Use of Reliable Transport in the Internet Key Exchange Protocol Version 2 (IKEv2)

The Internet Key Exchange protocol version 2 (IKEv2) originally used unreliable transport (UDP) for its messages. Later it was extended to use TCP where UDP is blocked. UDP is still considered as a preferred transport for IKEv2, and TCP is only used if UDP datagrams cannot get through. Originally IKEv2 peers exchanged relatively small amount of data, so that simple retransmission mechanism on top of UDP with no congestion control sufficed. The situation has changed when post-quantum cryptographic algorithms started to be incorporated into IKEv2 . Most of post-quantum algorithms require IKE peers to exchange much more data, than classical algorithms, up to tens (or even hundreds) Kbytes. Few proposals exist that allow to overcome the 64 Kbytes limitation on the size of an IKE payload (, , ). When IKE messages grow up to tens (or even hundreds) Kbytes, using UDP as a transport will become challenging. Use of IKE fragmentation avoids IP fragmentation problems and also allows each IKE message fragment to fit into UDP datagram, even if the original message doesn't. However, all IKE fragments are always being sent (and retransmitted) at once, so that with the increased number of fragments and the lack of congestion control the simple retransmission mechanism of IKEv2 will perform poorly, perhaps even making more truble to the network. Using reliable transport (like TCP) for IKEv2 would be a solution to the problem. However, the current use of TCP as defined in implies that ESP SAs are also encapsulated in TCP, which has negative impact on IPsec performance (see Section 9 of . This specification allows to decouple IKE and IPsec transports, so that it makes possible to negotiate and use reliable transport for IKEv2 while maintaining using unreliable transport for IPsec. The idea to decouple IKE and IPsec transports was originally presented in .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

If the initiator supports this extension and is configured to use and it and also anticipates that large amount of data may be exchanged in this SA (e.g. it proposes Key Exchange transforms with large public keys), then the initiator starts the IKE_SA_INIT exchange using UDP port 4500 and includes a new status type notification RELIABLE_IKE_TRANSPORT (<TBA by IANA>) into the request message. The RELIABLE_IKE_TRANSPORT notification has protocol 0, SPI size 0 and contains no data. Using UDP port 4500 for the IKE_SA_INIT messages is explicitly allowed by , and ensures that IPsec packets can get through if they are UDP encapsulated. If the responder supports this extension and is configured to use it and the IKE_SA_INIT request contains the RELIABLE_IKE_TRANSPORT notification, then the responder sends back this notification in the response.

HDR, SAr1, KEr1, Nr, [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP),] <--- N(RELIABLE_IKE_TRANSPORT) ]]> In this case the initiator MUST switch to TCP using destination port 4500 in the next exchange (IKE_INTERMEDIATE or IKE_AUTH) and the responder MUST be prepared to receive the next exchange request message on TCP port 4500.

<--- HDR, SK{...} ]]> All subsequent IKE exchanges MUST continue to use TCP transport. In particular, peers MUST NOT try to swich IKE transport to UDP as defined in Sections 7.1 and 7.3 of . All recommendations of regarding maintaning TCP connection apply accordingly. With this IKE extension child SAs are created as defined in - they either use direct transport over IP or are UDP encapsulated if NAT is detected. Note, that in the latter case peers are responsible for maintaining NAT mapping by sending NAT keepalives (see Section 2.23 of ).

Section 10 of discusses security implications of using TCP as IKE transport.

This document defines a new Notify Message Type in the "IKEv2 Notify Message Status Types" registry:

RELIABLE_IKE_TRANSPORT ]]>