< draft-ietf-ipsecme-rfc4307bis-12.txt   draft-ietf-ipsecme-rfc4307bis-13.txt >
Network Working Group Y. Nir Network Working Group Y. Nir
Internet-Draft Check Point Internet-Draft Check Point
Obsoletes: 4307 (if approved) T. Kivinen Obsoletes: 4307 (if approved) T. Kivinen
Updates: 7296 (if approved) INSIDE Secure Updates: 7296 (if approved) INSIDE Secure
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: March 13, 2017 Red Hat Expires: March 16, 2017 Red Hat
D. Migault D. Migault
Ericsson Ericsson
September 9, 2016 September 12, 2016
Algorithm Implementation Requirements and Usage Guidance for IKEv2 Algorithm Implementation Requirements and Usage Guidance for IKEv2
draft-ietf-ipsecme-rfc4307bis-12 draft-ietf-ipsecme-rfc4307bis-13
Abstract Abstract
The IPsec series of protocols makes use of various cryptographic The IPsec series of protocols makes use of various cryptographic
algorithms in order to provide security services. The Internet Key algorithms in order to provide security services. The Internet Key
Exchange (IKE) protocol is used to negotiate the IPsec Security Exchange (IKE) protocol is used to negotiate the IPsec Security
Association (IPsec SA) parameters, such as which algorithms should be Association (IPsec SA) parameters, such as which algorithms should be
used. To ensure interoperability between different implementations, used. To ensure interoperability between different implementations,
it is necessary to specify a set of algorithm implementation it is necessary to specify a set of algorithm implementation
requirements and usage guidance to ensure that there is at least one requirements and usage guidance to ensure that there is at least one
algorithm that all implementations support. This document defines algorithm that all implementations support. This document updates
the current algorithm implementation requirements and usage guidance RFC 7296 and obsoletes RFC 4307 in defining the current algorithm
for IKEv2 and does minor cleaning up of IKEv2 IANA registry. This implementation requirements and usage guidance for IKEv2, and does
document does not update the algorithms used for packet encryption minor cleaning up of the IKEv2 IANA registry. This document does not
using IPsec Encapsulated Security Payload (ESP). update the algorithms used for packet encryption using IPsec
Encapsulated Security Payload (ESP).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 13, 2017. This Internet-Draft will expire on March 16, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 27 skipping to change at page 4, line 27
downgraded from MUST to MUST- or SHOULD, instead of MUST NOT. downgraded from MUST to MUST- or SHOULD, instead of MUST NOT.
Similarly, an algorithm that has not been mentioned as mandatory-to- Similarly, an algorithm that has not been mentioned as mandatory-to-
implement is expected to be introduced with a SHOULD instead of a implement is expected to be introduced with a SHOULD instead of a
MUST. MUST.
The current trend toward Internet of Things and its adoption of IKEv2 The current trend toward Internet of Things and its adoption of IKEv2
requires this specific use case to be taken into account as well. requires this specific use case to be taken into account as well.
IoT devices are resource constrained devices and their choice of IoT devices are resource constrained devices and their choice of
algorithms are motivated by minimizing the footprint of the code, the algorithms are motivated by minimizing the footprint of the code, the
computation effort and the size of the messages to send. This computation effort and the size of the messages to send. This
document indicates "[IoT]" when a specified algorithm is specifically document indicates "(IoT)" when a specified algorithm is specifically
listed for IoT devices. Requirement levels that are marked as "IoT" listed for IoT devices. Requirement levels that are marked as "IoT"
apply to IoT devices and to server-side implementations that might apply to IoT devices and to server-side implementations that might
presumably need to interoperate with them, including any general- presumably need to interoperate with them, including any general-
purpose VPN gateways. purpose VPN gateways.
1.3. Document Audience 1.3. Document Audience
The recommendations of this document mostly target IKEv2 implementers The recommendations of this document mostly target IKEv2 implementers
as implementations need to meet both high security expectations as as implementations need to meet both high security expectations as
well as high interoperability between various vendors and with well as high interoperability between various vendors and with
skipping to change at page 6, line 8 skipping to change at page 6, line 8
and used for the Encrypted Payload. References to the specification and used for the Encrypted Payload. References to the specification
defining these algorithms and the ones in the following subsections defining these algorithms and the ones in the following subsections
are in the IANA registry [IKEV2-IANA]. Some of these algorithms are are in the IANA registry [IKEV2-IANA]. Some of these algorithms are
Authenticated Encryption with Associated Data (AEAD - [RFC5282]). Authenticated Encryption with Associated Data (AEAD - [RFC5282]).
Algorithms that are not AEAD MUST be used in conjunction with an Algorithms that are not AEAD MUST be used in conjunction with an
integrity algorithms in Section 3.3. integrity algorithms in Section 3.3.
+------------------------+----------+-------+---------+ +------------------------+----------+-------+---------+
| Name | Status | AEAD? | Comment | | Name | Status | AEAD? | Comment |
+------------------------+----------+-------+---------+ +------------------------+----------+-------+---------+
| ENCR_AES_CBC | MUST | No | [1] | | ENCR_AES_CBC | MUST | No | (1) |
| ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | |
| ENCR_AES_GCM_16 | SHOULD | Yes | [1] | | ENCR_AES_GCM_16 | SHOULD | Yes | (1) |
| ENCR_AES_CCM_8 | SHOULD | Yes | [IoT] | | ENCR_AES_CCM_8 | SHOULD | Yes | (IoT) |
| ENCR_3DES | MAY | No | | | ENCR_3DES | MAY | No | |
| ENCR_DES | MUST NOT | No | | | ENCR_DES | MUST NOT | No | |
+------------------------+----------+-------+---------+ +------------------------+----------+-------+---------+
[1] - This requirement level is for 128-bit and 256-bit keys. (1) - This requirement level is for 128-bit and 256-bit keys.
192-bit keys remain at MAY level. [IoT] - This requirement is for 192-bit keys remain at MAY level. (IoT) - This requirement is for
interoperability with IoT. Only 128-bit keys are at MUST level. interoperability with IoT. Only 128-bit keys are at MUST level.
192-bit and 256-bit keys are at the MAY level. 192-bit and 256-bit keys are at the MAY level.
ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the ENCR_AES_CBC is raised from SHOULD+ in [RFC4307] to MUST. It is the
only shared mandatory-to-implement algorithm with RFC4307 and as a only shared mandatory-to-implement algorithm with RFC4307 and as a
result it is necessary for interoperability with IKEv2 implementation result it is necessary for interoperability with IKEv2 implementation
compatible with RFC4307. compatible with RFC4307.
ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of
RFC4307. It has been recommended by the CRFG and others as an RFC4307. It has been recommended by the CRFG and others as an
skipping to change at page 7, line 33 skipping to change at page 7, line 33
If an algorithm is selected as the integrity algorithm, it SHOULD If an algorithm is selected as the integrity algorithm, it SHOULD
also be used as the PRF. When using an AEAD cipher, a choice of PRF also be used as the PRF. When using an AEAD cipher, a choice of PRF
needs to be made. The table below lists the recommended algorithms. needs to be made. The table below lists the recommended algorithms.
+-------------------+----------+---------+ +-------------------+----------+---------+
| Name | Status | Comment | | Name | Status | Comment |
+-------------------+----------+---------+ +-------------------+----------+---------+
| PRF_HMAC_SHA2_256 | MUST | | | PRF_HMAC_SHA2_256 | MUST | |
| PRF_HMAC_SHA2_512 | SHOULD+ | | | PRF_HMAC_SHA2_512 | SHOULD+ | |
| PRF_HMAC_SHA1 | MUST- | | | PRF_HMAC_SHA1 | MUST- | |
| PRF_AES128_XCBC | SHOULD | [IoT] | | PRF_AES128_XCBC | SHOULD | (IoT) |
| PRF_HMAC_MD5 | MUST NOT | | | PRF_HMAC_MD5 | MUST NOT | |
+-------------------+----------+---------+ +-------------------+----------+---------+
[IoT] - This requirement is for interoperability with IoT (IoT) - This requirement is for interoperability with IoT
PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based PRF_HMAC_SHA2_256 was not mentioned in RFC4307, as no SHA2 based
transforms were mentioned. PRF_HMAC_SHA2_256 MUST be implemented in transforms were mentioned. PRF_HMAC_SHA2_256 MUST be implemented in
order to replace SHA1 and PRF_HMAC_SHA1. order to replace SHA1 and PRF_HMAC_SHA1.
PRF_HMAC_SHA2_512 SHOULD be implemented as a future replacement for PRF_HMAC_SHA2_512 SHOULD be implemented as a future replacement for
PRF_HMAC_SHA2_256 or when stronger security is required. PRF_HMAC_SHA2_256 or when stronger security is required.
PRF_HMAC_SHA2_512 is preferred over PRF_HMAC_SHA2_384, as the PRF_HMAC_SHA2_512 is preferred over PRF_HMAC_SHA2_384, as the
additional overhead of PRF_HMAC_SHA2_512 is negligible. additional overhead of PRF_HMAC_SHA2_512 is negligible.
skipping to change at page 8, line 31 skipping to change at page 8, line 31
defining these algorithms are in the IANA registry. When an AEAD defining these algorithms are in the IANA registry. When an AEAD
algorithm (see Section 3.1) is proposed, this algorithm transform algorithm (see Section 3.1) is proposed, this algorithm transform
type is not in use. type is not in use.
+------------------------+----------+---------+ +------------------------+----------+---------+
| Name | Status | Comment | | Name | Status | Comment |
+------------------------+----------+---------+ +------------------------+----------+---------+
| AUTH_HMAC_SHA2_256_128 | MUST | | | AUTH_HMAC_SHA2_256_128 | MUST | |
| AUTH_HMAC_SHA2_512_256 | SHOULD | | | AUTH_HMAC_SHA2_512_256 | SHOULD | |
| AUTH_HMAC_SHA1_96 | MUST- | | | AUTH_HMAC_SHA1_96 | MUST- | |
| AUTH_AES_XCBC_96 | SHOULD | [IoT] | | AUTH_AES_XCBC_96 | SHOULD | (IoT) |
| AUTH_HMAC_MD5_96 | MUST NOT | | | AUTH_HMAC_MD5_96 | MUST NOT | |
| AUTH_DES_MAC | MUST NOT | | | AUTH_DES_MAC | MUST NOT | |
| AUTH_KPDK_MD5 | MUST NOT | | | AUTH_KPDK_MD5 | MUST NOT | |
+------------------------+----------+---------+ +------------------------+----------+---------+
[IoT] - This requirement is for interoperability with IoT (IoT) - This requirement is for interoperability with IoT
AUTH_HMAC_SHA2_256_128 was not mentioned in RFC4307, as no SHA2 based AUTH_HMAC_SHA2_256_128 was not mentioned in RFC4307, as no SHA2 based
transforms were mentioned. AUTH_HMAC_SHA2_256_128 MUST be transforms were mentioned. AUTH_HMAC_SHA2_256_128 MUST be
implemented in order to replace AUTH_HMAC_SHA1_96. implemented in order to replace AUTH_HMAC_SHA1_96.
AUTH_HMAC_SHA2_512_256 SHOULD be implemented as a future replacement AUTH_HMAC_SHA2_512_256 SHOULD be implemented as a future replacement
of AUTH_HMAC_SHA2_256_128 or when stronger security is required. of AUTH_HMAC_SHA2_256_128 or when stronger security is required.
This value has been preferred over AUTH_HMAC_SHA2_384, as the This value has been preferred over AUTH_HMAC_SHA2_384, as the
additional overhead of AUTH_HMAC_SHA2_512 is negligible. additional overhead of AUTH_HMAC_SHA2_512 is negligible.
skipping to change at page 9, line 19 skipping to change at page 9, line 19
in RFC4307 so their default status ware MAY. They have been in RFC4307 so their default status ware MAY. They have been
downgraded to MUST NOT. There is an industry-wide trend to deprecate downgraded to MUST NOT. There is an industry-wide trend to deprecate
DES and MD5. MD5 support is being removed from cryptographic DES and MD5. MD5 support is being removed from cryptographic
libraries in general because its non-HMAC use is known to be subject libraries in general because its non-HMAC use is known to be subject
to collision attacks, for example as mentioned in [TRANSCRIPTION]. to collision attacks, for example as mentioned in [TRANSCRIPTION].
3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms 3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms
There are several Modular Exponential (MODP) groups and several There are several Modular Exponential (MODP) groups and several
Elliptic Curve groups (ECC) that are defined for use in IKEv2. These Elliptic Curve groups (ECC) that are defined for use in IKEv2. These
groups are defined in both the [IKEv2] base document and in groups are defined in both the [RFC7296] base document and in
extensions documents and are identified by group number. Note that extensions documents and are identified by group number. Note that
it is critical to enforce a secure Diffie-Hellman exchange as this it is critical to enforce a secure Diffie-Hellman exchange as this
exchange provides keys for the session. If an attacker can retrieve exchange provides keys for the session. If an attacker can retrieve
the private numbers (a, or b) and the public values (g**a, and g**b), the private numbers (a, or b) and the public values (g**a, and g**b),
then the attacker can compute the secret and the keys used and then the attacker can compute the secret and the keys used and
decrypt the exchange and IPsec SA created inside the IKEv2 SA. Such decrypt the exchange and IPsec SA created inside the IKEv2 SA. Such
an attack can be performed off-line on a previously recorded an attack can be performed off-line on a previously recorded
communication, years after the communication happened. This differs communication, years after the communication happened. This differs
from attacks that need to be executed during the authentication which from attacks that need to be executed during the authentication which
must be performed online and in near real-time. must be performed online and in near real-time.
skipping to change at page 11, line 8 skipping to change at page 11, line 8
3.5. Summary of Changes from RFC 4307 3.5. Summary of Changes from RFC 4307
The following table summarizes the changes from RFC 4307. The following table summarizes the changes from RFC 4307.
RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH AND REPLACE XXXX IN THE RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH AND REPLACE XXXX IN THE
TABLE BELOW WITH THE NUMBER OF THIS RFC TABLE BELOW WITH THE NUMBER OF THIS RFC
+---------------------+------------------+------------+ +---------------------+------------------+------------+
| Algorithm | RFC 4307 | RFC XXXX | | Algorithm | RFC 4307 | RFC XXXX |
+---------------------+------------------+------------+ +---------------------+------------------+------------+
| ENCR_3DES | MUST- | MAY | | ENCR_3DES | MUST- | MAY |
| ENCR_NULL | MUST NOT[errata] | (*) | | ENCR_NULL | MUST NOT[errata] | MUST NOT |
| ENCR_AES_CBC | SHOULD+ | MUST | | ENCR_AES_CBC | SHOULD+ | MUST |
| ENCR_AES_CTR | SHOULD | (*) | | ENCR_AES_CTR | SHOULD | (*) |
| PRF_HMAC_MD5 | MAY | MUST NOT | | PRF_HMAC_MD5 | MAY | MUST NOT |
| PRF_HMAC_SHA1 | MUST | MUST- | | PRF_HMAC_SHA1 | MUST | MUST- |
| PRF_AES128_XCBC | SHOULD+ | SHOULD | | PRF_AES128_XCBC | SHOULD+ | SHOULD |
| AUTH_HMAC_MD5_96 | MAY | MUST NOT | | AUTH_HMAC_MD5_96 | MAY | MUST NOT |
| AUTH_HMAC_SHA1_96 | MUST | MUST- | | AUTH_HMAC_SHA1_96 | MUST | MUST- |
| AUTH_AES_XCBC_96 | SHOULD+ | SHOULD | | AUTH_AES_XCBC_96 | SHOULD+ | SHOULD |
| Group 2 (1024-bit) | MUST- | SHOULD NOT | | Group 2 (1024-bit) | MUST- | SHOULD NOT |
| Group 14 (2048-bit) | SHOULD+ | MUST | | Group 14 (2048-bit) | SHOULD+ | MUST |
+---------------------+------------------+------------+ +---------------------+------------------+------------+
(*) These algorithms are not mentioned in the above sections, so they (*) This algorithm is not mentioned in the above sections, so it
default to MAY. defaults to MAY.
4. IKEv2 Authentication 4. IKEv2 Authentication
IKEv2 authentication may involve a signatures verification. IKEv2 authentication may involve a signatures verification.
Signatures may be used to validate a certificate or to check the Signatures may be used to validate a certificate or to check the
signature of the AUTH value. Cryptographic recommendations regarding signature of the AUTH value. Cryptographic recommendations regarding
certificate validation are out of scope of this document. What is certificate validation are out of scope of this document. What is
mandatory to implement is provided by the PKIX Community. This mandatory to implement is provided by the PKIX Community. This
document is mostly concerned on signature verification and generation document is mostly concerned on signature verification and generation
for the authentication. for the authentication.
skipping to change at page 15, line 14 skipping to change at page 15, line 14
7. IANA Considerations 7. IANA Considerations
This document renames some of the names in the "Transform Type 1 - This document renames some of the names in the "Transform Type 1 -
Encryption Algorithm Transform IDs" registry of the "Internet Key Encryption Algorithm Transform IDs" registry of the "Internet Key
Exchange Version 2 (IKEv2) Parameters". All the other names have Exchange Version 2 (IKEv2) Parameters". All the other names have
ENCR_ prefix except 3, and all other entries use names in format of ENCR_ prefix except 3, and all other entries use names in format of
uppercase words separated with underscores except 6. This document uppercase words separated with underscores except 6. This document
changes those names to match others. changes those names to match others.
This document requests IANA to rename following entries: This document requests IANA to rename following entries for the AES-
GCM cipher [RFC4106] and the Camellia cipher [RFC5529]:
+---------------------------------------+----------------------+ +---------------------------------------+----------------------+
| Old name | New name | | Old name | New name |
+---------------------------------------+----------------------+ +---------------------------------------+----------------------+
| AES-GCM with a 8 octet ICV | ENCR_AES_GCM_8 | | AES-GCM with a 8 octet ICV | ENCR_AES_GCM_8 |
| AES-GCM with a 12 octet ICV | ENCR_AES_GCM_12 | | AES-GCM with a 12 octet ICV | ENCR_AES_GCM_12 |
| AES-GCM with a 16 octet ICV | ENCR_AES_GCM_16 | | AES-GCM with a 16 octet ICV | ENCR_AES_GCM_16 |
| ENCR_CAMELLIA_CCM with an 8-octet ICV | ENCR_CAMELLIA_CCM_8 | | ENCR_CAMELLIA_CCM with an 8-octet ICV | ENCR_CAMELLIA_CCM_8 |
| ENCR_CAMELLIA_CCM with a 12-octet ICV | ENCR_CAMELLIA_CCM_12 | | ENCR_CAMELLIA_CCM with a 12-octet ICV | ENCR_CAMELLIA_CCM_12 |
| ENCR_CAMELLIA_CCM with a 16-octet ICV | ENCR_CAMELLIA_CCM_16 | | ENCR_CAMELLIA_CCM with a 16-octet ICV | ENCR_CAMELLIA_CCM_16 |
skipping to change at page 17, line 5 skipping to change at page 17, line 10
[RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman [RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman
Tests for the Internet Key Exchange Protocol Version 2 Tests for the Internet Key Exchange Protocol Version 2
(IKEv2)", RFC 6989, DOI 10.17487/RFC6989, July 2013, (IKEv2)", RFC 6989, DOI 10.17487/RFC6989, July 2013,
<http://www.rfc-editor.org/info/rfc6989>. <http://www.rfc-editor.org/info/rfc6989>.
[RFC7815] Kivinen, T., "Minimal Internet Key Exchange Version 2 [RFC7815] Kivinen, T., "Minimal Internet Key Exchange Version 2
(IKEv2) Initiator Implementation", RFC 7815, (IKEv2) Initiator Implementation", RFC 7815,
DOI 10.17487/RFC7815, March 2016, DOI 10.17487/RFC7815, March 2016,
<http://www.rfc-editor.org/info/rfc7815>. <http://www.rfc-editor.org/info/rfc7815>.
[RFC5529] Kato, A., Kanda, M., and S. Kanno, "Modes of Operation for
Camellia for Use with IPsec", RFC 5529,
DOI 10.17487/RFC5529, April 2009,
<http://www.rfc-editor.org/info/rfc5529>.
[IKEV2-IANA] [IKEV2-IANA]
"Internet Key Exchange Version 2 (IKEv2) Parameters", "Internet Key Exchange Version 2 (IKEv2) Parameters",
<http://www.iana.org/assignments/ikev2-parameters>. <http://www.iana.org/assignments/ikev2-parameters>.
[TRANSCRIPTION] [TRANSCRIPTION]
Bhargavan, K. and G. Leurent, "Transcript Collision Bhargavan, K. and G. Leurent, "Transcript Collision
Attacks: Breaking Authentication in TLS, IKE, and SSH", Attacks: Breaking Authentication in TLS, IKE, and SSH",
NDSS , feb 2016. NDSS , feb 2016.
[IEEE-802-15-4] [IEEE-802-15-4]
 End of changes. 18 change blocks. 
24 lines changed or deleted 31 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/