Internet Key Exchange version 2 (IKEv2) extension for the ESP Header Compression (EHC) Strategy

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

This section defines terms and acronyms used in this document. EHC Strategy is a generic term defined in that defines the way EHC Rules are coordinated. the specific EHC Strategy agreed between the two peers. defines Diet-ESP as an EHC Strategy and other may be defined in the future. This document only considers Diet-ESP but provides negotiation mechanisms so future EHC Strategies may also be negotiated. New EHC Strategies will require to register the necessary associated EHC Strategy Configuration Parameters. This will typically include a specific designation as well as specific configuration parameters. The parameters are designated as EHC Strategy Configuration Parameter (Parameter) describes the configuration parameters associated to a specific EHC Strategy. The Parameters includes the EHC Strategy as well as configuration parameters. designates the necessary attributes associated to each Parameter exchanged in order to agree on the EHC Strategy Configuration Parameter. This document considers two type of attributes: the Range Attribute that indicates a range for a given Parameter, and the Value Attribute that indicates a fixed value associated to a Parameter. the payload that indicates a supported range of values on an specific EHC Strategy Configuration Parameter. In this document, all Parameters are associated a specific Range Attribute. the payload that indicates a value of an specific EHC Strategy Configuration Parameter. In this document, all Parameters are associated a specific Value Payload.

ESP Header Compression (EHC) reduces the ESP overhead by compressing ESP fields. Compression results from a coordination of various EHC Rules performed by the EHC Strategy. The EHC Strategy may require to be configured with some configuration parameters designated as EHC Strategy Configuration Parameter (or simply Parameter). When a Security Association (SA) is enabling EHC the two peers needs to agree which EHC Strategy strategy is applied as well as its associated configuration parameters. This document describes an extension of IKEv2 that enables two peers to agree on a specific EHC Strategy as well as its associated Parameters.

ESP Header Compression requires IKEv2 to negotiate the IPsec mode and the used EHC strategy and its corresponding parameters. EHC Strategies are configured on a per-SA basis and need to be agreed between the two peers. An EHC Strategy is agreed when peers have agreed on the EHC Strategy as well as its associated Parameters. For example, defines an EHC Strategy called as Diet-ESP which requires the following Parameters to be set: udplite_coverage, tcp_lsb, tcp_options, tcp_urgent, esp_sn_lsb, esp_spi_lsb, esp_align. The negotiation of the EHC Strategy as well as its Parameters is performed via the EHC_STRATEGY_SUPPORTED Notify Payload exchange. When the initiator is willing to negotiate an EHC Strategy for a given SA, it sends a single EHC_STRATEGY_SUPPORTED Notify Payload in its IKE_AUTH and CREATE_CHILD_SA exchange. This Notify Payload indicates the support to negotiate EHC Strategies. In addition, the Notify Payload MAY indicates with a Range Attribute, the supported values for each Parameter, including the Designated EHC Strategy. If the initiator does not have any restriction regarding a specific Parameter, there is no need to provide an Range Value associated to that Parameter. Currently, the only defined EHC Strategy is Diet-ESP, and the EHC_STRATEGY_SUPPORTED Notify Payload indicates the support for Diet-ESP unless Diet-ESP is explicitly excluded by the Range Attribute. In the future, when other EHC Strategies will be defined, the support of that new Designated EHC Strategy will need to be explicitly announced with its associated Range Attribute. Other Parameters MAY also have their own associated Range Attribute. Note that if multiple EHC Strategies that share a given Parameter, the Range Attribute is applied for all designated EHC Strategies. In other words, it is not possible to have a given Parameter associated with different values depending on the EHC Strategy. Upon receiving the IKE_AUTH and CREATE_CHILD_SA with a EHC_STRATEGY_SUPPORTED Notify Payload, a receiver that does not support this extension or that is not willing to activate EHC ignores the Notify Payload and the negotiation continues as a standard ESP negotiation. If the responder supports EHC Strategy negotiation and chooses to apply a supported EHC Strategy to the negotiated SA, it reads all Range Attributes and selects a Designated EHC Strategy as well as specific values for each Parameter associated to the Designated EHC Strategy. The responder enables EHC for the negotiated SA and responds with an EHC_STRATEGY_SUPPORTED Notify Payload which indicates the selected Parameters' values using Value Attributes. The responder MAY send a Value Attribute that corresponds to all selected Parameters. On the other hand, the responder MAY also send only the Value Attribute of Parameters whose value differs from the default value. In fact each EHC Strategy defines default values for each Parameters. In some cases, the supported values provided by the initiator may not match those of the responder, and so EHC cannot be activated. The responder may want to indicate the supported range provided by the initiator were not acceptable by responding with a EHC_STRATEGY_UNACCEPTABLE_PARAMETER. The initiator MAY carry Range Attributes in order to indicates what it supports. Upon receiving a EHC_STRATEGY_SUPPORTED Notify Payload back, the initiator reads the Value Attributes and checks the Parameters match the supported range. The initiator may configure the EHC Strategy with the provided parameters or abort the negotiation with a Delete Payload as specified in section 3.11 of . Upon receiving a EHC_STRATEGY_UNACCEPTABLE_PARAMETER Notify Payload, the initiator may use the regular ESP or delete the SA. When the SA is deleted, the initiator is expected to restart a negotiation providing contraints that respect those of the responder.

<-- HDR, SA, KEr, Nr HDR, SK {IDi, AUTH, SA, TSi, TSr, N(EHC_STRATEGY_SUPPORTED) <-- HDR, SK {IDr, AUTH, SA, TSi, TSr, N(EHC_STRATEGY_SUPPORTED) ]]>

illustrates the Notify Payload packet format as described in section 3.10 of , used for EHC_STRATEGY_SUPPORTED and EHC_STRATEGY_UNACCEPTABLE_PARAMETER Notify Payloads. The EHC_STRATEGY_SUPPORTED and EHC_STRATEGY_UNACCEPTABLE_PARAMETER Notify Payloads are used during the IKE_AUTH and CREATE_CHILD_SA. The sender is expected to send only a single payload. When multiple payloads are received, the receiver MAY consider the first one and MUST ignore the remaining ones.

The fields Next Payload, Critical Bit, RESERVED, and Payload Length are defined in . Specific fields defined in this document are: set to zero. set to zero. Specifies the type of notification message. It is set to: <TBA2 by IANA> for the EHC_STRATEGY_SUPPORTED <TBA3 by IANA> for EHC_STRATEGY_UNACCEPTABLE_PARAMETER

The EHC_STRATEGY_SUPPORTED Notify Payload indicates the supported EHC Strategies. When sent by the initiator, it MAY contain Range Attributes (see ). A responder not understanding a Range Attribute MUST ignore it. This is intended to ease the negotiation of new EHC Strategies with new Parameters. It is its responsibility to understand the Parameters associated to the negotiated EHC Strategy. When sent by the responder, it MAY contain Value Attributes (see ). An initiator not understanding a Value Payload MUST NOT create the SA and SHOULD send a Delete Payload to the responder as described in section 3.11 of .

The EHC_STRATEGY_UNACCEPTABLE_PARAMETER Notify Payload indicates the responder supports of EHC Strategy negotiation but was not able to configure it due to the constraints provided by the initiator. The responder MAY insert Range Attributes (see ) to inform the initiator of its supported ranges. The responder has configured the SA without enabling the EHC. Upon receiving the Notify Payload, the initiator MAY accept the SA without EHC. It MAY also Delete the SA as described in section 3.11 of and renegotiate the SA, considering the responder's supported ranges.

This document only considers Diet-ESP, which requires the following Parameters to be agreed by the two peers: esp_align, esp_spi_lsb, esp_sn_lsb, tcp_urgent, tcp_options, tcp_lsb, udplite_coverage. In addition, in order to enable future EHC Strategies, the following parameter has been introduce to designate the agreed EHC Strategy: ehc_strategy. lists these Parameters with description and associated values. In addition, each of these parameter is associated to a default value. The default value is considered unless other values are specified by the responder. The associated default value is specified in .

For each of these Parameters, the initiator or responder may indicate acceptable values of these Parameters. Such constraints are expressed with the Range Attributes. Each Parameters has its corresponding payload which carries the minimum and maximum acceptable values associated to the parameters (see ). Similarly, for each of these Parameters, the responder needs to be able to provide the selected value associated to the Parameter. Each of these Parameters' value can be expressed by via the Value Attribute. Each parameter has a corresponding payload which carries the associated value (see ). The Range Attribute and Value Attribute use the format of the Transform Attribute of section 3.3.5 of represented in . The fields are described in .

The document considers only the TLV format so AF = 0 with the Parameter Types defined in and acceptable and default Parameter's Values are defined in .

The Parameter's value of ehc_strategy, esp_align, esp_spi_lsb, esp_sn_lsb, tcp_urgent, tcp_options, tcp_lsb and udplite_coverage is coded on 1 byte, so the Attribute Data of the Range Attribute is 2 byte long and the Attribute Length is set to 4. The first byte indicates the minimal acceptable value, while the second byte indicates the maximal value. Similarly, udplight_coverage is coded on 2 bytes, so the Attribute Data of the Range Attribute is 4 byte long, and Attribute Length is set to 6.

The Parameters ehc_strategy, esp_align, esp_spi_lsb, esp_sn_lsb, tcp_urgent, tcp_options and tcp_lsb the Attribute Data is codes on 1 byte, and Attribute Length is set to 3. Similarly, udplight_coverage is coded on 2 bytes, so the Attribute Data of the Value Attribute is 2 byte long and the Attribute Length is set to 4.

IANA is requested to allocate two values in the IKEv2 Notify Message Types - Status Types registry: