Network Working Group                                      G. Montenegro
Request for Comments: 3104                        Sun Microsystems, Inc.
Category: Experimental                                        M. Borella
                                                               CommWorks
                                                            October 2001
RSIP Support for End-to-end IPsec
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
IESG Note
The IESG notes that the set of documents describing the RSIP
technology imply significant host and gateway changes for a complete
implementation. In addition, the floating of port numbers can cause
problems for some applications, preventing an RSIP-enabled host from
interoperating transparently with existing applications in some cases
(e.g., IPsec). Finally, there may be significant operational
complexities associated with using RSIP. Some of these and other
complications are outlined in section 6 of RFC 3102, as well as
in the Appendices of RFC 3104. Accordingly, the costs and benefits
of using RSIP should be carefully weighed against other means of
relieving address shortage.
Abstract
This document proposes mechanisms that enable Realm Specific IP
(RSIP) to handle end-to-end IPsec (IP Security).
Montenegro & Borella Experimental [Page 1]
RFC 3104 RSIP Support for End-to-end IPsec October 2001
Table of Contents
1. Introduction .................................................. 2
2. Model ......................................................... 2
3. Implementation Notes .......................................... 3
4. IKE Handling and Demultiplexing ............................... 4
5. IPsec Handling and Demultiplexing ............................. 5
6. RSIP Protocol Extensions ...................................... 6
6.1 IKE Support in RSIP ....................................... 6
6.2 IPsec Support in RSIP ..................................... 7
7. IANA Considerations ........................................... 10
8. Security Considerations ....................................... 10
9. Acknowledgements .............................................. 10
References ....................................................... 11
Authors' Addresses ............................................... 12
Appendix A: On Optional Port Allocation to RSIP Clients .......... 13
Appendix B: RSIP Error Numbers for IKE and IPsec Support ......... 14
Appendix C: Message Type Values for IPsec Support ................ 14
Appendix D: A Note on Flow Policy Enforcement .................... 14
Appendix E: Remote Host Rekeying ................................. 14
Appendix F: Example Application Scenarios ........................ 15
Appendix G: Thoughts on Supporting Incoming Connections .......... 17
Full Copyright Statement ......................................... 19
1. Introduction
This document specifies RSIP extensions to enable end-to-end IPsec.
It assumes the RSIP framework as presented in [RSIP-FW], and
specifies extensions to the RSIP protocol defined in [RSIP-P]. Other
terminology follows [NAT-TERMS].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
2. Model
For clarity, the discussion below assumes this model:
      RSIP client            RSIP server                     Host

         Xa                Na         Nb                      Yb
              +------------+       Nb1   +------------+
      [X]-----| Addr space |--[N]--------| Addr space |------[Y]
              |     A      |       Nb2   |     B      |
              +------------+       ...   +------------+
Hosts X and Y belong to different address spaces A and B,
respectively, and N is an RSIP server. N has two addresses: Na on
address space A, and Nb on address space B. For example, A could be
a private address space, and B the public address space of the
general Internet. Additionally, N may have a pool of addresses in
address space B which it can assign to or lend to X.
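The model above, as an added illustration that is not part of RFC 3104 and
does not implement the RSIP protocol itself: a small Python sketch of the
RSIP server N holding a lease table for its pool of address-space-B
addresses (Nb1, Nb2, ...), lending one to client X, and using that table
to decide which client an inbound packet from Y belongs to. The concrete
addresses (10.0.0.0/8 as space A, 192.0.2.0/24 as space B, the host Y at
198.51.100.7), the class and method names, and the rule that a client may
only send from an address currently leased to it are all assumptions made
for this example; the RFC's own mechanisms for demultiplexing IKE and
IPsec traffic are specified in its later sections.

```python
import ipaddress
from dataclasses import dataclass, field


class PoolExhausted(Exception):
    """Raised when N has no free address in space B to lend."""


@dataclass
class RsipServer:
    """Model of RSIP server N with one address in each space and a pool in B.

    Assumed, illustrative model; not the RSIP protocol from [RSIP-P].
    """
    na: str                      # N's address on space A (private side)
    nb: str                      # N's own address on space B (public side)
    space_a: str                 # prefix of address space A, e.g. 10.0.0.0/8
    pool_b: list                 # addresses in space B N may lend (Nb1, Nb2, ...)
    # leased B address -> client address in A that currently holds it
    leases: dict = field(default_factory=dict)

    def lease(self, client_a: str) -> str:
        """Lend the first free pool address to client X (addressed as Xa in A)."""
        if ipaddress.ip_address(client_a) not in ipaddress.ip_network(self.space_a):
            raise ValueError(f"{client_a} is not in address space A")
        for addr in self.pool_b:
            if addr not in self.leases:
                self.leases[addr] = client_a
                return addr
        raise PoolExhausted("no free address in space B")

    def release(self, addr_b: str) -> None:
        """Return a lent address to the pool when the client is done with it."""
        self.leases.pop(addr_b, None)

    def client_for_inbound(self, dst_b: str):
        """For a packet from space B addressed to a pool address, find which
        client in A holds the lease (None if the address is not leased)."""
        return self.leases.get(dst_b)

    def outbound_allowed(self, client_a: str, src_b: str) -> bool:
        """Assumed policy check: a client may only originate packets from an
        address that is currently leased to it, so one client cannot
        impersonate another's lent address."""
        return self.leases.get(src_b) == client_a


def demo():
    """Walk the model: X leases Nb1, Y replies to Nb1, N maps it back to X."""
    # Constructed sample topology, not taken from the RFC.
    n = RsipServer(na="10.0.0.1", nb="192.0.2.1", space_a="10.0.0.0/8",
                   pool_b=["192.0.2.10", "192.0.2.11"])
    x = "10.0.0.5"            # Xa, RSIP client in space A
    y = "198.51.100.7"        # Yb, legacy host in space B
    nb1 = n.lease(x)          # X borrows Nb1 from N's pool
    # An inbound packet from Y to Nb1 is attributed to X by the lease table.
    owner = n.client_for_inbound(nb1)
    # X sending with the other, unleased pool address is refused.
    spoof_ok = n.outbound_allowed(x, "192.0.2.11")
    return {"nb1": nb1, "owner": owner, "spoof_allowed": spoof_ok,
            "y_is_in_b": ipaddress.ip_address(y) not in ipaddress.ip_network("10.0.0.0/8")}


if __name__ == "__main__":
    print(demo())
```

The lease table is the whole point of the model: once X is sending from a
space-B address that N handed out, N can only deliver Y's replies if it
remembers who holds that address, and (as the assumed `outbound_allowed`
check shows) it should also refuse traffic from a client claiming an
address it was not lent.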
This document proposes RSIP extensions and mechanisms to enable an
RSIP client X to initiate IKE and IPsec sessions to a legacy IKE and
IPsec node Y. In order to do so, X exchanges RSIP protocol messages