Technical Summary
This document describes a method to transport Internet Key Exchange
Protocol (IKE) and IPsec packets over a TCP connection for traversing
network middleboxes that may block IKE negotiation over UDP. This
method, referred to as "TCP encapsulation", involves sending both IKE
packets for Security Association establishment and Encapsulating
Security Payload (ESP) packets over a TCP connection. This method is
intended to be used as a fallback option when IKE cannot be
negotiated over UDP.
TCP encapsulation for IKE and IPsec was defined in RFC 8229. This
document updates the specification for TCP encapsulation by including
additional clarifications obtained during implementation and
deployment of this method. This documents obsoletes RFC 8229.
Working Group Summary
This work started in 2018 with document "Clarifications and Implementation
Guidelines for using TCP Encapsulation in IKEv2", but during the process
IPsecME WG decided to make bis document of RFC8229 instead as some of the
clarifications were actually modifying the protocol. The first version of
the rfc8229bis document was published as individual draft in May 2020 as
individual draft, and it was adopted by the WG in April 2021.
Updates were made in response to AD Review, GENART, TSV, and SECDIR review.
Document Quality
There are several implementations of the RFC8229 and during those
implementations few issues were found that required modifications. Because
of that this RFC8229bis document was created, when it was obvious that
simple clarifications are not enough. There are already some
implementations implementing changes described in this bis document.
Personnel
Shepherd: Tero Kivinen
Responsible AD: Roman Danyliw