RSIP Support for End-to-end IPsec
RFC 3104
Document Type RFC - Experimental (October 2001; Errata)
Authors Michael Borella  , Gabriel Montenegro 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state RFC 3104 (Experimental)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                      G. Montenegro
Request for Comments: 3104                        Sun Microsystems, Inc.
Category: Experimental                                        M. Borella
                                                               CommWorks
                                                            October 2001

                   RSIP Support for End-to-end IPsec

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

IESG Note

   The IESG notes that the set of documents describing the RSIP
   technology imply significant host and gateway changes for a complete
   implementation.  In addition, the floating of port numbers can cause
   problems for some applications, preventing an RSIP-enabled host from
   interoperating transparently with existing applications in some cases
   (e.g., IPsec).  Finally, there may be significant operational
   complexities associated with using RSIP.  Some of these and other
   complications are outlined in section 6 of the RFC 3102, as well as
   in the Appendices of RFC 3104.  Accordingly, the costs and benefits
   of using RSIP should be carefully weighed against other means of
   relieving address shortage.

Abstract

   This document proposes mechanisms that enable Realm Specific IP
   (RSIP) to handle end-to-end IPsec (IP Security).

Montenegro & Borella          Experimental                      [Page 1]
RFC 3104           RSIP Support for End-to-end IPsec        October 2001

Table of Contents

   1. Introduction ..................................................  2
   2. Model .........................................................  2
   3. Implementation Notes ..........................................  3
   4. IKE Handling and Demultiplexing ...............................  4
   5. IPsec Handling and Demultiplexing .............................  5
   6. RSIP Protocol Extensions ......................................  6
      6.1 IKE Support in RSIP .......................................  6
      6.2 IPsec Support in RSIP .....................................  7
   7. IANA Considerations ........................................... 10
   8. Security Considerations ....................................... 10
   9. Acknowledgements .............................................. 10
   References ....................................................... 11
   Authors' Addresses ............................................... 12
   Appendix A: On Optional Port Allocation to RSIP Clients .......... 13
   Appendix B: RSIP Error Numbers for IKE and IPsec Support ......... 14
   Appendix C: Message Type Values for IPsec Support ................ 14
   Appendix D: A Note on Flow Policy Enforcement .................... 14
   Appendix E: Remote Host Rekeying ................................. 14
   Appendix F: Example Application Scenarios ........................ 15
   Appendix G: Thoughts on Supporting Incoming Connections .......... 17
   Full Copyright Statement ......................................... 19

1. Introduction

   This document specifies RSIP extensions to enable end-to-end IPsec.
   It assumes the RSIP framework as presented in [RSIP-FW], and
   specifies extensions to the RSIP protocol defined in [RSIP-P].  Other
   terminology follows [NAT-TERMS].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

2. Model

   For clarity, the discussion below assumes this model:

   RSIP client              RSIP server                   Host

      Xa                    Na   Nb                       Yb
            +------------+       Nb1  +------------+
   [X]------| Addr space |----[N]-----| Addr space |-------[Y]
            |  A         |       Nb2  |  B         |
            +------------+       ...  +------------+

Montenegro & Borella          Experimental                      [Page 2]
RFC 3104           RSIP Support for End-to-end IPsec        October 2001

   Hosts X and Y belong to different address spaces A and B,
   respectively, and N is an RSIP server.  N has two addresses:  Na on
   address space A, and Nb on address space B.  For example, A could be
   a private address space, and B the public address space of the
   general Internet.  Additionally, N may have a pool of addresses in
   address space B which it can assign to or lend to X.

   This document proposes RSIP extensions and mechanisms to enable an
   RSIP client X to initiate IKE and IPsec sessions to a legacy IKE and
   IPsec node Y.  In order to do so, X exchanges RSIP protocol messages
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools