From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc8229.txt | 1403 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1403 insertions(+) create mode 100644 doc/rfc/rfc8229.txt (limited to 'doc/rfc/rfc8229.txt') diff --git a/doc/rfc/rfc8229.txt b/doc/rfc/rfc8229.txt new file mode 100644 index 0000000..696f36c --- /dev/null +++ b/doc/rfc/rfc8229.txt @@ -0,0 +1,1403 @@ + + + + + + +Internet Engineering Task Force (IETF) T. Pauly +Request for Comments: 8229 Apple Inc. +Category: Standards Track S. Touati +ISSN: 2070-1721 Ericsson + R. Mantha + Cisco Systems + August 2017 + + + TCP Encapsulation of IKE and IPsec Packets + +Abstract + + This document describes a method to transport Internet Key Exchange + Protocol (IKE) and IPsec packets over a TCP connection for traversing + network middleboxes that may block IKE negotiation over UDP. This + method, referred to as "TCP encapsulation", involves sending both IKE + packets for Security Association establishment and Encapsulating + Security Payload (ESP) packets over a TCP connection. This method is + intended to be used as a fallback option when IKE cannot be + negotiated over UDP. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc8229. + + + + + + + + + + + + + + + + +Pauly, et al. Standards Track [Page 1] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +Copyright Notice + + Copyright (c) 2017 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Prior Work and Motivation ..................................4 + 1.2. Terminology and Notation ...................................5 + 2. Configuration ...................................................5 + 3. TCP-Encapsulated Header Formats .................................6 + 3.1. TCP-Encapsulated IKE Header Format .........................6 + 3.2. TCP-Encapsulated ESP Header Format .........................7 + 4. TCP-Encapsulated Stream Prefix ..................................7 + 5. Applicability ...................................................8 + 5.1. Recommended Fallback from UDP ..............................8 + 6. Connection Establishment and Teardown ...........................9 + 7. Interaction with NAT Detection Payloads ........................11 + 8. Using MOBIKE with TCP Encapsulation ............................11 + 9. Using IKE Message Fragmentation with TCP Encapsulation .........12 + 10. Considerations for Keep-Alives and Dead Peer Detection ........12 + 11. Middlebox Considerations ......................................12 + 12. Performance Considerations ....................................13 + 12.1. TCP-in-TCP ...............................................13 + 12.2. Added Reliability for Unreliable Protocols ...............14 + 12.3. Quality-of-Service Markings ..............................14 + 12.4. Maximum Segment Size .....................................14 + 12.5. Tunneling ECN in TCP .....................................14 + 13. Security Considerations .......................................15 + 14. IANA Considerations ...........................................16 + 15. References ....................................................16 + 15.1. Normative References .....................................16 + 15.2. Informative References ...................................17 + + + + + + + +Pauly, et al. Standards Track [Page 2] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Appendix A. Using TCP Encapsulation with TLS ......................18 + Appendix B. Example Exchanges of TCP Encapsulation with TLS .......19 + B.1. Establishing an IKE Session ................................19 + B.2. Deleting an IKE Session ....................................21 + B.3. Re-establishing an IKE Session .............................22 + B.4. Using MOBIKE between UDP and TCP Encapsulation .............23 + Acknowledgments ...................................................25 + Authors' Addresses ................................................25 + +1. Introduction + + The Internet Key Exchange Protocol version 2 (IKEv2) [RFC7296] is a + protocol for establishing IPsec Security Associations (SAs), using + IKE messages over UDP for control traffic, and using Encapsulating + Security Payload (ESP) [RFC4303] messages for encrypted data traffic. + Many network middleboxes that filter traffic on public hotspots block + all UDP traffic, including IKE and IPsec, but allow TCP connections + through because they appear to be web traffic. Devices on these + networks that need to use IPsec (to access private enterprise + networks, to route Voice over IP calls to carrier networks, or + because of security policies) are unable to establish IPsec SAs. + This document defines a method for encapsulating IKE control messages + as well as IPsec data messages within a TCP connection. + + Using TCP as a transport for IPsec packets adds a third option to the + list of traditional IPsec transports: + + 1. Direct. Currently, IKE negotiations begin over UDP port 500. If + no Network Address Translation (NAT) device is detected between + the Initiator and the Responder, then subsequent IKE packets are + sent over UDP port 500, and IPsec data packets are sent + using ESP. + + 2. UDP Encapsulation [RFC3948]. If a NAT is detected between the + Initiator and the Responder, then subsequent IKE packets are sent + over UDP port 4500 with four bytes of zero at the start of the + UDP payload, and ESP packets are sent out over UDP port 4500. + Some peers default to using UDP encapsulation even when no NAT is + detected on the path, as some middleboxes do not support IP + protocols other than TCP and UDP. + + 3. TCP Encapsulation. If the other two methods are not available or + appropriate, IKE negotiation packets as well as ESP packets can + be sent over a single TCP connection to the peer. + + + + + + + +Pauly, et al. Standards Track [Page 3] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Direct use of ESP or UDP encapsulation should be preferred by + IKE implementations due to performance concerns when using + TCP encapsulation (Section 12). Most implementations should use + TCP encapsulation only on networks where negotiation over UDP has + been attempted without receiving responses from the peer or if a + network is known to not support UDP. + +1.1. Prior Work and Motivation + + Encapsulating IKE connections within TCP streams is a common approach + to solve the problem of UDP packets being blocked by network + middleboxes. The specific goals of this document are as follows: + + o To promote interoperability by defining a standard method of + framing IKE and ESP messages within TCP streams. + + o To be compatible with the current IKEv2 standard without requiring + modifications or extensions. + + o To use IKE over UDP by default to avoid the overhead of other + alternatives that always rely on TCP or Transport Layer Security + (TLS) [RFC5246]. + + Some previous alternatives include: + + Cellular Network Access + Interworking Wireless LAN (IWLAN) uses IKEv2 to create secure + connections to cellular carrier networks for making voice calls + and accessing other network services over Wi-Fi networks. 3GPP has + recommended that IKEv2 and ESP packets be sent within a TLS + connection to be able to establish connections on restrictive + networks. + + ISAKMP over TCP + Various non-standard extensions to the Internet Security + Association and Key Management Protocol (ISAKMP) have been + deployed that send IPsec traffic over TCP or TCP-like packets. + + Secure Sockets Layer (SSL) VPNs + Many proprietary VPN solutions use a combination of TLS and IPsec + in order to provide reliability. These often run on TCP port 443. + + IKEv2 over TCP + IKEv2 over TCP as described in [IKE-over-TCP] is used to avoid UDP + fragmentation. + + + + + + +Pauly, et al. Standards Track [Page 4] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +1.2. Terminology and Notation + + This document distinguishes between the IKE peer that initiates TCP + connections to be used for TCP encapsulation and the roles of + Initiator and Responder for particular IKE messages. During the + course of IKE exchanges, the role of IKE Initiator and Responder may + swap for a given SA (as with IKE SA rekeys), while the Initiator of + the TCP connection is still responsible for tearing down the TCP + connection and re-establishing it if necessary. For this reason, + this document will use the term "TCP Originator" to indicate the IKE + peer that initiates TCP connections. The peer that receives TCP + connections will be referred to as the "TCP Responder". If an IKE SA + is rekeyed one or more times, the TCP Originator MUST remain the peer + that originally initiated the first IKE SA. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +2. Configuration + + One of the main reasons to use TCP encapsulation is that UDP traffic + may be entirely blocked on a network. Because of this, support for + TCP encapsulation is not specifically negotiated in the IKE exchange. + Instead, support for TCP encapsulation must be pre-configured on both + the TCP Originator and the TCP Responder. + + Implementations MUST support TCP encapsulation on TCP port 4500, + which is reserved for IPsec NAT traversal. + + Beyond a flag indicating support for TCP encapsulation, the + configuration for each peer can include the following optional + parameters: + + o Alternate TCP ports on which the specific TCP Responder listens + for incoming connections. Note that the TCP Originator may + initiate TCP connections to the TCP Responder from any local port. + + o An extra framing protocol to use on top of TCP to further + encapsulate the stream of IKE and IPsec packets. See Appendix A + for a detailed discussion. + + + + + + + + +Pauly, et al. Standards Track [Page 5] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Since TCP encapsulation of IKE and IPsec packets adds overhead and + has potential performance trade-offs compared to direct or + UDP-encapsulated SAs (as described in Section 12), implementations + SHOULD prefer ESP direct or UDP-encapsulated SAs over + TCP-encapsulated SAs when possible. + +3. TCP-Encapsulated Header Formats + + Like UDP encapsulation, TCP encapsulation uses the first four bytes + of a message to differentiate IKE and ESP messages. TCP + encapsulation also adds a Length field to define the boundaries of + messages within a stream. The message length is sent in a 16-bit + field that precedes every message. If the first 32 bits of the + message are zeros (a non-ESP marker), then the contents comprise an + IKE message. Otherwise, the contents comprise an ESP message. + Authentication Header (AH) messages are not supported for TCP + encapsulation. + + Although a TCP stream may be able to send very long messages, + implementations SHOULD limit message lengths to typical UDP datagram + ESP payload lengths. The maximum message length is used as the + effective MTU for connections that are being encrypted using ESP, so + the maximum message length will influence characteristics of inner + connections, such as the TCP Maximum Segment Size (MSS). + + Note that this method of encapsulation will also work for placing IKE + and ESP messages within any protocol that presents a stream + abstraction, beyond TCP. + +3.1. TCP-Encapsulated IKE Header Format + + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Non-ESP Marker | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ IKE header [RFC7296] ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1 + + + + + + + +Pauly, et al. Standards Track [Page 6] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + The IKE header is preceded by a 16-bit Length field in network byte + order that specifies the length of the IKE message (including the + non-ESP marker) within the TCP stream. As with IKE over UDP + port 4500, a zeroed 32-bit non-ESP marker is inserted before the + start of the IKE header in order to differentiate the traffic from + ESP traffic between the same addresses and ports. + + o Length (2 octets, unsigned integer) - Length of the IKE packet, + including the Length field and non-ESP marker. + +3.2. TCP-Encapsulated ESP Header Format + + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + ~ ESP header [RFC4303] ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 2 + + The ESP header is preceded by a 16-bit Length field in network byte + order that specifies the length of the ESP packet within the TCP + stream. + + The Security Parameter Index (SPI) field [RFC7296] in the ESP header + MUST NOT be a zero value. + + o Length (2 octets, unsigned integer) - Length of the ESP packet, + including the Length field. + +4. TCP-Encapsulated Stream Prefix + + Each stream of bytes used for IKE and IPsec encapsulation MUST begin + with a fixed sequence of six bytes as a magic value, containing the + characters "IKETCP" as ASCII values. This value is intended to + identify and validate that the TCP connection is being used for TCP + encapsulation as defined in this document, to avoid conflicts with + the prevalence of previous non-standard protocols that used TCP + port 4500. This value is only sent once, by the TCP Originator only, + at the beginning of any stream of IKE and ESP messages. + + If other framing protocols are used within TCP to further encapsulate + or encrypt the stream of IKE and ESP messages, the stream prefix must + be at the start of the TCP Originator's IKE and ESP message stream + + + +Pauly, et al. Standards Track [Page 7] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + within the added protocol layer (Appendix A). Although some framing + protocols do support negotiating inner protocols, the stream prefix + should always be used in order for implementations to be as generic + as possible and not rely on other framing protocols on top of TCP. + + 0 1 2 3 4 5 + +------+------+------+------+------+------+ + | 0x49 | 0x4b | 0x45 | 0x54 | 0x43 | 0x50 | + +------+------+------+------+------+------+ + + Figure 3 + +5. Applicability + + TCP encapsulation is applicable only when it has been configured to + be used with specific IKE peers. If a Responder is configured to use + TCP encapsulation, it MUST listen on the configured port(s) in case + any peers will initiate new IKE sessions. Initiators MAY use TCP + encapsulation for any IKE session to a peer that is configured to + support TCP encapsulation, although it is recommended that Initiators + should only use TCP encapsulation when traffic over UDP is blocked. + + Since the support of TCP encapsulation is a configured property, not + a negotiated one, it is recommended that if there are multiple IKE + endpoints representing a single peer (such as multiple machines with + different IP addresses when connecting by Fully Qualified Domain + Name, or endpoints used with IKE redirection), all of the endpoints + equally support TCP encapsulation. + + If TCP encapsulation is being used for a specific IKE SA, all + messages for that IKE SA and its Child SAs MUST be sent over a TCP + connection until the SA is deleted or IKEv2 Mobility and Multihoming + (MOBIKE) is used to change the SA endpoints and/or the encapsulation + protocol. See Section 8 for more details on using MOBIKE to + transition between encapsulation modes. + +5.1. Recommended Fallback from UDP + + Since UDP is the preferred method of transport for IKE messages, + implementations that use TCP encapsulation should have an algorithm + for deciding when to use TCP after determining that UDP is unusable. + If an Initiator implementation has no prior knowledge about the + network it is on and the status of UDP on that network, it SHOULD + always attempt to negotiate IKE over UDP first. IKEv2 defines how to + use retransmission timers with IKE messages and, specifically, + IKE_SA_INIT messages [RFC7296]. Generally, this means that the + implementation will define a frequency of retransmission and the + maximum number of retransmissions allowed before marking the IKE SA + + + +Pauly, et al. Standards Track [Page 8] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + as failed. An implementation can attempt negotiation over TCP once + it has hit the maximum retransmissions over UDP, or slightly before + to reduce connection setup delays. It is recommended that the + initial message over UDP be retransmitted at least once before + falling back to TCP, unless the Initiator knows beforehand that the + network is likely to block UDP. + +6. Connection Establishment and Teardown + + When the IKE Initiator uses TCP encapsulation, it will initiate a TCP + connection to the Responder using the configured TCP port. The first + bytes sent on the stream MUST be the stream prefix value (Section 4). + After this prefix, encapsulated IKE messages will negotiate the IKE + SA and initial Child SA [RFC7296]. After this point, both + encapsulated IKE (Figure 1) and ESP (Figure 2) messages will be sent + over the TCP connection. The TCP Responder MUST wait for the entire + stream prefix to be received on the stream before trying to parse out + any IKE or ESP messages. The stream prefix is sent only once, and + only by the TCP Originator. + + In order to close an IKE session, either the Initiator or Responder + SHOULD gracefully tear down IKE SAs with DELETE payloads. Once the + SA has been deleted, the TCP Originator SHOULD close the TCP + connection if it does not intend to use the connection for another + IKE session to the TCP Responder. If the connection is left idle and + the TCP Responder needs to clean up resources, the TCP Responder MAY + close the TCP connection. + + An unexpected FIN or a TCP Reset on the TCP connection may indicate a + loss of connectivity, an attack, or some other error. If a DELETE + payload has not been sent, both sides SHOULD maintain the state for + their SAs for the standard lifetime or timeout period. The TCP + Originator is responsible for re-establishing the TCP connection if + it is torn down for any unexpected reason. Since new TCP connections + may use different ports due to NAT mappings or local port allocations + changing, the TCP Responder MUST allow packets for existing SAs to be + received from new source ports. + + A peer MUST discard a partially received message due to a broken + connection. + + Whenever the TCP Originator opens a new TCP connection to be used for + an existing IKE SA, it MUST send the stream prefix first, before any + IKE or ESP messages. This follows the same behavior as the initial + TCP connection. + + + + + + +Pauly, et al. Standards Track [Page 9] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + If a TCP connection is being used to resume a previous IKE session, + the TCP Responder can recognize the session using either the IKE SPI + from an encapsulated IKE message or the ESP SPI from an encapsulated + ESP message. If the session had been fully established previously, + it is suggested that the TCP Originator send an UPDATE_SA_ADDRESSES + message if MOBIKE is supported, or an informational message (a + keep-alive) otherwise. + + The TCP Responder MUST NOT accept any messages for the existing IKE + session on a new incoming connection, unless that connection begins + with the stream prefix. If either the TCP Originator or TCP + Responder detects corruption on a connection that was started with a + valid stream prefix, it SHOULD close the TCP connection. The + connection can be determined to be corrupted if there are too many + subsequent messages that cannot be parsed as valid IKE messages or + ESP messages with known SPIs, or if the authentication check for an + ESP message with a known SPI fails. Implementations SHOULD NOT + tear down a connection if only a single ESP message has an unknown + SPI, since the SPI databases may be momentarily out of sync. If + there is instead a syntax issue within an IKE message, an + implementation MUST send the INVALID_SYNTAX notify payload and + tear down the IKE SA as usual, rather than tearing down the TCP + connection directly. + + A TCP Originator SHOULD only open one TCP connection per IKE SA, over + which it sends all of the corresponding IKE and ESP messages. This + helps ensure that any firewall or NAT mappings allocated for the TCP + connection apply to all of the traffic associated with the IKE SA + equally. + + Similarly, a TCP Responder SHOULD at any given time send packets for + an IKE SA and its Child SAs over only one TCP connection. It SHOULD + choose the TCP connection on which it last received a valid and + decryptable IKE or ESP message. In order to be considered valid for + choosing a TCP connection, an IKE message must be successfully + decrypted and authenticated, not be a retransmission of a previously + received message, and be within the expected window for IKE + message IDs. Similarly, an ESP message must pass authentication + checks and be decrypted, and must not be a replay of a previous + message. + + Since a connection may be broken and a new connection re-established + by the TCP Originator without the TCP Responder being aware, a TCP + Responder SHOULD accept receiving IKE and ESP messages on both old + and new connections until the old connection is closed by the TCP + Originator. A TCP Responder MAY close a TCP connection that it + perceives as idle and extraneous (one previously used for IKE and ESP + messages that has been replaced by a new connection). + + + +Pauly, et al. Standards Track [Page 10] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Multiple IKE SAs MUST NOT share a single TCP connection, unless one + is a rekey of an existing IKE SA, in which case there will + temporarily be two IKE SAs on the same TCP connection. + +7. Interaction with NAT Detection Payloads + + When negotiating over UDP port 500, IKE_SA_INIT packets include + NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to + determine if UDP encapsulation of IPsec packets should be used. + These payloads contain SHA-1 digests of the SPIs, IP addresses, and + ports as defined in [RFC7296]. IKE_SA_INIT packets sent on a TCP + connection SHOULD include these payloads with the same content as + when sending over UDP and SHOULD use the applicable TCP ports when + creating and checking the SHA-1 digests. + + If a NAT is detected due to the SHA-1 digests not matching the + expected values, no change should be made for encapsulation of + subsequent IKE or ESP packets, since TCP encapsulation inherently + supports NAT traversal. Implementations MAY use the information that + a NAT is present to influence keep-alive timer values. + + If a NAT is detected, implementations need to handle transport mode + TCP and UDP packet checksum fixup as defined for UDP encapsulation in + [RFC3948]. + +8. Using MOBIKE with TCP Encapsulation + + When an IKE session that has negotiated MOBIKE [RFC4555] is + transitioning between networks, the Initiator of the transition may + switch between using TCP encapsulation, UDP encapsulation, or no + encapsulation. Implementations that implement both MOBIKE and TCP + encapsulation MUST support dynamically enabling and disabling TCP + encapsulation as interfaces change. + + When a MOBIKE-enabled Initiator changes networks, the + UPDATE_SA_ADDRESSES notification SHOULD be sent out first over UDP + before attempting over TCP. If there is a response to the + UPDATE_SA_ADDRESSES notification sent over UDP, then the ESP packets + should be sent directly over IP or over UDP port 4500 (depending on + if a NAT was detected), regardless of if a connection on a previous + network was using TCP encapsulation. Similarly, if the Responder + only responds to the UPDATE_SA_ADDRESSES notification over TCP, then + the ESP packets should be sent over the TCP connection, regardless of + if a connection on a previous network did not use TCP encapsulation. + + + + + + + +Pauly, et al. Standards Track [Page 11] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +9. Using IKE Message Fragmentation with TCP Encapsulation + + IKE message fragmentation [RFC7383] is not required when using TCP + encapsulation, since a TCP stream already handles the fragmentation + of its contents across packets. Since fragmentation is redundant in + this case, implementations might choose to not negotiate IKE + fragmentation. Even if fragmentation is negotiated, an + implementation SHOULD NOT send fragments when going over a TCP + connection, although it MUST support receiving fragments. + + If an implementation supports both MOBIKE and IKE fragmentation, it + SHOULD negotiate IKE fragmentation over a TCP-encapsulated session in + case the session switches to UDP encapsulation on another network. + +10. Considerations for Keep-Alives and Dead Peer Detection + + Encapsulating IKE and IPsec inside of a TCP connection can impact the + strategy that implementations use to detect peer liveness and to + maintain middlebox port mappings. Peer liveness should be checked + using IKE informational packets [RFC7296]. + + In general, TCP port mappings are maintained by NATs longer than UDP + port mappings, so IPsec ESP NAT keep-alives [RFC3948] SHOULD NOT be + sent when using TCP encapsulation. Any implementation using TCP + encapsulation MUST silently drop incoming NAT keep-alive packets + and not treat them as errors. NAT keep-alive packets over a + TCP-encapsulated IPsec connection will be sent as an ESP message with + a one-octet-long payload with the value 0xFF. + + Note that, depending on the configuration of TCP and TLS on the + connection, TCP keep-alives [RFC1122] and TLS keep-alives [RFC6520] + may be used. These MUST NOT be used as indications of IKE peer + liveness. + +11. Middlebox Considerations + + Many security networking devices, such as firewalls or intrusion + prevention systems, network optimization/acceleration devices, and + NAT devices, keep the state of sessions that traverse through them. + + These devices commonly track the transport-layer and/or application- + layer data to drop traffic that is anomalous or malicious in nature. + While many of these devices will be more likely to pass + TCP-encapsulated traffic as opposed to UDP-encapsulated traffic, some + may still block or interfere with TCP-encapsulated IKE and IPsec + traffic. + + + + + +Pauly, et al. Standards Track [Page 12] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + A network device that monitors the transport layer will track the + state of TCP sessions, such as TCP sequence numbers. TCP + encapsulation of IKE should therefore use standard TCP behaviors to + avoid being dropped by middleboxes. + +12. Performance Considerations + + Several aspects of TCP encapsulation for IKE and IPsec packets may + negatively impact the performance of connections within a tunnel-mode + IPsec SA. Implementations should be aware of these performance + impacts and take these into consideration when determining when to + use TCP encapsulation. Implementations SHOULD favor using direct ESP + or UDP encapsulation over TCP encapsulation whenever possible. + +12.1. TCP-in-TCP + + If the outer connection between IKE peers is over TCP, inner TCP + connections may suffer negative effects from using TCP within TCP. + Running TCP within TCP is discouraged, since the TCP algorithms + generally assume that they are running over an unreliable datagram + layer. + + If the outer (tunnel) TCP connection experiences packet loss, this + loss will be hidden from any inner TCP connections, since the outer + connection will retransmit to account for the losses. Since the + outer TCP connection will deliver the inner messages in order, any + messages after a lost packet may have to wait until the loss is + recovered. This means that loss on the outer connection will be + interpreted only as delay by inner connections. The burstiness of + inner traffic can increase, since a large number of inner packets may + be delivered across the tunnel at once. The inner TCP connection may + interpret a long period of delay as a transmission problem, + triggering a retransmission timeout, which will cause spurious + retransmissions. The sending rate of the inner connection may be + unnecessarily reduced if the retransmissions are not detected as + spurious in time. + + The inner TCP connection's round-trip-time estimation will be + affected by the burstiness of the outer TCP connection if there are + long delays when packets are retransmitted by the outer TCP + connection. This will make the congestion control loop of the inner + TCP traffic less reactive, potentially permanently leading to a lower + sending rate than the outer TCP would allow for. + + + + + + + + +Pauly, et al. Standards Track [Page 13] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + TCP-in-TCP can also lead to increased buffering, or bufferbloat. + This can occur when the window size of the outer TCP connection is + reduced and becomes smaller than the window sizes of the inner TCP + connections. This can lead to packets backing up in the outer TCP + connection's send buffers. In order to limit this effect, the outer + TCP connection should have limits on its send buffer size and on the + rate at which it reduces its window size. + + Note that any negative effects will be shared between all flows going + through the outer TCP connection. This is of particular concern for + any latency-sensitive or real-time applications using the tunnel. If + such traffic is using a TCP-encapsulated IPsec connection, it is + recommended that the number of inner connections sharing the tunnel + be limited as much as possible. + +12.2. Added Reliability for Unreliable Protocols + + Since ESP is an unreliable protocol, transmitting ESP packets over a + TCP connection will change the fundamental behavior of the packets. + Some application-level protocols that prefer packet loss to delay + (such as Voice over IP or other real-time protocols) may be + negatively impacted if their packets are retransmitted by the TCP + connection due to packet loss. + +12.3. Quality-of-Service Markings + + Quality-of-Service (QoS) markings, such as the Differentiated + Services Code Point (DSCP) and Traffic Class, should be used with + care on TCP connections used for encapsulation. Individual packets + SHOULD NOT use different markings than the rest of the connection, + since packets with different priorities may be routed differently and + cause unnecessary delays in the connection. + +12.4. Maximum Segment Size + + A TCP connection used for IKE encapsulation SHOULD negotiate its MSS + in order to avoid unnecessary fragmentation of packets. + +12.5. Tunneling ECN in TCP + + Since there is not a one-to-one relationship between outer IP packets + and inner ESP/IP messages when using TCP encapsulation, the markings + for Explicit Congestion Notification (ECN) [RFC3168] cannot be simply + mapped. However, any ECN Congestion Experienced (CE) marking on + inner headers should be preserved through the tunnel. + + + + + + +Pauly, et al. Standards Track [Page 14] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Implementations SHOULD follow the ECN compatibility mode for tunnel + ingress as described in [RFC6040]. In compatibility mode, the outer + tunnel TCP connection marks its packet headers as not ECN-capable. + If upon egress, the arriving outer header is marked with CE, the + implementation will drop the inner packet, since there is not a + distinct inner packet header onto which to translate the ECN + markings. + +13. Security Considerations + + IKE Responders that support TCP encapsulation may become vulnerable + to new Denial-of-Service (DoS) attacks that are specific to TCP, such + as SYN-flooding attacks. TCP Responders should be aware of this + additional attack surface. + + TCP Responders should be careful to ensure that (1) the stream prefix + "IKETCP" uniquely identifies incoming streams as streams that use the + TCP encapsulation protocol and (2) they are not running any other + protocols on the same listening port (to avoid potential conflicts). + + Attackers may be able to disrupt the TCP connection by sending + spurious TCP Reset packets. Therefore, implementations SHOULD make + sure that IKE session state persists even if the underlying TCP + connection is torn down. + + If MOBIKE is being used, all of the security considerations outlined + for MOBIKE apply [RFC4555]. + + Similarly to MOBIKE, TCP encapsulation requires a TCP Responder to + handle changes to source address and port due to network or + connection disruption. The successful delivery of valid IKE or ESP + messages over a new TCP connection is used by the TCP Responder to + determine where to send subsequent responses. If an attacker is able + to send packets on a new TCP connection that pass the validation + checks of the TCP Responder, it can influence which path future + packets will take. For this reason, the validation of messages on + the TCP Responder must include decryption, authentication, and replay + checks. + + Since TCP provides reliable, in-order delivery of ESP messages, the + ESP anti-replay window size SHOULD be set to 1. See [RFC4303] for a + complete description of the ESP anti-replay window. This increases + the protection of implementations against replay attacks. + + + + + + + + +Pauly, et al. Standards Track [Page 15] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +14. IANA Considerations + + TCP port 4500 is already allocated to IPsec for NAT traversal. This + port SHOULD be used for TCP-encapsulated IKE and ESP as described in + this document. + + This document updates the reference for TCP port 4500: + + Keyword Decimal Description Reference + ----------- -------- ------------------- --------- + ipsec-nat-t 4500/tcp IPsec NAT-Traversal RFC 8229 + + Figure 4 + +15. References + +15.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. + Stenberg, "UDP Encapsulation of IPsec ESP Packets", + RFC 3948, DOI 10.17487/RFC3948, January 2005, + . + + [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", + RFC 4303, DOI 10.17487/RFC4303, December 2005, + . + + [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion + Notification", RFC 6040, DOI 10.17487/RFC6040, + November 2010, . + + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. + Kivinen, "Internet Key Exchange Protocol Version 2 + (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, + October 2014, . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + + + + + + + +Pauly, et al. Standards Track [Page 16] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +15.2. Informative References + + [IKE-over-TCP] + Nir, Y., "A TCP transport for the Internet Key Exchange", + Work in Progress, draft-ietf-ipsecme-ike-tcp-01, + December 2012. + + [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, + DOI 10.17487/RFC1122, October 1989, + . + + [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within + HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000, + . + + [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition + of Explicit Congestion Notification (ECN) to IP", + RFC 3168, DOI 10.17487/RFC3168, September 2001, + . + + [RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol + (MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006, + . + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, + DOI 10.17487/RFC5246, August 2008, + . + + [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport + Layer Security (TLS) and Datagram Transport Layer Security + (DTLS) Heartbeat Extension", RFC 6520, + DOI 10.17487/RFC6520, February 2012, + . + + [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 + (IKEv2) Message Fragmentation", RFC 7383, + DOI 10.17487/RFC7383, November 2014, + . + + + + + + + + + + + +Pauly, et al. Standards Track [Page 17] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +Appendix A. Using TCP Encapsulation with TLS + + This section provides recommendations on how to use TLS in addition + to TCP encapsulation. + + When using TCP encapsulation, implementations may choose to use TLS + [RFC5246] on the TCP connection to be able to traverse middleboxes, + which may otherwise block the traffic. + + If a web proxy is applied to the ports used for the TCP connection + and TLS is being used, the TCP Originator can send an HTTP CONNECT + message to establish an SA through the proxy [RFC2817]. + + The use of TLS should be configurable on the peers, and may be used + as the default when using TCP encapsulation or may be used as a + fallback when basic TCP encapsulation fails. The TCP Responder may + expect to read encapsulated IKE and ESP packets directly from the TCP + connection, or it may expect to read them from a stream of TLS data + packets. The TCP Originator should be pre-configured to use TLS + or not when communicating with a given port on the TCP Responder. + + When new TCP connections are re-established due to a broken + connection, TLS must be renegotiated. TLS session resumption is + recommended to improve efficiency in this case. + + The security of the IKE session is entirely derived from the IKE + negotiation and key establishment and not from the TLS session (which + in this context is only used for encapsulation purposes); therefore, + when TLS is used on the TCP connection, both the TCP Originator and + the TCP Responder SHOULD allow the NULL cipher to be selected for + performance reasons. + + Implementations should be aware that the use of TLS introduces + another layer of overhead requiring more bytes to transmit a given + IKE and IPsec packet. For this reason, direct ESP, UDP + encapsulation, or TCP encapsulation without TLS should be preferred + in situations in which TLS is not required in order to traverse + middleboxes. + + + + + + + + + + + + + +Pauly, et al. Standards Track [Page 18] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +Appendix B. Example Exchanges of TCP Encapsulation with TLS + +B.1. Establishing an IKE Session + + Client Server + ---------- ---------- + 1) -------------------- TCP Connection ------------------- + (IP_I:Port_I -> IP_R:Port_R) + TcpSyn ----------> + <---------- TcpSyn,Ack + TcpAck ----------> + + 2) --------------------- TLS Session --------------------- + ClientHello ----------> + ServerHello + Certificate* + ServerKeyExchange* + <---------- ServerHelloDone + ClientKeyExchange + CertificateVerify* + [ChangeCipherSpec] + Finished ----------> + [ChangeCipherSpec] + <---------- Finished + + 3) ---------------------- Stream Prefix -------------------- + "IKETCP" ----------> + 4) ----------------------- IKE Session --------------------- + Length + Non-ESP Marker ----------> + IKE_SA_INIT + HDR, SAi1, KEi, Ni, + [N(NAT_DETECTION_*_IP)] + <------ Length + Non-ESP Marker + IKE_SA_INIT + HDR, SAr1, KEr, Nr, + [N(NAT_DETECTION_*_IP)] + Length + Non-ESP Marker ----------> + first IKE_AUTH + HDR, SK {IDi, [CERTREQ] + CP(CFG_REQUEST), IDr, + SAi2, TSi, TSr, ...} + <------ Length + Non-ESP Marker + first IKE_AUTH + HDR, SK {IDr, [CERT], AUTH, + EAP, SAr2, TSi, TSr} + + + + + + +Pauly, et al. Standards Track [Page 19] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + Length + Non-ESP Marker ----------> + IKE_AUTH + EAP + repeat 1..N times + <------ Length + Non-ESP Marker + IKE_AUTH + EAP + Length + Non-ESP Marker ----------> + final IKE_AUTH + HDR, SK {AUTH} + <------ Length + Non-ESP Marker + final IKE_AUTH + HDR, SK {AUTH, CP(CFG_REPLY), + SA, TSi, TSr, ...} + -------------- IKE and IPsec SAs Established ------------ + Length + ESP Frame ----------> + + Figure 5 + + 1. The client establishes a TCP connection with the server on + port 4500 or on an alternate pre-configured port that the server + is listening on. + + 2. If configured to use TLS, the client initiates a TLS handshake. + During the TLS handshake, the server SHOULD NOT request the + client's certificate, since authentication is handled as part of + IKE negotiation. + + 3. The client sends the stream prefix for TCP-encapsulated IKE + (Section 4) traffic to signal the beginning of IKE negotiation. + + 4. The client and server establish an IKE connection. This example + shows EAP-based authentication, although any authentication type + may be used. + + + + + + + + + + + + + + + + + + + +Pauly, et al. Standards Track [Page 20] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +B.2. Deleting an IKE Session + + Client Server + ---------- ---------- + 1) ----------------------- IKE Session --------------------- + Length + Non-ESP Marker ----------> + INFORMATIONAL + HDR, SK {[N,] [D,] + [CP,] ...} + <------ Length + Non-ESP Marker + INFORMATIONAL + HDR, SK {[N,] [D,] + [CP], ...} + + 2) --------------------- TLS Session --------------------- + close_notify ----------> + <---------- close_notify + 3) -------------------- TCP Connection ------------------- + TcpFin ----------> + <---------- Ack + <---------- TcpFin + Ack ----------> + -------------------- IKE SA Deleted ------------------- + + Figure 6 + + 1. The client and server exchange informational messages to notify + IKE SA deletion. + + 2. The client and server negotiate TLS session deletion using TLS + CLOSE_NOTIFY. + + 3. The TCP connection is torn down. + + The deletion of the IKE SA should lead to the disposal of the + underlying TLS and TCP state. + + + + + + + + + + + + + + + +Pauly, et al. Standards Track [Page 21] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +B.3. Re-establishing an IKE Session + + Client Server + ---------- ---------- + 1) -------------------- TCP Connection ------------------- + (IP_I:Port_I -> IP_R:Port_R) + TcpSyn ----------> + <---------- TcpSyn,Ack + TcpAck ----------> + 2) --------------------- TLS Session --------------------- + ClientHello ----------> + <---------- ServerHello + [ChangeCipherSpec] + Finished + [ChangeCipherSpec] ----------> + Finished + 3) ---------------------- Stream Prefix -------------------- + "IKETCP" ----------> + 4) <---------------------> IKE/ESP Flow <------------------> + Length + ESP Frame ----------> + + Figure 7 + + 1. If a previous TCP connection was broken (for example, due to a + TCP Reset), the client is responsible for re-initiating the TCP + connection. The TCP Originator's address and port (IP_I and + Port_I) may be different from the previous connection's address + and port. + + 2. In the ClientHello TLS message, the client SHOULD send the + session ID it received in the previous TLS handshake if + available. It is up to the server to perform either an + abbreviated handshake or a full handshake based on the session ID + match. + + 3. After TCP and TLS are complete, the client sends the stream + prefix for TCP-encapsulated IKE traffic (Section 4). + + 4. The IKE and ESP packet flow can resume. If MOBIKE is being used, + the Initiator SHOULD send an UPDATE_SA_ADDRESSES message. + + + + + + + + + + + +Pauly, et al. Standards Track [Page 22] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +B.4. Using MOBIKE between UDP and TCP Encapsulation + + Client Server + ---------- ---------- + (IP_I1:UDP500 -> IP_R:UDP500) + 1) ----------------- IKE_SA_INIT Exchange ----------------- + (IP_I1:UDP4500 -> IP_R:UDP4500) + Non-ESP Marker -----------> + Initial IKE_AUTH + HDR, SK { IDi, CERT, AUTH, + CP(CFG_REQUEST), + SAi2, TSi, TSr, + N(MOBIKE_SUPPORTED) } + <----------- Non-ESP Marker + Initial IKE_AUTH + HDR, SK { IDr, CERT, AUTH, + EAP, SAr2, TSi, TSr, + N(MOBIKE_SUPPORTED) } + <------------------ IKE SA Establishment ---------------> + + 2) ------------ MOBIKE Attempt on New Network -------------- + (IP_I2:UDP4500 -> IP_R:UDP4500) + Non-ESP Marker -----------> + INFORMATIONAL + HDR, SK { N(UPDATE_SA_ADDRESSES), + N(NAT_DETECTION_SOURCE_IP), + N(NAT_DETECTION_DESTINATION_IP) } + + + 3) -------------------- TCP Connection ------------------- + (IP_I2:Port_I -> IP_R:Port_R) + TcpSyn -----------> + <----------- TcpSyn,Ack + TcpAck -----------> + + 4) --------------------- TLS Session --------------------- + ClientHello -----------> + ServerHello + Certificate* + ServerKeyExchange* + <----------- ServerHelloDone + ClientKeyExchange + CertificateVerify* + [ChangeCipherSpec] + Finished -----------> + [ChangeCipherSpec] + <----------- Finished + + + + +Pauly, et al. Standards Track [Page 23] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + + 5) ---------------------- Stream Prefix -------------------- + "IKETCP" ----------> + + 6) ----------------------- IKE Session --------------------- + Length + Non-ESP Marker -----------> + INFORMATIONAL (Same as step 2) + HDR, SK { N(UPDATE_SA_ADDRESSES), + N(NAT_DETECTION_SOURCE_IP), + N(NAT_DETECTION_DESTINATION_IP) } + + <------- Length + Non-ESP Marker + HDR, SK { N(NAT_DETECTION_SOURCE_IP), + N(NAT_DETECTION_DESTINATION_IP) } + 7) <----------------- IKE/ESP Data Flow -------------------> + + Figure 8 + + 1. During the IKE_SA_INIT exchange, the client and server exchange + MOBIKE_SUPPORTED notify payloads to indicate support for MOBIKE. + + 2. The client changes its point of attachment to the network and + receives a new IP address. The client attempts to re-establish + the IKE session using the UPDATE_SA_ADDRESSES notify payload, but + the server does not respond because the network blocks UDP + traffic. + + 3. The client brings up a TCP connection to the server in order to + use TCP encapsulation. + + 4. The client initiates a TLS handshake with the server. + + 5. The client sends the stream prefix for TCP-encapsulated IKE + traffic (Section 4). + + 6. The client sends the UPDATE_SA_ADDRESSES notify payload on the + TCP-encapsulated connection. Note that this IKE message is the + same as the one sent over UDP in step 2; it should have the same + message ID and contents. + + 7. The IKE and ESP packet flow can resume. + + + + + + + + + + + +Pauly, et al. Standards Track [Page 24] + +RFC 8229 TCP Encapsulation of IKE and IPsec Packets August 2017 + + +Acknowledgments + + The authors would like to acknowledge the input and advice of Stuart + Cheshire, Delziel Fernandes, Yoav Nir, Christoph Paasch, Yaron + Sheffer, David Schinazi, Graham Bartlett, Byju Pularikkal, March Wu, + Kingwel Xie, Valery Smyslov, Jun Hu, and Tero Kivinen. Special + thanks to Eric Kinnear for his implementation work. + +Authors' Addresses + + Tommy Pauly + Apple Inc. + 1 Infinite Loop + Cupertino, California 95014 + United States of America + + Email: tpauly@apple.com + + + Samy Touati + Ericsson + 2755 Augustine + Santa Clara, California 95054 + United States of America + + Email: samy.touati@ericsson.com + + + Ravi Mantha + Cisco Systems + SEZ, Embassy Tech Village + Panathur, Bangalore 560 037 + India + + Email: ramantha@cisco.com + + + + + + + + + + + + + + + + +Pauly, et al. Standards Track [Page 25] + -- cgit v1.2.3