Tech-invite   3GPPspecs   RFCs   SIP   Search in Tech-invite

in Index   Prev   Next

RFC 7296

Internet Key Exchange Protocol Version 2 (IKEv2)

Pages: 142
STD 79
Obsoletes:  5996
Updated by:  742776708247
Part 3 of 6 – Pages 46 to 72
First   Prev   Next

Top   ToC   RFC7296 - Page 46   prevText
2.10.  Nonces

   The IKE_SA_INIT messages each contain a nonce.  These nonces are used
   as inputs to cryptographic functions.  The CREATE_CHILD_SA request
   and the CREATE_CHILD_SA response also contain nonces.  These nonces
   are used to add freshness to the key derivation technique used to
   obtain keys for Child SA, and to ensure creation of strong
   pseudorandom bits from the Diffie-Hellman key.  Nonces used in IKEv2
   MUST be randomly chosen, MUST be at least 128 bits in size, and MUST
   be at least half the key size of the negotiated pseudorandom function
   (PRF).  However, the initiator chooses the nonce before the outcome
   of the negotiation is known.  Because of that, the nonce has to be
   long enough for all the PRFs being proposed.  If the same random
   number source is used for both keys and nonces, care must be taken to
   ensure that the latter use does not compromise the former.
Top   ToC   RFC7296 - Page 47
2.11.  Address and Port Agility

   IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
   AH associations for the same IP addresses over which it runs.  The IP
   addresses and ports in the outer header are, however, not themselves
   cryptographically protected, and IKE is designed to work even through
   Network Address Translation (NAT) boxes.  An implementation MUST
   accept incoming requests even if the source port is not 500 or 4500,
   and MUST respond to the address and port from which the request was
   received.  It MUST specify the address and port at which the request
   was received as the source address and port in the response.  IKE
   functions identically over IPv4 or IPv6.

2.12.  Reuse of Diffie-Hellman Exponentials

   IKE generates keying material using an ephemeral Diffie-Hellman
   exchange in order to gain the property of "perfect forward secrecy".
   This means that once a connection is closed and its corresponding
   keys are forgotten, even someone who has recorded all of the data
   from the connection and gets access to all of the long-term keys of
   the two endpoints cannot reconstruct the keys used to protect the
   conversation without doing a brute force search of the session key

   Achieving perfect forward secrecy requires that when a connection is
   closed, each endpoint MUST forget not only the keys used by the
   connection but also any information that could be used to recompute
   those keys.

   Because computing Diffie-Hellman exponentials is computationally
   expensive, an endpoint may find it advantageous to reuse those
   exponentials for multiple connection setups.  There are several
   reasonable strategies for doing this.  An endpoint could choose a new
   exponential only periodically though this could result in less-than-
   perfect forward secrecy if some connection lasts for less than the
   lifetime of the exponential.  Or it could keep track of which
   exponential was used for each connection and delete the information
   associated with the exponential only when some corresponding
   connection was closed.  This would allow the exponential to be reused
   without losing perfect forward secrecy at the cost of maintaining
   more state.

   Whether and when to reuse Diffie-Hellman exponentials are private
   decisions in the sense that they will not affect interoperability.
   An implementation that reuses exponentials MAY choose to remember the
   exponential used by the other endpoint on past exchanges and if one
   is reused to avoid the second half of the calculation.  See [REUSE]
Top   ToC   RFC7296 - Page 48
   and [RFC6989] for a security analysis of this practice and for
   additional security considerations when reusing ephemeral
   Diffie-Hellman keys.

2.13.  Generating Keying Material

   In the context of the IKE SA, four cryptographic algorithms are
   negotiated: an encryption algorithm, an integrity protection
   algorithm, a Diffie-Hellman group, and a pseudorandom function (PRF).
   The PRF is used for the construction of keying material for all of
   the cryptographic algorithms used in both the IKE SA and the
   Child SAs.

   We assume that each encryption algorithm and integrity protection
   algorithm uses a fixed-size key and that any randomly chosen value of
   that fixed size can serve as an appropriate key.  For algorithms that
   accept a variable-length key, a fixed key size MUST be specified as
   part of the cryptographic transform negotiated (see Section 3.3.5 for
   the definition of the Key Length transform attribute).  For
   algorithms for which not all values are valid keys (such as DES or
   3DES with key parity), the algorithm by which keys are derived from
   arbitrary values MUST be specified by the cryptographic transform.
   For integrity protection functions based on Hashed Message
   Authentication Code (HMAC), the fixed key size is the size of the
   output of the underlying hash function.

   It is assumed that PRFs accept keys of any length, but have a
   preferred key size.  The preferred key size MUST be used as the
   length of SK_d, SK_pi, and SK_pr (see Section 2.14).  For PRFs based
   on the HMAC construction, the preferred key size is equal to the
   length of the output of the underlying hash function.  Other types of
   PRFs MUST specify their preferred key size.

   Keying material will always be derived as the output of the
   negotiated PRF algorithm.  Since the amount of keying material needed
   may be greater than the size of the output of the PRF, the PRF is
   used iteratively.  The term "prf+" describes a function that outputs
   a pseudorandom stream based on the inputs to a pseudorandom function
   called "prf".
Top   ToC   RFC7296 - Page 49
   In the following, | indicates concatenation.  prf+ is defined as:

   prf+ (K,S) = T1 | T2 | T3 | T4 | ...

   T1 = prf (K, S | 0x01)
   T2 = prf (K, T1 | S | 0x02)
   T3 = prf (K, T2 | S | 0x03)
   T4 = prf (K, T3 | S | 0x04)

   This continues until all the material needed to compute all required
   keys has been output from prf+.  The keys are taken from the output
   string without regard to boundaries (e.g., if the required keys are a
   256-bit Advanced Encryption Standard (AES) key and a 160-bit HMAC
   key, and the prf function generates 160 bits, the AES key will come
   from T1 and the beginning of T2, while the HMAC key will come from
   the rest of T2 and the beginning of T3).

   The constant concatenated to the end of each prf function is a single
   octet.  The prf+ function is not defined beyond 255 times the size of
   the prf function output.

2.14.  Generating Keying Material for the IKE SA

   The shared keys are computed as follows.  A quantity called SKEYSEED
   is calculated from the nonces exchanged during the IKE_SA_INIT
   exchange and the Diffie-Hellman shared secret established during that
   exchange.  SKEYSEED is used to calculate seven other secrets: SK_d
   used for deriving new keys for the Child SAs established with this
   IKE SA; SK_ai and SK_ar used as a key to the integrity protection
   algorithm for authenticating the component messages of subsequent
   exchanges; SK_ei and SK_er used for encrypting (and of course
   decrypting) all subsequent exchanges; and SK_pi and SK_pr, which are
   used when generating an AUTH payload.  The lengths of SK_d, SK_pi,
   and SK_pr MUST be the preferred key length of the PRF agreed upon.

   SKEYSEED and its derivatives are computed as follows:

   SKEYSEED = prf(Ni | Nr, g^ir)

   {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
                   = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

   (indicating that the quantities SK_d, SK_ai, SK_ar, SK_ei, SK_er,
   SK_pi, and SK_pr are taken in order from the generated bits of the
   prf+).  g^ir is the shared secret from the ephemeral Diffie-Hellman
   exchange.  g^ir is represented as a string of octets in big endian
Top   ToC   RFC7296 - Page 50
   order padded with zeros if necessary to make it the length of the
   modulus.  Ni and Nr are the nonces, stripped of any headers.  For
   historical backward-compatibility reasons, there are two PRFs that
   are treated specially in this calculation.  If the negotiated PRF is
   only the first 64 bits of Ni and the first 64 bits of Nr are used in
   calculating SKEYSEED, but all the bits are used for input to the prf+

   The two directions of traffic flow use different keys.  The keys used
   to protect messages from the original initiator are SK_ai and SK_ei.
   The keys used to protect messages in the other direction are SK_ar
   and SK_er.

2.15.  Authentication of the IKE SA

   When not using extensible authentication (see Section 2.16), the
   peers are authenticated by having each sign (or MAC using a padded
   shared secret as the key, as described later in this section) a block
   of data.  In these calculations, IDi' and IDr' are the entire ID
   payloads excluding the fixed header.  For the responder, the octets
   to be signed start with the first octet of the first SPI in the
   header of the second message (IKE_SA_INIT response) and end with the
   last octet of the last payload in the second message.  Appended to
   this (for the purposes of computing the signature) are the
   initiator's nonce Ni (just the value, not the payload containing it),
   and the value prf(SK_pr, IDr').  Note that neither the nonce Ni nor
   the value prf(SK_pr, IDr') are transmitted.  Similarly, the initiator
   signs the first message (IKE_SA_INIT request), starting with the
   first octet of the first SPI in the header and ending with the last
   octet of the last payload.  Appended to this (for purposes of
   computing the signature) are the responder's nonce Nr, and the value
   prf(SK_pi, IDi').  It is critical to the security of the exchange
   that each side sign the other side's nonce.

   The initiator's signed octets can be described as:

   InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
   GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
   RealIKEHDR =  SPIi | SPIr |  . . . | Length
   RealMessage1 = RealIKEHDR | RestOfMessage1
   NonceRPayload = PayloadHeader | NonceRData
   InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload
   RestOfInitIDPayload = IDType | RESERVED | InitIDData
   MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
Top   ToC   RFC7296 - Page 51
   The responder's signed octets can be described as:

   ResponderSignedOctets = RealMessage2 | NonceIData | MACedIDForR
   GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
   RealIKEHDR =  SPIi | SPIr |  . . . | Length
   RealMessage2 = RealIKEHDR | RestOfMessage2
   NonceIPayload = PayloadHeader | NonceIData
   ResponderIDPayload = PayloadHeader | RestOfRespIDPayload
   RestOfRespIDPayload = IDType | RESERVED | RespIDData
   MACedIDForR = prf(SK_pr, RestOfRespIDPayload)

   Note that all of the payloads are included under the signature,
   including any payload types not defined in this document.  If the
   first message of the exchange is sent multiple times (such as with a
   responder cookie and/or a different Diffie-Hellman group), it is the
   latest version of the message that is signed.

   Optionally, messages 3 and 4 MAY include a certificate, or
   certificate chain providing evidence that the key used to compute a
   digital signature belongs to the name in the ID payload.  The
   signature or MAC will be computed using algorithms dictated by the
   type of key used by the signer, and specified by the Auth Method
   field in the Authentication payload.  There is no requirement that
   the initiator and responder sign with the same cryptographic
   algorithms.  The choice of cryptographic algorithms depends on the
   type of key each has.  In particular, the initiator may be using a
   shared key while the responder may have a public signature key and
   certificate.  It will commonly be the case (but it is not required)
   that, if a shared secret is used for authentication, the same key is
   used in both directions.

   Note that it is a common but typically insecure practice to have a
   shared key derived solely from a user-chosen password without
   incorporating another source of randomness.  This is typically
   insecure because user-chosen passwords are unlikely to have
   sufficient unpredictability to resist dictionary attacks and these
   attacks are not prevented in this authentication method.
   (Applications using password-based authentication for bootstrapping
   and IKE SA should use the authentication method in Section 2.16,
   which is designed to prevent off-line dictionary attacks.)  The
   pre-shared key needs to contain as much unpredictability as the
   strongest key being negotiated.  In the case of a pre-shared key, the
   AUTH value is computed as:

   For the initiator:
      AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"),
Top   ToC   RFC7296 - Page 52
   For the responder:
      AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"),

   where the string "Key Pad for IKEv2" is 17 ASCII characters without
   null termination.  The shared secret can be variable length.  The pad
   string is added so that if the shared secret is derived from a
   password, the IKE implementation need not store the password in
   cleartext, but rather can store the value prf(Shared Secret,"Key Pad
   for IKEv2"), which could not be used as a password equivalent for
   protocols other than IKEv2.  As noted above, deriving the shared
   secret from a password is not secure.  This construction is used
   because it is anticipated that people will do it anyway.  The
   management interface by which the shared secret is provided MUST
   accept ASCII strings of at least 64 octets and MUST NOT add a null
   terminator before using them as shared secrets.  It MUST also accept
   a hex encoding of the shared secret.  The management interface MAY
   accept other encodings if the algorithm for translating the encoding
   to a binary string is specified.

   There are two types of EAP authentication (described in
   Section 2.16), and each type uses different values in the AUTH
   computations shown above.  If the EAP method is key-generating,
   substitute master session key (MSK) for the shared secret in the
   computation.  For non-key-generating methods, substitute SK_pi and
   SK_pr, respectively, for the shared secret in the two AUTH

2.16.  Extensible Authentication Protocol Methods

   In addition to authentication using public key signatures and shared
   secrets, IKE supports authentication using methods defined in
   RFC 3748 [EAP].  Typically, these methods are asymmetric (designed
   for a user authenticating to a server), and they may not be mutual.
   For this reason, these protocols are typically used to authenticate
   the initiator to the responder and MUST be used in conjunction with a
   public-key-signature-based authentication of the responder to the
   initiator.  These methods are often associated with mechanisms
   referred to as "Legacy Authentication" mechanisms.

   While this document references [EAP] with the intent that new methods
   can be added in the future without updating this specification, some
   simpler variations are documented here.  [EAP] defines an
   authentication protocol requiring a variable number of messages.
   Extensible authentication is implemented in IKE as additional
   IKE_AUTH exchanges that MUST be completed in order to initialize the
   IKE SA.
Top   ToC   RFC7296 - Page 53
   An initiator indicates a desire to use EAP by leaving out the AUTH
   payload from the first message in the IKE_AUTH exchange.  (Note that
   the AUTH payload is required for non-EAP authentication, and is thus
   not marked as optional in the rest of this document.)  By including
   an IDi payload but not an AUTH payload, the initiator has declared an
   identity but has not proven it.  If the responder is willing to use
   an EAP method, it will place an Extensible Authentication Protocol
   (EAP) payload in the response of the IKE_AUTH exchange and defer
   sending SAr2, TSi, and TSr until initiator authentication is complete
   in a subsequent IKE_AUTH exchange.  In the case of a minimal EAP
   method, the initial SA establishment will appear as follows:

   Initiator                         Responder
   HDR, SAi1, KEi, Ni  -->
                                <--  HDR, SAr1, KEr, Nr, [CERTREQ]
       [IDr,] SAi2,
       TSi, TSr}  -->
                                <--  HDR, SK {IDr, [CERT,] AUTH,
   HDR, SK {EAP}  -->
                                <--  HDR, SK {EAP (success)}
   HDR, SK {AUTH}  -->
                                <--  HDR, SK {AUTH, SAr2, TSi, TSr}

   As described in Section 2.2, when EAP is used, each pair of IKE SA
   initial setup messages will have their message numbers incremented;
   the first pair of IKE_AUTH messages will have an ID of 1, the second
   will be 2, and so on.

   For EAP methods that create a shared key as a side effect of
   authentication, that shared key MUST be used by both the initiator
   and responder to generate AUTH payloads in messages 7 and 8 using the
   syntax for shared secrets specified in Section 2.15.  The shared key
   from EAP is the field from the EAP specification named MSK.  This
   shared key generated during an IKE exchange MUST NOT be used for any
   other purpose.

   EAP methods that do not establish a shared key SHOULD NOT be used, as
   they are subject to a number of man-in-the-middle attacks [EAPMITM]
   if these EAP methods are used in other protocols that do not use a
   server-authenticated tunnel.  Please see the Security Considerations
   section for more details.  If EAP methods that do not generate a
   shared key are used, the AUTH payloads in messages 7 and 8 MUST be
   generated using SK_pi and SK_pr, respectively.
Top   ToC   RFC7296 - Page 54
   The initiator of an IKE SA using EAP needs to be capable of extending
   the initial protocol exchange to at least ten IKE_AUTH exchanges in
   the event the responder sends notification messages and/or retries
   the authentication prompt.  Once the protocol exchange defined by the
   chosen EAP authentication method has successfully terminated, the
   responder MUST send an EAP payload containing the Success message.
   Similarly, if the authentication method has failed, the responder
   MUST send an EAP payload containing the Failure message.  The
   responder MAY at any time terminate the IKE exchange by sending an
   EAP payload containing the Failure message.

   Following such an extended exchange, the EAP AUTH payloads MUST be
   included in the two messages following the one containing the EAP
   Success message.

   When the initiator authentication uses EAP, it is possible that the
   contents of the IDi payload is used only for Authentication,
   Authorization, and Accounting (AAA) routing purposes and selecting
   which EAP method to use.  This value may be different from the
   identity authenticated by the EAP method.  It is important that
   policy lookups and access control decisions use the actual
   authenticated identity.  Often the EAP server is implemented in a
   separate AAA server that communicates with the IKEv2 responder.  In
   this case, the authenticated identity, if different from that in the
   IDi payload, has to be sent from the AAA server to the IKEv2

2.17.  Generating Keying Material for Child SAs

   A single Child SA is created by the IKE_AUTH exchange, and additional
   Child SAs can optionally be created in CREATE_CHILD_SA exchanges.
   Keying material for them is generated as follows:

   KEYMAT = prf+(SK_d, Ni | Nr)

   Where Ni and Nr are the nonces from the IKE_SA_INIT exchange if this
   request is the first Child SA created or the fresh Ni and Nr from the
   CREATE_CHILD_SA exchange if this is a subsequent creation.

   For CREATE_CHILD_SA exchanges including an optional Diffie-Hellman
   exchange, the keying material is defined as:

   KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)

   where g^ir (new) is the shared secret from the ephemeral Diffie-
   Hellman exchange of this CREATE_CHILD_SA exchange (represented as an
   octet string in big endian order padded with zeros in the high-order
   bits if necessary to make it the length of the modulus).
Top   ToC   RFC7296 - Page 55
   A single CREATE_CHILD_SA negotiation may result in multiple Security
   Associations.  ESP and AH SAs exist in pairs (one in each direction),
   so two SAs are created in a single Child SA negotiation for them.
   Furthermore, Child SA negotiation may include some future IPsec
   protocol(s) in addition to, or instead of, ESP or AH (for example,
   ROHC_INTEG as described in [ROHCV2]).  In any case, keying material
   for each Child SA MUST be taken from the expanded KEYMAT using the
   following rules:

   o  All keys for SAs carrying data from the initiator to the responder
      are taken before SAs going from the responder to the initiator.

   o  If multiple IPsec protocols are negotiated, keying material for
      each Child SA is taken in the order in which the protocol headers
      will appear in the encapsulated packet.

   o  If an IPsec protocol requires multiple keys, the order in which
      they are taken from the SA's keying material needs to be described
      in the protocol's specification.  For ESP and AH, [IPSECARCH]
      defines the order, namely: the encryption key (if any) MUST be
      taken from the first bits and the integrity key (if any) MUST be
      taken from the remaining bits.

   Each cryptographic algorithm takes a fixed number of bits of keying
   material specified as part of the algorithm, or negotiated in SA
   payloads (see Section 2.13 for description of key lengths, and
   Section 3.3.5 for the definition of the Key Length transform

2.18.  Rekeying IKE SAs Using a CREATE_CHILD_SA Exchange

   The CREATE_CHILD_SA exchange can be used to rekey an existing IKE SA
   (see Sections 1.3.2 and 2.8).  New initiator and responder SPIs are
   supplied in the SPI fields in the Proposal structures inside the
   Security Association (SA) payloads (not the SPI fields in the IKE
   header).  The TS payloads are omitted when rekeying an IKE SA.
   SKEYSEED for the new IKE SA is computed using SK_d from the existing
   IKE SA as follows:

   SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr)

   where g^ir (new) is the shared secret from the ephemeral Diffie-
   Hellman exchange of this CREATE_CHILD_SA exchange (represented as an
   octet string in big endian order padded with zeros if necessary to
   make it the length of the modulus) and Ni and Nr are the two nonces
   stripped of any headers.
Top   ToC   RFC7296 - Page 56
   The old and new IKE SA may have selected a different PRF.  Because
   the rekeying exchange belongs to the old IKE SA, it is the old IKE
   SA's PRF that is used to generate SKEYSEED.

   The main reason for rekeying the IKE SA is to ensure that the
   compromise of old keying material does not provide information about
   the current keys, or vice versa.  Therefore, implementations MUST
   perform a new Diffie-Hellman exchange when rekeying the IKE SA.  In
   other words, an initiator MUST NOT propose the value "NONE" for the
   Diffie-Hellman transform, and a responder MUST NOT accept such a
   proposal.  This means that a successful exchange rekeying the IKE SA
   always includes the KEi/KEr payloads.

   The new IKE SA MUST reset its message counters to 0.

   SK_d, SK_ai, SK_ar, SK_ei, and SK_er are computed from SKEYSEED as
   specified in Section 2.14, using SPIi, SPIr, Ni, and Nr from the new
   exchange, and using the new IKE SA's PRF.

2.19.  Requesting an Internal Address on a Remote Network

   Most commonly occurring in the endpoint-to-security-gateway scenario,
   an endpoint may need an IP address in the network protected by the
   security gateway and may need to have that address dynamically
   assigned.  A request for such a temporary address can be included in
   any request to create a Child SA (including the implicit request in
   message 3) by including a CP payload.  Note, however, it is usual to
   only assign one IP address during the IKE_AUTH exchange.  That
   address persists at least until the deletion of the IKE SA.

   This function provides address allocation to an IPsec Remote Access
   Client (IRAC) trying to tunnel into a network protected by an IPsec
   Remote Access Server (IRAS).  Since the IKE_AUTH exchange creates an
   IKE SA and a Child SA, the IRAC MUST request the IRAS-controlled
   address (and optionally other information concerning the protected
   network) in the IKE_AUTH exchange.  The IRAS may procure an address
   for the IRAC from any number of sources such as a DHCP/BOOTP
   (Bootstrap Protocol) server or its own address pool.

   Initiator                         Responder
    HDR, SK {IDi, [CERT,]
       [CERTREQ,] [IDr,] AUTH,
       CP(CFG_REQUEST), SAi2,
       TSi, TSr}  -->
                                <--  HDR, SK {IDr, [CERT,] AUTH,
                                         CP(CFG_REPLY), SAr2,
                                         TSi, TSr}
Top   ToC   RFC7296 - Page 57
   In all cases, the CP payload MUST be inserted before the SA payload.
   In variations of the protocol where there are multiple IKE_AUTH
   exchanges, the CP payloads MUST be inserted in the messages
   containing the SA payloads.

   CP(CFG_REQUEST) MUST contain at least an INTERNAL_ADDRESS attribute
   (either IPv4 or IPv6) but MAY contain any number of additional
   attributes the initiator wants returned in the response.

   For example, message from initiator to responder:

   TSi = (0, 0-65535,
   TSr = (0, 0-65535,

   NOTE: Traffic Selectors contain (protocol, port range, address

   Message from responder to initiator:

   TSi = (0, 0-65535,
   TSr = (0, 0-65535,

   All returned values will be implementation dependent.  As can be seen
   in the above example, the IRAS MAY also send other attributes that
   were not included in CP(CFG_REQUEST) and MAY ignore the non-mandatory
   attributes that it does not support.

   The responder MUST NOT send a CFG_REPLY without having first received
   a CP(CFG_REQUEST) from the initiator, because we do not want the IRAS
   to perform an unnecessary configuration lookup if the IRAC cannot
   process the REPLY.

   In the case where the IRAS's configuration requires that CP be used
   for a given identity IDi, but IRAC has failed to send a
   CP(CFG_REQUEST), IRAS MUST fail the request, and terminate the Child
   SA creation with a FAILED_CP_REQUIRED error.  The FAILED_CP_REQUIRED
   is not fatal to the IKE SA; it simply causes the Child SA creation to
   fail.  The initiator can fix this by later starting a new
   Configuration payload request.  There is no associated data in the
Top   ToC   RFC7296 - Page 58
2.20.  Requesting the Peer's Version

   An IKE peer wishing to inquire about the other peer's IKE software
   version information MAY use the method below.  This is an example of
   a configuration request within an INFORMATIONAL exchange, after the
   IKE SA and first Child SA have been created.

   An IKE implementation MAY decline to give out version information
   prior to authentication or even after authentication in case some
   implementation is known to have some security weakness.  In that
   case, it MUST either return an empty string or no CP payload if CP is
   not supported.

   Initiator                          Responder
                                 <--  HDR, SK {CP(CFG_REPLY)}


   CP(CFG_REPLY) APPLICATION_VERSION("foobar v1.3beta, (c) Foo Bar

2.21.  Error Handling

   There are many kinds of errors that can occur during IKE processing.
   The general rule is that if a request is received that is badly
   formatted, or unacceptable for reasons of policy (such as no matching
   cryptographic algorithms), the response contains a Notify payload
   indicating the error.  The decision whether or not to send such a
   response depends whether or not there is an authenticated IKE SA.

   If there is an error parsing or processing a response packet, the
   general rule is to not send back any error message because responses
   should not generate new requests (and a new request would be the only
   way to send back an error message).  Such errors in parsing or
   processing response packets should still cause the recipient to clean
   up the IKE state (for example, by sending a Delete for a bad SA).

   Only authentication failures (AUTHENTICATION_FAILED and EAP failure)
   and malformed messages (INVALID_SYNTAX) lead to a deletion of the IKE
   SA without requiring an explicit INFORMATIONAL exchange carrying a
   Delete payload.  Other error conditions MAY require such an exchange
   if policy dictates that this is needed.  If the exchange is
   terminated with EAP Failure, an AUTHENTICATION_FAILED notification is
   not sent.
Top   ToC   RFC7296 - Page 59
2.21.1.  Error Handling in IKE_SA_INIT

   Errors that occur before a cryptographically protected IKE SA is
   established need to be handled very carefully.  There is a trade-off
   between wanting to help the peer to diagnose a problem and thus
   responding to the error and wanting to avoid being part of a DoS
   attack based on forged messages.

   In an IKE_SA_INIT exchange, any error notification causes the
   exchange to fail.  Note that some error notifications such as COOKIE,
   INVALID_KE_PAYLOAD or INVALID_MAJOR_VERSION may lead to a subsequent
   successful exchange.  Because all error notifications are completely
   unauthenticated, the recipient should continue trying for some time
   before giving up.  The recipient should not immediately act based on
   the error notification unless corrective actions are defined in this
   specification, such as for COOKIE, INVALID_KE_PAYLOAD, and

2.21.2.  Error Handling in IKE_AUTH

   All errors that occur in an IKE_AUTH exchange, causing the
   authentication to fail for whatever reason (invalid shared secret,
   invalid ID, untrusted certificate issuer, revoked or expired
   certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED
   notification.  If the error occurred on the responder, the
   notification is returned in the protected response, and is usually
   the only payload in that response.  Although the IKE_AUTH messages
   are encrypted and integrity protected, if the peer receiving this
   notification has not authenticated the other end yet, that peer needs
   to treat the information with caution.

   If the error occurs on the initiator, the notification MAY be
   returned in a separate INFORMATIONAL exchange, usually with no other
   payloads.  This is an exception for the general rule of not starting
   new exchanges based on errors in responses.

   Note, however, that request messages that contain an unsupported
   critical payload, or where the whole message is malformed (rather
   than just bad payload contents), MUST be rejected in their entirety,
   INVALID_SYNTAX Notification sent as a response.  The receiver should
   not verify the payloads related to authentication in this case.

   If authentication has succeeded in the IKE_AUTH exchange, the IKE SA
   is established; however, establishing the Child SA or requesting
   configuration information may still fail.  This failure does not
   automatically cause the IKE SA to be deleted.  Specifically, a
   responder may include all the payloads associated with authentication
Top   ToC   RFC7296 - Page 60
   (IDr, CERT, and AUTH) while sending error notifications for the
   piggybacked exchanges (FAILED_CP_REQUIRED, NO_PROPOSAL_CHOSEN, and so
   on), and the initiator MUST NOT fail the authentication because of
   this.  The initiator MAY, of course, for reasons of policy later
   delete such an IKE SA.

   In an IKE_AUTH exchange, or in the INFORMATIONAL exchange immediately
   following it (in case an error happened when processing a response to
   AUTHENTICATION_FAILED notifications are the only ones to cause the
   IKE SA to be deleted or not created, without a Delete payload.
   Extension documents may define new error notifications with these
   semantics, but MUST NOT use them unless the peer has been shown to
   understand them, such as by using the Vendor ID payload.

2.21.3.  Error Handling after IKE SA is Authenticated

   After the IKE SA is authenticated, all requests having errors MUST
   result in a response notifying the other end of the error.

   In normal situations, there should not be cases where a valid
   response from one peer results in an error situation in the other
   peer, so there should not be any reason for a peer to send error
   messages to the other end except as a response.  Because sending such
   error messages as an INFORMATIONAL exchange might lead to further
   errors that could cause loops, such errors SHOULD NOT be sent.  If
   errors are seen that indicate that the peers do not have the same
   state, it might be good to delete the IKE SA to clean up state and
   start over.

   If a peer parsing a request notices that it is badly formatted (after
   it has passed the message authentication code checks and window
   checks) and it returns an INVALID_SYNTAX notification, then this
   error notification is considered fatal in both peers, meaning that
   the IKE SA is deleted without needing an explicit Delete payload.

2.21.4.  Error Handling Outside IKE SA

   A node needs to limit the rate at which it will send messages in
   response to unprotected messages.

   If a node receives a message on UDP port 500 or 4500 outside the
   context of an IKE SA known to it (and the message is not a request to
   start an IKE SA), this may be the result of a recent crash of the
   node.  If the message is marked as a response, the node can audit the
   suspicious event but MUST NOT respond.  If the message is marked as a
   request, the node can audit the suspicious event and MAY send a
   response.  If a response is sent, the response MUST be sent to the IP
Top   ToC   RFC7296 - Page 61
   address and port from where it came with the same IKE SPIs and the
   Message ID copied.  The response MUST NOT be cryptographically
   protected and MUST contain an INVALID_IKE_SPI Notify payload.  The
   INVALID_IKE_SPI notification indicates an IKE message was received
   with an unrecognized destination SPI; this usually indicates that the
   recipient has rebooted and forgotten the existence of an IKE SA.

   A peer receiving such an unprotected Notify payload MUST NOT respond
   and MUST NOT change the state of any existing SAs.  The message might
   be a forgery or might be a response that a genuine correspondent was
   tricked into sending.  A node should treat such a message (and also a
   network message like ICMP destination unreachable) as a hint that
   there might be problems with SAs to that IP address and should
   initiate a liveness check for any such IKE SA.  An implementation
   SHOULD limit the frequency of such tests to avoid being tricked into
   participating in a DoS attack.

   If an error occurs outside the context of an IKE request (e.g., the
   node is getting ESP messages on a nonexistent SPI), the node SHOULD
   initiate an INFORMATIONAL exchange with a Notify payload describing
   the problem.

   A node receiving a suspicious message from an IP address (and port,
   if NAT traversal is used) with which it has an IKE SA SHOULD send an
   IKE Notify payload in an IKE INFORMATIONAL exchange over that SA.
   The recipient MUST NOT change the state of any SAs as a result, but
   may wish to audit the event to aid in diagnosing malfunctions.

2.22.  IPComp

   Use of IP Compression [IP-COMP] can be negotiated as part of the
   setup of a Child SA.  While IP Compression involves an extra header
   in each packet and a compression parameter index (CPI), the virtual
   "compression association" has no life outside the ESP or AH SA that
   contains it.  Compression associations disappear when the
   corresponding ESP or AH SA goes away.  It is not explicitly mentioned
   in any Delete payload.

   Negotiation of IP Compression is separate from the negotiation of
   cryptographic parameters associated with a Child SA.  A node
   requesting a Child SA MAY advertise its support for one or more
   compression algorithms through one or more Notify payloads of type
   IPCOMP_SUPPORTED.  This Notify message may be included only in a
   message containing an SA payload negotiating a Child SA and indicates
   a willingness by its sender to use IPComp on this SA.  The response
   MAY indicate acceptance of a single compression algorithm with a
   Notify payload of type IPCOMP_SUPPORTED.  These payloads MUST NOT
   occur in messages that do not contain SA payloads.
Top   ToC   RFC7296 - Page 62
   The data associated with this Notify message includes a two-octet
   IPComp CPI followed by a one-octet Transform ID optionally followed
   by attributes whose length and format are defined by that Transform
   ID.  A message proposing an SA may contain multiple IPCOMP_SUPPORTED
   notifications to indicate multiple supported algorithms.  A message
   accepting an SA may contain at most one.

   The Transform IDs are listed here.  The values in the following table
   are only current as of the publication date of RFC 4306.  Other
   values may have been added since then or will be added after the
   publication of this document.  Readers should refer to [IKEV2IANA]
   for the latest values.

   Name              Number   Defined In
   IPCOMP_OUI        1        (UNSPECIFIED)
   IPCOMP_DEFLATE    2        RFC 2394
   IPCOMP_LZS        3        RFC 2395
   IPCOMP_LZJH       4        RFC 3051

   Although there has been discussion of allowing multiple compression
   algorithms to be accepted and to have different compression
   algorithms available for the two directions of a Child SA,
   implementations of this specification MUST NOT accept an IPComp
   algorithm that was not proposed, MUST NOT accept more than one, and
   MUST NOT compress using an algorithm other than one proposed and
   accepted in the setup of the Child SA.

   A side effect of separating the negotiation of IPComp from
   cryptographic parameters is that it is not possible to propose
   multiple cryptographic suites and propose IP Compression with some of
   them but not others.

   In some cases, Robust Header Compression (ROHC) may be more
   appropriate than IP Compression.  [ROHCV2] defines the use of ROHC
   with IKEv2 and IPsec.

2.23.  NAT Traversal

   Network Address Translation (NAT) gateways are a controversial
   subject.  This section briefly describes what they are and how they
   are likely to act on IKE traffic.  Many people believe that NATs are
   evil and that we should not design our protocols so as to make them
   work better.  IKEv2 does indeed specify some unintuitive processing
   rules so that NATs are more likely to work.
Top   ToC   RFC7296 - Page 63
   NATs exist primarily because of the shortage of IPv4 addresses,
   though there are other rationales.  IP nodes that are "behind" a NAT
   have IP addresses that are not globally unique, but rather are
   assigned from some space that is unique within the network behind the
   NAT but that are likely to be reused by nodes behind other NATs.
   Generally, nodes behind NATs can communicate with other nodes behind
   the same NAT and with nodes with globally unique addresses, but not
   with nodes behind other NATs.  There are exceptions to that rule.
   When those nodes make connections to nodes on the real Internet, the
   NAT gateway "translates" the IP source address to an address that
   will be routed back to the gateway.  Messages to the gateway from the
   Internet have their destination addresses "translated" to the
   internal address that will route the packet to the correct endnode.

   NATs are designed to be "transparent" to endnodes.  Neither software
   on the node behind the NAT nor the node on the Internet requires
   modification to communicate through the NAT.  Achieving this
   transparency is more difficult with some protocols than with others.
   Protocols that include IP addresses of the endpoints within the
   payloads of the packet will fail unless the NAT gateway understands
   the protocol and modifies the internal references as well as those in
   the headers.  Such knowledge is inherently unreliable, is a network
   layer violation, and often results in subtle problems.

   Opening an IPsec connection through a NAT introduces special
   problems.  If the connection runs in transport mode, changing the IP
   addresses on packets will cause the checksums to fail and the NAT
   cannot correct the checksums because they are cryptographically
   protected.  Even in tunnel mode, there are routing problems because
   transparently translating the addresses of AH and ESP packets
   requires special logic in the NAT and that logic is heuristic and
   unreliable in nature.  For that reason, IKEv2 will use UDP
   encapsulation of IKE and ESP packets.  This encoding is slightly less
   efficient but is easier for NATs to process.  In addition, firewalls
   may be configured to pass UDP-encapsulated IPsec traffic but not
   plain, unencapsulated ESP/AH or vice versa.

   It is a common practice of NATs to translate TCP and UDP port numbers
   as well as addresses and use the port numbers of inbound packets to
   decide which internal node should get a given packet.  For this
   reason, even though IKE packets MUST be sent to and from UDP port 500
   or 4500, they MUST be accepted coming from any port and responses
   MUST be sent to the port from whence they came.  This is because the
   ports may be modified as the packets pass through NATs.  Similarly,
   IP addresses of the IKE endpoints are generally not included in the
   IKE payloads because the payloads are cryptographically protected and
   could not be transparently modified by NATs.
Top   ToC   RFC7296 - Page 64
   Port 4500 is reserved for UDP-encapsulated ESP and IKE.  An IPsec
   endpoint that discovers a NAT between it and its correspondent (as
   described below) MUST send all subsequent traffic from port 4500,
   which NATs should not treat specially (as they might with port 500).

   An initiator can use port 4500 for both IKE and ESP, regardless of
   whether or not there is a NAT, even at the beginning of IKE.  When
   either side is using port 4500, sending ESP with UDP encapsulation is
   not required, but understanding received UDP-encapsulated ESP packets
   is required.  UDP encapsulation MUST NOT be done on port 500.  If
   Network Address Translation Traversal (NAT-T) is supported (that is,
   if NAT_DETECTION_*_IP payloads were exchanged during IKE_SA_INIT),
   all devices MUST be able to receive and process both UDP-encapsulated
   ESP and non-UDP-encapsulated ESP packets at any time.  Either side
   can decide whether or not to use UDP encapsulation for ESP
   irrespective of the choice made by the other side.  However, if a NAT
   is detected, both devices MUST use UDP encapsulation for ESP.

   The specific requirements for supporting NAT traversal [NATREQ] are
   listed below.  Support for NAT traversal is optional.  In this
   section only, requirements listed as MUST apply only to
   implementations supporting NAT traversal.

   o  Both the IKE initiator and responder MUST include in their
      IKE_SA_INIT packets Notify payloads of type
      payloads can be used to detect if there is NAT between the hosts,
      and which end is behind the NAT.  The location of the payloads in
      the IKE_SA_INIT packets is just after the Ni and Nr payloads
      (before the optional CERTREQ payload).

   o  The data associated with the NAT_DETECTION_SOURCE_IP notification
      is a SHA-1 digest of the SPIs (in the order they appear in the
      header), IP address, and port from which this packet was sent.

      There MAY be multiple NAT_DETECTION_SOURCE_IP payloads in a
      message if the sender does not know which of several network
      attachments will be used to send the packet.

   o  The data associated with the NAT_DETECTION_DESTINATION_IP
      notification is a SHA-1 digest of the SPIs (in the order they
      appear in the header), IP address, and port to which this packet
      was sent.

   o  The recipient of either the NAT_DETECTION_SOURCE_IP or
      NAT_DETECTION_DESTINATION_IP notification MAY compare the supplied
      value to a SHA-1 hash of the SPIs, source or recipient IP address,
      and port (respectively), and if they don't match, it SHOULD enable
Top   ToC   RFC7296 - Page 65
      NAT traversal.  In the case there is a mismatch of the
      NAT_DETECTION_SOURCE_IP hash with all of the
      NAT_DETECTION_SOURCE_IP payloads received, the recipient MAY
      reject the connection attempt if NAT traversal is not supported.
      In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
      means that the system receiving the NAT_DETECTION_DESTINATION_IP
      payload is behind a NAT and that system SHOULD start sending
      keepalive packets as defined in [UDPENCAPS]; alternately, it MAY
      reject the connection attempt if NAT traversal is not supported.

   o  If none of the NAT_DETECTION_SOURCE_IP payload(s) received matches
      the expected value of the source IP and port found from the IP
      header of the packet containing the payload, it means that the
      system sending those payloads is behind a NAT (i.e., someone along
      the route changed the source address of the original packet to
      match the address of the NAT box).  In this case, the system
      receiving the payloads should allow dynamic updates of the other
      system's IP address, as described later.

   o  The IKE initiator MUST check the NAT_DETECTION_SOURCE_IP or
      NAT_DETECTION_DESTINATION_IP payloads if present, and if they do
      not match the addresses in the outer packet, MUST tunnel all
      future IKE and ESP packets associated with this IKE SA over UDP
      port 4500.

   o  To tunnel IKE packets over UDP port 4500, the IKE header has
      four octets of zeros prepended and the result immediately follows
      the UDP header.  To tunnel ESP packets over UDP port 4500, the ESP
      header immediately follows the UDP header.  Since the first
      four octets of the ESP header contain the SPI, and the SPI cannot
      validly be zero, it is always possible to distinguish ESP and IKE

   o  Implementations MUST process received UDP-encapsulated ESP packets
      even when no NAT was detected.

   o  The original source and destination IP address required for the
      transport mode TCP and UDP packet checksum fixup (see [UDPENCAPS])
      are obtained from the Traffic Selectors associated with the
      exchange.  In the case of transport mode NAT traversal, the
      Traffic Selectors MUST contain exactly one IP address, which is
      then used as the original IP address.  This is covered in greater
      detail in Section 2.23.1.

   o  There are cases where a NAT box decides to remove mappings that
      are still alive (for example, the keepalive interval is too long,
      or the NAT box is rebooted).  This will be apparent to a host if
      it receives a packet whose integrity protection validates, but has
Top   ToC   RFC7296 - Page 66
      a different port, address, or both from the one that was
      associated with the SA in the validated packet.  When such a
      validated packet is found, a host that does not support other
      methods of recovery such as IKEv2 Mobility and Multihoming
      (MOBIKE) [MOBIKE], and that is not behind a NAT, SHOULD send all
      packets (including retransmission packets) to the IP address and
      port in the validated packet, and SHOULD store this as the new
      address and port combination for the SA (that is, they SHOULD
      dynamically update the address).  A host behind a NAT SHOULD NOT
      do this type of dynamic address update if a validated packet has
      different port and/or address values because it opens a possible
      DoS attack (such as allowing an attacker to break the connection
      with a single packet).  Also, dynamic address update should only
      be done in response to a new packet; otherwise, an attacker can
      revert the addresses with old replayed packets.  Because of this,
      dynamic updates can only be done safely if replay protection is
      enabled.  When IKEv2 is used with MOBIKE, dynamically updating the
      addresses described above interferes with MOBIKE's way of
      recovering from the same situation.  See Section 3.8 of [MOBIKE]
      for more information.

2.23.1.  Transport Mode NAT Traversal

   Transport mode used with NAT traversal requires special handling of
   the Traffic Selectors used in the IKEv2.  The complete scenario looks

   +------+        +------+            +------+         +------+
   |Client| IP1    | NAT  | IPN1  IPN2 | NAT  |     IP2 |Server|
   |node  |<------>|  A   |<---------->|  B   |<------->|      |
   +------+        +------+            +------+         +------+

   (Other scenarios are simplifications of this complex case, so this
   discussion uses the complete scenario.)

   In this scenario, there are two address translating NATs: NAT A and
   NAT B.  NAT A is a dynamic NAT that maps the client's source address
   IP1 to IPN1.  NAT B is a static NAT configured so that connections
   coming to IPN2 address are mapped to the gateway's address IP2, that
   is, IPN2 destination address is mapped to IP2.  This allows the
   client to connect to a server by connecting to the IPN2.  NAT B does
   not necessarily need to be a static NAT, but the client needs to know
   how to connect to the server, and it can only do that if it somehow
   knows the outer address of the NAT B, that is, the IPN2 address.  If
   NAT B is a static NAT, then its address can be configured to the
   client's configuration.  Another option would be to find it using
   some other protocol (like DNS), but that is outside of scope of
Top   ToC   RFC7296 - Page 67
   In this scenario, both the client and server are configured to use
   transport mode for the traffic originating from the client node and
   destined to the server.

   When the client starts creating the IKEv2 SA and Child SA for sending
   traffic to the server, it may have a triggering packet with source IP
   address of IP1, and a destination IP address of IPN2.  Its Peer
   Authorization Database (PAD) and SPD needs to have a configuration
   matching those addresses (or wildcard entries covering them).
   Because this is transport mode, it uses exactly same addresses as the
   Traffic Selectors and outer IP address of the IKE packets.  For
   transport mode, it MUST use exactly one IP address in the TSi and TSr
   payloads.  It can have multiple Traffic Selectors if it has, for
   example, multiple port ranges that it wants to negotiate, but all TSi
   entries must use the IP1-IP1 range as the IP addresses, and all TSr
   entries must have the IPN2-IPN2 range as IP addresses.  The first
   Traffic Selector of TSi and TSr SHOULD have very specific Traffic
   Selectors including protocol and port numbers, such as from the
   packet triggering the request.

   NAT A will then replace the source address of the IKE packet from IP1
   to IPN1, and NAT B will replace the destination address of the IKE
   packet from IPN2 to IP2, so when the packet arrives to the server it
   will still have the exactly same Traffic Selectors that were sent by
   the client, but the IP address of the IKE packet has been replaced by
   IPN1 and IP2.

   When the server receives this packet, it normally looks in the Peer
   Authorization Database (PAD) described in RFC 4301 [IPSECARCH] based
   on the ID and then searches the SPD based on the Traffic Selectors.
   Because IP1 does not really mean anything to the server (it is the
   address client has behind the NAT), it is useless to do a lookup
   based on that if transport mode is used.  On the other hand, the
   server cannot know whether transport mode is allowed by its policy
   before it finds the matching SPD entry.

   In this case, the server should first check that the initiator
   requested transport mode, and then do address substitution on the
   Traffic Selectors.  It needs to first store the old Traffic Selector
   IP addresses to be used later for the incremental checksum fixup (the
   IP address in the TSi can be stored as the original source address
   and the IP address in the TSr can be stored as the original
   destination address).  After that, if the other end was detected as
   being behind a NAT, the server replaces the IP address in TSi
   payloads with the IP address obtained from the source address of the
   IKE packet received (that is, it replaces IP1 in TSi with IPN1).  If
   the server's end was detected to be behind NAT, it replaces the IP
Top   ToC   RFC7296 - Page 68
   address in the TSr payloads with the IP address obtained from the
   destination address of the IKE packet received (that is, it replaces
   IPN2 in TSr with IP2).

   After this address substitution, both the Traffic Selectors and the
   IKE UDP source/destination addresses look the same, and the server
   does SPD lookup based on those new Traffic Selectors.  If an entry is
   found and it allows transport mode, then that entry is used.  If an
   entry is found but it does not allow transport mode, then the server
   MAY undo the address substitution and redo the SPD lookup using the
   original Traffic Selectors.  If the second lookup succeeds, the
   server will create an SA in tunnel mode using real Traffic Selectors
   sent by the other end.

   This address substitution in transport mode is needed because the SPD
   is looked up using the addresses that will be seen by the local host.
   This will also ensure that the Security Association Database (SAD)
   entries for the tunnel exit checks and return packets are added using
   the addresses as seen by the local operating system stack.

   The most common case is that the server's SPD will contain wildcard
   entries matching any addresses, but this also allows making different
   SPD entries, for example, for different known NATs' outer addresses.

   After the SPD lookup, the server will do Traffic Selector narrowing
   based on the SPD entry it found.  It will again use the already
   substituted Traffic Selectors, and it will thus send back Traffic
   Selectors having IPN1 and IP2 as their IP addresses; it can still
   narrow down the protocol number or port ranges used by the Traffic
   Selectors.  The SAD entry created for the Child SA will have the
   addresses as seen by the server, namely IPN1 and IP2.

   When the client receives the server's response to the Child SA, it
   will do similar processing.  If the transport mode SA was created,
   the client can store the original returned Traffic Selectors as
   original source and destination addresses.  It will replace the IP
   addresses in the Traffic Selectors with the ones from the IP header
   of the IKE packet: it will replace IPN1 with IP1 and IP2 with IPN2.
   Then, it will use those Traffic Selectors when verifying the SA
   against sent Traffic Selectors, and when installing the SAD entry.
Top   ToC   RFC7296 - Page 69
   A summary of the rules for NAT traversal in transport mode is:

   For the client proposing transport mode:

   - The TSi entries MUST have exactly one IP address, and that MUST
     match the source address of the IKE SA.

   - The TSr entries MUST have exactly one IP address, and that MUST
     match the destination address of the IKE SA.

   - The first TSi and TSr Traffic Selectors SHOULD have very specific
     Traffic Selectors including protocol and port numbers, such as
     from the packet triggering the request.

   - There MAY be multiple TSi and TSr entries.

   - If transport mode for the SA was selected (that is, if the server
     included USE_TRANSPORT_MODE notification in its response):

     - Store the original Traffic Selectors as the received source and
       destination address.

     - If the server is behind a NAT, substitute the IP address in the
       TSr entries with the remote address of the IKE SA.

     - If the client is behind a NAT, substitute the IP address in the
       TSi entries with the local address of the IKE SA.

     - Do address substitution before using those Traffic Selectors
       for anything other than storing original content of them.
       This includes verification that Traffic Selectors were narrowed
       correctly by the other end, creation of the SAD entry, and so on.

   For the responder, when transport mode is proposed by client:

   - Store the original Traffic Selector IP addresses as received source
     and destination address, in case undo address substitution is
     needed, to use as the "real source and destination address"
     specified by [UDPENCAPS], and for TCP/UDP checksum fixup.

   - If the client is behind a NAT, substitute the IP address in the
     TSi entries with the remote address of the IKE SA.

   - If the server is behind a NAT, substitute the IP address in the
     TSr entries with the local address of the IKE SA.

   - Do PAD and SPD lookup using the ID and substituted Traffic
Top   ToC   RFC7296 - Page 70
   - If no SPD entry was found, or (if found) the SPD entry does not
     allow transport mode, undo the Traffic Selector substitutions.
     Do PAD and SPD lookup again using the ID and original Traffic
     Selectors, but also searching for tunnel mode SPD entry (that
     is, fall back to tunnel mode).

   - However, if a transport mode SPD entry was found, do normal
     traffic selection narrowing based on the substituted Traffic
     Selectors and SPD entry.  Use the resulting Traffic Selectors when
     creating SAD entries, and when sending Traffic Selectors back to
     the client.

2.24.  Explicit Congestion Notification (ECN)

   When IPsec tunnels behave as originally specified in [IPSECARCH-OLD],
   ECN usage is not appropriate for the outer IP headers because tunnel
   decapsulation processing discards ECN congestion indications to the
   detriment of the network.  ECN support for IPsec tunnels for
   IKEv1-based IPsec requires multiple operating modes and negotiation
   (see [ECN]).  IKEv2 simplifies this situation by requiring that ECN
   be usable in the outer IP headers of all tunnel mode Child SAs
   created by IKEv2.  Specifically, tunnel encapsulators and
   decapsulators for all tunnel mode SAs created by IKEv2 MUST support
   the ECN full-functionality option for tunnels specified in [ECN] and
   MUST implement the tunnel encapsulation and decapsulation processing
   specified in [IPSECARCH] to prevent discarding of ECN congestion

2.25.  Exchange Collisions

   Because IKEv2 exchanges can be initiated by either peer, it is
   possible that two exchanges affecting the same SA partly overlap.
   This can lead to a situation where the SA state information is
   temporarily not synchronized, and a peer can receive a request that
   it cannot process in a normal fashion.

   Obviously, using a window size greater than 1 leads to more complex
   situations, especially if requests are processed out of order.  This
   section concentrates on problems that can arise even with a window
   size of 1, and recommends solutions.

   A TEMPORARY_FAILURE notification SHOULD be sent when a peer receives
   a request that cannot be completed due to a temporary condition such
   as a rekeying operation.  When a peer receives a TEMPORARY_FAILURE
   notification, it MUST NOT immediately retry the operation; it MUST
   wait so that the sender may complete whatever operation caused the
   temporary condition.  The recipient MAY retry the request one or more
   times over a period of several minutes.  If a peer continues to
Top   ToC   RFC7296 - Page 71
   receive TEMPORARY_FAILURE on the same IKE SA after several minutes,
   it SHOULD conclude that the state information is out of sync and
   close the IKE SA.

   A CHILD_SA_NOT_FOUND notification SHOULD be sent when a peer receives
   a request to rekey a Child SA that does not exist.  The SA that the
   initiator attempted to rekey is indicated by the SPI field in the
   Notify payload, which is copied from the SPI field in the REKEY_SA
   notification.  A peer that receives a CHILD_SA_NOT_FOUND notification
   SHOULD silently delete the Child SA (if it still exists) and send a
   request to create a new Child SA from scratch (if the Child SA does
   not yet exist).

2.25.1.  Collisions while Rekeying or Closing Child SAs

   If a peer receives a request to rekey a Child SA that it is currently
   trying to close, it SHOULD reply with TEMPORARY_FAILURE.  If a peer
   receives a request to rekey a Child SA that it is currently rekeying,
   it SHOULD reply as usual, and SHOULD prepare to close redundant SAs
   later based on the nonces (see Section 2.8.1).  If a peer receives a
   request to rekey a Child SA that does not exist, it SHOULD reply with

   If a peer receives a request to close a Child SA that it is currently
   trying to close, it SHOULD reply without a Delete payload (see
   Section 1.4.1).  If a peer receives a request to close a Child SA
   that it is currently rekeying, it SHOULD reply as usual, with a
   Delete payload.  If a peer receives a request to close a Child SA
   that does not exist, it SHOULD reply without a Delete payload.

   If a peer receives a request to rekey the IKE SA, and it is currently
   creating, rekeying, or closing a Child SA of that IKE SA, it SHOULD
   reply with TEMPORARY_FAILURE.

2.25.2.  Collisions while Rekeying or Closing IKE SAs

   If a peer receives a request to rekey an IKE SA that it is currently
   rekeying, it SHOULD reply as usual, and SHOULD prepare to close
   redundant SAs and move inherited Child SAs later based on the nonces
   (see Section 2.8.2).  If a peer receives a request to rekey an IKE SA
   that it is currently trying to close, it SHOULD reply with

   If a peer receives a request to close an IKE SA that it is currently
   rekeying, it SHOULD reply as usual, and forget about its own rekeying
   request.  If a peer receives a request to close an IKE SA that it is
   currently trying to close, it SHOULD reply as usual, and forget about
   its own close request.
Top   ToC   RFC7296 - Page 72
   If a peer receives a request to create or rekey a Child SA when it is
   currently rekeying the IKE SA, it SHOULD reply with
   TEMPORARY_FAILURE.  If a peer receives a request to delete a Child SA
   when it is currently rekeying the IKE SA, it SHOULD reply as usual,
   with a Delete payload.

(page 72 continued on part 4)

Next Section