From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4302.txt | 1907 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1907 insertions(+) create mode 100644 doc/rfc/rfc4302.txt (limited to 'doc/rfc/rfc4302.txt') diff --git a/doc/rfc/rfc4302.txt b/doc/rfc/rfc4302.txt new file mode 100644 index 0000000..994331f --- /dev/null +++ b/doc/rfc/rfc4302.txt @@ -0,0 +1,1907 @@ + + + + + + +Network Working Group S. Kent +Request for Comments: 4302 BBN Technologies +Obsoletes: 2402 December 2005 +Category: Standards Track + + + IP Authentication Header + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This document describes an updated version of the IP Authentication + Header (AH), which is designed to provide authentication services in + IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). + +Table of Contents + + 1. Introduction ....................................................3 + 2. Authentication Header Format ....................................4 + 2.1. Next Header ................................................5 + 2.2. Payload Length .............................................5 + 2.3. Reserved ...................................................6 + 2.4. Security Parameters Index (SPI) ............................6 + 2.5. Sequence Number ............................................8 + 2.5.1. Extended (64-bit) Sequence Number ...................8 + 2.6. Integrity Check Value (ICV) ................................9 + 3. Authentication Header Processing ................................9 + 3.1. Authentication Header Location .............................9 + 3.1.1. Transport Mode ......................................9 + 3.1.2. Tunnel Mode ........................................11 + 3.2. Integrity Algorithms ......................................11 + 3.3. Outbound Packet Processing ................................11 + 3.3.1. Security Association Lookup ........................12 + 3.3.2. Sequence Number Generation .........................12 + 3.3.3. Integrity Check Value Calculation ..................13 + 3.3.3.1. Handling Mutable Fields ...................13 + 3.3.3.2. Padding and Extended Sequence Numbers .....16 + + + +Kent Standards Track [Page 1] + +RFC 4302 IP Authentication Header December 2005 + + + 3.3.4. Fragmentation ......................................17 + 3.4. Inbound Packet Processing .................................18 + 3.4.1. Reassembly .........................................18 + 3.4.2. Security Association Lookup ........................18 + 3.4.3. Sequence Number Verification .......................19 + 3.4.4. Integrity Check Value Verification .................20 + 4. Auditing .......................................................21 + 5. Conformance Requirements .......................................21 + 6. Security Considerations ........................................22 + 7. Differences from RFC 2402 ......................................22 + 8. Acknowledgements ...............................................22 + 9. References .....................................................22 + 9.1. Normative References ......................................22 + 9.2. Informative References ....................................23 + Appendix A: Mutability of IP Options/Extension Headers ............25 + A1. IPv4 Options ...............................................25 + A2. IPv6 Extension Headers .....................................26 + Appendix B: Extended (64-bit) Sequence Numbers ....................28 + B1. Overview ...................................................28 + B2. Anti-Replay Window .........................................28 + B2.1. Managing and Using the Anti-Replay Window ............29 + B2.2. Determining the Higher-Order Bits (Seqh) of the + Sequence Number ......................................30 + B2.3. Pseudo-Code Example ..................................31 + B3. Handling Loss of Synchronization due to Significant + Packet Loss ................................................32 + B3.1. Triggering Re-synchronization ........................33 + B3.2. Re-synchronization Process ...........................33 + + + + + + + + + + + + + + + + + + + + + + + +Kent Standards Track [Page 2] + +RFC 4302 IP Authentication Header December 2005 + + +1. Introduction + + This document assumes that the reader is familiar with the terms and + concepts described in the "Security Architecture for the Internet + Protocol" [Ken-Arch], hereafter referred to as the Security + Architecture document. In particular, the reader should be familiar + with the definitions of security services offered by the + Encapsulating Security Payload (ESP) [Ken-ESP] and the IP + Authentication Header (AH), the concept of Security Associations, the + ways in which ESP can be used in conjunction with the Authentication + Header (AH), and the different key management options available for + ESP and AH. + + The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, + SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this + document, are to be interpreted as described in RFC 2119 [Bra97]. + + The IP Authentication Header (AH) is used to provide connectionless + integrity and data origin authentication for IP datagrams (hereafter + referred to as just "integrity") and to provide protection against + replays. This latter, optional service may be selected, by the + receiver, when a Security Association (SA) is established. (The + protocol default requires the sender to increment the sequence number + used for anti-replay, but the service is effective only if the + receiver checks the sequence number.) However, to make use of the + Extended Sequence Number feature in an interoperable fashion, AH does + impose a requirement on SA management protocols to be able to + negotiate this new feature (see Section 2.5.1 below). + + AH provides authentication for as much of the IP header as possible, + as well as for next level protocol data. However, some IP header + fields may change in transit and the value of these fields, when the + packet arrives at the receiver, may not be predictable by the sender. + The values of such fields cannot be protected by AH. Thus, the + protection provided to the IP header by AH is piecemeal. (See + Appendix A.) + + AH may be applied alone, in combination with the IP Encapsulating + Security Payload (ESP) [Ken-ESP], or in a nested fashion (see + Security Architecture document [Ken-Arch]). Security services can be + provided between a pair of communicating hosts, between a pair of + communicating security gateways, or between a security gateway and a + host. ESP may be used to provide the same anti-replay and similar + integrity services, and it also provides a confidentiality + (encryption) service. The primary difference between the integrity + provided by ESP and AH is the extent of the coverage. Specifically, + ESP does not protect any IP header fields unless those fields are + + + + +Kent Standards Track [Page 3] + +RFC 4302 IP Authentication Header December 2005 + + + encapsulated by ESP (e.g., via use of tunnel mode). For more details + on how to use AH and ESP in various network environments, see the + Security Architecture document [Ken-Arch]. + + Section 7 provides a brief review of the differences between this + document and RFC 2402 [RFC2402]. + +2. Authentication Header Format + + The protocol header (IPv4, IPv6, or IPv6 Extension) immediately + preceding the AH header SHALL contain the value 51 in its Protocol + (IPv4) or Next Header (IPv6, Extension) fields [DH98]. Figure 1 + illustrates the format for AH. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Next Header | Payload Len | RESERVED | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Security Parameters Index (SPI) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence Number Field | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + + Integrity Check Value-ICV (variable) | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1. AH Format + + The following table refers to the fields that comprise AH, + (illustrated in Figure 1), plus other fields included in the + integrity computation, and illustrates which fields are covered by + the ICV and what is transmitted. + What What + # of Requ'd Integ is + bytes [1] Covers Xmtd + ------ ------ ------ ------ + IP Header variable M [2] plain + Next Header 1 M Y plain + Payload Len 1 M Y plain + RESERVED 2 M Y plain + SPI 4 M Y plain + Seq# (low-order 32 bits) 4 M Y plain + ICV variable M Y[3] plain + IP datagram [4] variable M Y plain + Seq# (high-order 32 bits) 4 if ESN Y not xmtd + ICV Padding variable if need Y not xmtd + + + +Kent Standards Track [Page 4] + +RFC 4302 IP Authentication Header December 2005 + + + [1] - M = mandatory + [2] - See Section 3.3.3, "Integrity Check Value Calculation", for + details of which IP header fields are covered. + [3] - Zeroed before ICV calculation (resulting ICV placed here + after calculation) + [4] - If tunnel mode -> IP datagram + If transport mode -> next header and data + + The following subsections define the fields that comprise the AH + format. All the fields described here are mandatory; i.e., they are + always present in the AH format and are included in the Integrity + Check Value (ICV) computation (see Sections 2.6 and 3.3.3). + + Note: All of the cryptographic algorithms used in IPsec expect their + input in canonical network byte order (see Appendix of RFC 791 + [RFC791]) and generate their output in canonical network byte order. + IP packets are also transmitted in network byte order. + + AH does not contain a version number, therefore if there are concerns + about backward compatibility, they MUST be addressed by using a + signaling mechanism between the two IPsec peers to ensure compatible + versions of AH, e.g., IKE [IKEv2] or an out-of-band configuration + mechanism. + +2.1. Next Header + + The Next Header is an 8-bit field that identifies the type of the + next payload after the Authentication Header. The value of this + field is chosen from the set of IP Protocol Numbers defined on the + web page of Internet Assigned Numbers Authority (IANA). For example, + a value of 4 indicates IPv4, a value of 41 indicates IPv6, and a + value of 6 indicates TCP. + +2.2. Payload Length + + This 8-bit field specifies the length of AH in 32-bit words (4-byte + units), minus "2". Thus, for example, if an integrity algorithm + yields a 96-bit authentication value, this length field will be "4" + (3 32-bit word fixed fields plus 3 32-bit words for the ICV, minus + 2). For IPv6, the total length of the header must be a multiple of + 8-octet units. (Note that although IPv6 [DH98] characterizes AH as + an extension header, its length is measured in 32-bit words, not the + 64-bit words used by other IPv6 extension headers.) See Section 2.6, + "Integrity Check Value (ICV)", for comments on padding of this field, + and Section 3.3.3.2.1, "ICV Padding". + + + + + + +Kent Standards Track [Page 5] + +RFC 4302 IP Authentication Header December 2005 + + +2.3. Reserved + + This 16-bit field is reserved for future use. It MUST be set to + "zero" by the sender, and it SHOULD be ignored by the recipient. + (Note that the value is included in the ICV calculation, but is + otherwise ignored by the recipient.) + +2.4. Security Parameters Index (SPI) + + The SPI is an arbitrary 32-bit value that is used by a receiver to + identify the SA to which an incoming packet is bound. For a unicast + SA, the SPI can be used by itself to specify an SA, or it may be used + in conjunction with the IPsec protocol type (in this case AH). + Because for unicast SAs the SPI value is generated by the receiver, + whether the value is sufficient to identify an SA by itself or + whether it must be used in conjunction with the IPsec protocol value + is a local matter. The SPI field is mandatory, and this mechanism + for mapping inbound traffic to unicast SAs described above MUST be + supported by all AH implementations. + + If an IPsec implementation supports multicast, then it MUST support + multicast SAs using the algorithm below for mapping inbound IPsec + datagrams to SAs. Implementations that support only unicast traffic + need not implement this de-multiplexing algorithm. + + In many secure multicast architectures, e.g., [RFC3740], a central + Group Controller/Key Server unilaterally assigns the group security + association's SPI. This SPI assignment is not negotiated or + coordinated with the key management (e.g., IKE) subsystems that + reside in the individual end systems that comprise the group. + Consequently, it is possible that a group security association and a + unicast security association can simultaneously use the same SPI. A + multicast-capable IPsec implementation MUST correctly de-multiplex + inbound traffic even in the context of SPI collisions. + + Each entry in the Security Association Database (SAD) [Ken-Arch] must + indicate whether the SA lookup makes use of the destination, or + destination and source, IP addresses, in addition to the SPI. For + multicast SAs, the protocol field is not employed for SA lookups. + For each inbound, IPsec-protected packet, an implementation must + conduct its search of the SAD such that it finds the entry that + matches the "longest" SA identifier. In this context, if two or more + SAD entries match based on the SPI value, then the entry that also + matches based on destination, or destination and source, address + comparison (as indicated in the SAD entry) is the "longest" match. + This implies a logical ordering of the SAD search as follows: + + + + + +Kent Standards Track [Page 6] + +RFC 4302 IP Authentication Header December 2005 + + + 1. Search the SAD for a match on {SPI, destination + address, source address}. If an SAD entry + matches, then process the inbound AH packet with that + matching SAD entry. Otherwise, proceed to step 2. + + 2. Search the SAD for a match on {SPI, destination + address}. If an SAD entry matches, then process + the inbound AH packet with that matching SAD + entry. Otherwise, proceed to step 3. + + 3. Search the SAD for a match on only {SPI} if the receiver + has chosen to maintain a single SPI space for AH and ESP, + or on {SPI, protocol} otherwise. If an SAD + entry matches, then process the inbound AH packet with + that matching SAD entry. Otherwise, discard the packet + and log an auditable event. + + In practice, an implementation MAY choose any method to accelerate + this search, although its externally visible behavior MUST be + functionally equivalent to having searched the SAD in the above + order. For example, a software-based implementation could index into + a hash table by the SPI. The SAD entries in each hash table bucket's + linked list are kept sorted to have those SAD entries with the + longest SA identifiers first in that linked list. Those SAD entries + having the shortest SA identifiers are sorted so that they are the + last entries in the linked list. A hardware-based implementation may + be able to effect the longest match search intrinsically, using + commonly available Ternary Content-Addressable Memory (TCAM) + features. + + The indication of whether source and destination address matching is + required to map inbound IPsec traffic to SAs MUST be set either as a + side effect of manual SA configuration or via negotiation using an SA + management protocol, e.g., IKE or Group Domain of Interpretation + (GDOI) [RFC3547]. Typically, Source-Specific Multicast (SSM) [HC03] + groups use a 3-tuple SA identifier composed of an SPI, a destination + multicast address, and source address. An Any-Source Multicast group + SA requires only an SPI and a destination multicast address as an + identifier. + + The set of SPI values in the range 1 through 255 is reserved by the + Internet Assigned Numbers Authority (IANA) for future use; a reserved + SPI value will not normally be assigned by IANA unless the use of the + assigned SPI value is specified in an RFC. The SPI value of zero (0) + is reserved for local, implementation-specific use and MUST NOT be + sent on the wire. (For example, a key management implementation + might use the zero SPI value to mean "No Security Association Exists" + + + + +Kent Standards Track [Page 7] + +RFC 4302 IP Authentication Header December 2005 + + + during the period when the IPsec implementation has requested that + its key management entity establish a new SA, but the SA has not yet + been established.) + +2.5. Sequence Number + + This unsigned 32-bit field contains a counter value that increases by + one for each packet sent, i.e., a per-SA packet sequence number. For + a unicast SA or a single-sender multicast SA, the sender MUST + increment this field for every transmitted packet. Sharing an SA + among multiple senders is permitted, though generally not + recommended. AH provides no means of synchronizing packet counters + among multiple senders or meaningfully managing a receiver packet + counter and window in the context of multiple senders. Thus, for a + multi-sender SA, the anti-reply features of AH are not available (see + Sections 3.3.2 and 3.4.3). + + The field is mandatory and MUST always be present even if the + receiver does not elect to enable the anti-replay service for a + specific SA. Processing of the Sequence Number field is at the + discretion of the receiver, but all AH implementations MUST be + capable of performing the processing described in Section 3.3.2, + "Sequence Number Generation", and Section 3.4.3, "Sequence Number + Verification". Thus, the sender MUST always transmit this field, but + the receiver need not act upon it. + + The sender's counter and the receiver's counter are initialized to 0 + when an SA is established. (The first packet sent using a given SA + will have a sequence number of 1; see Section 3.3.2 for more details + on how the sequence number is generated.) If anti-replay is enabled + (the default), the transmitted sequence number must never be allowed + to cycle. Thus, the sender's counter and the receiver's counter MUST + be reset (by establishing a new SA and thus a new key) prior to the + transmission of the 2^32nd packet on an SA. + +2.5.1. Extended (64-bit) Sequence Number + + To support high-speed IPsec implementations, a new option for + sequence numbers SHOULD be offered, as an extension to the current, + 32-bit sequence number field. Use of an Extended Sequence Number + (ESN) MUST be negotiated by an SA management protocol. Note that in + IKEv2, this negotiation is implicit; the default is ESN unless 32-bit + sequence numbers are explicitly negotiated. (The ESN feature is + applicable to multicast as well as unicast SAs.) + + The ESN facility allows use of a 64-bit sequence number for an SA. + (See Appendix B, "Extended (64-bit) Sequence Numbers", for details.) + Only the low-order 32 bits of the sequence number are transmitted in + + + +Kent Standards Track [Page 8] + +RFC 4302 IP Authentication Header December 2005 + + + the AH header of each packet, thus minimizing packet overhead. The + high-order 32 bits are maintained as part of the sequence number + counter by both transmitter and receiver and are included in the + computation of the ICV, but are not transmitted. + +2.6. Integrity Check Value (ICV) + + This is a variable-length field that contains the Integrity Check + Value (ICV) for this packet. The field must be an integral multiple + of 32 bits (IPv4 or IPv6) in length. The details of ICV processing + are described in Section 3.3.3, "Integrity Check Value Calculation", + and Section 3.4.4, "Integrity Check Value Verification". This field + may include explicit padding, if required to ensure that the length + of the AH header is an integral multiple of 32 bits (IPv4) or 64 bits + (IPv6). All implementations MUST support such padding and MUST + insert only enough padding to satisfy the IPv4/IPv6 alignment + requirements. Details of how to compute the required padding length + are provided below in Section 3.3.3.2, "Padding". The integrity + algorithm specification MUST specify the length of the ICV and the + comparison rules and processing steps for validation. + +3. Authentication Header Processing + +3.1. Authentication Header Location + + AH may be employed in two ways: transport mode or tunnel mode. (See + the Security Architecture document for a description of when each + should be used.) + +3.1.1. Transport Mode + + In transport mode, AH is inserted after the IP header and before a + next layer protocol (e.g., TCP, UDP, ICMP, etc.) or before any other + IPsec headers that have already been inserted. In the context of + IPv4, this calls for placing AH after the IP header (and any options + that it contains), but before the next layer protocol. (Note that + the term "transport" mode should not be misconstrued as restricting + its use to TCP and UDP.) The following diagram illustrates AH + transport mode positioning for a typical IPv4 packet, on a "before + and after" basis. + + + + + + + + + + + +Kent Standards Track [Page 9] + +RFC 4302 IP Authentication Header December 2005 + + + BEFORE APPLYING AH + ---------------------------- + IPv4 |orig IP hdr | | | + |(any options)| TCP | Data | + ---------------------------- + + AFTER APPLYING AH + ------------------------------------------------------- + IPv4 |original IP hdr (any options) | AH | TCP | Data | + ------------------------------------------------------- + |<- mutable field processing ->|<- immutable fields ->| + |<----- authenticated except for mutable fields ----->| + + In the IPv6 context, AH is viewed as an end-to-end payload, and thus + should appear after hop-by-hop, routing, and fragmentation extension + headers. The destination options extension header(s) could appear + before or after or both before and after the AH header depending on + the semantics desired. The following diagram illustrates AH + transport mode positioning for a typical IPv6 packet. + + BEFORE APPLYING AH + --------------------------------------- + IPv6 | | ext hdrs | | | + | orig IP hdr |if present| TCP | Data | + --------------------------------------- + + AFTER APPLYING AH + ------------------------------------------------------------ + IPv6 | |hop-by-hop, dest*, | | dest | | | + |orig IP hdr |routing, fragment. | AH | opt* | TCP | Data | + ------------------------------------------------------------ + |<--- mutable field processing -->|<-- immutable fields -->| + |<---- authenticated except for mutable fields ----------->| + + * = if present, could be before AH, after AH, or both + + ESP and AH headers can be combined in a variety of modes. The IPsec + Architecture document describes the combinations of security + associations that must be supported. + + Note that in transport mode, for "bump-in-the-stack" or "bump-in- + the-wire" implementations, as defined in the Security Architecture + document, inbound and outbound IP fragments may require an IPsec + implementation to perform extra IP reassembly/fragmentation in order + to both conform to this specification and provide transparent IPsec + support. Special care is required to perform such operations within + these implementations when multiple interfaces are in use. + + + + +Kent Standards Track [Page 10] + +RFC 4302 IP Authentication Header December 2005 + + +3.1.2. Tunnel Mode + + In tunnel mode, the "inner" IP header carries the ultimate (IP) + source and destination addresses, while an "outer" IP header contains + the addresses of the IPsec "peers," e.g., addresses of security + gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6 + over IPv4 and IPv4 over IPv6. In tunnel mode, AH protects the entire + inner IP packet, including the entire inner IP header. The position + of AH in tunnel mode, relative to the outer IP header, is the same as + for AH in transport mode. The following diagram illustrates AH + tunnel mode positioning for typical IPv4 and IPv6 packets. + + ---------------------------------------------------------------- + IPv4 | | | orig IP hdr* | | | + |new IP header * (any options) | AH | (any options) |TCP| Data | + ---------------------------------------------------------------- + |<- mutable field processing ->|<------ immutable fields ----->| + |<- authenticated except for mutable fields in the new IP hdr->| + + -------------------------------------------------------------- + IPv6 | | ext hdrs*| | | ext hdrs*| | | + |new IP hdr*|if present| AH |orig IP hdr*|if present|TCP|Data| + -------------------------------------------------------------- + |<--- mutable field -->|<--------- immutable fields -------->| + | processing | + |<-- authenticated except for mutable fields in new IP hdr ->| + + * = if present, construction of outer IP hdr/extensions and + modification of inner IP hdr/extensions is discussed in + the Security Architecture document. + +3.2. Integrity Algorithms + + The integrity algorithm employed for the ICV computation is specified + by the SA. For point-to-point communication, suitable integrity + algorithms include keyed Message Authentication Codes (MACs) based on + symmetric encryption algorithms (e.g., AES [AES]) or on one-way hash + functions (e.g., MD5, SHA-1, SHA-256, etc.). For multicast + communication, a variety of cryptographic strategies for providing + integrity have been developed and research continues in this area. + +3.3. Outbound Packet Processing + + In transport mode, the sender inserts the AH header after the IP + header and before a next layer protocol header, as described above. + In tunnel mode, the outer and inner IP header/extensions can be + + + + + +Kent Standards Track [Page 11] + +RFC 4302 IP Authentication Header December 2005 + + + interrelated in a variety of ways. The construction of the outer IP + header/extensions during the encapsulation process is described in + the Security Architecture document. + +3.3.1. Security Association Lookup + + AH is applied to an outbound packet only after an IPsec + implementation determines that the packet is associated with an SA + that calls for AH processing. The process of determining what, if + any, IPsec processing is applied to outbound traffic is described in + the Security Architecture document. + +3.3.2. Sequence Number Generation + + The sender's counter is initialized to 0 when an SA is established. + The sender increments the sequence number (or ESN) counter for this + SA and inserts the low-order 32 bits of the value into the Sequence + Number field. Thus, the first packet sent using a given SA will + contain a sequence number of 1. + + If anti-replay is enabled (the default), the sender checks to ensure + that the counter has not cycled before inserting the new value in the + Sequence Number field. In other words, the sender MUST NOT send a + packet on an SA if doing so would cause the sequence number to cycle. + An attempt to transmit a packet that would result in sequence number + overflow is an auditable event. The audit log entry for this event + SHOULD include the SPI value, current date/time, Source Address, + Destination Address, and (in IPv6) the cleartext Flow ID. + + The sender assumes anti-replay is enabled as a default, unless + otherwise notified by the receiver (see Section 3.4.3) or if the SA + was configured using manual key management. Thus, typical behavior + of an AH implementation calls for the sender to establish a new SA + when the Sequence Number (or ESN) cycles, or in anticipation of this + value cycling. + + If anti-replay is disabled (as noted above), the sender does not need + to monitor or reset the counter, e.g., in the case of manual key + management (see Section 5). However, the sender still increments the + counter and when it reaches the maximum value, the counter rolls over + back to zero. (This behavior is recommended for multi-sender, + multicast SAs, unless anti-replay mechanisms outside the scope of + this standard are negotiated between the sender and receiver.) + + If ESN (see Appendix B) is selected, only the low-order 32 bits of + the sequence number are transmitted in the Sequence Number field, + although both sender and receiver maintain full 64-bit ESN counters. + However, the high-order 32 bits are included in the ICV calculation. + + + +Kent Standards Track [Page 12] + +RFC 4302 IP Authentication Header December 2005 + + + Note: If a receiver chooses not to enable anti-replay for an SA, then + the receiver SHOULD NOT negotiate ESN in an SA management protocol. + Use of ESN creates a need for the receiver to manage the anti-replay + window (in order to determine the correct value for the high-order + bits of the ESN, which are employed in the ICV computation), which is + generally contrary to the notion of disabling anti-replay for an SA. + +3.3.3. Integrity Check Value Calculation + + The AH ICV is computed over: + + o IP or extension header fields before the AH header that are + either immutable in transit or that are predictable in value + upon arrival at the endpoint for the AH SA + o the AH header (Next Header, Payload Len, Reserved, SPI, + Sequence Number (low-order 32 bits), and the ICV (which is set + to zero for this computation), and explicit padding bytes (if + any)) + o everything after AH is assumed to be immutable in transit + o the high-order bits of the ESN (if employed), and any implicit + padding required by the integrity algorithm + +3.3.3.1. Handling Mutable Fields + + If a field may be modified during transit, the value of the field is + set to zero for purposes of the ICV computation. If a field is + mutable, but its value at the (IPsec) receiver is predictable, then + that value is inserted into the field for purposes of the ICV + calculation. The Integrity Check Value field is also set to zero in + preparation for this computation. Note that by replacing each + field's value with zero, rather than omitting the field, alignment is + preserved for the ICV calculation. Also, the zero-fill approach + ensures that the length of the fields that are so handled cannot be + changed during transit, even though their contents are not explicitly + covered by the ICV. + + As a new extension header or IPv4 option is created, it will be + defined in its own RFC and SHOULD include (in the Security + Considerations section) directions for how it should be handled when + calculating the AH ICV. If the IP (v4 or v6) implementation + encounters an extension header that it does not recognize, it will + discard the packet and send an ICMP message. IPsec will never see + the packet. If the IPsec implementation encounters an IPv4 option + that it does not recognize, it should zero the whole option, using + the second byte of the option as the length. IPv6 options (in + Destination Extension Headers or the Hop-by-Hop Extension Header) + contain a flag indicating mutability, which determines appropriate + processing for such options. + + + +Kent Standards Track [Page 13] + +RFC 4302 IP Authentication Header December 2005 + + +3.3.3.1.1. ICV Computation for IPv4 + +3.3.3.1.1.1. Base Header Fields + + The IPv4 base header fields are classified as follows: + + Immutable + Version + Internet Header Length + Total Length + Identification + Protocol (This should be the value for AH.) + Source Address + Destination Address (without loose or strict source routing) + + Mutable but predictable + Destination Address (with loose or strict source routing) + + Mutable (zeroed prior to ICV calculation) + Differentiated Services Code Point (DSCP) + (6 bits, see RFC 2474 [NBBB98]) + Explicit Congestion Notification (ECN) + (2 bits, see RFC 3168 [RFB01]) + Flags + Fragment Offset + Time to Live (TTL) + Header Checksum + + DSCP - Routers may rewrite the DS field as needed to provide a + desired local or end-to-end service, thus its value upon reception + cannot be predicted by the sender. + + ECN - This will change if a router along the route experiences + congestion, and thus its value upon reception cannot be predicted by + the sender. + + Flags - This field is excluded because an intermediate router might + set the DF bit, even if the source did not select it. + + Fragment Offset - Since AH is applied only to non-fragmented IP + packets, the Offset Field must always be zero, and thus it is + excluded (even though it is predictable). + + TTL - This is changed en route as a normal course of processing by + routers, and thus its value at the receiver is not predictable by the + sender. + + + + + +Kent Standards Track [Page 14] + +RFC 4302 IP Authentication Header December 2005 + + + Header Checksum - This will change if any of these other fields + change, and thus its value upon reception cannot be predicted by the + sender. + +3.3.3.1.1.2. Options + + For IPv4 (unlike IPv6), there is no mechanism for tagging options as + mutable in transit. Hence the IPv4 options are explicitly listed in + Appendix A and classified as immutable, mutable but predictable, or + mutable. For IPv4, the entire option is viewed as a unit; so even + though the type and length fields within most options are immutable + in transit, if an option is classified as mutable, the entire option + is zeroed for ICV computation purposes. + +3.3.3.1.2. ICV Computation for IPv6 + +3.3.3.1.2.1. Base Header Fields + + The IPv6 base header fields are classified as follows: + + Immutable + Version + Payload Length + Next Header + Source Address + Destination Address (without Routing Extension Header) + + Mutable but predictable + Destination Address (with Routing Extension Header) + + Mutable (zeroed prior to ICV calculation) + DSCP (6 bits, see RFC2474 [NBBB98]) + ECN (2 bits, see RFC3168 [RFB01]) + Flow Label (*) + Hop Limit + + (*) The flow label described in AHv1 was mutable, and in + RFC 2460 [DH98] was potentially mutable. To retain + compatibility with existing AH implementations, the + flow label is not included in the ICV in AHv2. + +3.3.3.1.2.2. Extension Headers Containing Options + + IPv6 options in the Hop-by-Hop and Destination Extension Headers + contain a bit that indicates whether the option might change + (unpredictably) during transit. For any option for which contents + may change en-route, the entire "Option Data" field must be treated + as zero-valued octets when computing or verifying the ICV. The + + + +Kent Standards Track [Page 15] + +RFC 4302 IP Authentication Header December 2005 + + + Option Type and Opt Data Len are included in the ICV calculation. + All options for which the bit indicates immutability are included in + the ICV calculation. See the IPv6 specification [DH98] for more + information. + +3.3.3.1.2.3. Extension Headers Not Containing Options + + The IPv6 extension headers that do not contain options are explicitly + listed in Appendix A and classified as immutable, mutable but + predictable, or mutable. + +3.3.3.2. Padding and Extended Sequence Numbers + +3.3.3.2.1. ICV Padding + + As mentioned in Section 2.6, the ICV field may include explicit + padding if required to ensure that the AH header is a multiple of 32 + bits (IPv4) or 64 bits (IPv6). If padding is required, its length is + determined by two factors: + + - the length of the ICV + - the IP protocol version (v4 or v6) + + For example, if the output of the selected algorithm is 96 bits, no + padding is required for IPv4 or IPv6. However, if a different length + ICV is generated, due to use of a different algorithm, then padding + may be required depending on the length and IP protocol version. The + content of the padding field is arbitrarily selected by the sender. + (The padding is arbitrary, but need not be random to achieve + security.) These padding bytes are included in the ICV calculation, + counted as part of the Payload Length, and transmitted at the end of + the ICV field to enable the receiver to perform the ICV calculation. + Inclusion of padding in excess of the minimum amount required to + satisfy IPv4/IPv6 alignment requirements is prohibited. + +3.3.3.2.2. Implicit Packet Padding and ESN + + If the ESN option is elected for an SA, then the high-order 32 bits + of the ESN must be included in the ICV computation. For purposes of + ICV computation, these bits are appended (implicitly) immediately + after the end of the payload, and before any implicit packet padding. + + For some integrity algorithms, the byte string over which the ICV + computation is performed must be a multiple of a blocksize specified + by the algorithm. If the IP packet length (including AH and the 32 + high-order bits of the ESN, if enabled) does not match the blocksize + requirements for the algorithm, implicit padding MUST be appended to + the end of the packet, prior to ICV computation. The padding octets + + + +Kent Standards Track [Page 16] + +RFC 4302 IP Authentication Header December 2005 + + + MUST have a value of zero. The blocksize (and hence the length of + the padding) is specified by the algorithm specification. This + padding is not transmitted with the packet. The document that + defines an integrity algorithm MUST be consulted to determine if + implicit padding is required as described above. If the document + does not specify an answer to this, then the default is to assume + that implicit padding is required (as needed to match the packet + length to the algorithm's blocksize.) If padding bytes are needed + but the algorithm does not specify the padding contents, then the + padding octets MUST have a value of zero. + +3.3.4. Fragmentation + + If required, IP fragmentation occurs after AH processing within an + IPsec implementation. Thus, transport mode AH is applied only to + whole IP datagrams (not to IP fragments). An IPv4 packet to which AH + has been applied may itself be fragmented by routers en route, and + such fragments must be reassembled prior to AH processing at a + receiver. (This does not apply to IPv6, where there is no router- + initiated fragmentation.) In tunnel mode, AH is applied to an IP + packet, the payload of which may be a fragmented IP packet. For + example, a security gateway or a "bump-in-the-stack" or "bump-in- + the-wire" IPsec implementation (see the Security Architecture + document for details) may apply tunnel mode AH to such fragments. + + NOTE: For transport mode -- As mentioned at the end of Section 3.1.1, + bump-in-the-stack and bump-in-the-wire implementations may have to + first reassemble a packet fragmented by the local IP layer, then + apply IPsec, and then fragment the resulting packet. + + NOTE: For IPv6 -- For bump-in-the-stack and bump-in-the-wire + implementations, it will be necessary to examine all the extension + headers to determine if there is a fragmentation header and hence + that the packet needs reassembling prior to IPsec processing. + + Fragmentation, whether performed by an IPsec implementation or by + routers along the path between IPsec peers, significantly reduces + performance. Moreover, the requirement for an AH receiver to accept + fragments for reassembly creates denial of service vulnerabilities. + Thus, an AH implementation MAY choose to not support fragmentation + and may mark transmitted packets with the DF bit, to facilitate Path + MTU (PMTU) discovery. In any case, an AH implementation MUST support + generation of ICMP PMTU messages (or equivalent internal signaling + for native host implementations) to minimize the likelihood of + fragmentation. Details of the support required for MTU management + are contained in the Security Architecture document. + + + + + +Kent Standards Track [Page 17] + +RFC 4302 IP Authentication Header December 2005 + + +3.4. Inbound Packet Processing + + If there is more than one IPsec header/extension present, the + processing for each one ignores (does not zero, does not use) any + IPsec headers applied subsequent to the header being processed. + +3.4.1. Reassembly + + If required, reassembly is performed prior to AH processing. If a + packet offered to AH for processing appears to be an IP fragment, + i.e., the OFFSET field is nonzero or the MORE FRAGMENTS flag is set, + the receiver MUST discard the packet; this is an auditable event. + The audit log entry for this event SHOULD include the SPI value, + date/time, Source Address, Destination Address, and (in IPv6) the + Flow ID. + + NOTE: For packet reassembly, the current IPv4 spec does NOT require + either the zeroing of the OFFSET field or the clearing of the MORE + FRAGMENTS flag. In order for a reassembled packet to be processed by + IPsec (as opposed to discarded as an apparent fragment), the IP code + must do these two things after it reassembles a packet. + +3.4.2. Security Association Lookup + + Upon receipt of a packet containing an IP Authentication Header, the + receiver determines the appropriate (unidirectional) SA via lookup in + the SAD. For a unicast SA, this determination is based on the SPI or + the SPI plus protocol field, as described in Section 2.4. If an + implementation supports multicast traffic, the destination address is + also employed in the lookup (in addition to the SPI), and the sender + address also may be employed, as described in Section 2.4. (This + process is described in more detail in the Security Architecture + document.) The SAD entry for the SA also indicates whether the + Sequence Number field will be checked and whether 32- or 64-bit + sequence numbers are employed for the SA. The SAD entry for the SA + also specifies the algorithm(s) employed for ICV computation, and + indicates the key required to validate the ICV. + + If no valid Security Association exists for this packet the receiver + MUST discard the packet; this is an auditable event. The audit log + entry for this event SHOULD include the SPI value, date/time, Source + Address, Destination Address, and (in IPv6) the Flow ID. + + (Note that SA management traffic, such as IKE packets, does not need + to be processed based on SPI, i.e., one can de-multiplex this traffic + separately based on Next Protocol and Port fields, for example.) + + + + + +Kent Standards Track [Page 18] + +RFC 4302 IP Authentication Header December 2005 + + +3.4.3. Sequence Number Verification + + All AH implementations MUST support the anti-replay service, though + its use may be enabled or disabled by the receiver on a per-SA basis. + Anti-replay is applicable to unicast as well as multicast SAs. + However, this standard specifies no mechanisms for providing anti- + replay for a multi-sender SA (unicast or multicast). In the absence + of negotiation (or manual configuration) of an anti-replay mechanism + for such an SA, it is recommended that sender and receiver checking + of the Sequence Number for the SA be disabled (via negotiation or + manual configuration), as noted below. + + If the receiver does not enable anti-replay for an SA, no inbound + checks are performed on the Sequence Number. However, from the + perspective of the sender, the default is to assume that anti-replay + is enabled at the receiver. To avoid having the sender do + unnecessary sequence number monitoring and SA setup (see Section + 3.3.2, "Sequence Number Generation"), if an SA establishment protocol + such as IKE is employed, the receiver SHOULD notify the sender, + during SA establishment, if the receiver will not provide anti-replay + protection. + + If the receiver has enabled the anti-replay service for this SA, the + receive packet counter for the SA MUST be initialized to zero when + the SA is established. For each received packet, the receiver MUST + verify that the packet contains a Sequence Number that does not + duplicate the Sequence Number of any other packets received during + the life of this SA. This SHOULD be the first AH check applied to a + packet after it has been matched to an SA, to speed rejection of + duplicate packets. + + Duplicates are rejected through the use of a sliding receive window. + How the window is implemented is a local matter, but the following + text describes the functionality that the implementation must + exhibit. + + The "right" edge of the window represents the highest, validated + Sequence Number value received on this SA. Packets that contain + sequence numbers lower than the "left" edge of the window are + rejected. Packets falling within the window are checked against a + list of received packets within the window. + + If the ESN option is selected for an SA, only the low-order 32 bits + of the sequence number are explicitly transmitted, but the receiver + employs the full sequence number computed using the high-order 32 + bits for the indicated SA (from his local counter) when checking the + received Sequence Number against the receive window. In constructing + the full sequence number, if the low-order 32 bits carried in the + + + +Kent Standards Track [Page 19] + +RFC 4302 IP Authentication Header December 2005 + + + packet are lower in value than the low-order 32 bits of the + receiver's sequence number counter, the receiver assumes that the + high-order 32 bits have been incremented, moving to a new sequence + number subspace. (This algorithm accommodates gaps in reception for + a single SA as large as 2**32-1 packets. If a larger gap occurs, + additional, heuristic checks for re-synchronization of the receiver's + sequence number counter MAY be employed, as described in Appendix B.) + + If the received packet falls within the window and is not a + duplicate, or if the packet is to the right of the window, then the + receiver proceeds to ICV verification. If the ICV validation fails, + the receiver MUST discard the received IP datagram as invalid. This + is an auditable event. The audit log entry for this event SHOULD + include the SPI value, date/time, Source Address, Destination + Address, the Sequence Number, and (in IPv6) the Flow ID. The receive + window is updated only if the ICV verification succeeds. + + A MINIMUM window size of 32 packets MUST be supported, but a window + size of 64 is preferred and SHOULD be employed as the default. + Another window size (larger than the MINIMUM) MAY be chosen by the + receiver. (The receiver does NOT notify the sender of the window + size.) The receive window size should be increased for higher-speed + environments, irrespective of assurance issues. Values for minimum + and recommended receive window sizes for very high-speed (e.g., + multi-gigabit/second) devices are not specified by this standard. + +3.4.4. Integrity Check Value Verification + + The receiver computes the ICV over the appropriate fields of the + packet, using the specified integrity algorithm, and verifies that it + is the same as the ICV included in the ICV field of the packet. + Details of the computation are provided below. + + If the computed and received ICVs match, then the datagram is valid, + and it is accepted. If the test fails, then the receiver MUST + discard the received IP datagram as invalid. This is an auditable + event. The audit log entry SHOULD include the SPI value, date/time + received, Source Address, Destination Address, and (in IPv6) the Flow + ID. + + Implementation Note: + + Implementations can use any set of steps that results in the same + result as the following set of steps. Begin by saving the ICV + value and replacing it (but not any ICV field padding) with zero. + Zero all other fields that may have been modified during transit. + (See Section 3.3.3.1, "Handling Mutable Fields", for a discussion + of which fields are zeroed before performing the ICV calculation.) + + + +Kent Standards Track [Page 20] + +RFC 4302 IP Authentication Header December 2005 + + + If the ESN option is elected for this SA, append the high-order 32 + bits of the ESN after the end of the packet. Check the overall + length of the packet (as described above), and if it requires + implicit padding based on the requirements of the integrity + algorithm, append zero-filled bytes to the end of the packet + (after the ESN if present) as required. Perform the ICV + computation and compare the result with the saved value, using the + comparison rules defined by the algorithm specification. (For + example, if a digital signature and one-way hash are used for the + ICV computation, the matching process is more complex.) + +4. Auditing + + Not all systems that implement AH will implement auditing. However, + if AH is incorporated into a system that supports auditing, then the + AH implementation MUST also support auditing and MUST allow a system + administrator to enable or disable auditing for AH. For the most + part, the granularity of auditing is a local matter. However, + several auditable events are identified in this specification, and + for each of these events a minimum set of information that SHOULD be + included in an audit log is defined. Additional information also MAY + be included in the audit log for each of these events, and additional + events, not explicitly called out in this specification, also MAY + result in audit log entries. There is no requirement for the + receiver to transmit any message to the purported sender in response + to the detection of an auditable event, because of the potential to + induce denial of service via such action. + +5. Conformance Requirements + + Implementations that claim conformance or compliance with this + specification MUST fully implement the AH syntax and processing + described here for unicast traffic, and MUST comply with all + requirements of the Security Architecture document [Ken-Arch]. + Additionally, if an implementation claims to support multicast + traffic, it MUST comply with the additional requirements specified + for support of such traffic. If the key used to compute an ICV is + manually distributed, correct provision of the anti-replay service + would require correct maintenance of the counter state at the sender, + until the key is replaced, and there likely would be no automated + recovery provision if counter overflow were imminent. Thus, a + compliant implementation SHOULD NOT provide this service in + conjunction with SAs that are manually keyed. + + The mandatory-to-implement algorithms for use with AH are described + in a separate RFC [Eas04], to facilitate updating the algorithm + requirements independently from the protocol per se. Additional + algorithms, beyond those mandated for AH, MAY be supported. + + + +Kent Standards Track [Page 21] + +RFC 4302 IP Authentication Header December 2005 + + +6. Security Considerations + + Security is central to the design of this protocol, and these + security considerations permeate the specification. Additional + security-relevant aspects of using the IPsec protocol are discussed + in the Security Architecture document. + +7. Differences from RFC 2402 + + This document differs from RFC 2402 [RFC2402] in the following ways. + + o SPI -- modified to specify a uniform algorithm for SAD lookup + for unicast and multicast SAs, covering a wider range of + multicast technologies. For unicast, the SPI may be used + alone to select an SA, or may be combined with the protocol, + at the option of the receiver. For multicast SAs, the SPI is + combined with the destination address, and optionally the + source address, to select an SA. + o Extended Sequence Number -- added a new option for a 64-bit + sequence number for very high-speed communications. Clarified + sender and receiver processing requirements for multicast SAs + and multi-sender SAs. + o Moved references to mandatory algorithms to a separate + document [Eas04]. + +8. Acknowledgements + + The author would like to acknowledge the contributions of Ran + Atkinson, who played a critical role in initial IPsec activities, and + who authored the first series of IPsec standards: RFCs 1825-1827. + Karen Seo deserves special thanks for providing help in the editing + of this and the previous version of this specification. The author + also would like to thank the members of the IPsec and MSEC working + groups who have contributed to the development of this protocol + specification. + +9. References + +9.1. Normative References + + [Bra97] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Level", BCP 14, RFC 2119, March 1997. + + [DH98] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + + + + + +Kent Standards Track [Page 22] + +RFC 4302 IP Authentication Header December 2005 + + + [Eas04] 3rd Eastlake, D., "Cryptographic Algorithm Implementation + Requirements for Encapsulating Security Payload (ESP) and + Authentication Header (AH)", RFC 4305, December 2005. + + [Ken-Arch] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September + 1981. + + [RFC1108] Kent, S., "U.S. Department of Defense Security Options for + the Internet Protocol", RFC 1108, November 1991. + +9.2. Informative References + + [AES] Advanced Encryption Standard (AES), Federal Information + Processing Standard 197, National Institutes of Standards + and Technology, November 26, 2001. + + [HC03] Holbrook, H. and B. Cain, "Source Specific Multicast for + IP", Work in Progress, November 3, 2002. + + [IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) + Protocol", RFC 4306, December 2005. + + [Ken-ESP] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC + 4303, December 2005. + + [NBBB98] Nichols, K., Blake, S., Baker, F., and D. Black, + "Definition of the Differentiated Services Field (DS + Field) in the IPv4 and IPv6 Headers", RFC 2474, December + 1998. + + [RFB01] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition + of Explicit Congestion Notification (ECN) to IP", RFC + 3168, September 2001. + + [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP + MTU discovery options", RFC 1063, July 1988. + + [RFC1122] Braden, R., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, October 1989. + + [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, + November 1990. + + [RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385, + November 1992. + + + +Kent Standards Track [Page 23] + +RFC 4302 IP Authentication Header December 2005 + + + [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393, + January 1993. + + [RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi- + Destination Delivery", RFC 1770, March 1995. + + [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, February + 1997. + + [RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header", RFC + 2402, November 1998. + + [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The + Group Domain of Interpretation", RFC 3547, July 2003. + + [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security + Architecture", RFC 3740, March 2004. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kent Standards Track [Page 24] + +RFC 4302 IP Authentication Header December 2005 + + +Appendix A: Mutability of IP Options/Extension Headers + +A1. IPv4 Options + + This table shows how the IPv4 options are classified with regard to + "mutability". Where two references are provided, the second one + supercedes the first. This table is based in part on information + provided in RFC 1700, "ASSIGNED NUMBERS", (October 1994). + + Opt. + Copy Class # Name Reference + ---- ----- --- ------------------------- -------- + IMMUTABLE -- included in ICV calculation + 0 0 0 End of Options List [RFC791] + 0 0 1 No Operation [RFC791] + 1 0 2 Security [RFC1108] (historic but + in use) + 1 0 5 Extended Security [RFC1108] (historic but + in use) + 1 0 6 Commercial Security + 1 0 20 Router Alert [RFC2113] + 1 0 21 Sender Directed Multi- [RFC1770] + Destination Delivery + MUTABLE -- zeroed + 1 0 3 Loose Source Route [RFC791] + 0 2 4 Time Stamp [RFC791] + 0 0 7 Record Route [RFC791] + 1 0 9 Strict Source Route [RFC791] + 0 2 18 Traceroute [RFC1393] + + EXPERIMENTAL, SUPERCEDED -- zeroed + 1 0 8 Stream ID [RFC791, RFC1122 (Host + Req)] + 0 0 11 MTU Probe [RFC1063, RFC1191 (PMTU)] + 0 0 12 MTU Reply [RFC1063, RFC1191 (PMTU)] + 1 0 17 Extended Internet Protocol [RFC1385, DH98 (IPv6)] + 0 0 10 Experimental Measurement + 1 2 13 Experimental Flow Control + 1 0 14 Experimental Access Ctl + 0 0 15 ??? + 1 0 16 IMI Traffic Descriptor + 1 0 19 Address Extension + + NOTE: Use of the Router Alert option is potentially incompatible with + use of IPsec. Although the option is immutable, its use implies that + each router along a packet's path will "process" the packet and + consequently might change the packet. This would happen on a hop- + by-hop basis as the packet goes from router to router. Prior to + + + +Kent Standards Track [Page 25] + +RFC 4302 IP Authentication Header December 2005 + + + being processed by the application to which the option contents are + directed (e.g., Resource Reservation Protocol (RSVP)/Internet Group + Management Protocol (IGMP)), the packet should encounter AH + processing. However, AH processing would require that each router + along the path is a member of a multicast-SA defined by the SPI. + This might pose problems for packets that are not strictly source + routed, and it requires multicast support techniques not currently + available. + + NOTE: Addition or removal of security labels (e.g., Basic Security + Option (BSO), Extended Security Option (ESO), or Commercial Internet + Protocol Security Option (CIPSO)) by systems along a packet's path + conflicts with the classification of these IP options as immutable + and is incompatible with the use of IPsec. + + NOTE: End of Options List options SHOULD be repeated as necessary to + ensure that the IP header ends on a 4-byte boundary in order to + ensure that there are no unspecified bytes that could be used for a + covert channel. + +A2. IPv6 Extension Headers + + This table shows how the IPv6 extension headers are classified with + regard to "mutability". + + Option/Extension Name Reference + ----------------------------------- --------- + MUTABLE BUT PREDICTABLE -- included in ICV calculation + Routing (Type 0) [DH98] + + BIT INDICATES IF OPTION IS MUTABLE (CHANGES UNPREDICTABLY DURING + TRANSIT) + Hop-by-Hop options [DH98] + Destination options [DH98] + + NOT APPLICABLE + Fragmentation [DH98] + + Options -- IPv6 options in the Hop-by-Hop and Destination + Extension Headers contain a bit that indicates whether the option + might change (unpredictably) during transit. For any option for + which contents may change en route, the entire "Option Data" field + must be treated as zero-valued octets when computing or verifying + the ICV. The Option Type and Opt Data Len are included in the ICV + calculation. All options for which the bit indicates immutability + are included in the ICV calculation. See the IPv6 specification + [DH98] for more information. + + + + +Kent Standards Track [Page 26] + +RFC 4302 IP Authentication Header December 2005 + + + Routing (Type 0) -- The IPv6 Routing Header "Type 0" will + rearrange the address fields within the packet during transit from + source to destination. However, the contents of the packet as it + will appear at the receiver are known to the sender and to all + intermediate hops. Hence, the IPv6 Routing Header "Type 0" is + included in the Integrity Check Value calculation as mutable but + predictable. The sender must order the field so that it appears as + it will at the receiver, prior to performing the ICV computation. + + Fragmentation -- Fragmentation occurs after outbound IPsec + processing (Section 3.3) and reassembly occurs before inbound IPsec + processing (Section 3.4). So the Fragmentation Extension Header, if + it exists, is not seen by IPsec. + + Note that on the receive side, the IP implementation could leave a + Fragmentation Extension Header in place when it does re-assembly. If + this happens, then when AH receives the packet, before doing ICV + processing, AH MUST "remove" (or skip over) this header and change + the previous header's "Next Header" field to be the "Next Header" + field in the Fragmentation Extension Header. + + Note that on the send side, the IP implementation could give the + IPsec code a packet with a Fragmentation Extension Header with Offset + of 0 (first fragment) and a More Fragments Flag of 0 (last fragment). + If this happens, then before doing ICV processing, AH MUST first + "remove" (or skip over) this header and change the previous header's + "Next Header" field to be the "Next Header" field in the + Fragmentation Extension Header. + + + + + + + + + + + + + + + + + + + + + + + +Kent Standards Track [Page 27] + +RFC 4302 IP Authentication Header December 2005 + + +Appendix B: Extended (64-bit) Sequence Numbers + +B1. Overview + + This appendix describes an Extended Sequence Number (ESN) scheme for + use with IPsec (ESP and AH) that employs a 64-bit sequence number, + but in which only the low-order 32 bits are transmitted as part of + each packet. It covers both the window scheme used to detect + replayed packets and the determination of the high-order bits of the + sequence number that are used both for replay rejection and for + computation of the ICV. It also discusses a mechanism for handling + loss of synchronization relative to the (not transmitted) high-order + bits. + +B2. Anti-Replay Window + + The receiver will maintain an anti-replay window of size W. This + window will limit how far out of order a packet can be, relative to + the packet with the highest sequence number that has been + authenticated so far. (No requirement is established for minimum or + recommended sizes for this window, beyond the 32- and 64-packet + values already established for 32-bit sequence number windows. + However, it is suggested that an implementer scale these values + consistent with the interface speed supported by an implementation + that makes use of the ESN option. Also, the algorithm described + below assumes that the window is no greater than 2^31 packets in + width.) All 2^32 sequence numbers associated with any fixed value + for the high-order 32 bits (Seqh) will hereafter be called a sequence + number subspace. The following table lists pertinent variables and + their definitions. + + Var. Size + Name (bits) Meaning + ---- ------ --------------------------- + W 32 Size of window + T 64 Highest sequence number authenticated so far, + upper bound of window + Tl 32 Lower 32 bits of T + Th 32 Upper 32 bits of T + B 64 Lower bound of window + Bl 32 Lower 32 bits of B + Bh 32 Upper 32 bits of B + Seq 64 Sequence Number of received packet + Seql 32 Lower 32 bits of Seq + Seqh 32 Upper 32 bits of Seq + + + + + + +Kent Standards Track [Page 28] + +RFC 4302 IP Authentication Header December 2005 + + + When performing the anti-replay check, or when determining which + high-order bits to use to authenticate an incoming packet, there are + two cases: + + + Case A: Tl >= (W - 1). In this case, the window is within one + sequence number subspace. (See Figure 1) + + Case B: Tl < (W - 1). In this case, the window spans two + sequence number subspaces. (See Figure 2) + + In the figures below, the bottom line ("----") shows two consecutive + sequence number subspaces, with zeros indicating the beginning of + each subspace. The two shorter lines above it show the higher-order + bits that apply. The "====" represents the window. The "****" + represents future sequence numbers, i.e., those beyond the current + highest sequence number authenticated (ThTl). + + Th+1 ********* + + Th =======***** + + --0--------+-----+-----0--------+-----------0-- + Bl Tl Bl + (Bl+2^32) mod 2^32 + + Figure 1 -- Case A + + + Th ====************** + + Th-1 === + + --0-----------------+--0--+--------------+--0-- + Bl Tl Bl + (Bl+2^32) mod 2^32 + + Figure 2 -- Case B + +B2.1. Managing and Using the Anti-Replay Window + + The anti-replay window can be thought of as a string of bits where + `W' defines the length of the string. W = T - B + 1 and cannot + exceed 2^32 - 1 in value. The bottom-most bit corresponds to B and + the top-most bit corresponds to T, and each sequence number from Bl + through Tl is represented by a corresponding bit. The value of the + bit indicates whether or not a packet with that sequence number has + been received and authenticated, so that replays can be detected and + rejected. + + + + +Kent Standards Track [Page 29] + +RFC 4302 IP Authentication Header December 2005 + + + When a packet with a 64-bit sequence number (Seq) greater than T is + received and validated, + + + B is increased by (Seq - T) + + (Seq - T) bits are dropped from the low end of the window + + (Seq - T) bits are added to the high end of the window + + The top bit is set to indicate that a packet with that sequence + number has been received and authenticated + + The new bits between T and the top bit are set to indicate that + no packets with those sequence numbers have been received yet. + + T is set to the new sequence number + + In checking for replayed packets, + + + Under Case A: If Seql >= Bl (where Bl = Tl - W + 1) AND + Seql <= Tl, then check the corresponding bit in the window to + see if this Seql has already been seen. If yes, reject the + packet. If no, perform integrity check (see Appendix B2.2 + below for determination of SeqH). + + + Under Case B: If Seql >= Bl (where Bl = Tl - W + 1) OR + Seql <= Tl, then check the corresponding bit in the window to + see if this Seql has already been seen. If yes, reject the + packet. If no, perform integrity check (see Appendix B2.2 + below for determination of Seqh). + +B2.2. Determining the Higher-Order Bits (Seqh) of the Sequence Number + + Because only `Seql' will be transmitted with the packet, the receiver + must deduce and track the sequence number subspace into which each + packet falls, i.e., determine the value of Seqh. The following + equations define how to select Seqh under "normal" conditions; see + Appendix B3 for a discussion of how to recover from extreme packet + loss. + + + Under Case A (Figure 1): + If Seql >= Bl (where Bl = Tl - W + 1), then Seqh = Th + If Seql < Bl (where Bl = Tl - W + 1), then Seqh = Th + 1 + + + Under Case B (Figure 2): + If Seql >= Bl (where Bl = Tl - W + 1), then Seqh = Th - 1 + If Seql < Bl (where Bl = Tl - W + 1), then Seqh = Th + + + + + + + + + +Kent Standards Track [Page 30] + +RFC 4302 IP Authentication Header December 2005 + + +B2.3. Pseudo-Code Example + + The following pseudo-code illustrates the above algorithms for anti- + replay and integrity checks. The values for `Seql', `Tl', `Th', and + `W' are 32-bit unsigned integers. Arithmetic is mod 2^32. + + If (Tl >= W - 1) Case A + If (Seql >= Tl - W + 1) + Seqh = Th + If (Seql <= Tl) + If (pass replay check) + If (pass integrity check) + Set bit corresponding to Seql + Pass the packet on + Else reject packet + Else reject packet + Else + If (pass integrity check) + Tl = Seql (shift bits) + Set bit corresponding to Seql + Pass the packet on + Else reject packet + Else + Seqh = Th + 1 + If (pass integrity check) + Tl = Seql (shift bits) + Th = Th + 1 + Set bit corresponding to Seql + Pass the packet on + Else reject packet + Else Case B + If (Seql >= Tl - W + 1) + Seqh = Th - 1 + If (pass replay check) + If (pass integrity check) + Set the bit corresponding to Seql + Pass packet on + Else reject packet + Else reject packet + Else + Seqh = Th + If (Seql <= Tl) + If (pass replay check) + If (pass integrity check) + Set the bit corresponding to Seql + Pass packet on + Else reject packet + Else reject packet + + + +Kent Standards Track [Page 31] + +RFC 4302 IP Authentication Header December 2005 + + + Else + If (pass integrity check) + Tl = Seql (shift bits) + Set the bit corresponding to Seql + Pass packet on + Else reject packet + +B3. Handling Loss of Synchronization due to Significant Packet Loss + + If there is an undetected packet loss of 2^32 or more consecutive + packets on a single SA, then the transmitter and receiver will lose + synchronization of the high-order bits, i.e., the equations in + Appendix B2.2. will fail to yield the correct value. Unless this + problem is detected and addressed, subsequent packets on this SA will + fail authentication checks and be discarded. The following procedure + SHOULD be implemented by any IPsec (ESP or AH) implementation that + supports the ESN option. + + Note that this sort of extended traffic loss seems unlikely to occur + if any significant fraction of the traffic on the SA in question is + TCP, because the source would fail to receive ACKs and would stop + sending long before 2^32 packets had been lost. Also, for any bi- + directional application, even ones operating above UDP, such an + extended outage would likely result in triggering some form of + timeout. However, a unidirectional application, operating over UDP, + might lack feedback that would cause automatic detection of a loss of + this magnitude, hence the motivation to develop a recovery method for + this case. + + The solution we've chosen was selected to: + + + minimize the impact on normal traffic processing. + + + avoid creating an opportunity for a new denial of service attack + such as might occur by allowing an attacker to force diversion of + resources to a re-synchronization process. + + limit the recovery mechanism to the receiver because anti-replay + is a service only for the receiver, and the transmitter generally + is not aware of whether the receiver is using sequence numbers in + support of this optional service. It is preferable for recovery + mechanisms to be local to the receiver. This also allows for + backward compatibility. + + + + + + + + + +Kent Standards Track [Page 32] + +RFC 4302 IP Authentication Header December 2005 + + +B3.1. Triggering Re-synchronization + + For each SA, the receiver records the number of consecutive packets + that fail authentication. This count is used to trigger the re- + synchronization process, which should be performed in the background + or using a separate processor. Receipt of a valid packet on the SA + resets the counter to zero. The value used to trigger the re- + synchronization process is a local parameter. There is no + requirement to support distinct trigger values for different SAs, + although an implementer may choose to do so. + +B3.2. Re-synchronization Process + + When the above trigger point is reached, a "bad" packet is selected + for which authentication is retried using successively larger values + for the upper half of the sequence number (Seqh). These values are + generated by incrementing by one for each retry. The number of + retries should be limited, in case this is a packet from the "past" + or a bogus packet. The limit value is a local parameter. (Because + the Seqh value is implicitly placed after the AH (or ESP) payload, it + may be possible to optimize this procedure by executing the integrity + algorithm over the packet up to the endpoint of the payload, then + compute different candidate ICVs by varying the value of Seqh.) + Successful authentication of a packet via this procedure resets the + consecutive failure count and sets the value of T to that of the + received packet. + + This solution requires support only on the part of the receiver, + thereby allowing for backward compatibility. Also, because re- + synchronization efforts would either occur in the background or + utilize an additional processor, this solution does not impact + traffic processing and a denial of service attack cannot divert + resources away from traffic processing. + +Author's Address + + Stephen Kent + BBN Technologies + 10 Moulton Street + Cambridge, MA 02138 + USA + + Phone: +1 (617) 873-3988 + EMail: kent@bbn.com + + + + + + + +Kent Standards Track [Page 33] + +RFC 4302 IP Authentication Header December 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Kent Standards Track [Page 34] + -- cgit v1.2.3