Network Working Group V. Smyslov Internet-Draft ELVIS-PLUS Intended status: Standards Track 7 July 2023 Expires: 8 January 2024 Use of Reliable Transport in the Internet Key Exchange Protocol Version 2 (IKEv2) draft-smyslov-ipsecme-ikev2-reliable-transport-00 Abstract The Internet Key Exchange protocol version 2 (IKE2) can operate either over unreliable (UDP) transport or over reliable (TCP) transport. If TCP is used, then IPsec tunnels created by IKEv2 also use TCP. This document specifies how to decouple IKEv2 and IPsec transports, so that IKEv2 can operate over TCP, while IPsec tunnels use unreliable transport. This feature allows IKEv2 to effectively exchange large blobs of data (e.g. when post-quantum algorithms are employed) while avoiding performance problems which arise when TCP is used for IPsec. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 8 January 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights Smyslov Expires 8 January 2024 [Page 1] Internet-Draft Reliable Transport in IKEv2 July 2023 and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology and Notation . . . . . . . . . . . . . . . . . . 3 3. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 6.2. Informative References . . . . . . . . . . . . . . . . . 5 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction The Internet Key Exchange protocol version 2 (IKEv2) [RFC7296] originally used unreliable transport (UDP) for its messages. Later it was extended to use TCP [RFC9329] where UDP is blocked. UDP is still considered as a preferred transport for IKEv2, and TCP is only used if UDP datagrams cannot get through. Originally IKEv2 peers exchanged relatively small amount of data, so that simple retransmission mechanism on top of UDP with no congestion control sufficed. The situation has changed when post-quantum cryptographic algorithms started to be incorporated into IKEv2 [RFC9370]. Most of post-quantum algorithms require IKE peers to exchange much more data, than classical algorithms, up to tens (or even hundreds) Kbytes. Few proposals exist that allow to overcome the 64 Kbytes limitation on the size of an IKE payload ([I-D.nir-ipsecme-big-payload], [I-D.smyslov-ipsecme-ikev2-extended-pld], [I-D.tjhai-ikev2-beyond-64k-limit]). When IKE messages grow up to tens (or even hundreds) Kbytes, using UDP as a transport will become challenging. Use of IKE fragmentation [RFC7383] avoids IP fragmentation problems and also allows each IKE message fragment to fit into UDP datagram, even if the original message doesn't. However, all IKE fragments are always being sent (and retransmitted) at once, so that with the increased number of fragments and the lack of congestion control the simple retransmission mechanism of IKEv2 will perform poorly, perhaps even making more truble to the network. Smyslov Expires 8 January 2024 [Page 2] Internet-Draft Reliable Transport in IKEv2 July 2023 Using reliable transport (like TCP) for IKEv2 would be a solution to the problem. However, the current use of TCP as defined in [RFC9329] implies that ESP SAs are also encapsulated in TCP, which has negative impact on IPsec performance (see Section 9 of [RFC9329]. This specification allows to decouple IKE and IPsec transports, so that it makes possible to negotiate and use reliable transport for IKEv2 while maintaining using unreliable transport for IPsec. The idea to decouple IKE and IPsec transports was originally presented in [I-D.tjhai-ikev2-beyond-64k-limit]. 2. Terminology and Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Protocol Details If the initiator supports this extension and is configured to use and it and also anticipates that large amount of data may be exchanged in this SA (e.g. it proposes Key Exchange transforms with large public keys), then the initiator starts the IKE_SA_INIT exchange using UDP port 4500 and includes a new status type notification RELIABLE_IKE_TRANSPORT () into the request message. The RELIABLE_IKE_TRANSPORT notification has protocol 0, SPI size 0 and contains no data. Using UDP port 4500 for the IKE_SA_INIT messages is explicitly allowed by [RFC7296], and ensures that IPsec packets can get through if they are UDP encapsulated. If the responder supports this extension and is configured to use it and the IKE_SA_INIT request contains the RELIABLE_IKE_TRANSPORT notification, then the responder sends back this notification in the response. Initiator (UDP:4500) Responder (UDP:4500) ------------------------------------------------------------------- HDR , SAi1, KEi1, Ni, [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP),] N(RELIABLE_IKE_TRANSPORT) ---> HDR, SAr1, KEr1, Nr, [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP),] <--- N(RELIABLE_IKE_TRANSPORT) Smyslov Expires 8 January 2024 [Page 3] Internet-Draft Reliable Transport in IKEv2 July 2023 In this case the initiator MUST switch to TCP using destination port 4500 in the next exchange (IKE_INTERMEDIATE or IKE_AUTH) and the responder MUST be prepared to receive the next exchange request message on TCP port 4500. Initiator (TCP) Responder (TCP:4500) ------------------------------------------------------------------- HDR, SK{...} ---> <--- HDR, SK{...} All subsequent IKE exchanges MUST continue to use TCP transport. In particular, peers MUST NOT try to swich IKE transport to UDP as defined in Sections 7.1 and 7.3 of [RFC9329]. All recommendations of [RFC9329] regarding maintaning TCP connection apply accordingly. With this IKE extension child SAs are created as defined in [RFC7296] - they either use direct transport over IP or are UDP encapsulated if NAT is detected. Note, that in the latter case peers are responsible for maintaining NAT mapping by sending NAT keepalives (see Section 2.23 of [RFC7296]). 4. Security Considerations Section 10 of [RFC9329] discusses security implications of using TCP as IKE transport. 5. IANA Considerations This document defines a new Notify Message Type in the "Notify Message Types - Status Types" registry: RELIABLE_IKE_TRANSPORT 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Smyslov Expires 8 January 2024 [Page 4] Internet-Draft Reliable Transport in IKEv2 July 2023 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . [RFC9329] Pauly, T. and V. Smyslov, "TCP Encapsulation of Internet Key Exchange Protocol (IKE) and IPsec Packets", RFC 9329, DOI 10.17487/RFC9329, November 2022, . 6.2. Informative References [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation", RFC 7383, DOI 10.17487/RFC7383, November 2014, . [RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May 2023, . [I-D.tjhai-ikev2-beyond-64k-limit] Tjhai, C., Heider, T., and V. Smyslov, "Beyond 64KB Limit of IKEv2 Payloads", Work in Progress, Internet-Draft, draft-tjhai-ikev2-beyond-64k-limit-03, 28 July 2022, . [I-D.nir-ipsecme-big-payload] Nir, Y., "A Larger Internet Key Exchange version 2 (IKEv2) Payload", Work in Progress, Internet-Draft, draft-nir- ipsecme-big-payload-01, 28 January 2023, . [I-D.smyslov-ipsecme-ikev2-extended-pld] Smyslov, V., "Extended IKEv2 Payload Format", Work in Progress, Internet-Draft, draft-smyslov-ipsecme-ikev2- extended-pld-01, 6 March 2023, . Author's Address Smyslov Expires 8 January 2024 [Page 5] Internet-Draft Reliable Transport in IKEv2 July 2023 Valery Smyslov ELVIS-PLUS PO Box 81 Moscow (Zelenograd) 124460 Russian Federation Phone: +7 495 276 0211 Email: svan@elvis.ru Smyslov Expires 8 January 2024 [Page 6]