diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5202.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5202.txt')
-rw-r--r-- | doc/rfc/rfc5202.txt | 1683 |
1 files changed, 1683 insertions, 0 deletions
diff --git a/doc/rfc/rfc5202.txt b/doc/rfc/rfc5202.txt new file mode 100644 index 0000000..b8bdbb3 --- /dev/null +++ b/doc/rfc/rfc5202.txt @@ -0,0 +1,1683 @@ + + + + + + +Network Working Group P. Jokela +Request for Comments: 5202 Ericsson Research NomadicLab +Category: Experimental R. Moskowitz + ICSAlabs + P. Nikander + Ericsson Research NomadicLab + April 2008 + + +Using the Encapsulating Security Payload (ESP) Transport Format with the + Host Identity Protocol (HIP) + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +IESG Note + + The following issues describe IESG concerns about this document. The + IESG expects that these issues will be addressed when future versions + of HIP are designed. + + In case of complex Security Policy Databases (SPDs) and the co- + existence of HIP and security-related protocols such as IKE, + implementors may encounter conditions that are unspecified in these + documents. For example, when the SPD defines an IP address subnet to + be protected and a HIP host is residing in that IP address area, + there is a possibility that the communication is encrypted multiple + times. Readers are advised to pay special attention when running HIP + with complex SPD settings. Future specifications should clearly + define when multiple encryption is intended, and when it should be + avoided. + +Abstract + + This memo specifies an Encapsulated Security Payload (ESP) based + mechanism for transmission of user data packets, to be used with the + Host Identity Protocol (HIP). + + + + + + + + + + +Jokela, et al. Experimental [Page 1] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 + 3. Using ESP with HIP . . . . . . . . . . . . . . . . . . . . . . 4 + 3.1. ESP Packet Format . . . . . . . . . . . . . . . . . . . . 4 + 3.2. Conceptual ESP Packet Processing . . . . . . . . . . . . . 4 + 3.2.1. Semantics of the Security Parameter Index (SPI) . . . 5 + 3.3. Security Association Establishment and Maintenance . . . . 6 + 3.3.1. ESP Security Associations . . . . . . . . . . . . . . 6 + 3.3.2. Rekeying . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.3.3. Security Association Management . . . . . . . . . . . 7 + 3.3.4. Security Parameter Index (SPI) . . . . . . . . . . . . 7 + 3.3.5. Supported Transforms . . . . . . . . . . . . . . . . . 7 + 3.3.6. Sequence Number . . . . . . . . . . . . . . . . . . . 8 + 3.3.7. Lifetimes and Timers . . . . . . . . . . . . . . . . . 8 + 3.4. IPsec and HIP ESP Implementation Considerations . . . . . 8 + 4. The Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 4.1. ESP in HIP . . . . . . . . . . . . . . . . . . . . . . . . 9 + 4.1.1. Setting Up an ESP Security Association . . . . . . . . 9 + 4.1.2. Updating an Existing ESP SA . . . . . . . . . . . . . 10 + 5. Parameter and Packet Formats . . . . . . . . . . . . . . . . . 10 + 5.1. New Parameters . . . . . . . . . . . . . . . . . . . . . . 11 + 5.1.1. ESP_INFO . . . . . . . . . . . . . . . . . . . . . . . 11 + 5.1.2. ESP_TRANSFORM . . . . . . . . . . . . . . . . . . . . 13 + 5.1.3. NOTIFY Parameter . . . . . . . . . . . . . . . . . . . 14 + 5.2. HIP ESP Security Association Setup . . . . . . . . . . . . 14 + 5.2.1. Setup During Base Exchange . . . . . . . . . . . . . . 14 + 5.3. HIP ESP Rekeying . . . . . . . . . . . . . . . . . . . . . 16 + 5.3.1. Initializing Rekeying . . . . . . . . . . . . . . . . 16 + 5.3.2. Responding to the Rekeying Initialization . . . . . . 17 + 5.4. ICMP Messages . . . . . . . . . . . . . . . . . . . . . . 17 + 5.4.1. Unknown SPI . . . . . . . . . . . . . . . . . . . . . 17 + 6. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 18 + 6.1. Processing Outgoing Application Data . . . . . . . . . . . 18 + 6.2. Processing Incoming Application Data . . . . . . . . . . . 19 + 6.3. HMAC and SIGNATURE Calculation and Verification . . . . . 19 + 6.4. Processing Incoming ESP SA Initialization (R1) . . . . . . 19 + 6.5. Processing Incoming Initialization Reply (I2) . . . . . . 20 + 6.6. Processing Incoming ESP SA Setup Finalization (R2) . . . . 20 + 6.7. Dropping HIP Associations . . . . . . . . . . . . . . . . 20 + 6.8. Initiating ESP SA Rekeying . . . . . . . . . . . . . . . . 20 + 6.9. Processing Incoming UPDATE Packets . . . . . . . . . . . . 22 + 6.9.1. Processing UPDATE Packet: No Outstanding Rekeying + Request . . . . . . . . . . . . . . . . . . . . . . . 22 + 6.10. Finalizing Rekeying . . . . . . . . . . . . . . . . . . . 23 + 6.11. Processing NOTIFY Packets . . . . . . . . . . . . . . . . 24 + 7. Keying Material . . . . . . . . . . . . . . . . . . . . . . . 24 + + + +Jokela, et al. Experimental [Page 2] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 25 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 + 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 11.1. Normative references . . . . . . . . . . . . . . . . . . . 26 + 11.2. Informative references . . . . . . . . . . . . . . . . . . 26 + Appendix A. A Note on Implementation Options . . . . . . . . . . 28 + +1. Introduction + + In the Host Identity Protocol Architecture [RFC4423], hosts are + identified with public keys. The Host Identity Protocol [RFC5201] + base exchange allows any two HIP-supporting hosts to authenticate + each other and to create a HIP association between themselves. + During the base exchange, the hosts generate a piece of shared keying + material using an authenticated Diffie-Hellman exchange. + + The HIP base exchange specification [RFC5201] does not describe any + transport formats or methods for user data to be used during the + actual communication; it only defines that it is mandatory to + implement the Encapsulated Security Payload (ESP) [RFC4303] based + transport format and method. This document specifies how ESP is used + with HIP to carry actual user data. + + To be more specific, this document specifies a set of HIP protocol + extensions and their handling. Using these extensions, a pair of ESP + Security Associations (SAs) is created between the hosts during the + base exchange. The resulting ESP Security Associations use keys + drawn from the keying material (KEYMAT) generated during the base + exchange. After the HIP association and required ESP SAs have been + established between the hosts, the user data communication is + protected using ESP. In addition, this document specifies methods to + update an existing ESP Security Association. + + It should be noted that representations of Host Identity are not + carried explicitly in the headers of user data packets. Instead, the + ESP Security Parameter Index (SPI) is used to indicate the right host + context. The SPIs are selected during the HIP ESP setup exchange. + For user data packets, ESP SPIs (in possible combination with IP + addresses) are used indirectly to identify the host context, thereby + avoiding any additional explicit protocol headers. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + + + +Jokela, et al. Experimental [Page 3] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +3. Using ESP with HIP + + The HIP base exchange is used to set up a HIP association between two + hosts. The base exchange provides two-way host authentication and + key material generation, but it does not provide any means for + protecting data communication between the hosts. In this document, + we specify the use of ESP for protecting user data traffic after the + HIP base exchange. Note that this use of ESP is intended only for + host-to-host traffic; security gateways are not supported. + + To support ESP use, the HIP base exchange messages require some minor + additions to the parameters transported. In the R1 packet, the + Responder adds the possible ESP transforms in a new ESP_TRANSFORM + parameter before sending it to the Initiator. The Initiator gets the + proposed transforms, selects one of those proposed transforms, and + adds it to the I2 packet in an ESP_TRANSFORM parameter. In this I2 + packet, the Initiator also sends the SPI value that it wants to be + used for ESP traffic flowing from the Responder to the Initiator. + This information is carried using the new ESP_INFO parameter. When + finalizing the ESP SA setup, the Responder sends its SPI value to the + Initiator in the R2 packet, again using ESP_INFO. + +3.1. ESP Packet Format + + The ESP specification [RFC4303] defines the ESP packet format for + IPsec. The HIP ESP packet looks exactly the same as the IPsec ESP + transport format packet. The semantics, however, are a bit different + and are described in more detail in the next subsection. + +3.2. Conceptual ESP Packet Processing + + ESP packet processing can be implemented in different ways in HIP. + It is possible to implement it in a way that a standards compliant, + unmodified IPsec implementation [RFC4303] can be used. + + When a standards compliant IPsec implementation that uses IP + addresses in the SPD and Security Association Database (SAD) is used, + the packet processing may take the following steps. For outgoing + packets, assuming that the upper-layer pseudoheader has been built + using IP addresses, the implementation recalculates upper-layer + checksums using Host Identity Tags (HITs) and, after that, changes + the packet source and destination addresses back to corresponding IP + addresses. The packet is sent to the IPsec ESP for transport mode + handling and from there the encrypted packet is sent to the network. + When an ESP packet is received, the packet is first put to the IPsec + ESP transport mode handling, and after decryption, the source and + + + + + +Jokela, et al. Experimental [Page 4] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + destination IP addresses are replaced with HITs and finally, upper- + layer checksums are verified before passing the packet to the upper + layer. + + An alternative way to implement packet processing is the BEET (Bound + End-to-End Tunnel) [ESP-BEET] mode. In BEET mode, the ESP packet is + formatted as a transport mode packet, but the semantics of the + connection are the same as for tunnel mode. The "outer" addresses of + the packet are the IP addresses and the "inner" addresses are the + HITs. For outgoing traffic, after the packet has been encrypted, the + packet's IP header is changed to a new one that contains IP addresses + instead of HITs, and the packet is sent to the network. When the ESP + packet is received, the SPI value, together with the integrity + protection, allow the packet to be securely associated with the right + HIT pair. The packet header is replaced with a new header containing + HITs, and the packet is decrypted. + +3.2.1. Semantics of the Security Parameter Index (SPI) + + SPIs are used in ESP to find the right Security Association for + received packets. The ESP SPIs have added significance when used + with HIP; they are a compressed representation of a pair of HITs. + Thus, SPIs MAY be used by intermediary systems in providing services + like address mapping. Note that since the SPI has significance at + the receiver, only the < DST, SPI >, where DST is a destination IP + address, uniquely identifies the receiver HIT at any given point of + time. The same SPI value may be used by several hosts. A single + < DST, SPI > value may denote different hosts and contexts at + different points of time, depending on the host that is currently + reachable at the DST. + + Each host selects for itself the SPI it wants to see in packets + received from its peer. This allows it to select different SPIs for + different peers. The SPI selection SHOULD be random; the rules of + Section 2.1 of the ESP specification [RFC4303] must be followed. A + different SPI SHOULD be used for each HIP exchange with a particular + host; this is to avoid a replay attack. Additionally, when a host + rekeys, the SPI MUST be changed. Furthermore, if a host changes over + to use a different IP address, it MAY change the SPI. + + One method for SPI creation that meets the above criteria would be to + concatenate the HIT with a 32-bit random or sequential number, hash + this (using SHA1), and then use the high-order 32 bits as the SPI. + + The selected SPI is communicated to the peer in the third (I2) and + fourth (R2) packets of the base HIP exchange. Changes in SPI are + signaled with ESP_INFO parameters. + + + + +Jokela, et al. Experimental [Page 5] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +3.3. Security Association Establishment and Maintenance + +3.3.1. ESP Security Associations + + In HIP, ESP Security Associations are setup between the HIP nodes + during the base exchange [RFC5201]. Existing ESP SAs can be updated + later using UPDATE messages. The reason for updating the ESP SA + later can be, for example, a need for rekeying the SA because of + sequence number rollover. + + Upon setting up a HIP association, each association is linked to two + ESP SAs, one for incoming packets and one for outgoing packets. The + Initiator's incoming SA corresponds with the Responder's outgoing + one, and vice versa. The Initiator defines the SPI for its incoming + association, as defined in Section 3.2.1. This SA is herein called + SA-RI, and the corresponding SPI is called SPI-RI. Respectively, the + Responder's incoming SA corresponds with the Initiator's outgoing SA + and is called SA-IR, with the SPI being called SPI-IR. + + The Initiator creates SA-RI as a part of R1 processing, before + sending out the I2, as explained in Section 6.4. The keys are + derived from KEYMAT, as defined in Section 7. The Responder creates + SA-RI as a part of I2 processing; see Section 6.5. + + The Responder creates SA-IR as a part of I2 processing, before + sending out R2; see Section 6.5. The Initiator creates SA-IR when + processing R2; see Section 6.6. + + The initial session keys are drawn from the generated keying + material, KEYMAT, after the HIP keys have been drawn as specified in + [RFC5201]. + + When the HIP association is removed, the related ESP SAs MUST also be + removed. + +3.3.2. Rekeying + + After the initial HIP base exchange and SA establishment, both hosts + are in the ESTABLISHED state. There are no longer Initiator and + Responder roles and the association is symmetric. In this + subsection, the party that initiates the rekey procedure is denoted + with I' and the peer with R'. + + An existing HIP-created ESP SA may need updating during the lifetime + of the HIP association. This document specifies the rekeying of an + existing HIP-created ESP SA, using the UPDATE message. The ESP_INFO + parameter introduced above is used for this purpose. + + + + +Jokela, et al. Experimental [Page 6] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + I' initiates the ESP SA updating process when needed (see + Section 6.8). It creates an UPDATE packet with required information + and sends it to the peer node. The old SAs are still in use, local + policy permitting. + + R', after receiving and processing the UPDATE (see Section 6.9), + generates new SAs: SA-I'R' and SA-R'I'. It does not take the new + outgoing SA into use, but still uses the old one, so there + temporarily exists two SA pairs towards the same peer host. The SPI + for the new outgoing SA, SPI-R'I', is specified in the received + ESP_INFO parameter in the UPDATE packet. For the new incoming SA, R' + generates the new SPI value, SPI-I'R', and includes it in the + response UPDATE packet. + + When I' receives a response UPDATE from R', it generates new SAs, as + described in Section 6.9: SA-I'R' and SA-R'I'. It starts using the + new outgoing SA immediately. + + R' starts using the new outgoing SA when it receives traffic on the + new incoming SA or when it receives the UPDATE ACK confirming + completion of rekeying. After this, R' can remove the old SAs. + Similarly, when the I' receives traffic from the new incoming SA, it + can safely remove the old SAs. + +3.3.3. Security Association Management + + An SA pair is indexed by the 2 SPIs and 2 HITs (both local and remote + HITs since a system can have more than one HIT). An inactivity timer + is RECOMMENDED for all SAs. If the state dictates the deletion of an + SA, a timer is set to allow for any late arriving packets. + +3.3.4. Security Parameter Index (SPI) + + The SPIs in ESP provide a simple compression of the HIP data from all + packets after the HIP exchange. This does require a per HIT-pair + Security Association (and SPI), and a decrease of policy granularity + over other Key Management Protocols like IKE. + + When a host updates the ESP SA, it provides a new inbound SPI to and + gets a new outbound SPI from its partner. + +3.3.5. Supported Transforms + + All HIP implementations MUST support AES-CBC [RFC3602] and HMAC-SHA- + 1-96 [RFC2404]. If the Initiator does not support any of the + transforms offered by the Responder, it should abandon the + negotiation and inform the peer with a NOTIFY message about a non- + supported transform. + + + +Jokela, et al. Experimental [Page 7] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + In addition to AES-CBC, all implementations MUST implement the ESP + NULL encryption algorithm. When the ESP NULL encryption is used, it + MUST be used together with SHA1 or MD5 authentication as specified in + Section 5.1.2 + +3.3.6. Sequence Number + + The Sequence Number field is MANDATORY when ESP is used with HIP. + Anti-replay protection MUST be used in an ESP SA established with + HIP. When ESP is used with HIP, a 64-bit sequence number MUST be + used. This means that each host MUST rekey before its sequence + number reaches 2^64. + + When using a 64-bit sequence number, the higher 32 bits are NOT + included in the ESP header, but are simply kept local to both peers. + See [RFC4301]. + +3.3.7. Lifetimes and Timers + + HIP does not negotiate any lifetimes. All ESP lifetimes are local + policy. The only lifetimes a HIP implementation MUST support are + sequence number rollover (for replay protection), and SHOULD support + timing out inactive ESP SAs. An SA times out if no packets are + received using that SA. The default timeout value is 15 minutes. + Implementations MAY support lifetimes for the various ESP transforms. + Each implementation SHOULD implement per-HIT configuration of the + inactivity timeout, allowing statically configured HIP associations + to stay alive for days, even when inactive. + +3.4. IPsec and HIP ESP Implementation Considerations + + When HIP is run on a node where a standards compliant IPsec is used, + some issues have to be considered. + + The HIP implementation must be able to co-exist with other IPsec + keying protocols. When the HIP implementation selects the SPI value, + it may lead to a collision if not implemented properly. To avoid the + possibility for a collision, the HIP implementation MUST ensure that + the SPI values used for HIP SAs are not used for IPsec or other SAs, + and vice versa. + + For outbound traffic, the SPD or (coordinated) SPDs if there are two + (one for HIP and one for IPsec) MUST ensure that packets intended for + HIP processing are given a HIP-enabled SA and that packets intended + for IPsec processing are given an IPsec-enabled SA. The SP then MUST + be bound to the matching SA and non-HIP packets will not be processed + by this SA. Data originating from a socket that is not using HIP + MUST NOT have checksum recalculated (as described in Section 3.2, + + + +Jokela, et al. Experimental [Page 8] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + paragraph 2) and data MUST NOT be passed to the SP or SA created by + the HIP. + + Incoming data packets using an SA that is not negotiated by HIP MUST + NOT be processed as described in Section 3.2, paragraph 2. The SPI + will identify the correct SA for packet decryption and MUST be used + to identify that the packet has an upper-layer checksum that is + calculated as specified in [RFC5201]. + +4. The Protocol + + In this section, the protocol for setting up an ESP association to be + used with HIP association is described. + +4.1. ESP in HIP + +4.1.1. Setting Up an ESP Security Association + + Setting up an ESP Security Association between hosts using HIP + consists of three messages passed between the hosts. The parameters + are included in R1, I2, and R2 messages during base exchange. + + Initiator Responder + + I1 + ----------------------------------> + + R1: ESP_TRANSFORM + <---------------------------------- + + I2: ESP_TRANSFORM, ESP_INFO + ----------------------------------> + + R2: ESP_INFO + <---------------------------------- + + Setting up an ESP Security Association between HIP hosts requires + three messages to exchange the information that is required during an + ESP communication. + + The R1 message contains the ESP_TRANSFORM parameter, in which the + sending host defines the possible ESP transforms it is willing to use + for the ESP SA. + + The I2 message contains the response to an ESP_TRANSFORM received in + the R1 message. The sender must select one of the proposed ESP + transforms from the ESP_TRANSFORM parameter in the R1 message and + include the selected one in the ESP_TRANSFORM parameter in the I2 + + + +Jokela, et al. Experimental [Page 9] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + packet. In addition to the transform, the host includes the ESP_INFO + parameter containing the SPI value to be used by the peer host. + + In the R2 message, the ESP SA setup is finalized. The packet + contains the SPI information required by the Initiator for the ESP + SA. + +4.1.2. Updating an Existing ESP SA + + The update process is accomplished using two messages. The HIP + UPDATE message is used to update the parameters of an existing ESP + SA. The UPDATE mechanism and message is defined in [RFC5201], and + the additional parameters for updating an existing ESP SA are + described here. + + The following picture shows a typical exchange when an existing ESP + SA is updated. Messages include SEQ and ACK parameters required by + the UPDATE mechanism. + + H1 H2 + UPDATE: SEQ, ESP_INFO [, DIFFIE_HELLMAN] + -----------------------------------------------------> + + UPDATE: SEQ, ACK, ESP_INFO [, DIFFIE_HELLMAN] + <----------------------------------------------------- + + UPDATE: ACK + -----------------------------------------------------> + + The host willing to update the ESP SA creates and sends an UPDATE + message. The message contains the ESP_INFO parameter containing the + old SPI value that was used, the new SPI value to be used, and the + index value for the keying material, giving the point from where the + next keys will be drawn. If new keying material must be generated, + the UPDATE message will also contain the DIFFIE_HELLMAN parameter + defined in [RFC5201]. + + The host receiving the UPDATE message requesting update of an + existing ESP SA MUST reply with an UPDATE message. In the reply + message, the host sends the ESP_INFO parameter containing the + corresponding values: old SPI, new SPI, and the keying material + index. If the incoming UPDATE contained a DIFFIE_HELLMAN parameter, + the reply packet MUST also contain a DIFFIE_HELLMAN parameter. + +5. Parameter and Packet Formats + + In this section, new and modified HIP parameters are presented, as + well as modified HIP packets. + + + +Jokela, et al. Experimental [Page 10] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +5.1. New Parameters + + Two new HIP parameters are defined for setting up ESP transport + format associations in HIP communication and for rekeying existing + ones. Also, the NOTIFY parameter, described in [RFC5201], has two + new error parameters. + + Parameter Type Length Data + + ESP_INFO 65 12 Remote's old SPI, + new SPI, and other info + ESP_TRANSFORM 4095 variable ESP Encryption and + Authentication Transform(s) + +5.1.1. ESP_INFO + + During the establishment and update of an ESP SA, the SPI value of + both hosts must be transmitted between the hosts. During the + establishment and update of an ESP SA, the SPI value of both hosts + must be transmitted between the hosts. In addition, hosts need the + index value to the KEYMAT when they are drawing keys from the + generated keying material. The ESP_INFO parameter is used to + transmit the SPI values and the KEYMAT index information between the + hosts. + + During the initial ESP SA setup, the hosts send the SPI value that + they want the peer to use when sending ESP data to them. The value + is set in the NEW SPI field of the ESP_INFO parameter. In the + initial setup, an old value for the SPI does not exist, thus the OLD + SPI value field is set to zero. The OLD SPI field value may also be + zero when additional SAs are set up between HIP hosts, e.g., in case + of multihomed HIP hosts [RFC5206]. However, such use is beyond the + scope of this specification. + + RFC 4301 [RFC4301] describes how to establish multiple SAs to + properly support QoS. If different classes of traffic (distinguished + by Differentiated Services Code Point (DSCP) bits [RFC3474], + [RFC3260]) are sent on the same SA, and if the receiver is employing + the optional anti-replay feature available in ESP, this could result + in inappropriate discarding of lower priority packets due to the + windowing mechanism used by this feature. Therefore, a sender SHOULD + put traffic of different classes but with the same selector values on + different SAs to support Quality of Service (QoS) appropriately. To + permit this, the implementation MUST permit establishment and + maintenance of multiple SAs between a given sender and receiver with + the same selectors. Distribution of traffic among these parallel SAs + to support QoS is locally determined by the sender and is not + negotiated by HIP. The receiver MUST process the packets from the + + + +Jokela, et al. Experimental [Page 11] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + different SAs without prejudice. It is possible that the DSCP value + changes en route, but this should not cause problems with respect to + IPsec processing since the value is not employed for SA selection and + MUST NOT be checked as part of SA/packet validation. + + The KEYMAT index value points to the place in the KEYMAT from where + the keying material for the ESP SAs is drawn. The KEYMAT index value + is zero only when the ESP_INFO is sent during a rekeying process and + new keying material is generated. + + During the life of an SA established by HIP, one of the hosts may + need to reset the Sequence Number to one and rekey. The reason for + rekeying might be an approaching sequence number wrap in ESP, or a + local policy on use of a key. Rekeying ends the current SAs and + starts new ones on both peers. + + During the rekeying process, the ESP_INFO parameter is used to + transmit the changed SPI values and the keying material index. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reserved | KEYMAT Index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | OLD SPI | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | NEW SPI | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type 65 + Length 12 + KEYMAT Index Index, in bytes, where to continue to draw ESP keys + from KEYMAT. If the packet includes a new + Diffie-Hellman key and the ESP_INFO is sent in an + UPDATE packet, the field MUST be zero. If the + ESP_INFO is included in base exchange messages, the + KEYMAT Index must have the index value of the point + from where the ESP SA keys are drawn. Note that the + length of this field limits the amount of + keying material that can be drawn from KEYMAT. If + that amount is exceeded, the packet MUST contain + a new Diffie-Hellman key. + OLD SPI old SPI for data sent to address(es) associated + with this SA. If this is an initial SA setup, the + OLD SPI value is zero. + + + + +Jokela, et al. Experimental [Page 12] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + NEW SPI new SPI for data sent to address(es) associated + with this SA. + +5.1.2. ESP_TRANSFORM + + The ESP_TRANSFORM parameter is used during ESP SA establishment. The + first party sends a selection of transform families in the + ESP_TRANSFORM parameter, and the peer must select one of the proposed + values and include it in the response ESP_TRANSFORM parameter. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reserved | Suite ID #1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Suite ID #2 | Suite ID #3 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Suite ID #n | Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type 4095 + Length length in octets, excluding Type, Length, and + padding + Reserved zero when sent, ignored when received + Suite ID defines the ESP Suite to be used + + The following Suite IDs are defined in RFC 5201 [RFC5201]: + + Suite ID Value + + RESERVED 0 + AES-CBC with HMAC-SHA1 1 + 3DES-CBC with HMAC-SHA1 2 + 3DES-CBC with HMAC-MD5 3 + BLOWFISH-CBC with HMAC-SHA1 4 + NULL with HMAC-SHA1 5 + NULL with HMAC-MD5 6 + + The sender of an ESP transform parameter MUST make sure that there + are no more than six (6) Suite IDs in one ESP transform parameter. + Conversely, a recipient MUST be prepared to handle received transport + parameters that contain more than six Suite IDs. The limited number + of Suite IDs sets the maximum size of the ESP_TRANSFORM parameter. + As the default configuration, the ESP_TRANSFORM parameter MUST + + + + + +Jokela, et al. Experimental [Page 13] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + contain at least one of the mandatory Suite IDs. There MAY be a + configuration option that allows the administrator to override this + default. + + Mandatory implementations: AES-CBC with HMAC-SHA1 and NULL with HMAC- + SHA1. + + Under some conditions, it is possible to use Traffic Flow + Confidentiality (TFC) [RFC4303] with ESP in BEET mode. However, the + definition of such operation is future work and must be done in a + separate specification. + +5.1.3. NOTIFY Parameter + + The HIP base specification defines a set of NOTIFY error types. The + following error types are required for describing errors in ESP + Transform crypto suites during negotiation. + + NOTIFY PARAMETER - ERROR TYPES Value + ------------------------------ ----- + + NO_ESP_PROPOSAL_CHOSEN 18 + + None of the proposed ESP Transform crypto suites was + acceptable. + + INVALID_ESP_TRANSFORM_CHOSEN 19 + + The ESP Transform crypto suite does not correspond to + one offered by the Responder. + + +5.2. HIP ESP Security Association Setup + + The ESP Security Association is set up during the base exchange. The + following subsections define the ESP SA setup procedure using both + base exchange messages (R1, I2, R2) and UPDATE messages. + +5.2.1. Setup During Base Exchange + +5.2.1.1. Modifications in R1 + + The ESP_TRANSFORM contains the ESP modes supported by the sender, in + the order of preference. All implementations MUST support AES-CBC + [RFC3602] with HMAC-SHA-1-96 [RFC2404]. + + + + + + +Jokela, et al. Experimental [Page 14] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + The following figure shows the resulting R1 packet layout. + + The HIP parameters for the R1 packet: + + IP ( HIP ( [ R1_COUNTER, ] + PUZZLE, + DIFFIE_HELLMAN, + HIP_TRANSFORM, + ESP_TRANSFORM, + HOST_ID, + [ ECHO_REQUEST, ] + HIP_SIGNATURE_2 ) + [, ECHO_REQUEST ]) + +5.2.1.2. Modifications in I2 + + The ESP_INFO contains the sender's SPI for this association as well + as the KEYMAT index from where the ESP SA keys will be drawn. The + old SPI value is set to zero. + + The ESP_TRANSFORM contains the ESP mode selected by the sender of R1. + All implementations MUST support AES-CBC [RFC3602] with HMAC-SHA-1-96 + [RFC2404]. + + The following figure shows the resulting I2 packet layout. + + The HIP parameters for the I2 packet: + + IP ( HIP ( ESP_INFO, + [R1_COUNTER,] + SOLUTION, + DIFFIE_HELLMAN, + HIP_TRANSFORM, + ESP_TRANSFORM, + ENCRYPTED { HOST_ID }, + [ ECHO_RESPONSE ,] + HMAC, + HIP_SIGNATURE + [, ECHO_RESPONSE] ) ) + +5.2.1.3. Modifications in R2 + + The R2 contains an ESP_INFO parameter, which has the SPI value of the + sender of the R2 for this association. The ESP_INFO also has the + KEYMAT index value specifying where the ESP SA keys are drawn. + + + + + + +Jokela, et al. Experimental [Page 15] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + The following figure shows the resulting R2 packet layout. + + The HIP parameters for the R2 packet: + + IP ( HIP ( ESP_INFO, HMAC_2, HIP_SIGNATURE ) ) + +5.3. HIP ESP Rekeying + + In this section, the procedure for rekeying an existing ESP SA is + presented. + + Conceptually, the process can be represented by the following message + sequence using the host names I' and R' defined in Section 3.3.2. + For simplicity, HMAC and HIP_SIGNATURE are not depicted, and + DIFFIE_HELLMAN keys are optional. The UPDATE with ACK_I need not be + piggybacked with the UPDATE with SEQ_R; it may be ACKed separately + (in which case the sequence would include four packets). + + I' R' + + UPDATE(ESP_INFO, SEQ_I, [DIFFIE_HELLMAN]) + -----------------------------------> + UPDATE(ESP_INFO, SEQ_R, ACK_I, [DIFFIE_HELLMAN]) + <----------------------------------- + UPDATE(ACK_R) + -----------------------------------> + + Below, the first two packets in this figure are explained. + +5.3.1. Initializing Rekeying + + When HIP is used with ESP, the UPDATE packet is used to initiate + rekeying. The UPDATE packet MUST carry an ESP_INFO and MAY carry a + DIFFIE_HELLMAN parameter. + + Intermediate systems that use the SPI will have to inspect HIP + packets for those that carry rekeying information. The packet is + signed for the benefit of the intermediate systems. Since + intermediate systems may need the new SPI values, the contents cannot + be encrypted. + + + + + + + + + + + +Jokela, et al. Experimental [Page 16] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + The following figure shows the contents of a rekeying initialization + UPDATE packet. + + The HIP parameters for the UPDATE packet initiating rekeying: + + IP ( HIP ( ESP_INFO, + SEQ, + [DIFFIE_HELLMAN, ] + HMAC, + HIP_SIGNATURE ) ) + +5.3.2. Responding to the Rekeying Initialization + + The UPDATE ACK is used to acknowledge the received UPDATE rekeying + initialization. The acknowledgment UPDATE packet MUST carry an + ESP_INFO and MAY carry a DIFFIE_HELLMAN parameter. + + Intermediate systems that use the SPI will have to inspect HIP + packets for packets carrying rekeying information. The packet is + signed for the benefit of the intermediate systems. Since + intermediate systems may need the new SPI values, the contents cannot + be encrypted. + + The following figure shows the contents of a rekeying acknowledgment + UPDATE packet. + + The HIP parameters for the UPDATE packet: + + IP ( HIP ( ESP_INFO, + SEQ, + ACK, + [ DIFFIE_HELLMAN, ] + HMAC, + HIP_SIGNATURE ) ) + +5.4. ICMP Messages + + ICMP message handling is mainly described in the HIP base + specification [RFC5201]. In this section, we describe the actions + related to ESP security associations. + +5.4.1. Unknown SPI + + If a HIP implementation receives an ESP packet that has an + unrecognized SPI number, it MAY respond (subject to rate limiting the + responses) with an ICMP packet with type "Parameter Problem", with + the pointer pointing to the beginning of SPI field in the ESP header. + + + + +Jokela, et al. Experimental [Page 17] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +6. Packet Processing + + Packet processing is mainly defined in the HIP base specification + [RFC5201]. This section describes the changes and new requirements + for packet handling when the ESP transport format is used. Note that + all HIP packets (currently protocol 253) MUST bypass ESP processing. + +6.1. Processing Outgoing Application Data + + Outgoing application data handling is specified in the HIP base + specification [RFC5201]. When the ESP transport format is used, and + there is an active HIP session for the given < source, destination > + HIT pair, the outgoing datagram is protected using the ESP security + association. In a typical implementation, this will result in a + BEET-mode ESP packet being sent. BEET-mode [ESP-BEET] was introduced + above in Section 3.2. The following additional steps define the + conceptual processing rules for outgoing ESP protected datagrams. + + 1. Detect the proper ESP SA using the HITs in the packet header or + other information associated with the packet + + 2. Process the packet normally, as if the SA was a transport mode + SA. + + 3. Ensure that the outgoing ESP protected packet has proper IP + header format depending on the used IP address family, and proper + IP addresses in its IP header, e.g., by replacing HITs left by + the ESP processing. Note that this placement of proper IP + addresses MAY also be performed at some other point in the stack, + e.g., before ESP processing. + +6.2. Processing Incoming Application Data + + Incoming HIP user data packets arrive as ESP protected packets. In + the usual case, the receiving host has a corresponding ESP security + association, identified by the SPI and destination IP address in the + packet. However, if the host has crashed or otherwise lost its HIP + state, it may not have such an SA. + + The basic incoming data handling is specified in the HIP base + specification. Additional steps are required when ESP is used for + protecting the data traffic. The following steps define the + conceptual processing rules for incoming ESP protected datagrams + targeted to an ESP security association created with HIP. + + 1. Detect the proper ESP SA using the SPI. If the resulting SA is a + non-HIP ESP SA, process the packet according to standard IPsec + rules. If there are no SAs identified with the SPI, the host MAY + + + +Jokela, et al. Experimental [Page 18] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + send an ICMP packet as defined in Section 5.4. How to handle + lost state is an implementation issue. + + 2. If the SPI matches with an active HIP-based ESP SA, the IP + addresses in the datagram are replaced with the HITs associated + with the SPI. Note that this IP-address-to-HIT conversion step + MAY also be performed at some other point in the stack, e.g., + after ESP processing. Note also that if the incoming packet has + IPv4 addresses, the packet must be converted to IPv6 format + before replacing the addresses with HITs (such that the transport + checksum will pass if there are no errors). + + 3. The transformed packet is next processed normally by ESP, as if + the packet were a transport mode packet. The packet may be + dropped by ESP, as usual. In a typical implementation, the + result of successful ESP decryption and verification is a + datagram with the associated HITs as source and destination. + + 4. The datagram is delivered to the upper layer. Demultiplexing the + datagram to the right upper layer socket is performed as usual, + except that the HITs are used in place of IP addresses during the + demultiplexing. + +6.3. HMAC and SIGNATURE Calculation and Verification + + The new HIP parameters described in this document, ESP_INFO and + ESP_TRANSFORM, must be protected using HMAC and signature + calculations. In a typical implementation, they are included in R1, + I2, R2, and UPDATE packet HMAC and SIGNATURE calculations as + described in [RFC5201]. + +6.4. Processing Incoming ESP SA Initialization (R1) + + The ESP SA setup is initialized in the R1 message. The receiving + host (Initiator) selects one of the ESP transforms from the presented + values. If no suitable value is found, the negotiation is + terminated. The selected values are subsequently used when + generating and using encryption keys, and when sending the reply + packet. If the proposed alternatives are not acceptable to the + system, it may abandon the ESP SA establishment negotiation, or it + may resend the I1 message within the retry bounds. + + After selecting the ESP transform and performing other R1 processing, + the system prepares and creates an incoming ESP security association. + It may also prepare a security association for outgoing traffic, but + since it does not have the correct SPI value yet, it cannot activate + it. + + + + +Jokela, et al. Experimental [Page 19] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +6.5. Processing Incoming Initialization Reply (I2) + + The following steps are required to process the incoming ESP SA + initialization replies in I2. The steps below assume that the I2 has + been accepted for processing (e.g., has not been dropped due to HIT + comparisons as described in [RFC5201]). + + o The ESP_TRANSFORM parameter is verified and it MUST contain a + single value in the parameter, and it MUST match one of the values + offered in the initialization packet. + + o The ESP_INFO NEW SPI field is parsed to obtain the SPI that will + be used for the Security Association outbound from the Responder + and inbound to the Initiator. For this initial ESP SA + establishment, the old SPI value MUST be zero. The KEYMAT Index + field MUST contain the index value to the KEYMAT from where the + ESP SA keys are drawn. + + o The system prepares and creates both incoming and outgoing ESP + security associations. + + o Upon successful processing of the initialization reply message, + the possible old Security Associations (as left over from an + earlier incarnation of the HIP association) are dropped and the + new ones are installed, and a finalizing packet, R2, is sent. + Possible ongoing rekeying attempts are dropped. + +6.6. Processing Incoming ESP SA Setup Finalization (R2) + + Before the ESP SA can be finalized, the ESP_INFO NEW SPI field is + parsed to obtain the SPI that will be used for the ESP Security + Association inbound to the sender of the finalization message R2. + The system uses this SPI to create or activate the outgoing ESP + security association used for sending packets to the peer. + +6.7. Dropping HIP Associations + + When the system drops a HIP association, as described in the HIP base + specification, the associated ESP SAs MUST also be dropped. + +6.8. Initiating ESP SA Rekeying + + During ESP SA rekeying, the hosts draw new keys from the existing + keying material, or new keying material is generated from where the + new keys are drawn. + + A system may initiate the SA rekeying procedure at any time. It MUST + initiate a rekey if its incoming ESP sequence counter is about to + + + +Jokela, et al. Experimental [Page 20] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + overflow. The system MUST NOT replace its keying material until the + rekeying packet exchange successfully completes. + + Optionally, a system may include a new Diffie-Hellman key for use in + new KEYMAT generation. New KEYMAT generation occurs prior to drawing + the new keys. + + The rekeying procedure uses the UPDATE mechanism defined in + [RFC5201]. Because each peer must update its half of the security + association pair (including new SPI creation), the rekeying process + requires that each side both send and receive an UPDATE. A system + will then rekey the ESP SA when it has sent parameters to the peer + and has received both an ACK of the relevant UPDATE message and + corresponding peer's parameters. It may be that the ACK and the + required HIP parameters arrive in different UPDATE messages. This is + always true if a system does not initiate ESP SA update but responds + to an update request from the peer, and may also occur if two systems + initiate update nearly simultaneously. In such a case, if the system + has an outstanding update request, it saves the one parameter and + waits for the other before completing rekeying. + + The following steps define the processing rules for initiating an ESP + SA update: + + 1. The system decides whether to continue to use the existing KEYMAT + or to generate a new KEYMAT. In the latter case, the system MUST + generate a new Diffie-Hellman public key. + + 2. The system creates an UPDATE packet, which contains the ESP_INFO + parameter. In addition, the host may include the optional + DIFFIE_HELLMAN parameter. If the UPDATE contains the + DIFFIE_HELLMAN parameter, the KEYMAT Index in the ESP_INFO + parameter MUST be zero, and the Diffie-Hellman group ID must be + unchanged from that used in the initial handshake. If the UPDATE + does not contain DIFFIE_HELLMAN, the ESP_INFO KEYMAT Index MUST + be greater than or equal to the index of the next byte to be + drawn from the current KEYMAT. + + 3. The system sends the UPDATE packet. For reliability, the + underlying UPDATE retransmission mechanism MUST be used. + + 4. The system MUST NOT delete its existing SAs, but continue using + them if its policy still allows. The rekeying procedure SHOULD + be initiated early enough to make sure that the SA replay + counters do not overflow. + + 5. In case a protocol error occurs and the peer system acknowledges + the UPDATE but does not itself send an ESP_INFO, the system may + + + +Jokela, et al. Experimental [Page 21] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + not finalize the outstanding ESP SA update request. To guard + against this, a system MAY re-initiate the ESP SA update + procedure after some time waiting for the peer to respond, or it + MAY decide to abort the ESP SA after waiting for an + implementation-dependent time. The system MUST NOT keep an + outstanding ESP SA update request for an indefinite time. + + To simplify the state machine, a host MUST NOT generate new UPDATEs + while it has an outstanding ESP SA update request, unless it is + restarting the update process. + +6.9. Processing Incoming UPDATE Packets + + When a system receives an UPDATE packet, it must be processed if the + following conditions hold (in addition to the generic conditions + specified for UPDATE processing in Section 6.12 of [RFC5201]): + + 1. A corresponding HIP association must exist. This is usually + ensured by the underlying UPDATE mechanism. + + 2. The state of the HIP association is ESTABLISHED or R2-SENT. + + If the above conditions hold, the following steps define the + conceptual processing rules for handling the received UPDATE packet: + + 1. If the received UPDATE contains a DIFFIE_HELLMAN parameter, the + received KEYMAT Index MUST be zero and the Group ID must match + the Group ID in use on the association. If this test fails, the + packet SHOULD be dropped and the system SHOULD log an error + message. + + 2. If there is no outstanding rekeying request, the packet + processing continues as specified in Section 6.9.1. + + 3. If there is an outstanding rekeying request, the UPDATE MUST be + acknowledged, the received ESP_INFO (and possibly DIFFIE_HELLMAN) + parameters must be saved, and the packet processing continues as + specified in Section 6.10. + +6.9.1. Processing UPDATE Packet: No Outstanding Rekeying Request + + The following steps define the conceptual processing rules for + handling a received UPDATE packet with the ESP_INFO parameter: + + 1. The system consults its policy to see if it needs to generate a + new Diffie-Hellman key, and generates a new key (with same Group + ID) if needed. The system records any newly generated or + + + + +Jokela, et al. Experimental [Page 22] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + received Diffie-Hellman keys for use in KEYMAT generation upon + finalizing the ESP SA update. + + 2. If the system generated a new Diffie-Hellman key in the previous + step, or if it received a DIFFIE_HELLMAN parameter, it sets the + ESP_INFO KEYMAT Index to zero. Otherwise, the ESP_INFO KEYMAT + Index MUST be greater than or equal to the index of the next byte + to be drawn from the current KEYMAT. In this case, it is + RECOMMENDED that the host use the KEYMAT Index requested by the + peer in the received ESP_INFO. + + 3. The system creates an UPDATE packet, which contains an ESP_INFO + parameter and the optional DIFFIE_HELLMAN parameter. This UPDATE + would also typically acknowledge the peer's UPDATE with an ACK + parameter, although a separate UPDATE ACK may be sent. + + 4. The system sends the UPDATE packet and stores any received + ESP_INFO and DIFFIE_HELLMAN parameters. At this point, it only + needs to receive an acknowledgment for the newly sent UPDATE to + finish ESP SA update. In the usual case, the acknowledgment is + handled by the underlying UPDATE mechanism. + +6.10. Finalizing Rekeying + + A system finalizes rekeying when it has both received the + corresponding UPDATE acknowledgment packet from the peer and it has + successfully received the peer's UPDATE. The following steps are + taken: + + 1. If the received UPDATE messages contain a new Diffie-Hellman key, + the system has a new Diffie-Hellman key due to initiating ESP SA + update, or both, the system generates a new KEYMAT. If there is + only one new Diffie-Hellman key, the old existing key is used as + the other key. + + 2. If the system generated a new KEYMAT in the previous step, it + sets the KEYMAT Index to zero, independent of whether the + received UPDATE included a Diffie-Hellman key or not. If the + system did not generate a new KEYMAT, it uses the greater KEYMAT + Index of the two (sent and received) ESP_INFO parameters. + + 3. The system draws keys for new incoming and outgoing ESP SAs, + starting from the KEYMAT Index, and prepares new incoming and + outgoing ESP SAs. The SPI for the outgoing SA is the new SPI + value received in an ESP_INFO parameter. The SPI for the + incoming SA was generated when the ESP_INFO was sent to the peer. + The order of the keys retrieved from the KEYMAT during the + rekeying process is similar to that described in Section 7. + + + +Jokela, et al. Experimental [Page 23] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + Note, that only IPsec ESP keys are retrieved during the rekeying + process, not the HIP keys. + + 4. The system starts to send to the new outgoing SA and prepares to + start receiving data on the new incoming SA. Once the system + receives data on the new incoming SA, it may safely delete the + old SAs. + +6.11. Processing NOTIFY Packets + + The processing of NOTIFY packets is described in the HIP base + specification. + +7. Keying Material + + The keying material is generated as described in the HIP base + specification. During the base exchange, the initial keys are drawn + from the generated material. After the HIP association keys have + been drawn, the ESP keys are drawn in the following order: + + SA-gl ESP encryption key for HOST_g's outgoing traffic + + SA-gl ESP authentication key for HOST_g's outgoing traffic + + SA-lg ESP encryption key for HOST_l's outgoing traffic + + SA-lg ESP authentication key for HOST_l's outgoing traffic + + HOST_g denotes the host with the greater HIT value, and HOST_l + denotes the host with the lower HIT value. When HIT values are + compared, they are interpreted as positive (unsigned) 128-bit + integers in network byte order. + + The four HIP keys are only drawn from KEYMAT during a HIP I1->R2 + exchange. Subsequent rekeys using UPDATE will only draw the four ESP + keys from KEYMAT. Section 6.9 describes the rules for reusing or + regenerating KEYMAT based on the rekeying. + + The number of bits drawn for a given algorithm is the "natural" size + of the keys. For the mandatory algorithms, the following sizes + apply: + + AES 128 bits + + SHA-1 160 bits + + NULL 0 bits + + + + +Jokela, et al. Experimental [Page 24] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +8. Security Considerations + + In this document, the usage of ESP [RFC4303] between HIP hosts to + protect data traffic is introduced. The Security Considerations for + ESP are discussed in the ESP specification. + + There are different ways to establish an ESP Security Association + between two nodes. This can be done, e.g., using IKE [RFC4306]. + This document specifies how the Host Identity Protocol is used to + establish ESP Security Associations. + + The following issues are new or have changed from the standard ESP + usage: + + o Initial keying material generation + + o Updating the keying material + + The initial keying material is generated using the Host Identity + Protocol [RFC5201] using the Diffie-Hellman procedure. This document + extends the usage of the UPDATE packet, defined in the base + specification, to modify existing ESP SAs. The hosts may rekey, + i.e., force the generation of new keying material using the Diffie- + Hellman procedure. The initial setup of ESP SA between the hosts is + done during the base exchange, and the message exchange is protected + using methods provided by base exchange. Changes in connection + parameters means basically that the old ESP SA is removed and a new + one is generated once the UPDATE message exchange has been completed. + The message exchange is protected using the HIP association keys. + Both HMAC and signing of packets is used. + +9. IANA Considerations + + This document defines additional parameters and NOTIFY error types + for the Host Identity Protocol [RFC5201]. + + The new parameters and their type numbers are defined in + Section 5.1.1 and Section 5.1.2, and they have been added to the + Parameter Type namespace specified in [RFC5201]. + + The new NOTIFY error types and their values are defined in + Section 5.1.3, and they have been added to the Notify Message Type + namespace specified in [RFC5201]. + + + + + + + + +Jokela, et al. Experimental [Page 25] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +10. Acknowledgments + + This document was separated from the base "Host Identity Protocol" + specification in the beginning of 2005. Since then, a number of + people have contributed to the text by providing comments and + modification proposals. The list of people include Tom Henderson, + Jeff Ahrenholz, Jan Melen, Jukka Ylitalo, and Miika Komu. The + authors also want to thank Charlie Kaufman for reviewing the document + with his eye on the usage of crypto algorithms. + + Due to the history of this document, most of the ideas are inherited + from the base "Host Identity Protocol" specification. Thus, the list + of people in the Acknowledgments section of that specification is + also valid for this document. Many people have given valuable + feedback, and our apologies to anyone whose name is missing. + +11. References + +11.1. Normative references + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within + ESP and AH", RFC 2404, November 1998. + + [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher + Algorithm and Its Use with IPsec", RFC 3602, + September 2003. + + [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", + RFC 4303, December 2005. + + [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T. + Henderson, "Host Identity Protocol", RFC 5201, + April 2008. + +11.2. Informative references + + [ESP-BEET] Nikander, P. and J. Melen, "A Bound End-to-End Tunnel + (BEET) mode for ESP", Work in Progress, November 2007. + + [RFC3260] Grossman, D., "New Terminology and Clarifications for + Diffserv", RFC 3260, April 2002. + + + + + + + +Jokela, et al. Experimental [Page 26] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + + [RFC3474] Lin, Z. and D. Pendarakis, "Documentation of IANA + assignments for Generalized MultiProtocol Label Switching + (GMPLS) Resource Reservation Protocol - Traffic + Engineering (RSVP-TE) Usage and Extensions for + Automatically Switched Optical Network (ASON)", RFC 3474, + March 2003. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", + RFC 4306, December 2005. + + [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol + (HIP) Architecture", RFC 4423, May 2006. + + [RFC5206] Henderson, T., Ed., "End-Host Mobility and Multihoming + with the Host Identity Protocol", RFC 5206, April 2008. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Jokela, et al. Experimental [Page 27] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +Appendix A. A Note on Implementation Options + + It is possible to implement this specification in multiple different + ways. As noted above, one possible way of implementing this is to + rewrite IP headers below IPsec. In such an implementation, IPsec is + used as if it was processing IPv6 transport mode packets, with the + IPv6 header containing HITs instead of IP addresses in the source and + destination address fields. In outgoing packets, after IPsec + processing, the HITs are replaced with actual IP addresses, based on + the HITs and the SPI. In incoming packets, before IPsec processing, + the IP addresses are replaced with HITs, based on the SPI in the + incoming packet. In such an implementation, all IPsec policies are + based on HITs and the upper layers only see packets with HITs in the + place of IP addresses. Consequently, support of HIP does not + conflict with other uses of IPsec as long as the SPI spaces are kept + separate. + + Another way to implement this specification is to use the proposed + BEET mode (A Bound End-to-End mode for ESP, [ESP-BEET]). The BEET + mode provides some features from both IPsec tunnel and transport + modes. The HIP uses HITs as the "inner" addresses and IP addresses + as "outer" addresses, like IP addresses are used in the tunnel mode. + Instead of tunneling packets between hosts, a conversion between + inner and outer addresses is made at end-hosts and the inner address + is never sent on the wire after the initial HIP negotiation. BEET + provides IPsec transport mode syntax (no inner headers) with limited + tunnel mode semantics (fixed logical inner addresses - the HITs - and + changeable outer IP addresses). + + Compared to the option of implementing the required address rewrites + outside of IPsec, BEET has one implementation level benefit. The + BEET-way of implementing the address rewriting keeps all the + configuration information in one place, at the SAD. On the other + hand, when address rewriting is implemented separately, the + implementation must make sure that the information in the SAD and the + separate address rewriting DB are kept in synchrony. As a result, + the BEET-mode-based way of implementing this specification is + RECOMMENDED over the separate implementation. + + + + + + + + + + + + + +Jokela, et al. Experimental [Page 28] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +Authors' Addresses + + Petri Jokela + Ericsson Research NomadicLab + JORVAS FIN-02420 + FINLAND + + Phone: +358 9 299 1 + EMail: petri.jokela@nomadiclab.com + + + Robert Moskowitz + ICSAlabs, An Independent Division of Verizon Business Systems + 1000 Bent Creek Blvd, Suite 200 + Mechanicsburg, PA + USA + + EMail: rgm@icsalabs.com + + + Pekka Nikander + Ericsson Research NomadicLab + JORVAS FIN-02420 + FINLAND + + Phone: +358 9 299 1 + EMail: pekka.nikander@nomadiclab.com + + + + + + + + + + + + + + + + + + + + + + + + +Jokela, et al. Experimental [Page 29] + +RFC 5202 Using the ESP Transport Format with HIP April 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Jokela, et al. Experimental [Page 30] + |