Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
draft-ietf-ipsecme-ikev2-resumption-09
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
09 | (System) | post-migration administrative database adjustment to the Yes position for Jari Arkko |
2012-08-22
|
09 | (System) | post-migration administrative database adjustment to the No Objection position for Tim Polk |
2009-11-03
|
09 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2009-11-03
|
09 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2009-11-03
|
09 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2009-11-03
|
09 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2009-10-30
|
09 | Cindy Morgan | State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan |
2009-10-30
|
09 | (System) | IANA Action state changed to In Progress |
2009-10-30
|
09 | Amy Vezza | IESG state changed to Approved-announcement sent |
2009-10-30
|
09 | Amy Vezza | IESG has approved the document |
2009-10-30
|
09 | Amy Vezza | Closed "Approve" ballot |
2009-10-30
|
09 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza |
2009-10-29
|
09 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk |
2009-10-29
|
09 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk |
2009-10-21
|
09 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to Yes from Discuss by Jari Arkko |
2009-10-21
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2009-10-21
|
09 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-09.txt |
2009-10-09
|
09 | (System) | Removed from agenda for telechat - 2009-10-08 |
2009-10-08
|
09 | Cindy Morgan | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Cindy Morgan |
2009-10-08
|
09 | Lisa Dusseault | [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault |
2009-10-08
|
09 | Jari Arkko | [Ballot discuss] This is a well written specification and I was about to vote Yes on it. However, I thought I saw a few small … [Ballot discuss] This is a well written specification and I was about to vote Yes on it. However, I thought I saw a few small errors and I wanted to talk to you to see if we can determine if these really are errors and whether we need to correct them. 1. The document says: > Specifically, the SK_xx values are required to > protect the IKE_AUTH payloads. At this point in the text, SK_xx has not been defined (I suppose you mean "any shared key values established by IKEv2"), or even any specific SK value mentioned. This came out of the blue for me at least. Please clarify what you meant. Also, > AUTH = prf(SK_px, ) > > Each of the initiator and responder uses its own SK_p value, taken > from the newly generated IKE SA, Section 5.1. SK_px does not appear in the document, what is it? Neither SK_px or SK_xx have been used in RFC 4306 either. What about SK_p, do you mean SK_pr and SK_pi? Again, please be specific in what you actually mean. Listing which SK values you actually mean here along with their references might be helpful. 2. The document says: > When passing a ticket by value to the client, the ticket content MUST > be integrity protected and encrypted. > > A ticket by reference does not need to be encrypted, as it does not > contain any sensitive material, such as keying material There are multiple levels of crypto here, perhaps you want to be more explicit here. You mean that the encryption above is for the ticket content, but for sure the IKE exchange where you receive the ticket has to be encrypted, because otherwise it would be easier to open up a DoS attack where you can create half-ready resumption IKE SAs if you saw a ticket fly by. The document did say this earlier: Although the IKE SA is not fully valid until the completion of the IKE_AUTH exchange, the peers must create much of the SA state (Section 5) now. Specifically, the SK_xx values are required to protect the IKE_AUTH payloads. 3. The document says: > A man-in-the-middle may try to eavesdrop on an exchange to obtain a > ticket by value and use it to establish a session with the IKEv2 > responder. Since all exchanges where the client obtains a ticket are > encrypted, this is only possible by listening in on a client's use of > the ticket to resume a session. However, since the ticket's contents > are encrypted and the attacker does not know the corresponding secret > key, a stolen ticket cannot be used by an attacker to successfully > resume a session. An IKEv2 responder MUST use strong encryption and > integrity protection of the ticket to prevent an attacker from > obtaining the ticket's contents, e.g., by using a brute force attack. > > A ticket by reference does not need to be encrypted. When an > adversary is able to eavesdrop on a resumption attempt, as described > in the previous paragraph, then the ticket by reference may be > obtained. A ticket by reference cannot be used by an attacker to > successfully resume a session, for the same reasons as for a ticket > by value. Moreover, the adversary MUST NOT be able to resolve the > ticket via the reference, i.e., access control MUST be enforced to > ensure disclosure only to authorized entities. This text does not explain the issue that I brought up in item 3. I would like to see that the half-created state problem is mentioned in the security considerations text. |
2009-10-08
|
09 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko |
2009-10-08
|
09 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel |
2009-10-08
|
09 | Adrian Farrel | [Ballot comment] I'm assuming that the malicious corrpution or deletion of stored tickets has only a small disruptive affect on session recovery. That is, an … [Ballot comment] I'm assuming that the malicious corrpution or deletion of stored tickets has only a small disruptive affect on session recovery. That is, an attempt will be made to recover the ticket before dropping abck to the current processing rules (pre-this-draft). --- The use of ! rather than | in protocol object figures is unusual, but not illegal. --- Section 7 identifies the different notification messages by "notification numbers" but the subsequent subsections (7.1 etc.) use the term "Notify Message Type". According to the IANA section and the registry, the latter term is correct. |
2009-10-08
|
09 | Dan Romascanu | [Ballot comment] Michael Sneed notes in his OPS-DIR review the following: Section 9.1 of the "Security Considerations" could use some clarification: the inability of an … [Ballot comment] Michael Sneed notes in his OPS-DIR review the following: Section 9.1 of the "Security Considerations" could use some clarification: the inability of an attacker to use a stolen unencrypted "ticket by reference" is explained as "for the same reasons as for a ticket by value", but for a "ticket by value" the explanation is that the ticket is encrypted. |
2009-10-08
|
09 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2009-10-07
|
09 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2009-10-07
|
09 | Cullen Jennings | [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings |
2009-10-07
|
09 | Tim Polk | [Ballot discuss] This is a good document, and I support its publication. There is one issue that I would suggest addressing - probably in the … [Ballot discuss] This is a good document, and I support its publication. There is one issue that I would suggest addressing - probably in the security considerations - before publication, though. When an IKEv2 responder decides to provide a ticket for session resumption to an IKEv2 initiator, they are implicitly trusting the initiator to manage this ticket to ensure that new sessions are not created for a different user. Specifically, Section 6.2 states that "when credentials associated with the IKE SA are invalidated (e.g. when a user logs out), the ticket MUST be deleted." This requirement can only be enforced by the responder, so a rogue IKEv2 responder could misuse the ticket without user knowledge. It seems the IKEv2 responder is extending greater trust to the initiator when providing a ticket than when they accept the initial connection. I have no problem with that, but suspect it should be highlighted somewhere. |
2009-10-07
|
09 | Lars Eggert | [Ballot comment] INTRODUCTION, paragraph 13: > Abstract Is long, and overlaps with the introduction a lot. |
2009-10-07
|
09 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert |
2009-10-06
|
09 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2009-10-06
|
09 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks |
2009-10-06
|
09 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2009-10-06
|
09 | Tim Polk | [Ballot discuss] This is a good document, and I support its publication. There is one issue that I might need to be addressed - probably … [Ballot discuss] This is a good document, and I support its publication. There is one issue that I might need to be addressed - probably in the security considerations - before publication, though. When an IKEv2 responder decides to provide a ticket for session resumption to an IKEv2 initiator, they are implicitly trusting the initiator to manage this ticket to ensure that new sessions are not created for a different user. Specifically, Section 6.2 states that "when credentials associated with the IKE SA are invalidated (e.g. when a user logs out), the ticket MUST be deleted." This requirement can only be enforced by the responder, so a rogue IKEv2 responder could misuse the ticket without user knowledge. It seems the IKEv2 responder is extending greater trust to the initiator when providing a ticket than when they accept the initial connection. I have no problem with that, but suspect it should be highlighted somewhere. |
2009-10-06
|
09 | Tim Polk | [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk |
2009-10-06
|
09 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms |
2009-10-06
|
09 | Ralph Droms | [Ballot comment] Well-written and understandable doc. I have one small editorial comment: From section 5: Note 1: The authenticated peer identity used for policy … [Ballot comment] Well-written and understandable doc. I have one small editorial comment: From section 5: Note 1: The authenticated peer identity used for policy lookups may not be the same as the IDi payload (see Sec. 3.5 of [RFC4718]), and if so, MUST be included in the ticket. Note that the client may not have access to this value. What is the condition to be checked by "if so" and what is to be included based on that condition? It would be clearer to include text that explicitly describes the condition and what is to be included. |
2009-10-04
|
09 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded by Alexey Melnikov |
2009-10-04
|
09 | Alexey Melnikov | [Ballot comment] This is a useful document. Some minor comments/questions below: 4.3.1. Prologue Tickets are intended for one-time use, i.e. a client MUST NOT … [Ballot comment] This is a useful document. Some minor comments/questions below: 4.3.1. Prologue Tickets are intended for one-time use, i.e. a client MUST NOT reuse a ticket. A reused ticket SHOULD be rejected by a gateway. Note that a ticket is considered as used only when an IKE SA has been established successfully with it. Isn't this a recipe for DoS attacks? 7.1. TICKET_LT_OPAQUE Notify Payload The data for the TICKET_LT_OPAQUE Notify payload consists of the Notify message header, a Lifetime field and the ticket itself. The four octet Lifetime field contains a relative time value, the number of seconds until the ticket expires (encoded as an unsigned integer). I suggest saying that the Lifetime is encoded in network byte order. |
2009-10-04
|
09 | Alexey Melnikov | [Ballot comment] 4.3.1. Prologue Tickets are intended for one-time use, i.e. a client MUST NOT reuse a ticket. A reused ticket SHOULD be … [Ballot comment] 4.3.1. Prologue Tickets are intended for one-time use, i.e. a client MUST NOT reuse a ticket. A reused ticket SHOULD be rejected by a gateway. Note that a ticket is considered as used only when an IKE SA has been established successfully with it. Isn't this a recipe for DoS attacks? 7.1. TICKET_LT_OPAQUE Notify Payload The data for the TICKET_LT_OPAQUE Notify payload consists of the Notify message header, a Lifetime field and the ticket itself. The four octet Lifetime field contains a relative time value, the number of seconds until the ticket expires (encoded as an unsigned integer). I suggest saying that the Lifetime is encoded in network byte order. |
2009-09-22
|
09 | Pasi Eronen | Placed on agenda for telechat - 2009-10-08 by Pasi Eronen |
2009-09-22
|
09 | Pasi Eronen | State Changes to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup by Pasi Eronen |
2009-09-22
|
09 | Pasi Eronen | [Ballot Position Update] New position, Yes, has been recorded for Pasi Eronen |
2009-09-22
|
09 | Pasi Eronen | Ballot has been issued by Pasi Eronen |
2009-09-22
|
09 | Pasi Eronen | Created "Approve" ballot |
2009-09-21
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2009-09-21
|
08 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-08.txt |
2009-09-18
|
09 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Sean Turner. |
2009-09-17
|
09 | Pasi Eronen | State Changes to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead by Pasi Eronen |
2009-09-14
|
09 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2009-09-10
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Sean Turner |
2009-09-10
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Sean Turner |
2009-09-10
|
09 | Samuel Weiler | Assignment of request for Last Call review by SECDIR to Hannes Tschofenig was rejected |
2009-09-10
|
09 | Amanda Baber | IANA comments: Upon approval of this document, IANA will make the following assignments in the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry at http://www.iana.org/assignments/ikev2-parameters … IANA comments: Upon approval of this document, IANA will make the following assignments in the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry at http://www.iana.org/assignments/ikev2-parameters ACTION 1: In the "IKEv2 Exchange Types" registry: Value Exchange Type Reference -------- -------------------------- --------- TBD IKE_SESSION_RESUME [RFC-ipsecme-ikev2-resumption-07] ACTION 2: In the "IKEv2 Notify Message Types - Status Types" registry: Value NOTIFY MESSAGES - STATUS TYPES Reference ------------ -------------------------------- --------- TBD TICKET_LT_OPAQUE [RFC-ipsecme-ikev2-resumption-07] TBD TICKET_REQUEST [RFC-ipsecme-ikev2-resumption-07] TBD TICKET_ACK [RFC-ipsecme-ikev2-resumption-07] TBD TICKET_NACK [RFC-ipsecme-ikev2-resumption-07] TBD TICKET_OPAQUE [RFC-ipsecme-ikev2-resumption-07] |
2009-09-03
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Hannes Tschofenig |
2009-09-03
|
09 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Hannes Tschofenig |
2009-08-31
|
09 | Amy Vezza | Last call sent |
2009-08-31
|
09 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2009-08-31
|
09 | Pasi Eronen | State Changes to Last Call Requested from AD Evaluation::AD Followup by Pasi Eronen |
2009-08-31
|
09 | Pasi Eronen | Last Call was requested by Pasi Eronen |
2009-08-31
|
09 | (System) | Ballot writeup text was added |
2009-08-31
|
09 | (System) | Last call text was added |
2009-08-31
|
09 | (System) | Ballot approval text was added |
2009-08-21
|
09 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2009-08-21
|
07 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-07.txt |
2009-08-14
|
09 | Pasi Eronen | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Pasi Eronen |
2009-08-10
|
09 | Pasi Eronen | State Changes to AD Evaluation from Publication Requested by Pasi Eronen |
2009-08-10
|
09 | Pasi Eronen | [Note]: 'Paul Hoffman (paul.hoffman@vpnc.org) is the document shepherd.' added by Pasi Eronen |
2009-06-23
|
09 | Amy Vezza | Here is my document shepherd write-up for IKEv2 Session Resumption (draft-ietf-ipsecme-ikev2-resumption-06.txt). Please consider it for publication. --Paul Hoffman I am the document shepherd … Here is my document shepherd write-up for IKEv2 Session Resumption (draft-ietf-ipsecme-ikev2-resumption-06.txt). Please consider it for publication. --Paul Hoffman I am the document shepherd for this document, inasmuch as I am the co-chair of the IPsecME WG, and the other co-chair is the lead editor on the document. I have personally reviewed this version of the document and, in particular, believe this version is ready for forwarding to the IESG for publication. The document was reviewed heavily in the WG and went through many significant revisions and re-reviews. I would note that the WG Last Call got almost no comments, but I feel comfortable with the level from the earlier reviews. That is, I do not have concern that it needs more review before IETF LC. I know of no IPR statements on the work. The WG consensus for this work is fairly strong, although two WG members have expressed (repeated) support for a version with one less round trip that had more security issues. As the responsible co-chair, I asked a few times to be sure that there were no other supporters, and heard none. Yes, it passes I-D nits. Yes, the references are sane and no downrefs are needed. The IANA considerations point to the sections of the document where new entries need to be added to already-existing registries, and no new registries are needed. Technical Summary This document describes an efficient way to resume an IKEv2 session after it has been closed. This avoids having to re-run the key exchange protocol from scratch, which can be onerous if EAP authentication is involved. The protocol uses an opaque ticket that can be stored by the client or in a centralized storage location. Working Group Summary The document has rough consensus of the IPsecME WG. Document Quality There was interest in this protocol from many vendors, but none have come forward to say that they have implemented it. |
2009-06-23
|
09 | Amy Vezza | Draft Added by Amy Vezza in state Publication Requested |
2009-06-23
|
09 | Amy Vezza | [Note]: 'Paul Hoffman (paul.hoffman@vpnc.org) is the document shepherd.' added by Amy Vezza |
2009-06-18
|
06 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-06.txt |
2009-06-16
|
05 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-05.txt |
2009-05-15
|
04 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-04.txt |
2009-05-01
|
03 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-03.txt |
2009-03-09
|
02 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-02.txt |
2009-01-24
|
01 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-01.txt |
2008-11-17
|
00 | (System) | New version available: draft-ietf-ipsecme-ikev2-resumption-00.txt |