summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7402.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7402.txt')
-rw-r--r--doc/rfc/rfc7402.txt2243
1 files changed, 2243 insertions, 0 deletions
diff --git a/doc/rfc/rfc7402.txt b/doc/rfc/rfc7402.txt
new file mode 100644
index 0000000..0aaeac2
--- /dev/null
+++ b/doc/rfc/rfc7402.txt
@@ -0,0 +1,2243 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) P. Jokela
+Request for Comments: 7402 Ericsson Research NomadicLab
+Obsoletes: 5202 R. Moskowitz
+Category: Standards Track HTT Consulting
+ISSN: 2070-1721 J. Melen
+ Ericsson Research NomadicLab
+ April 2015
+
+
+ Using the Encapsulating Security Payload (ESP) Transport Format
+ with the Host Identity Protocol (HIP)
+
+Abstract
+
+ This memo specifies an Encapsulating Security Payload (ESP) based
+ mechanism for transmission of user data packets, to be used with the
+ Host Identity Protocol (HIP). This document obsoletes RFC 5202.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7402.
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+Jokela, et al. Standards Track [Page 1]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Conventions Used in This Document ...............................4
+ 3. Using ESP with HIP ..............................................4
+ 3.1. ESP Packet Format ..........................................5
+ 3.2. Conceptual ESP Packet Processing ...........................5
+ 3.2.1. Semantics of the Security Parameter Index (SPI) .....6
+ 3.3. Security Association Establishment and Maintenance .........6
+ 3.3.1. ESP Security Associations ...........................6
+ 3.3.2. Rekeying ............................................7
+ 3.3.3. Security Association Management .....................8
+ 3.3.4. Security Parameter Index (SPI) ......................8
+ 3.3.5. Supported Ciphers ...................................8
+ 3.3.6. Sequence Number .....................................9
+ 3.3.7. Lifetimes and Timers ................................9
+ 3.4. IPsec and HIP ESP Implementation Considerations ............9
+ 3.4.1. Data Packet Processing Considerations ..............10
+ 3.4.2. HIP Signaling Packet Considerations ................10
+ 4. The Protocol ...................................................11
+ 4.1. ESP in HIP ................................................11
+ 4.1.1. IPsec ESP Transport Format Type ....................11
+ 4.1.2. Setting Up an ESP Security Association .............11
+ 4.1.3. Updating an Existing ESP SA ........................12
+ 5. Parameter and Packet Formats ...................................13
+ 5.1. New Parameters ............................................13
+ 5.1.1. ESP_INFO ...........................................13
+ 5.1.2. ESP_TRANSFORM ......................................15
+ 5.1.3. NOTIFICATION Parameter .............................16
+ 5.2. HIP ESP Security Association Setup ........................17
+ 5.2.1. Setup during Base Exchange .........................17
+ 5.3. HIP ESP Rekeying ..........................................18
+ 5.3.1. Initializing Rekeying ..............................19
+ 5.3.2. Responding to the Rekeying Initialization ..........19
+ 5.4. ICMP Messages .............................................20
+ 5.4.1. Unknown SPI ........................................20
+ 6. Packet Processing ..............................................20
+ 6.1. Processing Outgoing Application Data ......................20
+ 6.2. Processing Incoming Application Data ......................21
+ 6.3. HMAC and SIGNATURE Calculation and Verification ...........21
+ 6.4. Processing Incoming ESP SA Initialization (R1) ............22
+ 6.5. Processing Incoming Initialization Reply (I2) .............22
+ 6.6. Processing Incoming ESP SA Setup Finalization (R2) ........23
+ 6.7. Dropping HIP Associations .................................23
+ 6.8. Initiating ESP SA Rekeying ................................23
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 2]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ 6.9. Processing Incoming UPDATE Packets ........................24
+ 6.9.1. Processing UPDATE Packet: No Outstanding
+ Rekeying Request ...................................25
+ 6.10. Finalizing Rekeying ......................................26
+ 6.11. Processing NOTIFY Packets ................................26
+ 7. Keying Material ................................................27
+ 8. Security Considerations ........................................27
+ 9. IANA Considerations ............................................28
+ 10. References ....................................................29
+ 10.1. Normative References .....................................29
+ 10.2. Informative References ...................................30
+ Appendix A. A Note on Implementation Options ......................32
+ Appendix B. Bound End-to-End Tunnel Mode for ESP ..................32
+ B.1. Protocol Definition ........................................33
+ B.1.1. Changes to Security Association Data Structures .....33
+ B.1.2. Packet Format .......................................34
+ B.1.3. Cryptographic Processing ............................36
+ B.1.4. IP Header Processing ................................36
+ B.1.5. Handling of Outgoing Packets ........................37
+ B.1.6. Handling of Incoming Packets ........................38
+ B.1.7. Handling of IPv4 Options ............................39
+ Acknowledgments ...................................................40
+ Authors' Addresses ................................................40
+
+1. Introduction
+
+ In the Host Identity Protocol Architecture [HIP-ARCH], hosts are
+ identified with public keys. The Host Identity Protocol (HIP)
+ [RFC7401] base exchange allows any two HIP-supporting hosts to
+ authenticate each other and to create a HIP association between
+ themselves. During the base exchange, the hosts generate a piece of
+ shared keying material using an authenticated Diffie-Hellman
+ exchange.
+
+ The HIP base exchange specification [RFC7401] does not describe any
+ transport formats or methods for user data to be used during the
+ actual communication; it only defines that it is mandatory to
+ implement the Encapsulating Security Payload (ESP) [RFC4303] based
+ transport format and method. This document specifies how ESP is used
+ with HIP to carry actual user data.
+
+ To be more specific, this document specifies a set of HIP protocol
+ extensions and their handling. Using these extensions, a pair of ESP
+ Security Associations (SAs) is created between the hosts during the
+ base exchange. The resulting ESP Security Associations use keys
+ drawn from the keying material (KEYMAT) generated during the base
+ exchange. After the HIP association and required ESP SAs have been
+
+
+
+
+Jokela, et al. Standards Track [Page 3]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ established between the hosts, the user data communication is
+ protected using ESP. In addition, this document specifies methods to
+ update an existing ESP Security Association.
+
+ It should be noted that representations of Host Identity are not
+ carried explicitly in the headers of user data packets. Instead, the
+ ESP Security Parameter Index (SPI) is used to indicate the right host
+ context. The SPIs are selected during the HIP ESP setup exchange.
+ For user data packets, ESP SPIs (in possible combination with IP
+ addresses) are used indirectly to identify the host context, thereby
+ avoiding any additional explicit protocol headers.
+
+ HIP and ESP traffic have known issues with middlebox traversal (RFC
+ 5207 [RFC5207]). Other specifications exist for operating HIP and
+ ESP over UDP. (RFC 5770 [RFC5770] is an experimental specification,
+ and others are being developed.) Middlebox traversal is out of scope
+ for this document.
+
+ This document obsoletes RFC 5202.
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+3. Using ESP with HIP
+
+ The HIP base exchange is used to set up a HIP association between two
+ hosts. The base exchange provides two-way host authentication and
+ key material generation, but it does not provide any means for
+ protecting data communication between the hosts. In this document,
+ we specify the use of ESP for protecting user data traffic after the
+ HIP base exchange. Note that this use of ESP is intended only for
+ host-to-host traffic; security gateways are not supported.
+
+ To support ESP use, the HIP base exchange messages require some minor
+ additions to the parameters transported. In the R1 packet, the
+ Responder adds the possible ESP transforms in an ESP_TRANSFORM
+ parameter before sending it to the Initiator. The Initiator gets the
+ proposed transforms, selects one of those proposed transforms, and
+ adds it to the I2 packet in an ESP_TRANSFORM parameter. In this I2
+ packet, the Initiator also sends the SPI value that it wants to be
+ used for ESP traffic flowing from the Responder to the Initiator.
+ This information is carried using the ESP_INFO parameter. When
+ finalizing the ESP SA setup, the Responder sends its SPI value to the
+ Initiator in the R2 packet, again using ESP_INFO.
+
+
+
+
+Jokela, et al. Standards Track [Page 4]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+3.1. ESP Packet Format
+
+ The ESP specification [RFC4303] defines the ESP packet format for
+ IPsec. The HIP ESP packet looks exactly the same as the IPsec ESP
+ transport format packet. The semantics, however, are a bit different
+ and are described in more detail in the next subsection.
+
+3.2. Conceptual ESP Packet Processing
+
+ ESP packet processing can be implemented in different ways in HIP.
+ It is possible to implement it in a way that a standards compliant,
+ unmodified IPsec implementation [RFC4303] can be used in conjunction
+ with some additional transport checksum processing above it, and if
+ IP addresses are used as indexes to the right host context.
+
+ When a standards compliant IPsec implementation that uses IP
+ addresses in the Security Policy Database (SPD) and Security
+ Association Database (SAD) is used, the packet processing may take
+ the following steps. For outgoing packets, assuming that the
+ upper-layer pseudo header has been built using IP addresses, the
+ implementation recalculates upper-layer checksums using Host Identity
+ Tags (HITs) and, after that, changes the packet source and
+ destination addresses back to corresponding IP addresses. The packet
+ is sent to the IPsec ESP for transport mode handling, and from there
+ the encrypted packet is sent to the network. When an ESP packet is
+ received, the packet is first put through the IPsec ESP transport
+ mode handling, and after decryption, the source and destination IP
+ addresses are replaced with HITs, and finally, upper-layer checksums
+ are verified before passing the packet to the upper layer.
+
+ An alternative way to implement packet processing is the BEET (Bound
+ End-to-End Tunnel) mode (see Appendix B). In BEET mode, the ESP
+ packet is formatted as a transport mode packet, but the semantics of
+ the connection are the same as for tunnel mode. The "outer"
+ addresses of the packet are the IP addresses, and the "inner"
+ addresses are the HITs. For outgoing traffic, after the packet has
+ been encrypted, the packet's IP header is changed to a new one that
+ contains IP addresses instead of HITs, and the packet is sent to the
+ network. When the ESP packet is received, the SPI value, together
+ with the integrity protection, allow the packet to be securely
+ associated with the right HIT pair. The packet header is replaced
+ with a new header containing HITs, and the packet is decrypted. BEET
+ mode is completely internal for a host and doesn't require that the
+ corresponding host implement it; instead, the corresponding host can
+ have ESP transport mode and do HIT IP conversions outside ESP.
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 5]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+3.2.1. Semantics of the Security Parameter Index (SPI)
+
+ SPIs are used in ESP to find the right Security Association for
+ received packets. The ESP SPIs have added significance when used
+ with HIP; they are a compressed representation of a pair of HITs.
+ Thus, SPIs MAY be used by intermediary systems in providing services
+ like address mapping. Note that since the SPI has significance at
+ the receiver, only the < DST, SPI >, where DST is a destination IP
+ address, uniquely identifies the receiver HIT at any given point of
+ time. The same SPI value may be used by several hosts. A single
+ < DST, SPI > value may denote different hosts and contexts at
+ different points of time, depending on the host that is currently
+ reachable at the DST.
+
+ Each host selects for itself the SPI it wants to see in packets
+ received from its peer. This allows it to select different SPIs for
+ different peers. The SPI selection SHOULD be random; the rules of
+ Section 2.1 of the ESP specification [RFC4303] must be followed. A
+ different SPI SHOULD be used for each HIP exchange with a particular
+ host; this is to avoid a replay attack. Additionally, when a host
+ rekeys, the SPI MUST be changed. Furthermore, if a host changes over
+ to use a different IP address, it MAY change the SPI.
+
+ One method for SPI creation that meets the above criteria would be to
+ concatenate the HIT with a 32-bit random or sequential number, hash
+ this (using SHA1), and then use the high-order 32 bits as the SPI.
+
+ The selected SPI is communicated to the peer in the third (I2) and
+ fourth (R2) packets of the base HIP exchange. Changes in SPI are
+ signaled with ESP_INFO parameters.
+
+3.3. Security Association Establishment and Maintenance
+
+3.3.1. ESP Security Associations
+
+ In HIP, ESP Security Associations are set up between the HIP nodes
+ during the base exchange [RFC7401]. Existing ESP SAs can be updated
+ later using UPDATE messages. The reason for updating the ESP SA
+ later can be, for example, a need for rekeying the SA because of
+ sequence number rollover.
+
+ Upon setting up a HIP association, each association is linked to two
+ ESP SAs, one for incoming packets and one for outgoing packets. The
+ Initiator's incoming SA corresponds with the Responder's outgoing
+ one, and vice versa. The Initiator defines the SPI for its incoming
+ association, as defined in Section 3.2.1. This SA is herein called
+
+
+
+
+
+Jokela, et al. Standards Track [Page 6]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ SA-RI, and the corresponding SPI is called SPI-RI. Respectively, the
+ Responder's incoming SA corresponds with the Initiator's outgoing SA
+ and is called SA-IR, with the SPI being called SPI-IR.
+
+ The Initiator creates SA-RI as a part of R1 processing, before
+ sending out the I2, as explained in Section 6.4. The keys are
+ derived from KEYMAT, as defined in Section 7. The Responder creates
+ SA-RI as a part of I2 processing; see Section 6.5.
+
+ The Responder creates SA-IR as a part of I2 processing, before
+ sending out R2; see Section 6.5. The Initiator creates SA-IR when
+ processing R2; see Section 6.6.
+
+ The initial session keys are drawn from the generated keying
+ material, KEYMAT, after the HIP keys have been drawn as specified in
+ [RFC7401].
+
+ When the HIP association is removed, the related ESP SAs MUST also be
+ removed.
+
+3.3.2. Rekeying
+
+ After the initial HIP base exchange and SA establishment, both hosts
+ are in the ESTABLISHED state. There are no longer Initiator and
+ Responder roles, and the association is symmetric. In this
+ subsection, the party that initiates the rekey procedure is denoted
+ with I' and the peer with R'.
+
+ An existing HIP-created ESP SA may need updating during the lifetime
+ of the HIP association. This document specifies the rekeying of an
+ existing HIP-created ESP SA, using the UPDATE message. The ESP_INFO
+ parameter introduced above is used for this purpose.
+
+ I' initiates the ESP SA updating process when needed (see
+ Section 6.8). It creates an UPDATE packet with required information
+ and sends it to the peer node. The old SAs are still in use, local
+ policy permitting.
+
+ R', after receiving and processing the UPDATE (see Section 6.9),
+ generates new SAs: SA-I'R' and SA-R'I'. It does not take the new
+ outgoing SA into use, but still uses the old one, so there
+ temporarily exist two SA pairs towards the same peer host. The SPI
+ for the new outgoing SA, SPI-R'I', is specified in the received
+ ESP_INFO parameter in the UPDATE packet. For the new incoming SA, R'
+ generates the new SPI value, SPI-I'R', and includes it in the
+ response UPDATE packet.
+
+
+
+
+
+Jokela, et al. Standards Track [Page 7]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ When I' receives a response UPDATE from R', it generates new SAs, as
+ described in Section 6.9: SA-I'R' and SA-R'I'. It starts using the
+ new outgoing SA immediately.
+
+ R' starts using the new outgoing SA when it receives traffic on the
+ new incoming SA or when it receives the UPDATE ACK confirming
+ completion of rekeying. After this, R' can remove the old SAs.
+ Similarly, when the I' receives traffic from the new incoming SA, it
+ can safely remove the old SAs.
+
+3.3.3. Security Association Management
+
+ An SA pair is indexed by the 2 SPIs and 2 HITs (both local and remote
+ HITs since a system can have more than one HIT). An inactivity timer
+ is RECOMMENDED for all SAs. If the state dictates the deletion of an
+ SA, a timer is set to allow for any late arriving packets.
+
+3.3.4. Security Parameter Index (SPI)
+
+ The SPIs in ESP provide a simple compression of the HIP data from all
+ packets after the HIP exchange. This does require a per HIT-pair
+ Security Association (and SPI), and a decrease of policy granularity
+ over other Key Management Protocols like Internet Key Exchange (IKE)
+ [RFC7296].
+
+ When a host updates the ESP SA, it provides a new inbound SPI to and
+ gets a new outbound SPI from its peer.
+
+3.3.5. Supported Ciphers
+
+ All HIP implementations MUST support AES-128-CBC and AES-256-CBC
+ [RFC3602]. If the Initiator does not support any of the transforms
+ offered by the Responder, it should abandon the negotiation and
+ inform the peer with a NOTIFY message about a non-supported
+ transform.
+
+ In addition to AES-128-CBC, all implementations SHOULD implement the
+ ESP NULL encryption algorithm. When the ESP NULL encryption is used,
+ it MUST be used together with SHA-256 authentication as specified in
+ Section 5.1.2.
+
+ When an authentication-only suite is used (NULL, AES-CMAC-96, and
+ AES-GMAC are examples), the suite MUST NOT be accepted if offered by
+ the peer unless the local policy configuration regarding the peer
+ host is explicitly set to allow an authentication-only mode. This is
+ to prevent sessions from being downgraded to an authentication-only
+ mode when one side's policy requests privacy for the session.
+
+
+
+
+Jokela, et al. Standards Track [Page 8]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+3.3.6. Sequence Number
+
+ The Sequence Number field is MANDATORY when ESP is used with HIP.
+ Anti-replay protection MUST be used in an ESP SA established with
+ HIP. When ESP is used with HIP, a 64-bit sequence number MUST be
+ used. This means that each host MUST rekey before its sequence
+ number reaches 2^64.
+
+ When using a 64-bit sequence number, the higher 32 bits are NOT
+ included in the ESP header, but are simply kept local to both peers.
+ See [RFC4301].
+
+3.3.7. Lifetimes and Timers
+
+ HIP does not negotiate any lifetimes. All ESP lifetimes are local
+ policy. The only lifetimes a HIP implementation MUST support are
+ sequence number rollover (for replay protection), and SHOULD support
+ timing out inactive ESP SAs. An SA times out if no packets are
+ received using that SA. Implementations SHOULD support a
+ configurable SA timeout value. Implementations MAY support lifetimes
+ for the various ESP transforms. Each implementation SHOULD implement
+ per-HIT configuration of the inactivity timeout, allowing statically
+ configured HIP associations to stay alive for days, even when
+ inactive.
+
+3.4. IPsec and HIP ESP Implementation Considerations
+
+ When HIP is run on a node where a standards compliant IPsec is used,
+ some issues have to be considered.
+
+ The HIP implementation must be able to co-exist with other IPsec
+ keying protocols. When the HIP implementation selects the SPI value,
+ it may lead to a collision if not implemented properly. To avoid the
+ possibility for a collision, the HIP implementation MUST ensure that
+ the SPI values used for HIP SAs are not used for IPsec or other SAs,
+ and vice versa.
+
+ Incoming packets using an SA that is not negotiated by HIP MUST NOT
+ be processed as described in Section 3.2, paragraph 2. The SPI will
+ identify the correct SA for packet decryption and MUST be used to
+ identify that the packet has an upper-layer checksum that is
+ calculated as specified in [RFC7401].
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 9]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+3.4.1. Data Packet Processing Considerations
+
+ For outbound traffic, the SPD (or coordinated SPDs, if there are two
+ -- one for HIP and one for IPsec) MUST ensure that packets intended
+ for HIP processing are given a HIP-enabled SA and that packets
+ intended for IPsec processing are given an IPsec-enabled SA. The SP
+ then MUST be bound to the matching SA, and non-HIP packets will not
+ be processed by this SA. Data originating from a socket that is not
+ using HIP MUST NOT have the checksum recalculated (as described in
+ Section 3.2, paragraph 2), and data MUST NOT be passed to the SP or
+ SA created by HIP.
+
+ It is possible that in the case of overlapping policies, the outgoing
+ packet would be handled by both IPsec and HIP. In this case, it is
+ possible that the HIP association is end to end, while the IPsec SA
+ is for encryption between the HIP host and a security gateway. In
+ the case of a security gateway ESP association, the ESP always uses
+ tunnel mode.
+
+ In the case of IPsec tunnel mode, it is hard to see during the HIP SA
+ processing if the IPsec ESP SA has the same final destination. Thus,
+ traffic MUST be encrypted with both the HIP ESP SA and the IPsec SA
+ when the IPsec ESP SA is used in tunnel mode.
+
+ In the case of IPsec transport mode, the connection endpoints are the
+ same. However, for HIP data packets it is not possible to avoid HIP
+ SA processing, while mapping the HIP data packet's IP addresses to
+ the corresponding HITs requires SPI values from the ESP header. In
+ the case of a transport mode IPsec SA, the IPsec encryption MAY be
+ skipped to avoid double encryption, if the local policy allows.
+
+3.4.2. HIP Signaling Packet Considerations
+
+ In general, HIP signaling packets should follow the same processing
+ as HIP data packets.
+
+ In the case of IPsec tunnel mode, the HIP signaling packets are
+ always encrypted using an IPsec ESP SA. Note that this hides the HIP
+ signaling packets from the eventual HIP middleboxes on the path
+ between the originating host and the security gateway.
+
+ In the case of IPsec transport mode, the HIP signaling packets MAY
+ skip the IPsec ESP SA encryption if the local policy allows. This
+ allows the eventual HIP middleboxes to handle the passing HIP
+ signaling packets.
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 10]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+4. The Protocol
+
+ In this section, the protocol for setting up an ESP association to be
+ used with a HIP association is described.
+
+4.1. ESP in HIP
+
+4.1.1. IPsec ESP Transport Format Type
+
+ The HIP handshake signals the TRANSPORT_FORMAT_LIST parameter in the
+ R1 and I2 messages. This parameter contains a list of the supported
+ HIP transport formats of the sending host, in the order of
+ preference. The transport format type for IPsec ESP is the type
+ number of the ESP_TRANSFORM parameter, i.e., 4095.
+
+4.1.2. Setting Up an ESP Security Association
+
+ Setting up an ESP Security Association between hosts using HIP is
+ performed by including parameters in the last three messages (R1, I2,
+ and R2 messages) of the four-message HIP base exchange.
+
+ Initiator Responder
+
+ I1
+ ---------------------------------->
+
+ R1: ESP_TRANSFORM
+ <----------------------------------
+
+ I2: ESP_TRANSFORM, ESP_INFO
+ ---------------------------------->
+
+ R2: ESP_INFO
+ <----------------------------------
+
+ The R1 message contains the ESP_TRANSFORM parameter, in which the
+ sending host defines the possible ESP transforms it is willing to use
+ for the ESP SA.
+
+ Including the ESP_TRANSFORM parameter in the R1 message adds clarity
+ to the TRANSPORT_FORMAT_LIST but may initiate negotiations for
+ possibly unselected transforms. However, resource-constrained
+ devices will most likely restrict support to a single transform for
+ the sake of minimizing ROM overhead, and the additional parameter
+ adds negligible overhead with unconstrained devices.
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 11]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ The I2 message contains the response to an ESP_TRANSFORM received in
+ the R1 message. The sender must select one of the proposed ESP
+ transforms from the ESP_TRANSFORM parameter in the R1 message and
+ include the selected one in the ESP_TRANSFORM parameter in the I2
+ packet. In addition to the transform, the host includes the ESP_INFO
+ parameter containing the SPI value to be used by the peer host.
+
+ In the R2 message, the ESP SA setup is finalized. The packet
+ contains the SPI information required by the Initiator for the
+ ESP SA.
+
+4.1.3. Updating an Existing ESP SA
+
+ The update process is accomplished using three messages. The HIP
+ UPDATE message is used to update the parameters of an existing ESP
+ SA. The UPDATE mechanism and message are defined in [RFC7401], and
+ the additional parameters for updating an existing ESP SA are
+ described here.
+
+ The following picture shows a typical exchange when an existing ESP
+ SA is updated. Messages include SEQ and ACK parameters required by
+ the UPDATE mechanism.
+
+ H1 H2
+ UPDATE: SEQ, ESP_INFO [, DIFFIE_HELLMAN]
+ ----------------------------------------------------->
+
+ UPDATE: SEQ, ACK, ESP_INFO [, DIFFIE_HELLMAN]
+ <-----------------------------------------------------
+
+ UPDATE: ACK
+ ----------------------------------------------------->
+
+ The host willing to update the ESP SA creates and sends an UPDATE
+ message. The message contains the ESP_INFO parameter containing the
+ old SPI value that was used, the new SPI value to be used, and the
+ index value for the keying material, giving the point from where the
+ next keys will be drawn. If new keying material must be generated,
+ the UPDATE message will also contain the DIFFIE_HELLMAN parameter
+ defined in [RFC7401].
+
+ The host receiving the UPDATE message requesting update of an
+ existing ESP SA MUST reply with an UPDATE message. In the reply
+ message, the host sends the ESP_INFO parameter containing the
+ corresponding values: old SPI, new SPI, and the keying material
+ index. If the incoming UPDATE contained a DIFFIE_HELLMAN parameter,
+ the reply packet MUST also contain a DIFFIE_HELLMAN parameter.
+
+
+
+
+Jokela, et al. Standards Track [Page 12]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+5. Parameter and Packet Formats
+
+ In this section, new and modified HIP parameters are presented, as
+ well as modified HIP packets.
+
+5.1. New Parameters
+
+ Two HIP parameters are defined for setting up ESP transport format
+ associations in HIP communication and for rekeying existing ones.
+ Also, the NOTIFICATION parameter, described in [RFC7401], has two
+ error values defined for this specification.
+
+ Parameter Type Length Data
+
+ ESP_INFO 65 12 Remote's old SPI,
+ new SPI, and other info
+ ESP_TRANSFORM 4095 variable ESP Encryption and
+ Authentication Transform(s)
+
+5.1.1. ESP_INFO
+
+ During the establishment and update of an ESP SA, the SPI value of
+ both hosts must be transmitted between the hosts. In addition, hosts
+ need the index value to the KEYMAT when they are drawing keys from
+ the generated keying material. The ESP_INFO parameter is used to
+ transmit the SPI values and the KEYMAT index information between the
+ hosts.
+
+ During the initial ESP SA setup, the hosts send the SPI value that
+ they want the peer to use when sending ESP data to them. The value
+ is set in the NEW SPI field of the ESP_INFO parameter. In the
+ initial setup, an old value for the SPI does not exist; thus, the OLD
+ SPI field value is set to zero. The OLD SPI field value may also be
+ zero when additional SAs are set up between HIP hosts, e.g., in the
+ case of multihomed HIP hosts [RFC5206]. However, such use is beyond
+ the scope of this specification.
+
+ The KEYMAT index value points to the place in the KEYMAT from where
+ the keying material for the ESP SAs is drawn. The KEYMAT index value
+ is zero only when the ESP_INFO is sent during a rekeying process and
+ new keying material is generated.
+
+ During the life of an SA established by HIP, one of the hosts may
+ need to reset the Sequence Number to one and rekey. The reason for
+ rekeying might be an approaching sequence number wrap in ESP, or a
+ local policy on the use of a key. Rekeying ends the current SAs and
+ starts new ones on both peers.
+
+
+
+
+Jokela, et al. Standards Track [Page 13]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ During the rekeying process, the ESP_INFO parameter is used to
+ transmit the changed SPI values and the keying material index.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved | KEYMAT Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | OLD SPI |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | NEW SPI |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 65
+ Length 12
+ KEYMAT Index index, in bytes, where to continue to draw ESP keys
+ from KEYMAT. If the packet includes a new
+ Diffie-Hellman key and the ESP_INFO is sent in an
+ UPDATE packet, the field MUST be zero. If the
+ ESP_INFO is included in base exchange messages, the
+ KEYMAT Index must have the index value of the point
+ from where the ESP SA keys are drawn. Note that
+ the length of this field limits the amount of
+ keying material that can be drawn from KEYMAT. If
+ that amount is exceeded, the packet MUST contain
+ a new Diffie-Hellman key.
+ OLD SPI old SPI for data sent to address(es) associated
+ with this SA. If this is an initial SA setup, the
+ OLD SPI value is zero.
+ NEW SPI new SPI for data sent to address(es) associated
+ with this SA.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 14]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+5.1.2. ESP_TRANSFORM
+
+ The ESP_TRANSFORM parameter is used during ESP SA establishment. The
+ first party sends a selection of transform families in the
+ ESP_TRANSFORM parameter, and the peer must select one of the proposed
+ values and include it in the response ESP_TRANSFORM parameter.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved | Suite ID #1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Suite ID #2 | Suite ID #3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Suite ID #n | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 4095
+ Length length in octets, excluding Type, Length, and
+ padding.
+ Reserved zero when sent, ignored when received.
+ Suite ID defines the ESP Suite to be used.
+
+ The following Suite IDs can be used:
+
+ Suite ID Value
+
+ RESERVED 0 [RFC7402]
+ AES-128-CBC with HMAC-SHA1 1 [RFC3602], [RFC2404]
+ DEPRECATED 2 [RFC7402]
+ DEPRECATED 3 [RFC7402]
+ DEPRECATED 4 [RFC7402]
+ DEPRECATED 5 [RFC7402]
+ DEPRECATED 6 [RFC7402]
+ NULL with HMAC-SHA-256 7 [RFC2410], [RFC4868]
+ AES-128-CBC with HMAC-SHA-256 8 [RFC3602], [RFC4868]
+ AES-256-CBC with HMAC-SHA-256 9 [RFC3602], [RFC4868]
+ AES-CCM-8 10 [RFC4309]
+ AES-CCM-16 11 [RFC4309]
+ AES-GCM with an 8-octet ICV 12 [RFC4106]
+ AES-GCM with a 16-octet ICV 13 [RFC4106]
+ AES-CMAC-96 14 [RFC4493], [RFC4494]
+ AES-GMAC 15 [RFC4543]
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 15]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ The sender of an ESP transform parameter MUST make sure that there
+ are no more than six (6) Suite IDs in one ESP transform parameter.
+ Conversely, a recipient MUST be prepared to handle received transform
+ parameters that contain more than six Suite IDs. The limited number
+ of Suite IDs sets the maximum size of the ESP_TRANSFORM parameter.
+ As the default configuration, the ESP_TRANSFORM parameter MUST
+ contain at least one of the mandatory Suite IDs. There MAY be a
+ configuration option that allows the administrator to override this
+ default.
+
+ Mandatory implementations: AES-128-CBC with HMAC-SHA-256. NULL with
+ HMAC-SHA-256 SHOULD also be supported (see also Section 3.3.5).
+
+ Under some conditions, it is possible to use Traffic Flow
+ Confidentiality (TFC) [RFC4303] with ESP in BEET mode. However, the
+ definition of such an operation is left for future work and must be
+ done in a separate specification.
+
+5.1.3. NOTIFICATION Parameter
+
+ The HIP base specification defines a set of NOTIFICATION error types.
+ The following error types are required for describing errors in ESP
+ Transform crypto suites during negotiation.
+
+ NOTIFICATION PARAMETER - ERROR TYPES Value
+ ------------------------------------ -----
+
+ NO_ESP_PROPOSAL_CHOSEN 18
+
+ None of the proposed ESP Transform crypto suites was
+ acceptable.
+
+ INVALID_ESP_TRANSFORM_CHOSEN 19
+
+ The ESP Transform crypto suite does not correspond to
+ one offered by the Responder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 16]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+5.2. HIP ESP Security Association Setup
+
+ The ESP Security Association is set up during the base exchange. The
+ following subsections define the ESP SA setup procedure using both
+ base exchange messages (R1, I2, R2) and UPDATE messages.
+
+5.2.1. Setup during Base Exchange
+
+5.2.1.1. Modifications in R1
+
+ The ESP_TRANSFORM contains the ESP modes supported by the sender,
+ in the order of preference. All implementations MUST support
+ AES-128-CBC [RFC3602] with HMAC-SHA-256 [RFC4868].
+
+ The following figure shows the resulting R1 packet layout.
+
+ The HIP parameters for the R1 packet:
+
+ IP ( HIP ( [ R1_COUNTER, ]
+ PUZZLE,
+ DIFFIE_HELLMAN,
+ HIP_CIPHER,
+ ESP_TRANSFORM,
+ HOST_ID,
+ [ ECHO_REQUEST, ]
+ HIP_SIGNATURE_2 )
+ [, ECHO_REQUEST ])
+
+5.2.1.2. Modifications in I2
+
+ The ESP_INFO contains the sender's SPI for this association as well
+ as the KEYMAT index from where the ESP SA keys will be drawn. The
+ old SPI value is set to zero.
+
+ The ESP_TRANSFORM contains the ESP mode selected by the sender of R1.
+ All implementations MUST support AES-128-CBC [RFC3602] with
+ HMAC-SHA-256 [RFC4868].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 17]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ The following figure shows the resulting I2 packet layout.
+
+ The HIP parameters for the I2 packet:
+
+ IP ( HIP ( ESP_INFO,
+ [R1_COUNTER,]
+ SOLUTION,
+ DIFFIE_HELLMAN,
+ HIP_CIPHER,
+ ESP_TRANSFORM,
+ ENCRYPTED { HOST_ID },
+ [ ECHO_RESPONSE ,]
+ HMAC,
+ HIP_SIGNATURE
+ [, ECHO_RESPONSE] ) )
+
+5.2.1.3. Modifications in R2
+
+ The R2 contains an ESP_INFO parameter, which has the SPI value of the
+ sender of the R2 for this association. The ESP_INFO also has the
+ KEYMAT index value specifying where the ESP SA keys are drawn.
+
+ The following figure shows the resulting R2 packet layout.
+
+ The HIP parameters for the R2 packet:
+
+ IP ( HIP ( ESP_INFO, HMAC_2, HIP_SIGNATURE ) )
+
+5.3. HIP ESP Rekeying
+
+ In this section, the procedure for rekeying an existing ESP SA is
+ presented.
+
+ Conceptually, the process can be represented by the following message
+ sequence using the host names I' and R' defined in Section 3.3.2.
+ For simplicity, HMAC and HIP_SIGNATURE are not depicted, and
+ DIFFIE_HELLMAN keys are optional. The UPDATE with ACK_I need not be
+ piggybacked with the UPDATE with SEQ_R; it may be ACKed separately
+ (in which case the sequence would include four packets).
+
+ I' R'
+
+ UPDATE(ESP_INFO, SEQ_I, [DIFFIE_HELLMAN])
+ ----------------------------------->
+ UPDATE(ESP_INFO, SEQ_R, ACK_I, [DIFFIE_HELLMAN])
+ <-----------------------------------
+ UPDATE(ACK_R)
+ ----------------------------------->
+
+
+
+Jokela, et al. Standards Track [Page 18]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ Below, the first two packets in this figure are explained.
+
+5.3.1. Initializing Rekeying
+
+ When HIP is used with ESP, the UPDATE packet is used to initiate
+ rekeying. The UPDATE packet MUST carry an ESP_INFO and MAY carry a
+ DIFFIE_HELLMAN parameter.
+
+ Intermediate systems that use the SPI will have to inspect HIP
+ packets for those that carry rekeying information. The packet is
+ signed for the benefit of the intermediate systems. Since
+ intermediate systems may need the new SPI values, the contents cannot
+ be encrypted.
+
+ The following figure shows the contents of a rekeying initialization
+ UPDATE packet.
+
+ The HIP parameters for the UPDATE packet initiating rekeying:
+
+ IP ( HIP ( ESP_INFO,
+ SEQ,
+ [DIFFIE_HELLMAN, ]
+ HMAC,
+ HIP_SIGNATURE ) )
+
+5.3.2. Responding to the Rekeying Initialization
+
+ The UPDATE ACK is used to acknowledge the received UPDATE rekeying
+ initialization. The acknowledgment UPDATE packet MUST carry an
+ ESP_INFO and MAY carry a DIFFIE_HELLMAN parameter.
+
+ Intermediate systems that use the SPI will have to inspect HIP
+ packets for packets carrying rekeying information. The packet is
+ signed for the benefit of the intermediate systems. Since
+ intermediate systems may need the new SPI values, the contents cannot
+ be encrypted.
+
+ The following figure shows the contents of a rekeying acknowledgment
+ UPDATE packet.
+
+ The HIP parameters for the UPDATE packet:
+
+ IP ( HIP ( ESP_INFO,
+ SEQ,
+ ACK,
+ [ DIFFIE_HELLMAN, ]
+ HMAC,
+ HIP_SIGNATURE ) )
+
+
+
+Jokela, et al. Standards Track [Page 19]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+5.4. ICMP Messages
+
+ ICMP message handling is mainly described in the HIP base
+ specification [RFC7401]. In this section, we describe the actions
+ related to ESP security associations.
+
+5.4.1. Unknown SPI
+
+ If a HIP implementation receives an ESP packet that has an
+ unrecognized SPI number, it MAY respond (subject to rate limiting the
+ responses) with an ICMP packet with type "Parameter Problem", with
+ the pointer pointing to the beginning of the SPI field in the ESP
+ header.
+
+6. Packet Processing
+
+ Packet processing is mainly defined in the HIP base specification
+ [RFC7401]. This section describes the changes and new requirements
+ for packet handling when the ESP transport format is used. Note that
+ all HIP packets (currently protocol 139) MUST bypass ESP processing.
+
+6.1. Processing Outgoing Application Data
+
+ Outgoing application data handling is specified in the HIP base
+ specification [RFC7401]. When the ESP transport format is used, and
+ there is an active HIP session for the given < source, destination >
+ HIT pair, the outgoing datagram is protected using the ESP security
+ association. The following additional steps define the conceptual
+ processing rules for outgoing ESP protected datagrams.
+
+ 1. Detect the proper ESP SA using the HITs in the packet header or
+ other information associated with the packet.
+
+ 2. Process the packet normally, as if the SA was a transport
+ mode SA.
+
+ 3. Ensure that the outgoing ESP protected packet has proper IP
+ header format, depending on the used IP address family, and
+ proper IP addresses in its IP header, e.g., by replacing HITs
+ left by the ESP processing. Note that this placement of proper
+ IP addresses MAY also be performed at some other point in the
+ stack, e.g., before ESP processing.
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 20]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+6.2. Processing Incoming Application Data
+
+ Incoming HIP user data packets arrive as ESP protected packets. In
+ the usual case, the receiving host has a corresponding ESP security
+ association, identified by the SPI and destination IP address in the
+ packet. However, if the host has crashed or otherwise lost its HIP
+ state, it may not have such an SA.
+
+ The basic incoming data handling is specified in the HIP base
+ specification. Additional steps are required when ESP is used for
+ protecting the data traffic. The following steps define the
+ conceptual processing rules for incoming ESP protected datagrams
+ targeted to an ESP security association created with HIP.
+
+ 1. Detect the proper ESP SA using the SPI. If the resulting SA is a
+ non-HIP ESP SA, process the packet according to standard IPsec
+ rules. If there are no SAs identified with the SPI, the host MAY
+ send an ICMP packet as defined in Section 5.4. How to handle
+ lost state is an implementation issue.
+
+ 2. If the SPI matches with an active HIP-based ESP SA, the IP
+ addresses in the datagram are replaced with the HITs associated
+ with the SPI. Note that this IP-address-to-HIT conversion step
+ MAY also be performed at some other point in the stack, e.g.,
+ after ESP processing. Note also that if the incoming packet has
+ IPv4 addresses, the packet must be converted to IPv6 format
+ before replacing the addresses with HITs (such that the transport
+ checksum will pass if there are no errors).
+
+ 3. The transformed packet is next processed normally by ESP, as if
+ the packet were a transport mode packet. The packet may be
+ dropped by ESP, as usual. In a typical implementation, the
+ result of successful ESP decryption and verification is a
+ datagram with the associated HITs as source and destination.
+
+ 4. The datagram is delivered to the upper layer. Demultiplexing the
+ datagram to the right upper-layer socket is performed as usual,
+ except that the HITs are used in place of IP addresses during the
+ demultiplexing.
+
+6.3. HMAC and SIGNATURE Calculation and Verification
+
+ The new HIP parameters described in this document, ESP_INFO and
+ ESP_TRANSFORM, must be protected using HMAC and signature
+ calculations. In a typical implementation, they are included in R1,
+ I2, R2, and UPDATE packet HMAC and SIGNATURE calculations as
+ described in [RFC7401].
+
+
+
+
+Jokela, et al. Standards Track [Page 21]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+6.4. Processing Incoming ESP SA Initialization (R1)
+
+ The ESP SA setup is initialized in the R1 message. The receiving
+ host (Initiator) selects one of the ESP transforms from the presented
+ values. If no suitable value is found, the negotiation is
+ terminated. The selected values are subsequently used when
+ generating and using encryption keys, and when sending the reply
+ packet. If the proposed alternatives are not acceptable to the
+ system, it may abandon the ESP SA establishment negotiation, or it
+ may resend the I1 message within the retry bounds.
+
+ After selecting the ESP transform and performing other R1
+ processing, the system prepares and creates an incoming ESP security
+ association. It may also prepare a security association for outgoing
+ traffic, but since it does not have the correct SPI value yet, it
+ cannot activate it.
+
+6.5. Processing Incoming Initialization Reply (I2)
+
+ The following steps are required to process the incoming ESP SA
+ initialization replies in I2. The steps below assume that the I2 has
+ been accepted for processing (e.g., has not been dropped due to HIT
+ comparisons as described in [RFC7401]).
+
+ o The ESP_TRANSFORM parameter is verified, and it MUST contain a
+ single value in the parameter; and it MUST match one of the values
+ offered in the initialization packet.
+
+ o The ESP_INFO NEW SPI field is parsed to obtain the SPI that will
+ be used for the Security Association outbound from the Responder
+ and inbound to the Initiator. For this initial ESP SA
+ establishment, the old SPI value MUST be zero. The KEYMAT Index
+ field MUST contain the index value to the KEYMAT from where the
+ ESP SA keys are drawn.
+
+ o The system prepares and creates both incoming and outgoing ESP
+ security associations.
+
+ o Upon successful processing of the initialization reply message,
+ the possible old Security Associations (as left over from an
+ earlier incarnation of the HIP association) are dropped and the
+ new ones are installed, and a finalizing packet, R2, is sent.
+ Possible ongoing rekeying attempts are dropped.
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 22]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+6.6. Processing Incoming ESP SA Setup Finalization (R2)
+
+ Before the ESP SA can be finalized, the ESP_INFO NEW SPI field is
+ parsed to obtain the SPI that will be used for the ESP Security
+ Association inbound to the sender of the finalization message R2.
+ The system uses this SPI to create or activate the outgoing ESP
+ security association used for sending packets to the peer.
+
+6.7. Dropping HIP Associations
+
+ When the system drops a HIP association, as described in the HIP base
+ specification, the associated ESP SAs MUST also be dropped.
+
+6.8. Initiating ESP SA Rekeying
+
+ During ESP SA rekeying, the hosts draw new keys from the existing
+ keying material, or new keying material is generated from where the
+ new keys are drawn.
+
+ A system may initiate the SA rekeying procedure at any time. It MUST
+ initiate a rekey if its incoming ESP sequence counter is about to
+ overflow. The system MUST NOT replace its keying material until the
+ rekeying packet exchange successfully completes.
+
+ Optionally, a system may include a new Diffie-Hellman key for use in
+ new KEYMAT generation. New KEYMAT generation occurs prior to drawing
+ the new keys.
+
+ The rekeying procedure uses the UPDATE mechanism defined in
+ [RFC7401]. Because each peer must update its half of the security
+ association pair (including new SPI creation), the rekeying process
+ requires that each side both send and receive an UPDATE. A system
+ will then rekey the ESP SA when it has sent parameters to the peer
+ and has received both an ACK of the relevant UPDATE message and
+ corresponding peer's parameters. It may be that the ACK and the
+ required HIP parameters arrive in different UPDATE messages. This is
+ always true if a system does not initiate an ESP SA update but
+ responds to an update request from the peer, and may also occur if
+ two systems initiate update nearly simultaneously. In such a case,
+ if the system has an outstanding update request, it saves the one
+ parameter and waits for the other before completing rekeying.
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 23]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ The following steps define the processing rules for initiating an ESP
+ SA update:
+
+ 1. The system decides whether to continue to use the existing KEYMAT
+ or to generate a new KEYMAT. In the latter case, the system MUST
+ generate a new Diffie-Hellman public key.
+
+ 2. The system creates an UPDATE packet, which contains the ESP_INFO
+ parameter. In addition, the host may include the optional
+ DIFFIE_HELLMAN parameter. If the UPDATE contains the
+ DIFFIE_HELLMAN parameter, the KEYMAT Index in the ESP_INFO
+ parameter MUST be zero, and the Diffie-Hellman Group ID must be
+ unchanged from that used in the initial handshake. If the UPDATE
+ does not contain DIFFIE_HELLMAN, the ESP_INFO KEYMAT Index MUST
+ be greater than or equal to the index of the next byte to be
+ drawn from the current KEYMAT.
+
+ 3. The system sends the UPDATE packet. For reliability, the
+ underlying UPDATE retransmission mechanism MUST be used.
+
+ 4. The system MUST NOT delete its existing SAs, but continue using
+ them if its policy still allows. The rekeying procedure SHOULD
+ be initiated early enough to make sure that the SA replay
+ counters do not overflow.
+
+ 5. In case a protocol error occurs and the peer system acknowledges
+ the UPDATE but does not itself send an ESP_INFO, the system may
+ not finalize the outstanding ESP SA update request. To guard
+ against this, a system MAY re-initiate the ESP SA update
+ procedure after some time waiting for the peer to respond, or it
+ MAY decide to abort the ESP SA after waiting for an
+ implementation-dependent time. The system MUST NOT keep an
+ outstanding ESP SA update request for an indefinite time.
+
+ To simplify the state machine, a host MUST NOT generate new UPDATEs
+ while it has an outstanding ESP SA update request, unless it is
+ restarting the update process.
+
+6.9. Processing Incoming UPDATE Packets
+
+ When a system receives an UPDATE packet, it must be processed if the
+ following conditions hold (in addition to the generic conditions
+ specified for UPDATE processing in Section 6.12 of [RFC7401]):
+
+ 1. A corresponding HIP association must exist. This is usually
+ ensured by the underlying UPDATE mechanism.
+
+ 2. The state of the HIP association is ESTABLISHED or R2-SENT.
+
+
+
+Jokela, et al. Standards Track [Page 24]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ If the above conditions hold, the following steps define the
+ conceptual processing rules for handling the received UPDATE packet:
+
+ 1. If the received UPDATE contains a DIFFIE_HELLMAN parameter, the
+ received KEYMAT Index MUST be zero and the Group ID must match
+ the Group ID in use on the association. If this test fails, the
+ packet SHOULD be dropped and the system SHOULD log an error
+ message.
+
+ 2. If there is no outstanding rekeying request, the packet
+ processing continues as specified in Section 6.9.1.
+
+ 3. If there is an outstanding rekeying request, the UPDATE MUST be
+ acknowledged, the received ESP_INFO (and possibly DIFFIE_HELLMAN)
+ parameters must be saved, and the packet processing continues as
+ specified in Section 6.10.
+
+6.9.1. Processing UPDATE Packet: No Outstanding Rekeying Request
+
+ The following steps define the conceptual processing rules for
+ handling a received UPDATE packet with the ESP_INFO parameter:
+
+ 1. The system consults its policy to see if it needs to generate a
+ new Diffie-Hellman key, and generates a new key (with same
+ Group ID) if needed. The system records any newly generated or
+ received Diffie-Hellman keys for use in KEYMAT generation upon
+ finalizing the ESP SA update.
+
+ 2. If the system generated a new Diffie-Hellman key in the previous
+ step, or if it received a DIFFIE_HELLMAN parameter, it sets the
+ ESP_INFO KEYMAT Index to zero. Otherwise, the ESP_INFO KEYMAT
+ Index MUST be greater than or equal to the index of the next byte
+ to be drawn from the current KEYMAT. In this case, it is
+ RECOMMENDED that the host use the KEYMAT Index requested by the
+ peer in the received ESP_INFO.
+
+ 3. The system creates an UPDATE packet, which contains an ESP_INFO
+ parameter and the optional DIFFIE_HELLMAN parameter. This UPDATE
+ would also typically acknowledge the peer's UPDATE with an ACK
+ parameter, although a separate UPDATE ACK may be sent.
+
+ 4. The system sends the UPDATE packet and stores any received
+ ESP_INFO and DIFFIE_HELLMAN parameters. At this point, it only
+ needs to receive an acknowledgment for the newly sent UPDATE to
+ finish the ESP SA update. In the usual case, the acknowledgment
+ is handled by the underlying UPDATE mechanism.
+
+
+
+
+
+Jokela, et al. Standards Track [Page 25]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+6.10. Finalizing Rekeying
+
+ A system finalizes rekeying when it has both received the
+ corresponding UPDATE acknowledgment packet from the peer and
+ successfully received the peer's UPDATE. The following steps
+ are taken:
+
+ 1. If the received UPDATE messages contain a new Diffie-Hellman key,
+ the system has a new Diffie-Hellman key due to initiating an ESP
+ SA update, or both, the system generates a new KEYMAT. If there
+ is only one new Diffie-Hellman key, the old existing key is used
+ as the other key.
+
+ 2. If the system generated a new KEYMAT in the previous step, it
+ sets the KEYMAT Index to zero, independent of whether the
+ received UPDATE included a Diffie-Hellman key or not. If the
+ system did not generate a new KEYMAT, it uses the greater KEYMAT
+ Index of the two (sent and received) ESP_INFO parameters.
+
+ 3. The system draws keys for new incoming and outgoing ESP SAs,
+ starting from the KEYMAT Index, and prepares new incoming and
+ outgoing ESP SAs. The SPI for the outgoing SA is the new SPI
+ value received in an ESP_INFO parameter. The SPI for the
+ incoming SA was generated when the ESP_INFO was sent to the peer.
+ The order of the keys retrieved from the KEYMAT during the
+ rekeying process is similar to that described in Section 7. Note
+ that only IPsec ESP keys are retrieved during the rekeying
+ process, not the HIP keys.
+
+ 4. The system starts to send to the new outgoing SA and prepares to
+ start receiving data on the new incoming SA. Once the system
+ receives data on the new incoming SA, it may safely delete the
+ old SAs.
+
+6.11. Processing NOTIFY Packets
+
+ The processing of NOTIFY packets is described in the HIP base
+ specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 26]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+7. Keying Material
+
+ The keying material is generated as described in the HIP base
+ specification. During the base exchange, the initial keys are drawn
+ from the generated material. After the HIP association keys have
+ been drawn, the ESP keys are drawn in the following order:
+
+ SA-gl ESP encryption key for HOST_g's outgoing traffic
+
+ SA-gl ESP authentication key for HOST_g's outgoing traffic
+
+ SA-lg ESP encryption key for HOST_l's outgoing traffic
+
+ SA-lg ESP authentication key for HOST_l's outgoing traffic
+
+ HOST_g denotes the host with the greater HIT value, and HOST_l
+ denotes the host with the lower HIT value. When HIT values are
+ compared, they are interpreted as positive (unsigned) 128-bit
+ integers in network byte order.
+
+ The four HIP keys are only drawn from KEYMAT during a HIP I1->R2
+ exchange. Subsequent rekeys using UPDATE will only draw the four ESP
+ keys from KEYMAT. Section 6.9 describes the rules for reusing or
+ regenerating KEYMAT based on the rekeying.
+
+ The number of bits drawn for a given algorithm is the "natural" size
+ of the keys, as specified in Section 6.5 of [RFC7401].
+
+8. Security Considerations
+
+ In this document, the usage of ESP [RFC4303] between HIP hosts to
+ protect data traffic is introduced. The security considerations for
+ ESP are discussed in the ESP specification.
+
+ There are different ways to establish an ESP Security Association
+ between two nodes. This can be done, e.g., using IKE [RFC7296].
+ This document specifies how the Host Identity Protocol is used to
+ establish ESP Security Associations.
+
+ The following issues are new or have changed from the standard ESP
+ usage:
+
+ o Initial keying material generation
+
+ o Updating the keying material
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 27]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ The initial keying material is generated using the Host Identity
+ Protocol [RFC7401] using the Diffie-Hellman procedure. This document
+ extends the usage of the UPDATE packet, defined in the base
+ specification, to modify existing ESP SAs. The hosts may rekey,
+ i.e., force the generation of new keying material using the
+ Diffie-Hellman procedure. The initial setup of ESP SAs between the
+ hosts is done during the base exchange, and the message exchange is
+ protected using methods provided by the base exchange. Changes in
+ connection parameters basically mean that the old ESP SA is removed
+ and a new one is generated once the UPDATE message exchange has been
+ completed. The message exchange is protected using the HIP
+ association keys. Both HMAC and signing of packets are used.
+
+9. IANA Considerations
+
+ The following changes to the "Host Identity Protocol (HIP)
+ Parameters" registries have been made. In all cases, the changes
+ updated the reference from [RFC5202] to this specification.
+
+ This document defines two Parameter Types and two NOTIFY Message
+ Types for the Host Identity Protocol [RFC7401].
+
+ The parameters and their type numbers are defined in Sections 5.1.1
+ and 5.1.2, and they have been added to the "Parameter Types"
+ namespace created by [RFC7401]. No new action regarding these values
+ is required by this specification, other than updating the reference
+ from [RFC5202] to this specification.
+
+ The new NOTIFICATION error types and their values are defined in
+ Section 5.1.3, and they have been added to the "Notify Message Types"
+ namespace created by [RFC7401]. No new action regarding these values
+ is required by this specification, other than updating the reference
+ from [RFC5202] to this specification.
+
+ Section 5.1.2 of this document defines values for "ESP Transform
+ Suite IDs", which are registered in a new IANA registry, with an
+ "IETF Review" registration procedure [RFC5226] for new values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 28]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+10. References
+
+10.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
+ ESP and AH", RFC 2404, November 1998,
+ <http://www.rfc-editor.org/info/rfc2404>.
+
+ [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and
+ Its Use With IPsec", RFC 2410, November 1998,
+ <http://www.rfc-editor.org/info/rfc2410>.
+
+ [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher
+ Algorithm and Its Use with IPsec", RFC 3602,
+ September 2003, <http://www.rfc-editor.org/info/rfc3602>.
+
+ [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
+ (GCM) in IPsec Encapsulating Security Payload (ESP)",
+ RFC 4106, June 2005, <http://www.rfc-editor.org/
+ info/rfc4106>.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005, <http://www.rfc-editor.org/
+ info/rfc4303>.
+
+ [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
+ Mode with IPsec Encapsulating Security Payload (ESP)",
+ RFC 4309, December 2005, <http://www.rfc-editor.org/
+ info/rfc4309>.
+
+ [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
+ AES-CMAC Algorithm", RFC 4493, June 2006,
+ <http://www.rfc-editor.org/info/rfc4493>.
+
+ [RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96
+ Algorithm and Its Use with IPsec", RFC 4494, June 2006,
+ <http://www.rfc-editor.org/info/rfc4494>.
+
+ [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
+ Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
+ May 2006, <http://www.rfc-editor.org/info/rfc4543>.
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 29]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256,
+ HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868,
+ May 2007, <http://www.rfc-editor.org/info/rfc4868>.
+
+ [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
+ Henderson, "Host Identity Protocol Version 2 (HIPv2)",
+ RFC 7401, April 2015, <http://www.rfc-editor.org/
+ info/rfc7401>.
+
+10.2. Informative References
+
+ [HIP-ARCH] Moskowitz, R., Ed., and M. Komu, "Host Identity Protocol
+ Architecture", Work in Progress,
+ draft-ietf-hip-rfc4423-bis-09, October 2014.
+
+ [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
+ September 1981, <http://www.rfc-editor.org/info/rfc791>.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005,
+ <http://www.rfc-editor.org/info/rfc4301>.
+
+ [RFC5202] Jokela, P., Moskowitz, R., and P. Nikander, "Using the
+ Encapsulating Security Payload (ESP) Transport Format with
+ the Host Identity Protocol (HIP)", RFC 5202, April 2008,
+ <http://www.rfc-editor.org/info/rfc5202>.
+
+ [RFC5206] Nikander, P., Henderson, T., Vogt, C., and J. Arkko,
+ "End-Host Mobility and Multihoming with the Host Identity
+ Protocol", RFC 5206, April 2008,
+ <http://www.rfc-editor.org/info/rfc5206>.
+
+ [RFC5207] Stiemerling, M., Quittek, J., and L. Eggert, "NAT and
+ Firewall Traversal Issues of Host Identity Protocol (HIP)
+ Communication", RFC 5207, April 2008,
+ <http://www.rfc-editor.org/info/rfc5207>.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008, <http://www.rfc-editor.org/info/rfc5226>.
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 30]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ [RFC5770] Komu, M., Henderson, T., Tschofenig, H., Melen, J., and A.
+ Keranen, "Basic Host Identity Protocol (HIP) Extensions
+ for Traversal of Network Address Translators", RFC 5770,
+ April 2010, <http://www.rfc-editor.org/info/rfc5770>.
+
+ [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
+ Kivinen, "Internet Key Exchange Protocol Version 2
+ (IKEv2)", STD 79, RFC 7296, October 2014,
+ <http://www.rfc-editor.org/info/rfc7296>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 31]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+Appendix A. A Note on Implementation Options
+
+ It is possible to implement this specification in multiple different
+ ways. As noted above, one possible way of implementing this is to
+ rewrite IP headers below IPsec. In such an implementation, IPsec is
+ used as if it was processing IPv6 transport mode packets, with the
+ IPv6 header containing HITs instead of IP addresses in the source and
+ destination address fields. In outgoing packets, after IPsec
+ processing, the HITs are replaced with actual IP addresses, based on
+ the HITs and the SPI. In incoming packets, before IPsec processing,
+ the IP addresses are replaced with HITs, based on the SPI in the
+ incoming packet. In such an implementation, all IPsec policies are
+ based on HITs and the upper layers only see packets with HITs in the
+ place of IP addresses. Consequently, support of HIP does not
+ conflict with other uses of IPsec as long as the SPI spaces are kept
+ separate. Appendix B describes another way to implement this
+ specification.
+
+Appendix B. Bound End-to-End Tunnel Mode for ESP
+
+ This section introduces an alternative way of implementing the
+ necessary functions for HIP ESP transport. Compared to the option of
+ implementing the required address rewrites outside of IPsec, BEET has
+ one implementation-level benefit. In a BEET-mode-based
+ implementation, the address-rewriting information is kept in one
+ place, at the SAD. On the other hand, when address rewriting is
+ implemented separately, the implementation MUST make sure that the
+ information in the SAD and the information in the separate
+ address-rewriting database are kept in synchrony. As a result, the
+ BEET-mode-based way of implementing this specification is RECOMMENDED
+ over the separate implementation, as it binds the identities,
+ encryption, and locators tightly together. It should be noted that
+ implementing BEET mode doesn't require that corresponding hosts
+ implement it, as the behavior is only visible internally in a host.
+
+ BEET mode is a combination of IPsec tunnel and transport modes, and
+ it provides some of the features from both. HIP uses HITs as the
+ "inner" addresses and IP addresses as "outer" addresses, like IP
+ addresses are used in tunnel mode. Instead of tunneling packets
+ between hosts, a conversion between inner and outer addresses is made
+ at end hosts, and the inner address is never sent on the wire after
+ the initial HIP negotiation. BEET provides IPsec transport mode
+ syntax (no inner headers) with limited tunnel mode semantics (fixed
+ logical inner addresses -- the HITs -- and changeable outer IP
+ addresses).
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 32]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+B.1. Protocol Definition
+
+ In this section, we define the exact protocol formats and operations.
+
+B.1.1. Changes to Security Association Data Structures
+
+ A BEET mode Security Association contains the same data as a regular
+ tunnel mode Security Association, with the exception that the inner
+ selectors must be single addresses and cannot be subnets. The data
+ includes the following:
+
+ o A pair of inner IP addresses.
+
+ o A pair of outer IP addresses.
+
+ o Cryptographic keys and other data as defined in Section 4.4.2 of
+ RFC 4301 [RFC4301].
+
+ A conforming implementation MAY store the data in a way similar to a
+ regular tunnel mode Security Association.
+
+ Note that in a conforming implementation the inner and outer
+ addresses MAY belong to different address families. All
+ implementations that support both IPv4 and IPv6 SHOULD support both
+ IPv4-over-IPv6 and IPv6-over-IPv4 tunneling.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 33]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+B.1.2. Packet Format
+
+ The wire packet format is identical to the ESP transport mode wire
+ format as defined in Section 3.1.1 of [RFC4303]. However, the
+ resulting packet contains outer IP addresses instead of the inner IP
+ addresses received from the upper layer. The construction of the
+ outer headers is defined in Section 5.1.2 of RFC 4301 [RFC4301]. The
+ following diagram illustrates ESP BEET mode positioning for typical
+ IPv4 and IPv6 packets.
+
+ IPv4 INNER ADDRESSES
+ --------------------
+
+ BEFORE APPLYING ESP
+ ------------------------------
+ | inner IP hdr | | |
+ | | TCP | Data |
+ ------------------------------
+
+ AFTER APPLYING ESP, OUTER v4 ADDRESSES
+ ----------------------------------------------------
+ | outer IP hdr | | | | ESP | ESP |
+ | (any options) | ESP | TCP | Data | Trailer | ICV |
+ ----------------------------------------------------
+ |<---- encryption ---->|
+ |<-------- integrity ------->|
+
+ AFTER APPLYING ESP, OUTER v6 ADDRESSES
+ ------------------------------------------------------
+ | outer | new ext | | | | ESP | ESP |
+ | IP hdr | hdrs | ESP | TCP | Data | Trailer| ICV |
+ ------------------------------------------------------
+ |<--- encryption ---->|
+ |<------- integrity ------->|
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 34]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ IPv4 INNER ADDRESSES with options
+ ---------------------------------
+
+ BEFORE APPLYING ESP
+ ------------------------------
+ | inner IP hdr | | |
+ | + options | TCP | Data |
+ ------------------------------
+
+ AFTER APPLYING ESP, OUTER v4 ADDRESSES
+ ----------------------------------------------------------
+ | outer IP hdr | | | | | ESP | ESP |
+ | (any options) | ESP | PH | TCP | Data | Trailer | ICV |
+ ----------------------------------------------------------
+ |<------- encryption ------->|
+ |<----------- integrity ---------->|
+
+ AFTER APPLYING ESP, OUTER v6 ADDRESSES
+ ------------------------------------------------------------
+ | outer | new ext | | | | | ESP | ESP |
+ | IP hdr | hdrs | ESP | PH | TCP | Data | Trailer| ICV |
+ ------------------------------------------------------------
+ |<------ encryption ------->|
+ |<---------- integrity ---------->|
+
+ PH Pseudo Header for IPv4 options
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 35]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ IPv6 INNER ADDRESSES
+ --------------------
+
+ BEFORE APPLYING ESP
+ ------------------------------------------
+ | | ext hdrs | | |
+ | inner IP hdr | if present | TCP | Data |
+ ------------------------------------------
+
+ AFTER APPLYING ESP, OUTER v6 ADDRESSES
+ --------------------------------------------------------------
+ | outer | new ext | | dest | | | ESP | ESP |
+ | IP hdr | hdrs | ESP | opts.| TCP | Data | Trailer | ICV |
+ --------------------------------------------------------------
+ |<---- encryption ---->|
+ |<------- integrity ------>|
+
+ AFTER APPLYING ESP, OUTER v4 ADDRESSES
+ ----------------------------------------------------
+ | outer | | dest | | | ESP | ESP |
+ | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
+ ----------------------------------------------------
+ |<------- encryption -------->|
+ |<----------- integrity ----------->|
+
+B.1.3. Cryptographic Processing
+
+ The outgoing packets MUST be protected exactly as in ESP transport
+ mode [RFC4303]. That is, the upper-layer protocol packet is wrapped
+ into an ESP header, encrypted, and authenticated exactly as if
+ regular transport mode was used. The resulting ESP packet is subject
+ to IP header processing as defined in Appendices B.1.4 and B.1.5.
+ The incoming ESP protected messages are verified and decrypted
+ exactly as if regular transport mode was used. The resulting
+ cleartext packet is subject to IP header processing as defined in
+ Appendices B.1.4 and B.1.6.
+
+B.1.4. IP Header Processing
+
+ The biggest difference between BEET mode and the other two modes is
+ in IP header processing. In the regular transport mode, the IP
+ header is kept intact. In the regular tunnel mode, an outer IP
+ header is created on output and discarded on input. In BEET mode,
+ the IP header is replaced with another one on both input and output.
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 36]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ On the BEET mode output side, the IP header processing MUST first
+ ensure that the IP addresses in the original IP header contain the
+ inner addresses as specified in the SA. This MAY be ensured by
+ proper policy processing, and it is possible that no checks are
+ needed at the time of SA processing. Once the IP header has been
+ verified to contain the right IP inner addresses, it is discarded. A
+ new IP header is created, using the fields of the discarded inner
+ header (except the IP addresses) to populate the fields of the new
+ outer header. The IP addresses in the new header MUST be the outer
+ tunnel addresses.
+
+ On the input side, the received IP header is simply discarded. Since
+ the packet has been decrypted and verified, no further checks are
+ necessary. A new IP header corresponding to a BEET mode inner header
+ is created, using the fields of the discarded outer header (except
+ the IP addresses) to populate the fields of the new inner header.
+ The IP addresses in the new header MUST be the inner addresses.
+
+ As the outer header fields are used as a hint for creating the inner
+ header, it must be noted that the inner header differs as compared to
+ a tunnel mode inner header. In BEET mode, the inner header will have
+ the Time to Live (TTL), Don't Fragment (DF) bit, and other option
+ values from the outer header. The TTL, DF bit, and other option
+ values of the inner header MUST be processed by the stack.
+
+B.1.5. Handling of Outgoing Packets
+
+ The outgoing BEET mode packets are processed as follows:
+
+ 1. The system MUST verify that the IP header contains the inner
+ source and destination addresses, exactly as defined in the SA.
+ This verification MAY be explicit, or it MAY be implicit, for
+ example, as a result of prior policy processing. Note that in
+ some implementations there may be no real IP header at this time
+ but the source and destination addresses may be carried out of
+ band. If the source address is still unassigned, it SHOULD be
+ ensured that the designated inner source address would be
+ selected at a later stage.
+
+ 2. The IP payload (the contents of the packet beyond the IP header)
+ is wrapped into an ESP header as defined in Section 3.3 of
+ [RFC4303].
+
+ 3. A new IP header is constructed, replacing the original one. The
+ new IP header MUST contain the outer source and destination
+ addresses, as defined in the SA. Note that in some
+ implementations there may be no real IP header at this time but
+ the source and destination addresses may be carried out of band.
+
+
+
+Jokela, et al. Standards Track [Page 37]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+ In the case where the source address must be left unassigned, it
+ SHOULD be ensured that the right source address is selected at a
+ later stage. Other than the addresses, it is RECOMMENDED that
+ the new IP header copies the fields from the original IP header.
+
+ 4. If there are any IPv4 options in the original packet, it is
+ RECOMMENDED that they are discarded. If the inner header
+ contains one or more options that need to be transported between
+ the tunnel endpoints, the sender MUST encapsulate the options as
+ defined in Appendix B.1.7.
+
+ Instead of literally discarding the IP header and constructing a new
+ one, a conforming implementation MAY simply replace the addresses in
+ an existing header. However, if the RECOMMENDED feature of allowing
+ the inner and outer addresses from different address families is
+ used, this simple strategy does not work.
+
+B.1.6. Handling of Incoming Packets
+
+ The incoming BEET mode packets are processed as follows:
+
+ 1. The system MUST verify and decrypt the incoming packet
+ successfully, as defined in Section 3.4 of [RFC4303]. If the
+ verification or decryption fails, the packet MUST be discarded.
+
+ 2. The original IP header is simply discarded, without any checks.
+ Since the ESP verification succeeded, the packet can be safely
+ assumed to have arrived from the right sender.
+
+ 3. A new IP header is constructed, replacing the original one. The
+ new IP header MUST contain the inner source and destination
+ addresses, as defined in the SA. If the sender has set the ESP
+ Next Header field to 94 and included the pseudo header as
+ described in Appendix B.1.7, the receiver MUST include the
+ options after the constructed IP header. Note that in some
+ implementations the real IP header may have already been
+ discarded and the source and destination addresses are carried
+ out of band. In such a case, the out-of-band addresses MUST be
+ the inner addresses. Other than the addresses, it is RECOMMENDED
+ that the new IP header copies the fields from the original IP
+ header.
+
+ Instead of literally discarding the IP header and constructing a new
+ one, a conforming implementation MAY simply replace the addresses in
+ an existing header. However, if the RECOMMENDED feature of allowing
+ the inner and outer addresses from different address families is
+ used, this simple strategy does not work.
+
+
+
+
+Jokela, et al. Standards Track [Page 38]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+B.1.7. Handling of IPv4 Options
+
+ In BEET mode, if IPv4 options are transported inside the tunnel, the
+ sender MUST include a pseudo header after the ESP header. The
+ pseudo header indicates that IPv4 options from the original packet
+ are to be applied to the packet on the input side.
+
+ The sender MUST set the Next Header field in the ESP header to 94.
+ The resulting pseudo header, including the IPv4 options, MUST be
+ padded to an 8-octet boundary. The padding length is expressed in
+ octets; valid padding lengths are 0 or 4 octets, as the original IPv4
+ options are already padded to a 4-octet boundary. The padding MUST
+ be filled with No Operation (NOP) options as defined in Section 3.1
+ ("Internet Header Format") of [RFC0791] ("Internet Protocol"). The
+ padding is added in front of the original options to ensure that the
+ receiver is able to reconstruct the original IPv4 datagram. The
+ Header Length field contains the length of the IPv4 options, and
+ padding in 8-octet units.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Next Header | Header Len | Pad Len | Reserved |
+ +---------------+---------------+-------------------------------+
+ | Padding (if needed) |
+ +---------------------------------------------------------------+
+ | IPv4 options ... |
+ | |
+ +---------------------------------------------------------------+
+
+ Next Header identifies the data following this header.
+ Length in octets 8-bit unsigned integer. Length of the
+ pseudo header in 8-octet units, not
+ including the first 8 octets.
+
+ The receiver MUST remove this pseudo header and padding as a part of
+ BEET processing, in order to reconstruct the original IPv4 datagram.
+ The IPv4 options included in the pseudo header MUST be added after
+ the reconstructed IPv4 (inner) header on the receiving side.
+
+
+
+
+
+
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 39]
+
+RFC 7402 Using the ESP Transport Format with HIP April 2015
+
+
+Acknowledgments
+
+ This document was separated from the base Host Identity Protocol
+ specification in the beginning of 2005. Since then, a number of
+ people have contributed to the text by providing comments and
+ modification proposals. The list of people includes Tom Henderson,
+ Jeff Ahrenholz, Jan Melen, Jukka Ylitalo, and Miika Komu.
+ Especially, the authors want to thank Pekka Nikander for his
+ invaluable contributions to the document since the first draft
+ version. The authors also want to thank Charlie Kaufman for
+ reviewing the document with his eye on the usage of crypto
+ algorithms.
+
+ Due to the history of this document, most of the ideas are inherited
+ from the base Host Identity Protocol specification. Thus, the list
+ of people in the Acknowledgments section of that specification is
+ also valid for this document. Many people have given valuable
+ feedback, and our apologies to anyone whose name is missing.
+
+Authors' Addresses
+
+ Petri Jokela
+ Ericsson Research NomadicLab
+ JORVAS FIN-02420
+ Finland
+
+ Phone: +358 9 299 1
+ EMail: petri.jokela@nomadiclab.com
+
+
+ Robert Moskowitz
+ HTT Consulting
+ Oak Park, MI
+ United States
+
+ EMail: rgm@labs.htt-consult.com
+
+
+ Jan Melen
+ Ericsson Research NomadicLab
+ JORVAS FIN-02420
+ Finland
+
+ Phone: +358 9 299 1
+ EMail: jan.melen@nomadiclab.com
+
+
+
+
+
+
+Jokela, et al. Standards Track [Page 40]
+