Announcing Supported Authentication Methods in IKEv2ELVIS-PLUSPO Box 81Moscow (Zelenograd)124460RU+7 495 276 0211svan@elvis.ru This specification defines a mechanism that allows the Internet Key Exchange version 2 (IKEv2)
implementations to indicate the list of supported authentication methods to their peers while establishing
IKEv2 Security Association (SA). This mechanism improves interoperability when IKEv2 partners
are configured with multiple different credentials to authenticate each other.
The Internet Key Exchange version 2 (IKEv2) protocol, defined in ,
performs authenticated key exchange in IPsec. IKEv2, unlike its predecessor IKEv1,
defined in , doesn't include a mechanism to negotiate an authentication
method that the peers would use to authenticate each other. It is assumed that each peer selects whatever
authentication method it thinks is appropriate, depending on authentication credentials it has.
This approach generally works well when there is no ambiguity in selecting authentication credentials.
The problem may arise when there are several credentials of different type configured on one peer,
while only some of them are supported on the other peer. Another problem situation is when
a single credential may be used to produce different types of authentication tokens
(e.g. signatures of different formats).
Emerging post-quantum signature algorithms may bring additional challenges for implementations,
especially if so called hybrid schemes are used (e.g. see ).
This specification defines an extension to the IKEv2 protocol that allows peers to
announce their supported authentication methods, thus decreasing risks of SA establishment
failure in situations when there are several ways for the peers to authenticate themselves.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted
as described in BCP 14 when, and only when,
they appear in all capitals, as shown here.
When establishing IKE SA each party may send a list of authentication methods it supports and is configured to use to its peer.
The sending party may additionally specify that some of the authentication methods are only for use with
the particular trust anchors. Upon receiving this information the peer may take it into consideration while
selecting an algorithm for its authentication if several alternatives are available. If the responder is willing to use this extension, it includes a new status type notify SUPPORTED_AUTH_METHODS
in the IKE_SA_INIT response message. This notification contains a list of authentication methods supported by the responder, ordered by their preference.
<-- HDR, SAr1, KEr, Nr, [CERTREQ,]
[N(SUPPORTED_AUTH_METHODS)(...)]
]]> If the initiator doesn't support this extension, it ignores the received notification as an unknown status notify.
Regardless of whether the notification is received, if the initiator supports and is willing to use this extension,
it includes the SUPPORTED_AUTH_METHODS notification in the IKE_AUTH request message,
with a list of authentication methods supported by the initiator, ordered by their preference.
<-- HDR, SK {IDr, [CERT,]
AUTH, SAr2, TSi, TSr }
]]> Since the responder sends the SUPPORTED_AUTH_METHODS notification in the IKE_SA_INIT exchange,
it must take care that the size of the response message wouldn't grow too much so that IP fragmentation takes place.
If the following conditions are met:
the SUPPORTED_AUTH_METHODS notification to be included is so large, that the responder suspects
that IP fragmentation of the resulting IKE_SA_INIT response message may happen;both peers support the IKE_INTERMEDIATE exchange, defined in (i.e.
the responder has received and is going to send the INTERMEDIATE_EXCHANGE_SUPPORTED notification);
then the responder may choose not to send actual list of the supported authentication
methods in the IKE_SA_INIT exchange and instead ask the initiator to start the IKE_INTERMEDIATE
exchange for the list to be sent in. In this case the responder includes SUPPORTED_AUTH_METHODS notification
containing no data in the IKE_SA_INIT response.
If the initiator receives the empty SUPPORTED_AUTH_METHODS notification in the IKE_SA_INIT exchange,
it means that the responder is going to send the list of the supported authentication methods in the
IKE_INTERMEDIATE exchange. If this exchange is to be initiated anyway for some other reason, then
the responder MAY use it to send the SUPPORTED_AUTH_METHODS notification. Otherwise, the initiator
MAY start the IKE_INTERMEDIATE exchange just for this sole purpose by sending an empty IKE_INTERMEDIATE request.
The initiator MAY also indicate its identity (and possibly the perceived responder's identity too)
by including the IDi payload (possibly along with the IDr payload) into the IKE_INTERMEDIATE request.
This information could help the responder to send back only those authentication methods,
that are configured to be used for authentication of this particular initiator.
If these payloads are sent, they MUST be identical to the IDi/IDr payloads sent later in the IKE_AUTH request.
If the responder has sent any CERTREQ payload in the IKE_SA_INIT, then it MUST re-send the same
payload(s) in the IKE_INTERMEDIATE response containing the SUPPORTED_AUTH_METHODS notification
if any of the included Announcements has a non-zero Cert Link field (see and ).
This requirement allows peers to have a list of Announcements and a list of CAs in the same message,
which simplifies their linking (note, that this requirement is always fulfilled for the IKE_SA_INIT and IKE_AUTH exchanges).
However, if for any reason the responder doesn't re-send CERTREQ payload(s) in the IKE_INTERMEDIATE exchange, then
the initiator MUST NOT abort negotiation. Instead, the initiator MAY either link the Announcements to the CAs received in the IKE_SA_INIT response,
or MAY ignore the Announcements containing links to CAs.
If multiple IKE_INTERMEDIATE exchanges take place during IKE SA establishments, it is RECOMMENDED that the responder
use the last IKE_INTERMEDIATE exchange (the one just before IKE_AUTH) to send the list of supported auth methods.
However, it is not always possible for the responder to know how many IKE_INTERMEDIATE exchanges
the initiator will use. In this case the responder MAY send the list in any IKE_INTERMEDIATE exchange.
If the initiator sends IDi/IDr in an IKE_INTERMEDIATE request, then it is RECOMMENDED that the responder
sends back the list of authentication methods in the response.
<-- HDR, SAr1, KEr, Nr, [CERTREQ,]
[N(SUPPORTED_AUTH_METHODS)()]
HDR, SK {..., [IDi, [IDr,]]} -->
<-- HDR, SK {..., [CERTREQ,]
[N(SUPPORTED_AUTH_METHODS)(...)] }
HDR, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, SAi2, TSi, TSr,
[N(SUPPORTED_AUTH_METHODS)(...)] } -->
<-- HDR, SK {IDr, [CERT,]
AUTH, SAr2, TSi, TSr }
]]> Note, that sending the SUPPORTED_AUTH_METHODS notification and using information obtained from it
is optional for both the initiator and the responder. If multiple SUPPORTED_AUTH_METHODS notifications are included
in a message, all their announcements form a single ordered list, unless overriden by other extension
(see ).
The format of the SUPPORTED_AUTH_METHODS notification is shown below.
The Notify payload format is defined in Section 3.10 of .
When a Notify payload of type SUPPORTED_AUTH_METHODS is sent, the
Protocol ID field is set to 0, the SPI Size is set to 0, meaning there is no SPI field,
and the Notify Message Type is set to <TBA by IANA>.
The Notification Data field contains the list of supported authentication methods announcements.
Each individual announcement is a variable-size data blob, which format depends
on the announced authentication method. The blob always starts with an octet containing the length of the blob
followed by an octet containing the authentication method. Authentication methods are represented
as values from the "IKEv2 Authentication Method" registry defined in .
The meaning of the remaining octets of the blob, if any, depends on the authentication method.
Note, that for the currently defined authentication methods the length octet
fully defines both the format and the semantics of the blob.
If more authentication methods are defined in future, the corresponding documents
must describe the semantics of the announcements for these methods. Implementations
MUST ignore announcements which semantics they don't understand.
If the announcement contains an authentication method that is not concerned
with public key cryptography, then the following format is used.
Length - Length of the blob, must be 2 for this case.Auth Method - Announced authentication method.
This format is applicable for the authentication methods "Shared Key Message Integrity Code" (2) and "NULL Authentication" (13).
Note, that authentication method "Generic Secure Password Authentication Method" (12) would also
fall in this category, however it is negotiated separately (see and
for this reason there is no point to announce it via this mechanism. See also .
If the announcement contains an authentication method that is concerned
with public key cryptography, then the following format is used. This format
allows to link the announcement with a particular trust anchor from the
Certificate Request payload.
Length - Length of the blob, must be 3 for this case.Auth Method - Announced authentication method.Cert Link - Links this announcement with particular CA.
If the Cert Link field contains non-zero value N, it means that the announced authentication method is intended to be used
only with the N-th trust anchor (CA certificate) from the Certificate Request payload(s) sent by this peer. If it is zero,
then this authentication method may be used with any CA.
If multiple CERTREQ payloads were sent, the CAs from all of them are treated as a single list for the purpose of the linking.
If no Certificate Request payload were receives, the content of this field MUST be ignored and treated as zero.
This format is applicable for the authentication methods "RSA Digital Signature" (1),
"DSS Digital Signature" (3), "ECDSA with SHA-256 on the P-256 curve" (9),
"ECDSA with SHA-384 on the P-384 curve" (10) and "ECDSA with SHA-512 on the P-512 curve" (11).
Note however, that these authentication methods are currently superseded by
the "Digital Signature" (14) authentication method, which has a different announcement format,
described below.
The following format is currently used only with the "Digital Signature" (14) authentication method.
3) | Auth Method | Cert Link | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| |
~ AlgorithmIdentifier ASN.1 object ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]>Length - Length of the blob, must be greater than 3 for this case.Auth Method - Announced authentication method, at the time of writing this document only value 14 ("Digital Signature") is allowed.Cert Link - Links this announcement with particular CA; see for details.AlgorithmIdentifier ASN.1 object - the AlgorithmIdentifier of PKIX (see Section 4.1.1.2 of ),
encoded using distinguished encoding rules (DER) .
The "Digital Signature" authentication method, defined in ,
supersedes previously defined signature authentication methods. In this case
the real authentication algorithm is identified via AlgorithmIdentifier ASN.1 object.
Appendix A in contains examples of Commonly Used ASN.1 Objects.
Generally in IKEv2 each party independently determines the way it authenticates itself to the peer.
In other words, authentication methods selected by the peers need not be the same.
However, some IKEv2 extensions break this rule.
The prominent example is , (Secure Password Framework for Internet Key Exchange Version 2),
which defines a framework for using Password-authenticated key exchanges (PAKE) in IKEv2.
With this framework peers negotiate using one of PAKE methods in the IKE_SA_INIT exchange -
the initiator sends a list of supported PAKE methods in the request and the responder picks one of them and sends it back
in the response.
If peers negotiate PAKE for authentication, then the selected PAKE method is used by both initiator and responder
and no other authentication methods are involved. For this reason there is no point to announce
supported authentication methods in this case. Thus, if the peers choose to go with PAKE,
they MUST NOT send the SUPPORTED_AUTH_METHODS notification.
If peers are going to use Multiple Authentication Exchanges ,
then they MAY include multiple SUPPORTED_AUTH_METHODS notifications instead of one, each containing authentication methods
appropriate for each authentication round. The notifications are included in the order
of the preference of performing authentication rounds.
Security considerations for IKEv2 protocol are discussed in .
Security properties of different authentication methods varies.
Refer to corresponding documents, listed in for discussion
of security properties of each authentication method.
Announcing authentication methods gives an eavesdropper additional information about peers' capabilities.
If a peer advertises NULL authentication along with other methods, then active attacker on the path can encourage peers
to use NULL authentication by removing all other announcements. Note, that this is not a real attack,
since NULL authentication should be allowed by local security policy.
This document defines a new Notify Message Types in the "Notify Message Types - Status Types" registry referencing this RFC: SUPPORTED_AUTH_METHODS [RFCXXXX]
]]>The author would like to thank Paul Wouters for his valuable comments and proposals.
The author is also grateful to Daniel Van Geest, who made proposals for protocol improvement.ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
Internet Key Exchange Version 2 (IKEv2) ParametersIANA This appendix shows some examples of announcing authentication methods.
This appendix is purely informative; if it disagrees with the body of this document, the other text is considered correct.
Note that some payloads that are not relevant to this specification may be omitted for brevity.
This example illustrates the situation when the SUPPORTED_AUTH_METHODS notify fits into the IKE_SA_INIT
message and thus the IKE_INTERMEDIATE exchange is not needed. In this scenario the responder
announces that it supports the "Shared Key Message Integrity Code" and the "NULL Authentication"
authentication methods. The initiator informs the responder that it supports
only the "Shared Key Message Integrity Code" authentication method.
<-- HDR, SAr1, KEr, Nr,
N(SUPPORTED_AUTH_METHODS(
PSK, NULL))
IKE_AUTH
HDR, SK {IDi,
AUTH, SAi2, TSi, TSr,
N(SUPPORTED_AUTH_METHODS(PSK))} -->
<-- HDR, SK {IDr,
AUTH, SAr2, TSi, TSr}
]]>This example illustrates the situation when the IKE_INTERMEDIATE
exchange is used. In this scenario the responder announces that
it supports the "Digital signature" authentication method using the RSASSA-PSS algorithm
with CA1 and CA2 and the same method using the ECDSA algorithm with CA3.
The initiator supports only the "Digital signature" authentication method using the RSASSA-PSS algorithm
with no link to a particular CA.
<-- HDR, SAr1, KEr, Nr,
CERTREQ(CA1, CA2, CA3),
N(SIGNATURE_HASH_ALGORITHMS),
N(SUPPORTED_AUTH_METHODS())
IKE_INTERMEDIATE
HDR, SK {..., IDi]} -->
<-- HDR, SK {...,
CERTREQ(CA1, CA2, CA3),
N(SUPPORTED_AUTH_METHODS(
SIGNATURE(RSASSA-PSS:1),
SIGNATURE(RSASSA-PSS:2),
SIGNATURE(ECDSA:3)))}
IKE_AUTH
HDR, SK {IDi, CERT, CERTREQ(CA2),
AUTH, SAi2, TSi, TSr,
N(SUPPORTED_AUTH_METHODS(
SIGNATURE(RSASSA-PSS:0)))} -->
<-- HDR, SK {IDr, CERT,
AUTH, SAr2, TSi, TSr}
]]>