Network Working Group Y. Nir Request for Comments: 4478 Check Point Category: Experimental April 2006 Repeated Authentication in Internet Key Exchange (IKEv2) Protocol Status of This Memo This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006).
AbstractThis document extends the Internet Key Exchange (IKEv2) Protocol document [IKEv2]. With some IPsec peers, particularly in the remote access scenario, it is desirable to repeat the mutual authentication periodically. The purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer. This document describes a mechanism to perform this function.
Repeated authentication is not the same as IKE SA rekeying, and need not be tied to it. The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in [RFC2119]. Section 3. The original Responder that sends the AUTH_LIFETIME notification SHOULD send a DELETE notification soon after the end of the lifetime period, unless the IKE SA is deleted before the lifetime period elapses. If the IKE SA is rekeyed, then the time limit applies to the new SA. An Initiator that received an AUTH_LIFETIME notification SHOULD repeat the Initial exchange within the time indicated in the notification. The time is measured from the time that the original Initiator receives the notification.
A special case is where the notification is sent in an Informational exchange, and the lifetime is zero. In that case, the original responder SHOULD allow a reasonable time for the repeated authentication to occur. The AUTH_LIFETIME notification MUST be protected and MAY be sent by the original Responder at any time. If the policy changes, the original Responder MAY send it again in a new Informational. The new Initial exchange is not altered. The initiator SHOULD delete the old IKE SA within a reasonable time of the new Auth exchange.
Non-supporting Responders are not a problem because they will simply not send these notifications. In that case, there is no requirement that the original Initiator re-authenticate. [IKEv2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org. Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).