
IKEv2 and SCTP support

IKEv2 does not seem to currently support SCTP along the lines of the 
soon-to-be-issued RFC 3554 (which describes how to do SCTP support in IKEv1).

Briefly, there are two issues:

a) The traffic selectors must allow for a list of addresses to be associated
with each endpoint. This is in fact supported by IKEv2.

b) The IKE and IPsec SAs must be linked to all of the peer's remote addresses.
This means that IKEv2 cannot just use the peer's IP address, but has to either
extract all the addresses from the Traffic Selector or be told explicitly via
the ID payload. IKEv1/SCTP used the latter approach, specifying the ID_LIST
payload for including a list of IP addresses associated with the peer. I
recommend that said payload be included in the IKEv2 draft, and the relevant
language be copied from RFC 3554.

Furthermore, per soon-to-be-issued RFC 3554, the receiver must verify that
the peer actually owns the relevant addresses in the TS payload. This typically
means that these addresses must be contained in the certificate carried in the
CERT payload, or that some policy/configuration mechanism be consulted.
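As an added illustration (not from this message, RFC 3554, or any IKE implementation), the following parses an IKEv2 TS payload body in the draft's wire layout and then applies the ownership check described above: every address in every selector must fall inside the set the receiver has verified for the peer (assumed here to be supplied as strings taken from certificate iPAddress SANs or local policy; the sample selectors are constructed).

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8   # IKEv2 TS types
IPPROTO_SCTP = 132                               # IANA protocol number
_ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}

def encode_ts_payload(selectors):
    """TS payload body: Number of TSs (1), RESERVED (3), then selectors."""
    out = bytearray(struct.pack("!B3x", len(selectors)))
    for proto, sport, eport, start, end in selectors:
        ts_type = TS_IPV4_ADDR_RANGE if start.version == 4 else TS_IPV6_ADDR_RANGE
        length = 8 + 2 * _ADDR_LEN[ts_type]
        # Selector: TS Type, IP protocol ID, Selector Length, ports, addresses.
        out += struct.pack("!BBHHH", ts_type, proto, length, sport, eport)
        out += start.packed + end.packed
    return bytes(out)

def parse_ts_payload(body):
    """Inverse of encode_ts_payload; rejects unknown types and bad lengths."""
    count = body[0]
    off, selectors = 4, []
    for _ in range(count):
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", body, off)
        alen = _ADDR_LEN.get(ts_type)
        if alen is None or length != 8 + 2 * alen:
            raise ValueError("bad traffic selector")
        start = ipaddress.ip_address(body[off + 8:off + 8 + alen])
        end = ipaddress.ip_address(body[off + 8 + alen:off + 8 + 2 * alen])
        selectors.append((proto, sport, eport, start, end))
        off += length
    if off != len(body):
        raise ValueError("trailing bytes in TS payload")
    return selectors

def peer_owns_selectors(selectors, owned):
    """True only if every address covered by every selector is in 'owned'.
    'owned' holds addresses/prefixes the receiver has verified for the peer
    (certificate SANs or configured policy); which source applies is local policy."""
    nets = [ipaddress.ip_network(o) for o in owned]
    for _, _, _, start, end in selectors:
        for chunk in ipaddress.summarize_address_range(start, end):
            if not any(n.version == chunk.version and chunk.subnet_of(n) for n in nets):
                return False
    return True

# Constructed sample: a multihomed SCTP peer listing two of its addresses,
# each as a single-address selector for SCTP on all ports.
_A = ipaddress.ip_address
SAMPLE_SELECTORS = [(IPPROTO_SCTP, 0, 65535, _A("192.0.2.1"), _A("192.0.2.1")),
                    (IPPROTO_SCTP, 0, 65535, _A("198.51.100.7"), _A("198.51.100.7"))]
```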