| Internet-Draft | Reliable Transport in IKEv2 | July 2023 |
| Smyslov | Expires 8 January 2024 | [Page] |
The Internet Key Exchange protocol version 2 (IKE2) can operate either over unreliable (UDP) transport or over reliable (TCP) transport. If TCP is used, then IPsec tunnels created by IKEv2 also use TCP. This document specifies how to decouple IKEv2 and IPsec transports, so that IKEv2 can operate over TCP, while IPsec tunnels use unreliable transport. This feature allows IKEv2 to effectively exchange large blobs of data (e.g. when post-quantum algorithms are employed) while avoiding performance problems which arise when TCP is used for IPsec.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Internet Key Exchange protocol version 2 (IKEv2) [RFC7296] originally used unreliable transport (UDP) for its messages. Later it was extended to use TCP [RFC9329] where UDP is blocked. UDP is still considered as a preferred transport for IKEv2, and TCP is only used if UDP datagrams cannot get through.¶
Originally IKEv2 peers exchanged relatively small amount of data, so that simple retransmission mechanism on top of UDP with no congestion control sufficed. The situation has changed when post-quantum cryptographic algorithms started to be incorporated into IKEv2 [RFC9370]. Most of post-quantum algorithms require IKE peers to exchange much more data, than classical algorithms, up to tens (or even hundreds) Kbytes. Few proposals exist that allow to overcome the 64 Kbytes limitation on the size of an IKE payload ([I-D.nir-ipsecme-big-payload], [I-D.smyslov-ipsecme-ikev2-extended-pld], [I-D.tjhai-ikev2-beyond-64k-limit]).¶
When IKE messages grow up to tens (or even hundreds) Kbytes, using UDP as a transport will become challenging. Use of IKE fragmentation [RFC7383] avoids IP fragmentation problems and also allows each IKE message fragment to fit into UDP datagram, even if the original message doesn't. However, all IKE fragments are always being sent (and retransmitted) at once, so that with the increased number of fragments and the lack of congestion control the simple retransmission mechanism of IKEv2 will perform poorly, perhaps even making more truble to the network.¶
Using reliable transport (like TCP) for IKEv2 would be a solution to the problem. However, the current use of TCP as defined in [RFC9329] implies that ESP SAs are also encapsulated in TCP, which has negative impact on IPsec performance (see Section 9 of [RFC9329].¶
This specification allows to decouple IKE and IPsec transports, so that it makes possible to negotiate and use reliable transport for IKEv2 while maintaining using unreliable transport for IPsec.¶
The idea to decouple IKE and IPsec transports was originally presented in [I-D.tjhai-ikev2-beyond-64k-limit].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
If the initiator supports this extension and is configured to use and it and also anticipates that large amount of data may be exchanged in this SA (e.g. it proposes Key Exchange transforms with large public keys), then the initiator starts the IKE_SA_INIT exchange using UDP port 4500 and includes a new status type notification RELIABLE_IKE_TRANSPORT (<TBA by IANA>) into the request message. The RELIABLE_IKE_TRANSPORT notification has protocol 0, SPI size 0 and contains no data. Using UDP port 4500 for the IKE_SA_INIT messages is explicitly allowed by [RFC7296], and ensures that IPsec packets can get through if they are UDP encapsulated.¶
If the responder supports this extension and is configured to use it and the IKE_SA_INIT request contains the RELIABLE_IKE_TRANSPORT notification, then the responder sends back this notification in the response.¶
Initiator (UDP:4500) Responder (UDP:4500)
-------------------------------------------------------------------
HDR , SAi1, KEi1, Ni,
[N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP),]
N(RELIABLE_IKE_TRANSPORT) --->
HDR, SAr1, KEr1, Nr,
[N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP),]
<--- N(RELIABLE_IKE_TRANSPORT)
¶
In this case the initiator MUST switch to TCP using destination port 4500 in the next exchange (IKE_INTERMEDIATE or IKE_AUTH) and the responder MUST be prepared to receive the next exchange request message on TCP port 4500.¶
Initiator (TCP) Responder (TCP:4500)
-------------------------------------------------------------------
HDR, SK{...} --->
<--- HDR, SK{...}
¶
All subsequent IKE exchanges MUST continue to use TCP transport. In particular, peers MUST NOT try to swich IKE transport to UDP as defined in Sections 7.1 and 7.3 of [RFC9329]. All recommendations of [RFC9329] regarding maintaning TCP connection apply accordingly.¶
With this IKE extension child SAs are created as defined in [RFC7296] - they either use direct transport over IP or are UDP encapsulated if NAT is detected. Note, that in the latter case peers are responsible for maintaining NAT mapping by sending NAT keepalives (see Section 2.23 of [RFC7296]).¶
Section 10 of [RFC9329] discusses security implications of using TCP as IKE transport.¶
This document defines a new Notify Message Type in the "Notify Message Types - Status Types" registry:¶
<TBA> RELIABLE_IKE_TRANSPORT¶