Network Working GroupInternet Engineering Task Force (IETF) P. JokelaInternet-DraftRequest for Comments: 7402 Ericsson Research NomadicLab Obsoletes: 5202(if approved)R. MoskowitzIntended status:Category: Standards TrackVerizon Expires: March 9, 2015HTT Consulting ISSN: 2070-1721 J. Melen Ericsson Research NomadicLabSeptember 5, 2014April 2015 Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)draft-ietf-hip-rfc5202-bis-07Abstract This memo specifies anEncapsulatedEncapsulating Security Payload (ESP) based mechanism for transmission of user data packets, to be used with the Host Identity Protocol (HIP). This document obsoletes RFC 5202. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 9, 2015.http://www.rfc-editor.org/info/rfc7402. Copyright Notice Copyright (c)20142015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3....................................................3 2. Conventions Used in This Document. . . . . . . . . . . . . . 4...............................4 3. Using ESP with HIP. . . . . . . . . . . . . . . . . . . . . 4..............................................4 3.1. ESP Packet Format. . . . . . . . . . . . . . . . . . . . 5..........................................5 3.2. Conceptual ESP Packet Processing. . . . . . . . . . . . 5...........................5 3.2.1. Semantics of the Security Parameter Index (SPI). . . 6.....6 3.3. Security Association Establishment and Maintenance. . . 6.........6 3.3.1. ESP Security Associations. . . . . . . . . . . . . . 6...........................6 3.3.2. Rekeying. . . . . . . . . . . . . . . . . . . . . . 7............................................7 3.3.3. Security Association Management. . . . . . . . . . . 8.....................8 3.3.4. Security Parameter Index (SPI). . . . . . . . . . . 8......................8 3.3.5. Supported Ciphers. . . . . . . . . . . . . . . . . . 8...................................8 3.3.6. Sequence Number. . . . . . . . . . . . . . . . . . . 9.....................................9 3.3.7. Lifetimes and Timers. . . . . . . . . . . . . . . . 9................................9 3.4. IPsec and HIP ESP Implementation Considerations. . . . . 9............9 3.4.1. Data Packet Processing Considerations. . . . . . . . 9..............10 3.4.2. HIP Signaling Packet Considerations. . . . . . . . . 10................10 4. The Protocol. . . . . . . . . . . . . . . . . . . . . . . . 10...................................................11 4.1. ESP in HIP. . . . . . . . . . . . . . . . . . . . . . . 11................................................11 4.1.1. IPsec ESP Transport Format Type. . . . . . . . . . . 11....................11 4.1.2. Setting Up an ESP Security Association. . . . . . . 11.............11 4.1.3. Updating an Existing ESP SA. . . . . . . . . . . . . 12........................12 5. Parameter and Packet Formats. . . . . . . . . . . . . . . . 13...................................13 5.1. New Parameters. . . . . . . . . . . . . . . . . . . . . 13............................................13 5.1.1. ESP_INFO. . . . . . . . . . . . . . . . . . . . . . 13...........................................13 5.1.2. ESP_TRANSFORM. . . . . . . . . . . . . . . . . . . . 14......................................15 5.1.3. NOTIFICATION Parameter. . . . . . . . . . . . . . . 16.............................16 5.2. HIP ESP Security Association Setup. . . . . . . . . . . 16........................17 5.2.1. SetupDuringduring Base Exchange. . . . . . . . . . . . . 16.........................17 5.3. HIP ESP Rekeying. . . . . . . . . . . . . . . . . . . . 18..........................................18 5.3.1. Initializing Rekeying. . . . . . . . . . . . . . . . 18..............................19 5.3.2. Responding to the Rekeying Initialization. . . . . . 19..........19 5.4. ICMP Messages. . . . . . . . . . . . . . . . . . . . . . 19.............................................20 5.4.1. Unknown SPI. . . . . . . . . . . . . . . . . . . . . 19........................................20 6. Packet Processing. . . . . . . . . . . . . . . . . . . . . . 20..............................................20 6.1. Processing Outgoing Application Data. . . . . . . . . . 20......................20 6.2. Processing Incoming Application Data. . . . . . . . . . 20......................21 6.3. HMAC and SIGNATURE Calculation and Verification. . . . . 21...........21 6.4. Processing Incoming ESP SA Initialization (R1). . . . . 21............22 6.5. Processing Incoming Initialization Reply (I2). . . . . . 22.............22 6.6. Processing Incoming ESP SA Setup Finalization (R2). . . 22........23 6.7. Dropping HIP Associations. . . . . . . . . . . . . . . . 22.................................23 6.8. Initiating ESP SA Rekeying. . . . . . . . . . . . . . . 22................................23 6.9. Processing Incoming UPDATE Packets. . . . . . . . . . . 24........................24 6.9.1. Processing UPDATE Packet: No Outstanding Rekeying Request. . . . . . . . . . . . . . . . . . 24...................................25 6.10. Finalizing Rekeying. . . . . . . . . . . . . . . . . . . 25......................................26 6.11. Processing NOTIFY Packets. . . . . . . . . . . . . . . . 26................................26 7. Keying Material. . . . . . . . . . . . . . . . . . . . . . . 26................................................27 8. Security Considerations. . . . . . . . . . . . . . . . . . . 26........................................27 9. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 27............................................28 10.Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 28 11.References. . . . . . . . . . . . . . . . . . . . . . . . . 28 11.1.....................................................29 10.1. Normativereferences . . . . . . . . . . . . . . . . . . 28 11.2.References .....................................29 10.2. Informativereferences . . . . . . . . . . . . . . . . . 29References ...................................30 Appendix A. A Note on Implementation Options. . . . . . . . . . 31......................32 Appendix B. Bound End-to-End TunnelmodeMode for ESP. . . . . . . . 31..................32 B.1. Protocoldefinition . . . . . . . . . . . . . . . . . . . 32Definition ........................................33 B.1.1. Changes to Security Associationdata structures . . . 32Data Structures .....33 B.1.2. Packetformat . . . . . . . . . . . . . . . . . . . . 32Format .......................................34 B.1.3. Cryptographicprocessing . . . . . . . . . . . . . . 34Processing ............................36 B.1.4. IPheader processing . . . . . . . . . . . 34Header Processing ................................36 B.1.5. Handling ofoutgoing packets . . . . . . . . . . . . 35Outgoing Packets ........................37 B.1.6. Handling ofincoming packets . . . . . . . . . . . . 36Incoming Packets ........................38 B.1.7. Handling of IPv4options handling . . . . . . . . . . . . . . . . 36Options ............................39 Acknowledgments ...................................................40 Authors' Addresses ................................................40 1. Introduction In the Host Identity Protocol Architecture[I-D.ietf-hip-rfc4423-bis],[HIP-ARCH], hosts are identified with public keys. The Host Identity Protocol[I-D.ietf-hip-rfc5201-bis](HIP) [RFC7401] base exchange allows any two HIP-supporting hosts to authenticate each other and to create a HIP association between themselves. During the base exchange, the hosts generate a piece of shared keying material using an authenticated Diffie-Hellman exchange. The HIP base exchange specification[I-D.ietf-hip-rfc5201-bis][RFC7401] does not describe any transport formats or methods for user data to be used during the actual communication; it only defines that it is mandatory to implement theEncapsulatedEncapsulating Security Payload (ESP) [RFC4303] based transport format and method. This document specifies how ESP is used with HIP to carry actual user data. To be more specific, this document specifies a set of HIP protocol extensions and their handling. Using these extensions, a pair of ESP Security Associations (SAs) is created between the hosts during the base exchange. The resulting ESP Security Associations use keys drawn from the keying material (KEYMAT) generated during the base exchange. After the HIP association and required ESP SAs have been established between the hosts, the user data communication is protected using ESP. In addition, this document specifies methods to update an existing ESP Security Association. It should be noted that representations of Host Identity are not carried explicitly in the headers of user data packets. Instead, the ESP Security Parameter Index (SPI) is used to indicate the right host context. The SPIs are selected during the HIP ESP setup exchange. For user data packets, ESP SPIs (in possible combination with IP addresses) are used indirectly to identify the host context, thereby avoiding any additional explicit protocol headers. HIP and ESP traffic have known issues with middlebox traversalRFC(RFC 5207[RFC5207].[RFC5207]). Other specifications exist for operating HIP and ESP overUDPUDP. (RFC 5770 [RFC5770] is an experimental specification, and others are beingdeveloped).developed.) Middlebox traversal is out of scope for this document. This document obsoletes RFC 5202. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Using ESP with HIP The HIP base exchange is used to set up a HIP association between two hosts. The base exchange provides two-way host authentication and key material generation, but it does not provide any means for protecting data communication between the hosts. In this document, we specify the use of ESP for protecting user data traffic after the HIP base exchange. Note that this use of ESP is intended only for host-to-host traffic; security gateways are not supported. To support ESP use, the HIP base exchange messages require some minor additions to the parameters transported. In the R1 packet, the Responder adds the possible ESP transforms in an ESP_TRANSFORM parameter before sending it to the Initiator. The Initiator gets the proposed transforms, selects one of those proposed transforms, and adds it to the I2 packet in an ESP_TRANSFORM parameter. In this I2 packet, the Initiator also sends the SPI value that it wants to be used for ESP traffic flowing from the Responder to the Initiator. This information is carried using the ESP_INFO parameter. When finalizing the ESP SA setup, the Responder sends its SPI value to the Initiator in the R2 packet, again using ESP_INFO. 3.1. ESP Packet Format The ESP specification [RFC4303] defines the ESP packet format for IPsec. The HIP ESP packet looks exactly the same as the IPsec ESP transport format packet. The semantics, however, are a bit different and are described in more detail in the next subsection. 3.2. Conceptual ESP Packet Processing ESP packet processing can be implemented in different ways in HIP. It is possible to implement it in a way that a standards compliant, unmodified IPsec implementation [RFC4303] can be used in conjunction with some additional transport checksum processing above it, and if IP addresses are used as indexes to the right host context. When a standards compliant IPsec implementation that uses IP addresses in theSPDSecurity Policy Database (SPD) and Security Association Database (SAD) is used, the packet processing may take the following steps. For outgoing packets, assuming that the upper-layerpseudoheaderpseudo header has been built using IP addresses, the implementation recalculates upper-layer checksums using Host Identity Tags (HITs) and, after that, changes the packet source and destination addresses back to corresponding IP addresses. The packet is sent to the IPsec ESP for transport modehandlinghandling, and from there the encrypted packet is sent to the network. When an ESP packet is received, the packet is first puttothrough the IPsec ESP transport mode handling, and after decryption, the source and destination IP addresses are replaced withHITsHITs, and finally,upper- layerupper-layer checksums are verified before passing the packet to the upper layer. An alternative way to implement packet processing is the BEET (Bound End-to-End Tunnel) mode (see Appendix B). In BEET mode, the ESP packet is formatted as a transport mode packet, but the semantics of the connection are the same as for tunnel mode. The "outer" addresses of the packet are the IPaddressesaddresses, and the "inner" addresses are the HITs. For outgoing traffic, after the packet has been encrypted, the packet's IP header is changed to a new one that contains IP addresses instead of HITs, and the packet is sent to the network. When the ESP packet is received, the SPI value, together with the integrity protection, allow the packet to be securely associated with the right HIT pair. The packet header is replaced with a new header containing HITs, and the packet is decrypted. BEET mode is completely internal for a host and doesn't require that the corresponding hostimplements it, insteadimplement it; instead, the corresponding host can have ESP transport mode and do HIT IP conversions outside ESP. 3.2.1. Semantics of the Security Parameter Index (SPI) SPIs are used in ESP to find the right Security Association for received packets. The ESP SPIs have added significance when used with HIP; they are a compressed representation of a pair of HITs. Thus, SPIs MAY be used by intermediary systems in providing services like address mapping. Note that since the SPI has significance at the receiver, only the?<< DST, SPI>?,>, where DST is a destination IP address, uniquely identifies the receiver HIT at any given point of time. The same SPI value may be used by several hosts. A single?<< DST, SPI>?> value may denote different hosts and contexts at different points of time, depending on the host that is currently reachable at the DST. Each host selects for itself the SPI it wants to see in packets received from its peer. This allows it to select different SPIs for different peers. The SPI selection SHOULD be random; the rules of Section 2.1 of the ESP specification [RFC4303] must be followed. A different SPI SHOULD be used for each HIP exchange with a particular host; this is to avoid a replay attack. Additionally, when a host rekeys, the SPI MUST be changed. Furthermore, if a host changes over to use a different IP address, it MAY change the SPI. One method for SPI creation that meets the above criteria would be to concatenate the HIT with a 32-bit random or sequential number, hash this (using SHA1), and then use the high-order 32 bits as the SPI. The selected SPI is communicated to the peer in the third (I2) and fourth (R2) packets of the base HIP exchange. Changes in SPI are signaled with ESP_INFO parameters. 3.3. Security Association Establishment and Maintenance 3.3.1. ESP Security Associations In HIP, ESP Security Associations aresetupset up between the HIP nodes during the base exchange[I-D.ietf-hip-rfc5201-bis].[RFC7401]. Existing ESP SAs can be updated later using UPDATE messages. The reason for updating the ESP SA later can be, for example, a need for rekeying the SA because of sequence number rollover. Upon setting up a HIP association, each association is linked to two ESP SAs, one for incoming packets and one for outgoing packets. The Initiator's incoming SA corresponds with the Responder's outgoing one, and vice versa. The Initiator defines the SPI for its incoming association, as defined in Section 3.2.1. This SA is herein called SA-RI, and the corresponding SPI is called SPI-RI. Respectively, the Responder's incoming SA corresponds with the Initiator's outgoing SA and is called SA-IR, with the SPI being called SPI-IR. The Initiator creates SA-RI as a part of R1 processing, before sending out the I2, as explained in Section 6.4. The keys are derived from KEYMAT, as defined in Section 7. The Responder creates SA-RI as a part of I2 processing; see Section 6.5. The Responder creates SA-IR as a part of I2 processing, before sending out R2; see Section 6.5. The Initiator creates SA-IR when processing R2; see Section 6.6. The initial session keys are drawn from the generated keying material, KEYMAT, after the HIP keys have been drawn as specified in[I-D.ietf-hip-rfc5201-bis].[RFC7401]. When the HIP association is removed, the related ESP SAs MUST also be removed. 3.3.2. Rekeying After the initial HIP base exchange and SA establishment, both hosts are in the ESTABLISHED state. There are no longer Initiator and Responderrolesroles, and the association is symmetric. In this subsection, the party that initiates the rekey procedure is denoted with I' and the peer with R'. An existing HIP-created ESP SA may need updating during the lifetime of the HIP association. This document specifies the rekeying of an existing HIP-created ESP SA, using the UPDATE message. The ESP_INFO parameter introduced above is used for this purpose. I' initiates the ESP SA updating process when needed (see Section 6.8). It creates an UPDATE packet with required information and sends it to the peer node. The old SAs are still in use, local policy permitting. R', after receiving and processing the UPDATE (see Section 6.9), generates new SAs: SA-I'R' and SA-R'I'. It does not take the new outgoing SA into use, but still uses the old one, so there temporarilyexistsexist two SA pairs towards the same peer host. The SPI for the new outgoing SA, SPI-R'I', is specified in the received ESP_INFO parameter in the UPDATE packet. For the new incoming SA, R' generates the new SPI value, SPI-I'R', and includes it in the response UPDATE packet. When I' receives a response UPDATE from R', it generates new SAs, as described in Section 6.9: SA-I'R' and SA-R'I'. It starts using the new outgoing SA immediately. R' starts using the new outgoing SA when it receives traffic on the new incoming SA or when it receives the UPDATE ACK confirming completion of rekeying. After this, R' can remove the old SAs. Similarly, when the I' receives traffic from the new incoming SA, it can safely remove the old SAs. 3.3.3. Security Association Management An SA pair is indexed by the 2 SPIs and 2 HITs (both local and remote HITs since a system can have more than one HIT). An inactivity timer is RECOMMENDED for all SAs. If the state dictates the deletion of an SA, a timer is set to allow for any late arriving packets. 3.3.4. Security Parameter Index (SPI) The SPIs in ESP provide a simple compression of the HIP data from all packets after the HIP exchange. This does require a per HIT-pair Security Association (and SPI), and a decrease of policy granularity over other Key Management Protocols like Internet Key Exchange (IKE)[RFC5996].[RFC7296]. When a host updates the ESP SA, it provides a new inbound SPI to and gets a new outbound SPI from its peer. 3.3.5. Supported Ciphers All HIP implementations MUST support AES-128-CBC and AES-256-CBC [RFC3602]. If the Initiator does not support any of the transforms offered by the Responder, it should abandon the negotiation and inform the peer with a NOTIFY message about a non-supported transform. In addition to AES-128-CBC, all implementations SHOULD implement the ESP NULL encryption algorithm. When the ESP NULL encryption is used, it MUST be used together with SHA-256 authentication as specified in Section5.1.25.1.2. When an authentication-only suite is used (NULL, AES-CMAC-96, and AES-GMAC are examples), the suite MUST NOT be accepted if offered by the peer unless the local policy configuration regarding the peer host is explicitly set to allow an authentication-only mode. This is to prevent sessions from being downgraded to an authentication-only mode when one side's policy requests privacy for the session. 3.3.6. Sequence Number The Sequence Number field is MANDATORY when ESP is used with HIP. Anti-replay protection MUST be used in an ESP SA established with HIP. When ESP is used with HIP, a 64-bit sequence number MUST be used. This means that each host MUST rekey before its sequence number reaches 2^64. When using a 64-bit sequence number, the higher 32 bits are NOT included in the ESP header, but are simply kept local to both peers. See [RFC4301]. 3.3.7. Lifetimes and Timers HIP does not negotiate any lifetimes. All ESP lifetimes are local policy. The only lifetimes a HIP implementation MUST support are sequence number rollover (for replay protection), and SHOULD support timing out inactive ESP SAs. An SA times out if no packets are received using that SA. Implementations SHOULD support a configurable SA timeout value. Implementations MAY support lifetimes for the various ESP transforms. Each implementation SHOULD implement per-HIT configuration of the inactivity timeout, allowing statically configured HIP associations to stay alive for days, even when inactive. 3.4. IPsec and HIP ESP Implementation Considerations When HIP is run on a node where a standards compliant IPsec is used, some issues have to be considered. The HIP implementation must be able to co-exist with other IPsec keying protocols. When the HIP implementation selects the SPI value, it may lead to a collision if not implemented properly. To avoid the possibility for a collision, the HIP implementation MUST ensure that the SPI values used for HIP SAs are not used for IPsec or other SAs, and vice versa. Incoming packets using an SA that is not negotiated by HIP MUST NOT be processed as described in Section 3.2, paragraph 2. The SPI will identify the correct SA for packet decryption and MUST be used to identify that the packet has an upper-layer checksum that is calculated as specified in[I-D.ietf-hip-rfc5201-bis].[RFC7401]. 3.4.1. Data Packet Processing Considerations For outbound traffic, the SPDor (coordinated) SPDs(or coordinated SPDs, if there are two(one-- one for HIP and one for IPsec) MUST ensure that packets intended for HIP processing are given a HIP-enabled SA and that packets intended for IPsec processing are given an IPsec-enabled SA. The SP then MUST be bound to the matchingSASA, and non-HIP packets will not be processed by this SA. Data originating from a socket that is not using HIP MUST NOT have the checksum recalculated (as described in Section 3.2, paragraph2)2), and data MUST NOT be passed to the SP or SA created bytheHIP. It is possible that in the case of overlapping policies, the outgoing packet would be handledbothbytheboth IPsec and HIP. In this case, it is possible that the HIP association isend-to-end,end to end, while the IPsec SA is for encryption between the HIP host and aSecurity Gateway.security gateway. In the case of aSecurity Gatewaysecurity gateway ESP association, the ESPusesalways uses tunnel mode. In the case of IPsec tunnel mode, it is hard to see during the HIP SA processing if the IPsec ESP SA has the same final destination. Thus, traffic MUST be encryptedbothwith both the HIP ESP SA andwiththe IPsec SA when the IPsec ESP SA is used in tunnel mode. In the case of IPsec transport mode, the connectionend-pointsendpoints are the same. However, for HIP data packets it is not possible to avoid HIP SA processing, while mapping the HIP data packet's IP addresses to the corresponding HITs requires SPI values from the ESP header. In the case of a transport mode IPsec SA, the IPsec encryption MAY be skipped to avoid double encryption, if the local policy allows. 3.4.2. HIP Signaling Packet Considerations In general, HIP signaling packets should follow the same processing as HIP data packets. In the case of IPsec tunnel mode, the HIP signaling packets are always encrypted using an IPsec ESP SA.Note,Note that this hides the HIP signaling packets from the eventual HIPmiddle boxesmiddleboxes on the path between the originating host and theSecurity Gateway.security gateway. In the case of IPsec transport mode, the HIP signaling packets MAY skip the IPsec ESP SA encryption if the local policy allows. This allows the eventual HIPmiddle boxesmiddleboxes to handle the passing HIP signaling packets. 4. The Protocol In this section, the protocol for setting up an ESP association to be used with a HIP association is described. 4.1. ESP in HIP 4.1.1. IPsec ESP Transport Format Type The HIP handshake signals the TRANSPORT_FORMAT_LIST parameter in the R1 and I2 messages. This parameter contains a list of the supported HIP transport formats of the sendinghosthost, in the order of preference. The transport format type for IPsec ESP is the type number of the ESP_TRANSFORM parameter, i.e., 4095. 4.1.2. Setting Up an ESP Security Association Setting up an ESP Security Association between hosts using HIPconsists of three messages passed between the hosts. Theis performed by including parametersare includedinR1,the last three messages (R1, I2, and R2messages duringmessages) of the four-message HIP base exchange. Initiator Responder I1 ----------------------------------> R1: ESP_TRANSFORM <---------------------------------- I2: ESP_TRANSFORM, ESP_INFO ----------------------------------> R2: ESP_INFO <----------------------------------Setting up an ESP Security Association between HIP hosts requires three messages to exchange the information that is required during an ESP communication.The R1 message contains the ESP_TRANSFORM parameter, in which the sending host defines the possible ESP transforms it is willing to use for the ESP SA. Including the ESP_TRANSFORM parameter in the R1 message adds clarity to theTRANSPORT_FORMAT_LIST,TRANSPORT_FORMAT_LIST but may initiate negotiations for possibly unselected transforms. However, resource-constrained devices will most likely restrict support to a single transform for the sake of minimizing ROMoverheadoverhead, and the additional parameter adds negligible overhead with unconstrained devices. The I2 message contains the response to an ESP_TRANSFORM received in the R1 message. The sender must select one of the proposed ESP transforms from the ESP_TRANSFORM parameter in the R1 message and include the selected one in the ESP_TRANSFORM parameter in the I2 packet. In addition to the transform, the host includes the ESP_INFO parameter containing the SPI value to be used by the peer host. In the R2 message, the ESP SA setup is finalized. The packet contains the SPI information required by the Initiator for the ESP SA. 4.1.3. Updating an Existing ESP SA The update process is accomplished usingtwothree messages. The HIP UPDATE message is used to update the parameters of an existing ESP SA. The UPDATE mechanism and messageisare defined in[I-D.ietf-hip-rfc5201-bis],[RFC7401], and the additional parameters for updating an existing ESP SA are described here. The following picture shows a typical exchange when an existing ESP SA is updated. Messages include SEQ and ACK parameters required by the UPDATE mechanism. H1 H2 UPDATE: SEQ, ESP_INFO [, DIFFIE_HELLMAN] -----------------------------------------------------> UPDATE: SEQ, ACK, ESP_INFO [, DIFFIE_HELLMAN] <----------------------------------------------------- UPDATE: ACK -----------------------------------------------------> The host willing to update the ESP SA creates and sends an UPDATE message. The message contains the ESP_INFO parameter containing the old SPI value that was used, the new SPI value to be used, and the index value for the keying material, giving the point from where the next keys will be drawn. If new keying material must be generated, the UPDATE message will also contain the DIFFIE_HELLMAN parameter defined in[I-D.ietf-hip-rfc5201-bis].[RFC7401]. The host receiving the UPDATE message requesting update of an existing ESP SA MUST reply with an UPDATE message. In the reply message, the host sends the ESP_INFO parameter containing the corresponding values: old SPI, new SPI, and the keying material index. If the incoming UPDATE contained a DIFFIE_HELLMAN parameter, the reply packet MUST also contain a DIFFIE_HELLMAN parameter. 5. Parameter and Packet Formats In this section, new and modified HIP parameters are presented, as well as modified HIP packets. 5.1. New Parameters TwonewHIP parameters are defined for setting up ESP transport format associations in HIP communication and for rekeying existing ones. Also, the NOTIFICATION parameter, described in[I-D.ietf-hip-rfc5201-bis],[RFC7401], has twonewerrorparameters.values defined for this specification. Parameter Type Length Data ESP_INFO 65 12 Remote's old SPI, new SPI, and other info ESP_TRANSFORM 4095 variable ESP Encryption and Authentication Transform(s) 5.1.1. ESP_INFO During the establishment and update of an ESP SA, the SPI value of both hosts must be transmitted between the hosts. In addition, hosts need the index value to the KEYMAT when they are drawing keys from the generated keying material. The ESP_INFO parameter is used to transmit the SPI values and the KEYMAT index information between the hosts. During the initial ESP SA setup, the hosts send the SPI value that they want the peer to use when sending ESP data to them. The value is set in the NEW SPI field of the ESP_INFO parameter. In the initial setup, an old value for the SPI does notexist, thusexist; thus, the OLD SPIvaluefield value is set to zero. The OLD SPI field value may also be zero when additional SAs are set up between HIP hosts, e.g., in the case of multihomed HIP hosts [RFC5206]. However, such use is beyond the scope of this specification. The KEYMAT index value points to the place in the KEYMAT from where the keying material for the ESP SAs is drawn. The KEYMAT index value is zero only when the ESP_INFO is sent during a rekeying process and new keying material is generated. During the life of an SA established by HIP, one of the hosts may need to reset the Sequence Number to one and rekey. The reason for rekeying might be an approaching sequence number wrap in ESP, or a local policy on the use of a key. Rekeying ends the current SAs and starts new ones on both peers. During the rekeying process, the ESP_INFO parameter is used to transmit the changed SPI values and the keying material index. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | KEYMAT Index | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OLD SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | NEW SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 65 Length 12 KEYMAT IndexIndex,index, in bytes, where to continue to draw ESP keys from KEYMAT. If the packet includes a new Diffie-Hellman key and the ESP_INFO is sent in an UPDATE packet, the field MUST be zero. If the ESP_INFO is included in base exchange messages, the KEYMAT Index must have the index value of the point from where the ESP SA keys are drawn. Note that the length of this field limits the amount of keying material that can be drawn from KEYMAT. If that amount is exceeded, the packet MUST contain a new Diffie-Hellman key. OLD SPI old SPI for data sent to address(es) associated with this SA. If this is an initial SA setup, the OLD SPI value is zero. NEW SPI new SPI for data sent to address(es) associated with this SA. 5.1.2. ESP_TRANSFORM The ESP_TRANSFORM parameter is used during ESP SA establishment. The first party sends a selection of transform families in the ESP_TRANSFORM parameter, and the peer must select one of the proposed values and include it in the response ESP_TRANSFORM parameter. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Suite ID #1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Suite ID #2 | Suite ID #3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Suite ID #n | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 4095 Length length in octets, excluding Type, Length, andpaddingpadding. Reserved zero when sent, ignored whenreceivedreceived. Suite ID defines the ESP Suite to beusedused. The following Suite IDs can be used: Suite ID Value RESERVED 0 [RFC7402] AES-128-CBC with HMAC-SHA1 1 [RFC3602], [RFC2404] DEPRECATED 2 [RFC7402] DEPRECATED 3 [RFC7402] DEPRECATED 4 [RFC7402] DEPRECATED 5 [RFC7402] DEPRECATED 6 [RFC7402] NULL with HMAC-SHA-256 7 [RFC2410], [RFC4868] AES-128-CBC with HMAC-SHA-256 8 [RFC3602], [RFC4868] AES-256-CBC with HMAC-SHA-256 9 [RFC3602], [RFC4868] AES-CCM-8 10 [RFC4309] AES-CCM-16 11 [RFC4309] AES-GCM witha 8 octetan 8-octet ICV 12 [RFC4106] AES-GCM with a16 octet16-octet ICV 13 [RFC4106] AES-CMAC-96 14 [RFC4493], [RFC4494] AES-GMAC 15 [RFC4543] The sender of an ESP transform parameter MUST make sure that there are no more than six (6) Suite IDs in one ESP transform parameter. Conversely, a recipient MUST be prepared to handle received transform parameters that contain more than six Suite IDs. The limited number of Suite IDs sets the maximum size of the ESP_TRANSFORM parameter. As the default configuration, the ESP_TRANSFORM parameter MUST contain at least one of the mandatory Suite IDs. There MAY be a configuration option that allows the administrator to override this default. Mandatory implementations: AES-128-CBC with HMAC-SHA-256. NULL with HMAC-SHA-256 SHOULD also be supported (see also Section 3.3.5). Under some conditions, it is possible to use Traffic Flow Confidentiality (TFC) [RFC4303] with ESP in BEET mode. However, the definition of such an operation is left for future work and must be done in a separate specification. 5.1.3. NOTIFICATION Parameter The HIP base specification defines a set of NOTIFICATION error types. The following error types are required for describing errors in ESP Transform crypto suites during negotiation. NOTIFICATION PARAMETER - ERROR TYPES Value ------------------------------------ ----- NO_ESP_PROPOSAL_CHOSEN 18 None of the proposed ESP Transform crypto suites was acceptable. INVALID_ESP_TRANSFORM_CHOSEN 19 The ESP Transform crypto suite does not correspond to one offered by the Responder. 5.2. HIP ESP Security Association Setup The ESP Security Association is set up during the base exchange. The following subsections define the ESP SA setup procedure using both base exchange messages (R1, I2, R2) and UPDATE messages. 5.2.1. SetupDuringduring Base Exchange 5.2.1.1. Modifications in R1 The ESP_TRANSFORM contains the ESP modes supported by the sender, in the order of preference. All implementations MUST supportAES- 128-CBCAES-128-CBC [RFC3602] with HMAC-SHA-256 [RFC4868]. The following figure shows the resulting R1 packet layout. The HIP parameters for the R1 packet: IP ( HIP ( [ R1_COUNTER, ] PUZZLE, DIFFIE_HELLMAN, HIP_CIPHER, ESP_TRANSFORM, HOST_ID, [ ECHO_REQUEST, ] HIP_SIGNATURE_2 ) [, ECHO_REQUEST ]) 5.2.1.2. Modifications in I2 The ESP_INFO contains the sender's SPI for this association as well as the KEYMAT index from where the ESP SA keys will be drawn. The old SPI value is set to zero. The ESP_TRANSFORM contains the ESP mode selected by the sender of R1. All implementations MUST support AES-128-CBC [RFC3602] withHMAC- SHA-256HMAC-SHA-256 [RFC4868]. The following figure shows the resulting I2 packet layout. The HIP parameters for the I2 packet: IP ( HIP ( ESP_INFO, [R1_COUNTER,] SOLUTION, DIFFIE_HELLMAN, HIP_CIPHER, ESP_TRANSFORM, ENCRYPTED { HOST_ID }, [ ECHO_RESPONSE ,] HMAC, HIP_SIGNATURE [, ECHO_RESPONSE] ) ) 5.2.1.3. Modifications in R2 The R2 contains an ESP_INFO parameter, which has the SPI value of the sender of the R2 for this association. The ESP_INFO also has the KEYMAT index value specifying where the ESP SA keys are drawn. The following figure shows the resulting R2 packet layout. The HIP parameters for the R2 packet: IP ( HIP ( ESP_INFO, HMAC_2, HIP_SIGNATURE ) ) 5.3. HIP ESP Rekeying In this section, the procedure for rekeying an existing ESP SA is presented. Conceptually, the process can be represented by the following message sequence using the host names I' and R' defined in Section 3.3.2. For simplicity, HMAC and HIP_SIGNATURE are not depicted, and DIFFIE_HELLMAN keys are optional. The UPDATE with ACK_I need not be piggybacked with the UPDATE with SEQ_R; it may be ACKed separately (in which case the sequence would include four packets). I' R' UPDATE(ESP_INFO, SEQ_I, [DIFFIE_HELLMAN]) -----------------------------------> UPDATE(ESP_INFO, SEQ_R, ACK_I, [DIFFIE_HELLMAN]) <----------------------------------- UPDATE(ACK_R) -----------------------------------> Below, the first two packets in this figure are explained. 5.3.1. Initializing Rekeying When HIP is used with ESP, the UPDATE packet is used to initiate rekeying. The UPDATE packet MUST carry an ESP_INFO and MAY carry a DIFFIE_HELLMAN parameter. Intermediate systems that use the SPI will have to inspect HIP packets for those that carry rekeying information. The packet is signed for the benefit of the intermediate systems. Since intermediate systems may need the new SPI values, the contents cannot be encrypted. The following figure shows the contents of a rekeying initialization UPDATE packet. The HIP parameters for the UPDATE packet initiating rekeying: IP ( HIP ( ESP_INFO, SEQ, [DIFFIE_HELLMAN, ] HMAC, HIP_SIGNATURE ) ) 5.3.2. Responding to the Rekeying Initialization The UPDATE ACK is used to acknowledge the received UPDATE rekeying initialization. The acknowledgment UPDATE packet MUST carry an ESP_INFO and MAY carry a DIFFIE_HELLMAN parameter. Intermediate systems that use the SPI will have to inspect HIP packets for packets carrying rekeying information. The packet is signed for the benefit of the intermediate systems. Since intermediate systems may need the new SPI values, the contents cannot be encrypted. The following figure shows the contents of a rekeying acknowledgment UPDATE packet. The HIP parameters for the UPDATE packet: IP ( HIP ( ESP_INFO, SEQ, ACK, [ DIFFIE_HELLMAN, ] HMAC, HIP_SIGNATURE ) ) 5.4. ICMP Messages ICMP message handling is mainly described in the HIP base specification[I-D.ietf-hip-rfc5201-bis].[RFC7401]. In this section, we describe the actions related to ESP security associations. 5.4.1. Unknown SPI If a HIP implementation receives an ESP packet that has an unrecognized SPI number, it MAY respond (subject to rate limiting the responses) with an ICMP packet with type "Parameter Problem", with the pointer pointing to the beginning of the SPI field in the ESP header. 6. Packet Processing Packet processing is mainly defined in the HIP base specification[I-D.ietf-hip-rfc5201-bis].[RFC7401]. This section describes the changes and new requirements for packet handling when the ESP transport format is used. Note that all HIP packets (currently protocol 139) MUST bypass ESP processing. 6.1. Processing Outgoing Application Data Outgoing application data handling is specified in the HIP base specification[I-D.ietf-hip-rfc5201-bis].[RFC7401]. When the ESP transport format is used, and there is an active HIP session for the given < source, destination > HIT pair, the outgoing datagram is protected using the ESP security association. The following additional steps define the conceptual processing rules for outgoing ESP protected datagrams. 1. Detect the proper ESP SA using the HITs in the packet header or other information associated with thepacketpacket. 2. Process the packet normally, as if the SA was a transport mode SA. 3. Ensure that the outgoing ESP protected packet has proper IP headerformatformat, depending on the used IP address family, and proper IP addresses in its IP header, e.g., by replacing HITs left by the ESP processing. Note that this placement of proper IP addresses MAY also be performed at some other point in the stack, e.g., before ESP processing. 6.2. Processing Incoming Application Data Incoming HIP user data packets arrive as ESP protected packets. In the usual case, the receiving host has a corresponding ESP security association, identified by the SPI and destination IP address in the packet. However, if the host has crashed or otherwise lost its HIP state, it may not have such an SA. The basic incoming data handling is specified in the HIP base specification. Additional steps are required when ESP is used for protecting the data traffic. The following steps define the conceptual processing rules for incoming ESP protected datagrams targeted to an ESP security association created with HIP. 1. Detect the proper ESP SA using the SPI. If the resulting SA is a non-HIP ESP SA, process the packet according to standard IPsec rules. If there are no SAs identified with the SPI, the host MAY send an ICMP packet as defined in Section 5.4. How to handle lost state is an implementation issue. 2. If the SPI matches with an active HIP-based ESP SA, the IP addresses in the datagram are replaced with the HITs associated with the SPI. Note that this IP-address-to-HIT conversion step MAY also be performed at some other point in the stack, e.g., after ESP processing. Note also that if the incoming packet has IPv4 addresses, the packet must be converted to IPv6 format before replacing the addresses with HITs (such that the transport checksum will pass if there are no errors). 3. The transformed packet is next processed normally by ESP, as if the packet were a transport mode packet. The packet may be dropped by ESP, as usual. In a typical implementation, the result of successful ESP decryption and verification is a datagram with the associated HITs as source and destination. 4. The datagram is delivered to the upper layer. Demultiplexing the datagram to the rightupper layerupper-layer socket is performed as usual, except that the HITs are used in place of IP addresses during the demultiplexing. 6.3. HMAC and SIGNATURE Calculation and Verification The new HIP parameters described in this document, ESP_INFO and ESP_TRANSFORM, must be protected using HMAC and signature calculations. In a typical implementation, they are included in R1, I2, R2, and UPDATE packet HMAC and SIGNATURE calculations as described in[I-D.ietf-hip-rfc5201-bis].[RFC7401]. 6.4. Processing Incoming ESP SA Initialization (R1) The ESP SA setup is initialized in the R1 message. The receiving host (Initiator) selects one of the ESP transforms from the presented values. If no suitable value is found, the negotiation is terminated. The selected values are subsequently used when generating and using encryption keys, and when sending the reply packet. If the proposed alternatives are not acceptable to the system, it may abandon the ESP SA establishment negotiation, or it may resend the I1 message within the retry bounds. After selecting the ESP transform and performing other R1 processing, the system prepares and creates an incoming ESP security association. It may also prepare a security association for outgoing traffic, but since it does not have the correct SPI value yet, it cannot activate it. 6.5. Processing Incoming Initialization Reply (I2) The following steps are required to process the incoming ESP SA initialization replies in I2. The steps below assume that the I2 has been accepted for processing (e.g., has not been dropped due to HIT comparisons as described in[I-D.ietf-hip-rfc5201-bis]).[RFC7401]). o The ESP_TRANSFORM parameter isverifiedverified, and it MUST contain a single value in theparameter,parameter; and it MUST match one of the values offered in the initialization packet. o The ESP_INFO NEW SPI field is parsed to obtain the SPI that will be used for the Security Association outbound from the Responder and inbound to the Initiator. For this initial ESP SA establishment, the old SPI value MUST be zero. The KEYMAT Index field MUST contain the index value to the KEYMAT from where the ESP SA keys are drawn. o The system prepares and creates both incoming and outgoing ESP security associations. o Upon successful processing of the initialization reply message, the possible old Security Associations (as left over from an earlier incarnation of the HIP association) are dropped and the new ones are installed, and a finalizing packet, R2, is sent. Possible ongoing rekeying attempts are dropped. 6.6. Processing Incoming ESP SA Setup Finalization (R2) Before the ESP SA can be finalized, the ESP_INFO NEW SPI field is parsed to obtain the SPI that will be used for the ESP Security Association inbound to the sender of the finalization message R2. The system uses this SPI to create or activate the outgoing ESP security association used for sending packets to the peer. 6.7. Dropping HIP Associations When the system drops a HIP association, as described in the HIP base specification, the associated ESP SAs MUST also be dropped. 6.8. Initiating ESP SA Rekeying During ESP SA rekeying, the hosts draw new keys from the existing keying material, or new keying material is generated from where the new keys are drawn. A system may initiate the SA rekeying procedure at any time. It MUST initiate a rekey if its incoming ESP sequence counter is about to overflow. The system MUST NOT replace its keying material until the rekeying packet exchange successfully completes. Optionally, a system may include a new Diffie-Hellman key for use in new KEYMAT generation. New KEYMAT generation occurs prior to drawing the new keys. The rekeying procedure uses the UPDATE mechanism defined in[I-D.ietf-hip-rfc5201-bis].[RFC7401]. Because each peer must update its half of the security association pair (including new SPI creation), the rekeying process requires that each side both send and receive an UPDATE. A system will then rekey the ESP SA when it has sent parameters to the peer and has received both an ACK of the relevant UPDATE message and corresponding peer's parameters. It may be that the ACK and the required HIP parameters arrive in different UPDATE messages. This is always true if a system does not initiate an ESP SA update but responds to an update request from the peer, and may also occur if two systems initiate update nearly simultaneously. In such a case, if the system has an outstanding update request, it saves the one parameter and waits for the other before completing rekeying. The following steps define the processing rules for initiating an ESP SA update: 1. The system decides whether to continue to use the existing KEYMAT or to generate a new KEYMAT. In the latter case, the system MUST generate a new Diffie-Hellman public key. 2. The system creates an UPDATE packet, which contains the ESP_INFO parameter. In addition, the host may include the optional DIFFIE_HELLMAN parameter. If the UPDATE contains the DIFFIE_HELLMAN parameter, the KEYMAT Index in the ESP_INFO parameter MUST be zero, and the Diffie-HellmangroupGroup ID must be unchanged from that used in the initial handshake. If the UPDATE does not contain DIFFIE_HELLMAN, the ESP_INFO KEYMAT Index MUST be greater than or equal to the index of the next byte to be drawn from the current KEYMAT. 3. The system sends the UPDATE packet. For reliability, the underlying UPDATE retransmission mechanism MUST be used. 4. The system MUST NOT delete its existing SAs, but continue using them if its policy still allows. The rekeying procedure SHOULD be initiated early enough to make sure that the SA replay counters do not overflow. 5. In case a protocol error occurs and the peer system acknowledges the UPDATE but does not itself send an ESP_INFO, the system may not finalize the outstanding ESP SA update request. To guard against this, a system MAY re-initiate the ESP SA update procedure after some time waiting for the peer to respond, or it MAY decide to abort the ESP SA after waiting for an implementation-dependent time. The system MUST NOT keep an outstanding ESP SA update request for an indefinite time. To simplify the state machine, a host MUST NOT generate new UPDATEs while it has an outstanding ESP SA update request, unless it is restarting the update process. 6.9. Processing Incoming UPDATE Packets When a system receives an UPDATE packet, it must be processed if the following conditions hold (in addition to the generic conditions specified for UPDATE processing in Section 6.12 of[I-D.ietf-hip-rfc5201-bis]):[RFC7401]): 1. A corresponding HIP association must exist. This is usually ensured by the underlying UPDATE mechanism. 2. The state of the HIP association is ESTABLISHED or R2-SENT. If the above conditions hold, the following steps define the conceptual processing rules for handling the received UPDATE packet: 1. If the received UPDATE contains a DIFFIE_HELLMAN parameter, the received KEYMAT Index MUST be zero and the Group ID must match the Group ID in use on the association. If this test fails, the packet SHOULD be dropped and the system SHOULD log an error message. 2. If there is no outstanding rekeying request, the packet processing continues as specified in Section 6.9.1. 3. If there is an outstanding rekeying request, the UPDATE MUST be acknowledged, the received ESP_INFO (and possibly DIFFIE_HELLMAN) parameters must be saved, and the packet processing continues as specified in Section 6.10. 6.9.1. Processing UPDATE Packet: No Outstanding Rekeying Request The following steps define the conceptual processing rules for handling a received UPDATE packet with the ESP_INFO parameter: 1. The system consults its policy to see if it needs to generate a new Diffie-Hellman key, and generates a new key (with same Group ID) if needed. The system records any newly generated or received Diffie-Hellman keys for use in KEYMAT generation upon finalizing the ESP SA update. 2. If the system generated a new Diffie-Hellman key in the previous step, or if it received a DIFFIE_HELLMAN parameter, it sets the ESP_INFO KEYMAT Index to zero. Otherwise, the ESP_INFO KEYMAT Index MUST be greater than or equal to the index of the next byte to be drawn from the current KEYMAT. In this case, it is RECOMMENDED that the host use the KEYMAT Index requested by the peer in the received ESP_INFO. 3. The system creates an UPDATE packet, which contains an ESP_INFO parameter and the optional DIFFIE_HELLMAN parameter. This UPDATE would also typically acknowledge the peer's UPDATE with an ACK parameter, although a separate UPDATE ACK may be sent. 4. The system sends the UPDATE packet and stores any received ESP_INFO and DIFFIE_HELLMAN parameters. At this point, it only needs to receive an acknowledgment for the newly sent UPDATE to finish the ESP SA update. In the usual case, the acknowledgment is handled by the underlying UPDATE mechanism. 6.10. Finalizing Rekeying A system finalizes rekeying when it has both received the corresponding UPDATE acknowledgment packet from the peer andit hassuccessfully received the peer's UPDATE. The following steps are taken: 1. If the received UPDATE messages contain a new Diffie-Hellman key, the system has a new Diffie-Hellman key due to initiating an ESP SA update, or both, the system generates a new KEYMAT. If there is only one new Diffie-Hellman key, the old existing key is used as the other key. 2. If the system generated a new KEYMAT in the previous step, it sets the KEYMAT Index to zero, independent of whether the received UPDATE included a Diffie-Hellman key or not. If the system did not generate a new KEYMAT, it uses the greater KEYMAT Index of the two (sent and received) ESP_INFO parameters. 3. The system draws keys for new incoming and outgoing ESP SAs, starting from the KEYMAT Index, and prepares new incoming and outgoing ESP SAs. The SPI for the outgoing SA is the new SPI value received in an ESP_INFO parameter. The SPI for the incoming SA was generated when the ESP_INFO was sent to the peer. The order of the keys retrieved from the KEYMAT during the rekeying process is similar to that described in Section 7.Note,Note that only IPsec ESP keys are retrieved during the rekeying process, not the HIP keys. 4. The system starts to send to the new outgoing SA and prepares to start receiving data on the new incoming SA. Once the system receives data on the new incoming SA, it may safely delete the old SAs. 6.11. Processing NOTIFY Packets The processing of NOTIFY packets is described in the HIP base specification. 7. Keying Material The keying material is generated as described in the HIP base specification. During the base exchange, the initial keys are drawn from the generated material. After the HIP association keys have been drawn, the ESP keys are drawn in the following order: SA-gl ESP encryption key for HOST_g's outgoing traffic SA-gl ESP authentication key for HOST_g's outgoing traffic SA-lg ESP encryption key for HOST_l's outgoing traffic SA-lg ESP authentication key for HOST_l's outgoing traffic HOST_g denotes the host with the greater HIT value, and HOST_l denotes the host with the lower HIT value. When HIT values are compared, they are interpreted as positive (unsigned) 128-bit integers in network byte order. The four HIP keys are only drawn from KEYMAT during a HIP I1->R2 exchange. Subsequent rekeys using UPDATE will only draw the four ESP keys from KEYMAT. Section 6.9 describes the rules for reusing or regenerating KEYMAT based on the rekeying. The number of bits drawn for a given algorithm is the "natural" size of the keys, as specified in Section 6.5 of[I-D.ietf-hip-rfc5201-bis].[RFC7401]. 8. Security Considerations In this document, the usage of ESP [RFC4303] between HIP hosts to protect data traffic is introduced. TheSecurity Considerationssecurity considerations for ESP are discussed in the ESP specification. There are different ways to establish an ESP Security Association between two nodes. This can be done, e.g., using IKE[RFC5996].[RFC7296]. This document specifies how the Host Identity Protocol is used to establish ESP Security Associations. The following issues are new or have changed from the standard ESP usage: o Initial keying material generation o Updating the keying material The initial keying material is generated using the Host Identity Protocol[I-D.ietf-hip-rfc5201-bis][RFC7401] using the Diffie-Hellman procedure. This document extends the usage of the UPDATE packet, defined in the base specification, to modify existing ESP SAs. The hosts may rekey, i.e., force the generation of new keying material using the Diffie-Hellman procedure. The initial setup of ESPSASAs between the hosts is done during the base exchange, and the message exchange is protected using methods provided by the base exchange. Changes in connection parametersmeansbasically mean that the old ESP SA is removed and a new one is generated once the UPDATE message exchange has been completed. The message exchange is protected using the HIP association keys. Both HMAC and signing of packetsisare used. 9. IANA Considerations The following changes to the "Host Identity Protocol (HIP) Parameters" registriesare requested.have been made. In all cases, the changesrequired are to updateupdated the reference from [RFC5202] to this specification. This document defines two Parameter Types and two NOTIFY Message Types for the Host Identity Protocol[I-D.ietf-hip-rfc5201-bis].[RFC7401]. The parameters and their type numbers are defined inSectionSections 5.1.1 andSection5.1.2, and they have been added to theParameter Type"Parameter Types" namespace created by[I-D.ietf-hip-rfc5201-bis].[RFC7401]. No new action regarding these valuesareis required by this specification, other than updating the reference from [RFC5202] to this specification. The newNOTIFYNOTIFICATION error types and their values are defined in Section 5.1.3, and they have been added to theNotify"Notify MessageTypeTypes" namespace created by[I-D.ietf-hip-rfc5201-bis].[RFC7401]. No new action regarding these valuesareis required by this specification, other than updating the reference from [RFC5202] to this specification.10. Acknowledgments ThisSection 5.1.2 of this documentwas separated from the base "Host Identity Protocol" specificationdefines values for "ESP Transform Suite IDs", which are registered inthe beginning of 2005. Since then,anumber of people have contributed to the text by providing comments and modification proposals. The list of people include Tom Henderson, Jeff Ahrenholz, Jan Melen, Jukka Ylitalo, and Miika Komu. Especially, the authors want to thank Pekka Nikandernew IANA registry, with an "IETF Review" registration procedure [RFC5226] forhis invaluable contributions to the document since the first draft version. The authors want to thank also Charlie Kaufmannew values. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words forreviewing the document with his eye on the usage of crypto algorithms. Dueuse in RFCs tothe history of this document, most of the ideas are inherited from the base "Host Identity Protocol" specification. Thus, the list of people in the Acknowledgments section of that specification is also valid for this document. Many people have given valuable feedback, and our apologies to anyone whose name is missing. 11. References 11.1. Normative references [I-D.ietf-hip-rfc5201-bis] Moskowitz, R., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", draft-ietf- hip-rfc5201-bis-14 (work in progress), October 2013. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2404] Madson, C. and R. Glenn, "The UseIndicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November1998.1998, <http://www.rfc-editor.org/info/rfc2404>. [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec", RFC 2410, November1998.1998, <http://www.rfc-editor.org/info/rfc2410>. [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher Algorithm and Its Use with IPsec", RFC 3602, September2003.2003, <http://www.rfc-editor.org/info/rfc3602>. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June2005.2005, <http://www.rfc-editor.org/ info/rfc4106>. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December2005.2005, <http://www.rfc-editor.org/ info/rfc4303>. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December2005.2005, <http://www.rfc-editor.org/ info/rfc4309>. [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, June2006.2006, <http://www.rfc-editor.org/info/rfc4493>. [RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96 Algorithm and Its Use with IPsec", RFC 4494, June2006.2006, <http://www.rfc-editor.org/info/rfc4494>. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May2006.2006, <http://www.rfc-editor.org/info/rfc4543>. [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256,HMAC-SHA- 384,HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868, May2007. 11.2.2007, <http://www.rfc-editor.org/info/rfc4868>. [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, April 2015, <http://www.rfc-editor.org/ info/rfc7401>. 10.2. Informativereferences [I-D.ietf-hip-rfc4423-bis]References [HIP-ARCH] Moskowitz,R.R., Ed., and M. Komu, "Host Identity Protocol Architecture",draft-ietf-hip-rfc4423-bis-08 (workWork inprogress), AprilProgress, draft-ietf-hip-rfc4423-bis-09, October 2014. [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September1981.1981, <http://www.rfc-editor.org/info/rfc791>. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December2005.2005, <http://www.rfc-editor.org/info/rfc4301>. [RFC5202] Jokela, P., Moskowitz, R., and P. Nikander, "Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)", RFC 5202, April2008.2008, <http://www.rfc-editor.org/info/rfc5202>. [RFC5206] Nikander, P., Henderson, T., Vogt, C., and J. Arkko,"End- Host"End-Host Mobility and Multihoming with the Host Identity Protocol", RFC 5206, April2008.2008, <http://www.rfc-editor.org/info/rfc5206>. [RFC5207] Stiemerling, M., Quittek, J., and L. Eggert, "NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication", RFC 5207, April2008.2008, <http://www.rfc-editor.org/info/rfc5207>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May2008.2008, <http://www.rfc-editor.org/info/rfc5226>. [RFC5770] Komu, M., Henderson, T., Tschofenig, H., Melen, J., and A. Keranen, "Basic Host Identity Protocol (HIP) Extensions for Traversal of Network Address Translators", RFC 5770, April2010. [RFC5996]2010, <http://www.rfc-editor.org/info/rfc5770>. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y.,and P.Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC5996, September 2010.7296, October 2014, <http://www.rfc-editor.org/info/rfc7296>. Appendix A. A Note on Implementation Options It is possible to implement this specification in multiple different ways. As noted above, one possible way of implementing this is to rewrite IP headers below IPsec. In such an implementation, IPsec is used as if it was processing IPv6 transport mode packets, with the IPv6 header containing HITs instead of IP addresses in the source and destination address fields. In outgoing packets, after IPsec processing, the HITs are replaced with actual IP addresses, based on the HITs and the SPI. In incoming packets, before IPsec processing, the IP addresses are replaced with HITs, based on the SPI in the incoming packet. In such an implementation, all IPsec policies are based on HITs and the upper layers only see packets with HITs in the place of IP addresses. Consequently, support of HIP does not conflict with other uses of IPsec as long as the SPI spaces are kept separate. Appendix B describes another way to implement this specification. Appendix B. Bound End-to-End TunnelmodeMode for ESP This section introduces an alternative way of implementing the necessary functions for HIP ESP transport. Compared to the option of implementing the required address rewrites outside of IPsec, BEET has oneimplementation levelimplementation-level benefit. InBEET-way of implementing,a BEET-mode-based implementation, theaddress rewritingaddress-rewriting information is kept in one place, at the SAD. On the other hand, when address rewriting is implemented separately, the implementation MUST make sure that the information in the SAD and the information in the separateaddress rewriting DBaddress-rewriting database are kept in synchrony. As a result, the BEET-mode-based way of implementing this specification is RECOMMENDED over the separateimplementationimplementation, as itkeeps thebinds the identities,encryptionencryption, and locators tightly together. It should be noted that implementing BEET mode doesn't require that corresponding hosts implementitit, as the behavior is only visible internally in a host.TheBEET mode is a combination of IPsec tunnel and transportmodesmodes, and it provides some of the features from both.TheHIP uses HITs as the "inner" addresses and IP addresses as "outer" addresses, like IP addresses are used inthetunnel mode. Instead of tunneling packets between hosts, a conversion between inner and outer addresses is made atend-hostsend hosts, and the inner address is never sent on the wire after the initial HIP negotiation. BEET provides IPsec transport mode syntax (no inner headers) with limited tunnel mode semantics (fixed logical inner addresses--- the HITs--- and changeable outer IP addresses). B.1. ProtocoldefinitionDefinition In thissectionsection, we define the exact protocol formats and operations. B.1.1. Changes to Security Associationdata structuresData Structures A BEET mode Security Association contains the same data as a regular tunnel mode Security Association, with the exception that the inner selectors must be single addresses and cannot be subnets. The data includes the following: o A pair of inner IP addresses. o A pair of outer IP addresses. o Cryptographic keys and other data as defined inRFC4301 [RFC4301]Section4.4.2.4.4.2 of RFC 4301 [RFC4301]. A conforming implementation MAY store the data in a way similar to a regular tunnel mode Security Association. Note that in a conforming implementation the inner and outer addresses MAY belong to different address families. All implementations that support both IPv4 and IPv6 SHOULD support both IPv4-over-IPv6 and IPv6-over-IPv4 tunneling. B.1.2. PacketformatFormat The wire packet format is identical to the ESP transport mode wire format as defined in[RFC4303]Section3.1.1.3.1.1 of [RFC4303]. However, the resulting packet contains outer IP addresses instead of the inner IP addresses received from the upper layer. The construction of the outer headers is defined inRFC4301 [RFC4301]Section5.1.2.5.1.2 of RFC 4301 [RFC4301]. The following diagram illustrates ESP BEET mode positioning for typical IPv4 and IPv6 packets. IPv4 INNER ADDRESSES -------------------- BEFORE APPLYING ESP ------------------------------ | inner IP hdr | | | | | TCP | Data | ------------------------------ AFTER APPLYING ESP, OUTER v4 ADDRESSES ---------------------------------------------------- | outer IP hdr | | | | ESP | ESP | | (any options) | ESP | TCP | Data | Trailer | ICV | ---------------------------------------------------- |<---- encryption ---->| |<-------- integrity ------->| AFTER APPLYING ESP, OUTER v6 ADDRESSES ------------------------------------------------------ | outer | new ext | | | | ESP | ESP | | IP hdr |hdrs.hdrs | ESP | TCP | Data | Trailer| ICV | ------------------------------------------------------ |<--- encryption ---->| |<------- integrity ------->| IPv4 INNER ADDRESSES with options --------------------------------- BEFORE APPLYING ESP ------------------------------ | inner IP hdr | | | | + options | TCP | Data | ------------------------------ AFTER APPLYING ESP, OUTER v4 ADDRESSES ---------------------------------------------------------- | outer IP hdr | | | | | ESP | ESP | | (any options) | ESP | PH | TCP | Data | Trailer | ICV | ---------------------------------------------------------- |<------- encryption ------->| |<----------- integrity ---------->| AFTER APPLYING ESP, OUTER v6 ADDRESSES ------------------------------------------------------------ | outer | new ext | | | | | ESP | ESP | | IP hdr |hdrs.hdrs | ESP | PH | TCP | Data | Trailer| ICV | ------------------------------------------------------------ |<------ encryption ------->| |<---------- integrity ---------->| PH Pseudo Header for IPv4 options IPv6 INNER ADDRESSES -------------------- BEFORE APPLYING ESP ------------------------------------------ | | ext hdrs | | | | inner IP hdr | if present | TCP | Data | ------------------------------------------ AFTER APPLYING ESP, OUTER v6 ADDRESSES -------------------------------------------------------------- | outer | new ext | | dest | | | ESP | ESP | | IP hdr |hdrs.hdrs | ESP | opts.| TCP | Data | Trailer | ICV | -------------------------------------------------------------- |<---- encryption ---->| |<------- integrity ------>| AFTER APPLYING ESP, OUTER v4 ADDRESSES ---------------------------------------------------- | outer | | dest | | | ESP | ESP | | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV | ---------------------------------------------------- |<------- encryption -------->| |<----------- integrity ----------->| B.1.3. CryptographicprocessingProcessing The outgoing packets MUST be protected exactly as in ESP transport mode [RFC4303]. That is, theupper layerupper-layer protocol packet is wrapped into an ESP header, encrypted, and authenticated exactly as if regular transport mode was used. The resulting ESP packet is subject to IP header processing as defined inAppendixAppendices B.1.4 andAppendixB.1.5. The incoming ESP protected messages are verified and decrypted exactly as if regular transport mode was used. The resultingclear textcleartext packet is subject to IP header processing as defined inAppendixAppendices B.1.4 andAppendixB.1.6. B.1.4. IPheader processingHeader Processing The biggest difference betweentheBEET mode and the other two modes is in IP header processing. In the regular transportmodemode, the IP header is kept intact. In the regular tunnelmodemode, an outer IP header is created on output and discarded on input. IntheBEETmodemode, the IP header is replaced with another one on both input and output. On the BEET mode output side, the IP header processing MUST first ensure that the IP addresses in the original IP header contain the inner addresses as specified in the SA. This MAY be ensured by proper policy processing, and it is possible that no checks are needed at the time of SAprocessing time.processing. Once the IP header has been verified to contain the right IP inner addresses, it is discarded. A new IP header is created, using the fields of the discarded inner headeras a hint for other fields but(except the IPaddresses.addresses) to populate the fields of the new outer header. The IP addresses in the new header MUST be the outer tunnel addresses. On the input side, the received IP header is simply discarded. Since the packet has been decrypted and verified, no further checks are necessary. A new IPheader,header corresponding to atunnelBEET mode innerheader,header is created, using the fields of the discarded outer headeras a hint for other fields but(except the IPaddresses.addresses) to populate the fields of the new inner header. The IP addresses in the new header MUST be the inner addresses. As the outer header fields are used as a hint for creating the inner header, it must be noted that the inner header differs as compared totunnel-modea tunnel mode inner header. In BEETmodemode, the inner header will have theTTL, DF-bitTime to Live (TTL), Don't Fragment (DF) bit, and other option values from the outer header. The TTL,DF-bitDF bit, and other option values of the inner header MUST be processed by the stack. B.1.5. Handling ofoutgoing packetsOutgoing Packets The outgoing BEET mode packets are processed as follows: 1. The system MUST verify that the IP header contains the inner source and destination addresses, exactly as defined in the SA. This verification MAY be explicit, or it MAY be implicit, for example, as a result of prior policy processing. Note that in some implementations there may be no real IP header at this time but the source and destination addresses may be carriedout-of-out of band.In caseIf the source address is still unassigned, it SHOULD be ensured that the designated inner source address would be selected at a later stage. 2. The IP payload (the contents of the packet beyond the IP header) is wrapped into an ESP header as defined in[RFC4303]Section3.3.3.3 of [RFC4303]. 3. A new IP header is constructed, replacing the original one. The new IP header MUST contain the outer source and destination addresses, as defined in the SA. Note that in some implementations there may be no real IP header at this time but the source and destination addresses may be carriedout-of-band.out of band. In the case where the source address must be left unassigned, it SHOULD bemade sureensured that the right source address is selected at a later stage. Other than the addresses, it is RECOMMENDED that the new IP header copies the fields from the original IP header. 4. If there are any IPv4 options in the original packet, it is RECOMMENDED that they are discarded. If the inner header contains one or more options that need to be transported between the tunnelend-points,endpoints, the sender MUST encapsulate the options as defined in AppendixB.1.7B.1.7. Instead of literally discarding the IP header and constructing a new one, a conforming implementation MAY simply replace the addresses in an existing header. However, if the RECOMMENDED feature of allowing the inner and outer addresses from different address families is used, this simple strategy does not work. B.1.6. Handling ofincoming packetsIncoming Packets The incoming BEET mode packets are processed as follows: 1. The system MUST verify and decrypt the incoming packet successfully, as defined in[RFC4303] section 3.4.Section 3.4 of [RFC4303]. If the verification or decryption fails, the packet MUST be discarded. 2. The original IP header is simply discarded, without any checks. Since the ESP verification succeeded, the packet can be safely assumed to have arrived from the right sender. 3. A new IP header is constructed, replacing the original one. The new IP header MUST contain the inner source and destination addresses, as defined in the SA. If the sender has set the ESPnext protocolNext Header field to 94 and included the pseudo header as described in Appendix B.1.7, the receiver MUST include the options after the constructed IP header.Note,Note that in some implementations the real IP header may have already been discarded and the source and destination addresses are carriedout-of-band.out of band. In suchcasea case, the out-of-band addresses MUST be the inner addresses. Other than the addresses, it is RECOMMENDED that the new IP header copies the fields from the original IP header. Instead of literally discarding the IP header and constructing a newoneone, a conforming implementation MAY simply replace the addresses in an existing header. However, if the RECOMMENDED feature of allowing the inner and outer addresses from different address families is used, this simple strategy does not work. B.1.7. Handling of IPv4options handlingOptions In BEET mode, if IPv4 options are transported inside the tunnel, the sender MUST include apseudo-headerpseudo header after the ESP header. Thepseudo-pseudo headeridentifiesindicates that IPv4 options from the original packet are to be appliedonto the packet on the input side. The sender MUST set thenext protocolNext Header fieldonin the ESP headerasto 94. The resulting pseudoheaderheader, including the IPv4optionsoptions, MUST be padded to8 octetan 8-octet boundary. The padding length is expressed inoctets,octets; valid padding lengths are 0 or 4octetsoctets, as the original IPv4 options are already padded to4 octeta 4-octet boundary. The padding MUST be filled withNOPNo Operation (NOP) options as defined inInternet Protocol [RFC0791] sectionSection 3.1Internet header format.("Internet Header Format") of [RFC0791] ("Internet Protocol"). The padding is added in front of the original options to ensure that the receiver is able to reconstruct the original IPv4 datagram. The Header Length field contains the length of the IPv4 options, and padding in8 octets8-octet units. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Header Len | Pad Len | Reserved | +---------------+---------------+-------------------------------+ | Padding (if needed) | +---------------------------------------------------------------+ | IPv4 options ... | | | +---------------------------------------------------------------+ Next HeaderIdentifiesidentifies the data following thisheaderheader. Length in octets 8-bit unsigned integer. Length of the pseudo header in 8-octet units, not including the first 8 octets. The receiver MUST remove thispseudo-headerpseudo header and padding as a part of BEET processing, in order to reconstruct the original IPv4 datagram. The IPv4 options includedintoin thepseudo-headerpseudo header MUST be added after the reconstructed IPv4 (inner) header on the receiving side. Acknowledgments This document was separated from the base Host Identity Protocol specification in the beginning of 2005. Since then, a number of people have contributed to the text by providing comments and modification proposals. The list of people includes Tom Henderson, Jeff Ahrenholz, Jan Melen, Jukka Ylitalo, and Miika Komu. Especially, the authors want to thank Pekka Nikander for his invaluable contributions to the document since the first draft version. The authors also want to thank Charlie Kaufman for reviewing the document with his eye on the usage of crypto algorithms. Due to the history of this document, most of the ideas are inherited from the base Host Identity Protocol specification. Thus, the list of people in the Acknowledgments section of that specification is also valid for this document. Many people have given valuable feedback, and our apologies to anyone whose name is missing. Authors' Addresses Petri Jokela Ericsson Research NomadicLab JORVAS FIN-02420FINLANDFinland Phone: +358 9 299 1 EMail: petri.jokela@nomadiclab.com Robert MoskowitzVerizon Telcom and Business 1000 Bent Creek Blvd, Suite 200 Mechanicsburg, PA USAHTT Consulting Oak Park, MI United States EMail:rgm@icsalabs.comrgm@labs.htt-consult.com Jan Melen Ericsson Research NomadicLab JORVAS FIN-02420FINLANDFinland Phone: +358 9 299 1 EMail: jan.melen@nomadiclab.com