Announcing Supported Authentication Methods in IKEv2
draft-smyslov-ipsecme-ikev2-auth-announce-02

Document Type Active Internet-Draft (individual)
Author Valery Smyslov 
Last updated 2020-09-09
Network Working Group                                         V. Smyslov
Internet-Draft                                                ELVIS-PLUS
Intended status: Standards Track                       September 9, 2020
Expires: March 13, 2021

          Announcing Supported Authentication Methods in IKEv2
              draft-smyslov-ipsecme-ikev2-auth-announce-02

Abstract

   This specification defines a mechanism that allows Internet Key
   Exchange version 2 (IKEv2) implementations to indicate the list of
   supported authentication methods to their peers while establishing an
   IKEv2 Security Association (SA).  This mechanism improves
   interoperability when IKEv2 partners are configured with multiple
   different credentials to authenticate each other.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 13, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Smyslov                  Expires March 13, 2021                 [Page 1]
Internet-Draft      Announcing Supported Auth Methods     September 2020

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology and Notation  . . . . . . . . . . . . . . . . . .   3
   3.  Protocol Details  . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Exchanges . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  SUPPORTED_AUTH_METHODS Notify . . . . . . . . . . . . . .   4
       3.2.1.  2-octet Announcement  . . . . . . . . . . . . . . . .   5
       3.2.2.  3-octet Announcement  . . . . . . . . . . . . . . . .   6
       3.2.3.  Multi-octet Announcement  . . . . . . . . . . . . . .   7
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   The Internet Key Exchange version 2 (IKEv2) protocol, defined in
   [RFC7296], performs authenticated key exchange in IPsec.  IKEv2,
   unlike its predecessor IKEv1, defined in [RFC2409], doesn't include a
   mechanism to negotiate the authentication method that the peers will
   use to authenticate each other.  It is assumed that each peer selects
   whatever authentication method it thinks is appropriate, depending on
   the authentication credentials it has.

   This approach generally works well when there is no ambiguity in
   selecting authentication credentials.  A problem may arise when
   several credentials of different types are configured on one peer,
   while only some of them are supported on the other peer.  Another
   problematic situation is when a single credential may be used to
   produce different types of authentication tokens (e.g. signatures of
   different formats).  Emerging post-quantum signature algorithms may
   bring additional challenges for implementations, especially if
   so-called hybrid schemes are used (e.g. see
   [I-D.ounsworth-pq-composite-sigs]).

   This specification defines an extension to the IKEv2 protocol that
   allows peers to announce their supported authentication methods, thus
   reducing the risk of SA establishment failure in situations where
   there are several ways for the peers to authenticate themselves.
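   The following Python model, added here as an illustration and not
   part of the draft or of any IKEv2 implementation, shows the selection
   problem the Introduction describes and how an announced list of
   supported methods resolves it.  It does not model the notify's wire
   format (that part of the draft is not reproduced above); it only
   models the decision.  The Auth Method values are the real IANA IKEv2
   registry values (1, 2 from RFC 7296; 14 from RFC 7427).  The
   credentials, the responder's capabilities, and the rule "walk local
   credentials in local preference order and take the first method the
   peer announced" are assumptions of this example.

```python
"""Added illustration: how an announced list of supported IKEv2
authentication methods lets a peer choose a credential the other side can
verify.  Models the selection decision only, not the draft's wire format."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Authentication Method identifiers from the IANA IKEv2 registry
# (RFC 7296 Section 3.8 and RFC 7427).
AUTH_RSA_SIG = 1       # RSA Digital Signature (RSASSA-PKCS1-v1_5, SHA-1)
AUTH_PSK = 2           # Shared Key Message Integrity Code (pre-shared key)
AUTH_DIGITAL_SIG = 14  # Digital Signature (RFC 7427), algorithm named in AUTH


@dataclass(frozen=True)
class Credential:
    """One configured credential and the Auth Method values it can produce,
    in the owner's order of preference.  An RSA key can sign either as
    method 14 or as legacy method 1: the "same credential, different token
    format" case from the Introduction."""
    name: str
    methods: Tuple[int, ...]


Selection = Tuple[str, int]  # (credential name, Auth Method value)


def choose_without_announcement(local: Sequence[Credential]) -> Selection:
    """Plain RFC 7296 behaviour: the peer has said nothing about what it
    supports, so the choice is made from local policy alone (first
    credential, its preferred method)."""
    first = local[0]
    return first.name, first.methods[0]


def choose_with_announcement(local: Sequence[Credential],
                             announced: Sequence[int]) -> Optional[Selection]:
    """Selection when the peer announced the methods it supports.  Walk the
    local credentials in local preference order (an assumption of this
    example; the draft text above does not fix an order) and return the
    first (credential, method) pair the peer can verify.  None means there is
    no common method, so the SA would fail and the caller can log why
    before sending anything."""
    supported = set(announced)
    for cred in local:
        for method in cred.methods:
            if method in supported:
                return cred.name, method
    return None


def peer_accepts(peer_supported: Sequence[int],
                 selection: Optional[Selection]) -> bool:
    """Model of the verifying side: authentication succeeds only if the
    Auth Method chosen by the authenticating peer is one the verifier
    implements."""
    return selection is not None and selection[1] in set(peer_supported)


# Constructed scenario (not from the draft): the initiator holds an RSA
# certificate (preferred) and a PSK; the responder only supports PSK.
INITIATOR_CREDS = (
    Credential("rsa-cert", (AUTH_DIGITAL_SIG, AUTH_RSA_SIG)),
    Credential("psk", (AUTH_PSK,)),
)
RESPONDER_SUPPORTS = (AUTH_PSK,)


def run_scenario():
    """Return ((blind choice, accepted?), (informed choice, accepted?))."""
    blind = choose_without_announcement(INITIATOR_CREDS)
    informed = choose_with_announcement(INITIATOR_CREDS, RESPONDER_SUPPORTS)
    return ((blind, peer_accepts(RESPONDER_SUPPORTS, blind)),
            (informed, peer_accepts(RESPONDER_SUPPORTS, informed)))


if __name__ == "__main__":
    (blind, ok_blind), (informed, ok_informed) = run_scenario()
    print(f"without announcement: {blind} -> accepted={ok_blind}")
    print(f"with announcement:    {informed} -> accepted={ok_informed}")
```

   Without the announcement the initiator signs with its preferred RSA
   certificate and the PSK-only responder cannot verify it, so the
   exchange fails only after AUTH has been sent.  With the announcement
   the intersection is computed up front, the PSK is chosen, and the
   RSA-key case shows the second point from the Introduction: the same
   key yields method 14 or method 1 depending on what the peer lists.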
