1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
|
Internet Engineering Task Force (IETF) R. Singh, Ed.
Request for Comments: 6311 G. Kalyani
Category: Standards Track Cisco
ISSN: 2070-1721 Y. Nir
Check Point
Y. Sheffer
Porticor
D. Zhang
Huawei
July 2011
Protocol Support for High Availability of IKEv2/IPsec
Abstract
The IPsec protocol suite is widely used for business-critical network
traffic. In order to make IPsec deployments highly available, more
scalable, and failure-resistant, they are often implemented as IPsec
High Availability (HA) clusters. However, there are many issues in
IPsec HA clustering, and in particular in Internet Key Exchange
Protocol version 2 (IKEv2) clustering. An earlier document, "IPsec
Cluster Problem Statement", enumerates the issues encountered in the
IKEv2/IPsec HA cluster environment. This document resolves these
issues with the least possible change to the protocol.
This document defines an extension to the IKEv2 protocol to solve the
main issues of "IPsec Cluster Problem Statement" in the commonly
deployed hot standby cluster, and provides implementation advice for
other issues. The main issues solved are the synchronization of
IKEv2 Message ID counters, and of IPsec replay counters.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6311.
Singh, et al. Standards Track [Page 1]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Singh, et al. Standards Track [Page 2]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................5
3. Issues Resolved from IPsec Cluster Problem Statement ............7
3.1. Large Amount of State ......................................8
3.2. Multiple Members Using the Same SA .........................9
3.3. Avoiding Collisions in SPI Number Allocation ...............9
3.4. Interaction with Counter Modes .............................9
4. The IKEv2/IPsec SA Counter Synchronization Problem .............10
5. SA Counter Synchronization Solution ............................11
5.1. Processing Rules for IKE Message ID Synchronization .......13
5.2. Processing Rules for IPsec Replay Counter
Synchronization ...........................................14
6. IKEv2/IPsec Synchronization Notification Payloads ..............14
6.1. The IKEV2_MESSAGE_ID_SYNC_SUPPORTED Notification ..........15
6.2. The IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED Notification ......15
6.3. The IKEV2_MESSAGE_ID_SYNC Notification ....................16
6.4. The IPSEC_REPLAY_COUNTER_SYNC Notification ................16
7. Implementation Details .........................................17
8. IKE SA and IPsec SA Message Sequencing .........................18
8.1. Handling of Pending IKE Messages ..........................18
8.2. Handling of Pending IPsec Messages ........................18
8.3. IKE SA Inconsistencies ....................................19
9. Step-by-Step Details ...........................................19
10. Interaction with Other Specifications .........................20
11. Security Considerations .......................................21
12. IANA Considerations ...........................................21
13. Acknowledgements ..............................................22
14. References ....................................................22
14.1. Normative References .....................................22
14.2. Informative References ...................................22
Appendix A. IKEv2 Message ID Sync Examples ........................24
A.1. Normal Failover -- Example 1 ...............................24
A.2. Normal Failover -- Example 2 ...............................24
A.3. Normal Failover -- Example 3 ...............................25
A.4. Simultaneous Failover ......................................25
1. Introduction
The IPsec protocol suite, including the Internet Key Exchange
Protocol version 2 (IKEv2), is a major building block of virtual
private networks (VPNs). In order to make such VPNs highly
available, more scalable, and failure-resistant, these VPNs are
implemented as IKEv2/IPsec Highly Available (HA) clusters. However,
Singh, et al. Standards Track [Page 3]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
there are many issues with the IKEv2/IPsec HA cluster. Sections 3
and 4 below expand on the issues around the IKEv2/IPsec HA cluster
solution, issues which were first described in the problem
statement [6].
In the case of a hot standby cluster implementation of IKEv2/
IPsec-based VPNs, the IKEv2/IPsec session is first established
between the peer and the active member of the cluster. Later, the
active member continuously syncs/updates the IKE/IPsec security
association (SA) state to the standby member of the cluster. This
primary SA state sync-up takes place upon each SA bring-up and/or
rekey. Performing the SA state synchronization/update for every
single IKE and IPsec message is very costly, so normally it is done
periodically. As a result, when the failover event happens, this is
first detected by the standby member and, possibly after a
considerable amount of time, it becomes the active member. During
this failover process, the peer is unaware of the failover event, and
keeps sending IKE requests and IPsec packets to the cluster, as in
fact it is allowed to do because of the IKEv2 windowing feature.
After the newly active member starts, it detects the mismatch in IKE
Message ID values and IPsec replay counters and needs to resolve this
situation. Please see Section 4 for more details of the problem.
This document defines an extension to the IKEv2 protocol to solve the
main issues of IKE Message ID synchronization and IPsec SA replay
counter synchronization, and gives implementation advice to address
other issues. Following is a summary of the solutions provided in
this document:
o IKEv2 Message ID synchronization: This is done by syncing up the
expected send and receive Message ID values with the peer, and
updating the values at the newly active cluster member.
o IPsec replay counter synchronization: This is done by incrementing
the cluster's outgoing SA replay counter values by a "large"
number; in addition, the newly active member requests the peer to
increment the replay counter values it is using for the peer's
outgoing traffic.
Although this document describes the IKEv2 Message ID and IPsec
replay counter synchronization in the context of an IPsec HA cluster,
the solution provided is generic and can be used in other scenarios
where IKEv2 Message ID or IPsec SA replay counter synchronization may
be required.
Singh, et al. Standards Track [Page 4]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Implementations differ on the need to synchronize the IKEv2 Message
ID and/or IPsec replay counters. Both of these problems are handled
separately, using a separate notification for each capability. This
provides the flexibility of implementing either or both of these
solutions.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
"SA Counter Synchronization" is the informational exchange defined in
this document to synchronize the IKEv2/IPsec SA counter information
between one member of the cluster and the peer.
Some of the terms listed below are reused from [6] with further
clarification in the context of the current document.
o "Hot Standby Cluster", or "HS Cluster", is a cluster where only
one of the members is active at any one time. This member is also
referred to as the "active" member, whereas the other(s) are
referred to as "standby" members. The Virtual Router Redundancy
Protocol (VRRP) [7] is one method of building such a cluster. The
goal of the hot standby cluster is to create the illusion of a
single virtual gateway to the peer(s).
o "Active Member" is the primary member in the hot standby cluster.
It is responsible for forwarding packets on behalf of the virtual
gateway.
o "Standby Member" is the primary backup member. This member takes
control, i.e., becomes the active member, after the failover
event.
o "Peer" is an IKEv2/IPsec endpoint that maintains an IPsec
connection with the hot standby cluster. The peer identifies the
cluster by the cluster's (single) IP address. If a failover event
occurs, the standby member of the cluster becomes active, and the
peer normally doesn't notice that failover has taken place.
Although we treat the peer as a single entity, it may also be a
cluster.
Singh, et al. Standards Track [Page 5]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
o "Multiple failover" is the situation where, in a cluster with
three or more members, multiple failover events happen in rapid
succession, e.g., from M1 to M2, and then to M3. It is our goal
that the implementation should be able to handle this situation,
i.e., to handle the new failover event even if it is still
processing the old failover.
o "Simultaneous failover" is the situation where two clusters have
an IPsec connection between them, and failover happens at both
ends at the same time. It is our goal that implementations should
be able to handle simultaneous failover.
o "IPsec replay counter" is the Encapsulating Security Payload (ESP)
Sequence Number or Extended Sequence Number (Section 2.2 of [2]),
or the respective field in the Authentication Header (AH) protocol
(Section 2.5 of [3]).
The generic term "IKEv2/IPsec SA Counters" is used throughout this
document. This term refers to both IKEv2 Message ID counters and
IPsec replay counters. According to the IPsec standards, the IKEv2
Message ID counter is mandatory, and used to ensure reliable delivery
as well as to protect against message replay in IKEv2; the IPsec SA
replay counters are optional, and are used to provide the IPsec anti-
replay feature.
Singh, et al. Standards Track [Page 6]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Some of these terms are used in the following architectural diagram.
+---------------+
| |
| Hot Standby |
| Cluster |
| |
| +---------+ |
| | | |
| | Active | |
| | | |
| | Member | |
| | | |
| +---------+ |
| ^ |
+---------+ | Synch | |
| | | Channel | |
| IPsec | IKE/IPsec Traffic | | |
| | <=============================> | | |
| Peer | | | |
| | | | |
+---------+ | | |
| v |
| +---------+ |
| | | |
| | Standby | |
| | | |
| | Member | |
| | | |
| +---------+ |
+---------------+
An IPsec Hot Standby Cluster
3. Issues Resolved from IPsec Cluster Problem Statement
"IPsec Cluster Problem Statement" [6] enumerates the problems raised
by IPsec clusters. The following table lists the problem statement's
sections that are resolved by this document.
o 3.2. A Lot of Long-Lived State
o 3.3. IKE Counters
o 3.4. Outbound SA Counters
o 3.5. Inbound SA Counters
o 3.6. Missing Synch Messages
Singh, et al. Standards Track [Page 7]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
o 3.7. Simultaneous Use of IKE and IPsec SAs by Different Members
* 3.7.1. Outbound SAs Using Counter Modes
o 3.8. Different IP Addresses for IKE and IPsec
o 3.9. Allocation of SPIs
The main problem areas are solved using the protocol extension
defined below, starting with Section 5; additionally, this section
provides implementation advice for other issues in the following
subsections. Implementers should note that these subsections include
a number of new security-critical requirements.
3.1. Large Amount of State
Section 3.2 of the problem statement [6] mentions that a lot of state
needs to be synchronized for a cluster to be transparent. The actual
volume of that data is very much implementation-dependent, and even
for the same implementation, the amounts of data may vary wildly. An
IPsec gateway used for inter-domain VPN with a dozen other gateways,
and having SAs that are rekeyed every 8 hours, will need a lot less
synchronization traffic than a similar gateway used for remote
access, and supporting 10,000 clients. This is because counter
synchronization is proportional to the number of SAs and requires
little data, and the setting up of an SA requires a lot of data.
Additionally, remote access IKE and IPsec SA setup tend to happen at
a particular time of day, so the example gateway with the 10,000
clients may see 30-50 IKE SA setups per second at 9:00 AM. This
would require very heavy synchronization traffic over that short
period of time.
If a large volume of traffic is necessary, it may be advisable to use
a dedicated high-speed network interface for synch traffic. When
packet loss can be made extremely low, it may be advisable to use a
stateless transport such as UDP, to minimize network overhead.
If these methods are insufficient, it may be prudent that for some
SAs the entire state is not synchronized. Instead, only an
indication of the SA's existence is synchronized. This, in
combination with a sticky solution (as described in Section 3.7 of
the problem statement [6]) ensures that the traffic from a particular
peer does not reach a different member before an actual failover
happens. When that happens, the method described in [8] can be used
to quickly force the peer to set up a new SA.
Singh, et al. Standards Track [Page 8]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
3.2. Multiple Members Using the Same SA
In a load-sharing cluster of the "duplicate" variety (see Section 3.7
of the problem statement [6]), multiple members may need to send
traffic with the same selectors. To actually use the same SA, the
cluster would have to synchronize the replay counter after every
packet, and that would impose unreasonable requirements on the synch
connection.
A far better solution would be to not synchronize the outbound SA,
and create multiple outbound SAs, one for each member. The problem
with this option is that the peer might view these multiple parallel
SAs as redundant, and tear down all but one of them.
Section 2.8 of [4] specifically allows multiple parallel SAs, but the
reason given for this is to have multiple SAs with different Quality
of Service (QoS) attributes. So while this is not a new requirement
of IKEv2 implementations working with QoS, we re-iterate here that
IPsec peers MUST accept the long-term existence of multiple parallel
SAs, even when QoS mechanisms are not in use.
3.3. Avoiding Collisions in SPI Number Allocation
Section 3.9 of the problem statement [6] describes the problem of two
cluster members allocating the same Security Parameter Index (SPI)
number for two different SAs. This behavior would violate
Section 4.4.2.1 of [5]. There are several schemes to allow
implementations to avoid such collisions, such as partitioning the
SPI space, a request-response over the synch channel, and locking
mechanisms. We believe that these are sufficiently robust and
available so that we don't need to make an exception to the rules in
Section 4.4.2.1 of RFC 4301 [5], and we can leave this problem for
the implementations to solve. Cluster members must not generate
multiple inbound SAs with the same SPI.
3.4. Interaction with Counter Modes
For SAs involving counter mode ciphers such as Counter Mode (CTR) [9]
or Galois/Counter Mode (GCM) [10], there is yet another complication.
The initial vector for such modes MUST NOT be repeated, and senders
may use methods such as counters or linear feedback shift registers
(LFSRs) to ensure this property. For an SA shared between multiple
active members (load-sharing cases), implementations MUST ensure that
no initial vector is ever repeated. Similar concerns apply to an SA
failing over from one member to another. See [11] for a discussion
of this problem in another context.
Singh, et al. Standards Track [Page 9]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Just as in the SPI collision problem, there are ways to avoid a
collision of initial vectors, and this is left up to implementations.
In the context of load sharing, parallel SAs are a simple solution to
this problem as well.
4. The IKEv2/IPsec SA Counter Synchronization Problem
The IKEv2 protocol [4] states that "An IKE endpoint MUST NOT exceed
the peer's stated window size for transmitted IKE requests".
All IKEv2 messages are required to follow a request-response
paradigm. The initiator of an IKEv2 request MUST retransmit the
request, until it has received a response from the peer. IKEv2
introduces a windowing mechanism that allows multiple requests to be
outstanding at a given point of time, but mandates that the sender's
window should not move until the oldest message it has sent is
acknowledged. Loss of even a single message leads to repeated
retransmissions followed by an IKEv2 SA teardown if the
retransmissions remain unacknowledged.
An IPsec hot standby cluster is required to ensure that in the case
of failover, the standby member becomes active immediately. The
standby member is expected to have the exact value of the Message ID
counter as the active member had before failover. Even assuming the
best effort to update the Message ID values from active to standby
member, the values at the standby member can still be stale due to
the following reasons:
o The standby member is unaware of the last message that was
received and acknowledged by the previously active member, as the
failover event could have happened before the standby member could
be updated.
o The standby member does not have information about on-going
unacknowledged requests sent by the previously active member. As
a result, after the failover event, the newly active member cannot
retransmit those requests.
When a standby member takes over as the active member, it can only
initialize the Message ID values from the previously updated values.
This would make it reject requests from the peer when these values
are stale. Conversely, the standby member may end up reusing a stale
Message ID value, which would cause the peer to drop the request.
Eventually, there is a high probability of the IKEv2 and
corresponding IPsec SAs getting torn down simply because of a
transitory Message ID mismatch and retransmission of requests,
negating the benefits of the high-availability cluster despite the
periodic update between the cluster members.
Singh, et al. Standards Track [Page 10]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
A similar issue is also observed with IPsec anti-replay counters if
anti-replay protection is enabled, which is commonly the case.
Regardless of how well the ESP and AH SA counters are synchronized
from the active to the standby member, there is a chance that the
standby member would end up with stale counter values. The standby
member would then use those stale counter values when sending IPsec
packets. The peer would drop such packets, since when the anti-
replay protection feature is enabled, duplicate use of counters is
not allowed. Note that IPsec allows the sender to skip some counter
values and continue sending with higher counter values.
We conclude that a mechanism is required to ensure that the standby
member has correct Message ID and IPsec counter values when it
becomes active, so that sessions are not torn down as a result of
mismatched counters.
5. SA Counter Synchronization Solution
This document defines two separate approaches to resolving the issues
of mismatched IKE Message ID values and IPsec counter values.
o In the case of IKE Message ID values, the newly active cluster
member and the peer negotiate a pair of new values so that future
IKE messages will not be dropped.
o For IPsec counter values, the newly active member and the peer
both increment their respective counter values, "skipping forward"
by a large number, to ensure that no IPsec counters are ever
reused.
Although conceptually separate, the two synchronization processes
would typically take place simultaneously.
First, the peer and the active member of the cluster negotiate their
ability to support IKEv2 Message ID synchronization and/or IPsec
replay counter synchronization. This is done by exchanging one or
both of the IKEV2_MESSAGE_ID_SYNC_SUPPORTED and
IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED notifications during the IKE_AUTH
exchange. When negotiating these capabilities, the responder MUST
NOT assert support of a capability unless such support was asserted
by the initiator. Only a capability whose support was asserted by
both parties can be used during the lifetime of the SA. The peer's
capabilities with regard to this extension are part of the IKEv2 SA
state, and thus MUST be shared between the cluster members.
This per-IKE SA information is shared with the other cluster members.
Singh, et al. Standards Track [Page 11]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Peer Active Member
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH,
[N(IKEV2_MESSAGE_ID_SYNC_SUPPORTED),]
[N(IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED),]
SAi2, TSi, TSr} ---------->
<-------- HDR, SK {IDr, [CERT+], [CERTREQ+], AUTH,
[N(IKEV2_MESSAGE_ID_SYNC_SUPPORTED),]
[N(IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED),]
SAr2, TSi, TSr}
After a failover event, the standby member MAY use the IKE Message ID
and/or IPsec replay counter synchronization capability when it
becomes the active member, and provided support for the capabilities
used has been negotiated. Following that, the peer MUST respond to
any synchronization message it receives from the newly active cluster
member, subject to the rules noted below.
After the failover event, when the standby member becomes active, it
has to synchronize its SA counters with the peer. There are now four
possible cases:
1. The cluster member wishes to only perform IKE Message ID value
synchronization. In this case, it initiates an Informational
exchange, with Message ID zero and the sole notification
IKEV2_MESSAGE_ID_SYNC.
2. If the newly active member wishes to perform only IPsec replay
counter synchronization, it generates a regular IKEv2
Informational exchange using the current Message ID values, and
containing the IPSEC_REPLAY_COUNTER_SYNC notification.
3. If synchronization of both counters is needed, the cluster member
generates a zero-Message ID message as in case #1, and includes
both notifications in this message.
4. Lastly, the peer may not support this extension. This is known
to the newly active member (because the cluster members must
share this information, as noted earlier). This case is the
existing IKEv2 behavior, and the IKE and IPsec SAs may or may not
survive the failover, depending on the exact state on the peer
and the cluster member.
This figure contains the IKE message exchange used for SA counter
synchronization. The following subsections describe the details of
the sender and receiver processing of each message.
Singh, et al. Standards Track [Page 12]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Standby [Newly Active] Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HDR, SK {N(IKEV2_MESSAGE_ID_SYNC),
[N(IPSEC_REPLAY_COUNTER_SYNC)]} -------->
<--------- HDR, SK {N(IKEV2_MESSAGE_ID_SYNC)}
Alternatively, if only IPsec replay counter synchronization is
desired, a normal Informational exchange is used, where the Message
ID is non-zero:
Standby [Newly Active] Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HDR, SK{N(IPSEC_REPLAY_COUNTER_SYNC)} -------->
<--------- HDR
5.1. Processing Rules for IKE Message ID Synchronization
The newly active member sends a request containing two counter
values, one for the member (itself) and another for the peer, as well
as a random nonce. We denote the values M1 and P1. The peer
responds with a message containing two counter values, M2 and P2
(note that the values appear in the opposite order in the
notification's payload). The goal of the rules below is to prevent
an attacker from replaying a synchronization message and thereby
invalidating IKE messages that are currently in process.
o M1 is the next sender's Message ID to be used by the member. M1
MUST be chosen so that it is larger than any value known to have
been used. It is RECOMMENDED to increment the known value at
least by the size of the IKE sender window.
o P1 SHOULD be 1 more than the last Message ID value received from
the peer, but may be any higher value.
o The member SHOULD communicate the sent values to the other cluster
members, so that if a second failover event takes place, the
synchronization message is not replayed. Such a replay would
result in the eventual deletion of the IKE SA (see below).
o The peer MUST silently drop any received synchronization message
if M1 is lower than or equal to the highest value it has seen from
the cluster. This includes any previous received synchronization
messages.
Singh, et al. Standards Track [Page 13]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
o M2 MUST be at least the higher of the received M1, and one more
than the highest sender value received from the cluster. This
includes any previous received synchronization messages.
o P2 MUST be the higher of the received P1 value, and one more than
the highest sender value used by the peer.
o The request contains a Nonce field. This field MUST be returned
in the response, unchanged. A response MUST be silently dropped
if the received nonce does not match the one that was sent.
o Both the request and the response MUST NOT contain any additional
payloads, other than an optional IPSEC_REPLAY_COUNTER_SYNC
notification in the request.
o The request and the response MUST both be sent with a Message ID
value of zero.
5.2. Processing Rules for IPsec Replay Counter Synchronization
Upon failover, the newly active member MUST increment its own replay
counter (the counter used for outgoing traffic), so as to prevent the
case of its traffic being dropped by the peer as replay. We note
that IPsec allows the replay counter to skip forward by any amount.
The estimate is based on the outgoing IPsec bandwidth and the
frequency of synchronization between cluster members. In those
implementations where it is difficult to estimate this value, the
counter can be incremented by a very large number, e.g., 2**30. In
the latter case, a rekey SHOULD follow shortly afterwards, to ensure
that the counter never wraps around.
Next, the cluster member estimates the number of incoming messages it
might have missed, using similar logic. The member sends out an
IPSEC_REPLAY_COUNTER_SYNC notification, either stand-alone or
together with an IKEV2_MESSAGE_ID_SYNC notification.
If the IPSEC_REPLAY_COUNTER_SYNC is included in the same message as
IKEV2_MESSAGE_ID_SYNC, the peer MUST process the Message ID
notification first (which might cause the entire message to be
dropped as a replay). Then, it MUST increment the replay counters
for all Child SAs associated with the current IKE SA by the amount
requested by the cluster member.
6. IKEv2/IPsec Synchronization Notification Payloads
This section lists the new notification payload types defined by this
extension.
Singh, et al. Standards Track [Page 14]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or
"network byte order").
6.1. The IKEV2_MESSAGE_ID_SYNC_SUPPORTED Notification
This notification payload is included in the IKE_AUTH request/
response to indicate support of the IKEv2 Message ID synchronization
mechanism described in this document.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Protocol ID(=0)| SPI Size (=0) | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size', and
'Notify Message Type' fields are the same as described in Section 3
of [4]. The 'SPI Size' field MUST be set to 0 to indicate that the
SPI is not present in this message. The 'Protocol ID' MUST be set to
0, since the notification is not specific to a particular security
association. The 'Payload Length' field is set to the length in
octets of the entire payload, including the generic payload header.
The 'Notify Message Type' field is set to indicate
IKEV2_MESSAGE_ID_SYNC_SUPPORTED (16420). There is no data associated
with this notification.
6.2. The IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED Notification
This notification payload is included in the IKE_AUTH request/
response to indicate support for the IPsec SA replay counter
synchronization mechanism described in this document.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Protocol ID(=0)| SPI Size (=0) | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The 'Next Payload', 'Payload Length', 'Protocol ID', 'SPI Size', and
'Notify Message Type' fields are the same as described in Section 3
of [4] . The 'SPI Size' field MUST be set to 0 to indicate that the
SPI is not present in this message. The 'Protocol ID' MUST be set to
0, since the notification is not specific to a particular security
Singh, et al. Standards Track [Page 15]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
association. The 'Payload Length' field is set to the length in
octets of the entire payload, including the generic payload header.
The 'Notify Message Type' field is set to indicate
IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED (16421). There is no data
associated with this notification.
6.3. The IKEV2_MESSAGE_ID_SYNC Notification
This notification payload type (16422) is defined to synchronize the
IKEv2 Message ID values between the newly active (formerly standby)
cluster member and the peer.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Protocol ID(=0)| SPI Size (=0) | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EXPECTED_SEND_REQ_MESSAGE_ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EXPECTED_RECV_REQ_MESSAGE_ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
It contains the following data.
o Nonce Data (4 octets): The random nonce data. The data should be
identical in the synchronization request and response.
o EXPECTED_SEND_REQ_MESSAGE_ID (4 octets): This field is used by the
sender of this notification payload to indicate the Message ID it
will use in the next request that it will send to the other
protocol peer.
o EXPECTED_RECV_REQ_MESSAGE_ID (4 octets): This field is used by the
sender of this notification payload to indicate the Message ID it
is expecting in the next request to be received from the other
protocol peer.
6.4. The IPSEC_REPLAY_COUNTER_SYNC Notification
This notification payload type (16423) is defined to synchronize the
IPsec SA replay counters between the newly active (formerly standby)
cluster member and the peer. Since there may be numerous IPsec SAs
Singh, et al. Standards Track [Page 16]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
established under a single IKE SA, we do not directly synchronize the
value of each one. Instead, a delta value is sent, and all replay
counters for Child SAs of this IKE SA are incremented by the same
value. Note that this solution requires that either all Child SAs
use Extended Sequence Numbers (ESNs) or else that no Child SA uses
ESNs. This notification is only sent by the cluster.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Protocol ID(=0)| SPI Size (=0) | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Incoming IPsec SA delta value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The notification payload contains the following data.
o Incoming IPsec SA delta value (4 or 8 octets): The sender requests
that the peer should increment all the Child SA replay counters
for the sender's incoming (the peer's outgoing) traffic by this
value. The size of this field depends on the ESN bit associated
with the Child SAs: if the ESN bit is 1, the field's size is 8
octets; otherwise, it is 4 octets. We note that this constrains
the Child SAs of each IKE SA to either all have the ESN bit on
or off.
7. Implementation Details
This protocol does not change any of the existing IKEv2 rules
regarding Message ID values.
The standby member can initiate the synchronization of IKEv2 Message
IDs under different circumstances.
o When it receives a problematic IKEv2/IPsec packet, i.e., a packet
outside its expected receive window.
o When it has to send the first IKEv2/IPsec packet after a failover
event.
o When it has just received control from the active member and
wishes to update the values proactively, so that it need not start
this exchange later, when sending or receiving the request.
Singh, et al. Standards Track [Page 17]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
To clarify the first alternative: the normal IKE behavior of
rejecting out-of-window messages is not changed, but such messages
can still be a valid trigger for the exchange defined in this
document. To avoid denial-of-service (DoS) attacks resulting from
replayed messages, the peer MUST NOT initiate counter synchronization
for any particular IKE SA more than once per failover event.
The standby member can initiate the synchronization of IPsec SA
replay counters:
o If there has been traffic using the IPsec SA in the recent past
and the standby member suspects that its replay counter may be
stale.
Since there can be a large number of sessions at the standby member,
and sending synchronization exchanges for all of them may result in
overload, the standby member can choose to initiate the exchange in a
"lazy" fashion: only when it has to send or expects to receive
traffic from each peer. In general, the standby member is free to
initiate this exchange at its discretion. Implementation
considerations include the ability to survive a certain amount of
traffic loss, and the capacity of a cluster member to initiate
counter synchronization simultaneously with a large number of peers.
8. IKE SA and IPsec SA Message Sequencing
The straightforward definitions of message sequence numbers,
retransmissions, and replay protection in IPsec and IKEv2 are
strained by the failover scenarios described in this document. This
section describes some policy choices that need to be made by
implementations in this setting.
8.1. Handling of Pending IKE Messages
After sending its "receive" counter, the cluster member MUST reject
(silently drop) any incoming IKE messages that are outside its
declared window. A similar rule applies to the peer. Local policies
vary, and strict implementations will reject any incoming IKE message
arriving before Message ID synchronization is complete.
8.2. Handling of Pending IPsec Messages
For IPsec, there is often a trade-off between security and
reliability of the protected protocols. Here again, there is some
leeway for local policy. Some implementations might accept incoming
Singh, et al. Standards Track [Page 18]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
traffic that is outside the replay window for some time after the
failover event, and until the counters had been synchronized. Strict
implementations will only accept traffic that's inside the "safe"
window.
8.3. IKE SA Inconsistencies
IKEv2 is normally a reliable protocol. As long as an IKE SA is
valid, both peers share a single, consistent view of the IKE SA and
all associated Child SAs. Failover situations as described in this
document may involve forced deletion of IKE messages, resulting in
inconsistencies, such as Child SAs that exist on only one of the
peers. Such SAs might cause an INVALID_SPI to be returned when used
by that peer. Note that Section 1.5 of [4] allows but does not
mandate sending an INVALID_SPI notification in this case.
The IPsecME Working Group discussed at some point a proposed set of
rules for dealing with such situations. However, we believe that
these situations should be rare in practice; as a result, the
"default" behavior of tearing down the entire IKE SA is to be
preferred over the complexity of dealing with a multitude of edge
cases.
9. Step-by-Step Details
This section goes through the sequence of steps of a typical failover
event, looking at a case where the IKEv2 Message ID values are
synchronized.
o The active cluster member and the peer device establish the
session. They both announce the capability to synchronize counter
information by sending the IKEV2_MESSAGE_ID_SYNC_SUPPORTED
notification in the IKE_AUTH exchange.
o Some time later, the active member dies, and a standby member
takes over. The standby member sends its own idea of the IKE
Message IDs (both incoming and outgoing) to the peer in an
Informational message exchange with Message ID zero.
o The peer first authenticates the message. The peer compares the
received values with the values available locally and picks the
higher value. It then updates its Message IDs with the higher
values and also proposes the same values in its response.
o The peer should not wait for any pending responses while
responding with the new Message ID values. For example, if the
window size is 5 and the peer's window is 3-7, and if the peer has
sent requests 3, 4, 5, 6, and 7 and received responses only for 4,
Singh, et al. Standards Track [Page 19]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
5, 6, and 7 but not for 3, then it should include the value 8 in
its EXPECTED_SEND_REQ_MESSAGE_ID payload and should not wait for a
response to message 3 any more.
o Similarly, the peer should also not wait for pending (incoming)
requests. For example, if the window size is 5 and the peer's
window is 3-7, and if the peer has received requests 4, 5, 6, and
7 but not 3, then it should send the value 8 in the
EXPECTED_RECV_REQ_MESSAGE_ID payload, and should not expect to
receive message 3 any more.
10. Interaction with Other Specifications
The usage scenario of this IKEv2/IPsec SA counter synchronization
solution is that an IKEv2 SA has been established between the active
member of a hot standby cluster and a peer, followed by a failover
event occurring and the standby member becoming active. The solution
further assumes that the IKEv2 SA state was continuously synchronized
between the active and standby members of the cluster before the
failover event.
o Session resumption [12] assumes that a peer (client or initiator)
detects the need to re-establish the session. In IKEv2/IPsec SA
counter synchronization, it is the newly active member (a gateway
or responder) that detects the need to synchronize the SA counter
after the failover event. Also, in a hot standby cluster, the
peer establishes the IKEv2/IPsec session with a single IP address
that represents the whole cluster, so the peer normally does not
detect the event of failover in the cluster unless the standby
member takes too long to become active and the IKEv2 SA times out
by use of the IKEv2 liveness check mechanism. To conclude,
session resumption and SA counter synchronization after failover
are mutually exclusive: they are not expected to be used together,
and both features can coexist within the same implementation
without affecting each other.
o The IKEv2 Redirect mechanism for load balancing [13] can be used
either during the initial stages of SA setup (the IKE_SA_INIT and
IKE_AUTH exchanges) or after session establishment. SA counter
synchronization is only useful after the IKE SA has been
established and a failover event has occurred. So, unlike
Redirect, it is irrelevant during the first two exchanges.
Redirect after the session has been established is mostly useful
Singh, et al. Standards Track [Page 20]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
for timed or planned shutdown/maintenance. A real failover event
cannot be detected by the active member ahead of time, and so
using Redirect after session establishment is not possible in the
case of failover. So, Redirect and SA counter synchronization
after failover are mutually exclusive, in the sense described
above.
o IKEv2 Failure Detection [8] solves a similar problem where the
peer can rapidly detect that a cluster member has crashed based on
a token. It is unrelated to the current scenario, because the
goal in failover is for the peer not to notice that a failure has
occurred.
11. Security Considerations
Since Message ID synchronization messages need to be sent with
Message ID zero, they are potentially vulnerable to replay attacks.
Because of the semantics of this protocol, these can only be denial-
of-service (DoS) attacks, and we are aware of two variants.
o Replay of Message ID synchronization request: This is countered by
the requirement that the Send counter sent by the cluster member
should always be monotonically increasing, a rule that the peer
enforces by silently dropping messages that contradict it.
o Replay of the Message ID synchronization response: This is
countered by sending the nonce data along with the synchronization
payload. The same nonce data has to be returned in the response.
Thus, the standby member will accept a reply only for the current
request. After it receives a valid response, it MUST NOT process
the same response again and MUST discard any additional responses.
As mentioned in Section 7, triggering counter synchronization by out-
of-window, potentially replayed messages could open a DoS
vulnerability. This risk is mitigated by the solution described in
that section.
12. IANA Considerations
This document introduces four new IKEv2 Notification Message types as
described in Section 6. The new Notify Message Types have been
assigned values as follows.
Singh, et al. Standards Track [Page 21]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
+-------------------------------------+-------+
| Name | Value |
+-------------------------------------+-------+
| IKEV2_MESSAGE_ID_SYNC_SUPPORTED | 16420 |
| IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED | 16421 |
| IKEV2_MESSAGE_ID_SYNC | 16422 |
| IPSEC_REPLAY_COUNTER_SYNC | 16423 |
+-------------------------------------+-------+
13. Acknowledgements
We would like to thank Pratima Sethi and Frederic Detienne for their
review comments and valuable suggestions for the initial version of
the document.
We would also like to thank the following people (in alphabetical
order) for their review comments and valuable suggestions: Dan
Harkins, Paul Hoffman, Steve Kent, Tero Kivinen, David McGrew, and
Pekka Riikonen.
14. References
14.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[3] Kent, S., "IP Authentication Header", RFC 4302, December 2005.
[4] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key
Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010.
[5] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
14.2. Informative References
[6] Nir, Y., "IPsec Cluster Problem Statement", RFC 6027,
October 2010.
[7] Nadas, S., Ed., "Virtual Router Redundancy Protocol (VRRP)
Version 3 for IPv4 and IPv6", RFC 5798, March 2010.
Singh, et al. Standards Track [Page 22]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
[8] Nir, Y., Ed., Wierbowski, D., Detienne, F., and P. Sethi, "A
Quick Crash Detection Method for the Internet Key Exchange
Protocol (IKE)", RFC 6290, June 2011.
[9] Housley, R., "Using Advanced Encryption Standard (AES) Counter
Mode With IPsec Encapsulating Security Payload (ESP)",
RFC 3686, January 2004.
[10] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM)
in IPsec Encapsulating Security Payload (ESP)", RFC 4106,
June 2005.
[11] McGrew, D. and B. Weis, "Using Counter Modes with Encapsulating
Security Payload (ESP) and Authentication Header (AH) to
Protect Group Traffic", RFC 6054, November 2010.
[12] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange Protocol
Version 2 (IKEv2) Session Resumption", RFC 5723, January 2010.
[13] Devarapalli, V. and K. Weniger, "Redirect Mechanism for the
Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5685,
November 2009.
Singh, et al. Standards Track [Page 23]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Appendix A. IKEv2 Message ID Sync Examples
This (non-normative) section presents some examples that illustrate
how the IKEv2 Message ID values are synchronized. We use a tuple
notation, denoting the two counters EXPECTED_SEND_REQ_MESSAGE_ID and
EXPECTED_RECV_REQ_MESSAGE_ID on each protocol party as
(EXPECTED_SEND_REQ_MESSAGE_ID, EXPECTED_RECV_REQ_MESSAGE_ID).
Note that if the IKE message counters are already synchronized (as in
the first example), we expect the numbers to be reversed between the
two sides. If one protocol party intends to send the next request as
4, then the other expects the next received request to be 4.
A.1. Normal Failover -- Example 1
Standby (Newly Active) Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sync Request (0, 5) -------->
Peer has the values (5, 0), so it sends
<------------- (5, 0) as the Sync Response
In this example, the peer has most recently sent an IKE request with
Message ID 4, and has never received a request. So the peer's
expected values for the next pair of messages are (5, 0). These are
the same values as received from the member, and therefore they are
sent as-is.
A.2. Normal Failover -- Example 2
Standby (Newly Active) Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sync Request (2, 3) -------->
Peer has the values (4, 5), so it sends
<------------- (4, 5) as the Sync Response
In this example, the peer has most recently sent an IKE message with
the Message ID 3, and received one with ID 4. So the peer's expected
values for the next pair of messages are (4, 5). These are both
higher than the corresponding values just received from the member
(the order of tuple members is reversed when doing this comparison!),
and therefore they are sent as-is.
Singh, et al. Standards Track [Page 24]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
A.3. Normal Failover -- Example 3
Standby (Newly Active) Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sync Request (2, 5) -------->
Peer has the values (2, 4), so it sends
<-------------(5, 4) as the Sync Response
In this example, the newly active member expects to send the next IKE
message with ID 2. It sends an expected receive value of 5, which is
higher than the last ID value it has seen from the peer, because it
believes some incoming messages may have been lost. The peer has
last sent a message with ID 1, and received one with ID 3, indicating
that a couple of messages sent by the previously active member had
not been synchronized into the other member. So the peer's next
expected (send, receive) values are (2, 4). The peer replies with
the maximum of the received and the expected value for both send and
receive counters: (max(2, 5), max(4, 2)) = (5, 4).
A.4. Simultaneous Failover
In the case of simultaneous failover, both sides send their
synchronization requests simultaneously. The eventual outcome of
synchronization consists of the higher counter values. This is
demonstrated in the following figure.
Standby (Newly Active) Member Peer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sync Request (4,4) ----->
<-------------- Sync Request (5,5)
Sync Response (5,5) ---->
<-------- Sync Response (5,5)
Singh, et al. Standards Track [Page 25]
^L
RFC 6311 High Availability in IKEv2/IPsec July 2011
Authors' Addresses
Raj Singh (editor)
Cisco Systems, Inc.
Divyashree Chambers, B Wing, O'Shaugnessy Road
Bangalore, Karnataka 560025
India
Phone: +91 80 4301 3320
EMail: rsj@cisco.com
Kalyani Garigipati
Cisco Systems, Inc.
Divyashree Chambers, B Wing, O'Shaugnessy Road
Bangalore, Karnataka 560025
India
Phone: +91 80 4426 4831
EMail: kagarigi@cisco.com
Yoav Nir
Check Point Software Technologies Ltd.
5 Hasolelim St.
Tel Aviv 67897
Israel
EMail: ynir@checkpoint.com
Yaron Sheffer
Porticor Cloud Security
EMail: yaronf.ietf@gmail.com
Dacheng Zhang
Huawei Technologies Ltd.
EMail: zhangdacheng@huawei.com
Singh, et al. Standards Track [Page 26]
^L
|
