Header and Payload Formats

The IKE Header Each IKE message begins with the IKE header IKE-SA Initiator’s SPI IKE-SA Responder’s SPI Flags Exchange Type MnVer MjVer Next Payload Message ID Length

The IKE Header The message begins with the IKE header followed by one or more IKE payloads Payloads are processed in the order they appear in the IKE message

The IKE Header Fields Initiator’s SPI¹ (8 octets) – chosen by the Initiator to identify a unique IKE SA. must not be zero Responder’s SPI (8 octets) – chosen by the responder to identify a unique IKE SA. must be zero in the first message of the Initial Exchange and must not be zero in any other message 1. SPI – Security Parameter Index

The IKE Header Fields Next Payload (1 octet) – indicates the type of payload that immediately follows the header Major Version (4 bits) – indicates the major version of the IKE protocol in use. Implementations based on version 2 must reject (or ignore) messages containing a version number greater than 2.

The IKE Header Fields Minor Version (4 octets) – indicates the minor version of the IKE protocol in use. Exchange Type (1 octets) – indicates the type of exchange being used. This dictates the payloads sent in each message and message orderings in the exchanges

The IKE Header Fields Flags (1 octet) R(eserved) (bits 0-2) I(nitiator) (bit 3) – set when the message is from the Original Initiator of the IKE-SA, and cleared otherwise. Used by the recipient to determine whether the message is a request or a response. V(ersion) (bit 4) – indicates that the transmitter is capable of speaking a higher major version number than the one indicated in the major version number field R(eserved) (bits 5-7)

The IKE Header Fields Message Id (4 octets) – used to control retransmission of lost packets and matching requests and responses Length (4 octets) – length of the total message (header + payloads) in octets.

Generic Payload header Length RESERVED C Next Each IKE payload (that will be discussed later) begins with a generic header The construction and processing of the generic payload header is identical for each payload

Generic Payload header Fields Next payload (1 octet) – indicates the type of the next payload in the message In the last payload in the message the field is zero Critical (1 bit) – indicates if the sender wants the receiver to skip (set to 0) or to reject (set to 1) this payload if he doesn’t understand the payload type code. If the recipient understands the code he should ignore this field

Generic Payload header Fields RESERVED (7 bits) Payload Length (2 octets) – length in octets of the current payload, including the generic payload header

SA (Security Association) Payload Used to negotiate attributes of a security association May contain multiple proposals Each proposal includes a Suite-ID which implies one or more protocols and the associated cryptographic algorithms

Proposal Structure Contains a Proposal # , a Suite-ID and the sending entity SPI(s) When the SA is accepted, the SA payload send back must contain a single proposal and its number must match the number in the accepted proposal

KE (Key Exchange) Payload Used to exchange Diffie-Hellman public numbers as part of a DH key exchange The length of the DH public value must be equal to the length of the prime modulus over which the exponentiation was performed (prepending zero bits if necessary)

KE (Key Exchange) Payload Alice sends her DH value in the IKE_SA_INIT, so she must guess the DH group that Bob will select from her list If she guesses wrong, Bob will reply with a Notify payload indicating the selected suite

ID (Identification) payload Allows peers to assert an identity to one another Names the identity to be authenticated with the AUTH payload Assigned values for the ID Type field contain: ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN (a fully-qualified domain name string), ID_KEY_ID (may be used to pass vendor-specific information) and more

CERT (Certificate) Payload Provides a means to transport certificates or other certificate-related information via IKE CERT payloads should be included in an exchange if certificates are available to the sender Certificate Encoding field indicates the type of certificate contained in the Certificate Data field.

CERTREQ (Certificate Request) Payload Provides a means to request preferred certificates via IKE Can appear in the first, second, or third message of Phase 1 CERTREQ payloads should be included in an exchange whenever the peer may have multiple certificates, some of which might be trusted while others not

CERTREQ Payload Processing Certificate Encoding has doesn’t have Certificate Authority has doesn’t have no processing send it Not an error condition of the protocol

AUTH (Authentication) Payload Contains data used for authentication purposes Auth Method field specifies the method of authentication used: Digital Signature (1) or Shared Key Message Integrity Code (2) Authentication Data field contains the results from applying the method to the IKE state If the specified authentication method is not supported or validation fails an error must be sent and the connection closed

Nonce Payload Ni – Initiator’s nonce Nr – Responder’s nonce Contains random data used: In IKE_SA_INIT as inputs to cryptographic functions In CREATE_CHILD_SA to add freshness to the key derivation technique used to obtain keys for CHILD-SAs Nonce values must not be reused

N (Notify) Payload Used to transmit informational data: error conditions and state transitions May appear in a response message (usually specifying why a request was rejected), or in an Informational Exchange

N (Notify) Payload Fields Protocol-Id (1 octet) – specifies the protocol about which this notification is being sent. For phase 2 will contain an IPsec protocol (AH or ESP), in other cases must be zero SPI Size (1 octet) Notify message type (2 octets) – the type of the notification message (next slide) SPI (variable length) Notification Data (variable length) – informational or error data transmitted in addition to the Notify Message Type

Notify Messages – Error Types UNSUPPORTED-CRITICAL-PAYLOAD sent if the payload has the “critical” bit set and the payload type is not recognized INVALID-SPI indicates an IKE message was received with an unrecognized destination SPI (usually indicates that the recipient has rebooted and forgotten the existence of an IKE-SA)

Notify Messages – Error Types INVALID-SYNTAX Indicates that the message was invalid (type, length, or value out of range or the request was rejected for policy reasons) To avoid DOS attack using forged messages, this status may only be returned for and in a (valid) encrypted packet INVALID-MESSAGE-ID sent when received a MESSAGE-ID outside the supported window

Notify Messages – Error Types NO-PROPOSAL-CHOSEN none of the proposed crypto suites was acceptable AUTHENTICATION-FAILED sent in response to an IKE_AUTH message when the authentication failed NO-ADDITIONAL-SAS indicates that Phase 2 SA request is unacceptable because the Responder is unwilling to accept any more CHILD-SAs on this IKE-SA.

Notify Messages – Status Types INITIAL-CONTACT asserts that this IKE-SA is the only IKE-SA currently active between the authenticated identities SET-WINDOW-SIZE sends the size of the window

D (Delete) Payload ESP and AH SAs always exist in pairs To delete an SA, an Informational Exchange with one or more Delete Payloads is sent, listing the SPIs of the SAs to be deleted May be deletion of IKE-SA or of a CHILD-SA

Vendor ID Payload Contains a vendor defined constant the constant is used by vendors to identify and recognize remote instances of their implementations allows a vendor to experiment with new features, while maintaining backwards compatibility

TS (Traffic Selector) Payload Allows endpoints to communicate some of the information from their SPD to their peers 2 TS payloads appear in each of the messages in the exchange that creates the CHILD-SA pair Each traffic selector consists of an address range, a port range and a protocol ID

Encrypted Payload Contains other payloads in encrypted form Must be the last payload in message often it is the only payload in a message

CP (Configuration Payload) Used to exchange configuration information between IKE peers

Some more …

Rekeying SAs should be used for a limited time and protect limited amount of data Rekeying means reestablishment of SAs to take place of ones which expire Done to IKE-SA and CHILD-SA An IKE-SA created inherits all of the original IKE-SA’s CHILD-SAs The new SA should be established before the old one expires and becomes unusable

Error Handling Errors that occur before a cryptographically protected IKE-SA is established must be handled very carefully because it can be a part of a DOS attack based on forged messages The frequency of liveliness tests for IKE-SA should be limited to avoid being tricked into participating in a Denial Of Service attack

THE END