be using a
   shared key while the responder may have a public signature key and
   certificate.  It will commonly be the case (but it is not required)
   that if a shared secret is used for authentication that the same key
   is used in both directions.  Note that it is a common but typically
   insecure practice to have a shared key derived solely from a user-
   chosen password without incorporating another source of randomness.

   This is typically insecure because user-chosen passwords are unlikely
   to have sufficient unpredictability to resist dictionary attacks and
   these attacks are not prevented in this authentication method.
   (Applications using password-based authentication for bootstrapping
   and IKE_SA should use the authentication method in section 2.16,
   which is designed to prevent off-line dictionary attacks.)  The pre-
   shared key SHOULD contain as much unpredictability as the strongest
   key being negotiated.  In the case of a pre-shared key, the AUTH
   value is computed as:

      AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>)

   where the string "Key Pad for IKEv2" is 17 ASCII characters without
   null termination.  The shared secret can be variable length.  The pad
   string is added so that if the shared secret is derived from a
   password, the IKE implementation need not store the password in
   cleartext, but rather can store the value prf(Shared Secret,"Key Pad
   for IKEv2"), which could not be used as a password equivalent for
   protocols other than IKEv2.  As noted above, deriving the shared
   secret from a password is not secure.  This construction is used
   because it is anticipated that people will do it anyway.  The
ToP   noToC   RFC4306 - Page 31
   management interface by which the Shared Secret is provided MUST
   accept ASCII strings of at least 64 octets and MUST NOT add a null
   terminator before using them as shared secrets.  It MUST also accept
   a HEX encoding of the Shared Secret.  The management interface MAY
   accept other encodings if the algorithm for translating the encoding
   to a binary string is specified.  If the negotiated prf takes a
   fixed-size key, the shared secret MUST be of that fixed size.

2.16. Extensible Authentication Protocol Methods

In addition to authentication using public key signatures and shared secrets, IKE supports authentication using methods defined in RFC 3748 [EAP]. Typically, these methods are asymmetric (designed for a user authenticating to a server), and they may not be mutual. For this reason, these protocols are typically used to authenticate the initiator to the responder and MUST be used in conjunction with a public key signature based authentication of the responder to the initiator. These methods are often associated with mechanisms referred to as "Legacy Authentication" mechanisms. While this memo references [EAP] with the intent that new methods can be added in the future without updating this specification, some simpler variations are documented here and in section 3.16. [EAP] defines an authentication protocol requiring a variable number of messages. Extensible Authentication is implemented in IKE as additional IKE_AUTH exchanges that MUST be completed in order to initialize the IKE_SA. An initiator indicates a desire to use extensible authentication by leaving out the AUTH payload from message 3. By including an IDi payload but not an AUTH payload, the initiator has declared an identity but has not proven it. If the responder is willing to use an extensible authentication method, it will place an Extensible Authentication Protocol (EAP) payload in message 4 and defer sending SAr2, TSi, and TSr until initiator authentication is complete in a subsequent IKE_AUTH exchange. In the case of a minimal extensible authentication, the initial SA establishment will appear as follows:
ToP   noToC   RFC4306 - Page 32
       Initiator                          Responder
      -----------                        -----------
       HDR, SAi1, KEi, Ni         -->

                                  <--    HDR, SAr1, KEr, Nr, [CERTREQ]

       HDR, SK {IDi, [CERTREQ,] [IDr,]
                SAi2, TSi, TSr}   -->

                                  <--    HDR, SK {IDr, [CERT,] AUTH,
                                                EAP }

       HDR, SK {EAP}              -->

                                  <--    HDR, SK {EAP (success)}

       HDR, SK {AUTH}             -->

                                  <--    HDR, SK {AUTH, SAr2, TSi, TSr }

   For EAP methods that create a shared key as a side effect of
   authentication, that shared key MUST be used by both the initiator
   and responder to generate AUTH payloads in messages 7 and 8 using the
   syntax for shared secrets specified in section 2.15.  The shared key
   from EAP is the field from the EAP specification named MSK.  The
   shared key generated during an IKE exchange MUST NOT be used for any
   other purpose.

   EAP methods that do not establish a shared key SHOULD NOT be used, as
   they are subject to a number of man-in-the-middle attacks [EAPMITM]
   if these EAP methods are used in other protocols that do not use a
   server-authenticated tunnel.  Please see the Security Considerations
   section for more details.  If EAP methods that do not generate a
   shared key are used, the AUTH payloads in messages 7 and 8 MUST be
   generated using SK_pi and SK_pr, respectively.

   The initiator of an IKE_SA using EAP SHOULD be capable of extending
   the initial protocol exchange to at least ten IKE_AUTH exchanges in
   the event the responder sends notification messages and/or retries
   the authentication prompt.  Once the protocol exchange defined by the
   chosen EAP authentication method has successfully terminated, the
   responder MUST send an EAP payload containing the Success message.
   Similarly, if the authentication method has failed, the responder
   MUST send an EAP payload containing the Failure message.  The
   responder MAY at any time terminate the IKE exchange by sending an
   EAP payload containing the Failure message.
ToP   noToC   RFC4306 - Page 33
   Following such an extended exchange, the EAP AUTH payloads MUST be
   included in the two messages following the one containing the EAP
   Success message.

2.17. Generating Keying Material for CHILD_SAs

A single CHILD_SA is created by the IKE_AUTH exchange, and additional CHILD_SAs can optionally be created in CREATE_CHILD_SA exchanges. Keying material for them is generated as follows: KEYMAT = prf+(SK_d, Ni | Nr) Where Ni and Nr are the nonces from the IKE_SA_INIT exchange if this request is the first CHILD_SA created or the fresh Ni and Nr from the CREATE_CHILD_SA exchange if this is a subsequent creation. For CREATE_CHILD_SA exchanges including an optional Diffie-Hellman exchange, the keying material is defined as: KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ) where g^ir (new) is the shared secret from the ephemeral Diffie- Hellman exchange of this CREATE_CHILD_SA exchange (represented as an octet string in big endian order padded with zeros in the high-order bits if necessary to make it the length of the modulus). A single CHILD_SA negotiation may result in multiple security associations. ESP and AH SAs exist in pairs (one in each direction), and four SAs could be created in a single CHILD_SA negotiation if a combination of ESP and AH is being negotiated. Keying material MUST be taken from the expanded KEYMAT in the following order: All keys for SAs carrying data from the initiator to the responder are taken before SAs going in the reverse direction. If multiple IPsec protocols are negotiated, keying material is taken in the order in which the protocol headers will appear in the encapsulated packet. If a single protocol has both encryption and authentication keys, the encryption key is taken from the first octets of KEYMAT and the authentication key is taken from the next octets. Each cryptographic algorithm takes a fixed number of bits of keying material specified as part of the algorithm.
ToP   noToC   RFC4306 - Page 34

2.18. Rekeying IKE_SAs Using a CREATE_CHILD_SA exchange

The CREATE_CHILD_SA exchange can be used to rekey an existing IKE_SA (see section 2.8). New initiator and responder SPIs are supplied in the SPI fields. The TS payloads are omitted when rekeying an IKE_SA. SKEYSEED for the new IKE_SA is computed using SK_d from the existing IKE_SA as follows: SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) where g^ir (new) is the shared secret from the ephemeral Diffie- Hellman exchange of this CREATE_CHILD_SA exchange (represented as an octet string in big endian order padded with zeros if necessary to make it the length of the modulus) and Ni and Nr are the two nonces stripped of any headers. The new IKE_SA MUST reset its message counters to 0. SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as specified in section 2.14.

2.19. Requesting an Internal Address on a Remote Network

Most commonly occurring in the endpoint-to-security-gateway scenario, an endpoint may need an IP address in the network protected by the security gateway and may need to have that address dynamically assigned. A request for such a temporary address can be included in any request to create a CHILD_SA (including the implicit request in message 3) by including a CP payload. This function provides address allocation to an IPsec Remote Access Client (IRAC) trying to tunnel into a network protected by an IPsec Remote Access Server (IRAS). Since the IKE_AUTH exchange creates an IKE_SA and a CHILD_SA, the IRAC MUST request the IRAS-controlled address (and optionally other information concerning the protected network) in the IKE_AUTH exchange. The IRAS may procure an address for the IRAC from any number of sources such as a DHCP/BOOTP server or its own address pool. Initiator Responder ----------------------------- --------------------------- HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr} --> <-- HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
ToP   noToC   RFC4306 - Page 35
   In all cases, the CP payload MUST be inserted before the SA payload.
   In variations of the protocol where there are multiple IKE_AUTH
   exchanges, the CP payloads MUST be inserted in the messages
   containing the SA payloads.

   CP(CFG_REQUEST) MUST contain at least an INTERNAL_ADDRESS attribute
   (either IPv4 or IPv6) but MAY contain any number of additional
   attributes the initiator wants returned in the response.

   For example, message from initiator to responder:
      TSi = (0, 0-65535,
      TSr = (0, 0-65535,

   NOTE: Traffic Selectors contain (protocol, port range, address

   Message from responder to initiator:

      TSi = (0, 0-65535,
      TSr = (0, 0-65535,

   All returned values will be implementation dependent.  As can be seen
   in the above example, the IRAS MAY also send other attributes that
   were not included in CP(CFG_REQUEST) and MAY ignore the non-mandatory
   attributes that it does not support.

   The responder MUST NOT send a CFG_REPLY without having first received
   a CP(CFG_REQUEST) from the initiator, because we do not want the IRAS
   to perform an unnecessary configuration lookup if the IRAC cannot
   process the REPLY.  In the case where the IRAS's configuration
   requires that CP be used for a given identity IDi, but IRAC has
   failed to send a CP(CFG_REQUEST), IRAS MUST fail the request, and
   terminate the IKE exchange with a FAILED_CP_REQUIRED error.

2.20. Requesting the Peer's Version

An IKE peer wishing to inquire about the other peer's IKE software version information MAY use the method below. This is an example of a configuration request within an INFORMATIONAL exchange, after the IKE_SA and first CHILD_SA have been created.
ToP   noToC   RFC4306 - Page 36
   An IKE implementation MAY decline to give out version information
   prior to authentication or even after authentication to prevent
   trolling in case some implementation is known to have some security
   weakness.  In that case, it MUST either return an empty string or no
   CP payload if CP is not supported.

       Initiator                           Responder
      -----------------------------       --------------------------
      HDR, SK{CP(CFG_REQUEST)}      -->
                                    <--    HDR, SK{CP(CFG_REPLY)}


      CP(CFG_REPLY) APPLICATION_VERSION("foobar v1.3beta, (c) Foo Bar

2.21. Error Handling

There are many kinds of errors that can occur during IKE processing. If a request is received that is badly formatted or unacceptable for reasons of policy (e.g., no matching cryptographic algorithms), the response MUST contain a Notify payload indicating the error. If an error occurs outside the context of an IKE request (e.g., the node is getting ESP messages on a nonexistent SPI), the node SHOULD initiate an INFORMATIONAL exchange with a Notify payload describing the problem. Errors that occur before a cryptographically protected IKE_SA is established must be handled very carefully. There is a trade-off between wanting to be helpful in diagnosing a problem and responding to it and wanting to avoid being a dupe in a denial of service attack based on forged messages. If a node receives a message on UDP port 500 or 4500 outside the context of an IKE_SA known to it (and not a request to start one), it may be the result of a recent crash of the node. If the message is marked as a response, the node MAY audit the suspicious event but MUST NOT respond. If the message is marked as a request, the node MAY audit the suspicious event and MAY send a response. If a response is sent, the response MUST be sent to the IP address and port from whence it came with the same IKE SPIs and the Message ID copied. The response MUST NOT be cryptographically protected and MUST contain a Notify payload indicating INVALID_IKE_SPI. A node receiving such an unprotected Notify payload MUST NOT respond and MUST NOT change the state of any existing SAs. The message might be a forgery or might be a response the genuine correspondent was
ToP   noToC   RFC4306 - Page 37
   tricked into sending.  A node SHOULD treat such a message (and also a
   network message like ICMP destination unreachable) as a hint that
   there might be problems with SAs to that IP address and SHOULD
   initiate a liveness test for any such IKE_SA.  An implementation
   SHOULD limit the frequency of such tests to avoid being tricked into
   participating in a denial of service attack.

   A node receiving a suspicious message from an IP address with which
   it has an IKE_SA MAY send an IKE Notify payload in an IKE
   INFORMATIONAL exchange over that SA.  The recipient MUST NOT change
   the state of any SA's as a result but SHOULD audit the event to aid
   in diagnosing malfunctions.  A node MUST limit the rate at which it
   will send messages in response to unprotected messages.

2.22. IPComp

Use of IP compression [IPCOMP] can be negotiated as part of the setup of a CHILD_SA. While IP compression involves an extra header in each packet and a compression parameter index (CPI), the virtual "compression association" has no life outside the ESP or AH SA that contains it. Compression associations disappear when the corresponding ESP or AH SA goes away. It is not explicitly mentioned in any DELETE payload. Negotiation of IP compression is separate from the negotiation of cryptographic parameters associated with a CHILD_SA. A node requesting a CHILD_SA MAY advertise its support for one or more compression algorithms through one or more Notify payloads of type IPCOMP_SUPPORTED. The response MAY indicate acceptance of a single compression algorithm with a Notify payload of type IPCOMP_SUPPORTED. These payloads MUST NOT occur in messages that do not contain SA payloads. Although there has been discussion of allowing multiple compression algorithms to be accepted and to have different compression algorithms available for the two directions of a CHILD_SA, implementations of this specification MUST NOT accept an IPComp algorithm that was not proposed, MUST NOT accept more than one, and MUST NOT compress using an algorithm other than one proposed and accepted in the setup of the CHILD_SA. A side effect of separating the negotiation of IPComp from cryptographic parameters is that it is not possible to propose multiple cryptographic suites and propose IP compression with some of them but not others.
ToP   noToC   RFC4306 - Page 38

2.23. NAT Traversal

Network Address Translation (NAT) gateways are a controversial subject. This section briefly describes what they are and how they are likely to act on IKE traffic. Many people believe that NATs are evil and that we should not design our protocols so as to make them work better. IKEv2 does specify some unintuitive processing rules in order that NATs are more likely to work. NATs exist primarily because of the shortage of IPv4 addresses, though there are other rationales. IP nodes that are "behind" a NAT have IP addresses that are not globally unique, but rather are assigned from some space that is unique within the network behind the NAT but that are likely to be reused by nodes behind other NATs. Generally, nodes behind NATs can communicate with other nodes behind the same NAT and with nodes with globally unique addresses, but not with nodes behind other NATs. There are exceptions to that rule. When those nodes make connections to nodes on the real Internet, the NAT gateway "translates" the IP source address to an address that will be routed back to the gateway. Messages to the gateway from the Internet have their destination addresses "translated" to the internal address that will route the packet to the correct endnode. NATs are designed to be "transparent" to endnodes. Neither software on the node behind the NAT nor the node on the Internet requires modification to communicate through the NAT. Achieving this transparency is more difficult with some protocols than with others. Protocols that include IP addresses of the endpoints within the payloads of the packet will fail unless the NAT gateway understands the protocol and modifies the internal references as well as those in the headers. Such knowledge is inherently unreliable, is a network layer violation, and often results in subtle problems. Opening an IPsec connection through a NAT introduces special problems. If the connection runs in transport mode, changing the IP addresses on packets will cause the checksums to fail and the NAT cannot correct the checksums because they are cryptographically protected. Even in tunnel mode, there are routing problems because transparently translating the addresses of AH and ESP packets requires special logic in the NAT and that logic is heuristic and unreliable in nature. For that reason, IKEv2 can negotiate UDP encapsulation of IKE and ESP packets. This encoding is slightly less efficient but is easier for NATs to process. In addition, firewalls may be configured to pass IPsec traffic over UDP but not ESP/AH or vice versa.
ToP   noToC   RFC4306 - Page 39
   It is a common practice of NATs to translate TCP and UDP port numbers
   as well as addresses and use the port numbers of inbound packets to
   decide which internal node should get a given packet.  For this
   reason, even though IKE packets MUST be sent from and to UDP port
   500, they MUST be accepted coming from any port and responses MUST be
   sent to the port from whence they came.  This is because the ports
   may be modified as the packets pass through NATs.  Similarly, IP
   addresses of the IKE endpoints are generally not included in the IKE
   payloads because the payloads are cryptographically protected and
   could not be transparently modified by NATs.

   Port 4500 is reserved for UDP-encapsulated ESP and IKE.  When working
   through a NAT, it is generally better to pass IKE packets over port
   4500 because some older NATs handle IKE traffic on port 500 cleverly
   in an attempt to transparently establish IPsec connections between
   endpoints that don't handle NAT traversal themselves.  Such NATs may
   interfere with the straightforward NAT traversal envisioned by this
   document, so an IPsec endpoint that discovers a NAT between it and
   its correspondent MUST send all subsequent traffic to and from port
   4500, which NATs should not treat specially (as they might with port

   The specific requirements for supporting NAT traversal [RFC3715] are
   listed below.  Support for NAT traversal is optional.  In this
   section only, requirements listed as MUST apply only to
   implementations supporting NAT traversal.

      IKE MUST listen on port 4500 as well as port 500.  IKE MUST
      respond to the IP address and port from which packets arrived.

      Both IKE initiator and responder MUST include in their IKE_SA_INIT
      packets Notify payloads of type NAT_DETECTION_SOURCE_IP and
      NAT_DETECTION_DESTINATION_IP.  Those payloads can be used to
      detect if there is NAT between the hosts, and which end is behind
      the NAT.  The location of the payloads in the IKE_SA_INIT packets
      are just after the Ni and Nr payloads (before the optional CERTREQ

      If none of the NAT_DETECTION_SOURCE_IP payload(s) received matches
      the hash of the source IP and port found from the IP header of the
      packet containing the payload, it means that the other end is
      behind NAT (i.e., someone along the route changed the source
      address of the original packet to match the address of the NAT
      box).  In this case, this end should allow dynamic update of the
      other ends IP address, as described later.
ToP   noToC   RFC4306 - Page 40
      If the NAT_DETECTION_DESTINATION_IP payload received does not
      match the hash of the destination IP and port found from the IP
      header of the packet containing the payload, it means that this
      end is behind a NAT.  In this case, this end SHOULD start sending
      keepalive packets as explained in [Hutt05].

      The IKE initiator MUST check these payloads if present and if they
      do not match the addresses in the outer packet MUST tunnel all
      future IKE and ESP packets associated with this IKE_SA over UDP
      port 4500.

      To tunnel IKE packets over UDP port 4500, the IKE header has four
      octets of zero prepended and the result immediately follows the
      UDP header.  To tunnel ESP packets over UDP port 4500, the ESP
      header immediately follows the UDP header.  Since the first four
      bytes of the ESP header contain the SPI, and the SPI cannot
      validly be zero, it is always possible to distinguish ESP and IKE

      The original source and destination IP address required for the
      transport mode TCP and UDP packet checksum fixup (see [Hutt05])
      are obtained from the Traffic Selectors associated with the
      exchange.  In the case of NAT traversal, the Traffic Selectors
      MUST contain exactly one IP address, which is then used as the
      original IP address.

      There are cases where a NAT box decides to remove mappings that
      are still alive (for example, the keepalive interval is too long,
      or the NAT box is rebooted).  To recover in these cases, hosts
      that are not behind a NAT SHOULD send all packets (including
      retransmission packets) to the IP address and port from the last
      valid authenticated packet from the other end (i.e., dynamically
      update the address).  A host behind a NAT SHOULD NOT do this
      because it opens a DoS attack possibility.  Any authenticated IKE
      packet or any authenticated UDP-encapsulated ESP packet can be
      used to detect that the IP address or the port has changed.

      Note that similar but probably not identical actions will likely
      be needed to make IKE work with Mobile IP, but such processing is
      not addressed by this document.

2.24. Explicit Congestion Notification (ECN)

When IPsec tunnels behave as originally specified in [RFC2401], ECN usage is not appropriate for the outer IP headers because tunnel decapsulation processing discards ECN congestion indications to the detriment of the network. ECN support for IPsec tunnels for IKEv1- based IPsec requires multiple operating modes and negotiation (see
ToP   noToC   RFC4306 - Page 41
   [RFC3168]).  IKEv2 simplifies this situation by requiring that ECN be
   usable in the outer IP headers of all tunnel-mode IPsec SAs created
   by IKEv2.  Specifically, tunnel encapsulators and decapsulators for
   all tunnel-mode SAs created by IKEv2 MUST support the ECN full-
   functionality option for tunnels specified in [RFC3168] and MUST
   implement the tunnel encapsulation and decapsulation processing
   specified in [RFC4301] to prevent discarding of ECN congestion

(page 41 continued on part 3)

Next Section