Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation

Smyslov, Valery

doi:10.17487/rfc7383

“…IKEv2 fragmentation is specified in RFC 7383 [42]. The main difference with the IKEv1 vendor-specific implementations of fragmentation is that IKEv2 fragments are encrypted.…”

Section: Ike Fragmentationmentioning

confidence: 99%

Guide to IPsec VPNs

Barker¹,

Dang²,

Frankel³

et al. 2020

View full text Add to dashboard Cite

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

show abstract

“…IKEv2 fragmentation is specified in RFC 7383 [36]. The main difference with the IKEv1 vendor-specific implementations is that IKEv2 fragments are encrypted.…”

Section: Ike Fragmentationmentioning

confidence: 99%

“…• The source and destination port ranges (0 for all) 36 • A link to the associated SA state • Direction (inbound, outbound, or forward 37 )…”

Section: The Security Policy Database (Spd)mentioning

confidence: 99%

Guide to IPsec VPNs

2019

Preprint

1

0

View full text Add to dashboard Cite

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

show abstract

“…IKE message fragmentation [RFC7383] is not required when using TCP encapsulation, since a TCP stream already handles the fragmentation of its contents across packets. Since fragmentation is redundant in this case, implementations might choose to not negotiate IKE fragmentation.…”

Section: Using Ike Message Fragmentation With Tcp Encapsulationmentioning

confidence: 99%

TCP Encapsulation of IKE and IPsec Packets

Mantha¹,

Touati²,

Pauly³

2017

View full text Add to dashboard Cite

This document describes a method to transport Internet Key Exchange Protocol (IKE) and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as "TCP encapsulation", involves sending both IKE packets for Security Association establishment and Encapsulating Security Payload (ESP) packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP.

show abstract

Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation

Cited by 5 publications

References 5 publications

Guide to IPsec VPNs

Guide to IPsec VPNs

Guide to IPsec VPNs

TCP Encapsulation of IKE and IPsec Packets

Contact Info

Product

Resources

About