Header and Payload Formats

The IKE Header

IKE-SA Initiator’s SPI

IKE-SA Responder’s SPI

NextPayload

MjVerMnVerExchange

TypeFlags

Message ID

Length

• Each IKE message begins with the IKE header

The IKE Header

• The message begins with the IKE headerfollowed by one or more IKE payloads

• Payloads are processed in the order they appear in the IKE message

The IKE Header Fields

• Initiator’s SPI¹ (8 octets) – chosen by the Initiator to identify a unique IKE SA.must not be zero

• Responder’s SPI (8 octets) – chosen by the responder to identify a unique IKE SA.must be zero in the first message of the Initial Exchange and must not be zero in any other message

1. SPI – Security Parameter Index

The IKE Header Fields

• Next Payload (1 octet) – indicates the type of payload that immediately follows the header

• Major Version (4 bits) – indicates the major version of the IKE protocol in use.Implementations based on version 2 must reject (or ignore) messages containing a version number greater than 2.

The IKE Header Fields

• Minor Version (4 octets) – indicates the minor version of the IKE protocol in use.

• Exchange Type (1 octets) – indicates the type of exchange being used. This dictates the payloads sent in each message and message orderings in the exchanges

The IKE Header Fields

• Flags (1 octet)– R(eserved) (bits 0-2) – I(nitiator) (bit 3) – set when the message is

from the Original Initiator of the IKE-SA, and cleared otherwise. Used by the recipient to determine whether the message is a request or a response.

– V(ersion) (bit 4) – indicates that the transmitter is capable of speaking a higher major version number than the one indicated in the major version number field

– R(eserved) (bits 5-7)

The IKE Header Fields

• Message Id (4 octets) – used to control retransmission of lost packets and matching requests and responses

• Length (4 octets) – length of the total message (header + payloads) in octets.

Generic Payload header

• Each IKE payload (that will be discussed later) begins with a generic header

• The construction and processing of the generic payload header is identical for each payload

Next

PayloadCRESERVED

Payload

Length

Generic Payload header Fields

• Next payload (1 octet) – indicates the type of the next payload in the messageIn the last payload in the message the field is zero

• Critical (1 bit) – indicates if the sender wants the receiver to skip (set to 0) or to reject (set to 1) this payload if he doesn’t understand the payload type code.If the recipient understands the code he should ignore this field

Generic Payload header Fields

• RESERVED (7 bits)

• Payload Length (2 octets) – length in octets of the current payload, including the generic payload header

SA (Security Association) Payload

• Used to negotiate attributes of a security association

• May contain multiple proposals

• Each proposal includes a Suite-ID which implies one or more protocols and the associated cryptographic algorithms

Proposal Structure

• Contains a Proposal # , a Suite-ID and the sending entity SPI(s)

• When the SA is accepted, the SA payload send back must contain a single proposal and its number must match the number in the accepted proposal

KE (Key Exchange) Payload

• Used to exchange Diffie-Hellman public numbers as part of a DH key exchange

• The length of the DH public value must be equal to the length of the prime modulus over which the exponentiation was performed (prepending zero bits if necessary)

KE (Key Exchange) Payload

• Alice sends her DH value in the IKE_SA_INIT, so she must guess the DH group that Bob will select from her list

• If she guesses wrong, Bob will reply with a Notify payload indicating the selected suite

ID (Identification) payload

• Allows peers to assert an identity to one another

• Names the identity to be authenticated with the AUTH payload

• Assigned values for the ID Type field contain: ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN (a fully-qualified domain name string), ID_KEY_ID (may be used to pass vendor-specific information) and more

CERT (Certificate) Payload

• Provides a means to transport certificates or other certificate-related information via IKE

• CERT payloads should be included in an exchange if certificates are available to the sender

• Certificate Encoding field indicates the type of certificate contained in the Certificate Data field.

CERTREQ (Certificate Request) Payload

• Provides a means to request preferred certificates via IKE

• Can appear in the first, second, or third message of Phase 1

• CERTREQ payloads should be included in an exchange whenever the peer may have multiple certificates,some of which might be trusted while others not

CERTREQ Payload Processing

Certificate Encoding

has

doesn’t have

no processing

Certificate Authority

send it

hasdoesn’t have

Not an error condition of the protocol

AUTH (Authentication) Payload

• Contains data used for authentication purposes • Auth Method field specifies the method of

authentication used: Digital Signature (1) or Shared Key Message Integrity Code (2)

• Authentication Data field contains the results from applying the method to the IKE state

• If the specified authentication method is not supported or validation fails an error must be sent and the connection closed

Nonce Payload

• Ni – Initiator’s nonce• Nr – Responder’s nonce• Contains random data used:

– In IKE_SA_INITas inputs to cryptographic functions

– In CREATE_CHILD_SA to add freshness to the key derivation technique used to obtain keys for CHILD-SAs

• Nonce values must not be reused

N (Notify) Payload

• Used to transmit informational data: error conditions and state transitions

• May appear in a response message (usually specifying why a request was rejected), or in an Informational Exchange

N (Notify) Payload Fields

• Protocol-Id (1 octet) – specifies the protocol about which this notification is being sent. For phase 2 will contain an IPsec protocol (AH or ESP), in other cases must be zero

• SPI Size (1 octet)• Notify message type (2 octets) – the type of the

notification message (next slide)• SPI (variable length)• Notification Data (variable length) –

informational or error data transmitted in addition to the Notify Message Type

Notify Messages – Error Types

• UNSUPPORTED-CRITICAL-PAYLOADsent if the payload has the “critical” bit set and the payload type is not recognized

• INVALID-SPIindicates an IKE message was received with an unrecognized destination SPI(usually indicates that the recipient has rebooted and forgotten the existence of an IKE-SA)

Notify Messages – Error Types

• INVALID-SYNTAXIndicates that the message was invalid (type, length, or value out of range or the request was rejected for policy reasons)To avoid DOS attack using forged messages, this status may only be returned for and in a (valid) encrypted packet

• INVALID-MESSAGE-IDsent when received a MESSAGE-ID outside the supported window

Notify Messages – Error Types

• NO-PROPOSAL-CHOSENnone of the proposed crypto suites was acceptable

• AUTHENTICATION-FAILEDsent in response to an IKE_AUTH message when the authentication failed

• NO-ADDITIONAL-SASindicates that Phase 2 SA request is unacceptable because the Responder is unwilling to accept any more CHILD-SAs on this IKE-SA.

Notify Messages – Status Types

• INITIAL-CONTACTasserts that this IKE-SA is the only IKE-SA currently active between the authenticated identities

• SET-WINDOW-SIZEsends the size of the window

D (Delete) Payload

• ESP and AH SAs always exist in pairs

• To delete an SA, an Informational Exchange with one or more Delete Payloads is sent, listing the SPIs of the SAs to be deleted

• May be deletion of IKE-SA or of a CHILD-SA

Vendor ID Payload

• Contains a vendor defined constant

• the constant is used by vendors to identify and recognize remote instances of their implementations

• allows a vendor to experiment with new features, while maintaining backwards compatibility

TS (Traffic Selector) Payload

• Allows endpoints to communicate some of the information from their SPD to their peers

• 2 TS payloads appear in each of the messages in the exchange that creates the CHILD-SA pair

• Each traffic selector consists of an address range, a port range and a protocol ID

Encrypted Payload

• Contains other payloads in encrypted form

• Must be the last payload in messageoften it is the only payload in a message

CP (Configuration Payload)

• Used to exchange configuration information between IKE peers

Some more…

Rekeying

• SAs should be used for a limited time and protect limited amount of data

• Rekeying means reestablishment of SAs to take place of ones which expire

• Done to IKE-SA and CHILD-SA• An IKE-SA created inherits all of the original

IKE-SA’s CHILD-SAs• The new SA should be established before the

old one expires and becomes unusable

Error Handling

• Errors that occur before a cryptographically protected IKE-SA is established must be handled very carefully because it can be a part of a DOS attack based on forged messages

• The frequency of liveliness tests for IKE-SA should be limited to avoid being tricked into participating in a Denial Of Service attack