Internet-Draft Reliable Transport in IKEv2 July 2023
Smyslov Expires 8 January 2024 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-smyslov-ipsecme-ikev2-reliable-transport-00
Published:
Intended Status:
Standards Track
Expires:
Author:
V. Smyslov
ELVIS-PLUS

Use of Reliable Transport in the Internet Key Exchange Protocol Version 2 (IKEv2)

Abstract

The Internet Key Exchange protocol version 2 (IKE2) can operate either over unreliable (UDP) transport or over reliable (TCP) transport. If TCP is used, then IPsec tunnels created by IKEv2 also use TCP. This document specifies how to decouple IKEv2 and IPsec transports, so that IKEv2 can operate over TCP, while IPsec tunnels use unreliable transport. This feature allows IKEv2 to effectively exchange large blobs of data (e.g. when post-quantum algorithms are employed) while avoiding performance problems which arise when TCP is used for IPsec.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 January 2024.

Table of Contents

1. Introduction

The Internet Key Exchange protocol version 2 (IKEv2) [RFC7296] originally used unreliable transport (UDP) for its messages. Later it was extended to use TCP [RFC9329] where UDP is blocked. UDP is still considered as a preferred transport for IKEv2, and TCP is only used if UDP datagrams cannot get through.

Originally IKEv2 peers exchanged relatively small amount of data, so that simple retransmission mechanism on top of UDP with no congestion control sufficed. The situation has changed when post-quantum cryptographic algorithms started to be incorporated into IKEv2 [RFC9370]. Most of post-quantum algorithms require IKE peers to exchange much more data, than classical algorithms, up to tens (or even hundreds) Kbytes. Few proposals exist that allow to overcome the 64 Kbytes limitation on the size of an IKE payload ([I-D.nir-ipsecme-big-payload], [I-D.smyslov-ipsecme-ikev2-extended-pld], [I-D.tjhai-ikev2-beyond-64k-limit]).

When IKE messages grow up to tens (or even hundreds) Kbytes, using UDP as a transport will become challenging. Use of IKE fragmentation [RFC7383] avoids IP fragmentation problems and also allows each IKE message fragment to fit into UDP datagram, even if the original message doesn't. However, all IKE fragments are always being sent (and retransmitted) at once, so that with the increased number of fragments and the lack of congestion control the simple retransmission mechanism of IKEv2 will perform poorly, perhaps even making more truble to the network.

Using reliable transport (like TCP) for IKEv2 would be a solution to the problem. However, the current use of TCP as defined in [RFC9329] implies that ESP SAs are also encapsulated in TCP, which has negative impact on IPsec performance (see Section 9 of [RFC9329].

This specification allows to decouple IKE and IPsec transports, so that it makes possible to negotiate and use reliable transport for IKEv2 while maintaining using unreliable transport for IPsec.

The idea to decouple IKE and IPsec transports was originally presented in [I-D.tjhai-ikev2-beyond-64k-limit].

2. Terminology and Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Protocol Details

If the initiator supports this extension and is configured to use and it and also anticipates that large amount of data may be exchanged in this SA (e.g. it proposes Key Exchange transforms with large public keys), then the initiator starts the IKE_SA_INIT exchange using UDP port 4500 and includes a new status type notification RELIABLE_IKE_TRANSPORT (<TBA by IANA>) into the request message. The RELIABLE_IKE_TRANSPORT notification has protocol 0, SPI size 0 and contains no data. Using UDP port 4500 for the IKE_SA_INIT messages is explicitly allowed by [RFC7296], and ensures that IPsec packets can get through if they are UDP encapsulated.

If the responder supports this extension and is configured to use it and the IKE_SA_INIT request contains the RELIABLE_IKE_TRANSPORT notification, then the responder sends back this notification in the response.

Initiator (UDP:4500)               Responder (UDP:4500)
-------------------------------------------------------------------
HDR , SAi1, KEi1, Ni,
[N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP),]
N(RELIABLE_IKE_TRANSPORT)  --->
                                   HDR, SAr1, KEr1, Nr,
                                   [N(NAT_DETECTION_SOURCE_IP),
                                   N(NAT_DETECTION_DESTINATION_IP),]
                             <---  N(RELIABLE_IKE_TRANSPORT)

In this case the initiator MUST switch to TCP using destination port 4500 in the next exchange (IKE_INTERMEDIATE or IKE_AUTH) and the responder MUST be prepared to receive the next exchange request message on TCP port 4500.

Initiator (TCP)                    Responder (TCP:4500)
-------------------------------------------------------------------
HDR, SK{...}  --->
                             <---  HDR, SK{...}

All subsequent IKE exchanges MUST continue to use TCP transport. In particular, peers MUST NOT try to swich IKE transport to UDP as defined in Sections 7.1 and 7.3 of [RFC9329]. All recommendations of [RFC9329] regarding maintaning TCP connection apply accordingly.

With this IKE extension child SAs are created as defined in [RFC7296] - they either use direct transport over IP or are UDP encapsulated if NAT is detected. Note, that in the latter case peers are responsible for maintaining NAT mapping by sending NAT keepalives (see Section 2.23 of [RFC7296]).

4. Security Considerations

Section 10 of [RFC9329] discusses security implications of using TCP as IKE transport.

5. IANA Considerations

This document defines a new Notify Message Type in the "Notify Message Types - Status Types" registry:

<TBA>         RELIABLE_IKE_TRANSPORT

6. References

6.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC7296]
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, , <https://www.rfc-editor.org/info/rfc7296>.
[RFC9329]
Pauly, T. and V. Smyslov, "TCP Encapsulation of Internet Key Exchange Protocol (IKE) and IPsec Packets", RFC 9329, DOI 10.17487/RFC9329, , <https://www.rfc-editor.org/info/rfc9329>.

6.2. Informative References

[RFC7383]
Smyslov, V., "Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation", RFC 7383, DOI 10.17487/RFC7383, , <https://www.rfc-editor.org/info/rfc7383>.
[RFC9370]
Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, , <https://www.rfc-editor.org/info/rfc9370>.
[I-D.tjhai-ikev2-beyond-64k-limit]
Tjhai, C., Heider, T., and V. Smyslov, "Beyond 64KB Limit of IKEv2 Payloads", Work in Progress, Internet-Draft, draft-tjhai-ikev2-beyond-64k-limit-03, , <https://datatracker.ietf.org/doc/html/draft-tjhai-ikev2-beyond-64k-limit-03>.
[I-D.nir-ipsecme-big-payload]
Nir, Y., "A Larger Internet Key Exchange version 2 (IKEv2) Payload", Work in Progress, Internet-Draft, draft-nir-ipsecme-big-payload-01, , <https://datatracker.ietf.org/doc/html/draft-nir-ipsecme-big-payload-01>.
[I-D.smyslov-ipsecme-ikev2-extended-pld]
Smyslov, V., "Extended IKEv2 Payload Format", Work in Progress, Internet-Draft, draft-smyslov-ipsecme-ikev2-extended-pld-01, , <https://datatracker.ietf.org/doc/html/draft-smyslov-ipsecme-ikev2-extended-pld-01>.

Author's Address

Valery Smyslov
ELVIS-PLUS
PO Box 81
Moscow (Zelenograd)
124460
Russian Federation