1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
|
<pre>Network Working Group N. Williams
Request for Comments: 5660 Sun
Category: Standards Track October 2009
<span class="h1">IPsec Channels: Connection Latching</span>
Abstract
This document specifies, abstractly, how to interface applications
and transport protocols with IPsec so as to create "channels" by
latching "connections" (packet flows) to certain IPsec Security
Association (SA) parameters for the lifetime of the connections.
Connection latching is layered on top of IPsec and does not modify
the underlying IPsec architecture.
Connection latching can be used to protect applications against
accidentally exposing live packet flows to unintended peers, whether
as the result of a reconfiguration of IPsec or as the result of using
weak peer identity to peer address associations. Weak association of
peer ID and peer addresses is at the core of Better Than Nothing
Security (BTNS); thus, connection latching can add a significant
measure of protection to BTNS IPsec nodes.
Finally, the availability of IPsec channels will make it possible to
use channel binding to IPsec channels.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
<span class="grey">Williams Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Conventions Used in This Document ..........................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Connection Latching .............................................<a href="#page-4">4</a>
<a href="#section-2.1">2.1</a>. Latching of Quality-of-Protection Parameters ...............<a href="#page-8">8</a>
<a href="#section-2.2">2.2</a>. Connection Latch State Machine .............................<a href="#page-9">9</a>
<a href="#section-2.3">2.3</a>. Normative Model: ULP Interfaces to the Key Manager ........<a href="#page-12">12</a>
<a href="#section-2.3.1">2.3.1</a>. Race Conditions and Corner Cases ...................<a href="#page-17">17</a>
<a href="#section-2.3.2">2.3.2</a>. Example ............................................<a href="#page-18">18</a>
<a href="#section-2.4">2.4</a>. Informative Model: Local Packet Tagging ...................<a href="#page-19">19</a>
<a href="#section-2.5">2.5</a>. Non-Native Mode IPsec .....................................<a href="#page-21">21</a>
<a href="#section-2.6">2.6</a>. Implementation Note Regarding Peer IDs ....................<a href="#page-22">22</a>
<a href="#section-3">3</a>. Optional Features ..............................................<a href="#page-22">22</a>
<a href="#section-3.1">3.1</a>. Optional Protection .......................................<a href="#page-22">22</a>
<a href="#section-4">4</a>. Simultaneous Latch Establishment ...............................<a href="#page-23">23</a>
<a href="#section-5">5</a>. Connection Latching to IPsec for Various ULPs ..................<a href="#page-23">23</a>
<a href="#section-5.1">5.1</a>. Connection Latching to IPsec for TCP ......................<a href="#page-24">24</a>
5.2. Connection Latching to IPsec for UDP with
Simulated Connections .....................................<a href="#page-24">24</a>
5.3. Connection Latching to IPsec for UDP with
Datagram-Tagging APIs .....................................<a href="#page-25">25</a>
<a href="#section-5.4">5.4</a>. Connection Latching to IPsec for SCTP .....................<a href="#page-25">25</a>
<a href="#section-5.5">5.5</a>. Handling of BROKEN State for TCP and SCTP .................<a href="#page-26">26</a>
<a href="#section-6">6</a>. Security Considerations ........................................<a href="#page-27">27</a>
<a href="#section-6.1">6.1</a>. Impact on IPsec ...........................................<a href="#page-27">27</a>
<a href="#section-6.2">6.2</a>. Impact on IPsec of Optional Features ......................<a href="#page-28">28</a>
<a href="#section-6.3">6.3</a>. Security Considerations for Applications ..................<a href="#page-28">28</a>
<a href="#section-6.4">6.4</a>. Channel Binding and IPsec APIs ............................<a href="#page-29">29</a>
<a href="#section-6.5">6.5</a>. Denial-of-Service Attacks .................................<a href="#page-29">29</a>
<a href="#section-7">7</a>. Acknowledgements ...............................................<a href="#page-30">30</a>
<a href="#section-8">8</a>. References .....................................................<a href="#page-30">30</a>
<a href="#section-8.1">8.1</a>. Normative References ......................................<a href="#page-30">30</a>
<a href="#section-8.2">8.2</a>. Informative References ....................................<a href="#page-30">30</a>
<span class="grey">Williams Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
IPsec protects packets with little or no regard for stateful packet
flows associated with upper-layer protocols (ULPs). This exposes
applications that rely on IPsec for session protection to risks
associated with changing IPsec configurations, configurations that
allow multiple peers access to the same addresses, and/or weak
association of peer IDs and their addresses. The latter can occur as
a result of "wildcard" matching in the IPsec Peer Authorization
Database (PAD), particularly when Better Than Nothing Security (BTNS)
[<a href="./rfc5387" title=""Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)"">RFC5387</a>] is used.
Applications that wish to use IPsec may have to ensure that local
policy on the various end-points is configured appropriately
[<a href="./rfc5406" title=""Guidelines for Specifying the Use of IPsec Version 2"">RFC5406</a>] [<a href="#ref-USING-IPSEC" title=""Guidelines for using IPsec and IKEv2"">USING-IPSEC</a>]. There are no standard Application
Programming Interfaces (APIs) to do this (though there are non-
standard APIs, such as [<a href="#ref-IP_SEC_OPT.man" title=""ipsec(7P) man page, Solaris 10 Reference Manual Collection"">IP_SEC_OPT.man</a>]) -- a major consequence of
which, for example, is that applications must still use hostnames
(and, e.g., the Domain Name System [<a href="./rfc1034" title=""Domain names - concepts and facilities"">RFC1034</a>]) and IP addresses in
existing APIs and must depend on an IPsec configuration that they may
not be able to verify. In addition to specifying aspects of required
Security Policy Database (SPD) configuration, application
specifications must also address PAD/SPD configuration to strongly
bind individual addresses to individual IPsec identities and
credentials (certificates, public keys, etc.).
IPsec is, then, quite cumbersome for use by applications. To address
this, we need APIs to IPsec. Not merely APIs for configuring IPsec,
but also APIs that are similar to the existing IP APIs (e.g., "BSD
Sockets"), so that typical applications making use of UDP [<a href="./rfc0768" title=""User Datagram Protocol"">RFC0768</a>],
TCP [<a href="./rfc0793" title=""Transmission Control Protocol"">RFC0793</a>], and Stream Control Transmission Protocol (SCTP)
[<a href="./rfc4960" title=""Stream Control Transmission Protocol"">RFC4960</a>] can make use of IPsec with minimal changes.
This document describes the foundation for IPsec APIs that UDP and
TCP applications can use: a way to bind the traffic flows for, e.g.,
TCP connections to security properties desired by the application.
We call these "connection latches" (and, in some contexts, "IPsec
channels"). The methods outlined below achieve this by interfacing
ULPs and applications to IPsec.
If widely adopted, connection latching could make application use of
IPsec much simpler, at least for certain classes of applications.
Connection latching, as specified herein, is primarily about watching
updates to the SPD and Security Association Database (SAD) to detect
changes that are adverse to an application's requirements for any
given packet flow, and to react accordingly (such as by synchronously
alerting the ULP and application before packets can be sent or
<span class="grey">Williams Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
received under the new policy). Under no circumstance are IPsec
policy databases to be modified by connection latching in any way
that can persist beyond the lifetime of the related packet flows, nor
reboots. Under no circumstance is the PAD to be modified at all by
connection latching. If all optional features of connection latching
are excluded, then connection latching can be implemented as a
monitor of SPD and SAD changes that intrudes in their workings no
more than is needed to provide synchronous alerts to ULPs and
applications.
We assume the reader is familiar with the IPsec architecture
[<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] and Internet Key Exchange Protocol version 2 (IKEv2)
[<a href="./rfc4306" title=""Internet Key Exchange (IKEv2) Protocol"">RFC4306</a>].
Note: the terms "connection latch" and "IPsec channel" are used
interchangeably below. The latter term relates to "channel binding"
[<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>]. Connection latching is suitable for use in channel
binding applications, or will be, at any rate, when the channel
bindings for IPsec channels are defined (the specification of IPsec
channel bindings is out of scope for this document).
Note: where this document mentions IPsec peer "ID" it refers to the
Internet Key Exchange (IKE) peer ID (e.g., the ID derived from a
peer's cert, as well as the cert), not the peer's IP address.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Abstract function names are all capitalized and denoted by a pair of
parentheses. In their descriptions, the arguments appear within the
parentheses, with optional arguments surrounded by square brackets.
Return values, if any, are indicated by following the function
argument list with "->" and a description of the return value. For
example, "FOO(3-tuple, [message])" would be a function named "FOO"
with two arguments, one of them optional, and returning nothing,
whereas "FOOBAR(handle) -> state" would be a function with a single,
required argument that returns a value. The values' types are
described in the surrounding text.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Connection Latching</span>
An "IPsec channel" is a packet flow associated with a ULP control
block, such as a TCP connection, where all the packets are protected
by IPsec SAs such that:
<span class="grey">Williams Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
o the peer's identity is the same for the lifetime of the packet
flow;
o the quality of IPsec protection used for the packet flow's
individual packets is the same for all of them for the lifetime of
the packet flow.
An IPsec channel is created when the associated packet flow is
created. This can be the result of a local operation (e.g., a
connect()) that causes the initial outgoing packet for that flow to
be sent, or it can be the result of receiving the first/initiating
packet for that flow (e.g., a TCP SYN packet).
An IPsec channel is destroyed when the associated packet flow ends.
An IPsec channel can also be "broken" when the connection latch
cannot be maintained for some reason (see below), in which case the
ULP and application are informed.
IPsec channels are created by "latching" various parameters listed
below to a ULP connection when the connections are created. The
REQUIRED set of parameters bound in IPsec channels is:
o Type of protection: confidentiality and/or integrity protection;
o Transport mode versus tunnel mode;
o Quality of protection (QoP): cryptographic algorithm suites, key
lengths, and replay protection (see <a href="#section-2.1">Section 2.1</a>);
o Local identity: the local ID asserted to the peer, as per the
IPsec processing model [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] and BTNS [<a href="./rfc5386" title=""Better-Than- Nothing Security: An Unauthenticated Mode of IPsec"">RFC5386</a>];
o Peer identity: the peer's asserted and authorized IDs, as per the
IPsec processing model [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] and BTNS [<a href="./rfc5386" title=""Better-Than- Nothing Security: An Unauthenticated Mode of IPsec"">RFC5386</a>].
The SAs that protect a given IPsec channel's packets may change over
time in that they may expire and be replaced with equivalent SAs, or
they may be re-keyed. The set of SAs that protect an IPsec channel's
packets need not be related by anything other than the fact that they
must be congruent to the channel (i.e., the SAs' parameters must
match those that are latched into the channel). In particular, it is
desirable that IPsec channels survive the expiration of IKE_SAs and
child SAs because operational considerations of the various key
exchange protocols then cannot affect the design and features of
connection latching.
<span class="grey">Williams Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
When a situation arises in which the SPD is modified, or an SA is
added to the SAD, such that the new policy and/or SA are not
congruent to an established channel (see previous paragraph), then we
consider this a conflict. Conflict resolution is addressed below.
Requirements and recommendations:
o If an IPsec channel is desired, then packets for a given
connection MUST NOT be sent until the channel is established.
o If an IPsec channel is desired, then inbound packets for a given
connection MUST NOT be accepted until the channel is established.
That is, inbound packets for a given connection arriving prior to
the establishment of the corresponding IPsec channel must be
dropped or the channel establishment must fail.
o Once an IPsec channel is established, packets for the latched
connection MUST NOT be sent unprotected nor protected by an SA
that does not match the latched parameters.
o Once an IPsec channel is established, packets for the latched
connection MUST NOT be accepted unprotected nor protected by an SA
that does not match the latched parameters. That is, such packets
must either be dropped or cause the channel to be terminated and
the application to be informed before data from such a packet can
be delivered to the application.
o Implementations SHOULD provide programming interfaces for
inquiring the values of the parameters latched in a connection.
o Implementations that provide such programming interfaces MUST make
available to applications all relevant and available information
about a peer's ID, including authentication information. This
includes the peer certificate, when one is used, and the trust
anchor to which it was validated (but not necessarily the whole
certificate validation chain).
o Implementations that provide such programming interfaces SHOULD
make available to applications any information about local and/or
remote public and private IP addresses, in the case of NAT-
traversal.
o Implementations that provide such programming interfaces SHOULD
make available to applications the inner and outer local and peer
addresses whenever the latched connection uses tunnel-mode SAs.
<span class="grey">Williams Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
o Implementations SHOULD provide programming interfaces for setting
the values of the parameters to be latched in a connection that
will be initiated or accepted, but these interfaces MUST limit
what values applications may request according to system policy
(i.e., the IPsec PAD and SPD) and the application's local
privileges.
(Typical system policy may not allow applications any choices
here. Policy extensions allowing for optional protection are
described in <a href="#section-3.1">Section 3.1</a>.)
o Implementations SHOULD create IPsec channels automatically by
default when the application does not explicitly request an IPsec
channel. Implementations MAY provide a way to disable automatic
creation of connection latches.
o The parameters latched in an IPsec channel MUST remain unchanged
once the channel is established.
o Timeouts while establishing child SAs with parameters that match
those latched into an IPsec channel MUST be treated as packet loss
(as happens, for example, when a network partitions); normal ULP
and/or application timeout handling and retransmission
considerations apply.
o Implementations that have a restartable key management process (or
"daemon") MUST arrange for existing latched connections to either
be broken and disconnected, or for them to survive the restart of
key exchange processes. (This is implied by the above
requirements.) For example, if such an implementation relies on
keeping some aspects of connection latch state in the restartable
key management process (e.g., values that potentially have large
representations, such as BTNS peer IDs), then either such state
must be restored on restart of such a process, or outstanding
connection latches must be transitioned to the CLOSED state.
o Dynamic IPsec policy (see <a href="#section-3.1">Section 3.1</a>) related to connection
latches, if any, MUST be torn down when latched connections are
torn down, and MUST NOT survive reboots.
o When IKE dead-peer detection (DPD) concludes that the remote peer
is dead or has rebooted, then the system SHOULD consider all
connection latches with that peer to be irremediably broken.
We describe two models, one of them normative, of IPsec channels for
native IPsec implementations. The normative model is based on
abstract programming interfaces in the form of function calls between
ULPs and the key management component of IPsec (basically, the SAD,
<span class="grey">Williams Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
augmented with a Latch Database (LD)). The second model is based on
abstract programming interfaces between ULPs and the IPsec
(Encapsulating Security Payload / Authentication Header (ESP/AH))
layer in the form of meta-data tagging of packets within the IP
stack.
The two models given below are not, however, entirely equivalent.
One model cannot be implemented with Network Interface cards (NICs)
that offload ESP/AH but that do not tag incoming packets passed to
the host processor with SA information, nor allow the host processor
to so tag outgoing packets. That same model can be easily extended
to support connection latching with unconnected datagram "sockets",
while the other model is rigidly tied to a notion of "connections"
and cannot be so extended. There may be other minor differences
between the two models. Rather than seek to establish equivalency
for some set of security guarantees, we instead choose one model to
be the normative one.
We also provide a model for non-native implementations, such as bump-
in-the-stack (BITS) and Security Gateway (SG) implementations. The
connection latching model for non-native implementations is not full-
featured as it depends on estimating packet flow state, which may not
always be possible. Nor can non-native IPsec implementations be
expected to provide APIs related to connection latching
(implementations that do could be said to be native). As such, this
third model is not suitable for channel binding applications
[<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>].
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Latching of Quality-of-Protection Parameters</span>
In IPsec, the assumption of IKE initiator/responder roles is non-
deterministic. That is, sometimes an IKE SA and child SAs will be
initiated by the "client" (e.g., the caller of the connect() BSD
sockets function) and sometimes by the "server" (e.g., the caller of
the accept() BSD Sockets function). This means that the negotiation
of quality of protection is also non-deterministic unless one of the
peers offers a single cryptographic suite in the IKE negotiation.
When creating narrow child SAs with traffic selectors matching the
connection latch's 5-tuple, it is possible to constrain the IKE
Quality-of-Protection negotiation to a single cryptographic suite.
Therefore, implementations SHOULD provide an API for requesting the
use of such child SAs. Implementors SHOULD consider an application
request for a specific QoP to imply a request for narrow child SAs.
<span class="grey">Williams Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
When using SAs with traffic selectors encompassing more than just a
single flow, then the system may only be able to latch a set of
cryptographic suites, rather than a single cryptographic suite. In
such a case, an implementation MUST report the QoP being used as
indeterminate.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Connection Latch State Machine</span>
Connection latches can exist in any of the following five states:
o LISTENER
o ESTABLISHED
o BROKEN (there exist SAs that conflict with the given connection
latch, conflicting SPD changes have been made, or DPD has been
triggered and the peer is considered dead or restarted)
o CLOSED (by the ULP, the application or administratively)
and always have an associated owner, or holder, such as a ULP
transmission control block (TCB).
A connection latch can be born in the LISTENER state, which can
transition only to the CLOSED state. The LISTENER state corresponds
to LISTEN state of TCP (and other ULPs) and is associated with IP
3-tuples, and can give rise to new connection latches in the
ESTABLISHED state.
A connection latch can also be born in the ESTABLISHED and BROKEN
states, either through the direct initiative of a ULP or when an
event occurs that causes a LISTENER latch to create a new latch (in
either ESTABLISHED or BROKEN states). These states represent an
active connection latch for a traffic flow's 5-tuple. Connection
latches in these two states can transition to the other of the two
states, as well as to the CLOSED state.
Connection latches remain in the CLOSED state until their owners are
informed except where the owner caused the transition, in which case
this state is fleeting. Transitions from ESTABLISHED or BROKEN
states to the CLOSED state should typically be initiated by latch
owners, but implementations SHOULD provide administrative interfaces
through which to close active latches.
Connection latches transition to the BROKEN state when there exist
SAs in the SAD whose traffic selectors encompass the 5-tuple bound by
the latch, and whose peer and/or parameters conflict with those bound
by the latch. Transitions to the BROKEN state also take place when
<span class="grey">Williams Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
SPD changes occur that would cause the latched connection's packets
to be sent or received with different protection parameters than
those that were latched. Transitions to the BROKEN state are also
allowed when IKEv2 DPD concludes that the remote peer is dead or has
rebooted. Transitions to the BROKEN state always cause the
associated owner to be informed. Connection latches in the BROKEN
state transition back to ESTABLISHED when all SA and/or SPD conflicts
are cleared.
Most state transitions are the result of local actions of the latch
owners (ULPs). The only exceptions are: birth into the ESTABLISHED
state from latches in the LISTENER state, transitions to the BROKEN
state, transitions from the BROKEN state to ESTABLISHED, and
administrative transitions to the CLOSED state. (Additionally, see
the implementation note about restartable key management processes in
<a href="#section-2">Section 2</a>.)
<span class="grey">Williams Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
The state diagram below makes use of conventions described in
<a href="#section-1.1">Section 1.1</a> and state transition events described in <a href="#section-2.3">Section 2.3</a>.
<CREATE_LISTENER_LATCH(3-tuple, ...)>
:
v <CREATE_CONNECTION_LATCH(5-tuple, ...)>
/--------\ : :
+------|LISTENER|...... : :
| \--------/ : : : +--------------------+
| : : : : |Legend: |
| : : : : | dotted lines denote|
| <conn. trigger event> : : | latch creation |
| (e.g., TCP SYN : : : | |
| received, : : : | solid lines denote |
| connect() : : : | state transition|
| called, ...) v v : | |
| : /-----------\ : | semi-solid lines |
| : |ESTABLISHED| : | denote async |
| <conflict> \-----------/ : | notification |
| : ^ | : +--------------------+
| : | <conflict
| : <conflict or DPD>
| : cleared> | :
| : | | :
| : | v v
| : /----------------\
| :.....>| BROKEN |.-.-.-.-.-> <ALERT()>
| \----------------/
| |
<RELEASE_LATCH()> <RELEASE_LATCH()>
| |
| v
| /------\
+------------------->|CLOSED|
\------/
Figure 1: Connection Latching State Machine
The details of the transitions depend on the model of connection
latching followed by any given implementation. See the following
sections.
<span class="grey">Williams Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Normative Model: ULP Interfaces to the Key Manager</span>
This section describes the NORMATIVE model of connection latching.
In this section, we describe connection latching in terms of a
function-call interface between ULPs and the "key manager" component
of a native IPsec implementation. Abstract interfaces for creating,
inquiring about, and releasing IPsec channels are described.
This model adds a service to the IPsec key manager (i.e., the
component that manages the SAD and interfaces with separate
implementations of, or directly implements, key exchange protocols):
management of connection latches. There is also a new IPsec
database, the Latch Database (LD), that contains all connection latch
objects. The LD does not persist across system reboots.
The traditional IPsec processing model allows the concurrent
existence of SAs with different peers but overlapping traffic
selectors. Such behavior, in this model, directly violates the
requirements for connection latching (see <a href="#section-2">Section 2</a>). We address
this problem by requiring that connection latches be broken (and
holders informed) when such conflicts arise.
The following INFORMATIVE figure illustrates this model and API in
terms that are familiar to many implementors, though not applicable
to all:
<span class="grey">Williams Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
+--------------------------------------------+
| +--------------+ |
| |Administrator | |
| |apps | |
| +--------------+ |
| ^ ^ |
| | | | user mode
| v v |
| +--------------+ +-------++--------+ |
| |App | |IKEv2 || | |
| | | | +---+ || +----+ | |
| | | | |PAD| || |SPD | | |
| | | | +---+ || +--^-+ | |
| +--------------+ +-+-----++----+---+ |
| ^ | | |
+---|---------------------|-----------|------+ user/kernel mode
| |syscalls | PF_KEY | | interface
| | | [<a href="./rfc2367" title=""PF_KEY Key Management API, Version 2"">RFC2367</a>] | |
+---|---------------------|-----------|------+
| v | | |
|+-------+ +------------|-----------|-----+|
||ULP | | IPsec key|manager | ||
|+-------+ | | +--------v----+||
| ^ ^ | | | Logical SPD |||
| | | | | +-----------^-+||
| | | | +-------+ | || kernel mode
| | | | | | ||
| | | | +----------+ +--v--+ | ||
| | +-------->| Latch DB |<-->| SAD | | ||
| | | +----------+ +--^--+ | ||
| | +--------------------|------|--+|
+-|-------------------------------v------v---+
| | IPsec Layer (ESP/AH) |
| | |
+-v------------------------------------------+
| IP Layer |
+--------------------------------------------+
Figure 2: Informative Implementation Architecture Diagram
The ULP interfaces to the IPsec LD are as follows:
o CREATE_LISTENER_LATCH(3-tuple, [type and quality-of-protection
parameters]) -> latch handle | error
<span class="grey">Williams Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
If there is no conflicting connection latch object in the
LISTENER state for the given 3-tuple (local address, protocol,
and local port number), and local policy permits it, then this
operation atomically creates a connection latch object in the
LISTENER state for the given 3-tuple.
When a child SA is created that matches a listener latch's
3-tuple, but not any ESTABLISHED connection latch's 5-tuple
(local address, remote address, protocol, local port number,
and remote port number), then the key manager creates a new
connection latch object in the ESTABLISHED state. The key
manager MUST inform the holder of the listener latch of
connection latches created as a result of the listener latch;
see the "ALERT()" interface below.
o CREATE_CONNECTION_LATCH(5-tuple, [type and quality-of-protection
parameters], [peer ID], [local ID]) -> latch handle | error
If a) the requested latch does not exist (or exists, but is in
the CLOSED state), b) all the latch parameters are provided, or
if suitable SAs exist in the SAD from which to derive them, and
c) if there are no conflicts with the SPD and SAD, then this
creates a connection latch in the ESTABLISHED state. If the
latch parameters are not provided and no suitable SAs exist in
the SAD from which to derive those parameters, then the key
manager MUST initiate child SAs, and if need be, IKE_SA, from
which to derive those parameters.
The key manager MAY delay the child SA setup and return
immediately after the policy check, knowing that the ULP that
requested the latch will subsequently output a packet that will
trigger the SA establishment. Such an implementation may
require an additional, fleeting state in the connection latch
state machine, a "LARVAL" state, so to speak, that is not
described herein.
If the connection latch ultimately cannot be established,
either because of conflicts or because no SAs can be
established with the peer at the destination address, then an
error is returned to the ULP. (If the key manager delayed SA
establishment, and SA establishment ultimately fails, then the
key manager has to inform the ULP, possibly asynchronously.
This is one of several details that implementors who use a
LARVAL state must take care of.)
<span class="grey">Williams Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
o RELEASE_LATCH(latch object handle)
Changes the state of the given connection latch to CLOSED; the
connection latch is then deleted.
The key manager MAY delete any existing child SAs that match
the given latch if it had been in the ESTABLISHED states. If
the key manager does delete such SAs, then it SHOULD inform the
peer with an informational Delete payload (see IKEv2
[<a href="./rfc4306" title=""Internet Key Exchange (IKEv2) Protocol"">RFC4306</a>]).
o FIND_LATCH(5-tuple) -> latch handle | error
Given a 5-tuple returns a latch handle (or an error).
o INQUIRE_LATCH(latch object handle) -> {latch state, latched
parameters} | error
Returns all available information about the given latch,
including its current state (or an error).
The IPsec LD interface to the ULP is as follows:
o ALERT(latch object handle, 5-tuple, new state, [reason])
Alerts a ULP as to an asynchronous state change for the given
connection latch and, optionally, provides a reason for the
change.
This interface is to be provided by each ULP to the key manager.
The specific details of how this interface is provided are
implementation details, thus not specified here (for example, this
could be a "callback" function or "closure" registered as part of
the CREATE_LISTENER_LATCH() interface, or it could be provided
when the ULP is loaded onto the running system via a registration
interface provided by the key manager).
Needless to say, the LD is updated whenever a connection latch object
is created, deleted, or broken.
The API described above is a new service of the IPsec key manager.
In particular, the IPsec key manager MUST prevent conflicts amongst
latches, and it MUST prevent conflicts between any latch and existing
or proposed child SAs as follows:
o Non-listener connection latches MUST NOT be created if there exist
conflicting SAs in the SAD at the time the connection latch is
requested or would be created (from a listener latch). A child SA
<span class="grey">Williams Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
conflicts with another, in view of a latch, if and only if: a) its
traffic selectors and the conflicting SA's match the given
latch's, and b) its peer, type-of-protection, or quality-of-
protection parameters differ from the conflicting SA.
o Child SA proposals that would conflict with an extant connection
latch and whose traffic selectors can be narrowed to avoid the
conflict SHOULD be narrowed (see <a href="./rfc4306#section-2.9">Section 2.9 of [RFC4306]</a>);
otherwise, the latch MUST be transitioned to the BROKEN state.
o Where child SA proposals that would conflict with an extant
connection latch cannot be narrowed to avoid the conflict, the key
manager MUST break the connection latch and inform the holder
(i.e., the ULP) prior to accepting the conflicting SAs.
Finally, the key manager MUST protect latched connections against SPD
changes that would change the quality of protection afforded to a
latched connection's traffic, or which would bypass it. When such a
configuration change takes place, the key manager MUST respond in
either of the following ways. The REQUIRED to implement behavior is
to transition into the BROKEN state all connection latches that
conflict with the given SPD change. An OPTIONAL behavior is to
logically update the SPD as if a PROTECT entry had been added at the
head of the SPD-S with traffic selectors matching only the latched
connection's 5-tuple, and with processing information taken from the
connection latch. Such updates of the SPD MUST NOT survive system
crashes or reboots.
ULPs create latched connections by interfacing with IPsec as follows:
o For listening end-points, the ULP will request a connection latch
listener object for the ULP listener's 3-tuple. Any latching
parameters requested by the application MUST be passed along.
o When the ULP receives a packet initiating a connection for a
5-tuple matching a 3-tuple listener latch, then the ULP will ask
the key manager whether a 5-tuple connection latch was created.
If not, then the ULP will either reject the new connection or
accept it and inform the application that the new connection is
not latched.
o When initiating a connection, the ULP will request a connection
latch object for the connection's 5-tuple. Any latching
parameters requested by the application MUST be passed along. If
no latch can be created, then the ULP MUST either return an error
to the application or continue with the new connection and inform
the application that the new connection is not latched.
<span class="grey">Williams Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
o When a connection is torn down and no further packets are expected
for it, then the ULP MUST request that the connection latch object
be destroyed.
o When tearing down a listener, the ULP MUST request that the
connection latch listener object be destroyed.
o When a ULP listener rejects connections, the ULP will request the
destruction of any connection latch objects that may have been
created as a result of the peer's attempt to open the connection.
o When the key manager informs a ULP that a connection latch has
transitioned to the BROKEN state, then the ULP MUST stop sending
packets and MUST drop all subsequent incoming packets for the
affected connection until it transitions back to ESTABLISHED.
Connection-oriented ULPs SHOULD act as though the connection is
experiencing packet loss.
o When the key manager informs a ULP that a connection latch has
been administratively transitioned to the CLOSED state, then
connection-oriented ULPs MUST act as though the connection has
been reset by the peer. Implementations of ULPs that are not
connection-oriented, and which have no API by which to simulate a
reset, MUST drop all inbound packets for that connection and MUST
NOT send any further packets -- the application is expected to
detect timeouts and act accordingly.
The main benefit of this model of connection latching is that it
accommodates IPsec implementations where ESP/AH handling is
implemented in hardware (for all or a subset of the host's SAD), even
where the hardware does not support tagging inbound packets with the
indexes of SAD entries corresponding to the SAs that protected them.
<span class="h4"><a class="selflink" id="section-2.3.1" href="#section-2.3.1">2.3.1</a>. Race Conditions and Corner Cases</span>
ULPs MUST drop inbound packets and stop sending packets immediately
upon receipt of a connection latch break message. Otherwise, the ULP
will not be able to distinguish inbound packets that were protected
consistently with the connection's latch from inbound packets that
were not. This may include dropping inbound packets that were
protected by a suitable SA; dropping such packets is no different,
from the ULP's point of view, than packet loss elsewhere on the
network at the IP layer or below -- harmless, from a security point
of view as the connection fails safe, but it can result in
retransmits.
<span class="grey">Williams Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
Another race condition is as follows. A PROTECTed TCP SYN packet may
be received and decapsulated, but the SA that protected it could have
expired before the key manager creates the connection latch that
would be created by that packet. In this case, the key manager will
have to initiate new child SAs so as to determine what the sender's
peer ID is so it can be included in the connection latch. Here,
there is no guarantee that the peer ID for the new SAs will be the
same as those of the peer that sent the TCP SYN packet. This race
condition is harmless: TCP will send a SYN+ACK to the wrong peer,
which will then respond with a RST -- the connection latch will
reflect the new peer however, so if the new peer is malicious it will
not be able to appear to be the old peer. Therefore, this race
condition is harmless.
<span class="h4"><a class="selflink" id="section-2.3.2" href="#section-2.3.2">2.3.2</a>. Example</span>
Consider several systems with a very simple PAD containing a single
entry like so:
Child SA
Rule Remote ID IDs allowed SPD Search by
---- --------- ----------- -------------
1 <any valid to trust anchor X> 192.0.2/24 by-IP
Figure 3: Example PAD
And a simple SPD like so:
Rule Local Remote Next Action
TS TS Proto
---- ----- ------ ----- ----------------
1 192.0.2/24:ANY 192.0.2/24:1-5000 TCP PROTECT(ESP,...)
1 192.0.2/24:1-5000 192.0.2/24:ANY TCP PROTECT(ESP,...)
1 ANY ANY ANY BYPASS
Figure 4: [SG-A] SPD Table
Effectively this says: for TCP ports 1-5000 in our network, allow
only peers that have credentials issued by CA X and PROTECT that
traffic with ESP, otherwise, bypass all other traffic.
Now let's consider two hosts, A and B, in this network that wish to
communicate using port 4000, and a third host, C, that is also in the
same network and wishes to attack A and/or B. All three hosts have
credentials and certificates issued by CA X. Let's also imagine that
A is connected to its network via a wireless link and is dynamically
addressed.
<span class="grey">Williams Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
B is listening on port 4000. A initiates a connection from port
32800 to B on port 4000.
We'll assume no IPsec APIs, but that TCP creates latches where
possible.
We'll consider three cases: a) A and B both support connection
latching, b) only A does, c) only B does. For the purposes of this
example, the SAD is empty on all three hosts when A initiates its TCP
connection to B on port 4000.
When an application running on A initiates a TCP connection to B on
port 4000, A will begin by creating a connection latch. Since the
SAD is empty, A will initiate an IKEv2 exchange to create an IKE_SA
with B and a pair of child SAs for the 5-tuple {TCP, A, 32800, B,
4000}, then a new latch will be created in ESTABLISHED state.
Sometime later, TCP will send a SYN packet protected by the A-to-B
child SA, per the SPD.
When an application running on B creates a TCP listener "socket" on
port 4000, B will create a LISTENER connection latch for the 3-tuple
{TCP, B, 4000}. When B receives A's TCP SYN packet, it will then
create a connection latch for {TCP, B, 4000, A, 32800}. Since, by
this point, child SAs have been created whose traffic selectors
encompass this 5-tuple and there are no other conflicting SAs in the
SAD, this connection latch will be created in the ESTABLISHED state.
If C attempts to mount a man-in-the-middle attack on A (i.e.,
pretends to have B's address(es)) any time after A created its
connection latch, then C's SAs with A will cause the connection latch
to break, and the TCP connection to be reset (since we assume no APIs
by which TCP could notify the application of the connection latch
break). If C attempts to impersonate A to B, then the same thing
will happen on B.
If A does not support connection latching, then C will be able to
impersonate B to A at any time. Without having seen the cleartext of
traffic between A and B, C will be limited by the TCP sequence
numbers to attacks such as RST attacks. Similarly, if B does not
support connection latching, then C will be able to impersonate A to
B.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Informative Model: Local Packet Tagging</span>
In this section, we describe connection latching in terms of
interfaces between ULPs and IPsec based on tagging packets as they go
up and down the IP stack.
<span class="grey">Williams Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
This section is INFORMATIVE.
In this model, the ULPs maintain connection latch objects and state,
rather than the IPsec key manager, as well as effectively caching a
subset of the decorrelated SPD in ULP TCBs. Tagging packets, as they
move up and down the stack, with SA identifiers then allows the ULPs
to enforce connection latching semantics. These tags, of course,
don't appear on the wire.
The interface between the ULPs and IPsec interface is as follows:
o The IPsec layer tags all inbound protected packets addressed to
the host with the index of the SAD entry corresponding to the SA
that protected the packet.
o The IPsec layer understands two types of tags on outbound packets:
* a tag specifying a set of latched parameters (peer ID, quality
of protection, etc.) that the IPsec layer will use to find or
acquire an appropriate SA for protecting the outbound packet
(else IPsec will inform the ULP and drop the packet);
* a tag requesting feedback about the SA used to protect the
outgoing packet, if any.
ULPs create latched connections by interfacing with IPsec as follows:
o When the ULP passes a connection's initiating packet to IP, the
ULP requests feedback about the SA used to protect the outgoing
packet, if any, and may specify latching parameters requested by
the application. If the packet is protected by IPsec, then the
ULP records certain parameters of the SA used to protect it in the
connection's TCB.
o When a ULP receives a connection's initiating packet, it processes
the IPsec tag of the packet, and it records in the connection's
TCB the parameters of the SA that should be latched.
Once SA parameters are recorded in a connection's TCB, the ULP
enforces the connection's latch, or binding, to these parameters as
follows:
o The ULP processes the IPsec tag of all inbound packets for a given
connection and checks that the SAs used to protect input packets
match the connection latches recorded in the TCBs. Packets that
are not so protected are dropped (this corresponds to
transitioning the connection latch to the BROKEN state until the
<span class="grey">Williams Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
next acceptable packet arrives, but in this model, this transition
is imaginary) or cause the ULP to break the connection latch and
inform the application.
o The ULP always requests that outgoing packets be protected by SAs
that match the latched connection by appropriately tagging
outbound packets.
By effectively caching a subset of the decorrelated SPD in ULP TCBs
and through its packet tagging nature, this method of connection
latching can also optimize processing of the SPD by obviating the
need to search it, both, on input and output, for packets intended
for the host or originated by the host. This makes implementation of
the OPTIONAL "logical SPD" updates described in Sections <a href="#section-2.3">2.3</a> and <a href="#section-3.1">3.1</a>
an incidental side effect of this approach.
This model of connection latching may not be workable with ESP/AH
offload hardware that does not support the packet tagging scheme
described above.
Note that this model has no explicit BROKEN connection latch state.
Extending the ULP/IPsec packet-tagging interface to the application
for use with connection-less datagram transports should enable
applications to use such transports and implement connection latching
at the application layer.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Non-Native Mode IPsec</span>
This section is INFORMATIVE.
Non-native IPsec implementations, primarily BITS and SG, can
implement connection latching, too. One major distinction between
native IPsec and BITS, bump-in-the-wire (BITW), or SG IPsec is the
lack of APIs for applications at the end-points in the case of the
latter. As a result, there can be no uses of the latch management
interfaces as described in <a href="#section-2.3">Section 2.3</a>: not at the ULP end-points.
Therefore, BITS/BITW/SG implementations must discern ULP connection
state from packet inspection (which many firewalls can do) and
emulate calls to the key manager accordingly.
When a connection latch is broken, a BITS/BITW/SG implementation may
have to fake a connection reset by sending appropriate packets (e.g.,
TCP RST packets), for the affected connections.
As with all stateful middleboxes, this scheme suffers from the
inability of the middlebox to interact with the applications. For
example, connection death may be difficult to ascertain. Nor can
<span class="grey">Williams Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
channel binding applications work with channels maintained by proxy
without being able to communicate (securely) about it with the
middlebox.
<span class="h3"><a class="selflink" id="section-2.6" href="#section-2.6">2.6</a>. Implementation Note Regarding Peer IDs</span>
One of the recommendations for connection latching implementors is to
make peer CERT payloads (certificates) available to the applications.
Additionally, raw public keys are likely to be used in the
construction of channel bindings for IPsec channels (see [<a href="#ref-IPSEC-CB" title=""End-Point Channel Bindings for IPsec Using IKEv2 and Public Keys"">IPSEC-CB</a>]),
and they must be available, in any case, in order to implement leap-
of-faith at the application layer (see [<a href="./rfc5386" title=""Better-Than- Nothing Security: An Unauthenticated Mode of IPsec"">RFC5386</a>] and [<a href="./rfc5387" title=""Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)"">RFC5387</a>]).
Certificates and raw public keys are large bit strings, too large to
be reasonably kept in kernel-mode implementations of connection
latching (which will likely be the typical case). Such
implementations should intern peer IDs in a user-mode database and
use small integers to refer to them from the kernel-mode SAD and LD.
Corruption of such a database is akin to corruption of the SAD/LD; in
the event of corruption, the implementation MUST act as though all
ESTABLISHED and BROKEN connection latches are administratively
transitioned to the CLOSED state. Implementations without IPsec APIs
MAY hash peer IDs and use the hash to refer to them, preferably using
a strong hash algorithm.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Optional Features</span>
At its bare minimum, connection latching is a passive layer atop
IPsec that warns ULPs of SPD and SAD changes that are incompatible
with the SPD/SAD state that was applicable to a connection when it
was established.
There are some optional features, such as (abstract) APIs. Some of
these features make connection latching a somewhat more active
feature. Specifically, the optional logical SPD updates described in
<a href="#section-2.3">Section 2.3</a> and the optional protection/bypass feature described in
the following sub-section.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Optional Protection</span>
Given IPsec APIs, an application could request that a connection's
packets be protected where they would otherwise be bypassed; that is,
applications could override BYPASS policy. Locally privileged
applications could request that their connections' packets be
bypassed rather than protected; that is, privileged applications
could override PROTECT policy. We call this "optional protection".
<span class="grey">Williams Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
Both native IPsec models of connection latching can be extended to
support optional protection. With the model described in
<a href="#section-2.4">Section 2.4</a>, optional protection comes naturally: the IPsec layer
need only check that the protection requested for outbound packets
meets or exceeds (as determined by local or system policy) the
quality of protection, if any, required by the SPD. In the case of
the model described in <a href="#section-2.3">Section 2.3</a>, enforcement of minimum protection
requirements would be done by the IPsec key manager via the
connection latch state machine.
When an application requests, and local policy permits, either
additional protection or bypassing protection, then the SPD MUST be
logically updated such that there exists a suitable SPD entry
protecting or bypassing the exact 5-tuple recorded by the
corresponding connection latch. Such logical SPD updates MUST be
made at connection latch creation time, and MUST be made atomically
(see the note about race conditions in <a href="#section-2.3">Section 2.3</a>). Such updates of
the SPD MUST NOT survive system crashes or reboots.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Simultaneous Latch Establishment</span>
Some connection-oriented ULPs, specifically TCP, support simultaneous
connections (where two clients connect to each other, using the same
5-tuple, at the same time). Connection latching supports
simultaneous latching as well, provided that the key exchange
protocol does not make it impossible.
Consider two applications doing a simultaneous TCP connect to each
other and requesting an IPsec channel. If they request the same
connection latching parameters, then the connection and channel
should be established as usual. Even if the key exchange protocol in
use doesn't support simultaneous IKE_SA and/or child SA
establishment, provided one peer's attempt to create the necessary
child SAs succeeds, then the other peer should be able to notice the
new SAs immediately upon failure of its attempts to create the same.
If, however, the two peer applications were to request different
connection latching parameters, then the connection latch must fail
on one end or on both ends.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Connection Latching to IPsec for Various ULPs</span>
The following sub-sections describe connection latching for each of
three transport protocols. Note that for TCP and UDP, there is
nothing in the following sections that should not already be obvious
from the remainder of this document. The section on SCTP, however,
specifies details related to SCTP multi-homing, that may not be as
obvious.
<span class="grey">Williams Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Connection Latching to IPsec for TCP</span>
IPsec connection latch creation/release for TCP [<a href="./rfc0793" title=""Transmission Control Protocol"">RFC0793</a>] connections
is triggered when:
o a TCP listener end-point is created (e.g., when the BSD Sockets
listen() function is called on a socket). This should cause the
creation of a LISTENER connection latch.
o a TCP SYN packet is received on an IP address and port number for
which there is a listener. This should cause the creation of an
ESTABLISHED or BROKEN connection latch.
o a TCP SYN packet is sent (e.g., as the result of a call to the BSD
Sockets connect() function). This should cause the creation of an
ESTABLISHED or BROKEN connection latch.
o any state transition of a TCP connection to the CLOSED state will
cause a corresponding transition for any associated connection
latch to the CLOSED state as well.
See <a href="#section-5.5">Section 5.5</a> for how to handle latch transitions to the BROKEN
state.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Connection Latching to IPsec for UDP with Simulated Connections</span>
UDP [<a href="./rfc0768" title=""User Datagram Protocol"">RFC0768</a>] is a connection-less transport protocol. However, some
networking APIs (e.g., the BSD Sockets API) allow for emulation of
UDP connections. In this case, connection latching can be supported
using either model given above. We ignore, in this section, the fact
that the connection latching model described in <a href="#section-2.4">Section 2.4</a> can
support per-datagram latching by extending its packet tagging
interfaces to the application.
IPsec connection latch creation/release for UDP connections is
triggered when:
o an application creates a UDP "connection". This should cause the
creation of an ESTABLISHED or BROKEN connection latch.
o an application destroys a UDP "connection". This should cause the
creation of an ESTABLISHED or BROKEN connection latch.
When a connection latch transitions to the BROKEN state and the
application requested (or system policy dictates it) that the
connection be broken, then UDP should inform the application, if
<span class="grey">Williams Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
there is a way to do so, or else it should wait, allowing the
application-layer keepalive/timeout strategy, if any, to time out the
connection.
What constitutes an appropriate action in the face of administrative
transitions of connection latches to the CLOSED state depends on
whether the implementation's "connected" UDP sockets API provides a
way for the socket to return an error indicating that it has been
closed.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Connection Latching to IPsec for UDP with Datagram-Tagging APIs</span>
Implementations based on either model of connection latching can
provide applications with datagram-tagging APIs based on those
described in <a href="#section-2.4">Section 2.4</a>. Implementations UDP with of the normative
model of IPsec connection latching have to confirm, on output, that
the application provided 5-tuple agrees with the application-provided
connection latch; on input, UDP can derive the tag by searching for a
connection latch matching incoming datagram's 5-tuple.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Connection Latching to IPsec for SCTP</span>
SCTP [<a href="./rfc4960" title=""Stream Control Transmission Protocol"">RFC4960</a>], a connection-oriented protocol is similar, in some
ways, to TCP. The salient difference, with respect to connection
latching, between SCTP and TCP is that SCTP allows each end-point to
be identified by a set of IP addresses, though, like TCP, each end-
point of an SCTP connection (or, rather, SCTP association) can only
have one port number.
We can represent the multiplicity of SCTP association end-point
addresses as a multiplicity of 5-tuples, each of which with its own
connection latch. Alternatively, we can extend the connection latch
object to support a multiplicity of addresses for each end-point.
The first approach is used throughout this document; therefore, we
will assume that representation.
Of course, this approach results in N x M connection latches for any
SCTP associations (where one end-point has N addresses and the other
has M); whereas the alternative requires one connection latch per
SCTP association (with N + M addresses). Implementors may choose
either approach.
<span class="grey">Williams Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
IPsec connection latch creation/release for SCTP connections is
triggered when:
o an SCTP listener end-point is created (e.g., when the SCTP sockets
listen() function is called on a socket). This should cause the
creation of a LISTENER connection latch for each address of the
listener.
o an SCTP INIT chunk is received on an IP address and port number
for which there is a listener. This should cause the creation of
one or more ESTABLISHED or BROKEN connection latches, one for each
distinct 5-tuple given the client and server's addresses.
o an SCTP INIT chunk is sent (e.g., as the result of a call to the
SCTP sockets connect() function). This should cause the creation
of one or more ESTABLISHED or BROKEN connection latches.
o an SCTP Address Configuration Change Chunk (ASCONF) [<a href="./rfc5061" title=""Stream Control Transmission Protocol (SCTP) Dynamic Address Reconfiguration"">RFC5061</a>]
adding an end-point IP address is sent or received. This should
cause the creation of one or more ESTABLISHED or BROKEN connection
latches.
o any state transition of an SCTP association to the CLOSED state
will cause a corresponding transition for any associated
connection latches to the CLOSED state as well.
o an SCTP ASCONF chunk [<a href="./rfc5061" title=""Stream Control Transmission Protocol (SCTP) Dynamic Address Reconfiguration"">RFC5061</a>] deleting an end-point IP address is
sent or received. This should cause one or more associated
connection latches to be CLOSED.
See <a href="#section-5.5">Section 5.5</a> for how to handle latch transitions to the BROKEN
state.
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. Handling of BROKEN State for TCP and SCTP</span>
There are several ways to handle connection latch transitions to the
BROKEN state in the case of connection-oriented ULPs like TCP or
SCTP:
a. Wait for a possible future transition back to the ESTABLISHED
state, until which time the ULP will not move data between the
two end-points of the connection. ULP and application timeout
mechanisms will, of course, be triggered in the event of too
lengthy a stay in the BROKEN state. SCTP can detect these
timeouts and initiate failover, in the case of multi-homed
associations.
<span class="grey">Williams Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
b. Act as though the connection has been reset (RST message
received, in TCP, or ABORT message received, in SCTP).
c. Act as though an ICMP destination unreachable message had been
received (in SCTP such messages can trigger path failover in the
case of multi-homed associations).
Implementations SHOULD provide APIs that allow applications either 1)
to be informed (asynchronously or otherwise) of latch breaks so that
they may choose a disposition, and/or 2) to select a specific
disposition a priori (before a latch break happens). The options for
disposition are wait, close, or proceed with path failover.
Implementations MUST provide a default disposition in the event of a
connection latch break. Though (a) is clearly the purist default, we
RECOMMEND (b) for TCP and SCTP associations where only a single path
remains (one 5-tuple), and (c) for multi-homed SCTP associations.
The rationale for this recommendation is as follows: a conflicting SA
most likely indicates that the original peer is gone and has been
replaced by another, and it's not likely that the original peer will
return; thus, failing faster seems reasonable.
Note that our recommended default behavior does not create off-path
reset denial-of-service (DoS) attacks. To break a connection latch,
an attacker would first have to successfully establish an SA, with
one of the connection's end-points, that conflicts with the
connection latch and that requires multiple messages to be exchanged
between that end-point and the attacker. Unless the attacker's
chosen victim end-point allows the attacker to claim IP address
ranges for its SAs, then the attacker would have to actually take
over the other end-point's addresses, which rules out off-path
attacks.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Impact on IPsec</span>
Connection latching effectively adds a mechanism for dealing with the
existence, in the SAD, of multiple non-equivalent child SAs with
overlapping traffic selectors. This mechanism consists of, at
minimum, a local notification of transport protocols (and, through
them, applications) of the existence of such a conflict that affects
a transport layer's connections. Affected transports are also
notified when the conflict is cleared. The transports must drop
inbound packets, and must not send outbound packets for connections
that are affected by a conflict. In this minimal form, connection
latching is a passive, local feature layered atop IPsec.
<span class="grey">Williams Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
We achieve this by adding a new type of IPsec database, the Latch
Database (LD), containing objects that represent a transport
protocol's interest in protecting a given packet flow from such
conflicts. The LD is managed in conjunction with updates to the SAD
and the SPD, so that updates to either that conflict with established
connection latches can be detected. For some IPsec implementations,
this may imply significant changes to their internals. However, two
different models of connection latching are given, and we hope that
most native IPsec implementors will find at least one model to be
simple enough to implement in their stack.
This notion of conflicting SAs and how to deal with the situation
does not modify the basic IPsec architecture -- the feature of IPsec
that allows such conflicts to arise remains, and it is up to the
transport protocols and applications to select whether and how to
respond to them.
There are, however, interesting corner cases in the normative model
of connection latching that implementors must be aware of. The notes
in <a href="#section-2.3.1">Section 2.3.1</a> are particularly relevant.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Impact on IPsec of Optional Features</span>
<a href="#section-3">Section 3</a> describes optional features of connection latching where
the key manager takes on a somewhat more active, though still local,
role. There are two such features: optional protect/bypass and
preservation of "logical" SPD entries to allow latched connections to
remain in the ESTABLISHED state in the face of adverse administrative
SPD (but not SAD) changes. These two features interact with
administrative interfaces to IPsec; administrators must be made aware
of these features, and they SHOULD be given a way to break
ESTABLISHED connection latches. Also, given recent trends toward
centralizing parts of IPsec policy, these two features can be said to
have non-local effects where they prevent distributed policy changes
from taking effect completely.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Security Considerations for Applications</span>
Connection latching is not negotiated. It is therefore possible for
one end of a connection to be using connection latching while the
other does not; in which case, it's possible for policy changes local
to the non-latched end to cause packets to be sent unprotected. The
end doing connection latching will reject unprotected packets, but if
they bear sensitive data, then the damage may already be done.
Therefore, applications SHOULD check that both ends of a connection
are latched (such a check is implicit for applications that use
channel binding to IPsec).
<span class="grey">Williams Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
Connection latching protects individual connections from weak peer
ID<->address binding, IPsec configuration changes, and from
configurations that allow multiple peers to assert the same
addresses. But connection latching does not ensure that any two
connections with the same end-point addresses will have the same
latched peer IDs. In other words, applications that use multiple
concurrent connections between two given nodes may not be protected
any more or less by use of IPsec connection latching than by use of
IPsec alone without connection latching. Such multi-connection
applications can, however, examine the latched SA parameters of each
connection to ensure that all concurrent connections with the same
end-point addresses also have the same end-point IPsec IDs.
Connection latching protects against TCP RST attacks. It does not
help, however, if the original peer of a TCP connection is no longer
available (e.g., if an attacker has been able to interrupt the
network connection between the two peers).
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. Channel Binding and IPsec APIs</span>
IPsec channels are a prerequisite for channel binding [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>] to
IPsec. Connection latching provides such channels, but the channel
bindings for IPsec channels (latched connections) are not specified
herein -- that is a work in progress [<a href="#ref-IPSEC-CB" title=""End-Point Channel Bindings for IPsec Using IKEv2 and Public Keys"">IPSEC-CB</a>].
Without IPsec APIs, connection latching provides marginal security
benefits over traditional IPsec. Such APIs are not described herein;
see [<a href="#ref-ABSTRACT-API" title=""An abstract interface between applications and IPsec"">ABSTRACT-API</a>].
<span class="h3"><a class="selflink" id="section-6.5" href="#section-6.5">6.5</a>. Denial-of-Service Attacks</span>
Connection latch state transitions to the BROKEN state can be
triggered by on-path attackers and any off-path attackers that can
attack routers or cause an end-point to accept an ICMP Redirect
message. Connection latching protects applications against on- and
off-path attackers in general, but not against on-path denial of
service specifically.
Attackers can break latches if they can trigger DPD on one or both
end-points and if they cause packets to not move between two end-
points. Such attacks generally require that the attacker be on-path;
therefore, we consider it acceptable to break latches when DPD
concludes that a peer is dead or rebooted.
Attackers can also break latches if IPsec policy on a node allows the
attacker to use the IP address of a peer of that node. Such
<span class="grey">Williams Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
configurations are expected to be used in conjunction with BTNS in
general. Such attacks generally require that the attacker be on-
path.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
The author thanks Michael Richardson for all his help, as well as
Stephen Kent, Sam Hartman, Bill Sommerfeld, Dan McDonald, Daniel
Migault, and many others who've participated in the BTNS WG or who've
answered questions about IPsec, connection latching implementations,
etc.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC0768">RFC0768</a>] Postel, J., "User Datagram Protocol", STD 6,
<a href="./rfc768">RFC 768</a>, August 1980.
[<a id="ref-RFC0793">RFC0793</a>] Postel, J., "Transmission Control Protocol", STD 7,
<a href="./rfc793">RFC 793</a>, September 1981.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC4306">RFC4306</a>] Kaufman, C., "Internet Key Exchange (IKEv2)
Protocol", <a href="./rfc4306">RFC 4306</a>, December 2005.
[<a id="ref-RFC4960">RFC4960</a>] Stewart, R., "Stream Control Transmission
Protocol", <a href="./rfc4960">RFC 4960</a>, September 2007.
[<a id="ref-RFC5061">RFC5061</a>] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and
M. Kozuka, "Stream Control Transmission Protocol
(SCTP) Dynamic Address Reconfiguration", <a href="./rfc5061">RFC 5061</a>,
September 2007.
[<a id="ref-RFC5386">RFC5386</a>] Williams, N. and M. Richardson, "Better-Than-
Nothing Security: An Unauthenticated Mode of
IPsec", <a href="./rfc5386">RFC 5386</a>, November 2008.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-ABSTRACT-API">ABSTRACT-API</a>] Richardson, M., "An abstract interface between
applications and IPsec", Work in Progress,
November 2008.
<span class="grey">Williams Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc5660">RFC 5660</a> IPsec Connection Latching October 2009</span>
[<a id="ref-IPSEC-CB">IPSEC-CB</a>] Williams, N., "End-Point Channel Bindings for IPsec
Using IKEv2 and Public Keys", Work in Progress,
April 2008.
[<a id="ref-IP_SEC_OPT.man">IP_SEC_OPT.man</a>] Sun Microsystems, Inc., "ipsec(7P) man page,
Solaris 10 Reference Manual Collection".
[<a id="ref-RFC1034">RFC1034</a>] Mockapetris, P., "Domain names - concepts and
facilities", STD 13, <a href="./rfc1034">RFC 1034</a>, November 1987.
[<a id="ref-RFC2367">RFC2367</a>] McDonald, D., Metz, C., and B. Phan, "PF_KEY Key
Management API, Version 2", <a href="./rfc2367">RFC 2367</a>, July 1998.
[<a id="ref-RFC5056">RFC5056</a>] Williams, N., "On the Use of Channel Bindings to
Secure Channels", <a href="./rfc5056">RFC 5056</a>, November 2007.
[<a id="ref-RFC5387">RFC5387</a>] Touch, J., Black, D., and Y. Wang, "Problem and
Applicability Statement for Better-Than-Nothing
Security (BTNS)", <a href="./rfc5387">RFC 5387</a>, November 2008.
[<a id="ref-RFC5406">RFC5406</a>] Bellovin, S., "Guidelines for Specifying the Use of
IPsec Version 2", <a href="https://www.rfc-editor.org/bcp/bcp146">BCP 146</a>, <a href="./rfc5406">RFC 5406</a>, February 2009.
[<a id="ref-USING-IPSEC">USING-IPSEC</a>] Dondeti, L. and V. Narayanan, "Guidelines for using
IPsec and IKEv2", Work in Progress, October 2006.
Author's Address
Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
US
EMail: Nicolas.Williams@sun.com
Williams Standards Track [Page 31]
</pre>
|
