1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
|
<pre>Network Working Group P. Eronen, Ed.
Request for Comments: 4555 Nokia
Category: Standards Track June 2006
<span class="h1">IKEv2 Mobility and Multihoming Protocol (MOBIKE)</span>
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes the MOBIKE protocol, a mobility and
multihoming extension to Internet Key Exchange (IKEv2). MOBIKE
allows the IP addresses associated with IKEv2 and tunnel mode IPsec
Security Associations to change. A mobile Virtual Private Network
(VPN) client could use MOBIKE to keep the connection with the VPN
gateway active while moving from one address to another. Similarly,
a multihomed host could use MOBIKE to move the traffic to a different
interface if, for instance, the one currently being used stops
working.
<span class="grey">Eronen Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Motivation . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Scope and Limitations . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Terminology and Notation . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2">2</a>. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.1">2.1</a>. Basic Operation . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.2">2.2</a>. Example Protocol Exchanges . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.3">2.3</a>. MOBIKE and Network Address Translation (NAT) . . . . . . . <a href="#page-9">9</a>
<a href="#section-3">3</a>. Protocol Exchanges . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.1">3.1</a>. Initial IKE Exchange . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.2">3.2</a>. Signaling Support for MOBIKE . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.3">3.3</a>. Initial Tunnel Header Addresses . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3.4">3.4</a>. Additional Addresses . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3.5">3.5</a>. Changing Addresses in IPsec SAs . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-3.6">3.6</a>. Updating Additional Addresses . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-3.7">3.7</a>. Return Routability Check . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-3.8">3.8</a>. Changes in NAT Mappings . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-3.9">3.9</a>. NAT Prohibition . . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-3.10">3.10</a>. Path Testing . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-3.11">3.11</a>. Failure Recovery and Timeouts . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-3.12">3.12</a>. Dead Peer Detection . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4">4</a>. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-4.1">4.1</a>. Notify Messages - Error Types . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-4.2">4.2</a>. Notify Messages - Status Types . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-5">5</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-5.1">5.1</a>. Traffic Redirection and Hijacking . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-5.2">5.2</a>. IPsec Payload Protection . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-5.3">5.3</a>. Denial-of-Service Attacks against Third Parties . . . . . <a href="#page-25">25</a>
<a href="#section-5.4">5.4</a>. Spoofing Network Connectivity Indications . . . . . . . . <a href="#page-26">26</a>
<a href="#section-5.5">5.5</a>. Address and Topology Disclosure . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-6">6</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7">7</a>. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-8">8</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-8.1">8.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-8.2">8.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#appendix-A">Appendix A</a>. Implementation Considerations . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#appendix-A.1">A.1</a>. Links from SPD Cache to Outbound SAD Entries . . . . . . . <a href="#page-31">31</a>
<a href="#appendix-A.2">A.2</a>. Creating Outbound SAs . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<span class="grey">Eronen Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Motivation</span>
IKEv2 is used for performing mutual authentication, as well as
establishing and maintaining IPsec Security Associations (SAs). In
the base IKEv2 protocol [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>], the IKE SAs and tunnel mode IPsec
SAs are created implicitly between the IP addresses that are used
when the IKE_SA is established. These IP addresses are then used as
the outer (tunnel header) addresses for tunnel mode IPsec packets
(transport mode IPsec SAs are beyond the scope of this document).
Currently, it is not possible to change these addresses after the
IKE_SA has been created.
There are scenarios where these IP addresses might change. One
example is mobility: a host changes its point of network attachment
and receives a new IP address. Another example is a multihoming host
that would like to change to a different interface if, for instance,
the currently used interface stops working for some reason.
Although the problem can be solved by creating new IKE and IPsec SAs
when the addresses need to be changed, this may not be optimal for
several reasons. In some cases, creating a new IKE_SA may require
user interaction for authentication, such as entering a code from a
token card. Creating new SAs often involves expensive calculations
and possibly a large number of round-trips. For these reasons, a
mechanism for updating the IP addresses of existing IKE and IPsec SAs
is needed. The MOBIKE protocol described in this document provides
such a mechanism.
The main scenario for MOBIKE is enabling a remote access VPN user to
move from one address to another without re-establishing all security
associations with the VPN gateway. For instance, a user could start
from fixed Ethernet in the office and then disconnect the laptop and
move to the office's wireless LAN. When the user leaves the office,
the laptop could start using General Packet Radio Service (GPRS);
when the user arrives home, the laptop could switch to the home
wireless LAN. MOBIKE updates only the outer (tunnel header)
addresses of IPsec SAs, and the addresses and other traffic selectors
used inside the tunnel stay unchanged. Thus, mobility can be
(mostly) invisible to applications and their connections using the
VPN.
<span class="grey">Eronen Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
MOBIKE also supports more complex scenarios where the VPN gateway
also has several network interfaces: these interfaces could be
connected to different networks or ISPs, they may be a mix of IPv4
and IPv6 addresses, and the addresses may change over time.
Furthermore, both parties could be VPN gateways relaying traffic for
other parties.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Scope and Limitations</span>
This document focuses on the main scenario outlined above and
supports only tunnel mode IPsec SAs.
The mobility support in MOBIKE allows both parties to move, but does
not provide a "rendezvous" mechanism that would allow simultaneous
movement of both parties or discovery of the addresses when the
IKE_SA is first established. Therefore, MOBIKE is best suited for
situations where the address of at least one endpoint is relatively
stable and can be discovered using existing mechanisms such as DNS
(see <a href="#section-3.1">Section 3.1</a>).
MOBIKE allows both parties to be multihomed; however, only one pair
of addresses is used for an SA at a time. In particular, load
balancing is beyond the scope of this specification.
MOBIKE follows the IKEv2 practice where a response message is sent to
the same address and port from which the request was received. This
implies that MOBIKE does not work over address pairs that provide
only unidirectional connectivity.
Network Address Translators (NATs) introduce additional limitations
beyond those listed above. For details, refer to <a href="#section-2.3">Section 2.3</a>.
The base version of the MOBIKE protocol does not cover all potential
future use scenarios, such as transport mode, application to securing
SCTP, or optimizations desirable in specific circumstances. Future
extensions may be defined later to support additional requirements.
Please consult the MOBIKE design document [<a href="#ref-Design" title=""Design of the MOBIKE protocol"">Design</a>] for further
information and rationale behind these limitations.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Terminology and Notation</span>
When messages containing IKEv2 payloads are described, optional
payloads are shown in brackets (for instance, "[FOO]"), and a plus
sign indicates that a payload can be repeated one or more times (for
instance, "FOO+"). To provide context, some diagrams also show what
existing IKEv2 payloads would typically be included in the exchanges.
These payloads are shown for illustrative purposes only; see [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>]
for an authoritative description.
<span class="grey">Eronen Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
When this document describes updating the source/destination
addresses of an IPsec SA, it means updating IPsec-related state so
that outgoing Encapsulating Security Payload (ESP)/Authentication
Header (AH) packets use those addresses in the tunnel header.
Depending on how the nominal divisions between Security Association
Database (SAD), Security Policy Database (SPD), and Peer
Authorization Database (PAD) described in [<a href="#ref-IPsecArch" title=""Security Architecture for the Internet Protocol"">IPsecArch</a>] are actually
implemented, an implementation can have several different places that
have to be updated.
In this document, the term "initiator" means the party who originally
initiated the first IKE_SA (in a series of possibly several rekeyed
IKE_SAs); "responder" is the other peer. During the lifetime of the
IKE_SA, both parties may initiate INFORMATIONAL or CREATE_CHILD_SA
exchanges; in this case, the terms "exchange initiator" and "exchange
responder" are used. The term "original initiator" (which in [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>]
refers to the party who started the latest IKE_SA rekeying) is not
used in this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="#ref-KEYWORDS" title=""Key words for use in RFCs to Indicate Requirement Levels"">KEYWORDS</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Protocol Overview</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Basic Operation</span>
MOBIKE allows both parties to have several addresses, and there are
up to N*M pairs of IP addresses that could potentially be used. The
decision of which of these pairs to use has to take into account
several factors. First, the parties may have preferences about which
interface should be used due to, for instance, performance and cost
reasons. Second, the decision is constrained by the fact that some
of the pairs may not work at all due to incompatible IP versions,
outages in the network, problems at the local link at either end, and
so on.
MOBIKE solves this problem by taking a simple approach: the party
that initiated the IKE_SA (the "client" in a remote access VPN
scenario) is responsible for deciding which address pair is used for
the IPsec SAs and for collecting the information it needs to make
this decision (such as determining which address pairs work or do not
work). The other party (the "gateway" in a remote access VPN
scenario) simply tells the initiator what addresses it has, but does
not update the IPsec SAs until it receives a message from the
initiator to do so. This approach applies to the addresses in the
IPsec SAs; in the IKE_SA case, the exchange initiator can decide
which addresses are used.
<span class="grey">Eronen Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Making the decision at the initiator is consistent with how normal
IKEv2 works: the initiator decides which addresses it uses when
contacting the responder. It also makes sense, especially when the
initiator is a mobile node: it is in a better position to decide
which of its network interfaces should be used for both upstream and
downstream traffic.
The details of exactly how the initiator makes the decision, what
information is used in making it, how the information is collected,
how preferences affect the decision, and when a decision needs to be
changed are largely beyond the scope of MOBIKE. This does not mean
that these details are unimportant: on the contrary, they are likely
to be crucial in any real system. However, MOBIKE is concerned with
these details only to the extent that they are visible in IKEv2/IPsec
messages exchanged between the peers (and thus need to be
standardized to ensure interoperability).
Many of these issues are not specific to MOBIKE, but are common with
the use of existing hosts in dynamic environments or with mobility
protocols such as Mobile IP [<a href="#ref-MIP4" title=""IP Mobility Support for IPv4"">MIP4</a>] [<a href="#ref-MIP6" title=""Mobility Support in IPv6"">MIP6</a>]. A number of mechanisms
already exist or are being developed to deal with these issues. For
instance, link-layer and IP-layer mechanisms can be used to track the
status of connectivity within the local link [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>]; movement
detection is being specified for both IPv4 and IPv6 in [<a href="#ref-DNA4" title=""Detecting Network Attachment in IPv4 (DNAv4)"">DNA4</a>],
[<a href="#ref-DNA6" title=""Detecting Network Attachment in IPv6 - Best Current Practices for hosts"">DNA6</a>], and so on.
Naturally, updating the addresses of IPsec SAs has to take into
account several security considerations. MOBIKE includes two
features designed to address these considerations. First, a "return
routability" check can be used to verify the addresses provided by
the peer. This makes it more difficult to flood third parties with
large amounts of traffic. Second, a "NAT prohibition" feature
ensures that IP addresses have not been modified by NATs, IPv4/IPv6
translation agents, or other similar devices. This feature is
enabled only when NAT Traversal is not used.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Example Protocol Exchanges</span>
A simple MOBIKE exchange in a mobile scenario is illustrated below.
The notation is based on [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>], Section 1.2. In addition, the
source/destination IP addresses and ports are shown for each packet:
here IP_I1, IP_I2, IP_R1, and IP_R2 represent IP addresses used by
the initiator and the responder.
<span class="grey">Eronen Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Initiator Responder
----------- -----------
1) (IP_I1:500 -> IP_R1:500)
HDR, SAi1, KEi, Ni,
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) -->
<-- (IP_R1:500 -> IP_I1:500)
HDR, SAr1, KEr, Nr,
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)
2) (IP_I1:4500 -> IP_R1:4500)
HDR, SK { IDi, CERT, AUTH,
CP(CFG_REQUEST),
SAi2, TSi, TSr,
N(MOBIKE_SUPPORTED) } -->
<-- (IP_R1:4500 -> IP_I1:4500)
HDR, SK { IDr, CERT, AUTH,
CP(CFG_REPLY),
SAr2, TSi, TSr,
N(MOBIKE_SUPPORTED) }
(Initiator gets information from lower layers that its attachment
point and address have changed.)
3) (IP_I2:4500 -> IP_R1:4500)
HDR, SK { N(UPDATE_SA_ADDRESSES),
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) } -->
<-- (IP_R1:4500 -> IP_I2:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) }
(Responder verifies that the initiator has given it a correct IP
address.)
4) <-- (IP_R1:4500 -> IP_I2:4500)
HDR, SK { N(COOKIE2) }
(IP_I2:4500 -> IP_R1:4500)
HDR, SK { N(COOKIE2) } -->
Step 1 is the normal IKE_INIT exchange. In step 2, the peers inform
each other that they support MOBIKE. In step 3, the initiator
notices a change in its own address, and informs the responder about
<span class="grey">Eronen Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
this by sending an INFORMATIONAL request containing the
UPDATE_SA_ADDRESSES notification. The request is sent using the new
IP address. At this point, it also starts to use the new address as
a source address in its own outgoing ESP traffic. Upon receiving the
UPDATE_SA_ADDRESSES notification, the responder records the new
address and, if it is required by policy, performs a return
routability check of the address. When this check (step 4)
completes, the responder starts to use the new address as the
destination for its outgoing ESP traffic.
Another protocol run in a multihoming scenario is illustrated below.
In this scenario, the initiator has one address but the responder has
two.
Initiator Responder
----------- -----------
1) (IP_I1:500 -> IP_R1:500)
HDR, SAi1, KEi, Ni,
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) -->
<-- (IP_R1:500 -> IP_I1:500)
HDR, SAr1, KEr, Nr,
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)
2) (IP_I1:4500 -> IP_R1:4500)
HDR, SK { IDi, CERT, AUTH,
CP(CFG_REQUEST),
SAi2, TSi, TSr,
N(MOBIKE_SUPPORTED) } -->
<-- (IP_R1:4500 -> IP_I1:4500)
HDR, SK { IDr, CERT, AUTH,
CP(CFG_REPLY),
SAr2, TSi, TSr,
N(MOBIKE_SUPPORTED),
N(ADDITIONAL_IP4_ADDRESS) }
(The initiator suspects a problem in the currently used address pair
and probes its liveness.)
<span class="grey">Eronen Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
3) (IP_I1:4500 -> IP_R1:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) } -->
(IP_I1:4500 -> IP_R1:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) } -->
...
(Eventually, the initiator gives up on the current address pair and
tests the other available address pair.)
4) (IP_I1:4500 -> IP_R2:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) }
<-- (IP_R2:4500 -> IP_I1:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP) }
(This worked, and the initiator requests the peer to switch to new
addresses.)
5) (IP_I1:4500 -> IP_R2:4500)
HDR, SK { N(UPDATE_SA_ADDRESSES),
N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP),
N(COOKIE2) } -->
<-- (IP_R2:4500 -> IP_I1:4500)
HDR, SK { N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP),
N(COOKIE2) }
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. MOBIKE and Network Address Translation (NAT)</span>
In some MOBIKE scenarios, the network may contain NATs or stateful
packet filters (for brevity, the rest of this document simply
describes NATs). The NAT Traversal feature specified in [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>]
allows IKEv2 to work through NATs in many cases, and MOBIKE can
leverage this functionality: when the addresses used for IPsec SAs
are changed, MOBIKE can enable or disable IKEv2 NAT Traversal, as
needed.
Nevertheless, there are some limitations because NATs usually
introduce an asymmetry into the network: only packets coming from the
"inside" cause state to be created. This asymmetry leads to
<span class="grey">Eronen Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
restrictions on what MOBIKE can do. To give a concrete example,
consider a situation where both peers have only a single address, and
the initiator is behind a NAT. If the responder's address now
changes, it needs to send a packet to the initiator using its new
address. However, if the NAT is, for instance, of the common
"restricted cone" type (see [<a href="#ref-STUN" title=""STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)"">STUN</a>] for one description of different
NAT types), this is not possible. The NAT will drop packets sent
from the new address (unless the initiator has previously sent a
packet to that address -- which it cannot do until it knows the
address).
For simplicity, MOBIKE does not attempt to handle all possible NAT-
related scenarios. Instead, MOBIKE assumes that if NATs are present,
the initiator is the party "behind" the NAT, and the case where the
responder's addresses change is not fully supported (meaning that no
special effort is made to support this functionality). Responders
may also be unaware of NATs or specific types of NATs they are
behind. However, when a change has occurred that will cause a loss
of connectivity, MOBIKE responders will still attempt to inform the
initiator of the change. Depending on, for instance, the exact type
of NAT, it may or may not succeed. However, analyzing the exact
circumstances when this will or will not work is not done in this
document.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Protocol Exchanges</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Initial IKE Exchange</span>
The initiator is responsible for finding a working pair of addresses
so that the initial IKE exchange can be carried out. Any information
from MOBIKE extensions will only be available later, when the
exchange has progressed far enough. Exactly how the addresses used
for the initial exchange are discovered is beyond the scope of this
specification; typical sources of information include local
configuration and DNS.
If either or both of the peers have multiple addresses, some
combinations may not work. Thus, the initiator SHOULD try various
source and destination address combinations when retransmitting the
IKE_SA_INIT request.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Signaling Support for MOBIKE</span>
Implementations that wish to use MOBIKE for a particular IKE_SA MUST
include a MOBIKE_SUPPORTED notification in the IKE_AUTH exchange (in
case of multiple IKE_AUTH exchanges, in the message containing the SA
payload).
<span class="grey">Eronen Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The format of the MOBIKE_SUPPORTED notification is described in
<a href="#section-4">Section 4</a>.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Initial Tunnel Header Addresses</span>
When an IPsec SA is created, the tunnel header IP addresses (and
port, if doing UDP encapsulation) are taken from the IKE_SA, not the
IP header of the IKEv2 message requesting the IPsec SA. The
addresses in the IKE_SA are initialized from the IP header of the
first IKE_AUTH request.
The addresses are taken from the IKE_AUTH request because IKEv2
requires changing from port 500 to 4500 if a NAT is discovered. To
simplify things, implementations that support both this specification
and NAT Traversal MUST change to port 4500 if the correspondent also
supports both, even if no NAT was detected between them (this way,
there is no need to change the ports later if a NAT is detected on
some other path).
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Additional Addresses</span>
Both the initiator and responder MAY include one or more
ADDITIONAL_IP4_ADDRESS and/or ADDITIONAL_IP6_ADDRESS notifications in
the IKE_AUTH exchange (in case of multiple IKE_AUTH exchanges, in the
message containing the SA payload). Here "ADDITIONAL_*_ADDRESS"
means either an ADDITIONAL_IP4_ADDRESS or an ADDITIONAL_IP6_ADDRESS
notification.
Initiator Responder
----------- -----------
HDR, SK { IDi, [CERT], [IDr], AUTH,
[CP(CFG_REQUEST)]
SAi2, TSi, TSr,
N(MOBIKE_SUPPORTED),
[N(ADDITIONAL_*_ADDRESS)+] } -->
<-- HDR, SK { IDr, [CERT], AUTH,
[CP(CFG_REPLY)],
SAr2, TSi, TSr,
N(MOBIKE_SUPPORTED)
[N(ADDITIONAL_*_ADDRESS)+] }
The recipient stores this information, but no other action is taken
at this time.
Although both the initiator and responder maintain a set of peer
addresses (logically associated with the IKE_SA), it is important to
note that they use this information for slightly different purposes.
<span class="grey">Eronen Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The initiator uses the set of responder addresses as an input to its
address selection policy; it may, at some later point, decide to move
the IPsec traffic to one of these addresses using the procedure
described in <a href="#section-3.5">Section 3.5</a>. The responder normally does not use the
set of initiator addresses for anything: the addresses are used only
when the responder's own addresses change (see <a href="#section-3.6">Section 3.6</a>).
The set of addresses available to the peers can change during the
lifetime of the IKE_SA. The procedure for updating this information
is described in <a href="#section-3.6">Section 3.6</a>.
Note that if some of the initiator's interfaces are behind a NAT
(from the responder's point of view), the addresses received by the
responder will be incorrect. This means the procedure for changing
responder addresses described in <a href="#section-3.6">Section 3.6</a> does not fully work when
the initiator is behind a NAT. For the same reason, the peers also
SHOULD NOT use this information for any other purpose than what is
explicitly described either in this document or a future
specification updating it.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Changing Addresses in IPsec SAs</span>
In MOBIKE, the initiator decides what addresses are used in the IPsec
SAs. That is, the responder does not normally update any IPsec SAs
without receiving an explicit UPDATE_SA_ADDRESSES request from the
initiator. (As described below, the responder can, however, update
the IKE_SA in some circumstances.)
The reasons why the initiator wishes to change the addresses are
largely beyond the scope of MOBIKE. Typically, triggers include
information received from lower layers, such as changes in IP
addresses or link-down indications. Some of this information can be
unreliable: for instance, ICMP messages could be spoofed by an
attacker. Unreliable information SHOULD be treated only as a hint
that there might be a problem, and the initiator SHOULD trigger Dead
Peer Detection (that is, send an INFORMATIONAL request) to determine
if the current path is still usable.
Changing addresses can also be triggered by events within IKEv2. At
least the following events can cause the initiator to re-evaluate its
local address selection policy, possibly leading to changing the
addresses.
o An IKEv2 request has been re-transmitted several times, but no
valid reply has been received. This suggests the current path is
no longer working.
<span class="grey">Eronen Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
o An INFORMATIONAL request containing an ADDITIONAL_IP4_ADDRESS,
ADDITIONAL_IP6_ADDRESS, or NO_ADDITIONAL_ADDRESSES notification is
received. This means the peer's addresses may have changed. This
is particularly important if the announced set of addresses no
longer contains the currently used address.
o An UNACCEPTABLE_ADDRESSES notification is received as a response
to address update request (described below).
o The initiator receives a NAT_DETECTION_DESTINATION_IP notification
that does not match the previous UPDATE_SA_ADDRESSES response (see
<a href="#section-3.8">Section 3.8</a> for a more detailed description).
The description in the rest of this section assumes that the
initiator has already decided what the new addresses should be. When
this decision has been made, the initiator:
o Updates the IKE_SA with the new addresses, and sets the
"pending_update" flag in the IKE_SA.
o Updates the IPsec SAs associated with this IKE_SA with the new
addresses (unless the initiator's policy requires a return
routability check before updating the IPsec SAs, and the check has
not been done for this responder address yet).
o If the IPsec SAs were updated in the previous step: If NAT
Traversal is not enabled, and the responder supports NAT Traversal
(as indicated by NAT detection payloads in the IKE_SA_INIT
exchange), and the initiator either suspects or knows that a NAT
is likely to be present, enables NAT Traversal (that is, enables
UDP encapsulation of outgoing ESP packets and sending of NAT-
Keepalive packets).
o If there are outstanding IKEv2 requests (requests for which the
initiator has not yet received a reply), continues retransmitting
them using the addresses in the IKE_SA (the new addresses).
o When the window size allows, sends an INFORMATIONAL request
containing the UPDATE_SA_ADDRESSES notification (which does not
contain any data), and clears the "pending_update" flag. The
request will be as follows:
<span class="grey">Eronen Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Initiator Responder
----------- -----------
HDR, SK { N(UPDATE_SA_ADDRESSES),
[N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)],
[N(NO_NATS_ALLOWED)],
[N(COOKIE2)] } -->
o If a new address change occurs while waiting for the response,
starts again from the first step (and ignores responses to this
UPDATE_SA_ADDRESSES request).
When processing an INFORMATIONAL request containing the
UPDATE_SA_ADDRESSES notification, the responder:
o Determines whether it has already received a newer
UPDATE_SA_ADDRESSES request than this one (if the responder uses a
window size greater than one, it is possible that requests are
received out of order). If it has, a normal response message
(described below) is sent, but no other action is taken.
o If the NO_NATS_ALLOWED notification is present, processes it as
described in <a href="#section-3.9">Section 3.9</a>.
o Checks that the (source IP address, destination IP address) pair
in the IP header is acceptable according to local policy. If it
is not, replies with a message containing the
UNACCEPTABLE_ADDRESSES notification (and possibly COOKIE2).
o Updates the IP addresses in the IKE_SA with the values from the IP
header. (Using the address from the IP header is consistent with
normal IKEv2, and allows IKEv2 to work with NATs without needing
unilateral self-address fixing [<a href="#ref-UNSAF" title=""IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation"">UNSAF</a>].)
o Replies with an INFORMATIONAL response:
Initiator Responder
----------- -----------
<-- HDR, SK { [N(NAT_DETECTION_SOURCE_IP),
N(NAT_DETECTION_DESTINATION_IP)],
[N(COOKIE2)] }
o If necessary, initiates a return routability check for the new
initiator address (see <a href="#section-3.7">Section 3.7</a>) and waits until the check is
completed.
o Updates the IPsec SAs associated with this IKE_SA with the new
addresses.
<span class="grey">Eronen Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
o If NAT Traversal is supported and NAT detection payloads were
included, enables or disables NAT Traversal.
When the initiator receives the reply:
o If an address change has occurred after the request was first
sent, no MOBIKE processing is done for the reply message because a
new UPDATE_SA_ADDRESSES is going to be sent (or has already been
sent, if window size greater than one is in use).
o If the response contains the UNEXPECTED_NAT_DETECTED notification,
the initiator processes the response as described in <a href="#section-3.9">Section 3.9</a>.
o If the response contains an UNACCEPTABLE_ADDRESSES notification,
the initiator MAY select another addresses and retry the exchange,
keep on using the previously used addresses, or disconnect.
o It updates the IPsec SAs associated with this IKE_SA with the new
addresses (unless this was already done earlier before sending the
request; this is the case when no return routability check was
required).
o If NAT Traversal is supported and NAT detection payloads were
included, the initiator enables or disables NAT Traversal.
There is one exception to the rule that the responder never updates
any IPsec SAs without receiving an UPDATE_SA_ADDRESSES request. If
the source address that the responder is currently using becomes
unavailable (i.e., sending packets using that source address is no
longer possible), the responder is allowed to update the IPsec SAs to
use some other address (in addition to initiating the procedure
described in the next section).
<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a>. Updating Additional Addresses</span>
As described in <a href="#section-3.4">Section 3.4</a>, both the initiator and responder can
send a list of additional addresses in the IKE_AUTH exchange. This
information can be updated by sending an INFORMATIONAL exchange
request message that contains either one or more
ADDITIONAL_IP4_ADDRESS/ADDITIONAL_IP6_ADDRESS notifications or the
NO_ADDITIONAL_ADDRESSES notification.
If the exchange initiator has only a single IP address, it is placed
in the IP header, and the message contains the
NO_ADDITIONAL_ADDRESSES notification. If the exchange initiator has
several addresses, one of them is placed in the IP header, and the
rest in ADDITIONAL_IP4_ADDRESS/ADDITIONAL_IP6_ADDRESS notifications.
<span class="grey">Eronen Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The new list of addresses replaces the old information (in other
words, there are no separate add/delete operations; instead, the
complete list is sent every time these notifications are used).
The message exchange will look as follows:
Initiator Responder
----------- -----------
HDR, SK { [N(ADDITIONAL_*_ADDRESS)+],
[N(NO_ADDITIONAL_ADDRESSES)],
[N(NO_NATS_ALLOWED)],
[N(COOKIE2)] } -->
<-- HDR, SK { [N(COOKIE2)] }
When a request containing an ADDITIONAL_IP4_ADDRESS,
ADDITIONAL_IP6_ADDRESS, or NO_ADDITIONAL_ADDRESSES notification is
received, the exchange responder:
o Determines whether it has already received a newer request to
update the addresses (if a window size greater than one is used,
it is possible that the requests are received out of order). If
it has, a response message is sent, but the address set is not
updated.
o If the NO_NATS_ALLOWED notification is present, processes it as
described in <a href="#section-3.9">Section 3.9</a>.
o Updates the set of peer addresses based on the IP header and the
ADDITIONAL_IP4_ADDRESS, ADDITIONAL_IP6_ADDRESS, and
NO_ADDITIONAL_ADDRESSES notifications.
o Sends a response.
The initiator MAY include these notifications in the same request as
UPDATE_SA_ADDRESSES.
If the request to update the addresses is retransmitted using several
different source addresses, a new INFORMATIONAL request MUST be sent.
There is one additional complication: when the responder wants to
update the address set, the currently used addresses may no longer
work. In this case, the responder uses the additional address list
received from the initiator, and the list of its own addresses, to
determine which addresses to use for sending the INFORMATIONAL
request. This is the only time the responder uses the additional
address list received from the initiator.
<span class="grey">Eronen Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Note that both peers can have their own policies about what addresses
are acceptable to use, and certain types of policies may simplify
implementation. For instance, if the responder has a single fixed
address, it does not need to process the ADDITIONAL_IP4_ADDRESS and
ADDITIONAL_IP6_ADDRESS notifications it receives (beyond ignoring
unrecognized status notifications, as already required in [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>]).
Furthermore, if the initiator has a policy saying that only the
responder address specified in local configuration is acceptable, it
does not have to send its own additional addresses to the responder
(since the responder does not need them except when changing its own
address).
<span class="h3"><a class="selflink" id="section-3.7" href="#section-3.7">3.7</a>. Return Routability Check</span>
Both parties can optionally verify that the other party can actually
receive packets at the claimed address. By default, this "return
routability check" SHOULD be performed. In environments where the
peer is expected to be well-behaved (many corporate VPNs, for
instance), or the address can be verified by some other means (e.g.,
a certificate issued by an authority trusted for this purpose), the
return routability check MAY be omitted.
The check can be done before updating the IPsec SAs, immediately
after updating them, or continuously during the connection. By
default, the return routability check SHOULD be done before updating
the IPsec SAs, but in some environments it MAY be postponed until
after the IPsec SAs have been updated.
Any INFORMATIONAL exchange can be used for return routability
purposes, with one exception (described later in this section): when
a valid response is received, we know the other party can receive
packets at the claimed address.
To ensure that the peer cannot generate the correct INFORMATIONAL
response without seeing the request, a new payload is added to
INFORMATIONAL messages. The sender of an INFORMATIONAL request MAY
include a COOKIE2 notification, and if included, the recipient of an
INFORMATIONAL request MUST copy the notification as-is to the
response. When processing the response, the original sender MUST
verify that the value is the same one as sent. If the values do not
match, the IKE_SA MUST be closed. (See also <a href="#section-4.2.5">Section 4.2.5</a> for the
format of the COOKIE2 notification.)
<span class="grey">Eronen Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The exception mentioned earlier is as follows: If the same
INFORMATIONAL request has been sent to several different addresses
(i.e., the destination address in the IKE_SA has been updated after
the request was first sent), receiving the INFORMATIONAL response
does not tell which address is the working one. In this case, a new
INFORMATIONAL request needs to be sent to check return routability.
<span class="h3"><a class="selflink" id="section-3.8" href="#section-3.8">3.8</a>. Changes in NAT Mappings</span>
IKEv2 performs Dead Peer Detection (DPD) if there has recently been
only outgoing traffic on all of the SAs associated with the IKE_SA.
In MOBIKE, these messages can also be used to detect if NAT mappings
have changed (for example, if the keepalive interval is too long, or
the NAT box is rebooted). More specifically, if both peers support
both this specification and NAT Traversal, the
NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
notifications MAY be included in any INFORMATIONAL request; if the
request includes them, the responder MUST also include them in the
response (but no other action is taken, unless otherwise specified).
When the initiator is behind a NAT (as detected earlier using the
NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
notifications), it SHOULD include these notifications in DPD messages
and compare the received NAT_DETECTION_DESTINATION_IP notifications
with the value from the previous UPDATE_SA_ADDRESSES response (or the
IKE_SA_INIT response). If the values do not match, the IP address
and/or port seen by the responder has changed, and the initiator
SHOULD send UPDATE_SA_ADDRESSES as described in <a href="#section-3.5">Section 3.5</a>. If the
initiator suspects that the NAT mapping has changed, it MAY also skip
the detection step and send UPDATE_SA_ADDRESSES immediately. This
saves one roundtrip if the NAT mapping has indeed changed.
Note that this approach to detecting NAT mapping changes may cause an
extra address update when the IKE_SA is rekeyed. This is because the
NAT_DETECTION_DESTINATION_IP hash also includes the IKE Security
Parameter Indexes (SPIs), which change when performing rekeying.
This unnecessary update is harmless, however.
When MOBIKE is in use, the dynamic updates (specified in [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>],
Section 2.23), where the peer address and port are updated from the
last valid authenticated packet, work in a slightly different
fashion. The host not behind a NAT MUST NOT use these dynamic
updates for IKEv2 packets, but MAY use them for ESP packets. This
ensures that an INFORMATIONAL exchange that does not contain
UPDATE_SA_ADDRESSES does not cause any changes, allowing it to be
used for, e.g., testing whether a particular path works.
<span class="grey">Eronen Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h3"><a class="selflink" id="section-3.9" href="#section-3.9">3.9</a>. NAT Prohibition</span>
Basic IKEv2/IPsec without NAT Traversal support may work across some
types of one-to-one "basic" NATs and IPv4/IPv6 translation agents in
tunnel mode. This is because the IKEv2 integrity checksum does not
cover the addresses in the IP header. This may be considered a
problem in some circumstances, because in some sense any modification
of the IP addresses can be considered an attack.
This specification addresses the issue by protecting the IP addresses
when NAT Traversal has not been explicitly enabled. This means that
MOBIKE without NAT Traversal support will not work if the paths
contain NATs, IPv4/IPv6 translation agents, or other nodes that
modify the addresses in the IP header. This feature is mainly
intended for IPv6 and site-to-site VPN cases, where the
administrators may know beforehand that NATs are not present, and
thus any modification to the packet can be considered an attack.
More specifically, when NAT Traversal is not enabled, all messages
that can update the addresses associated with the IKE_SA and/or IPsec
SAs (the first IKE_AUTH request and all INFORMATIONAL requests that
contain any of the following notifications: UPDATE_SA_ADDRESSES,
ADDITIONAL_IP4_ADDRESS, ADDITIONAL_IP6_ADDRESS,
NO_ADDITIONAL_ADDRESSES) MUST also include a NO_NATS_ALLOWED
notification. The exchange responder MUST verify that the contents
of the NO_NATS_ALLOWED notification match the addresses in the IP
header. If they do not match, a response containing an
UNEXPECTED_NAT_DETECTED notification is sent. The response message
is sent to the address and port that the corresponding request came
from, not to the address contained in the NO_NATS_ALLOWED
notification.
If the exchange initiator receives an UNEXPECTED_NAT_DETECTED
notification in response to its INFORMATIONAL request, it SHOULD
retry the operation several times using new INFORMATIONAL requests.
Similarly, if the initiator receives UNEXPECTED_NAT_DETECTED in the
IKE_AUTH exchange, it SHOULD retry IKE_SA establishment several
times, starting from a new IKE_SA_INIT request. This ensures that an
attacker who is able to modify only a single packet does not
unnecessarily cause a path to remain unused. The exact number of
retries is not specified in this document because it does not affect
interoperability. However, because the IKE message will also be
rejected if the attacker modifies the integrity checksum field, a
reasonable number here would be the number of retries that is being
used for normal retransmissions.
<span class="grey">Eronen Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
If an UNEXPECTED_NAT_DETECTED notification is sent, the exchange
responder MUST NOT use the contents of the NO_NATS_ALLOWED
notification for any other purpose than possibly logging the
information for troubleshooting purposes.
<span class="h3"><a class="selflink" id="section-3.10" href="#section-3.10">3.10</a>. Path Testing</span>
IKEv2 Dead Peer Detection allows the peers to detect if the currently
used path has stopped working. However, if either of the peers has
several addresses, Dead Peer Detection alone does not tell which of
the other paths might work.
If required by its address selection policy, the initiator can use
normal IKEv2 INFORMATIONAL request/response messages to test whether
a certain path works. Implementations MAY do path testing even if
the path currently being used is working to, for example, detect when
a better (but previously unavailable) path becomes available.
<span class="h3"><a class="selflink" id="section-3.11" href="#section-3.11">3.11</a>. Failure Recovery and Timeouts</span>
In MOBIKE, the initiator is responsible for detecting and recovering
from most failures.
To give the initiator enough time to detect the error, the responder
SHOULD use relatively long timeout intervals when, for instance,
retransmitting IKEv2 requests or deciding whether to initiate Dead
Peer Detection. While no specific timeout lengths are required, it
is suggested that responders continue retransmitting IKEv2 requests
for at least five minutes before giving up.
<span class="h3"><a class="selflink" id="section-3.12" href="#section-3.12">3.12</a>. Dead Peer Detection</span>
MOBIKE uses the same Dead Peer Detection method as normal IKEv2, but
as addresses may change, it is not sufficient to just verify that the
peer is alive, but also that it is synchronized with the address
updates and has not, for instance, ignored an address update due to
failure to complete return routability test. This means that when
there are incoming IPsec packets, MOBIKE nodes SHOULD inspect the
addresses used in those packets and determine that they correspond to
those that should be employed. If they do not, such packets SHOULD
NOT be used as evidence that the peer is able to communicate with
this node and or that the peer has received all address updates.
<span class="grey">Eronen Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Payload Formats</span>
This specification defines several new IKEv2 Notify payload types.
See [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>], Section 3.10, for a general description of the Notify
payload.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Notify Messages - Error Types</span>
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. UNACCEPTABLE_ADDRESSES Notify Payload</span>
The responder can include this notification in an INFORMATIONAL
exchange response to indicate that the address change in the
corresponding request message (which contained an UPDATE_SA_ADDRESSES
notification) was not carried out.
The Notify Message Type for UNACCEPTABLE_ADDRESSES is 40. The
Protocol ID and SPI Size fields are set to zero. There is no data
associated with this Notify type.
<span class="h4"><a class="selflink" id="section-4.1.2" href="#section-4.1.2">4.1.2</a>. UNEXPECTED_NAT_DETECTED Notify Payload</span>
See <a href="#section-3.9">Section 3.9</a> for a description of this notification.
The Notify Message Type for UNEXPECTED_NAT_DETECTED is 41. The
Protocol ID and SPI Size fields are set to zero. There is no data
associated with this Notify type.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Notify Messages - Status Types</span>
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. MOBIKE_SUPPORTED Notify Payload</span>
The MOBIKE_SUPPORTED notification is included in the IKE_AUTH
exchange to indicate that the implementation supports this
specification.
The Notify Message Type for MOBIKE_SUPPORTED is 16396. The Protocol
ID and SPI Size fields are set to zero. The notification data field
MUST be left empty (zero-length) when sending, and its contents (if
any) MUST be ignored when this notification is received. This allows
the field to be used by future versions of this protocol.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. ADDITIONAL_IP4_ADDRESS and ADDITIONAL_IP6_ADDRESS Notify</span>
<span class="h4"> Payloads</span>
Both parties can include ADDITIONAL_IP4_ADDRESS and/or
ADDITIONAL_IP6_ADDRESS notifications in the IKE_AUTH exchange and
INFORMATIONAL exchange request messages; see <a href="#section-3.4">Section 3.4</a> and
<a href="#section-3.6">Section 3.6</a> for more detailed description.
<span class="grey">Eronen Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The Notify Message Types for ADDITIONAL_IP4_ADDRESS and
ADDITIONAL_IP6_ADDRESS are 16397 and 16398, respectively. The
Protocol ID and SPI Size fields are set to zero. The data associated
with these Notify types is either a four-octet IPv4 address or a
16-octet IPv6 address.
<span class="h4"><a class="selflink" id="section-4.2.3" href="#section-4.2.3">4.2.3</a>. NO_ADDITIONAL_ADDRESSES Notify Payload</span>
The NO_ADDITIONAL_ADDRESSES notification can be included in an
INFORMATIONAL exchange request message to indicate that the exchange
initiator does not have addresses beyond the one used in the exchange
(see <a href="#section-3.6">Section 3.6</a> for more detailed description).
The Notify Message Type for NO_ADDITIONAL_ADDRESSES is 16399. The
Protocol ID and SPI Size fields are set to zero. There is no data
associated with this Notify type.
<span class="h4"><a class="selflink" id="section-4.2.4" href="#section-4.2.4">4.2.4</a>. UPDATE_SA_ADDRESSES Notify Payload</span>
This notification is included in INFORMATIONAL exchange requests sent
by the initiator to update addresses of the IKE_SA and IPsec SAs (see
<a href="#section-3.5">Section 3.5</a>).
The Notify Message Type for UPDATE_SA_ADDRESSES is 16400. The
Protocol ID and SPI Size fields are set to zero. There is no data
associated with this Notify type.
<span class="h4"><a class="selflink" id="section-4.2.5" href="#section-4.2.5">4.2.5</a>. COOKIE2 Notify Payload</span>
This notification MAY be included in any INFORMATIONAL request for
return routability check purposes (see <a href="#section-3.7">Section 3.7</a>). If the
INFORMATIONAL request includes COOKIE2, the exchange responder MUST
copy the notification to the response message.
The data associated with this notification MUST be between 8 and 64
octets in length (inclusive), and MUST be chosen by the exchange
initiator in a way that is unpredictable to the exchange responder.
The Notify Message Type for this message is 16401. The Protocol ID
and SPI Size fields are set to zero.
<span class="h4"><a class="selflink" id="section-4.2.6" href="#section-4.2.6">4.2.6</a>. NO_NATS_ALLOWED Notify Payload</span>
See <a href="#section-3.9">Section 3.9</a> for a description of this notification.
The Notify Message Type for this message is 16402. The notification
data contains the IP addresses and ports from/to which the packet was
sent. For IPv4, the notification data is 12 octets long and is
defined as follows:
<span class="grey">Eronen Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Source IPv4 address !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Destination IPv4 address !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Source port ! Destination port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
For IPv6, the notification data is 36 octets long and is defined as
follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
! Source IPv6 address !
! !
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
! Destination IPv6 address !
! !
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Source port ! Destination port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Protocol ID and SPI Size fields are set to zero.
<span class="grey">Eronen Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
The main goals of this specification are to maintain the security
offered by usual IKEv2 procedures and to counter mobility-related
threats in an appropriate manner. This section describes new
security considerations introduced by MOBIKE. See [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>] for
security considerations for IKEv2 in general.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Traffic Redirection and Hijacking</span>
MOBIKE payloads relating to updating addresses are encrypted,
integrity protected, and replay protected using the IKE_SA. This
assures that no one except the participants can, for instance, give a
control message to change the addresses.
However, as with normal IKEv2, the actual IP addresses in the IP
header are not covered by the integrity protection. This means that
a NAT between the parties (or an attacker acting as a NAT) can modify
the addresses and cause incorrect tunnel header (outer) IP addresses
to be used for IPsec SAs. The scope of this attack is limited mainly
to denial of service because all traffic is protected using IPsec.
This attack can only be launched by on-path attackers that are
capable of modifying IKEv2 messages carrying NAT detection payloads
(such as Dead Peer Detection messages). By modifying the IP header
of these packets, the attackers can lead the peers to believe a new
NAT or a changed NAT binding exists between them. The attack can
continue as long as the attacker is on the path, modifying the IKEv2
messages. If this is no longer the case, IKEv2 and MOBIKE mechanisms
designed to detect NAT mapping changes will eventually recognize that
the intended traffic is not getting through, and will update the
addresses appropriately.
MOBIKE introduces the NO_NATS_ALLOWED notification that is used to
detect modification, by outsiders, of the addresses in the IP header.
When this notification is used, communication through NATs and other
address translators is impossible, so it is sent only when not doing
NAT Traversal. This feature is mainly intended for IPv6 and site-to-
site VPN cases, where the administrators may know beforehand that
NATs are not present.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. IPsec Payload Protection</span>
The use of IPsec protection on payload traffic protects the
participants against disclosure of the contents of the traffic,
should the traffic end up in an incorrect destination or be subject
to eavesdropping.
<span class="grey">Eronen Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
However, security associations originally created for the protection
of a specific flow between specific addresses may be updated by
MOBIKE later on. This has to be taken into account if the (outer) IP
address of the peer was used when deciding what kind of IPsec SAs the
peer is allowed to create.
For instance, the level of required protection might depend on the
current location of the VPN client, or access might be allowed only
from certain IP addresses.
It is recommended that security policies, for peers that are allowed
to use MOBIKE, are configured in a manner that takes into account
that a single security association can be used at different times
through paths of varying security properties.
This is especially critical for traffic selector authorization. The
(logical) Peer Authorization Database (PAD) contains the information
used by IKEv2 when determining what kind of IPsec SAs a peer is
allowed to create. This process is described in [<a href="#ref-IPsecArch" title=""Security Architecture for the Internet Protocol"">IPsecArch</a>], <a href="#section-4.4.3">Section</a>
<a href="#section-4.4.3">4.4.3</a>. When a peer requests the creation of an IPsec SA with some
traffic selectors, the PAD must contain "Child SA Authorization Data"
linking the identity authenticated by IKEv2 and the addresses
permitted for traffic selectors. See also [<a href="#ref-Clarifications" title=""IKEv2 Clarifications and Implementation Guidelines"">Clarifications</a>] for a
more extensive discussion.
It is important to note that simply sending IKEv2 packets using some
particular address does not automatically imply a permission to
create IPsec SAs with that address in the traffic selectors.
However, some implementations are known to use policies where simply
being reachable at some address X implies a temporary permission to
create IPsec SAs for address X. Here "being reachable" usually means
the ability to send (or spoof) IP packets with source address X and
receive (or eavesdrop) packets sent to X.
Using this kind of policies or extensions with MOBIKE may need
special care to enforce the temporary nature of the permission. For
example, when the peer moves to some other address Y (and is no
longer reachable at X), it might be necessary to close IPsec SAs with
traffic selectors matching X. However, these interactions are beyond
the scope of this document.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Denial-of-Service Attacks against Third Parties</span>
Traffic redirection may be performed not just to gain access to the
traffic or to deny service to the peers, but also to cause a denial-
of-service attack on a third party. For instance, a high-speed TCP
session or a multimedia stream may be redirected towards a victim
host, causing its communications capabilities to suffer.
<span class="grey">Eronen Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
The attackers in this threat can be either outsiders or even one of
the IKEv2 peers. In usual VPN usage scenarios, attacks by the peers
can be easily dealt with if the authentication performed in the
initial IKEv2 negotiation can be traced to persons who can be held
responsible for the attack. This may not be the case in all
scenarios, particularly with opportunistic approaches to security.
If the attack is launched by an outsider, the traffic flow would
normally stop soon due to the lack of responses (such as transport
layer acknowledgements). However, if the original recipient of the
flow is malicious, it could maintain the traffic flow for an extended
period of time, since it often would be able to send the required
acknowledgements (see [<a href="#ref-Aura02" title=""Security of Internet Location Management"">Aura02</a>] for more discussion).
It should also be noted, as shown in [<a href="#ref-Bombing" title=""A note about 3rd party bombing in Mobile IPv6"">Bombing</a>], that without ingress
filtering in the attacker's network, such attacks are already
possible simply by sending spoofed packets from the attacker to the
victim directly. Furthermore, if the attacker's network has ingress
filtering, this attack is largely prevented for MOBIKE as well.
Consequently, it makes little sense to protect against attacks of
similar nature in MOBIKE. However, it still makes sense to limit the
amplification capabilities provided to attackers, so that they cannot
use stream redirection to send a large number of packets to the
victim by sending just a few packets themselves.
This specification includes return routability tests to limit the
duration of any "third party bombing" attacks by off-path (relative
to the victim) attackers. The tests are authenticated messages that
the peer has to respond to, and can be performed before the address
change takes effect, immediately afterwards, or even periodically
during the session. The tests contain unpredictable data, and only
someone who has the keys associated with the IKE SA and has seen the
request packet can properly respond to the test.
The duration of the attack can also be limited if the victim reports
the unwanted traffic to the originating IPsec tunnel endpoint using
ICMP error messages or INVALID_SPI notifications. As described in
[<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>], Section 2.21, this SHOULD trigger a liveness test, which
also doubles as a return routability check if the COOKIE2
notification is included.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Spoofing Network Connectivity Indications</span>
Attackers may spoof various indications from lower layers and the
network in an effort to confuse the peers about which addresses are
or are not working. For example, attackers may spoof link-layer
error messages in an effort to cause the parties to move their
traffic elsewhere or even to disconnect. Attackers may also spoof
<span class="grey">Eronen Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
information related to network attachments, router discovery, and
address assignments in an effort to make the parties believe they
have Internet connectivity when, in reality, they do not.
This may cause use of non-preferred addresses or even denial of
service.
MOBIKE does not provide any protection of its own for indications
from other parts of the protocol stack. These vulnerabilities can be
mitigated through the use of techniques specific to the other parts
of the stack, such as validation of ICMP errors [<a href="#ref-ICMPAttacks" title=""ICMP attacks against TCP"">ICMPAttacks</a>], link
layer security, or the use of [<a href="#ref-SEND" title=""SEcure Neighbor Discovery (SEND)"">SEND</a>] to protect IPv6 Router and
Neighbor Discovery.
Ultimately, MOBIKE depends on the delivery of IKEv2 messages to
determine which paths can be used. If IKEv2 messages sent using a
particular source and destination addresses reach the recipient and a
reply is received, MOBIKE will usually consider the path working; if
no reply is received even after retransmissions, MOBIKE will suspect
the path is broken. An attacker who can consistently control the
delivery or non-delivery of the IKEv2 messages in the network can
thus influence which addresses actually get used.
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. Address and Topology Disclosure</span>
MOBIKE address updates and the ADDITIONAL_IP4_ADDRESS/
ADDITIONAL_IP6_ADDRESS notifications reveal information about which
networks the peers are connected to.
For example, consider a host A with two network interfaces: a
cellular connection and a wired Ethernet connection to a company LAN.
If host A now contacts host B using IKEv2 and sends
ADDITIONAL_IP4_ADDRESS/ADDITIONAL_IP6_ADDRESS notifications, host B
receives additional information it might not otherwise know. If host
A used the cellular connection for the IKEv2 traffic, host B can also
see the company LAN address (and perhaps further guess that host A is
used by an employee of that company). If host A used the company LAN
to make the connection, host B can see that host A has a subscription
from this particular cellular operator.
These additional addresses can also disclose more accurate location
information than just a single address. Suppose that host A uses its
cellular connection for IKEv2 traffic, but also sends an
ADDITIONAL_IP4_ADDRESS notification containing an IP address
corresponding to, say, a wireless LAN at a particular coffee shop
location. It is likely that host B can now make a much better guess
at A's location than would be possible based on the cellular IP
address alone.
<span class="grey">Eronen Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Furthermore, as described in <a href="#section-3.4">Section 3.4</a>, some of the addresses could
also be private addresses behind a NAT.
In many environments, disclosing address information is not a problem
(and indeed it cannot be avoided if the hosts wish to use those
addresses for IPsec traffic). For instance, a remote access VPN
client could consider the corporate VPN gateway sufficiently
trustworthy for this purpose. Furthermore, the
ADDITIONAL_IP4_ADDRESS and ADDITIONAL_IP6_ADDRESS notifications are
sent encrypted, so the addresses are not visible to eavesdroppers
(unless, of course, they are later used for sending IKEv2/IPsec
traffic).
However, if MOBIKE is used in some more opportunistic approach, it
can be desirable to limit the information that is sent. Naturally,
the peers do not have to disclose any addresses they do not want to
use for IPsec traffic. Also, as noted in <a href="#section-3.6">Section 3.6</a>, an initiator
whose policy is to always use the locally configured responder
address does not have to send any ADDITIONAL_IP4_ADDRESS/
ADDITIONAL_IP6_ADDRESS payloads.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IANA Considerations</span>
This document does not create any new namespaces to be maintained by
IANA, but it requires new values in namespaces that have been defined
in the IKEv2 base specification [<a href="#ref-IKEv2" title=""Internet Key Exchange (IKEv2) Protocol"">IKEv2</a>].
This document defines several new IKEv2 notifications whose values
have been allocated from the "IKEv2 Notify Message Types" namespace.
Notify Messages - Error Types Value
----------------------------- -----
UNACCEPTABLE_ADDRESSES 40
UNEXPECTED_NAT_DETECTED 41
Notify Messages - Status Types Value
------------------------------ -----
MOBIKE_SUPPORTED 16396
ADDITIONAL_IP4_ADDRESS 16397
ADDITIONAL_IP6_ADDRESS 16398
NO_ADDITIONAL_ADDRESSES 16399
UPDATE_SA_ADDRESSES 16400
COOKIE2 16401
NO_NATS_ALLOWED 16402
These notifications are described in <a href="#section-4">Section 4</a>.
<span class="grey">Eronen Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
This document is a collaborative effort of the entire MOBIKE WG. We
would particularly like to thank Jari Arkko, Tuomas Aura, Marcelo
Bagnulo, Stephane Beaulieu, Elwyn Davies, Lakshminath Dondeti,
Francis Dupont, Paul Hoffman, James Kempf, Tero Kivinen, Pete McCann,
Erik Nordmark, Mohan Parthasarathy, Pekka Savola, Bill Sommerfeld,
Maureen Stillman, Shinta Sugimoto, Hannes Tschofenig, and Sami
Vaarala. This document also incorporates ideas and text from earlier
MOBIKE-like protocol proposals, including [<a href="#ref-AddrMgmt" title=""Address Management for IKE version 2"">AddrMgmt</a>], [<a href="#ref-Kivinen" title=""MOBIKE protocol"">Kivinen</a>],
[<a href="#ref-MOPO" title=""Mobility Protocol Options for IKEv2 (MOPO-IKE)"">MOPO</a>], and [<a href="#ref-SMOBIKE" title=""Simple Mobility and Multihoming Extensions for IKEv2 (SMOBIKE)"">SMOBIKE</a>], and the MOBIKE design document [<a href="#ref-Design" title=""Design of the MOBIKE protocol"">Design</a>].
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-IKEv2">IKEv2</a>] Kaufman, C., "Internet Key Exchange (IKEv2)
Protocol", <a href="./rfc4306">RFC 4306</a>, December 2005.
[<a id="ref-IPsecArch">IPsecArch</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-KEYWORDS">KEYWORDS</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="./rfc2119">RFC 2119</a>, March 1997.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-AddrMgmt">AddrMgmt</a>] Dupont, F., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22Address+Management+for+IKE+version+2%22'>"Address Management for IKE version 2"</a>,
Work in Progress, November 2005.
[<a id="ref-Aura02">Aura02</a>] Aura, T., Roe, M., and J. Arkko, "Security of
Internet Location Management", Proc. 18th Annual
Computer Security Applications Conference (ACSAC),
December 2002.
[<a id="ref-Bombing">Bombing</a>] Dupont, F., "A note about 3rd party bombing in
Mobile IPv6", Work in Progress, December 2005.
[<a id="ref-Clarifications">Clarifications</a>] Eronen, P. and P. Hoffman, "IKEv2 Clarifications
and Implementation Guidelines", Work in Progress,
February 2006.
[<a id="ref-DNA4">DNA4</a>] Aboba, B., Carlson, J., and S. Cheshire, "Detecting
Network Attachment in IPv4 (DNAv4)", <a href="./rfc4436">RFC 4436</a>,
March 2006.
<span class="grey">Eronen Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
[<a id="ref-DNA6">DNA6</a>] Narayanan, S., Daley, G., and N. Montavont,
"Detecting Network Attachment in IPv6 - Best
Current Practices for hosts", Work in Progress,
October 2005.
[<a id="ref-Design">Design</a>] Kivinen, T. and H. Tschofenig, "Design of the
MOBIKE protocol", Work in Progress, January 2006.
[<a id="ref-ICMPAttacks">ICMPAttacks</a>] Gont, F., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22ICMP+attacks+against+TCP%22'>"ICMP attacks against TCP"</a>, Work in
Progress, October 2005.
[<a id="ref-Kivinen">Kivinen</a>] Kivinen, T., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22MOBIKE+protocol%22'>"MOBIKE protocol"</a>, Work in Progress,
February 2004.
[<a id="ref-MIP4">MIP4</a>] Perkins, C., "IP Mobility Support for IPv4",
<a href="./rfc3344">RFC 3344</a>, August 2002.
[<a id="ref-MIP6">MIP6</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility
Support in IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
[<a id="ref-MOPO">MOPO</a>] Eronen, P., "Mobility Protocol Options for IKEv2
(MOPO-IKE)", Work in Progress, February 2005.
[<a id="ref-RFC2461">RFC2461</a>] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", <a href="./rfc2461">RFC 2461</a>,
December 1998.
[<a id="ref-SEND">SEND</a>] Arkko, J., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", <a href="./rfc3971">RFC 3971</a>,
March 2005.
[<a id="ref-SMOBIKE">SMOBIKE</a>] Eronen, P. and H. Tschofenig, "Simple Mobility and
Multihoming Extensions for IKEv2 (SMOBIKE)",
Work in Progress, March 2004.
[<a id="ref-STUN">STUN</a>] Rosenberg, J., Weinberger, J., Huitema, C., and R.
Mahy, "STUN - Simple Traversal of User Datagram
Protocol (UDP) Through Network Address Translators
(NATs)", <a href="./rfc3489">RFC 3489</a>, March 2003.
[<a id="ref-UNSAF">UNSAF</a>] Daigle, L., "IAB Considerations for UNilateral
Self-Address Fixing (UNSAF) Across Network Address
Translation", <a href="./rfc3424">RFC 3424</a>, November 2002.
<span class="grey">Eronen Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Implementation Considerations</span>
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. Links from SPD Cache to Outbound SAD Entries</span>
[<a href="#ref-IPsecArch" title=""Security Architecture for the Internet Protocol"">IPsecArch</a>], Section 4.4.2, says that "For outbound processing, each
SAD entry is pointed to by entries in the SPD-S part of the SPD
cache". The document does not specify how exactly this "pointing" is
done, since this is an implementation detail that does not have to be
standardized.
However, it is clear that the links between the SPD cache and the SAD
have to be done correctly to ensure that outbound packets are sent
over the right SA. Some implementations are known to have problems
in this area.
In particular, simply storing the (remote tunnel header IP address,
remote SPI) pair in the SPD cache is not sufficient, since the pair
does not always uniquely identify a single SAD entry. For instance,
two hosts behind the same NAT can accidentally happen to choose the
same SPI value. The situation can also occur when a host is assigned
an IP address previously used by some other host, and the SAs
associated with the old host have not yet been deleted by Dead Peer
Detection. This may lead to packets being sent over the wrong SA or,
if the key management daemon ensures the pair is unique, denying the
creation of otherwise valid SAs.
Storing the remote tunnel header IP address in the SPD cache may also
complicate the implementation of MOBIKE, since the address can change
during the lifetime of the SA. Thus, we recommend implementing the
links between the SPD cache and the SAD in a way that does not
require modification when the tunnel header IP address is updated by
MOBIKE.
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Creating Outbound SAs</span>
When an outbound packet requires IPsec processing but no suitable SA
exists, a new SA will be created. In this case, the host has to
determine (1) who is the right peer for this SA, (2) whether the host
already has an IKE_SA with this peer, and (3) if no IKE_SA exists,
the IP address(es) of the peer for contacting it.
Neither [<a href="#ref-IPsecArch" title=""Security Architecture for the Internet Protocol"">IPsecArch</a>] nor MOBIKE specifies how exactly these three
steps are carried out. [<a href="#ref-IPsecArch" title=""Security Architecture for the Internet Protocol"">IPsecArch</a>], Section 4.4.3.4, says:
<span class="grey">Eronen Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
For example, assume that IKE A receives an outbound packet
destined for IP address X, a host served by a security gateway.
<a href="./rfc2401">RFC 2401</a> [<a href="./rfc2401">RFC2401</a>] and this document do not specify how A
determines the address of the IKE peer serving X. However, any
peer contacted by A as the presumed representative for X must be
registered in the PAD in order to allow the IKE exchange to be
authenticated. Moreover, when the authenticated peer asserts that
it represents X in its traffic selector exchange, the PAD will be
consulted to determine if the peer in question is authorized to
represent X.
In step 1, there may be more than one possible peer (e.g., several
security gateways that are allowed to represent X). In step 3, the
host may need to consult a directory such as DNS to determine the
peer IP address(es).
When performing these steps, implementations may use information
contained in the SPD, the PAD, and possibly some other
implementation-specific databases. Regardless of how exactly the
steps are implemented, it is important to remember that IP addresses
can change, and that an IP address alone does not always uniquely
identify a single IKE peer (for the same reasons as why the
combination of the remote IP address and SPI does not uniquely
identify an outbound IPsec SA; see <a href="#appendix-A.1">Appendix A.1</a>). Thus, in steps 1
and 2 it may be easier to identify the "right peer" using its
authenticated identity instead of its current IP address. However,
these implementation details are beyond the scope of this
specification.
Author's Address
Pasi Eronen (editor)
Nokia Research Center
P.O. Box 407
FIN-00045 Nokia Group
Finland
EMail: pasi.eronen@nokia.com
<span class="grey">Eronen Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc4555">RFC 4555</a> MOBIKE Protocol June 2006</span>
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Eronen Standards Track [Page 33]
</pre>
|
