| < draft-ietf-ipsecme-esp-ah-reqts-01.txt | draft-ietf-ipsecme-esp-ah-reqts-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. McGrew | Network Working Group D. McGrew | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track W. Feghali | Obsoletes: 4835 (if approved) W. Feghali | |||
| Expires: March 10, 2014 Intel Corp. | Intended status: Standards Track Intel Corp. | |||
| P. Hoffman | Expires: September 4, 2014 P. Hoffman | |||
| VPN Consortium | VPN Consortium | |||
| September 06, 2013 | March 3, 2014 | |||
| Cryptographic Algorithm Implementation Requirements and Usage Guidance | Cryptographic Algorithm Implementation Requirements and Usage Guidance | |||
| for Encapsulating Security Payload (ESP) and Authentication Header (AH) | for Encapsulating Security Payload (ESP) and Authentication Header (AH) | |||
| draft-ietf-ipsecme-esp-ah-reqts-01 | draft-ietf-ipsecme-esp-ah-reqts-02 | |||
| Abstract | Abstract | |||
| This Internet Draft is standards track proposal to update to the | This Internet Draft is standards track proposal to update to the | |||
| Cryptographic Algorithm Implementation Requirements for ESP and AH; | Cryptographic Algorithm Implementation Requirements for ESP and AH; | |||
| it also adds usage guidance to help in the selection of these | it also adds usage guidance to help in the selection of these | |||
| algorithms. | algorithms. | |||
| The Encapsulating Security Payload (ESP) and Authentication Header | The Encapsulating Security Payload (ESP) and Authentication Header | |||
| (AH) protocols makes use of various cryptographic algorithms to | (AH) protocols makes use of various cryptographic algorithms to | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 10, 2014. | This Internet-Draft will expire on September 4, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Implementation Requirements . . . . . . . . . . . . . . . . . 4 | 2. Implementation Requirements . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 4 | 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 4 | |||
| 2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 4 | 2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 4 | |||
| 2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 4 | 2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 4 | |||
| 2.4. AH Authentication Algorithms . . . . . . . . . . . . . . 5 | 2.4. AH Authentication Algorithms . . . . . . . . . . . . . . 4 | |||
| 2.5. Summary of Changes . . . . . . . . . . . . . . . . . . . 5 | 2.5. Summary of Changes . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. Authenticated Encryption . . . . . . . . . . . . . . . . 6 | 4.1. Authenticated Encryption . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 6 | 4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 6 | |||
| 4.3. Authentication Transforms . . . . . . . . . . . . . . . . 7 | 4.3. Authentication Transforms . . . . . . . . . . . . . . . . 7 | |||
| 5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 7 | 5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | 9.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| The Encapsulating Security Payload (ESP) [RFC4303] and the | The Encapsulating Security Payload (ESP) [RFC4303] and the | |||
| Authentication Header (AH) [RFC4302] are the mechanisms for applying | Authentication Header (AH) [RFC4302] are the mechanisms for applying | |||
| cryptographic protection to data being sent over an IPsec Security | cryptographic protection to data being sent over an IPsec Security | |||
| Association (SA) [RFC4301]. | Association (SA) [RFC4301]. | |||
| To ensure interoperability between disparate implementations, it is | To ensure interoperability between disparate implementations, it is | |||
| necessary to specify a set of mandatory-to-implement algorithms. | necessary to specify a set of mandatory-to-implement algorithms. | |||
| skipping to change at page 5, line 29 ¶ | skipping to change at page 5, line 26 ¶ | |||
| SHOULD MAY AES-CTR [RFC3686] | SHOULD MAY AES-CTR [RFC3686] | |||
| 3. Usage Guidance | 3. Usage Guidance | |||
| Since ESP and AH can be used in several different ways, this document | Since ESP and AH can be used in several different ways, this document | |||
| provides guidance on the best way to utilize these mechanisms. | provides guidance on the best way to utilize these mechanisms. | |||
| ESP can provide confidentiality, data origin authentication, or the | ESP can provide confidentiality, data origin authentication, or the | |||
| combination of both of those security services. AH provides only | combination of both of those security services. AH provides only | |||
| data origin authentication. Background information on those security | data origin authentication. Background information on those security | |||
| services is available [RFC4949]. In the following, we shorten `data | services is available [RFC4949]. In the following, we shorten "data | |||
| origin authentication' to `authentication'. | origin authentication" to "authentication". | |||
| Both confidentiality and authentication SHOULD be provided. If | Both confidentiality and authentication SHOULD be provided. If | |||
| confidentiality is not needed, then authentication MAY be provided. | confidentiality is not needed, then authentication MAY be provided. | |||
| Confidentiality without authentication is not effective [DP07] and | Confidentiality without authentication is not effective [DP07] and | |||
| SHOULD NOT be used. We describe each of these cases in more detail | SHOULD NOT be used. We describe each of these cases in more detail | |||
| below. | below. | |||
| To provide confidentiality and authentication, an authenticated | To provide confidentiality and authentication, an authenticated | |||
| encryption transform SHOULD be used in ESP, in conjunction with NULL | encryption transform SHOULD be used in ESP, in conjunction with NULL | |||
| authentication. Alternatively, an ESP encryption transform and ESP | authentication. Alternatively, an ESP encryption transform and ESP | |||
| skipping to change at page 9, line 23 ¶ | skipping to change at page 9, line 27 ¶ | |||
| issued from time to time that reflect the current best practice in | issued from time to time that reflect the current best practice in | |||
| this area. | this area. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within | ||||
| ESP and AH", RFC 2403, November 1998. | ||||
| [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within | ||||
| ESP and AH", RFC 2404, November 1998. | ||||
| [RFC2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher | ||||
| Algorithm With Explicit IV", RFC 2405, November 1998. | ||||
| [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and | ||||
| Its Use With IPsec", RFC 2410, November 1998. | ||||
| [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm | ||||
| and Its Use With IPsec", RFC 3566, September 2003. | ||||
| [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher | ||||
| Algorithm and Its Use with IPsec", RFC 3602, September | ||||
| 2003. | ||||
| [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) | ||||
| Counter Mode With IPsec Encapsulating Security Payload | ||||
| (ESP)", RFC 3686, January 2004. | ||||
| [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | ||||
| (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC | ||||
| 4106, June 2005. | ||||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | |||
| 2005. | 2005. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | |||
| 4303, December 2005. | 4303, December 2005. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [B96] Bellovin, S., "Problem areas for the IP security protocols | [B96] Bellovin, S., "Problem areas for the IP security protocols | |||
| (Proceedings of the Sixth Usenix Unix Security | (Proceedings of the Sixth Usenix Unix Security | |||
| Symposium)", 1996. | Symposium)", 1996. | |||
| [DP07] Degabriele, J. and K. Paterson, "Attacking the IPsec | [DP07] Degabriele, J. and K. Paterson, "Attacking the IPsec | |||
| Standards in Encryption-only Configurations (IEEE | Standards in Encryption-only Configurations (IEEE | |||
| Symposium on Privacy and Security)", 2007. | Symposium on Privacy and Security)", 2007. | |||
| [H10] Hoban, A., "Using Intel AES New Instructions and PCLMULQDQ | [H10] Hoban, A., "Using Intel AES New Instructions and PCLMULQDQ | |||
| to Significantly Improve IPSec Performance on Linux ", | to Significantly Improve IPSec Performance on Linux", | |||
| 2010. | 2010. | |||
| [KKGEGD] Kounavis, M., Kang, X., Grewal, K., Eszenyi, M., Gueron, | [KKGEGD] Kounavis, M., Kang, X., Grewal, K., Eszenyi, M., Gueron, | |||
| S., and D. Durham, "Encrypting the Internet (SIGCOMM)", | S., and D. Durham, "Encrypting the Internet (SIGCOMM)", | |||
| 2010. | 2010. | |||
| [M13] McGrew, D., "Impossible plaintext cryptanalysis and | [M13] McGrew, D., "Impossible plaintext cryptanalysis and | |||
| probable-plaintext collision attacks of 64-bit block | probable-plaintext collision attacks of 64-bit block | |||
| cipher modes ", 2012. | cipher modes", 2012. | |||
| [PD10] Paterson, K. and J. Degabriele, "On the (in)security of | [PD10] Paterson, K. and J. Degabriele, "On the (in)security of | |||
| IPsec in MAC-then-encrypt configurations (ACM Conference | IPsec in MAC-then-encrypt configurations (ACM Conference | |||
| on Computer and Communications Security, ACM CCS)", 2010. | on Computer and Communications Security, ACM CCS)", 2010. | |||
| [RFC4305] Eastlake, D., "Cryptographic Algorithm Implementation | [RFC4305] Eastlake, D., "Cryptographic Algorithm Implementation | |||
| Requirements for Encapsulating Security Payload (ESP) and | Requirements for Encapsulating Security Payload (ESP) and | |||
| Authentication Header (AH)", RFC 4305, December 2005. | Authentication Header (AH)", RFC 4305, December 2005. | |||
| [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the | [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the | |||
| Internet Key Exchange Version 2 (IKEv2)", RFC 4307, | Internet Key Exchange Version 2 (IKEv2)", RFC 4307, | |||
| December 2005. | December 2005. | |||
| [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM | ||||
| Mode with IPsec Encapsulating Security Payload (ESP)", RFC | ||||
| 4309, December 2005. | ||||
| [RFC4835] Manral, V., "Cryptographic Algorithm Implementation | [RFC4835] Manral, V., "Cryptographic Algorithm Implementation | |||
| Requirements for Encapsulating Security Payload (ESP) and | Requirements for Encapsulating Security Payload (ESP) and | |||
| Authentication Header (AH)", RFC 4835, April 2007. | Authentication Header (AH)", RFC 4835, April 2007. | |||
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | |||
| 4949, August 2007. | 4949, August 2007. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| End of changes. 13 change blocks. | ||||
| 46 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
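The Section 3 usage guidance shown above (an authenticated encryption transform with NULL authentication is the recommended ESP configuration, authentication-only is allowed, and encryption without authentication SHOULD NOT be used [DP07]) as an added configuration checker. This is example code, not part of either draft; the proposal dict layout and the verdict labels are assumptions, and the transform names are the ones the drafts reference.

```python
# Added example, not text or code from the draft: check IPsec SA proposals
# against the Section 3 usage guidance. Transform names are those the draft
# references; the proposal dict layout is an assumption for illustration.

# Combined-mode transforms (RFC 4106 GCM, RFC 4309 CCM) give both services.
AEAD = {"AES-GCM", "AES-CCM"}
# Plain encryption transforms (RFC 3602, RFC 3686) and NULL (RFC 2410).
ENCR = {"AES-CBC", "AES-CTR", "NULL"}
# Separate authentication transforms (RFC 2404, RFC 3566) and NULL.
INTEG = {"HMAC-SHA1-96", "AES-XCBC-MAC-96", "NULL"}


def classify(proposal):
    """Return (verdict, reason) for one {'proto', 'encr', 'integ'} proposal.
    Verdicts: 'recommended', 'acceptable', 'not recommended', 'invalid'."""
    proto = proposal["proto"]
    encr = proposal.get("encr", "NULL")
    integ = proposal.get("integ", "NULL")
    if proto not in ("ESP", "AH"):
        raise ValueError("unknown protocol %r" % proto)
    if integ not in INTEG or encr not in AEAD | ENCR:
        raise ValueError("unknown transform in %r" % (proposal,))
    if proto == "AH":
        # AH provides data origin authentication only; authentication-only
        # is a MAY in Section 3 when confidentiality is not needed.
        if integ == "NULL":
            return "invalid", "AH needs a real authentication transform"
        return "acceptable", "authentication only (AH)"
    if encr in AEAD:
        # Section 3: an AEAD transform SHOULD be used with NULL authentication.
        if integ == "NULL":
            return "recommended", "authenticated encryption, NULL auth"
        return "acceptable", "authenticated encryption with redundant auth"
    if encr != "NULL" and integ != "NULL":
        # The alternative Section 3 names: separate encryption and
        # authentication transforms still give both services.
        return "acceptable", "encryption plus separate authentication"
    if encr == "NULL" and integ != "NULL":
        return "acceptable", "authentication only (ESP, NULL encryption)"
    if encr != "NULL":
        # Confidentiality without authentication SHOULD NOT be used [DP07].
        return "not recommended", "encryption-only ESP is not effective [DP07]"
    return "invalid", "NULL encryption with NULL authentication"


def audit(proposals):
    """Return (proposal, verdict, reason) for proposals a reviewer should flag."""
    return [(p, *classify(p)) for p in proposals
            if classify(p)[0] in ("not recommended", "invalid")]
```

Feeding `audit()` the proposal list from an IKE daemon's configuration surfaces encryption-only and NULL/NULL SAs before they are negotiated.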