| < draft-ietf-ipsecme-rfc4307bis-09.txt | draft-ietf-ipsecme-rfc4307bis-10.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Obsoletes: 4307 (if approved) T. Kivinen | Obsoletes: 4307 (if approved) T. Kivinen | |||
| Updates: 7296 (if approved) INSIDE Secure | Updates: 7296 (if approved) INSIDE Secure | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: November 14, 2016 Red Hat | Expires: January 21, 2017 Red Hat | |||
| D. Migault | D. Migault | |||
| Ericsson | Ericsson | |||
| May 13, 2016 | July 20, 2016 | |||
| Algorithm Implementation Requirements and Usage Guidance for IKEv2 | Algorithm Implementation Requirements and Usage Guidance for IKEv2 | |||
| draft-ietf-ipsecme-rfc4307bis-09 | draft-ietf-ipsecme-rfc4307bis-10 | |||
| Abstract | Abstract | |||
| The IPsec series of protocols makes use of various cryptographic | The IPsec series of protocols makes use of various cryptographic | |||
| algorithms in order to provide security services. The Internet Key | algorithms in order to provide security services. The Internet Key | |||
| Exchange (IKE) protocol is used to negotiate the IPsec Security | Exchange (IKE) protocol is used to negotiate the IPsec Security | |||
| Association (IPsec SA) parameters, such as which algorithms should be | Association (IPsec SA) parameters, such as which algorithms should be | |||
| used. To ensure interoperability between different implementations, | used. To ensure interoperability between different implementations, | |||
| it is necessary to specify a set of algorithm implementation | it is necessary to specify a set of algorithm implementation | |||
| requirements and usage guidance to ensure that there is at least one | requirements and usage guidance to ensure that there is at least one | |||
| algorithm that all implementations support. This document defines | algorithm that all implementations support. This document defines | |||
| the current algorithm implementation requirements and usage guidance | the current algorithm implementation requirements and usage guidance | |||
| for IKEv2. This document does not update the algorithms used for | for IKEv2 and does minor cleaning up of IKEv2 IANA registry. This | |||
| packet encryption using IPsec Encapsulated Security Payload (ESP). | document does not update the algorithms used for packet encryption | |||
| using IPsec Encapsulated Security Payload (ESP). | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 14, 2016. | This Internet-Draft will expire on January 21, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 40 ¶ | skipping to change at page 2, line 40 ¶ | |||
| 3.2. Type 2 - IKEv2 Pseudo-random Function Transforms . . . . 7 | 3.2. Type 2 - IKEv2 Pseudo-random Function Transforms . . . . 7 | |||
| 3.3. Type 3 - IKEv2 Integrity Algorithm Transforms . . . . . . 8 | 3.3. Type 3 - IKEv2 Integrity Algorithm Transforms . . . . . . 8 | |||
| 3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms . . . . . 9 | 3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms . . . . . 9 | |||
| 4. IKEv2 Authentication . . . . . . . . . . . . . . . . . . . . 10 | 4. IKEv2 Authentication . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.1. IKEv2 Authentication Method . . . . . . . . . . . . . . . 10 | 4.1. IKEv2 Authentication Method . . . . . . . . . . . . . . . 10 | |||
| 4.1.1. Recommendations for RSA key length . . . . . . . . . 11 | 4.1.1. Recommendations for RSA key length . . . . . . . . . 11 | |||
| 4.2. Digital Signature Recommendations . . . . . . . . . . . . 12 | 4.2. Digital Signature Recommendations . . . . . . . . . . . . 12 | |||
| 5. Algorithms for Internet of Things . . . . . . . . . . . . . . 12 | 5. Algorithms for Internet of Things . . . . . . . . . . . . . . 12 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction | 1. Introduction | |||
| The Internet Key Exchange (IKE) protocol [RFC7296] is used to | The Internet Key Exchange (IKE) protocol [RFC7296] is used to | |||
| negotiate the parameters of the IPsec SA, such as the encryption and | negotiate the parameters of the IPsec SA, such as the encryption and | |||
| authentication algorithms and the keys for the protected | authentication algorithms and the keys for the protected | |||
| communications between the two endpoints. The IKE protocol itself is | communications between the two endpoints. The IKE protocol itself is | |||
| also protected by cryptographic algorithms which are negotiated | also protected by cryptographic algorithms which are negotiated | |||
| between the two endpoints using IKE. Different implementations of | between the two endpoints using IKE. Different implementations of | |||
| IKE may negotiate different algorithms based on their individual | IKE may negotiate different algorithms based on their individual | |||
| skipping to change at page 6, line 5 ¶ | skipping to change at page 6, line 5 ¶ | |||
| 3.1. Type 1 - IKEv2 Encryption Algorithm Transforms | 3.1. Type 1 - IKEv2 Encryption Algorithm Transforms | |||
| The algorithms in the below table are negotiated in the SA payload | The algorithms in the below table are negotiated in the SA payload | |||
| and used for the Encrypted Payload. References to the specification | and used for the Encrypted Payload. References to the specification | |||
| defining these algorithms and the ones in the following subsections | defining these algorithms and the ones in the following subsections | |||
| are in the IANA registry [IKEV2-IANA]. Some of these algorithms are | are in the IANA registry [IKEV2-IANA]. Some of these algorithms are | |||
| Authenticated Encryption with Associated Data (AEAD - [RFC5282]). | Authenticated Encryption with Associated Data (AEAD - [RFC5282]). | |||
| Algorithms that are not AEAD MUST be used in conjunction with an | Algorithms that are not AEAD MUST be used in conjunction with an | |||
| integrity algorithms in Section 3.3. | integrity algorithms in Section 3.3. | |||
| +-----------------------------+----------+-------+----------+ | +------------------------+----------+-------+----------+ | |||
| | Name | Status | AEAD? | Comment | | | Name | Status | AEAD? | Comment | | |||
| +-----------------------------+----------+-------+----------+ | +------------------------+----------+-------+----------+ | |||
| | ENCR_AES_CBC | MUST- | No | [1] | | | ENCR_AES_CBC | MUST | No | [1] | | |||
| | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | | | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | | |||
| | AES-GCM with a 16 octet ICV | SHOULD | Yes | [1] | | | ENCR_AES_GCM_16 | SHOULD | Yes | [1] | | |||
| | ENCR_AES_CCM_8 | SHOULD | Yes | [1][IoT] | | | ENCR_AES_CCM_8 | SHOULD | Yes | [1][IoT] | | |||
| | ENCR_3DES | MAY | No | | | | ENCR_3DES | MAY | No | | | |||
| | ENCR_DES | MUST NOT | No | | | | ENCR_DES | MUST NOT | No | | | |||
| +-----------------------------+----------+-------+----------+ | +------------------------+----------+-------+----------+ | |||
| [1] - This requirement level is for 128-bit keys. 256-bit keys are at | [1] - This requirement level is for 128-bit keys. 256-bit keys are at | |||
| SHOULD. 192-bit keys can safely be ignored. [IoT] - This requirement | SHOULD. 192-bit keys can safely be ignored. [IoT] - This requirement | |||
| is for interoperability with IoT. | is for interoperability with IoT. | |||
| ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the | ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the | |||
| only shared mandatory-to-implement algorithm with RFC4307 and as a | only shared mandatory-to-implement algorithm with RFC4307 and as a | |||
| result it is necessary for interoperability with IKEv2 implementation | result it is necessary for interoperability with IKEv2 implementation | |||
| compatible with RFC4307. | compatible with RFC4307. | |||
| ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of | ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of | |||
| RFC4307. It has been recommended by the CRFG and others as an | RFC4307. It has been recommended by the CRFG and others as an | |||
| alternative to AES-CBC and AES-GCM. It is also being standardized | alternative to AES-CBC and AES-GCM. It is also being standardized | |||
| for IPsec for the same reasons. At the time of writing, there were | for IPsec for the same reasons. At the time of writing, there were | |||
| not enough IKEv2 implementations supporting ENCR_CHACHA20_POLY1305 to | not enough IKEv2 implementations supporting ENCR_CHACHA20_POLY1305 to | |||
| be able to introduce it at the SHOULD+ level. | be able to introduce it at the SHOULD+ level. | |||
| AES-GCM with a 16 octet ICV was not considered in RFC4307. At the | ENCR_AES_GCM_16 was not considered in RFC4307. At the time RFC4307 | |||
| time RFC4307 was written, AES-GCM was not defined in an IETF | was written, AES-GCM was not defined in an IETF document. AES-GCM | |||
| document. AES-GCM was defined for ESP in [RFC4106] and later for | was defined for ESP in [RFC4106] and later for IKEv2 in [RFC5282]. | |||
| IKEv2 in [RFC5282]. The main motivation for adopting AES-GCM for ESP | The main motivation for adopting AES-GCM for ESP is encryption | |||
| is encryption performance and key longevity compared to AES-CBC. | performance and key longevity compared to AES-CBC. This resulted in | |||
| This resulted in AES-GCM being widely implemented for ESP. As the | AES-GCM being widely implemented for ESP. As the computation load of | |||
| computation load of IKEv2 is relatively small compared to ESP, many | IKEv2 is relatively small compared to ESP, many IKEv2 implementations | |||
| IKEv2 implementations have not implemented AES-GCM. For this reason, | have not implemented AES-GCM. For this reason, AES-GCM is not | |||
| AES-GCM is not promoted to a greater status than SHOULD. The reason | promoted to a greater status than SHOULD. The reason for promotion | |||
| for promotion from MAY to SHOULD is to promote the slightly more | from MAY to SHOULD is to promote the slightly more secure AEAD method | |||
| secure AEAD method over the traditional encrypt+auth method. Its | over the traditional encrypt+auth method. Its status is expected to | |||
| status is expected to be raised once widely implemented. As the | be raised once widely implemented. As the advantage of the shorter | |||
| advantage of the shorter (and weaker) ICVs is minimal, the 8 and 12 | (and weaker) ICVs is minimal, the 8 and 12 octet ICV's remain at the | |||
| octet ICV's remain at the MAY level. | MAY level. | |||
| ENCR_AES_CCM_8 was not considered in RFC4307. This document | ENCR_AES_CCM_8 was not considered in RFC4307. This document | |||
| considers it as SHOULD be implemented in order to be able to interact | considers it as SHOULD be implemented in order to be able to interact | |||
| with Internet of Things devices. As this case is not a general use | with Internet of Things devices. As this case is not a general use | |||
| case for non-IoT VPNs, its status is expected to remain as SHOULD. | case for non-IoT VPNs, its status is expected to remain as SHOULD. | |||
| The 8 octet size of the ICV is expected to be sufficient for most use | The 8 octet size of the ICV is expected to be sufficient for most use | |||
| cases of IKEv2, as far less packets are exchanged on those cases, and | cases of IKEv2, as far less packets are exchanged on those cases, and | |||
| IoT devices want to make packets as small as possible. When | IoT devices want to make packets as small as possible. When | |||
| implemented, ENCR_AES_CCM_8 MUST be implemented for key length 128 | implemented, ENCR_AES_CCM_8 MUST be implemented for key length 128 | |||
| and MAY be implemented for key length 256. | and MAY be implemented for key length 256. | |||
| skipping to change at page 14, line 14 ¶ | skipping to change at page 14, line 14 ¶ | |||
| "mandatory-to-implement" algorithms. The algorithms identified in | "mandatory-to-implement" algorithms. The algorithms identified in | |||
| this document as "MUST implement" or "SHOULD implement" are not known | this document as "MUST implement" or "SHOULD implement" are not known | |||
| to be broken at the current time, and cryptographic research so far | to be broken at the current time, and cryptographic research so far | |||
| leads us to believe that they will likely remain secure into the | leads us to believe that they will likely remain secure into the | |||
| foreseeable future. However, this isn't necessarily forever and it | foreseeable future. However, this isn't necessarily forever and it | |||
| is expected that new revisions of this document will be issued from | is expected that new revisions of this document will be issued from | |||
| time to time to reflect the current best practice in this area. | time to time to reflect the current best practice in this area. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document makes no requests of IANA. | This document renames some of the names in the "Transform Type 1 - | |||
| Encryption Algorithm Transform IDs" registry of the "Internet Key | ||||
| Exchange Version 2 (IKEv2) Parameters". All the other names have | ||||
| ENCR_ prefix except 3, and all other entries use names in format of | ||||
| uppercase words separated with underscores except 6. This document | ||||
| changes those names to match others. | ||||
| This document requests IANA to rename following entries: | ||||
| +---------------------------------------+----------------------+ | ||||
| | Old name | New name | | ||||
| +---------------------------------------+----------------------+ | ||||
| | AES-GCM with a 8 octet ICV | ENCR_AES_GCM_8 | | ||||
| | AES-GCM with a 12 octet ICV | ENCR_AES_GCM_12 | | ||||
| | AES-GCM with a 16 octet ICV | ENCR_AES_GCM_16 | | ||||
| | ENCR_CAMELLIA_CCM with an 8-octet ICV | ENCR_CAMELLIA_CCM_8 | | ||||
| | ENCR_CAMELLIA_CCM with a 12-octet ICV | ENCR_CAMELLIA_CCM_12 | | ||||
| | ENCR_CAMELLIA_CCM with a 16-octet ICV | ENCR_CAMELLIA_CCM_16 | | ||||
| +---------------------------------------+----------------------+ | ||||
| In addition to add this RFC as reference to both ESP Reference and | ||||
| IKEv2 Reference columns for ENCR_AES_GCM entries, keeping the current | ||||
| references there also, and also add this RFC as reference to the ESP | ||||
| Reference column for ENCR_CAMELLIA_CCM entries, keeping the current | ||||
| reference there also. | ||||
| The final registry entries should be: | ||||
| Number Name ESP Reference IKEv2 Reference | ||||
| ... | ||||
| 18 ENCR_AES_GCM_8 [RFC4106][RFCXXXX] [RFC5282][RFCXXXX] | ||||
| 19 ENCR_AES_GCM_12 [RFC4106][RFCXXXX] [RFC5282][RFCXXXX] | ||||
| 20 ENCR_AES_GCM_16 [RFC4106][RFCXXXX] [RFC5282][RFCXXXX] | ||||
| ... | ||||
| 25 ENCR_CAMELLIA_CCM_8 [RFC5529][RFCXXXX] - | ||||
| 26 ENCR_CAMELLIA_CCM_12 [RFC5529][RFCXXXX] - | ||||
| 27 ENCR_CAMELLIA_CCM_16 [RFC5529][RFCXXXX] - | ||||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The first version of this document was RFC 4307 by Jeffrey I. | The first version of this document was RFC 4307 by Jeffrey I. | |||
| Schiller of the Massachusetts Institute of Technology (MIT). Much of | Schiller of the Massachusetts Institute of Technology (MIT). Much of | |||
| the original text has been copied verbatim. | the original text has been copied verbatim. | |||
| We would like to thank Paul Hoffman, Yaron Sheffer, John Mattsson and | We would like to thank Paul Hoffman, Yaron Sheffer, John Mattsson and | |||
| Tommy Pauly for their valuable feedback. | Tommy Pauly for their valuable feedback. | |||
| End of changes. 10 change blocks. | ||||
| 35 lines changed or deleted | 72 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||