Online Certificate Status Protocol (OCSP) Extensions to IKEv2

Version 2 of the Internet Key Exchange (IKE) protocol supports a range of authentication mechanisms, including the use of public key based authentication. Confirmation of certificate reliability is essential in order to achieve the security assurances public key cryptography provides. One fundamental element of such confirmation is reference to certificate revocation status (see for additional detail). The traditional means of determining certificate revocation status is through the use of Certificate Revocation Lists (CRLs). IKEv2 allows CRLs to be exchanged in-band via the CERT payload. However, CRLs can grow unbounded in size. Many real-world examples exist to demonstrate the impracticality of including a multi-megabyte file in an IKE exchange. This constraint is particularly acute in bandwidth-limited environments (e.g., mobile communications). The net effect is exclusion of in-band CRLs in favor of out-of-band (OOB) acquisition of these data, should they even be used at all. Reliance on OOB methods can be further complicated if access to revocation data requires use of IPsec (and therefore IKE) to establish secure and authorized access to the CRLs of an IKE participant. Such network access deadlock further contributes to a reduced reliance on the status of certificate revocations in favor of blind trust. OCSP offers a useful alternative. The size of an OCSP response is bounded and small and therefore suitable for in-band IKEv2 signaling of a certificate's revocation status. This document defines an extension to IKEv2 that enables the use of OCSP for in-band signaling of certificate revocation status. A new content encoding is defined for use in the CERTREQ and CERT payloads. A CERTREQ payload with "OCSP Content" identifies zero or more trusted OCSP responders and is a request for inclusion of an OCSP response in the IKEv2 handshake. A cooperative recipient of such a request responds with a CERT payload containing the appropriate OCSP response. This content is recognizable via the same "OCSP Content" identifier.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. This document defines the following terms: An OCSP request refers to the CERTREQ payload that contains a new content encoding, referred to as OCSP Content, that conforms to the definition and behavior specified in . An OCSP response refers to the CERT payload that contains a new content encoding, referred to as OCSP Content, that conforms to the definition and behavior specified in . The term OCSP responder refers to the entity that accepts requests from an OCSP client and returns responses as defined in . Note that the OCSP responder does not refer to the party that sends the CERT message.

With reference to Section 3.6 of , the values for the Cert Encoding field of the CERT payload are extended as follows (see also the IANA Considerations section of this document):

A value of OCSP Content (14) in the Cert Encoding field of a CERTREQ Payload indicates the presence of zero or more OCSP responder certificate hashes in the Certificate Authority field of the CERTREQ payload. Section 2.2 of defines responses, which belong to one of the following three groups: the CA who issued the certificate a Trusted Responder whose public key is trusted by the requester a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA In case of (a), the use of hashes in the CERTREQ message is not needed since the OCSP response is signed by the CA who issued the certificate. In case of (c), the OCSP response is signed by the CA Designated Responder whereby the sender of the CERTREQ message does not know the public key in advance. The presence of OCSP Content in a CERTREQ message will identify one or more OCSP responders trusted by the sender in case of (b). The presence of OCSP Content (14) in a CERTREQ message: identifies zero or more OCSP responders trusted by the sender; notifies the recipient of sender's support for the OCSP extension to IKEv2; and notifies the recipient of sender's desire to receive OCSP confirmation in a subsequent CERT payload.

A value of OCSP Content (14) in the Cert Encoding field of a CERT Payload indicates the presence of an OCSP response in the Certificate Data field of the CERT payload. Correlation between an OCSP response CERT payload and a corresponding CERT payload carrying a certificate can be achieved by matching the OCSP response CertID field to the certificate. See for the definition of OCSP response content.

Section 3.7 of allows for the concatenation of trust anchor hashes as the Certification Authority value of a single CERTREQ message. There is no means however to indicate which among those hashes, if present, relates to the certificate of a trusted OCSP responder. Therefore, an OCSP request, as defined in above, is transmitted separate from any other CERTREQ payloads in an IKEv2 exchange. Where it is useful to identify more than one trusted OCSP responder, each such identification SHALL be concatenated in a manner identical to the method documented in Section 3.7 of regarding the assembly of multiple trust anchor hashes. The Certification Authority value in an OCSP request CERTREQ SHALL be computed and produced in a manner identical to that of trust anchor hashes as documented in Section 3.7 of . Upon receipt of an OCSP response CERT payload corresponding to a prior OCSP request CERTREQ, the CERTREQ sender SHALL incorporate the OCSP response into path validation logic defined by . Note that the lack of an OCSP response CERT payload after sending an OCSP request CERT payload might be an indication that this OCSP extension is not supported. As a result, it is recommended that nodes be configured to require a response only if it is known that all peers do in fact support this extension. Otherwise, it is recommended that the nodes be configured to try OCSP and, if there is no response, attempt to determine certificate revocation status by some other means.

Upon receipt of an OCSP request CERTREQ payload, the recipient SHOULD acquire the related OCSP-based assertion and produce and transmit an OCSP response CERT payload corresponding to the certificate needed to verify its signature on IKEv2 payloads. An OCSP response CERT payload is transmitted separate from any other CERT payload in an IKEv2 exchange. The means by which an OCSP response may be acquired for production of an OCSP response CERT payload is out of scope of this document. The Certificate Data field of an OCSP response CERT payload SHALL contain a DER-encoded OCSPResponse structure as defined in .

This section shows the standard IKEv2 message examples with both peers, the initiator and the responder, using public key based authentication, CERTREQ and CERT payloads. The first instance corresponds to Section 1.2 of , the illustrations of which are reproduced below for reference.

Application of the IKEv2 extensions defined in this document to the peer-to-peer exchange defined in Section 1.2 of is as follows. Messages are numbered for ease of reference.

(2) <-- HDR, SAr1, KEr, Nr, CERTREQ(OCSP Request) (3) HDR, SK {IDi, CERT(certificate),--> CERT(OCSP Response), CERTREQ(OCSP Request), [IDr,] AUTH, SAi2, TSi, TSr} (4) <-- HDR, SK {IDr, CERT(certificate), CERT(OCSP Response), AUTH, SAr2, TSi, TSr} ]]> In (2), Responder sends an OCSP request CERTREQ payload identifying zero or more OCSP responders trusted by the Responder. In response, Initiator sends in (3) both a CERT payload carrying its certificate and an OCSP response CERT payload covering that certificate. In (3), Initiator also requests an OCSP response via the OCSP request CERTREQ payload. In (4), the Responder returns its certificate and a separate OCSP response CERT payload covering that certificate. It is important to note that in this scenario, the Responder in (2) does not yet possess the Initiator's certificate and therefore cannot form an OCSP request as defined in . To bypass this problem, hashes are used as defined in . In such instances, OCSP Requests are simply index values into these data. Thus, it is easily inferred that OCSP responses can be produced in the absence of a corresponding request (provided that OCSP nonces are not used, see ). It is also important in extending IKEv2 toward OCSP in this scenario that the Initiator has certain knowledge that the Responder is capable of and willing to participate in the extension. Yet the Responder will only trust one or more OCSP responder signatures. These factors motivate the definition of OCSP responder hash extension.

Another scenario of pressing interest is the use of EAP to accommodate multiple end users seeking enterprise access to an IPsec gateway. Note that OCSP is used for the certificate status check of the server side IKEv2 certificate and not for certificates that may be used within EAP methods (either by the EAP peer or the EAP server). As with the preceding section, the following illustration is extracted from . In the event of a conflict between this document and regarding these illustrations, SHALL dominate.

(2) <-- HDR, SAr1, KEr, Nr (3) HDR, SK {IDi, --> CERTREQ(OCSP Request), [IDr,] AUTH, SAi2, TSi, TSr} (4) <-- HDR, SK {IDr, CERT(certificate), CERT(OCSP Response), AUTH, EAP} (5) HDR, SK {EAP} --> (6) <-- HDR, SK {EAP (success)} (7) HDR, SK {AUTH} --> (8) <-- HDR, SK {AUTH, SAr2, TSi, TSr } ]]> In the EAP scenario, messages (5) through (8) are not relevant to this document.

For the reasons noted above, an OCSP request, as defined in Section 3.1, is used in place of an OCSP request syntax to trigger production and transmission of an OCSP response. OCSP, as defined in , may contain a nonce request extension to improve security against replay attacks (see Section 4.4.1 of for further details). The OCSP request defined by this document cannot accommodate nonces. deals with this aspect by allowing pre-produced responses. points to this replay vulnerability and indicates: "The use of precomputed responses allows replay attacks in which an old (good) response is replayed prior to its expiration date but after the certificate has been revoked. Deployments of OCSP should carefully evaluate the benefit of precomputed responses against the probability of a replay attack and the costs associated with its successful execution." Nodes SHOULD make the required freshness of an OCSP response configurable.

This document defines one new field type for use in the IKEv2 Cert Encoding field of the Certificate Payload format. Official assignment of the "OCSP Content" extension to the Cert Encoding table of Section 3.6 of has been acquired from IANA.

The authors would like to thank Russ Housley for his support. Additionally, we would like to thank Pasi Eronen, Nicolas Williams, Liqiang (Larry) Zhu, Lakshminath Dondeti, and Paul Hoffman for their review. Pasi gave us invaluable last-call comments. We would also like to thank Tom Taylor for his Gen-ART review. Jari Arkko gave us IESG review comments.