IKEv2 support for specifying a Delete notify reason

The IKEv2 protocol supports sending a Delete Notify message, but this message cannot convey the reason why a particular Child SA or IKE SA is being deleted. It can be useful to know why a certain IPsec IKE SA or Child SA was deleted by the peer. Sometimes, when the peer's operator notices a specific SA is down, they have no idea whether this is permanent or temporary problem, and have no idea how long an outage might last. The DELETE_REASON Notify message can be added to any exchange that contains a Delete (42) payload specifying an estimated duration and reason. The initial Delete Reason values are specified in .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

All multi-octet fields representing integers are laid out in big endian order (also known as "most significant byte first", or "network byte order").

Whenever an IKE peer wishes to relay the reason for why it is deleting an IKE SA or one or more IPsec SAs, it MAY include a DELETE_REASON notify payload. The notify payload contains a Reason Type and an optional Reason Message Text. A DELETE_REASON payload MUST be ignored if the exchange does not contain a Delete payload. If multiple Delete payloads are present, the DELETE_REASON message applies to all of these. If separate different reasons should be conveyed for different Child SAs or IKE SA, those Delete messages and their accompanied DELETE_REASON messages should be sent in separate Informational Exchange messages.

(C)ritical bit - MUST be 0. Protocol ID (1 octet) - MUST be 0. MUST be ignored if not 0. SPI Size (1 octet) - MUST be 0. MUST be ignored if not 0. Notify Status Message Type (2 octets) - set to [TBD1] Downtime (2 octets) A value in seconds for the expected downtime. 0 means unspecified. Delete Reason Type (2 octets) - See Delete Reason Text - May be empty. Otherwise a non-NULL terminated UTF-8 or ASCII text.

The following table describes the initial IKEv2 Notify Message Delete Reason Registry values: There is no matching Type. Details should be in the Delete Reason Text field The IKE service is being shut down The IKE service is being restarted The host running the IKE service is being shut down The host running the IKE service is being restarted The Child SA was removed from the peer's configuration The IKE SA was removed from the peer's configuration The SA was brought down by the operator The SA was inactive and brought down automatically by the system A new IKE SA with this peer was established that signaled INITIAL_CONTACT The peers ended up rekeying at once, and this SA lost in favour of the other A new IKE SA with this peer was established for re-authentication purposes The redirection request was accepted and established, obsoleting this old SA The SA reached its local lifetime counter (bytes or seconds or packets) and was not rekeyed in time

Any timing information and reason should be treated as an informational "best effort" message from the peer's operator. A DELETE_REASON message SHOULD NOT change the behaviour of the IKE implementation other than logging the message or triggering an informational or alert message. As with all received free-form text data, the receiver MUST treat the DELETE_REASON notify data as untrusted. It SHOULD strip or replace any characters not deemd regular text, for example the dollar sign ($), braces, backticks and backslashes. The Reason Message MUST NOT be assumed to be safe to display. It MUST NOT be assumed to be NULL terminated, which means common string operations such as strlen() MUST NOT be used without precautions. After the data has been processed and confirmed safe, it can be used for logging or as messages in notification systems.

This document adds one new IKEv2 Notify Message Status Type value and one new IKEv2 registry.

The following Notify Message Status is added:

This document requests IANA create the IKEv2 Notify Message Delete Reason Registry under the Internet Key Exchange Version 2 (IKEv2) Parameters Registry with the following fields and initial values:

The registry values 0-255 are assigned using the Standards Track registration policy. The registry values 256-65279 are assigned using the First Come First Servce registration policy. The registry values 65280-65535 are reserved for Private Use and Experimental Use

The Designated Expert (DE) for this new registry should verify that the entry makes sense within the IKEv2 protocol context and is distinct from existing entries in the registry.

[Note to RFC Editor: Please remove this section and the reference to before publication.] This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". Authors are requested to add a note to the RFC Editor at the top of this section, advising the Editor to remove the entire section before publication, as well as the reference to .

The Libreswan Project https://libreswan.org/ An initial IKE implementation using the Private Use value 40960 for the Notify payload Beta Implements the draft's example reasons GPLv2 TBD Libreswan Development: swan-dev@libreswan.org