| rfc9329v5.txt | rfc9329.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) T. Pauly | Internet Engineering Task Force (IETF) T. Pauly | |||
| Request for Comments: 9329 Apple Inc. | Request for Comments: 9329 Apple Inc. | |||
| Obsoletes: 8229 V. Smyslov | Obsoletes: 8229 V. Smyslov | |||
| Category: Standards Track ELVIS-PLUS | Category: Standards Track ELVIS-PLUS | |||
| ISSN: 2070-1721 October 2022 | ISSN: 2070-1721 November 2022 | |||
| TCP Encapsulation of Internet Key Exchange Protocol (IKE) and IPsec | TCP Encapsulation of Internet Key Exchange Protocol (IKE) and IPsec | |||
| Packets | Packets | |||
| Abstract | Abstract | |||
| This document describes a method to transport Internet Key Exchange | This document describes a method to transport Internet Key Exchange | |||
| Protocol (IKE) and IPsec packets over a TCP connection for traversing | Protocol (IKE) and IPsec packets over a TCP connection for traversing | |||
| network middleboxes that may block IKE negotiation over UDP. This | network middleboxes that may block IKE negotiation over UDP. This | |||
| method, referred to as "TCP encapsulation", involves sending both IKE | method, referred to as "TCP encapsulation", involves sending both IKE | |||
| skipping to change at line 1198 ¶ | skipping to change at line 1198 ¶ | |||
| 12.2. Informative References | 12.2. Informative References | |||
| [IPSECME-IKE-TCP] | [IPSECME-IKE-TCP] | |||
| Nir, Y., "A TCP transport for the Internet Key Exchange", | Nir, Y., "A TCP transport for the Internet Key Exchange", | |||
| Work in Progress, Internet-Draft, draft-ietf-ipsecme-ike- | Work in Progress, Internet-Draft, draft-ietf-ipsecme-ike- | |||
| tcp-01, 3 December 2012, | tcp-01, 3 December 2012, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme- | <https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme- | |||
| ike-tcp-01>. | ike-tcp-01>. | |||
| [TLS-RECOMMENDATIONS] | [RFC9325] Sheffer, Y., Saint-Andre, P., and T. Fossati, | |||
| Sheffer, Y., Saint-Andre, P., and T. Fossati, | ||||
| "Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
| Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS)", Work in Progress, Internet-Draft, draft-ietf-uta- | (DTLS)", RFC 9325, DOI 10.17487/RFC9325, November 2022, | |||
| rfc7525bis-11, 16 August 2022, | <https://www.rfc-editor.org/info/rfc9325>. | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-uta- | ||||
| rfc7525bis-11>. | ||||
| [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - | [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - | |||
| Communication Layers", STD 3, RFC 1122, | Communication Layers", STD 3, RFC 1122, | |||
| DOI 10.17487/RFC1122, October 1989, | DOI 10.17487/RFC1122, October 1989, | |||
| <https://www.rfc-editor.org/info/rfc1122>. | <https://www.rfc-editor.org/info/rfc1122>. | |||
| [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within | [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within | |||
| HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000, | HTTP/1.1", RFC 2817, DOI 10.17487/RFC2817, May 2000, | |||
| <https://www.rfc-editor.org/info/rfc2817>. | <https://www.rfc-editor.org/info/rfc2817>. | |||
| skipping to change at line 1330 ¶ | skipping to change at line 1327 ¶ | |||
| recommended to improve efficiency in this case. | recommended to improve efficiency in this case. | |||
| The security of the IKE session is entirely derived from the IKE | The security of the IKE session is entirely derived from the IKE | |||
| negotiation and key establishment and not from the TLS session | negotiation and key establishment and not from the TLS session | |||
| (which, in this context, is only used for encapsulation purposes); | (which, in this context, is only used for encapsulation purposes); | |||
| therefore, when TLS is used on the TCP connection, both the TCP | therefore, when TLS is used on the TCP connection, both the TCP | |||
| Originator and the TCP Responder SHOULD allow the NULL cipher to be | Originator and the TCP Responder SHOULD allow the NULL cipher to be | |||
| selected for performance reasons. Note that TLS 1.3 only supports | selected for performance reasons. Note that TLS 1.3 only supports | |||
| AEAD algorithms and at the time of writing this document there was no | AEAD algorithms and at the time of writing this document there was no | |||
| recommended cipher suite for TLS 1.3 with the NULL cipher. It is | recommended cipher suite for TLS 1.3 with the NULL cipher. It is | |||
| RECOMMENDED to follow [TLS-RECOMMENDATIONS] when selecting parameters | RECOMMENDED to follow [RFC9325] when selecting parameters for TLS. | |||
| for TLS. | ||||
| Implementations should be aware that the use of TLS introduces | Implementations should be aware that the use of TLS introduces | |||
| another layer of overhead requiring more bytes to transmit a given | another layer of overhead requiring more bytes to transmit a given | |||
| IKE and IPsec packet. For this reason, direct ESP, UDP | IKE and IPsec packet. For this reason, direct ESP, UDP | |||
| encapsulation, or TCP encapsulation without TLS should be preferred | encapsulation, or TCP encapsulation without TLS should be preferred | |||
| in situations in which TLS is not required in order to traverse | in situations in which TLS is not required in order to traverse | |||
| middleboxes. | middleboxes. | |||
| Appendix B. Example Exchanges of TCP Encapsulation with TLS 1.3 | Appendix B. Example Exchanges of TCP Encapsulation with TLS 1.3 | |||
| End of changes. 4 change blocks. | ||||
| 9 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||