TCP Encapsulation of Internet Key Exchange Protocol and IPsec Packets
RFC 9329, “TCP Encapsulation of Internet Key Exchange Protocol and IPsec Packets”, is a Proposed Standard document published in November 2022 by T. Pauly, V. Smyslov. It obsoletes RFC 8229. The canonical text is published by the RFC Editor.
Abstract
This document describes a method to transport Internet Key Exchange Protocol (IKE) and IPsec packets over a TCP connection for traversing network middleboxes that may block IKE negotiation over UDP. This method, referred to as "TCP encapsulation", involves sending both IKE packets for Security Association (SA) establishment and Encapsulating Security Payload (ESP) packets over a TCP connection. This method is intended to be used as a fallback option when IKE cannot be negotiated over UDP.
TCP encapsulation for IKE and IPsec was defined in RFC 8229. This document clarifies the specification for TCP encapsulation by including additional clarifications obtained during implementation and deployment of this method. This documents obsoletes RFC 8229.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9329 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9328 RTP Payload Format for Versatile Video Coding
- RFC 9327 Control Messages Protocol for Use with Network Time Protocol Version 4
- RFC 9326 In Situ Operations, Administration, and Maintenance Direct Exporting
- RFC 9325 Recommendations for Secure Use of Transport Layer Security and Datagram Transport Layer Security
- RFC 9324 Policy Based on the Resource Public Key Infrastructure without Route Refresh
- RFC 9323 A Profile for RPKI Signed Checklists
- RFC 9322 In Situ Operations, Administration, and Maintenance Loopback and Active Flags
- RFC 9336 X.509 Certificate General-Purpose Extended Key Usage for Document Signing