IPsecME Working Group Y. Nir
Internet-Draft Check Point
Intended status: Standards Track August 22, 2013
Expires: February 23, 2014

Handing Over Child SAs Following Re-Authentication in IKEv2
draft-nir-ipsecme-cafr-01

Abstract

This document describes an extension to the IKEv2 protocol whereby Child SAs are moved to the new IKE SA following re-authentication. This allows for a smoother transition with no loss of connectivity.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on February 23, 2014.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

The Internet Key Exchange version 2 (IKEv2) protocol, as specified in [RFC5996bis] associates Child SAs with the IKE SAs under which the exchange that created them took place. With the deletion of the IKE SA due to expiry, policy change, or an explicit message from the peer, the child SAs associated with it are implicitly closed as described in section 1.4.1 of the IKEv2 document. This behavior is not desired when IKE SAs are replaced rather than deleted, because those child SAs could still be valid and there is no security reason to create new ones prematurely.

There are two cases where an IKE SA is replaced.

  1. Rekeying, where new keys are generated. This is described in section 2.18 of RFC 5996. This is done mainly for key freshness.
  2. Re-Authentication, where both sides authenticate, and new keys are generated. This is done as part of a risk management policy, to limit the time that compromised IKE SA keys can be used to provide the attacker access to the network. No reauthentication exchange is specified in the RFC. Instead, it's simply the Initial and Authentication exchanges done as if from scratch. This is described in section 2.8.3 of RFC 5996.

For rekeying, RFC 5996 provides a way to avoid having to re-create all child SAs. When an IKE SA is rekeyed, all the Child SAs under the old IKE SA are inherited by the new IKE SA, so that the subsequent deletion of the old IKE SA does not affect the Child SAs. This behavior is described in section 2.8 paragraph 4 of RFC 5996.

For reauthentication, RFC 5996 does not provide a similar mechanism, and section 2.8.3 explicitly says that Child SAs need to be created from scratch. This is often inconvenient, as IPsec systems usually create Child SAs only in response to traffic and multiple Child SAs may exist for a single IKE SA. The protocol extension in this draft closes this gap.

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

The terms IKE SA, Child SA, Rekeying, and Reauthentication are as described in the RFC 5996.

2. Handing Over Child SAs

This document defines a new notification that can be sent over an old IKE SA, just after an IKE_AUTH exchange has been used to re-authenticate. The notification tells the peer to transfer all Child SAs that belong to the current (old) IKE SA to be owned by the new IKE SA, so that when the old IKE SA is deleted, those Child SAs are not. If both peers send this notification, all Child SAs belonging to the old IKE SA are immediately inherited by the new IKE SA.

In addition to the Child SAs, any IP address assigned to either peer through the use of the CFG payload (as described in section 2.19 of RFC 5996), is also associated with the new IKE SA.

The new notification MAY be accompanied by a DELETE payload, so as to transfer the Child SAs and delete the old IKE SA at the same time.

2.1. The HAND_OVER_CHILD_SAS Notification

The HAND_OVER_CHILD_SA notification is formatted as follows:

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !  Protocol ID  !   SPI Size    !  HAND_OVER_CHILD_SAS Type     !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    ~                Security Parameter Index (SPI)                 ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            
                                  Figure 1
                

2.2. Verifying the HAND_OVER_CHILD_SAS Notification

To go through with the new IKE SA inheriting the SAs of the old IKE SA, all of the following MUST apply:

If either of the above conditions does not apply, a conformant implementation MUST NOT send the HAND_OVER_CHILD_SAS Notification. Additionally, an implementation MUST NOT hand over the child SAs if the other side has not sent the notification, and MUST hand them over if both it and the other side had sent the notification.

3. The Illustrated Protocol

The Informational exchange after creating a new IKE SA:

   Initiator                                   Responder
   -----------------------------------------------------------------
   HDR, SK {
            N(HAND_OVER_IKE_SAS, new IKE SA SPIs),
            DELETE
           }              -->
                                               HDR, SK {
                              N(HAND_OVER_IKE_SAS, new IKE SA SPIs)
                          <--                          }
                            
                                  Figure 2
                          
        

Note that in the above figure, the HDR has the IKE SPIs of the old IKE SAs, and the SK payload uses the keys of the old IKE SA, because this message is sent over the old IKE SA.

4. Interaction with Other Standards

This document changes things so that there is often no need to create new Child SAs along with the new IKE SA when reauthenticating. This makes the full IKE_AUTH exchange with the piggy-backed Child SA exchange (as described in RFC 5996) superfluous. Implementations should consider implementing the childless extension of IKEv2 ([RFC6023]) in addition to this specification.

5. Acknowledgements

The author would like to thank Valery Smyslov for the suggestion of moving the hand-over from the IKE_AUTH to an Informational under the old IKE SA. This changed (in version -01) simplified the protocol significantly.

6. IANA Considerations

IANA is requested to assign a notify message type from the status types range (16418-40959) of the "IKEv2 Notify Message Types" registry with name "HAND_OVER_CHILD_SAS"

7. Security Considerations

The HAND_OVER_CHILD_SAS notification is sent protected by the old IKE SA. This protects against stealing child SAs. The requirement for sameness of authenticated identity protects against errors by one peer transferring child SAs to some other peer, although we cannot think of any attack that would exploit this.

8. Changes from Previous Versions

[NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION]

Version -01 moved the sending of the notification from the IKE_AUTH exchange that is part of reauthentication to the Informational exchange that is part of closing the old IKE SA. This made cryptographic binding to the old IKE SA unnecessary.

9. References

9.1. Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P. and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", Internet-Draft draft-kivinen-ipsecme-ikev2-rfc5996bis-00, August 2013.

9.2. Informative References

[1] Nir, Y., Tschofenig, H., Deng, H. and R. Singh, "A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)", RFC 6023, October 2010.

Author's Address

Yoav Nir Check Point Software Technologies Ltd. 5 Hasolelim st. Tel Aviv, 6789735 Israel EMail: ynir@checkpoint.com