IKEv2 based lightweight secure data communicationCisco Systems India Pvt. Ltd.SEZ Unit, Cessna Business ParkSarjapur Marathahalli Outer Ring RoadBangaloreKarnataka560087India+91 80 4426 4834amjads@cisco.comCisco Systems India Pvt. Ltd.SEZ Unit, Cessna Business ParkSarjapur Marathahalli Outer Ring RoadBangaloreKarnataka560087India+91 80 4426 2731rsj@cisco.com
Security Area
Internet-Draft This document describes an IKEv2 based lightweight secure data communication mechanism over UDP port 4500,
that supports reliable and unreliable data transfers, integrity protected encryption and integrity-only protection, in-band and out-of-band keys, fragmentation and payload identification. With this mechanism, IKEv2 provides a complete secure connectivity solution that addresses key management and secure data communication needs of applications. The Internet Key Exchange Protocol version 2 (IKEv2), specified in RFC5996 , is a UDP based reliable protocol that provides encrypted and integrity protected secure communication channel similar to ESP defined in RFC4303 . IKEv2 defines mechanisms for mutual authentication of peers, session key establishment, SA management and exchange of configuration information. As IKEv2 provides encryption, integrity protection, replay protection along with reliable communication, mobility, windowing, load-balancing and fragmentation, IKEv2 has all the properties required for scalable secure data communication. This document defines an IKEv2 based secure data communication mechanism over UDP port 4500, henceforth referred to as IKEv2 data channel in this document. To be able to use IKEv2 data channel the IKEv2 negotiation MUST start on port 4500. For application multiplexing, either ephemeral source UDP port numbers or IKEv2 identity MAY be used. A packet received on UDP port 4500 can either be an IKE packet or an ESP packet. The first 4 octets of the UDP payload are used to differentiate between IKE and ESP packets. For ESP packets the first octets form the ESP SPI, a non-zero value with values 1 through 255 reserved. This draft proposes to use one of the reserved ESP SPI values as IKEV2-DATA-MARKER to identify IKEv2 data packets. Differentiating IKEv2 data packets from control packets allows to leverage the IKEv2 protocol's security and reliability mechanisms and security parameters for data communication while avoiding the overhead of IKEv2 header and generic payload headers for data packets. It also enables the support for unacknowledged data transfer, integrity-only protection, out-of-band keys, fragmentation, payload identification and secure group communication. Similar to Childless IKEv2 defined in RFC6023, IKEv2 data channel does not negotiate/require child IPsec SA in the IKEv2 initial exchange and subsequently. Please refer the appendix section of this document for details on the alternative mechanisms that were considered for data communication over IKEv2 and their drawbacks. Secure connectivity in Internet of Things (IoT) and Machine to Machine (M2M) domains offers unique challenges. The challenges of secure connectivity solution for IoT and M2M are: being lightweight, scalability, reliability and easier deployment. The solution must be lightweight for the resource constrained IoT devices, scalable for IoT gateways to aggregate a multitude of IoT devices, reliable for the lossy sensor networks and easily deployable on a variety of IoT device and gateway vendor platforms and operating systems. IKEv2 data channel is lightweight and scalable as it is UDP based and hence resides in the application layer. It resides in the operating system user space and does not require integration within operating system kernel. It uses only parent IKEv2 SA negotiation. It uses a minimal overhead secure encapsulation by avoiding the overhead of IKEv2 header and generic payload headers for data packets. IKEv2 data channel provides reliability using the IKEv2 protocol's retransmission mechanism. IKEv2 data channel does not require operating system integration and resides in application space, hence it is easily deployable on different operating system platforms. So IKEv2 data channel addresses the above challenges of secure connectivity solution for IoT and M2M. Further, IKEv2 data channel also provides unreliable data transfer, an option for integrity-only protection for applications that do not require confidentiality such as routing protocols. IKEv2 data channel can also provide secure group communication by integrating with group keying mechanism such as Group Key Management using IKEv2 defined in G-IKEv2.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in
RFC 2119. Following are some of the benefits of IKEv2 data channel:
Lightweight and scalable data communication mechanism. Support for acknowledged and unacknowledged data transfer. Support for integrity-only protection, in addition to integrity protected encryption. Support for multicast communication using G-IKEv2 as control channel. Easier integration and adoption across multiple platforms and operating systems as the IKEv2 protocol resides in OS application layer (user space). Reliable secure communication over UDP suitable for lossy networks. Better NAT and firewall traversal, IKEv2 protocol being UDP based. Leverages the built in support for mobility, fragmentation and load balancing mechanisms in IKEv2. Support for IKEv2 based certificate as well pre-shared key and EAP authentication methods. As IKEv2 is an identity centric protocol rather than IP centric, IKEv2 data channel provides easier integration with policy servers in dynamic deployment scenarios. IKEv2 data channel can leverage any protocol improvements to IKEv2 control channel e.g. Minimal IKEv2 . Since IKEv2 data channel uses the same UDP port as control channel, it works seamlessly with load balancers and PAT devices. Support for payload type identification in tunnelling mode, allowing a session to carry multiple traffic types such as IPv4, IPv6, non-IP and other traffic types Support for application multiplexing using either ephemeral source UDP port numbers or IKEv2 identity. One of the main use cases envisaged for IKEv2 data channel is secure communication for IoT and M2M for endpoint to endpoint and endpoint to gateway that would aggregate and relay the connections to back-end applications. 1. Endpoint to Endpoint: IKEv2 data channel in endpoint to endpoint scenario offers the advantages of being lightweight and easily deployable being data-plane and hardware independent. 2. Endpoint to Security Gateway: IKEv2 data channel in endpoint to security gateway scenario offers the advantages being scalable to be able to aggregate large number of sessions and relay the connections to back-end applications in the datacenter.
Use-cases of IKEv2 data channel for IoT and M2M scenarios:
UDP based IKEv2 data channel provides a lightweight and scalable secure connectivity solution for IoT and M2M domains. The IKEv2 data channel's reliable data transfer is suitable for lossy sensor networks. The IKEv2 data channel's unreliable data transfer is suitable for delay sensitive applications. The IKEv2 data channel's integrity-only protection is suitable for routing protocol security. With IKEv2 data channel, IKEv2 provides a single and complete solution for key management and secure communication needs of the applications such as IoT and M2M. This document proposes following extensions to IKEv2 protocol for data communication:
IKEv2 Notify type 'IKEV2_DATA_CHANNEL_SUPPORTED' for IKEv2 data channel negotiation.IKEv2 packet formats for IKEv2 Data and Data-Ack packets. IKEv2 data channel will support the following data transfer modes:
Acknowledged data transferUnacknowledged data transfer IKEv2 data channel will support the following data protection modes:
Encryption and Integrity protectionIntegrity only protection IKEv2 data channel will support in-band and out-of-band keys:
IKEv2 data channel using the same keys as IKEv2 control channel (in-band) IKEv2 data channel using the different keys from IKEv2 control channel (out-of-band) IKEv2 data channel will support data fragmentation built within IKEv2 data payload. The IKEv2 data channel capabilities are negotiated using the IKEV2_DATA_CHANNEL_SUPPORTED Notify in IKE_SA_INIT exchange. Any combination of data transfer modes, protection modes and in-band or out-of-band keys can be negotiated. This data transfer mode provides a lightweight reliable data transfer over UDP suitable for lossy transports such as sensor networks. This mode will use IKEv2 protocol's existing reliability and windowing mechanisms as described in [RFC5996]. This mode uses IKEv2 data and data-ack packets. The Message IDs are used for reliability and replay protection. This mode provides unreliable data transfer over UDP suitable for delay sensitive traffic such as voice. This mode uses unidirectional packet sequence numbers for replay protection similar to ESP anti-replay mechanism as described in [RFC4303]. This mode uses IKEv2 data packets with no data-ack packets. This protection mode provides encryption and integrity protection of IKEv2 data packets similar to the IKEv2 Encrypted payload as defined in [RFC5996]. This protection mode provides integrity protection of IKEv2 data packets and no encryption similar to ESP null encryption as described in [RFC4303]. This is suitable for applications that just need data integrity and not confidentiality such as routing protocol exchanges. IKEv2 data channel will use the same keys as IKEv2 control channel to provide encryption and integrity protection. With in-band keys, for additional security, the IKEv2 nodes MAY force a rekey immediately after the initial exchange to protect the credentials exchanged in the initial exchange, even if the keys were to be compromised after the initial exchange. IKEv2 data channel will use different keys from IKEv2 control channel to provide encryption and integrity protection. The negotiation of out-of-band keys is outside the scope of IKEv2 data channel. An example of out-of-band keys is the group keys negotiated using G-IKEv2 . IKEv2 data channel provides fragmentation of the cleartext data payload based on a pre-configured MTU value, in order to avoid fragmentation after encryption. The fragmentation is done on cleartext packet before encryption and integrity protection. The Fragment bit, Frag Num field, and Total Fragment fields in IKEv2 data packet specify if the packet contains a fragment, the fragment number and the total number of fragments respectively. The receiver SHOULD decrypt and reassemble the cleartext fragments after receiving and validating all the encrypted fragments. IKEv2 nodes can negotiate to use IKEv2 data channel and its capabilities by exchanging IKEV2_DATA_CHANNEL_SUPPORTED Notify type in IKE_SA_INIT exchange.
IKEv2 initiator can communicate its intent to use IKEv2 data channel by including a notify payload of type IKEV2_DATA_CHANNEL_SUPPORTED along with the proposed capabilities in IKE_SA_INIT request. IKEv2 responder can indicate its willingness to use IKEv2 data channel with the proposed capabilities by including a notify payload of type IKEV2_DATA_CHANNEL_SUPPORTED along with the same capabilities in IKE_SA_INIT response. If the capabilities proposed by IKEv2 Initiator are not acceptable to IKEv2 responder, it MUST NOT include IKEV2_DATA_CHANNEL_SUPPORTED Notify type in IKE_SA_INIT response. The absence of Notify payload of type IKEV2_DATA_CHANNEL_SUPPORTED in IKE_SA_INIT response indicates the incapability or unwillingness of the IKEv2 responder to use IKEv2 data channel. If IKEv2 responder does not include the same capabilities as proposed by IKEv2 initiator, IKEv2 initiator MUST treat this as unsuccessful negotiation of IKEv2 data channel. On unsuccessful negotiation of IKEv2 data channel, IKEv2 initiator and responder MUST NOT use IKEv2 data channel for data transfer. However rest of the IKEv2 negotiation can proceed as normal. On successful negotiation of IKEv2 Data Channel, IKEv2 Initiator and Responder MUST exclude any payloads related to Child SA negotiation in IKE_AUTH exchange and can use IKEv2 data channel for data transfer.Protocol ID (1 octet): MUST be 1, as this message is related to an IKEv2 SA.SPI Size (1 octet): MUST be zero, in conformance with section 3.10 of [RFC5996].Notify Message Type (2 octets): MUST be xxxxx, the value assigned for IKEV2_DATA_CHANNEL_SUPPORTED by IANA.Flags (8 bits): Specify the IKEv2 Data channel properties
bit 0:
0 - Acknowledged transfer1 - Unacknowledged transferbit 1:
0 - Encryption and Integrity protection1 - Integrity-only protectionbit 2:
0 - Use same keys for IKEv2 Control and Data channel protection (In-band keys)1 - Use different keys for IKEv2 Control and Data channel protection (Out-of-band keys)bit 3-7:
Reserved, sender MUST set these bits to zero and receiver MUST ignore itFlags (1 octet):
bit-0 (Ack bit): The Ack bit MUST be used only when unacknowledged data transfer is negotiated.
0 - Payload is a data packet1 - Payload is a data ack packetbit-1 (Fragment bit): Specifies if the payload is a fragment.
0 - Payload is not a fragment1 - Payload is a fragmentbit-2-7: Reserved, sender MUST set these bits to zero and receiver MUST ignore it Payload Type (1 octets): Identifies the payload type in tunnelling mode, allowing a session to carry multiple traffic types such as IPv4, IPv6, non-IP and other traffic types.
0 - Not used1 - IPv42 - IPv63-255 - ReservedLength (2 octets, unsigned integer): Length in octets of the entire IKEv2 Data packet.Frag Num (1 octet): Specifies fragment number if Fragment bit is set. If Fragment bit is not set, sender MUST set this field to zeros and receiver MUST ignore it.Total Frags (1 octet): Specifies the total number of fragments number, if Fragment bit is set. If Fragment bit is not set, sender MUST set this field to zeros and receiver MUST ignore it.SPI (8 octets): A value used be receiver to lookup the session associated with the packet in order to verify integrity and decrypt the data packet. This value is usually the data packet receiver's IKE SPI.Sequence Number (4 octets): This field identifies the IKEv2 Data packet sequence numbers. For acknowledged data transfer, this field is used for re-transmission, windowing and anti-replay checks. For unacknowledged data transfer, this field is used for anti-replay checks.
The IKEv2 Data Ack packet is integrity protected and is not encrypted as it does not carry any data. The Data Ack packet contains the SPI to identify the session and Sequence number to identify the packet being acknowledged.
Flags (1 octet):
bit 0 (Ack bit): Set to 1 to indicate it is a Data Ack packet. bits (1-7): Reserved, sender MUST set these bits to zero and receiver MUST ignore them.Length (2 octets, unsigned integer): Length in octets of the entire IKEv2 Data Ack packet.SPI (8 octets): A value used be receiver to lookup the session associated with the packet in order to verify integrity of the data ack packet.Sequence Number (4 octets): This field identifies the sequence number of the IKEv2 Data packet being acknowledged. This protocol variation inherits all the security properties of regular IKEv2 as described in [RFC5996].
The new notification carried in the initial exchange advertises the capability, and cannot be forged or added by an adversary without being detected, because the response to the initial exchange is authenticated with the AUTH payload of the IKE_AUTH exchange.
IKEv2 data payload inherits all security properties of ESP protocol defined in [RFC4303].
This document introduces one new IKEv2 Notification Message types as described in . The new Notify Message Types must be assigned values between 16429 and 40959.
IKEV2_DATA_CHANNEL_SUPPORTED This document proposes to use one of the reserved ESP SPI values (1 through 255, preferably 1) as
IKEV2-DATA-MARKER to identify IKEv2 data packets received over UDP port 4500. We would like to thank following people (in alphabetical order) for their review comments and valuable
suggestions for idea and initial version of the document: Amit Phadnis, Arif Shouqi, Balaji B L, Brian Weis, Cheryl Madson, Frederic Detienne, J P Vasseur, Kalyani Garigipati, Mike Sullenberger, Naresh Sunkara, Nick Doyle, Paul Hoffman, Rajiv Shankar Daulath, Ramesh Nethi, Sandeep Rao, Scott Fluhrer, and Thamil Kandasamy. This section lists all the changes in this document. NOTE TO RFC EDITOR: Please remove this section in before final RFC publication.Internet Key Exchange Protocol Version 2: IKEv2MicrosoftVPN ConsortiumCheck PointNokiaIP Encapsulating Security Payload (ESP)BBN TechnologiesA Childless Initiation of IKEv2 SACheck PointNSNChina MobileCiscoIKEv2 FragmentationELVIS-PLUSGroup Key Management using IKEv2CiscoCiscoCiscoCheck PointMinimal IKEv2INSIDE SecureKey words for use in RFCs to Indicate Requirement
LevelsHarvard University1350 Mass. Ave.CambridgeMA 02138- +1 617 495 3864sob@harvard.edu
General
keywordRedirect Mechanism for IKEv2WiChorus
This section describes the alternative mechanisms for data communication over IKEv2 that were
considered and their drawbacks.
The existing IKEv2 control channel can be used for data transfer using a new IKEv2 exchange type DATA exchange similar to INFORMATIONAL exchange, and a new payload type to encapsulate cleartext data that will be protected by Encrypted payload.
A drawback with this approach is that the data packets will incur the overhead of IKEv2 header (28 octets) and a minimum of two generic payload headers (4 octets each) with a total protocol overhead of 36 octets per data packet. Also, it is difficult to support unacknowledged data transfer and integrity-only protection for data packets.
IKEv2 header can be modified to allow differentiation between control and data packets using
the first four bytes of the header and the rest of the header can be different for control
and data packets. A possible way to accomplish this is to move the Exchange type field to the
beginning of IKEv2 header.
The obvious drawback with this approach is that it is not backward compatible with existing
IKEv2 protocol. Also, it makes it difficult to support unacknowledged data transfer and
integrity-only protection for data packets.
A separate UDP port e.g 501 can be used for IKEv2 data channel that allows to leverage the IKEv2 protocol's security and reliability mechanisms and security parameters for data communication while avoiding the overhead of IKEv2 header and generic payload headers for data packets. Use of a fixed UDP port for data channel instead of dynamically negotiated UDP ports has the advantage of not requiring the firewalls to snoop the IKEv2 control channel to be able to determine and allow the traffic on data channel UDP port.
A drawback with this approach is that the use of different ports for IKEv2 control and data channels makes it difficult for load balancers to associate an IKEv2 control channel with its data channel when there are multiple IKEv2 initiators behind a PAT device. Also when IKEv2 initiator is behind a PAT device, the data packets from responder will be dropped by the PAT device as port 501 will not be open unless there is data traffic from initiator.