diff options
Diffstat (limited to 'doc/rfc/rfc4945.txt')
-rw-r--r-- | doc/rfc/rfc4945.txt | 2411 |
1 files changed, 2411 insertions, 0 deletions
diff --git a/doc/rfc/rfc4945.txt b/doc/rfc/rfc4945.txt new file mode 100644 index 0000000..4a95ab4 --- /dev/null +++ b/doc/rfc/rfc4945.txt @@ -0,0 +1,2411 @@ + + + + + + +Network Working Group B. Korver +Request for Comments: 4945 Network Resonance, Inc. +Category: Standards Track August 2007 + + + The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2007). + +Abstract + + The Internet Key Exchange (IKE) and Public Key Infrastructure for + X.509 (PKIX) certificate profile both provide frameworks that must be + profiled for use in a given application. This document provides a + profile of IKE and PKIX that defines the requirements for using PKI + technology in the context of IKE/IPsec. The document complements + protocol specifications such as IKEv1 and IKEv2, which assume the + existence of public key certificates and related keying materials, + but which do not address PKI issues explicitly. This document + addresses those issues. The intended audience is implementers of PKI + for IPsec. + + + + + + + + + + + + + + + + + + + + +Korver Standards Track [Page 1] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +Table of Contents + + 1. Introduction ....................................................4 + 2. Terms and Definitions ...........................................4 + 3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP ................5 + 3.1. Identification Payload .....................................5 + 3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR .......................7 + 3.1.2. ID_FQDN .............................................9 + 3.1.3. ID_USER_FQDN .......................................10 + 3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET, + ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE .............11 + 3.1.5. ID_DER_ASN1_DN .....................................11 + 3.1.6. ID_DER_ASN1_GN .....................................12 + 3.1.7. ID_KEY_ID ..........................................12 + 3.1.8. Selecting an Identity from a Certificate ...........12 + 3.1.9. Subject for DN Only ................................12 + 3.1.10. Binding Identity to Policy ........................13 + 3.2. Certificate Request Payload ...............................13 + 3.2.1. Certificate Type ...................................14 + 3.2.2. X.509 Certificate - Signature ......................14 + 3.2.3. Revocation Lists (CRL and ARL) .....................14 + 3.2.4. PKCS #7 wrapped X.509 certificate ..................15 + 3.2.5. Location of Certificate Request Payloads ...........15 + 3.2.6. Presence or Absence of Certificate Request + Payloads ...........................................15 + 3.2.7. Certificate Requests ...............................15 + 3.2.8. Robustness .........................................18 + 3.2.9. Optimizations ......................................18 + 3.3. Certificate Payload .......................................19 + 3.3.1. Certificate Type ...................................20 + 3.3.2. X.509 Certificate - Signature ......................20 + 3.3.3. Revocation Lists (CRL and ARL) .....................20 + 3.3.4. PKCS #7 Wrapped X.509 Certificate ..................20 + 3.3.5. Location of Certificate Payloads ...................21 + 3.3.6. Certificate Payloads Not Mandatory .................21 + 3.3.7. Response to Multiple Certification + Authority Proposals ................................21 + 3.3.8. Using Local Keying Materials .......................21 + 3.3.9. Multiple End-Entity Certificates ...................22 + 3.3.10. Robustness ........................................22 + 3.3.11. Optimizations .....................................23 + 4. Use of Certificates in RFC 4301 and IKEv2 ......................24 + 4.1. Identification Payload ....................................24 + 4.2. Certificate Request Payload ...............................24 + 4.2.1. Revocation Lists (CRL and ARL) .....................24 + 4.3. Certificate Payload .......................................25 + 4.3.1. IKEv2's Hash and URL of X.509 Certificate ..........25 + 4.3.2. Location of Certificate Payloads ...................25 + + + +Korver Standards Track [Page 2] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + 4.3.3. Ordering of Certificate Payloads ...................25 + 5. Certificate Profile for IKEv1/ISAKMP and IKEv2 .................26 + 5.1. X.509 Certificates ........................................26 + 5.1.1. Versions ...........................................26 + 5.1.2. Subject ............................................26 + 5.1.3. X.509 Certificate Extensions .......................27 + 5.2. X.509 Certificate Revocation Lists ........................33 + 5.2.1. Multiple Sources of Certificate Revocation + Information ........................................34 + 5.2.2. X.509 Certificate Revocation List Extensions .......34 + 5.3. Strength of Signature Hashing Algorithms ..................35 + 6. Configuration Data Exchange Conventions ........................36 + 6.1. Certificates ..............................................36 + 6.2. CRLs and ARLs .............................................37 + 6.3. Public Keys ...............................................37 + 6.4. PKCS#10 Certificate Signing Requests ......................37 + 7. Security Considerations ........................................37 + 7.1. Certificate Request Payload ...............................37 + 7.2. IKEv1 Main Mode ...........................................37 + 7.3. Disabling Certificate Checks ..............................38 + 8. Acknowledgements ...............................................38 + 9. References .....................................................38 + 9.1. Normative References ......................................38 + 9.2. Informative References ....................................39 + Appendix A. The Possible Dangers of Delta CRLs ....................40 + Appendix B. More on Empty CERTREQs ................................40 + + + + + + + + + + + + + + + + + + + + + + + + + +Korver Standards Track [Page 3] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +1. Introduction + + IKE [1], ISAKMP [2], and IKEv2 [3] provide a secure key exchange + mechanism for use with IPsec [4] [14]. In many cases, the peers + authenticate using digital certificates as specified in PKIX [5]. + Unfortunately, the combination of these standards leads to an + underspecified set of requirements for the use of certificates in the + context of IPsec. + + ISAKMP references the PKIX certificate profile but, in many cases, + merely specifies the contents of various messages without specifying + their syntax or semantics. Meanwhile, the PKIX certificate profile + provides a large set of certificate mechanisms that are generally + applicable for Internet protocols, but little specific guidance for + IPsec. Given the numerous underspecified choices, interoperability + is hampered if all implementers do not make similar choices, or at + least fail to account for implementations that have chosen + differently. + + This profile of the IKE and PKIX frameworks is intended to provide an + agreed-upon standard for using PKI technology in the context of IPsec + by profiling the PKIX framework for use with IKE and IPsec, and by + documenting the contents of the relevant IKE payloads and further + specifying their semantics. + + In addition to providing a profile of IKE and PKIX, this document + attempts to incorporate lessons learned from recent experience with + both implementation and deployment, as well as the current state of + related protocols and technologies. + + Material from ISAKMP, IKEv1, IKEv2, or PKIX is not repeated here, and + readers of this document are assumed to have read and understood + those documents. The requirements and security aspects of those + documents are fully relevant to this document as well. + + This document is organized as follows. Section 2 defines special + terminology used in the rest of this document, Section 3 provides the + profile of IKEv1/ISAKMP, Section 4 provides a profile of IKEv2, and + Section 5 provides the profile of PKIX. Section 6 covers conventions + for the out-of-band exchange of keying materials for configuration + purposes. + +2. Terms and Definitions + + Except for those terms that are defined immediately below, all terms + used in this document are defined in either the PKIX [5], ISAKMP [2], + IKEv1 [1], IKEv2 [3], or Domain of Interpretation (DOI) [6] + documents. + + + +Korver Standards Track [Page 4] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + o Peer source address: The source address in packets from a peer. + This address may be different from any addresses asserted as the + "identity" of the peer. + + o FQDN: Fully qualified domain name. + + o ID_USER_FQDN: IKEv2 renamed ID_USER_FQDN to ID_RFC822_ADDR. Both + are referred to as ID_USER_FQDN in this document. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [7]. + +3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP + +3.1. Identification Payload + + The Identification (ID) Payload indicates the identity claimed by the + sender. The recipient can then use the ID as a lookup key for policy + and for certificate lookup in whatever certificate store or directory + that it has available. Our primary concern in this section is to + profile the ID payload so that it can be safely used to generate or + lookup policy. IKE mandates the use of the ID payload in Phase 1. + + The DOI [6] defines the 11 types of Identification Data that can be + used and specifies the syntax for these types. These are discussed + below in detail. + + The ID payload requirements in this document cover only the portion + of the explicit policy checks that deal with the Identification + Payload specifically. For instance, in the case where ID does not + contain an IP address, checks such as verifying that the peer source + address is permitted by the relevant policy are not addressed here, + as they are out of the scope of this document. + + Implementations SHOULD populate ID with identity information that is + contained within the end-entity certificate. Populating ID with + identity information from the end-entity certificate enables + recipients to use ID as a lookup key to find the peer end-entity + certificate. The only case where implementations may populate ID + with information that is not contained in the end-entity certificate + is when ID contains the peer source address (a single address, not a + subnet or range). + + Because implementations may use ID as a lookup key to determine which + policy to use, all implementations MUST be especially careful to + verify the truthfulness of the contents by verifying that they + correspond to some keying material demonstrably held by the peer. + + + +Korver Standards Track [Page 5] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + Failure to do so may result in the use of an inappropriate or + insecure policy. The following sections describe the methods for + performing this binding. + + The following table summarizes the binding of the Identification + Payload to the contents of end-entity certificates and of identity + information to policy. Each ID type is covered more thoroughly in + the following sections. + + ID type | Support | Correspond | Cert | SPD lookup + | for send | PKIX Attrib | matching | rules + ------------------------------------------------------------------- + | | | | + IP*_ADDR | MUST [a] | SubjAltName | MUST [b] | [c], [d] + | | iPAddress | | + | | | | + FQDN | MUST [a] | SubjAltName | MUST [b] | [c], [d] + | | dNSName | | + | | | | + USER_FQDN| MUST [a] | SubjAltName | MUST [b] | [c], [d] + | | rfc822Name | | + | | | | + IP range | MUST NOT | n/a | n/a | n/a + | | | | + DN | MUST [a] | Entire | MUST [b] | MUST support lookup + | | Subject, | | on any combination + | | bitwise | | of C, CN, O, or OU + | | compare | | + | | | | + GN | MUST NOT | n/a | n/a | n/a + | | | | + KEY_ID | MUST NOT | n/a | n/a | n/a + | | | | + + [a] = Implementation MUST have the configuration option to send this + ID type in the ID payload. Whether or not the ID type is used + is a matter of local configuration. + + [b] = The ID in the ID payload MUST match the contents of the + corresponding field (listed) in the certificate exactly, with + no other lookup. The matched ID MAY be used for Security + Policy Database (SPD) lookup, but is not required to be used + for this. + + [c] = At a minimum, Implementation MUST be capable of being + configured to perform exact matching of the ID payload contents + to an entry in the local SPD. + + + + +Korver Standards Track [Page 6] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + [d] = In addition, the implementation MAY also be configurable to + perform substring or wildcard matches of ID payload contents to + entries in the local SPD. (More on this in Section 3.1.5.) + + When sending an IPV4_ADDR, IPV6_ADDR, FQDN, or USER_FQDN, + implementations MUST be able to be configured to send the same string + as it appears in the corresponding SubjectAltName extension. This + document RECOMMENDS that deployers use this configuration option. + All these ID types are treated the same: as strings that can be + compared easily and quickly to a corresponding string in an explicit + value in the certificate. Of these types, FQDN and USER_FQDN are + RECOMMENDED over IP addresses (see discussion in Section 3.1.1). + + When sending a Distinguished Name (DN) as ID, implementations MUST + send the entire DN in ID. Also, implementations MUST support at + least the C, CN, O, and OU attributes for SPD matching. See Section + 3.1.5 for more details about DN, including SPD matching. + + Recipients MUST be able to perform SPD matching on the exact contents + of the ID, and this SHOULD be the default setting. In addition, + implementations MAY use substrings or wildcards in local policy + configuration to do the SPD matching against the ID contents. In + other words, implementations MUST be able to do exact matches of ID + to SPD, but MAY also be configurable to do substring or wildcard + matches of ID to SPD. + +3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR + + Implementations MUST support at least the ID_IPV4_ADDR or + ID_IPV6_ADDR ID type, depending on whether the implementation + supports IPv4, IPv6, or both. These addresses MUST be encoded in + "network byte order", as specified in IP [8]: The least significant + bit (LSB) of each octet is the LSB of the corresponding byte in the + network address. For the ID_IPV4_ADDR type, the payload MUST contain + exactly four octets [8]. For the ID_IPV6_ADDR type, the payload MUST + contain exactly sixteen octets [10]. + + Implementations SHOULD NOT populate ID payload with IP addresses due + to interoperability issues such as problems with Network Address + Translator (NAT) traversal, and problems with IP verification + behavior. + + Deployments may only want to consider using the IP address as ID if + all of the following are true: + + o the peer's IP address is static, not dynamically changing + + o the peer is NOT behind a NAT'ing device + + + +Korver Standards Track [Page 7] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + o the administrator intends the implementation to verify that the + peer source address matches the IP address in the ID received, and + that in the iPAddress field in the peer certificate's + SubjectAltName extension. + + Implementations MUST be capable of verifying that the IP address + presented in ID matches via bitwise comparison the IP address present + in the certificate's iPAddress field of the SubjectAltName extension. + Implementations MUST perform this verification by default. When + comparing the contents of ID with the iPAddress field in the + SubjectAltName extension for equality, binary comparison MUST be + performed. Note that certificates may contain multiple address + identity types -- in which case, at least one must match the source + IP. If the default is enabled, then a mismatch between the two + addresses MUST be treated as an error, and security association setup + MUST be aborted. This event SHOULD be auditable. Implementations + MAY provide a configuration option to (i.e., local policy + configuration can enable) skip that verification step, but that + option MUST be off by default. We include the "option-to-skip- + validation" in order to permit better interoperability as current + implementations vary greatly in how they behave on this topic. + + In addition, implementations MUST be capable of verifying that the + address contained in the ID is the same as the address contained in + the IP header. Implementations SHOULD be able to check the address + in either the outermost or innermost IP header and MAY provide a + configuration option for specifying which is to be checked. If there + is no configuration option provided, an implementation SHOULD check + the peer source address contained in the outermost header (as is the + practice of most of today's implementations). If ID is one of the IP + address types, then implementations MUST perform this verification by + default. If this default is enabled, then a mismatch MUST be treated + as an error, and security association setup MUST be aborted. This + event SHOULD be auditable. Implementations MAY provide a + configuration option to (i.e. local policy configuration can enable) + skip that verification step, but that option MUST be off by default. + We include the "option-to-skip-validation" in order to permit better + interoperability, as current implementations vary greatly in how they + behave on the topic of verification of source IP. + + If the default for both the verifications above are enabled, then, by + transitive property, the implementation will also be verifying that + the peer source IP address matches via a bitwise comparison the + contents of the iPAddress field in the SubjectAltName extension in + the certificate. In addition, implementations MAY allow + administrators to configure a local policy that explicitly requires + that the peer source IP address match via a bitwise comparison the + contents of the iPAddress field in the SubjectAltName extension in + + + +Korver Standards Track [Page 8] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + the certificate. Implementations SHOULD allow administrators to + configure a local policy that skips this validation check. + + Implementations MAY support substring, wildcard, or regular + expression matching of the contents of ID to look up the policy in + the SPD, and such would be a matter of local security policy + configuration. + + Implementations MAY use the IP address found in the header of packets + received from the peer to look up the policy, but such + implementations MUST still perform verification of the ID payload. + Although packet IP addresses are inherently untrustworthy and must + therefore be independently verified, it is often useful to use the + apparent IP address of the peer to locate a general class of policies + that will be used until the mandatory identity-based policy lookup + can be performed. + + For instance, if the IP address of the peer is unrecognized, a VPN + gateway device might load a general "road warrior" policy that + specifies a particular Certification Authority (CA) that is trusted + to issue certificates that contain a valid rfc822Name, which can be + used by that implementation to perform authorization based on access + control lists (ACLs) after the peer's certificate has been validated. + The rfc822Name can then be used to determine the policy that provides + specific authorization to access resources (such as IP addresses, + ports, and so forth). + + As another example, if the IP address of the peer is recognized to be + a known peer VPN endpoint, policy may be determined using that + address, but until the identity (address) is validated by validating + the peer certificate, the policy MUST NOT be used to authorize any + IPsec traffic. + +3.1.2. ID_FQDN + + Implementations MUST support the ID_FQDN ID type, generally to + support host-based access control lists for hosts without fixed IP + addresses. However, implementations SHOULD NOT use the DNS to map + the FQDN to IP addresses for input into any policy decisions, unless + that mapping is known to be secure, for example, if DNSSEC [11] were + employed for that FQDN. + + If ID contains an ID_FQDN, implementations MUST be capable of + verifying that the identity contained in the ID payload matches + identity information contained in the peer end-entity certificate, in + the dNSName field in the SubjectAltName extension. Implementations + MUST perform this verification by default. When comparing the + contents of ID with the dNSName field in the SubjectAltName extension + + + +Korver Standards Track [Page 9] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + for equality, case-insensitive string comparison MUST be performed. + Note that case-insensitive string comparison works on + internationalized domain names (IDNs) as well (See IDN [12]). + Substring, wildcard, or regular expression matching MUST NOT be + performed for this comparison. If this default is enabled, then a + mismatch MUST be treated as an error, and security association setup + MUST be aborted. This event SHOULD be auditable. Implementations + MAY provide a configuration option to (i.e., local policy + configuration can enable) skip that verification step, but that + option MUST be off by default. We include the "option-to-skip- + validation" in order to permit better interoperability, as current + implementations vary greatly in how they behave on this topic. + + Implementations MAY support substring, wildcard, or regular + expression matching of the contents of ID to look up the policy in + the SPD, and such would be a matter of local security policy + configuration. + +3.1.3. ID_USER_FQDN + + Implementations MUST support the ID_USER_FQDN ID type, generally to + support user-based access control lists for users without fixed IP + addresses. However, implementations SHOULD NOT use the DNS to map + the FQDN portion to IP addresses for input into any policy decisions, + unless that mapping is known to be secure, for example, if DNSSEC + [11] were employed for that FQDN. + + Implementations MUST be capable of verifying that the identity + contained in the ID payload matches identity information contained in + the peer end-entity certificate, in the rfc822Name field in the + SubjectAltName extension. Implementations MUST perform this + verification by default. When comparing the contents of ID with the + rfc822Name field in the SubjectAltName extension for equality, case- + insensitive string comparison MUST be performed. Note that case- + insensitive string comparison works on internationalized domain names + (IDNs) as well (See IDN [12]). Substring, wildcard, or regular + expression matching MUST NOT be performed for this comparison. If + this default is enabled, then a mismatch MUST be treated as an error, + and security association setup MUST be aborted. This event SHOULD be + auditable. Implementations MAY provide a configuration option to + (i.e., local policy configuration can enable) skip that verification + step, but that option MUST be off by default. We include the + "option-to-skip-validation" in order to permit better + interoperability, as current implementations vary greatly in how they + behave on this topic. + + + + + + +Korver Standards Track [Page 10] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + Implementations MAY support substring, wildcard, or regular + expression matching of the contents of ID to look up policy in the + SPD, and such would be a matter of local security policy + configuration. + +3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, + ID_IPV6_ADDR_RANGE + + Note that RFC 3779 [13] defines blocks of addresses using the + certificate extension identified by: + + id-pe-ipAddrBlock OBJECT IDENTIFIER ::= { id-pe 7 } + + although use of this extension in IKE is considered experimental at + this time. + +3.1.5. ID_DER_ASN1_DN + + Implementations MUST support receiving the ID_DER_ASN1_DN ID type. + Implementations MUST be capable of generating this type, and the + decision to do so will be a matter of local security policy + configuration. When generating this type, implementations MUST + populate the contents of ID with the Subject field from the end- + entity certificate, and MUST do so such that a binary comparison of + the two will succeed. If there is not a match, this MUST be treated + as an error, and security association setup MUST be aborted. This + event SHOULD be auditable. + + Implementations MUST NOT populate ID with the Subject from the end- + entity certificate if it is empty, even though an empty certificate + Subject is explicitly allowed in the "Subject" section of the PKIX + certificate profile. + + Regarding SPD matching, implementations MUST be able to perform + matching based on a bitwise comparison of the entire DN in ID to its + entry in the SPD. However, operational experience has shown that + using the entire DN in local configuration is difficult, especially + in large-scale deployments. Therefore, implementations also MUST be + able to perform SPD matches of any combination of one or more of the + C, CN, O, OU attributes within Subject DN in the ID to the same in + the SPD. Implementations MAY support matching using additional DN + attributes in any combination, although interoperability is far from + certain and is dubious. Implementations MAY also support performing + substring, wildcard, or regular expression matches for any of its + supported DN attributes from ID, in any combination, to the SPD. + Such flexibility allows deployers to create one SPD entry on the + gateway for an entire department of a company (e.g., O=Foobar Inc., + OU=Engineering) while still allowing them to draw out other details + + + +Korver Standards Track [Page 11] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + from the DN (e.g., CN=John Doe) for auditing purposes. All the above + is a matter of local implementation and local policy definition and + enforcement capability, not bits on the wire, but will have a great + impact on interoperability. + +3.1.6. ID_DER_ASN1_GN + + Implementations MUST NOT generate this type, because the recipient + will be unlikely to know how to use it. + +3.1.7. ID_KEY_ID + + The ID_KEY_ID type used to specify pre-shared keys and thus is out of + scope. + +3.1.8. Selecting an Identity from a Certificate + + Implementations MUST support certificates that contain more than a + single identity, such as when the Subject field and the + SubjectAltName extension are both populated, or the SubjectAltName + extension contains multiple identities irrespective of whether or not + the Subject is empty. In many cases, a certificate will contain an + identity, such as an IP address, in the SubjectAltName extension in + addition to a non-empty Subject. + + Implementations should populate ID with whichever identity is likely + to be named in the peer's policy. In practice, this generally means + FQDN, or USER_FQDN, but this information may also be available to the + administrator through some out-of-band means. In the absence of such + out-of-band configuration information, the identity with which an + implementation chooses to populate the ID payload is a local matter. + +3.1.9. Subject for DN Only + + If an FQDN is intended to be processed as an identity for the + purposes of ID matching, it MUST be placed in the dNSName field of + the SubjectAltName extension. Implementations MUST NOT populate the + Subject with an FQDN in place of populating the dNSName field of the + SubjectAltName extension. + + While nothing prevents an FQDN, USER_FQDN, or IP address information + from appearing somewhere in the Subject contents, such entries MUST + NOT be interpreted as identity information for the purposes of + matching with ID or for policy lookup. + + + + + + + +Korver Standards Track [Page 12] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +3.1.10. Binding Identity to Policy + + In the presence of certificates that contain multiple identities, + implementations should select the most appropriate identity from the + certificate and populate the ID with that. The recipient MUST use + the identity sent as a first key when selecting the policy. The + recipient MUST also use the most specific policy from that database + if there are overlapping policies caused by wildcards (or the + implementation can de-correlate the policy database so there will not + be overlapping entries, or it can also forbid creation of overlapping + policies and leave the de-correlation process to the administrator, + but, as this moves the problem to the administrator, it is NOT + RECOMMENDED). + + For example, imagine that an implementation is configured with a + certificate that contains both a non-empty Subject and a dNSName. + The sender's policy may specify which of those to use, and it + indicates the policy to the other end by sending that ID. If the + recipient has both a specific policy for the dNSName for this host + and generic wildcard rule for some attributes present in the Subject + field, it will match a different policy depending on which ID is + sent. As the sender knows why it wanted to connect the peer, it also + knows what identity it should use to match the policy it needs to the + operation it tries to perform; it is the only party who can select + the ID adequately. + + In the event that the policy cannot be found in the recipient's SPD + using the ID sent, then the recipient MAY use the other identities in + the certificate when attempting to match a suitable policy. For + example, say the certificate contains a non-empty Subject field, a + dNSName and an iPAddress. If an iPAddress is sent in ID but no + specific entry exists for the address in the policy database, the + recipient MAY search in the policy database based on the Subject or + the dNSName contained in the certificate. + +3.2. Certificate Request Payload + + The Certificate Request (CERTREQ) Payload allows an implementation to + request that a peer provide some set of certificates or certificate + revocation lists (CRLs). It is not clear from ISAKMP exactly how + that set should be specified or how the peer should respond. We + describe the semantics on both sides. + + + + + + + + + +Korver Standards Track [Page 13] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +3.2.1. Certificate Type + + The Certificate Type field identifies to the peer the type of + certificate keying materials that are desired. ISAKMP defines 10 + types of Certificate Data that can be requested and specifies the + syntax for these types. For the purposes of this document, only the + following types are relevant: + + o X.509 Certificate - Signature + o Revocation Lists (CRL and ARL) + o PKCS #7 wrapped X.509 certificate + + The use of the other types are out of the scope of this document: + + o X.509 Certificate - Key Exchange + o PGP (Pretty Good Privacy) Certificate + o DNS Signed Key + o Kerberos Tokens + o SPKI (Simple Public Key Infrastructure) Certificate + o X.509 Certificate Attribute + +3.2.2. X.509 Certificate - Signature + + This type requests that the end-entity certificate be a certificate + used for signing. + +3.2.3. Revocation Lists (CRL and ARL) + + ISAKMP does not support Certificate Payload sizes over approximately + 64K, which is too small for many CRLs, and UDP fragmentation is + likely to occur at sizes much smaller than that. Therefore, the + acquisition of revocation material is to be dealt with out-of-band of + IKE. For this and other reasons, implementations SHOULD NOT generate + CERTREQs where the Certificate Type is "Certificate Revocation List + (CRL)" or "Authority Revocation List (ARL)". Implementations that do + generate such CERTREQs MUST NOT require the recipient to respond with + a CRL or ARL, and MUST NOT fail when not receiving any. Upon receipt + of such a CERTREQ, implementations MAY ignore the request. + + In lieu of exchanging revocation lists in-band, a pointer to + revocation checking SHOULD be listed in either the + CRLDistributionPoints (CDP) or the AuthorityInfoAccess (AIA) + certificate extensions (see Section 5 for details). Unless other + methods for obtaining revocation information are available, + implementations SHOULD be able to process these attributes, and from + them be able to identify cached revocation material, or retrieve the + relevant revocation material from a URL, for validation processing. + In addition, implementations MUST have the ability to configure + + + +Korver Standards Track [Page 14] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + validation checking information for each certification authority. + Regardless of the method (CDP, AIA, or static configuration), the + acquisition of revocation material SHOULD occur out-of-band of IKE. + Note, however, that an inability to access revocation status data + through out-of-band means provides a potential security vulnerability + that could potentially be exploited by an attacker. + +3.2.4. PKCS #7 wrapped X.509 certificate + + This ID type defines a particular encoding (not a particular + certificate type); some current implementations may ignore CERTREQs + they receive that contain this ID type, and the editors are unaware + of any implementations that generate such CERTREQ messages. + Therefore, the use of this type is deprecated. Implementations + SHOULD NOT require CERTREQs that contain this Certificate Type. + Implementations that receive CERTREQs that contain this ID type MAY + treat such payloads as synonymous with "X.509 Certificate - + Signature". + +3.2.5. Location of Certificate Request Payloads + + In IKEv1 Main Mode, the CERTREQ payload MUST be in messages 4 and 5. + +3.2.6. Presence or Absence of Certificate Request Payloads + + When in-band exchange of certificate keying materials is desired, + implementations MUST inform the peer of this by sending at least one + CERTREQ. In other words, an implementation that does not send any + CERTREQs during an exchange SHOULD NOT expect to receive any CERT + payloads. + +3.2.7. Certificate Requests + +3.2.7.1. Specifying Certification Authorities + + When requesting in-band exchange of keying materials, implementations + SHOULD generate CERTREQs for every peer trust anchor that local + policy explicitly deems trusted during a given exchange. + Implementations SHOULD populate the Certification Authority field + with the Subject field of the trust anchor, populated such that + binary comparison of the Subject and the Certification Authority will + succeed. + + + + + + + + + +Korver Standards Track [Page 15] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + Upon receipt of a CERTREQ, implementations MUST respond by sending at + least the end-entity certificate corresponding to the Certification + Authority listed in the CERTREQ unless local security policy + configuration specifies that keying materials must be exchanged out- + of-band. Implementations MAY send certificates other than the end- + entity certificate (see Section 3.3 for discussion). + + Note that, in the case where multiple end-entity certificates may be + available that chain to different trust anchors, implementations + SHOULD resort to local heuristics to determine which trust anchor is + most appropriate to use for generating the CERTREQ. Such heuristics + are out of the scope of this document. + +3.2.7.2. Empty Certification Authority Field + + Implementations SHOULD generate CERTREQs where the Certificate Type + is "X.509 Certificate - Signature" and where the Certification + Authority field is not empty. However, implementations MAY generate + CERTREQs with an empty Certification Authority field under special + conditions. Although PKIX prohibits certificates with an empty + Issuer field, there does exist a use case where doing so is + appropriate, and carries special meaning in the IKE context. This + has become a convention within the IKE interoperability tests and + usage space, and so its use is specified, explained here for the sake + of interoperability. + + USE CASE: Consider the rare case where you have a gateway with + multiple policies for a large number of IKE peers: some of these + peers are business partners, some are remote-access employees, some + are teleworkers, some are branch offices, and/or the gateway may be + simultaneously serving many customers (e.g., Virtual Routers). The + total number of certificates, and corresponding trust anchors, is + very high -- say, hundreds. Each of these policies is configured + with one or more acceptable trust anchors, so that in total, the + gateway has one hundred (100) trust anchors that could possibly used + to authenticate an incoming connection. Assume that many of those + connections originate from hosts/gateways with dynamically assigned + IP addresses, so that the source IP of the IKE initiator is not known + to the gateway, nor is the identity of the initiator (until it is + revealed in Main Mode message 5). In IKE main mode message 4, the + responder gateway will need to send a CERTREQ to the initiator. + Given this example, the gateway will have no idea which of the + hundred possible Certification Authorities to send in the CERTREQ. + Sending all possible Certification Authorities will cause significant + processing delays, bandwidth consumption, and UDP fragmentation, so + this tactic is ruled out. + + + + + +Korver Standards Track [Page 16] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + In such a deployment, the responder gateway implementation should be + able to do all it can to indicate a Certification Authority in the + CERTREQ. This means the responder SHOULD first check SPD to see if + it can match the source IP, and find some indication of which CA is + associated with that IP. If this fails (because the source IP is not + familiar, as in the case above), then the responder SHOULD have a + configuration option specifying which CAs are the default CAs to + indicate in CERTREQ during such ambiguous connections (e.g., send + CERTREQ with these N CAs if there is an unknown source IP). If such + a fall-back is not configured or impractical in a certain deployment + scenario, then the responder implementation SHOULD have both of the + following configuration options: + + o send a CERTREQ payload with an empty Certification Authority + field, or + + o terminate the negotiation with an appropriate error message and + audit log entry. + + Receiving a CERTREQ payload with an empty Certification Authority + field indicates that the recipient should send all/any end-entity + certificates it has, regardless of the trust anchor. The initiator + should be aware of what policy and which identity it will use, as it + initiated the connection on a matched policy to begin with, and can + thus respond with the appropriate certificate. + + If, after sending an empty CERTREQ in Main Mode message 4, a + responder receives a certificate in message 5 that chains to a trust + anchor that the responder either (a) does NOT support, or (b) was not + configured for the policy (that policy was now able to be matched due + to having the initiator's certificate present), this MUST be treated + as an error, and security association setup MUST be aborted. This + event SHOULD be auditable. + + Instead of sending an empty CERTREQ, the responder implementation MAY + be configured to terminate the negotiation on the grounds of a + conflict with locally configured security policy. + + The decision of which to configure is a matter of local security + policy; this document RECOMMENDS that both options be presented to + administrators. + + More examples and explanation of this issue are included in "More on + Empty CERTREQs" (Appendix B). + + + + + + + +Korver Standards Track [Page 17] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +3.2.8. Robustness + +3.2.8.1. Unrecognized or Unsupported Certificate Types + + Implementations MUST be able to deal with receiving CERTREQs with + unsupported Certificate Types. Absent any recognized and supported + CERTREQ types, implementations MAY treat them as if they are of a + supported type with the Certification Authority field left empty, + depending on local policy. ISAKMP [2] Section 5.10, "Certificate + Request Payload Processing", specifies additional processing. + +3.2.8.2. Undecodable Certification Authority Fields + + Implementations MUST be able to deal with receiving CERTREQs with + undecodable Certification Authority fields. Implementations MAY + ignore such payloads, depending on local policy. ISAKMP specifies + other actions which may be taken. + +3.2.8.3. Ordering of Certificate Request Payloads + + Implementations MUST NOT assume that CERTREQs are ordered in any way. + +3.2.9. Optimizations + +3.2.9.1. Duplicate Certificate Request Payloads + + Implementations SHOULD NOT send duplicate CERTREQs during an + exchange. + +3.2.9.2. Name Lowest 'Common' Certification Authorities + + When a peer's certificate keying material has been cached, an + implementation can send a hint to the peer to elide some of the + certificates the peer would normally include in the response. In + addition to the normal set of CERTREQs that are sent specifying the + trust anchors, an implementation MAY send CERTREQs specifying the + relevant cached end-entity certificates. When sending these hints, + it is still necessary to send the normal set of trust anchor CERTREQs + because the hints do not sufficiently convey all of the information + required by the peer. Specifically, either the peer may not support + this optimization or there may be additional chains that could be + used in this context but will not be if only the end-entity + certificate is specified. + + No special processing is required on the part of the recipient of + such a CERTREQ, and the end-entity certificates will still be sent. + On the other hand, the recipient MAY elect to elide certificates + based on receipt of such hints. + + + +Korver Standards Track [Page 18] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + CERTREQs must contain information that identifies a Certification + Authority certificate, which results in the peer always sending at + least the end-entity certificate. Always sending the end-entity + certificate allows implementations to determine unambiguously when a + new certificate is being used by a peer (perhaps because the previous + certificate has just expired), which may result in a failure because + a new intermediate CA certificate might not be available to validate + the new end-entity certificate). Implementations that implement this + optimization MUST recognize when the end-entity certificate has + changed and respond to it by not performing this optimization if the + exchange must be retried so that any missing keying materials will be + sent during retry. + +3.2.9.3. Example + + Imagine that an IKEv1 implementation has previously received and + cached the peer certificate chain TA->CA1->CA2->EE. If, during a + subsequent exchange, this implementation sends a CERTREQ containing + the Subject field in certificate TA, this implementation is + requesting that the peer send at least three certificates: CA1, CA2, + and EE. On the other hand, if this implementation also sends a + CERTREQ containing the Subject field of CA2, the implementation is + providing a hint that only one certificate needs to be sent: EE. + Note that in this example, the fact that TA is a trust anchor should + not be construed to imply that TA is a self-signed certificate. + +3.3. Certificate Payload + + The Certificate (CERT) Payload allows the peer to transmit a single + certificate or CRL. Multiple certificates should be transmitted in + multiple payloads. For backwards-compatibility reasons, + implementations MAY send intermediate CA certificates in addition to + the appropriate end-entity certificate(s), but SHOULD NOT send any + CRLs, ARLs, or trust anchors. Exchanging trust anchors and + especially CRLs and ARLs in IKE would increase the likelihood of UDP + fragmentation, make the IKE exchange more complex, and consume + additional network bandwidth. + + Note, however, that while the sender of the CERT payloads SHOULD NOT + send any certificates it considers trust anchors, it's possible that + the recipient may consider any given intermediate CA certificate to + be a trust anchor. For instance, imagine the sender has the + certificate chain TA1->CA1->EE1 while the recipient has the + certificate chain TA2->EE2 where TA2=CA1. The sender is merely + including an intermediate CA certificate, while the recipient + receives a trust anchor. + + + + + +Korver Standards Track [Page 19] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + However, not all certificate forms that are legal in the PKIX + certificate profile make sense in the context of IPsec. The issue of + how to represent IKE-meaningful name-forms in a certificate is + especially problematic. This document provides a profile for a + subset of the PKIX certificate profile that makes sense for IKEv1/ + ISAKMP. + +3.3.1. Certificate Type + + The Certificate Type field identifies to the peer the type of + certificate keying materials that are included. ISAKMP defines 10 + types of Certificate Data that can be sent and specifies the syntax + for these types. For the purposes of this document, only the + following types are relevant: + + o X.509 Certificate - Signature + o Revocation Lists (CRL and ARL) + o PKCS #7 wrapped X.509 certificate + + The use of the other types are out of the scope of this document: + + o X.509 Certificate - Key Exchange + o PGP Certificate + o DNS Signed Key + o Kerberos Tokens + o SPKI Certificate + o X.509 Certificate Attribute + +3.3.2. X.509 Certificate - Signature + + This type specifies that Certificate Data contains a certificate used + for signing. + +3.3.3. Revocation Lists (CRL and ARL) + + These types specify that Certificate Data contains an X.509 CRL or + ARL. These types SHOULD NOT be sent in IKE. See Section 3.2.3 for + discussion. + +3.3.4. PKCS #7 Wrapped X.509 Certificate + + This type defines a particular encoding, not a particular certificate + type. Implementations SHOULD NOT generate CERTs that contain this + Certificate Type. Implementations SHOULD accept CERTs that contain + this Certificate Type because several implementations are known to + generate them. Note that those implementations sometimes include + + + + + +Korver Standards Track [Page 20] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + entire certificate hierarchies inside a single CERT PKCS #7 payload, + which violates the requirement specified in ISAKMP that this payload + contain a single certificate. + +3.3.5. Location of Certificate Payloads + + In IKEv1 Main Mode, the CERT payload MUST be in messages 5 and 6. + +3.3.6. Certificate Payloads Not Mandatory + + An implementation that does not receive any CERTREQs during an + exchange SHOULD NOT send any CERT payloads, except when explicitly + configured to proactively send CERT payloads in order to interoperate + with non-compliant implementations that fail to send CERTREQs even + when certificates are desired. In this case, an implementation MAY + send the certificate chain (not including the trust anchor) + associated with the end-entity certificate. This MUST NOT be the + default behavior of implementations. + + Implementations whose local security policy configuration expects + that a peer must receive certificates through out-of-band means + SHOULD ignore any CERTREQ messages that are received. Such a + condition has been known to occur due to non-compliant or buggy + implementations. + + Implementations that receive CERTREQs from a peer that contain only + unrecognized Certification Authorities MAY elect to terminate the + exchange, in order to avoid unnecessary and potentially expensive + cryptographic processing, denial-of-service (resource starvation) + attacks. + +3.3.7. Response to Multiple Certification Authority Proposals + + In response to multiple CERTREQs that contain different Certification + Authority identities, implementations MAY respond using an end-entity + certificate which chains to a CA that matches any of the identities + provided by the peer. + +3.3.8. Using Local Keying Materials + + Implementations MAY elect to skip parsing or otherwise decoding a + given set of CERTs if those same keying materials are available via + some preferable means, such as the case where certificates from a + previous exchange have been cached. + + + + + + + +Korver Standards Track [Page 21] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +3.3.9. Multiple End-Entity Certificates + + Implementations SHOULD NOT send multiple end-entity certificates and + recipients SHOULD NOT be expected to iterate over multiple end-entity + certificates. + + If multiple end-entity certificates are sent, they MUST have the same + public key; otherwise, the responder does not know which key was used + in the Main Mode message 5. + +3.3.10. Robustness + +3.3.10.1. Unrecognized or Unsupported Certificate Types + + Implementations MUST be able to deal with receiving CERTs with + unrecognized or unsupported Certificate Types. Implementations MAY + discard such payloads, depending on local policy. ISAKMP [2] Section + 5.10, "Certificate Request Payload Processing", specifies additional + processing. + +3.3.10.2. Undecodable Certificate Data Fields + + Implementations MUST be able to deal with receiving CERTs with + undecodable Certificate Data fields. Implementations MAY discard + such payloads, depending on local policy. ISAKMP specifies other + actions that may be taken. + +3.3.10.3. Ordering of Certificate Payloads + + Implementations MUST NOT assume that CERTs are ordered in any way. + +3.3.10.4. Duplicate Certificate Payloads + + Implementations MUST support receiving multiple identical CERTs + during an exchange. + +3.3.10.5. Irrelevant Certificates + + Implementations MUST be prepared to receive certificates and CRLs + that are not relevant to the current exchange. Implementations MAY + discard such extraneous certificates and CRLs. + + Implementations MAY send certificates that are irrelevant to an + exchange. One reason for including certificates that are irrelevant + to an exchange is to minimize the threat of leaking identifying + information in exchanges where CERT is not encrypted in IKEv1. It + should be noted, however, that this probably provides rather poor + protection against leaking the identity. + + + +Korver Standards Track [Page 22] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + Another reason for including certificates that seem irrelevant to an + exchange is that there may be two chains from the Certification + Authority to the end entity, each of which is only valid with certain + validation parameters (such as acceptable policies). Since the end- + entity doesn't know which parameters the relying party is using, it + should send the certificates needed for both chains (even if there's + only one CERTREQ). + + Implementations SHOULD NOT send multiple end-entity certificates and + recipients SHOULD NOT be expected to iterate over multiple end-entity + certificates. + +3.3.11. Optimizations + +3.3.11.1. Duplicate Certificate Payloads + + Implementations SHOULD NOT send duplicate CERTs during an exchange. + Such payloads should be suppressed. + +3.3.11.2. Send Lowest 'Common' Certificates + + When multiple CERTREQs are received that specify certification + authorities within the end-entity certificate chain, implementations + MAY send the shortest chain possible. However, implementations + SHOULD always send the end-entity certificate. See Section 3.2.9.2 + for more discussion of this optimization. + +3.3.11.3. Ignore Duplicate Certificate Payloads + + Implementations MAY employ local means to recognize CERTs that have + already been received and SHOULD discard these duplicate CERTs. + +3.3.11.4. Hash Payload + + IKEv1 specifies the optional use of the Hash Payload to carry a + pointer to a certificate in either of the Phase 1 public key + encryption modes. This pointer is used by an implementation to + locate the end-entity certificate that contains the public key that a + peer should use for encrypting payloads during the exchange. + + Implementations SHOULD include this payload whenever the public + portion of the keypair has been placed in a certificate. + + + + + + + + + +Korver Standards Track [Page 23] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +4. Use of Certificates in RFC 4301 and IKEv2 + +4.1. Identification Payload + + The Peer Authorization Database (PAD) as described in RFC 4301 [14] + describes the use of the ID payload in IKEv2 and provides a formal + model for the binding of identity to policy in addition to providing + services that deal more specifically with the details of policy + enforcement, which are generally out of scope of this document. The + PAD is intended to provide a link between the SPD and the security + association management in protocols such as IKE. See RFC 4301 [14], + Section 4.4.3 for more details. + + Note that IKEv2 adds an optional IDr payload in the second exchange + that the initiator may send to the responder in order to specify + which of the responder's multiple identities should be used. The + responder MAY choose to send an IDr in the third exchange that + differs in type or content from the initiator-generated IDr. The + initiator MUST be able to receive a responder-generated IDr that is a + different type from the one the initiator generated. + +4.2. Certificate Request Payload + +4.2.1. Revocation Lists (CRL and ARL) + + IKEv2 does not support Certificate Payload sizes over approximately + 64K. See Section 3.2.3 for the problems this can cause. + +4.2.1.1. IKEv2's Hash and URL of X.509 certificate + + This ID type defines a request for the peer to send a hash and URL of + its X.509 certificate, instead of the actual certificate itself. + This is a particularly useful mechanism when the peer is a device + with little memory and lower bandwidth, e.g., a mobile handset or + consumer electronics device. + + If the IKEv2 implementation supports URL lookups, and prefers such a + URL to receiving actual certificates, then the implementation will + want to send a notify of type HTTP_CERT_LOOKUP_SUPPORTED. From IKEv2 + [3], Section 3.10.1, "This notification MAY be included in any + message that can include a CERTREQ payload and indicates that the + sender is capable of looking up certificates based on an HTTP-based + URL (and hence presumably would prefer to receive certificate + specifications in that format)". If an HTTP_CERT_LOOKUP_SUPPORTED + notification is sent, the sender MUST support the http scheme. See + Section 4.3.1 for more discussion of HTTP_CERT_LOOKUP_SUPPORTED. + + + + + +Korver Standards Track [Page 24] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +4.2.1.2. Location of Certificate Request Payloads + + In IKEv2, the CERTREQ payload must be in messages 2 and 3. Note that + in IKEv2, it is possible to have one side authenticating with + certificates while the other side authenticates with pre-shared keys. + +4.3. Certificate Payload + +4.3.1. IKEv2's Hash and URL of X.509 Certificate + + This type specifies that Certificate Data contains a hash and the URL + to a repository where an X.509 certificate can be retrieved. + + An implementation that sends an HTTP_CERT_LOOKUP_SUPPORTED + notification MUST support the http scheme and MAY support the ftp + scheme, and MUST NOT require any specific form of the url-path, and + it SHOULD support having user-name, password, and port parts in the + URL. The following are examples of mandatory forms: + + o http://certs.example.com/certificate.cer + o http://certs.example.com/certs/cert.pl?u=foo;a=pw;valid-to=+86400 + o http://certs.example.com/%0a/../foo/bar/zappa + + while the following is an example of a form that SHOULD be supported: + + o http://user:password@certs.example.com:8888/certificate.cer + + FTP MAY be supported, and if it is, the following is an example of + the ftp scheme that MUST be supported: + + o ftp://ftp.example.com/pub/certificate.cer + +4.3.2. Location of Certificate Payloads + + In IKEv2, the CERT payload MUST be in messages 3 and 4. Note that in + IKEv2, it is possible to have one side authenticating with + certificates while the other side authenticates with pre-shared keys. + +4.3.3. Ordering of Certificate Payloads + + For IKEv2, implementations MUST NOT assume that any but the first + CERT is ordered in any way. IKEv2 specifies that the first CERT + contain an end-entity certificate that can be used to authenticate + the peer. + + + + + + + +Korver Standards Track [Page 25] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5. Certificate Profile for IKEv1/ISAKMP and IKEv2 + + Except where specifically stated in this document, implementations + MUST conform to the requirements of the PKIX [5] certificate profile. + +5.1. X.509 Certificates + + Users deploying IKE and IPsec with certificates have often had little + control over the capabilities of CAs available to them. + Implementations of this specification may include configuration knobs + to disable checks required by this specification in order to permit + use with inflexible and/or noncompliant CAs. However, all checks on + certificates exist for a specific reason involving the security of + the entire system. Therefore, all checks MUST be enabled by default. + Administrators and users ought to understand the security purpose for + the various checks, and be clear on what security will be lost by + disabling the check. + +5.1.1. Versions + + Although PKIX states that "implementations SHOULD be prepared to + accept any version certificate", in practice, this profile requires + certain extensions that necessitate the use of Version 3 certificates + for all but self-signed certificates used as trust anchors. + Implementations that conform to this document MAY therefore reject + Version 1 and Version 2 certificates in all other cases. + +5.1.2. Subject + + Certification Authority implementations MUST be able to create + certificates with Subject fields with at least the following four + attributes: CN, C, O, and OU. Implementations MAY support other + Subject attributes as well. The contents of these attributes SHOULD + be configurable on a certificate-by-certificate basis, as these + fields will likely be used by IKE implementations to match SPD + policy. + + See Section 3.1.5 for details on how IKE implementations need to be + able to process Subject field attributes for SPD policy lookup. + +5.1.2.1. Empty Subject Name + + IKE Implementations MUST accept certificates that contain an empty + Subject field, as specified in the PKIX certificate profile. + Identity information in such certificates will be contained entirely + in the SubjectAltName extension. + + + + + +Korver Standards Track [Page 26] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.1.2.2. Specifying Hosts and not FQDN in the Subject Name + + Implementations that desire to place host names that are not intended + to be processed by recipients as FQDNs (for instance "Gateway + Router") in the Subject MUST use the commonName attribute. + +5.1.2.3. EmailAddress + + As specified in the PKIX certificate profile, implementations MUST + NOT populate X.500 distinguished names with the emailAddress + attribute. + +5.1.3. X.509 Certificate Extensions + + Conforming IKE implementations MUST recognize extensions that must or + may be marked critical according to this specification. These + extensions are: KeyUsage, SubjectAltName, and BasicConstraints. + + Certification Authority implementations SHOULD generate certificates + such that the extension criticality bits are set in accordance with + the PKIX certificate profile and this document. With respect to + compliance with the PKIX certificate profile, IKE implementations + processing certificates MAY ignore the value of the criticality bit + for extensions that are supported by that implementation, but MUST + support the criticality bit for extensions that are not supported by + that implementation. That is, a relying party SHOULD processes all + the extensions it is aware of whether the bit is true or false -- the + bit says what happens when a relying party cannot process an + extension. + + implements bit in cert PKIX mandate behavior + ------------------------------------------------------ + yes true true ok + yes true false ok or reject + yes false true ok or reject + yes false false ok + no true true reject + no true false reject + no false true reject + no false false ok + +5.1.3.1. AuthorityKeyIdentifier and SubjectKeyIdentifier + + Implementations SHOULD NOT assume support for the + AuthorityKeyIdentifier or SubjectKeyIdentifier extensions. Thus, + Certification Authority implementations should not generate + certificate hierarchies that are overly complex to process in the + absence of these extensions, such as those that require possibly + + + +Korver Standards Track [Page 27] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + verifying a signature against a large number of similarly named CA + certificates in order to find the CA certificate that contains the + key that was used to generate the signature. + +5.1.3.2. KeyUsage + + IKE uses an end-entity certificate in the authentication process. + The end-entity certificate may be used for multiple applications. As + such, the CA can impose some constraints on the manner that a public + key ought to be used. The KeyUsage (KU) and ExtendedKeyUsage (EKU) + extensions apply in this situation. + + Since we are talking about using the public key to validate a + signature, if the KeyUsage extension is present, then at least one of + the digitalSignature or the nonRepudiation bits in the KeyUsage + extension MUST be set (both can be set as well). It is also fine if + other KeyUsage bits are set. + + A summary of the logic flow for peer cert validation follows: + + o If no KU extension, continue. + + o If KU present and doesn't mention digitalSignature or + nonRepudiation (both, in addition to other KUs, is also fine), + reject cert. + + o If none of the above, continue. + +5.1.3.3. PrivateKeyUsagePeriod + + The PKIX certificate profile recommends against the use of this + extension. The PrivateKeyUsageExtension is intended to be used when + signatures will need to be verified long past the time when + signatures using the private keypair may be generated. Since IKE + security associations (SAs) are short-lived relative to the intended + use of this extension in addition to the fact that each signature is + validated only a single time, the usefulness of this extension in the + context of IKE is unclear. Therefore, Certification Authority + implementations MUST NOT generate certificates that contain the + PrivateKeyUsagePeriod extension. If an IKE implementation receives a + certificate with this set, it SHOULD ignore it. + + + + + + + + + + +Korver Standards Track [Page 28] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.1.3.4. CertificatePolicies + + Many IKE implementations do not currently provide support for the + CertificatePolicies extension. Therefore, Certification Authority + implementations that generate certificates that contain this + extension SHOULD NOT mark the extension as critical. As is the case + with all certificate extensions, a relying party receiving this + extension but who can process the extension SHOULD NOT reject the + certificate because it contains the extension. + +5.1.3.5. PolicyMappings + + Many IKE implementations do not support the PolicyMappings extension. + Therefore, implementations that generate certificates that contain + this extension SHOULD NOT mark the extension as critical. + +5.1.3.6. SubjectAltName + + Deployments that intend to use an ID of FQDN, USER_FQDN, IPV4_ADDR, + or IPV6_ADDR MUST issue certificates with the corresponding + SubjectAltName fields populated with the same data. Implementations + SHOULD generate only the following GeneralName choices in the + SubjectAltName extension, as these choices map to legal IKEv1/ISAKMP/ + IKEv2 Identification Payload types: rfc822Name, dNSName, or + iPAddress. Although it is possible to specify any GeneralName choice + in the Identification Payload by using the ID_DER_ASN1_GN ID type, + implementations SHOULD NOT assume support for such functionality, and + SHOULD NOT generate certificates that do so. + +5.1.3.6.1. dNSName + + If the IKE ID type is FQDN, then this field MUST contain a fully + qualified domain name. If the IKE ID type is FQDN, then the dNSName + field MUST match its contents. Implementations MUST NOT generate + names that contain wildcards. Implementations MAY treat certificates + that contain wildcards in this field as syntactically invalid. + + Although this field is in the form of an FQDN, IKE implementations + SHOULD NOT assume that this field contains an FQDN that will resolve + via the DNS, unless this is known by way of some out-of-band + mechanism. Such a mechanism is out of the scope of this document. + Implementations SHOULD NOT treat the failure to resolve as an error. + + + + + + + + + +Korver Standards Track [Page 29] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.1.3.6.2. iPAddress + + If the IKE ID type is IPV4_ADDR or IPV6_ADDR, then the iPAddress + field MUST match its contents. Note that although PKIX permits CIDR + [15] notation in the "Name Constraints" extension, the PKIX + certificate profile explicitly prohibits using CIDR notation for + conveying identity information. In other words, the CIDR notation + MUST NOT be used in the SubjectAltName extension. + +5.1.3.6.3. rfc822Name + + If the IKE ID type is USER_FQDN, then the rfc822Name field MUST match + its contents. Although this field is in the form of an Internet mail + address, IKE implementations SHOULD NOT assume that this field + contains a valid email address, unless this is known by way of some + out-of-band mechanism. Such a mechanism is out of the scope of this + document. + +5.1.3.7. IssuerAltName + + Certification Authority implementations SHOULD NOT assume that other + implementations support the IssuerAltName extension, and especially + should not assume that information contained in this extension will + be displayed to end users. + +5.1.3.8. SubjectDirectoryAttributes + + The SubjectDirectoryAttributes extension is intended to convey + identification attributes of the subject. IKE implementations MAY + ignore this extension when it is marked non-critical, as the PKIX + certificate profile mandates. + +5.1.3.9. BasicConstraints + + The PKIX certificate profile mandates that CA certificates contain + this extension and that it be marked critical. IKE implementations + SHOULD reject CA certificates that do not contain this extension. + For backwards compatibility, implementations may accept such + certificates if explicitly configured to do so, but the default for + this setting MUST be to reject such certificates. + +5.1.3.10. NameConstraints + + Many IKE implementations do not support the NameConstraints + extension. Since the PKIX certificate profile mandates that this + extension be marked critical when present, Certification Authority + implementations that are interested in maximal interoperability for + IKE SHOULD NOT generate certificates that contain this extension. + + + +Korver Standards Track [Page 30] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.1.3.11. PolicyConstraints + + Many IKE implementations do not support the PolicyConstraints + extension. Since the PKIX certificate profile mandates that this + extension be marked critical when present, Certification Authority + implementations that are interested in maximal interoperability for + IKE SHOULD NOT generate certificates that contain this extension. + +5.1.3.12. ExtendedKeyUsage + + The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in + certificates for use with IKE. Note that there were three IPsec- + related object identifiers in EKU that were assigned in 1999. The + semantics of these values were never clearly defined. The use of + these three EKU values in IKE/IPsec is obsolete and explicitly + deprecated by this specification. CAs SHOULD NOT issue certificates + for use in IKE with them. (For historical reference only, those + values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp- + ipsecUser.) + + The CA SHOULD NOT mark the EKU extension in certificates for use with + IKE and one or more other applications. Nevertheless, this document + defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a + certificate's use: + + id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 } + + where id-kp is defined in RFC 3280 [5]. If a certificate is intended + to be used with both IKE and other applications, and one of the other + applications requires use of an EKU value, then such certificates + MUST contain either the keyPurposeID id-kp-ipsecIKE or + anyExtendedKeyUsage [5], as well as the keyPurposeID values + associated with the other applications. Similarly, if a CA issues + multiple otherwise-similar certificates for multiple applications + including IKE, and it is intended that the IKE certificate NOT be + used with another application, the IKE certificate MAY contain an EKU + extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its + use with the other application. Recall, however, that EKU extensions + in certificates meant for use in IKE are NOT RECOMMENDED. + + Conforming IKE implementations are not required to support EKU. If a + critical EKU extension appears in a certificate and EKU is not + supported by the implementation, then RFC 3280 requires that the + certificate be rejected. Implementations that do support EKU MUST + support the following logic for certificate validation: + + + + + + +Korver Standards Track [Page 31] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + o If no EKU extension, continue. + + o If EKU present AND contains either id-kp-ipsecIKE or + anyExtendedKeyUsage, continue. + + o Otherwise, reject cert. + +5.1.3.13. CRLDistributionPoints + + Because this document deprecates the sending of CRLs in-band, the use + of CRLDistributionPoints (CDP) becomes very important if CRLs are + used for revocation checking (as opposed to, say, Online Certificate + Status Protocol - OCSP [16]). The IPsec peer either needs to have a + URL for a CRL written into its local configuration, or it needs to + learn it from CDP. Therefore, Certification Authority + implementations SHOULD issue certificates with a populated CDP. + + Failure to validate the CRLDistributionPoints/ + IssuingDistributionPoint pair can result in CRL substitution where an + entity knowingly substitutes a known good CRL from a different + distribution point for the CRL that is supposed to be used, which + would show the entity as revoked. IKE implementations MUST support + validating that the contents of CRLDistributionPoints match those of + the IssuingDistributionPoint to prevent CRL substitution when the + issuing CA is using them. At least one CA is known to default to + this type of CRL use. See Section 5.2.2.5 for more information. + + CDPs SHOULD be "resolvable". Several non-compliant Certification + Authority implementations are well known for including unresolvable + CDPs like http://localhost/path_to_CRL and http:///path_to_CRL that + are equivalent to failing to include the CDP extension in the + certificate. + + See the IETF IPR Web page for CRLDistributionPoints intellectual + property rights (IPR) information. Note that both the + CRLDistributionPoints and IssuingDistributionPoint extensions are + RECOMMENDED but not REQUIRED by the PKIX certificate profile, so + there is no requirement to license any IPR. + +5.1.3.14. InhibitAnyPolicy + + Many IKE implementations do not support the InhibitAnyPolicy + extension. Since the PKIX certificate profile mandates that this + extension be marked critical when present, Certification Authority + implementations that are interested in maximal interoperability for + IKE SHOULD NOT generate certificates that contain this extension. + + + + + +Korver Standards Track [Page 32] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.1.3.15. FreshestCRL + + IKE implementations MUST NOT assume that the FreshestCRL extension + will exist in peer certificates. Note that most IKE implementations + do not support delta CRLs. + +5.1.3.16. AuthorityInfoAccess + + The PKIX certificate profile defines the AuthorityInfoAccess + extension, which is used to indicate "how to access CA information + and services for the issuer of the certificate in which the extension + appears". Because this document deprecates the sending of CRLs in- + band, the use of AuthorityInfoAccess (AIA) becomes very important if + OCSP [16] is to be used for revocation checking (as opposed to CRLs). + The IPsec peer either needs to have a URI for the OCSP query written + into its local configuration, or it needs to learn it from AIA. + Therefore, implementations SHOULD support this extension, especially + if OCSP will be used. + +5.1.3.17. SubjectInfoAccess + + The PKIX certificate profile defines the SubjectInfoAccess + certificate extension, which is used to indicate "how to access + information and services for the subject of the certificate in which + the extension appears". This extension has no known use in the + context of IPsec. Conformant IKE implementations SHOULD ignore this + extension when present. + +5.2. X.509 Certificate Revocation Lists + + When validating certificates, IKE implementations MUST make use of + certificate revocation information, and SHOULD support such + revocation information in the form of CRLs, unless non-CRL revocation + information is known to be the only method for transmitting this + information. Deployments that intend to use CRLs for revocation + SHOULD populate the CRLDistributionPoints extension. Therefore, + Certification Authority implementations MUST support issuing + certificates with this field populated. IKE implementations MAY + provide a configuration option to disable use of certain types of + revocation information, but that option MUST be off by default. Such + an option is often valuable in lab testing environments. + + + + + + + + + + +Korver Standards Track [Page 33] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.2.1. Multiple Sources of Certificate Revocation Information + + IKE implementations that support multiple sources of obtaining + certificate revocation information MUST act conservatively when the + information provided by these sources is inconsistent: when a + certificate is reported as revoked by one trusted source, the + certificate MUST be considered revoked. + +5.2.2. X.509 Certificate Revocation List Extensions + +5.2.2.1. AuthorityKeyIdentifier + + Certification Authority implementations SHOULD NOT assume that IKE + implementations support the AuthorityKeyIdentifier extension, and + thus should not generate certificate hierarchies which are overly + complex to process in the absence of this extension, such as those + that require possibly verifying a signature against a large number of + similarly named CA certificates in order to find the CA certificate + which contains the key that was used to generate the signature. + +5.2.2.2. IssuerAltName + + Certification Authority implementations SHOULD NOT assume that IKE + implementations support the IssuerAltName extension, and especially + should not assume that information contained in this extension will + be displayed to end users. + +5.2.2.3. CRLNumber + + As stated in the PKIX certificate profile, all issuers MUST include + this extension in all CRLs. + +5.2.2.4. DeltaCRLIndicator + +5.2.2.4.1. If Delta CRLs Are Unsupported + + IKE implementations that do not support delta CRLs MUST reject CRLs + that contain the DeltaCRLIndicator (which MUST be marked critical + according to the PKIX certificate profile) and MUST make use of a + base CRL if it is available. Such implementations MUST ensure that a + delta CRL does not "overwrite" a base CRL, for instance, in the + keying material database. + + + + + + + + + +Korver Standards Track [Page 34] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +5.2.2.4.2. Delta CRL Recommendations + + Since some IKE implementations that do not support delta CRLs may + behave incorrectly or insecurely when presented with delta CRLs, + administrators and deployers should consider whether issuing delta + CRLs increases security before issuing such CRLs. And, if all the + elements in the VPN and PKI systems do not adequately support Delta + CRLs, then their use should be questioned. + + The editors are aware of several implementations that behave in an + incorrect or insecure manner when presented with delta CRLs. See + Appendix A for a description of the issue. Therefore, this + specification RECOMMENDS NOT issuing delta CRLs at this time. On the + other hand, failure to issue delta CRLs may expose a larger window of + vulnerability if a full CRL is not issued as often as delta CRLs + would be. See the Security Considerations section of the PKIX [5] + certificate profile for additional discussion. Implementers as well + as administrators are encouraged to consider these issues. + +5.2.2.5. IssuingDistributionPoint + + A CA that is using CRLDistributionPoints may do so to provide many + "small" CRLs, each only valid for a particular set of certificates + issued by that CA. To associate a CRL with a certificate, the CA + places the CRLDistributionPoints extension in the certificate, and + places the IssuingDistributionPoint in the CRL. The + distributionPointName field in the CRLDistributionPoints extension + MUST be identical to the distributionPoint field in the + IssuingDistributionPoint extension. At least one CA is known to + default to this type of CRL use. See Section 5.1.3.13 for more + information. + +5.2.2.6. FreshestCRL + + Given the recommendations against Certification Authority + implementations generating delta CRLs, this specification RECOMMENDS + that implementations do not populate CRLs with the FreshestCRL + extension, which is used to obtain delta CRLs. + +5.3. Strength of Signature Hashing Algorithms + + At the time that this document is being written, popular + certification authorities and CA software issue certificates using + the RSA-with-SHA1 and RSA-with-MD5 signature algorithms. + Implementations MUST be able to validate certificates with either of + those algorithms. + + + + + +Korver Standards Track [Page 35] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + As described in [17], both the MD5 and SHA-1 hash algorithms are + weaker than originally expected with respect to hash collisions. + Certificates that use these hash algorithms as part of their + signature algorithms could conceivably be subject to an attack where + a CA issues a certificate with a particular identity, and the + recipient of that certificate can create a different valid + certificate with a different identity. So far, such an attack is + only theoretical, even with the weaknesses found in the hash + algorithms. + + Because of the recent attacks, there has been a heightened interest + in having widespread deployment of additional signature algorithms. + The algorithm that has been mentioned most often is RSA-with-SHA256, + two types of which are described in detail in [18]. It is widely + expected that this signature algorithm will be much more resilient to + collision-based attacks than the current RSA-with-SHA1 and RSA-with- + MD5, although no proof of that has been shown. There is active + discussion in the cryptographic community of better hash functions + that could be used in signature algorithms. + + In order to interoperate, all implementations need to be able to + validate signatures for all algorithms that the implementations will + encounter. Therefore, implementations SHOULD be able to use + signatures that use the sha256WithRSAEncryption signature algorithm + (PKCS#1 version 1.5) as soon as possible. At the time that this + document is being written, there is at least one CA that supports + generating certificates with sha256WithRSAEncryption signature + algorithm, and it is expected that there will be significant + deployment of this algorithm by the end of 2007. + +6. Configuration Data Exchange Conventions + + Below, we present a common format for exchanging configuration data. + Implementations MUST support these formats, MUST support receiving + arbitrary whitespace at the beginning and end of any line, MUST + support receiving arbitrary line lengths although they SHOULD + generate lines less than 76 characters, and MUST support receiving + the following three line-termination disciplines: LF (US-ASCII 10), + CR (US-ASCII 13), and CRLF. + +6.1. Certificates + + Certificates MUST be Base64 [19] encoded and appear between the + following delimiters: + + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- + + + + +Korver Standards Track [Page 36] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +6.2. CRLs and ARLs + + CRLs and ARLs MUST be Base64 encoded and appear between the following + delimiters: + + -----BEGIN CRL----- + -----END CRL----- + +6.3. Public Keys + + IKE implementations MUST support two forms of public keys: + certificates and so-called "raw" keys. Certificates should be + transferred in the same form as Section 6.1. A raw key is only the + SubjectPublicKeyInfo portion of the certificate, and MUST be Base64 + encoded and appear between the following delimiters: + + -----BEGIN PUBLIC KEY----- + -----END PUBLIC KEY----- + +6.4. PKCS#10 Certificate Signing Requests + + A PKCS#10 [9] Certificate Signing Request MUST be Base64 encoded and + appear between the following delimiters: + + -----BEGIN CERTIFICATE REQUEST----- + -----END CERTIFICATE REQUEST----- + +7. Security Considerations + +7.1. Certificate Request Payload + + The Contents of CERTREQ are not encrypted in IKE. In some + environments, this may leak private information. Administrators in + some environments may wish to use the empty Certification Authority + option to prevent such information from leaking, at the cost of + performance. + +7.2. IKEv1 Main Mode + + Certificates may be included in any message, and therefore + implementations may wish to respond with CERTs in a message that + offers privacy protection in Main Mode messages 5 and 6. + + Implementations may not wish to respond with CERTs in the second + message, thereby violating the identity protection feature of Main + Mode in IKEv1. + + + + + +Korver Standards Track [Page 37] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +7.3. Disabling Certificate Checks + + It is important to note that anywhere this document suggests + implementers provide users with the configuration option to simplify, + modify, or disable a feature or verification step, there may be + security consequences for doing so. Deployment experience has shown + that such flexibility may be required in some environments, but + making use of such flexibility can be inappropriate in others. Such + configuration options MUST default to "enabled" and it is appropriate + to provide warnings to users when disabling such features. + +8. Acknowledgements + + The authors would like to acknowledge the expired document "A PKIX + Profile for IKE" (July 2000) for providing valuable materials for + this document. + + The authors would like to especially thank Eric Rescorla, one of its + original authors, in addition to Greg Carter, Steve Hanna, Russ + Housley, Charlie Kaufman, Tero Kivinen, Pekka Savola, Paul Hoffman, + and Gregory Lebovitz for their valuable comments, some of which have + been incorporated verbatim into this document. Paul Knight performed + the arduous task of converting the text to XML format. + +9. References + +9.1. Normative References + + [1] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [2] Maughan, D., Schneider, M., and M. Schertler, "Internet + Security Association and Key Management Protocol (ISAKMP)", RFC + 2408, November 1998. + + [3] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC + 4306, December 2005. + + [4] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [5] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 + Public Key Infrastructure Certificate and Certificate + Revocation List (CRL) Profile", RFC 3280, April 2002. + + [6] Piper, D., "The Internet IP Security Domain of Interpretation + for ISAKMP", RFC 2407, November 1998. + + + + +Korver Standards Track [Page 38] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [8] Postel, J., "Internet Protocol", STD 5, RFC 791, September + 1981. + + [9] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request + Syntax Specification Version 1.7", RFC 2986, November 2000. + +9.2. Informative References + + [10] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) + Specification", RFC 2460, December 1998. + + [11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + [12] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications (IDNA)", RFC + 3490, March 2003. + + [13] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP + Addresses and AS Identifiers", RFC 3779, June 2004. + + [14] Kent, S. and K. Seo, "Security Architecture for the Internet + Protocol", RFC 4301, December 2005. + + [15] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): + The Internet Address Assignment and Aggregation Plan", BCP 122, + RFC 4632, August 2006. + + [16] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, + "X.509 Internet Public Key Infrastructure Online Certificate + Status Protocol - OCSP", RFC 2560, June 1999. + + [17] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes + in Internet Protocols", RFC 4270, November 2005. + + [18] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms + and Identifiers for RSA Cryptography for use in the Internet + X.509 Public Key Infrastructure Certificate and Certificate + Revocation List (CRL) Profile", RFC 4055, June 2005. + + [19] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", + RFC 4648, October 2006. + + + + + +Korver Standards Track [Page 39] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +Appendix A. The Possible Dangers of Delta CRLs + + The problem is that the CRL processing algorithm is sometimes written + incorrectly with the assumption that all CRLs are base CRLs and it is + assumed that CRLs will pass content validity tests. Specifically, + such implementations fail to check the certificate against all + possible CRLs: if the first CRL that is obtained from the keying + material database fails to decode, no further revocation checks are + performed for the relevant certificate. This problem is compounded + by the fact that implementations that do not understand delta CRLs + may fail to decode such CRLs due to the critical DeltaCRLIndicator + extension. The algorithm that is implemented in this case is + approximately: + + o fetch newest CRL + + o check validity of CRL signature + + o if CRL signature is valid, then + + o if CRL does not contain unrecognized critical extensions and + certificate is on CRL, then set certificate status to revoked + + The authors note that a number of PKI toolkits do not even provide a + method for obtaining anything but the newest CRL, which in the + presence of delta CRLs may in fact be a delta CRL, not a base CRL. + + Note that the above algorithm is dangerous in many ways. See the + PKIX [5] certificate profile for the correct algorithm. + +Appendix B. More on Empty CERTREQs + + Sending empty certificate requests is commonly used in + implementations, and in the IPsec interop meetings, vendors have + generally agreed that it means that send all/any end-entity + certificates you have (if multiple end-entity certificates are sent, + they must have same public key, as otherwise, the other end does not + know which key was used). For 99% of cases, the client has exactly + one certificate and public key, so it really doesn't matter, but the + server might have multiple; thus, it simply needs to say to the + client, use any certificate you have. If we are talking about + corporate VPNs, etc., even if the client has multiple certificates or + keys, all of them would be usable when authenticating to the server, + so the client can simply pick one. + + If there is some real difference on which certificate to use (like + ones giving different permissions), then the client must be + configured anyway, or it might even ask the user which one to use + + + +Korver Standards Track [Page 40] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + (the user is the only one who knows whether he needs admin + privileges, thus needs to use admin cert, or if the normal email + privileges are ok, thus uses email only cert). + + In 99% of the cases, the client has exactly one certificate, so it + will send it. In 90% of the rest of the cases, any of the + certificates is ok, as they are simply different certificates from + the same CA, or from different CAs for the same corporate VPN, thus + any of them is ok. + + Sending empty certificate requests has been agreed there to mean + "give me your cert, any cert". + + Justification: + + o Responder first does all it can to send a CERTREQ with a CA, check + for IP match in SPD, have a default set of CAs to use in ambiguous + cases, etc. + + o Sending empty CERTREQs is fairly common in implementations today, + and is generally accepted to mean "send me a certificate, any + certificate that works for you". + + o Saves responder sending potentially hundreds of certs, the + fragmentation problems that follow, etc. + + o In +90% of use cases, Initiators have exactly one certificate. + + o In +90% of the remaining use cases, the multiple certificates it + has are issued by the same CA. + + o In the remaining use case(s) -- if not all the others above -- the + Initiator will be configured explicitly with which certificate to + send, so responding to an empty CERTREQ is easy. + + The following example shows why initiators need to have sufficient + policy definition to know which certificate to use for a given + connection it initiates. + + EXAMPLE: Your client (initiator) is configured with VPN policies for + gateways A and B (representing perhaps corporate partners). + + + + + + + + + + +Korver Standards Track [Page 41] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + + The policies for the two gateways look something like: + + Acme Company policy (gateway A) + Engineering can access 10.1.1.0 + Trusted CA: CA-A, Trusted Users: OU=Engineering + Partners can access 20.1.1.0 + Trusted CA: CA-B, Trusted Users: OU=AcmePartners + + Bizco Company policy (gateway B) + Sales can access 30.1.1.0 + Trusted CA: CA-C, Trusted Users: OU=Sales + Partners can access 40.1.1.0 + Trusted CA: CA-B, Trusted Users: OU=BizcoPartners + + You are an employee of Acme and you are issued the following + certificates: + + o From CA-A: CN=JoeUser,OU=Engineering + o From CA-B: CN=JoePartner,OU=BizcoPartners + + The client MUST be configured locally to know which CA to use when + connecting to either gateway. If your client is not configured to + know the local credential to use for the remote gateway, this + scenario will not work either. If you attempt to connect to Bizco, + everything will work... as you are presented with responding with a + certificate signed by CA-B or CA-C... as you only have a certificate + from CA-B you are OK. If you attempt to connect to Acme, you have an + issue because you are presented with an ambiguous policy selection. + As the initiator, you will be presented with certificate requests + from both CA-A and CA-B. You have certificates issued by both CAs, + but only one of the certificates will be usable. How does the client + know which certificate it should present? It must have sufficiently + clear local policy specifying which one credential to present for the + connection it initiates. + +Author's Address + + Brian Korver + Network Resonance, Inc. + 2483 E. Bayshore Rd. + Palo Alto, CA 94303 + US + + Phone: +1 650 812 7705 + EMail: briank@networkresonance.com + + + + + + +Korver Standards Track [Page 42] + +RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Korver Standards Track [Page 43] + |