1.3 Overview

The Authenticated Internet Protocol (AuthIP) is a keying protocol that is similar to Internet Key Exchange (IKE) version 1 (IKEv1) described in [RFC2409] and Internet Key Exchange (IKEv2)  as specified in [RFC4306]. The Authenticated Internet Protocol uses the same basic protocol constructs and message formats as IKEv1 and IKEv2 and serves the same purpose: peer authentication and keying of authentication header (AH) [RFC4302] and Encapsulating Security Payload (ESP) [RFC4303] security associations (SAs).

The Authenticated Internet Protocol does not interoperate with IKEv1 or IKEv2. The main differences between the Authenticated Internet Protocol, and IKEv1 and IKEv2 are:

  • Two rounds of authentication: The Authenticated Internet Protocol adds an extended mode (EM) exchange to IKE during which a second set of credentials (for example, user credentials) can be negotiated. IKEv1 allows only a single round of authentication. IKEv2 can support multiple rounds of authentication by using the Extensible Authentication Protocol (EAP) described in [RFC4306] section 3.16.

  • Credentials are negotiated per flow: The Authenticated Internet Protocol allows credentials to be negotiated on a per-flow basis. IKEv1 and IKEv2 allow only a single set of credentials for all flows between two peers.

  • Authentication method retry: All the mutually acceptable authentication methods are tried in sequence until one succeeds or all fail. In IKEv1, the first authentication failure causes the entire negotiation to fail. IKEv2 has the same behavior for the non-EAP methods. Authentication retry for EAP is implementation dependent.

  • One-way trust: The Authenticated Internet Protocol allows one-way trust between peers. IKEv1 always requires mutual authentication. IKEv2 can support one-way authentication by using EAP methods that support one-way authentication.

  • Optimized exchanges: The quick mode exchange can overlap with the end of the main mode (MM) exchange. In the optimal configuration, two roundtrips are sufficient to establish quick mode security associations (SAs). IKEv1 requires three roundtrips for the same negotiation. IKEv2 requires only two roundtrips in the optimal configuration.

  • NAT traversal: The Authenticated Internet Protocol uses [RFC3947] when operating over Internet Protocol (IP) v4 and when one or both peers are behind a network address translation (NAT).

In both the Authenticated Internet Protocol and IKE, each negotiation is composed of a series of one or more exchanges. An exchange consists of one request from the initiator, followed by one response from the responder. The initiator starts all exchanges. The roles do not reverse during a negotiation. The initiator and responder go through successive exchanges until the protocol successfully terminates (and quick mode security associations are created); or until the protocol fails (and all corresponding states are deleted). During phase 1, as specified in the Internet Key Exchange of the protocol, a main mode security association (MM SA) is established. The MM SA is used to encrypt additional Authenticated Internet Protocol and IKE traffic. Multiple negotiations can occur over the lifetime of an MM SA.

In both the Authenticated Internet Protocol and IKE, the initiator and responder roles are dynamically determined based on higher-layer events and local policy. After an MM SA is established between peers, either peer can function as the initiator or the responder in subsequent negotiations over the lifetime of the MM SA. Unlike IKE, the Authenticated Internet Protocol maintains the initial initiator or responder relationship over an MM SA lifetime. This is required when AuthIP performs user authentication.

An Authenticated Internet Protocol implementation can support the Internet Key Exchange Protocol Extensions: IKE fragmentation, fast failover, negotiation discovery, dead peer detection, and denial of service protection described in [MS-IKEE].<1>