2 The IKE Header
- Each IKE message begins with the IKE header.
[Figure: IKE header layout. Field labels: IKE-SA Initiator’s SPI, IKE-SA Responder’s SPI, Flags, Exchange Type, MnVer, MjVer, Next Payload, Message ID, Length]
3 The IKE Header
- The message begins with the IKE header followed by one or more IKE payloads.
- Payloads are processed in the order they appear in the IKE message.
4 The IKE Header Fields
- Initiator’s SPI¹ (8 octets) – chosen by the Initiator to identify a unique IKE SA. Must not be zero.
- Responder’s SPI (8 octets) – chosen by the Responder to identify a unique IKE SA. Must be zero in the first message of the Initial Exchange and must not be zero in any other message.
¹ SPI – Security Parameter Index
5 The IKE Header Fields
- Next Payload (1 octet) – indicates the type of payload that immediately follows the header.
- Major Version (4 bits) – indicates the major version of the IKE protocol in use. Implementations based on version 2 must reject (or ignore) messages containing a version number greater than 2.
6 The IKE Header Fields
- Minor Version (4 octets) – indicates the minor version of the IKE protocol in use.
- Exchange Type (1 octet) – indicates the type of exchange being used. This dictates the payloads sent in each message and the message ordering in the exchanges.
7 The IKE Header Fields
- Flags (1 octet)
  - R(eserved) (bits 0-2)
  - I(nitiator) (bit 3) – set when the message is from the Original Initiator of the IKE-SA, and cleared otherwise. Used by the recipient to determine whether the message is a request or a response.
  - V(ersion) (bit 4) – indicates that the transmitter is capable of speaking a higher major version number than the one indicated in the major version number field.
  - R(eserved) (bits 5-7)
8 The IKE Header Fields
- Message ID (4 octets) – used to control retransmission of lost packets and to match requests with responses.
- Length (4 octets) – length of the total message (header + payloads) in octets.
9 Generic Payload header
[Figure: generic payload header layout. Field labels: Length, RESERVED, C, Next]
- Each IKE payload (discussed later) begins with a generic header.
- The construction and processing of the generic payload header is identical for each payload.
10 Generic Payload header Fields
- Next Payload (1 octet) – indicates the type of the next payload in the message. In the last payload in the message the field is zero.
- Critical (1 bit) – indicates whether the sender wants the receiver to skip (set to 0) or to reject (set to 1) this payload if the receiver doesn’t understand the payload type code. If the recipient understands the code, it should ignore this field.
11 Generic Payload header Fields
- RESERVED (7 bits)
- Payload Length (2 octets) – length in octets of the current payload, including the generic payload header.
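Added example (not part of the original slides): a Python receiver-side parser that applies the header rules and the generic payload header rules described above. It assumes the wire order SPIs, Next Payload, one version octet (major version in the high four bits), Exchange Type, Flags, Message ID, Length; flag bits counted from the low-order bit; and C as the high bit of its octet. The payload type numbers 200 to 202, the SPI bytes and the exchange type value are constructed.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # 28 octets: SPIi, SPIr, next, version, exchange, flags, msg id, length
GEN_HDR = struct.Struct("!BBH")          # next payload, C + RESERVED, payload length
FLAG_I, FLAG_V = 0x08, 0x10              # bits 3 and 4, counted from the low-order bit (assumption)
ZERO_SPI = bytes(8)

def parse_header(msg, first_message=False):
    """Validate the fixed header; raise ValueError when a rule from the slides is broken."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("truncated header")
    spi_i, spi_r, nxt, ver, xchg, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if spi_i == ZERO_SPI:
        raise ValueError("initiator SPI is zero")
    if first_message != (spi_r == ZERO_SPI):   # zero only in the first message
        raise ValueError("responder SPI zero/non-zero rule violated")
    if ver >> 4 > 2:
        raise ValueError("major version greater than 2")
    if length != len(msg):
        raise ValueError("Length field does not match message size")
    return {"next": nxt, "major": ver >> 4, "minor": ver & 0x0F, "exchange": xchg, "msg_id": msg_id,
            "from_initiator": bool(flags & FLAG_I), "higher_version": bool(flags & FLAG_V)}

def walk_payloads(msg, first_type, known):
    """Follow the Next Payload chain; return [(type, body)] for understood payloads."""
    out, off, ptype = [], IKE_HDR.size, first_type
    while ptype != 0:                          # zero marks the last payload
        if off + GEN_HDR.size > len(msg):
            raise ValueError("payload chain runs past end of message")
        nxt, c_res, plen = GEN_HDR.unpack_from(msg, off)
        if plen < GEN_HDR.size or off + plen > len(msg):
            raise ValueError("bad Payload Length")
        if ptype in known:                     # understood: Critical bit is ignored
            out.append((ptype, msg[off + GEN_HDR.size:off + plen]))
        elif c_res & 0x80:                     # not understood and Critical set: reject
            raise ValueError("UNSUPPORTED-CRITICAL-PAYLOAD: type %d" % ptype)
        ptype, off = nxt, off + plen           # not understood, Critical clear: skip
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return out

def build(payloads, spi_r=ZERO_SPI, major=2):
    """Constructed sample message; payloads is a non-empty list of (type, critical, body)."""
    body = b""
    for i, (ptype, crit, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN_HDR.pack(nxt, 0x80 if crit else 0, GEN_HDR.size + len(data)) + data
    hdr = IKE_HDR.pack(b"\x11" * 8, spi_r, payloads[0][0], major << 4, 1, FLAG_I, 0, IKE_HDR.size + len(body))
    return hdr + body
```

Every length is checked against the received buffer before any slice is taken, so a forged Payload Length cannot move the parser outside the message.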
12 SA (Security Association) Payload
- Used to negotiate attributes of a security association.
- May contain multiple proposals.
- Each proposal includes a Suite-ID which implies one or more protocols and the associated cryptographic algorithms.
13 Proposal Structure
- Contains a Proposal #, a Suite-ID and the sending entity’s SPI(s).
- When the SA is accepted, the SA payload sent back must contain a single proposal, and its number must match the number in the accepted proposal.
14 KE (Key Exchange) Payload
- Used to exchange Diffie-Hellman public numbers as part of a DH key exchange.
- The length of the DH public value must be equal to the length of the prime modulus over which the exponentiation was performed (prepending zero bits if necessary).
15 KE (Key Exchange) Payload
- Alice sends her DH value in the IKE_SA_INIT, so she must guess the DH group that Bob will select from her list.
- If she guesses wrong, Bob will reply with a Notify payload indicating the selected suite.
16 ID (Identification) Payload
- Allows peers to assert an identity to one another.
- Names the identity to be authenticated with the AUTH payload.
- Assigned values for the ID Type field include: ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN (a fully-qualified domain name string), ID_KEY_ID (may be used to pass vendor-specific information) and more.
17 CERT (Certificate) Payload
- Provides a means to transport certificates or other certificate-related information via IKE.
- CERT payloads should be included in an exchange if certificates are available to the sender.
- The Certificate Encoding field indicates the type of certificate contained in the Certificate Data field.
18 CERTREQ (Certificate Request) Payload
- Provides a means to request preferred certificates via IKE.
- Can appear in the first, second, or third message of Phase 1.
- CERTREQ payloads should be included in an exchange whenever the peer may have multiple certificates, some of which might be trusted while others are not.
19 CERTREQ Payload Processing
[Figure: decision flow for processing a CERTREQ. Labels: Certificate Encoding (has / doesn’t have), Certificate Authority (has / doesn’t have), no processing, send it, Not an error condition of the protocol]
20 AUTH (Authentication) Payload
- Contains data used for authentication purposes.
- The Auth Method field specifies the method of authentication used: Digital Signature (1) or Shared Key Message Integrity Code (2).
- The Authentication Data field contains the results from applying the method to the IKE state.
- If the specified authentication method is not supported or validation fails, an error must be sent and the connection closed.
21 Nonce Payload
- Ni – Initiator’s nonce
- Nr – Responder’s nonce
- Contains random data used:
  - In IKE_SA_INIT as inputs to cryptographic functions
  - In CREATE_CHILD_SA to add freshness to the key derivation technique used to obtain keys for CHILD-SAs
- Nonce values must not be reused.
22 N (Notify) Payload
- Used to transmit informational data: error conditions and state transitions.
- May appear in a response message (usually specifying why a request was rejected), or in an Informational Exchange.
23 N (Notify) Payload Fields
- Protocol-Id (1 octet) – specifies the protocol about which this notification is being sent. For phase 2 it will contain an IPsec protocol (AH or ESP); in other cases it must be zero.
- SPI Size (1 octet)
- Notify message type (2 octets) – the type of the notification message (next slide)
- SPI (variable length)
- Notification Data (variable length) – informational or error data transmitted in addition to the Notify Message Type
24 Notify Messages – Error Types
- UNSUPPORTED-CRITICAL-PAYLOAD – sent if the payload has the “critical” bit set and the payload type is not recognized.
- INVALID-SPI – indicates an IKE message was received with an unrecognized destination SPI (usually indicates that the recipient has rebooted and forgotten the existence of an IKE-SA).
25 Notify Messages – Error Types
- INVALID-SYNTAX – indicates that the message was invalid (type, length, or value out of range, or the request was rejected for policy reasons). To avoid a DoS attack using forged messages, this status may only be returned for and in a (valid) encrypted packet.
- INVALID-MESSAGE-ID – sent when a MESSAGE-ID outside the supported window is received.
26 Notify Messages – Error Types
- NO-PROPOSAL-CHOSEN – none of the proposed crypto suites was acceptable.
- AUTHENTICATION-FAILED – sent in response to an IKE_AUTH message when the authentication failed.
- NO-ADDITIONAL-SAS – indicates that a Phase 2 SA request is unacceptable because the Responder is unwilling to accept any more CHILD-SAs on this IKE-SA.
27 Notify Messages – Status Types
- INITIAL-CONTACT – asserts that this IKE-SA is the only IKE-SA currently active between the authenticated identities.
- SET-WINDOW-SIZE – sends the size of the window.
28 D (Delete) Payload
- ESP and AH SAs always exist in pairs.
- To delete an SA, an Informational Exchange with one or more Delete Payloads is sent, listing the SPIs of the SAs to be deleted.
- May be deletion of an IKE-SA or of a CHILD-SA.
29 Vendor ID Payload
- Contains a vendor-defined constant.
- The constant is used by vendors to identify and recognize remote instances of their implementations.
- Allows a vendor to experiment with new features while maintaining backwards compatibility.
30 TS (Traffic Selector) Payload
- Allows endpoints to communicate some of the information from their SPD to their peers.
- 2 TS payloads appear in each of the messages in the exchange that creates the CHILD-SA pair.
- Each traffic selector consists of an address range, a port range and a protocol ID.
31 Encrypted Payload
- Contains other payloads in encrypted form.
- Must be the last payload in a message.
- Often it is the only payload in a message.
32 CP (Configuration Payload)
- Used to exchange configuration information between IKE peers.
34 Rekeying
- SAs should be used for a limited time and protect a limited amount of data.
- Rekeying means reestablishing SAs to take the place of ones that expire.
- Done for both the IKE-SA and CHILD-SAs.
- An IKE-SA created by rekeying inherits all of the original IKE-SA’s CHILD-SAs.
- The new SA should be established before the old one expires and becomes unusable.
35 Error Handling
- Errors that occur before a cryptographically protected IKE-SA is established must be handled very carefully, because they can be part of a DoS attack based on forged messages.
- The frequency of liveness tests for an IKE-SA should be limited to avoid being tricked into participating in a Denial of Service attack.