IKEv2 features

The following table contains (almost :)) all the features for IKEv2 as specified in RFC4306 and RFC4301. For each feature we list current status in the implementation. Status can be Planned meaning, we have this item on the task list, In development if we are currently working on this item, Supported if support is already in IKEv2 daemon, and None in case we don't have any plans to support that feature.

General features

Feature Requirement Implementation in IKEv2

Randomly chosen nonces MUST Supported

At least 128 bit and half of the key size of the prf MUST Supported

Rekeying of the IKE SAs Supported

Reautentification of the IKE SAs Supported

Protection from DoS attack (COOKIE notify) SHOULD Supported

Window size greater than one MAY In development

Establishing multiple ESP and/or AH SAs within a single IKE_SA MAY Supported

Rekeying of the CHILD SAs MAY Supported

PAD implementation Supported

Explicit Congestion Notification (ECN) MUST Planned

Support for the ECN full-functionality options for tunnel-mode SAs MUST Planned

Liveness check MUST Supported

Delete messages for deleted SA and deleteing all child SAs MUST Supported

Refusing CREATE_CHILD_SA within IKE_SA MAY Supported

Processing incoming requests (for wsize>1) out of order SHOULD Planned

CHILD_SA

Multiple CHILD_SAs beetwen same peers MUST Supported

Interoperability with responder that has TSs configured
as a subset of initiator's TSs MUST Supported

Sending Delete payloads for deleted SAs MUST Supported

KE payload in CREATE_CHILD_SA MAY Planned

In-place rekeying of the SAS SHOULD _

Deleting SA replaced with the surviving rekeyed
SA from the rekeying initiator SHOULD Planned

Negotiation of the IP compression MAY Planned

Traffic selectors

Narrowing TSs to the the first TS if the reponder's
policy does not allow it to the entire initiator's TS set MUST Supported

Accepting some TS subset if responder's policy allow more subsets MUST Planned

First traffic selector in both TSi and TSr with
address from the packet that triggered request SHOULD N/A
(Linux kernel doesn't support PFP flag)

Encapsulating security payload

ESP NULL without authentification algorithm MUST NOT No

Notification payloads

Cookie payload in the IKE_SA_INIT repsonse MAY Supported

Extended Sequence Numbers (ESN)

Use of the ESN SHOULD Planned

Traffic Flow Confidentiality (TFC)

Use of the TFC SHOULD Planned

Perfect Forward Secrecy (PFS)

Forgetting keys and any information that could be used
to recompute keys after closing the connection MUST Planned

Remembering the exponential used by the other peer on
past exchanges to avoid second half of the calculations MAY Planned

Feature	Requirement	Implementation in IKEv2
Randomly chosen nonces	MUST	Supported
At least 128 bit and half of the key size of the prf	MUST	Supported
Rekeying of the IKE SAs		Supported
Reautentification of the IKE SAs		Supported
Protection from DoS attack (COOKIE notify)	SHOULD	Supported
Window size greater than one	MAY	In development
Establishing multiple ESP and/or AH SAs within a single IKE_SA	MAY	Supported
Rekeying of the CHILD SAs	MAY	Supported
PAD implementation		Supported
Explicit Congestion Notification (ECN)	MUST	Planned
Support for the ECN full-functionality options for tunnel-mode SAs	MUST	Planned
Liveness check	MUST	Supported
Delete messages for deleted SA and deleteing all child SAs	MUST	Supported
Refusing CREATE_CHILD_SA within IKE_SA	MAY	Supported
Processing incoming requests (for wsize>1) out of order	SHOULD	Planned
CHILD_SA
Multiple CHILD_SAs beetwen same peers	MUST	Supported
Interoperability with responder that has TSs configured as a subset of initiator's TSs	MUST	Supported
Sending Delete payloads for deleted SAs	MUST	Supported
KE payload in CREATE_CHILD_SA	MAY	Planned
In-place rekeying of the SAS	SHOULD	_
Deleting SA replaced with the surviving rekeyed SA from the rekeying initiator	SHOULD	Planned
Negotiation of the IP compression	MAY	Planned
Traffic selectors
Narrowing TSs to the the first TS if the reponder's policy does not allow it to the entire initiator's TS set	MUST	Supported
Accepting some TS subset if responder's policy allow more subsets	MUST	Planned
First traffic selector in both TSi and TSr with address from the packet that triggered request	SHOULD	N/A (Linux kernel doesn't support PFP flag)
Encapsulating security payload
ESP NULL without authentification algorithm	MUST NOT	No
Notification payloads
Cookie payload in the IKE_SA_INIT repsonse	MAY	Supported
Extended Sequence Numbers (ESN)
Use of the ESN	SHOULD	Planned
Traffic Flow Confidentiality (TFC)
Use of the TFC	SHOULD	Planned
Perfect Forward Secrecy (PFS)
Forgetting keys and any information that could be used to recompute keys after closing the connection	MUST	Planned
Remembering the exponential used by the other peer on past exchanges to avoid second half of the calculations	MAY	Planned

PSK based autentification

Feature (mandatory) Requirement Implementation in IKEv2

Shared key authentication where ID is either
ID_FQDN or ID_RFC822_ADDR MUST Supported

Feature (mandatory)	Requirement	Implementation in IKEv2
Shared key authentication where ID is either ID_FQDN or ID_RFC822_ADDR	MUST	Supported

Certificate based autentification

Feature (mandatory) Requirement Implementation in IKEv2

Hash and URL certificates SHOULD Supported

Authentication based on PKIX Certificates containing
signed RSA keys (1024 or 2048 bits) with ID any of ID_FQDN,
ID_RFC822_ADDR, ID_DER_ASN1_DN, ID_IPV4(6)_ADDR MUST Supported

Conformance with draft-ietf-pki4ipsec-ikecert-profile-12 MUST Supported

Mutual authentication where responder is authenticated
using Certificates and the initiator using shared key authentication MUST Supported

Implementation of PAD database to achieve PKIX authentication
in conformance with RFC4301 and
draft-ietf-pki4ipsec-ikecert-profile-12 MUST Supported

Matching of identity from the ID payload and identity from
PKIX certificate (Subject Name or subjectAltName extension) MUST Supported

Possibility to authenticate peer with his locally stored
PKIX certificate SHOULD Supported

Feature (mandatory)	Requirement	Implementation in IKEv2
Hash and URL certificates	SHOULD	Supported
Authentication based on PKIX Certificates containing signed RSA keys (1024 or 2048 bits) with ID any of ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN, ID_IPV4(6)_ADDR	MUST	Supported
Conformance with draft-ietf-pki4ipsec-ikecert-profile-12	MUST	Supported
Mutual authentication where responder is authenticated using Certificates and the initiator using shared key authentication	MUST	Supported
Implementation of PAD database to achieve PKIX authentication in conformance with RFC4301 and draft-ietf-pki4ipsec-ikecert-profile-12	MUST	Supported
Matching of identity from the ID payload and identity from PKIX certificate (Subject Name or subjectAltName extension)	MUST	Supported
Possibility to authenticate peer with his locally stored PKIX certificate	SHOULD	Supported

EAP autentification

Feature Requirement Implementation in IKEv2

At least one of the methods MD5-Challenge or EAP-SIM MUST Supported (we support many
more EAP methods)

At least one authentication mechanism for IRAS
(local DB, RADIUS) MUST Supported (we support
RADIUS backend)

EAP used in conjunction with a public key signature
authentication MUST In development

Feature	Requirement	Implementation in IKEv2
At least one of the methods MD5-Challenge or EAP-SIM	MUST	Supported (we support many more EAP methods)
At least one authentication mechanism for IRAS (local DB, RADIUS)	MUST	Supported (we support RADIUS backend)
EAP used in conjunction with a public key signature authentication	MUST	In development

Automatic configuration

Feature Requirement Implementation in IKEv2

IRAC requesting the IRAS-controlled
address in the IKE_AUTH MAY In development

(for initiator)
and ignoring them (for responder) MAY Planned

Requesting a temporary IP address on the remote end of a tunnel MAY Planned

Feature	Requirement	Implementation in IKEv2
IRAC requesting the IRAS-controlled address in the IKE_AUTH	MAY	In development
(for initiator) and ignoring them (for responder)	MAY	Planned
Requesting a temporary IP address on the remote end of a tunnel	MAY	Planned

IPv6 specific support

Feature Requirement Implementation in IKEv2

Inserting CFG_REQUEST/CFG_SET in IKE request (for initiator)
and ignoring them (for responder) MAY Planned

Feature	Requirement	Implementation in IKEv2
Inserting CFG_REQUEST/CFG_SET in IKE request (for initiator) and ignoring them (for responder)	MAY	Planned

NAT traversal support

Feature (mandatory) Requirement Implementation in IKEv2

Listen on the port 500 or 4500 MUST Supported

Respond to the source IP address/port from the received IP packet. MUST Supported

Including NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP in the IKE_SA_INIT MUST Supported

Keepalive support MUST Supported

Negotiation of SAs through NAT and tunneling of the resulting
ESP SA over UDP MAY In development

Feature (mandatory)	Requirement	Implementation in IKEv2
Listen on the port 500 or 4500	MUST	Supported
Respond to the source IP address/port from the received IP packet.	MUST	Supported
Including NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP in the IKE_SA_INIT	MUST	Supported
Keepalive support	MUST	Supported
Negotiation of SAs through NAT and tunneling of the resulting ESP SA over UDP	MAY	In development

MOBIKE extensions

Feature Requirement Implementation in IKEv2

MOBIKE support Planned