Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
RFC 5202
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Experimental (April 2008; Errata); Obsoleted by RFC 7402; Was draft-ietf-hip-esp (hip WG) |
| | Authors | Pekka Nikander, Robert Moskowitz, Petri Jokela |
| | Last updated | 2015-10-14 |
| | Stream | IETF |
| | Formats | plain text, html, pdf, htmlized, bibtex |
| Stream | WG state | (None) |
| | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 5202 (Experimental) |
| | Consensus Boilerplate | Unknown |
| | Telechat date | |
| | Responsible AD | Mark Townsley |
| | Send notices to | (None) |
Network Working Group
Request for Comments: 5202
Category: Experimental
P. Jokela, Ericsson Research NomadicLab
R. Moskowitz, ICSAlabs
P. Nikander, Ericsson Research NomadicLab
April 2008

Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)

Status of This Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

IESG Note

The following issues describe IESG concerns about this document. The IESG expects that these issues will be addressed when future versions of HIP are designed.

In case of complex Security Policy Databases (SPDs) and the co-existence of HIP and security-related protocols such as IKE, implementors may encounter conditions that are unspecified in these documents. For example, when the SPD defines an IP address subnet to be protected and a HIP host is residing in that IP address area, there is a possibility that the communication is encrypted multiple times. Readers are advised to pay special attention when running HIP with complex SPD settings. Future specifications should clearly define when multiple encryption is intended, and when it should be avoided.

Abstract

This memo specifies an Encapsulated Security Payload (ESP) based mechanism for transmission of user data packets, to be used with the Host Identity Protocol (HIP).

Jokela, et al. Experimental [Page 1]

RFC 5202 Using the ESP Transport Format with HIP April 2008

Table of Contents

1. Introduction ... 3
2. Conventions Used in This Document ... 3
3. Using ESP with HIP ... 4
   3.1. ESP Packet Format ... 4
   3.2. Conceptual ESP Packet Processing ... 4
      3.2.1. Semantics of the Security Parameter Index (SPI) ... 5
   3.3. Security Association Establishment and Maintenance ... 6
      3.3.1. ESP Security Associations ... 6
      3.3.2. Rekeying ... 6
      3.3.3. Security Association Management ... 7
      3.3.4. Security Parameter Index (SPI) ... 7
      3.3.5. Supported Transforms ... 7
      3.3.6. Sequence Number ... 8
      3.3.7. Lifetimes and Timers ... 8
   3.4. IPsec and HIP ESP Implementation Considerations ... 8
4. The Protocol ... 9
   4.1. ESP in HIP ... 9
      4.1.1. Setting Up an ESP Security Association ... 9
      4.1.2. Updating an Existing ESP SA ... 10
5. Parameter and Packet Formats ... 10
   5.1. New Parameters ... 11
      5.1.1. ESP_INFO ... 11
      5.1.2. ESP_TRANSFORM ... 13
      5.1.3. NOTIFY Parameter ... 14
   5.2. HIP ESP Security Association Setup ... 14
      5.2.1. Setup During Base Exchange ... 14
   5.3. HIP ESP Rekeying ... 16
      5.3.1. Initializing Rekeying ... 16
      5.3.2. Responding to the Rekeying Initialization ... 17
   5.4. ICMP Messages ... 17
      5.4.1. Unknown SPI ... 17
6. Packet Processing ... 18
   6.1. Processing Outgoing Application Data ... 18
   6.2. Processing Incoming Application Data ... 19
   6.3. HMAC and SIGNATURE Calculation and Verification ... 19
   6.4. Processing Incoming ESP SA Initialization (R1) ... 19
   6.5. Processing Incoming Initialization Reply (I2) ... 20
   6.6. Processing Incoming ESP SA Setup Finalization (R2) ... 20
   6.7. Dropping HIP Associations ... 20
   6.8. Initiating ESP SA Rekeying ... 20