Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731






Network Working Group                                           G. Huang
Request for Comments: 3706                                   S. Beaulieu
Category: Informational                                     D. Rochefort
                                                     Cisco Systems, Inc.
                                                           February 2004


           A Traffic-Based Method of Detecting Dead Internet
                       Key Exchange (IKE) Peers

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document describes the method detecting a dead Internet Key
   Exchange (IKE) peer that is presently in use by a number of vendors.
   The method, called Dead Peer Detection (DPD) uses IPSec traffic
   patterns to minimize the number of IKE messages that are needed to
   confirm liveness.  DPD, like other keepalive mechanisms, is needed to
   determine when to perform IKE peer failover, and to reclaim lost
   resources.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Document Roadmap . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Rationale for Periodic Message Exchange for Proof of
       Liveliness . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Keepalives vs.  Heartbeats . . . . . . . . . . . . . . . . . .  3
       4.1.  Keepalives . . . . . . . . . . . . . . . . . . . . . . .  3
       4.2.  Heartbeats . . . . . . . . . . . . . . . . . . . . . . .  5
   5.  DPD Protocol . . . . . . . . . . . . . . . . . . . . . . . . .  6
       5.1.  DPD Vendor ID. . . . . . . . . . . . . . . . . . . . . .  7
       5.2.  Message Exchanges. . . . . . . . . . . . . . . . . . . .  7
       5.3.  NOTIFY(R-U-THERE/R-U-THERE-ACK) Message Format . . . . .  8
       5.4.  Impetus for DPD Exchange . . . . . . . . . . . . . . . .  9
       5.5.  Implementation Suggestion. . . . . . . . . . . . . . . .  9
       5.6.  Comparisons. . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Resistance to Replay Attack and False Proof of Liveliness. . . 10
       6.1.  Sequence Number in DPD Messages. . . . . . . . . . . . . 10



Huang, et al.                Informational                      [Page 1]

RFC 3706                Detecting Dead IKE Peers           February 2004


       6.2.  Selection and Maintenance of Sequence Numbers. . . . . . 11
   7.  Security Considerations. . . . . . . . . . . . . . . . . . . . 11
   8.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 12
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
       9.1.  Normative Reference. . . . . . . . . . . . . . . . . . . 12
       9.2.  Informative References . . . . . . . . . . . . . . . . . 12
   10. Editors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12
   11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13

1.  Introduction

   When two peers communicate with IKE [2] and IPSec [3], the situation
   may arise in which connectivity between the two goes down
   unexpectedly.  This situation can arise because of routing problems,
   one host rebooting, etc., and in such cases, there is often no way
   for IKE and IPSec to identify the loss of peer connectivity.  As
   such, the SAs can remain until their lifetimes naturally expire,
   resulting in a "black hole" situation where packets are tunneled to
   oblivion.  It is often desirable to recognize black holes as soon as
   possible so that an entity can failover to a different peer quickly.
   Likewise, it is sometimes necessary to detect black holes to recover
   lost resources.

   This problem of detecting a dead IKE peer has been addressed by
   proposals that require sending periodic HELLO/ACK messages to prove
   liveliness.  These schemes tend to be unidirectional (a HELLO only)
   or bidirectional (a HELLO/ACK pair).  For the purpose of this
   document, the term "heartbeat" will refer to a unidirectional message
   to prove liveliness.  Likewise, the term "keepalive" will refer to a
   bidirectional message.

   The problem with current heartbeat and keepalive proposals is their
   reliance upon their messages to be sent at regular intervals.  In the
   implementation, this translates into managing some timer to service
   these message intervals.  Similarly, because rapid detection of the
   dead peer is often desired, these messages must be sent with some
   frequency, again translating into considerable overhead for message
   processing.  In implementations and installations where managing
   large numbers of simultaneous IKE sessions is of concern, these
   regular heartbeats/keepalives prove to be infeasible.

   To this end, a number of vendors have implemented their own approach
   to detect peer liveliness without needing to send messages at regular
   intervals.  This informational document describes the current
   practice of those implementations.  This scheme, called Dead Peer
   Detection (DPD), relies on IKE Notify messages to query the
   liveliness of an IKE peer.




Huang, et al.                Informational                      [Page 2]

RFC 3706                Detecting Dead IKE Peers           February 2004


   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [1].

2.  Document Roadmap

   As mentioned above, there are already proposed solutions to the
   problem of detecting dead peers.  Section 3 elaborates the rationale
   for using an IKE message exchange to query a peer's liveliness.
   Section 4 examines a keepalives-based approach as well as a
   heartbeats-based approach.  Section 5 presents the DPD proposal
   fully, highlighting differences between DPD and the schemes presented
   in Section 4 and emphasizing scalability issues.  Section 6 examines
   security issues surrounding replayed messages and false liveliness.

3.  Rationale for Periodic Message Exchange for Proof of Liveliness

   As the introduction mentioned, it is often necessary to detect that a
   peer is unreachable as soon as possible.  IKE provides no way for
   this to occur -- aside from waiting until the rekey period, then
   attempting (and failing the rekey).  This would result in a period of
   loss connectivity lasting the remainder of the lifetime of the
   security association (SA), and in most deployments, this is
   unacceptable.  As such, a method is needed for checking up on a
   peer's state at will.  Different methods have arisen, usually using
   an IKE Notify to query the peer's liveliness.  These methods rely on
   either a bidirectional "keepalive" message exchange (a HELLO followed
   by an ACK), or a unidirectional "heartbeat" message exchange (a HELLO
   only).  The next section considers both of these schemes.

4.  Keepalives vs. Heartbeats

4.1.  Keepalives:

   Consider a keepalives scheme in which peer A and peer B require
   regular acknowledgements of each other's liveliness.  The messages
   are exchanged by means of an authenticated notify payload.  The two
   peers must agree upon the interval at which keepalives are sent,
   meaning that some negotiation is required during Phase 1.  For any
   prompt failover to be possible, the keepalives must also be sent at
   rather frequent intervals -- around 10 seconds or so.  In this
   hypothetical keepalives scenario, peers A and B agree to exchange
   keepalives every 10 seconds.  Essentially, every 10 seconds, one peer
   must send a HELLO to the other.  This HELLO serves as proof of
   liveliness for the sending entity.  In turn, the other peer must
   acknowledge each keepalive HELLO.  If the 10 seconds elapse, and one
   side has not received a HELLO, it will send the HELLO message itself,
   using the peer's ACK as proof of liveliness.  Receipt of either a



Huang, et al.                Informational                      [Page 3]

RFC 3706                Detecting Dead IKE Peers           February 2004


   HELLO or ACK causes an entity's keepalive timer to reset. Failure to
   receive an ACK in a certain period of time signals an error.  A
   clarification is presented below:

   Scenario 1:
   Peer A's 10-second timer elapses first, and it sends a HELLO to B.
   B responds with an ACK.

   Peer A:                              Peer B:
   10 second timer fires;  ------>
   wants to know that B is alive;
   sends HELLO.
                                      Receives HELLO; acknowledges
                                      A's liveliness;
                            <------   resets keepalive timer, sends
                                      ACK.
   Receives ACK as proof of
   B's liveliness; resets timer.

   Scenario 2:
   Peer A's 10-second timer elapses first, and it sends a HELLO to B.
   B fails to respond.  A can retransmit, in case its initial HELLO is
   lost.  This situation describes how peer A detects its peer is dead.

   Peer A:                              Peer B (dead):

   10 second timer fires;  ------X
   wants to know that B is
   alive; sends HELLO.

   Retransmission timer    ------X
   expires; initial message
   could have been lost in
   transit; A increments
   error counter and
   sends another HELLO.

   ---

   After some number of errors, A assumes B is dead; deletes SAs and
   possibly initiates failover.

   An advantage of this scheme is that the party interested in the other
   peer's liveliness begins the message exchange.  In Scenario 1, peer A
   is interested in peer B's liveliness, and peer A consequently sends






Huang, et al.                Informational                      [Page 4]

RFC 3706                Detecting Dead IKE Peers           February 2004


   the HELLO.  It is conceivable in such a scheme that peer B would
   never be interested in peer A's liveliness.  In such a case, the onus
   would always lie on peer A to initiate the exchange.

4.2.  Heartbeats:

   By contrast, consider a proof-of-liveliness scheme involving
   unidirectional (unacknowledged) messages.  An entity interested in
   its peer's liveliness would rely on the peer itself to send periodic
   messages demonstrating liveliness.  In such a scheme, the message
   exchange might look like this:

   Scenario 3: Peer A and Peer B are interested in each other's
   liveliness.  Each peer depends on the other to send periodic HELLOs.


   Peer A:                              Peer B:
   10 second timer fires;  ------>
   sends HELLO.  Timer also
   signals expectation of
   B's HELLO.
                                         Receives HELLO as proof of A's
                                         liveliness.

                               <------   10 second timer fires; sends
                                         HELLO.
   Receives HELLO as proof
   of B's liveliness.

   Scenario 4:
   Peer A fails to receive HELLO from B and marks the peer dead.  This
   is how an entity detects its peer is dead.

   Peer A:                              Peer B (dead):
   10 second timer fires;  ------X
   sends HELLO.  Timer also
   signals expectation of
   B's HELLO.

   ---

   Some time passes and A assumes B is dead.

   The disadvantage of this scheme is the reliance upon the peer to
   demonstrate liveliness.  To this end, peer B might never be
   interested in peer A's liveliness.  Nonetheless, if A is interested
   B's liveliness, B must be aware of this, and maintain the necessary
   state information to send periodic HELLOs to A.  The disadvantage of



Huang, et al.                Informational                      [Page 5]

RFC 3706                Detecting Dead IKE Peers           February 2004


   such a scheme becomes clear in the remote-access scenario.  Consider
   a VPN aggregator that terminates a large number of sessions (on the
   order of 50,000 peers or so).  Each peer requires fairly rapid
   failover, therefore requiring the aggregator to send HELLO packets
   every 10 seconds or so.  Such a scheme simply lacks scalability, as
   the aggregator must send 50,000 messages every few seconds.

   In both of these schemes (keepalives and heartbeats), some
   negotiation of message interval must occur, so that each entity can
   know how often its peer expects a HELLO.  This immediately adds a
   degree of complexity.  Similarly, the need to send periodic messages
   (regardless of other IPSec/IKE activity), also increases
   computational overhead to the system.

5.  DPD Protocol

   DPD addresses the shortcomings of IKE keepalives- and heartbeats-
   schemes by introducing a more reasonable logic governing message
   exchange.  Essentially, keepalives and heartbeats mandate exchange of
   HELLOs at regular intervals.  By contrast, with DPD, each peer's DPD
   state is largely independent of the other's.  A peer is free to
   request proof of liveliness when it needs it -- not at mandated
   intervals.  This asynchronous property of DPD exchanges allows fewer
   messages to be sent, and this is how DPD achieves greater
   scalability.

   As an elaboration, consider two DPD peers A and B.  If there is
   ongoing valid IPSec traffic between the two, there is little need for
   proof of liveliness.  The IPSec traffic itself serves as the proof of
   liveliness.  If, on the other hand, a period of time lapses during
   which no packet exchange occurs, the liveliness of each peer is
   questionable.  Knowledge of the peer's liveliness, however, is only
   urgently necessary if there is traffic to be sent.  For example, if
   peer A has some IPSec packets to send after the period of idleness,
   it will need to know if peer B is still alive.  At this point, peer A
   can initiate the DPD exchange.

   To this end, each peer may have different requirements for detecting
   proof of liveliness.  Peer A, for example, may require rapid
   failover, whereas peer B's requirements for resource cleanup are less
   urgent.  In DPD, each peer can define its own "worry metric" - an
   interval that defines the urgency of the DPD exchange. Continuing the
   example, peer A might define its DPD interval to be 10 seconds.
   Then, if peer A sends outbound IPSec traffic, but fails to receive
   any inbound traffic for 10 seconds, it can initiate a DPD exchange.






Huang, et al.                Informational                      [Page 6]

RFC 3706                Detecting Dead IKE Peers           February 2004


   Peer B, on the other hand, defines its less urgent DPD interval to be
   5 minutes.  If the IPSec session is idle for 5 minutes, peer B can
   initiate a DPD exchange the next time it sends IPSec packets to A.

   It is important to note that the decision about when to initiate a
   DPD exchange is implementation specific.  An implementation might
   even define the DPD messages to be at regular intervals following
   idle periods.  See section 5.5 for more implementation suggestions.

5.1.  DPD Vendor ID

   To demonstrate DPD capability, an entity must send the DPD vendor ID.
   Both peers of an IKE session MUST send the DPD vendor ID before DPD
   exchanges can begin.  The format of the DPD Vendor ID is:

                                     1
                0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                !                           !M!M!
                !      HASHED_VENDOR_ID     !J!N!
                !                           !R!R!
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   where HASHED_VENDOR_ID = {0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1,
   0xC9, 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57}, and MJR and MNR correspond
   to the current major and minor version of this protocol (1 and 0
   respectively).  An IKE peer MUST send the Vendor ID if it wishes to
   take part in DPD exchanges.

5.2.  Message Exchanges

   The DPD exchange is a bidirectional (HELLO/ACK) Notify message.  The
   exchange is defined as:

            Sender                                      Responder
           --------                                    -----------
   HDR*, NOTIFY(R-U-THERE), HASH   ------>

                                 <------    HDR*, NOTIFY(R-U-THERE-
                                            ACK), HASH











Huang, et al.                Informational                      [Page 7]

RFC 3706                Detecting Dead IKE Peers           February 2004


   The R-U-THERE message corresponds to a "HELLO" and the R-U-THERE-ACK
   corresponds to an "ACK."  Both messages are simply ISAKMP Notify
   payloads, and as such, this document defines these two new ISAKMP
   Notify message types:

      Notify                      Message Value
      R-U-THERE                   36136
      R-U-THERE-ACK               36137

   An entity that has sent the DPD Vendor ID MUST respond to an R-U-
   THERE query.  Furthermore, an entity MUST reject unencrypted R-U-
   THERE and R-U-THERE-ACK messages.

5.3.  NOTIFY(R-U-THERE/R-U-THERE-ACK) Message Format

   When sent, the R-U-THERE message MUST take the following form:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ! Next Payload  !   RESERVED    !         Payload Length        !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !              Domain of Interpretation  (DOI)                  !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !  Protocol-ID  !    SPI Size   !      Notify Message Type      !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !                                                               !
   ~                Security Parameter Index (SPI)                 ~
   !                                                               !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !                    Notification Data                          !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   As this message is an ISAKMP NOTIFY, the Next Payload, RESERVED, and
   Payload Length fields should be set accordingly.  The remaining
   fields are set as:

   -  Domain of Interpretation (4 octets) - SHOULD be set to IPSEC-DOI.

   -  Protocol ID (1 octet) - MUST be set to the protocol ID for ISAKMP.

   -  SPI Size (1 octet) - SHOULD be set to sixteen (16), the length of
      two octet-sized ISAKMP cookies.

   -  Notify Message Type (2 octets) - MUST be set to R-U-THERE






Huang, et al.                Informational                      [Page 8]

RFC 3706                Detecting Dead IKE Peers           February 2004


   -  Security Parameter Index (16 octets) - SHOULD be set to the
      cookies of the Initiator and Responder of the IKE SA (in that
      order)

   -  Notification Data (4 octets) - MUST be set to the sequence number
      corresponding to this message

   The format of the R-U-THERE-ACK message is the same, with the
   exception that the Notify Message Type MUST be set to R-U-THERE-ACK.
   Again, the Notification Data MUST be sent to the sequence number
   corresponding to the received R-U-THERE message.

5.4.  Impetus for DPD Exchange

   Again, rather than relying on some negotiated time interval to force
   the exchange of messages, DPD does not mandate the exchange of R-U-
   THERE messages at any time.  Instead, an IKE peer SHOULD send an R-
   U-THERE query to its peer only if it is interested in the liveliness
   of this peer.  To this end, if traffic is regularly exchanged between
   two peers, either peer SHOULD use this traffic as proof of
   liveliness, and both peers SHOULD NOT initiate a DPD exchange.

   A peer MUST keep track of the state of a given DPD exchange.  That
   is, once it has sent an R-U-THERE query, it expects an ACK in
   response within some implementation-defined period of time.  An
   implementation SHOULD retransmit R-U-THERE queries when it fails to
   receive an ACK.  After some number of retransmitted messages, an
   implementation SHOULD assume its peer to be unreachable and delete
   IPSec and IKE SAs to the peer.

5.5.  Implementation Suggestion

   Since the liveliness of a peer is only questionable when no traffic
   is exchanged, a viable implementation might begin by monitoring
   idleness.  Along these lines, a peer's liveliness is only important
   when there is outbound traffic to be sent.  To this end, an
   implementation can initiate a DPD exchange (i.e., send an R-U-THERE
   message) when there has been some period of idleness, followed by the
   desire to send outbound traffic.  Likewise, an entity can initiate a
   DPD exchange if it has sent outbound IPSec traffic, but not received
   any inbound IPSec packets in response.  A complete DPD exchange
   (i.e., transmission of R-U-THERE and receipt of corresponding R-U-
   THERE-ACK) will serve as proof of liveliness until the next idle
   period.

   Again, since DPD does not mandate any interval, this "idle period"
   (or "worry metric") is left as an implementation decision.  It is not
   a negotiated value.



Huang, et al.                Informational                      [Page 9]

RFC 3706                Detecting Dead IKE Peers           February 2004


5.6.  Comparisons

   The performance benefit that DPD offers over traditional keepalives-
   and heartbeats-schemes comes from the fact that regular messages do
   not need to be sent.  Returning to the examples presented in section
   4.1, a keepalive implementation such as the one presented would
   require one timer to signal when to send a HELLO message and another
   timer to "timeout" the ACK from the peer (this could also be the
   retransmit timer).  Similarly, a heartbeats scheme such as the one
   presented in section 4.2 would need to keep one timer to signal when
   to send a HELLO, as well as another timer to signal the expectation
   of a HELLO from the peer.  By contrast a DPD scheme needs to keep a
   timestamp to keep track of the last received traffic from the peer
   (thus marking beginning of the "idle period").  Once a DPD R-U-THERE
   message has been sent, an implementation need only maintain a timer
   to signal retransmission.  Thus, the need to maintain active timer
   state is reduced, resulting in a scalability improvement (assuming
   maintaining a timestamp is less costly than an active timer).
   Furthermore, since a DPD exchange only occurs if an entity has not
   received traffic recently from its peer, the number of IKE messages
   to be sent and processed is also reduced.  As a consequence, the
   scalability of DPD is much better than keepalives and heartbeats.

   DPD maintains the HELLO/ACK model presented by keepalives, as it
   follows that an exchange is initiated only by an entity interested in
   the liveliness of its peer.

6.  Resistance to Replay Attack and False Proof of Liveliness

6.1.  Sequence Number in DPD Messages

   To guard against message replay attacks and false proof of
   liveliness, a 32-bit sequence number MUST be presented with each R-
   U-THERE message.  A responder to an R-U-THERE message MUST send an
   R-U-THERE-ACK with the same sequence number.  Upon receipt of the R-
   U-THERE-ACK message, the initial sender SHOULD check the validity of
   the sequence number.  The initial sender SHOULD reject the R-U-
   THERE-ACK if the sequence number fails to match the one sent with the
   R-U-THERE message.

   Additionally, both the receiver of the R-U-THERE and the R-U-THERE-
   ACK message SHOULD check the validity of the Initiator and Responder
   cookies presented in the SPI field of the payload.








Huang, et al.                Informational                     [Page 10]

RFC 3706                Detecting Dead IKE Peers           February 2004


6.2.  Selection and Maintenance of Sequence Numbers

   As both DPD peers can initiate a DPD exchange (i.e., both peers can
   send R-U-THERE messages), each peer MUST maintain its own sequence
   number for R-U-THERE messages.  The first R-U-THERE message sent in a
   session MUST be a randomly chosen number.  To prevent rolling past
   overflowing the 32-bit boundary, the high-bit of the sequence number
   initially SHOULD be set to zero.  Subsequent R-U-THERE messages MUST
   increment the sequence number by one.  Sequence numbers MAY reset at
   the expiry of the IKE SA, moving to a newly chosen random number.
   Each entity SHOULD also maintain its peer's R-U-THERE sequence
   number, and an entity SHOULD reject the R-U-THERE message if it fails
   to match the expected sequence number.

   Implementations MAY maintain a window of acceptable sequence numbers,
   but this specification makes no assumptions about how this is done.
   Again, it is an implementation specific detail.

7.  Security Considerations

   As the previous section highlighted, DPD uses sequence numbers to
   ensure liveliness.  This section describes the advantages of using
   sequence numbers over random nonces to ensure liveliness.

   While sequence numbers do require entities to keep per-peer state,
   they also provide an added method of protection in certain replay
   attacks.  Consider a case where peer A sends peer B a valid DPD R-U-
   THERE message.  An attacker C can intercept this message and flood B
   with multiple copies of the messages.  B will have to decrypt and
   process each packet (regardless of whether sequence numbers or nonces
   are in use).  With sequence numbers B can detect that the packets are
   replayed: the sequence numbers in these replayed packets will not
   match the incremented sequence number that B expects to receive from
   A.  This prevents B from needing to build, encrypt, and send ACKs.
   By contrast, if the DPD protocol used nonces, it would provide no way
   for B to detect that the messages are replayed (unless B maintained a
   list of recently received nonces).

   Another benefit of sequence numbers is that it adds an extra
   assurance of the peer's liveliness.  As long as a receiver verifies
   the validity of a DPD R-U-THERE message (by verifying its incremented
   sequence number), then the receiver can be assured of the peer's
   liveliness by the very fact that the sender initiated the query.
   Nonces, by contrast, cannot provide this assurance.







Huang, et al.                Informational                     [Page 11]

RFC 3706                Detecting Dead IKE Peers           February 2004


8.  IANA Considerations

   There is no IANA action required for this document.  DPD uses notify
   numbers from the private range.

9.  References

9.1.  Normative Reference

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

9.2.  Informative References

   [2]  Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
        RFC 2409, November 1998.

   [3]  Kent, S. and R. Atkinson, "Security Architecture for the
        Internet Protocol", RFC 2401, November 1998.

10.  Editors' Addresses

   Geoffrey Huang
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134

   Phone: (408) 525-5354
   EMail: ghuang@cisco.com


   Stephane Beaulieu
   Cisco Systems, Inc.
   2000 Innovation Drive
   Kanata, ON
   Canada, K2K 3E8

   Phone: (613) 254-3678
   EMail: stephane@cisco.com


   Dany Rochefort
   Cisco Systems, Inc.
   124 Grove Street, Suite 205
   Franklin, MA 02038

   Phone: (508) 553-8644
   EMail: danyr@cisco.com



Huang, et al.                Informational                     [Page 12]

RFC 3706                Detecting Dead IKE Peers           February 2004


11.  Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78 and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.









Huang, et al.                Informational                     [Page 13]