idnits 2.17.1 draft-ietf-ipsec-esp-v3-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-25) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity. ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 78 instances of too long lines in the document, the longest one being 7 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 170: '...specific use and MUST NOT be sent on t...' RFC 2119 keyword, line 171: '...t implementation MAY use the zero SPI ...' RFC 2119 keyword, line 182: '...receiver, i.e., the sender MUST always...' RFC 2119 keyword, line 192: '...ter and the receiver's counter MUST be...' RFC 2119 keyword, line 202: '..., then this data MAY be carried explic...' (50 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 80 has weird spacing: '... before an en...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (2 October 1997) is 9702 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'IP' is mentioned on line 370, but not defined == Missing Reference: 'AH' is mentioned on line 370, but not defined == Missing Reference: 'ESP' is mentioned on line 370, but not defined == Unused Reference: 'Bel89' is defined on line 818, but no explicit reference was found in the text == Unused Reference: 'CERT95' is defined on line 828, but no explicit reference was found in the text == Unused Reference: 'DH95' is defined on line 833, but no explicit reference was found in the text == Unused Reference: 'IB93' is defined on line 836, but no explicit reference was found in the text == Unused Reference: 'ISO92' is defined on line 841, but no explicit reference was found in the text == Unused Reference: 'Ken91' is defined on line 851, but no explicit reference was found in the text == Unused Reference: 'NIST77' is defined on line 863, but no explicit reference was found in the text == Unused Reference: 'NIST80' is defined on line 867, but no explicit reference was found in the text == Unused Reference: 'NIST81' is defined on line 873, but no explicit reference was found in the text == Unused Reference: 'NIST88' is defined on line 878, but no explicit reference was found in the text == Unused Reference: 'Sch94' is defined on line 885, but no explicit reference was found in the text == Unused Reference: 'SDNS89' is defined on line 888, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1827 (ref. 'ATK95') (Obsoleted by RFC 2406) -- Possible downref: Non-RFC (?) normative reference: ref. 'Bel89' -- Possible downref: Non-RFC (?) normative reference: ref. 'Bel96' -- Possible downref: Non-RFC (?) normative reference: ref. 'CERT95' ** Obsolete normative reference: RFC 1883 (ref. 'DH95') (Obsoleted by RFC 2460) -- Possible downref: Non-RFC (?) normative reference: ref. 'IB93' -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO92' -- Possible downref: Non-RFC (?) normative reference: ref. 'KA97a' -- Possible downref: Non-RFC (?) normative reference: ref. 'KA97b' ** Downref: Normative reference to an Historic RFC: RFC 1108 (ref. 'Ken91') -- Possible downref: Non-RFC (?) normative reference: ref. 'MD97' -- Possible downref: Non-RFC (?) normative reference: ref. 'MG97a' -- Possible downref: Non-RFC (?) normative reference: ref. 'MG97b' -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST77' -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST80' -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST81' -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST88' -- Possible downref: Non-RFC (?) normative reference: ref. 'STD-2' -- Possible downref: Non-RFC (?) normative reference: ref. 'Sch94' -- Possible downref: Non-RFC (?) normative reference: ref. 'SDNS89' Summary: 14 errors (**), 0 flaws (~~), 17 warnings (==), 19 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Stephen Kent, BBN Corp 2 Internet Draft Randall Atkinson, @Home Network 3 draft-ietf-ipsec-esp-v3-00.txt 2 October 1997 5 IP Encapsulating Security Payload (ESP) 7 Status of This Memo 9 This document is an Internet Draft. Internet Drafts are working 10 documents of the Internet Engineering Task Force (IETF), its Areas, 11 and its working groups. Note that other groups may also distribute 12 working documents as Internet Drafts. 14 Internet Drafts are draft documents valid for a maximum of 6 months. 15 Internet Drafts may be updated, replaced, or obsoleted by other 16 documents at any time. It is not appropriate to use Internet Drafts 17 as reference material or to cite them other than as "work in 18 progress". 20 This particular Internet Draft is a product of the IETF's IPsec 21 working group. It is intended that a future version of this draft be 22 submitted to the IPng Area Directors and the IESG for possible 23 publication as a standards-track protocol. 25 Security Payload (ESP) 27 Table of Contents 29 1. Introduction......................................................3 30 2. Encapsulating Security Payload Packet Format......................4 31 2.1 Security Parameters Index....................................4 32 2.2 Sequence Number .............................................5 33 2.3 Payload Data.................................................5 34 2.4 Padding (for Encryption).....................................6 35 2.5 Pad Length...................................................7 36 2.6 Next Header..................................................7 37 2.7 Authentication Data..........................................7 38 3. Encapsulating Security Protocol Processing........................7 39 3.1 ESP Header Location..........................................7 40 3.2 Algorithms..................................................10 41 3.2.1 Encryption Algorithms..................................10 42 3.2.2 Authentication Algorithms..............................10 43 3.3 Outbound Packet Processing..................................11 44 3.3.1 Security Association Lookup............................11 45 3.3.2 Packet Encryption......................................11 46 3.3.3 Sequence Number Generation.............................12 47 3.3.4 Integrity Check Value Calculation......................12 48 3.3.5 Fragmentation..........................................13 49 3.4 Inbound Packet Processing...................................13 50 3.4.1 Reassembly.............................................13 51 3.4.2 Security Association Lookup............................13 52 3.4.3 Sequence Number Verification...........................14 53 3.4.4 Integrity Check Value Verification.....................15 54 3.4.5 Packet Decryption......................................15 55 4. Auditing.........................................................17 56 5. Conformance Requirements.........................................17 57 6. Security Considerations..........................................17 58 7. Differences from RFC 1827........................................18 59 Acknowledgements....................................................18 60 References..........................................................18 61 Disclaimer..........................................................20 62 Author Information..................................................20 63 Security Payload (ESP) 65 1. Introduction 67 The Encapsulating Security Payload (ESP) header is designed to 68 provide a mix of security services in IPv4 and IPv6. ESP may be 69 applied alone, in combination with the IP Authentication Header (AH) 70 [KA97b], or in a nested fashion, e.g., through the use of tunnel mode 71 (see 'Security Architecture for the Internet Protocol' [KA97a], 72 hereafter referred to as the Security Architecture document). 73 Security services can be provided between a pair of communicating 74 hosts, between a pair of communicating security gateways, or between 75 a security gateway and a host. For more details on how to use ESP 76 and AH in various network environments, see the Security Architecture 77 document [KA97a]. 79 The ESP header is inserted after the IP header and before the upper 80 layer protocol header (transport mode) or before an encapsulated IP 81 header (tunnel mode). These modes are described in more detail 82 below. 84 ESP is used to provide confidentiality, data origin authentication, 85 connectionless integrity, an anti-replay service (a form of partial 86 sequence integrity), and limited traffic flow confidentiality. The 87 set of services provided depends on options selected at the time of 88 Security Association establishment and on the placement of the 89 implementation. Confidentiality may be selected independent of all 90 other services. However, use of confidentiality without 91 integrity/authentication (either in ESP or separately in AH) may 92 subject traffic to certain forms of active attacks that could 93 undermine the confidentiality service (see [Bel96]. Data origin 94 authentication and connectionless integrity are joint services 95 (hereafter referred to jointly as 'authentication') and are offered as 96 an option in conjunction with confidentiality. The anti-replay 97 service may be selected only if data origin authentication is 98 selected, and its election is solely at the discretion of the 99 receiver. Traffic flow confidentiality requires selection of tunnel 100 mode, and is most effective if implemented at a security gateway, 101 where traffic aggregation may be able to mask true source-destination 102 patterns. 104 It is assumed that the reader is familiar with the terms and concepts 105 described in the Security Architecture document. In particular, the 106 reader should be familiar with the definitions of security services 107 offered by ESP and AH, the concept of Security Associations, the ways 108 in which ESP can be used in conjunction with the Authentication 109 Header (AH), and the different key management options available for 110 ESP and AH. (With regard to the last topic, the current key 111 management options required for both AH and ESP are manual keying and 112 Security Payload (ESP) 114 automated keying via Oakley/ISAKMP.) 116 2. Encapsulating Security Payload Packet Format 118 The protocol header (IPv4, IPv6, or Extension) immediately preceding the 119 ESP header will contain the value 50 in its Protocol (IPv4) or Next 120 Header (IPv6, Extension) field [STD-2]. 122 0 1 2 3 123 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 124 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- 125 | Security Parameters Index (SPI) | ^ 126 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Auth. 127 | Sequence Number | |Coverage 128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----- 129 | Payload Data* (variable) | | ^ 130 ~ ~ | | 131 | | | | 132 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Confid. 133 | | Padding (0-255 bytes) | |Coverage* 134 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 135 | | Pad Length | Next Header | v v 136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------- 137 | Authentication Data (variable) | 138 ~ ~ 139 | | 140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 142 * If included in the Payload field, cryptographic synchronization 143 data, e.g., an IV, usually is not encrypted per se, although it 144 often is referred to as being part of the ciphertext. 146 The following subsections define the fields in the header format. 147 "Optional" means that the field is omitted if the option is not 148 selected, i.e., it is present in neither the packet as transmitted 149 nor as formatted for computation of an ICV. Whether or not an option 150 is selected is defined as part of Security Association (SA) 151 establishment. Thus the format of ESP packets for a given SA is 152 fixed, for the duration of the SA. In contrast, "mandatory" fields 153 are always present in the ESP packet format, for all SAs. 155 2.1 Security Parameters Index 157 The SPI is an arbitrary 32-bit value that, in combination with the 158 destination IP address and security protocol, uniquely identifies the 159 Security Payload (ESP) 161 Security Association for this datagram. The set of SPI values in the 162 range 1 through 255 are reserved by the Internet Assigned Numbers 163 Authority (IANA) for future use; a reserved SPI value will not 164 normally be assigned by IANA unless the use of the assigned SPI value 165 is specified in an RFC. It is ordinarily selected by the destination 166 system upon establishment of an SA (see the Security Architecture 167 document for more details). The SPI field is mandatory. 169 The SPI value of zero (0) is reserved for local, implementation- 170 specific use and MUST NOT be sent on the wire. For example, a key 171 management implementation MAY use the zero SPI value to mean "No 172 Security Association Exists" during the period when the IPsec 173 implementation has requested that its key management entity establish 174 a new SA, but the SA has not yet been established. 176 2.2 Sequence Number 178 This unsigned 32-bit field contains a monotonically increasing 179 counter value (sequence number). It is mandatory and is always 180 present even if the receiver does not elect to enable the anti-replay 181 service for a specific SA. Processing of the Sequence Number field 182 is at the discretion of the receiver, i.e., the sender MUST always 183 transmit this field, but the receiver need not act upon it (see the 184 discussion of Sequence Number Verification in the "Inbound Packet 185 Processing" section below). 187 The sender's counter and the receiver's counter are initialized to 0 188 when an SA is established. (The first packet sent using a given SA 189 will have a Sequence Number of 1; see Section 3.3.3 for more details 190 on how the Sequence Number is generated.) If anti-replay has been 191 enabled, the transmitted Sequence Number must never be allowed to 192 cycle. Thus, the sender's counter and the receiver's counter MUST be 193 reset (by establishing a new SA and thus a new key) prior to the 194 transmission of the 2^32nd packet on an SA. 196 2.3 Payload Data 198 Payload Data is a variable-length field containing data described by 199 the Next Header field. The Payload Data field is mandatory and is an 200 integral number of bytes in length. If the algorithm used to encrypt 201 the payload requires cryptographic synchronization data, e.g., an 202 Initialization Vector (IV), then this data MAY be carried explicitly 203 in the Payload field. Any encryption algorithm that requires such 204 explicit, per-packet synchronization data MUST indicate the length, 205 any structure for such data, and the location of this data as part of 206 an RFC specifying how the algorithm is used with ESP. If such 207 synchronization data is implicit, the algorithm for deriving the data 208 Security Payload (ESP) 210 MUST be part of the RFC. 212 2.4 Padding (for Encryption) 214 Several factors require or motivate use of the Padding field. 216 If an encryption algorithm is employed that requires the 217 plaintext to be a multiple of some number of bytes, e.g., the 218 block size of a block cipher, the Padding field is used to fill 219 the plaintext (consisting of the Payload Data, Pad Length and 220 Next Header fields, as well as the Padding) to the size required 221 by the algorithm. 223 Padding also may be required, irrespective of encryption 224 algorithm requirements, to ensure that the resulting ciphertext 225 terminates on a 4-byte boundary. Specifically, the Pad Length 226 and Next Header fields must be right aligned within a 4-byte 227 word, as illustrated in the ESP packet format figure above. 229 Padding beyond that required for the algorithm or alignment 230 reasons cited above, may be used to conceal the actual length of 231 the payload, in support of (partial) traffic flow 232 confidentiality. However, inclusion of such additional padding 233 has adverse bandwidth implications and thus its use should be 234 undertaken with care. 236 The transmitter MAY add 0-255 bytes of padding. Inclusion of the 237 Padding field in an ESP packet is optional, but all implementations 238 MUST support generation and consumption of padding. 240 If Padding bytes are needed but the encryption algorithm does not 241 specify the padding contents, then the following default processing 242 MUST be used. The Padding bytes are initialized with a series of 243 (unsigned, 1-byte) integer values. The first padding byte appended 244 to the plaintext is numbered 1, with subsequent padding bytes making 245 up a monotonically increasing sequence: 1, 2, 3, ... When this 246 padding scheme is employed, the receiver SHOULD inspect the Padding 247 field. (This scheme was selected because of its relative simplicity, 248 ease of implementation in hardware, and because it offers limited 249 protection against certain forms of "cut and paste" attacks in the 250 absence of other integrity measures, if the receiver checks the 251 padding values upon decryption.) 253 Any encryption algorithm that requires Padding other than the default 254 described above, MUST define the Padding contents (e.g., zeros or 255 Security Payload (ESP) 257 random data) and any required receiver processing of these Padding 258 bytes in an RFC specifying how the algorithm is used with ESP. In 259 such circumstances, the content of the Padding field will be 260 determined by the encryption algorithm and mode selected and defined 261 in the corresponding algorithm RFC. The relevant algorithm RFC MAY 262 specify that a receiver MUST inspect the Padding field or that a 263 receiver MUST inform senders of how the receiver will handle the 264 Padding field. 266 2.5 Pad Length 268 The Pad Length field indicates the number of pad bytes immediately 269 preceding it. The range of valid values is 0-255, where a value of 270 zero indicates that no Padding bytes are present. The Pad Length 271 field is mandatory. 273 2.6 Next Header 275 The Next Header is an 8-bit field that identifies the type of data 276 contained in the Payload Data field, e.g., an extension header in 277 IPv6 or an upper layer protocol identifier. The value of this field 278 is chosen from the set of IP Protocol Numbers defined in the most 279 recent "Assigned Numbers" [STD-2] RFC from the Internet Assigned 280 Numbers Authority (IANA). The Next Header field is mandatory. 282 2.7 Authentication Data 284 The Authentication Data is a variable-length field containing an 285 Integrity Check Value (ICV) computed over the ESP packet minus the 286 Authentication Data. The length of the field depends upon the 287 authentication function selected. However, where the algorithm 288 yields more than 96 bits, the output of the computation is truncated 289 to the leftmost 96 bits. The Authentication Data field is optional, 290 and is included only if the authentication service has been selected 291 for the SA in question. 293 3. Encapsulating Security Protocol Processing 295 3.1 ESP Header Location 297 Like AH, ESP may be employed in two ways: transport mode or tunnel 298 mode. The former mode is applicable only to host implementations and 299 provides protection for upper layer protocols, but not the IP header. 300 (In this mode, note that for "bump-in-the-stack" or "bump-in-the- 301 wire" implementations, as defined in the Security Architecture 302 document, inbound and outbound IP fragments may require an IPsec 303 implementation to perform extra IP reassembly/fragmentation in order 304 Security Payload (ESP) 306 to both conform to this specification and provide transparent IPsec 307 support. Special care is required to perform such operations within 308 these implementations when multiple interfaces are in use.) 310 In transport mode, ESP is inserted after the IP header and before an 311 upper layer protocol, e.g., TCP, UDP, ICMP, etc. or before any other 312 IPsec headers that have already been inserted. In the context of 313 IPv4, this translates to placing ESP after the IP header (and any 314 options that it contains), but before the upper layer protocol. 315 (Note that the term "transport" mode should not be misconstrued as 316 restricting its use to TCP and UDP. For example, an ICMP message MAY 317 be sent using either "transport" mode or "tunnel" mode.) The 318 following diagram illustrates ESP transport mode positioning for a 319 typical IPv4 packet, on a "before and after" basis. (The "ESP 320 trailer" encompasses any Padding, plus the Pad Length, and Next 321 Header fields.) 323 BEFORE APPLYING ESP 324 ---------------------------- 325 IPv4 |orig IP hdr | | | 326 |(any options)| TCP | Data | 327 ---------------------------- 329 AFTER APPLYING ESP 330 ------------------------------------------------- 331 IPv4 |orig IP hdr | ESP | | | ESP | ESP| 332 |(any options)| Hdr | TCP | Data | Trailer |Auth| 333 ------------------------------------------------- 334 |<----- encrypted ---->| 335 |<------ authenticated ----->| 337 In the IPv6 context, ESP is viewed as an end-to-end payload, and thus 338 should appear after hop-by-hop, routing, and fragmentation extension 339 headers. The destination options extension header(s) could appear 340 either before or after the ESP header depending on the semantics 341 desired. However, since ESP protects only fields after the ESP 342 header, it generally may be desirable to place the destination 343 options header(s) after the ESP header. The following diagram 344 illustrates ESP transport mode positioning for a typical IPv6 packet. 346 Security Payload (ESP) 348 BEFORE APPLYING ESP 349 --------------------------------------- 350 IPv6 | | ext hdrs | | | 351 | orig IP hdr |if present| TCP | Data | 352 --------------------------------------- 354 AFTER APPLYING ESP 355 --------------------------------------------------------- 356 IPv6 | orig |hop-by-hop,dest*,| |dest| | | ESP | ESP| 357 |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer|Auth| 358 --------------------------------------------------------- 359 |<---- encrypted ---->| 360 |<---- authenticated ---->| 362 * = if present, could be before ESP, after ESP, or both 364 If more than one IPsec header/extension is required: 365 o the order of application of the security headers MUST be 366 defined by security policy 367 o The following 3 cases MUST be supported: 368 1. [IP][AH][upper] 369 2. [IP][ESP][upper] 370 3. [IP][AH][ESP][upper] 371 o arbitrary nesting is allowed -- Senders MAY generate 372 arbitrary nestings of IPsec headers and Receivers SHOULD 373 accept arbitrary nestings of IPsec headers. 375 Tunnel mode ESP may be employed in either hosts or security gateways. 376 When ESP is implemented in a security gateway (to protect subscriber 377 transit traffic), tunnel mode must be used. In tunnel mode, the 378 "inner" IP header carries the ultimate source and destination 379 addresses, while an "outer" IP header may contain distinct IP 380 addresses, e.g., addresses of security gateways. In tunnel mode, ESP 381 protects the entire inner IP packet, including the entire inner IP 382 header. The position of ESP in tunnel mode, relative to the outer IP 383 header, is the same as for ESP in transport mode. The following 384 diagram illustrates ESP tunnel mode positioning for typical IPv4 and 385 IPv6 packets. 387 Security Payload (ESP) 389 ----------------------------------------------------------- 390 IPv4 | new IP hdr* | | orig IP hdr* | | | ESP | ESP| 391 |(any options)| ESP | (any options) |TCP|Data|Trailer|Auth| 392 ----------------------------------------------------------- 393 |<--------- encrypted ---------->| 394 |<----------- authenticated ---------->| 396 --------------------------------------------------------------- 397 IPv6 | new* | ext hdrs*| | orig*| ext hdrs*| | | ESP | ESP| 398 |IP hdr|if present|ESP|IP hdr|if present|TCP|Data|Trailer|Auth| 399 --------------------------------------------------------------- 400 |<---------- encrypted ----------->| 401 |<----------- authenticated ---------->| 403 * = construction of outer IP hdr/extensions and modification 404 of inner IP hdr/extensions is discussed below. 406 3.2 Algorithms 408 The mandatory-to-implement algorithms are described in Section 5, 409 "Conformance Requirements". Other algorithms MAY be supported. 411 3.2.1 Encryption Algorithms 413 The encryption algorithm employed is specified by the SA. ESP is 414 designed for use with symmetric encryption algorithms. Because IP 415 packets may arrive out of order, each packet must carry any data 416 required to allow the receiver to establish cryptographic 417 synchronization for decryption. This data may be carried explicitly 418 in the payload field, e.g., as an IV (as described above), or the 419 data may be derived from the packet header. Since ESP makes 420 provision for padding of the plaintext, encryption algorithms 421 employed with ESP may exhibit either block or stream mode 422 characteristics. 424 3.2.2 Authentication Algorithms 426 The authentication algorithm employed for the ICV computation is 427 specified by the SA. For point-to-point communication, suitable 428 authentication algorithms include keyed Message Authentication Codes 429 (MACs) based on symmetric encryption algorithms (e.g., DES) or on 430 one-way hash functions (e.g., MD5 or SHA-1). For multicast 431 communication, one-way hash algorithms combined with asymmetric 432 signature algorithms are appropriate, though performance and space 433 considerations currently preclude use of such algorithms. Note: Where 434 an algorithm yields more than 96 bits, the output of the computation 435 Security Payload (ESP) 437 is truncated to the leftmost 96 bits. 439 3.3 Outbound Packet Processing 441 In transport mode, the transmitter encapsulates the upper layer 442 protocol information in the ESP header/trailer, and retains the 443 specified IP header (and any IP extension headers in the IPv6 444 context). In tunnel mode, the outer and inner IP header/extensions 445 can be inter-related in a variety of ways. The construction of the 446 outer IP header/extensions during the encapsulation process is 447 described in the Security Architecture document. If there is more 448 than one IPsec header/extension required by security policy, the 449 order of the application of the security headers MUST be defined by 450 security policy. 452 3.3.1 Security Association Lookup 454 ESP is applied to an outbound packet only after an IPsec 455 implementation determines that the packet is associated with an SA 456 that calls for ESP processing. The process of determining what, if 457 any, IPsec processing is applied to outbound traffic is described in 458 the Security Architecture document. 460 3.3.2 Packet Encryption 462 The transmitter: 463 1. encapsulates (into the ESP Payload field): 464 - for transport mode -- just the original upper layer 465 protocol information. 466 - for tunnel mode -- the entire original IP datagram. 467 2. adds any necessary padding. 468 3. encrypts the result (Payload Data, Padding, Pad Length, and 469 Next Header) using the key, encryption algorithm, algorithm 470 mode indicated by the SA and cryptographic synchronization 471 data (if any). 472 - If explicit cryptographic synchronization data, e.g., 473 an IV, is indicated, it is input to the decryption 474 algorithm per the algorithm specification and placed 475 in the Payload field. 476 - If implicit cryptographic synchronication data, e.g., 477 an IV, is indicated, it is constructed and input to 478 the decryption algorithm as per the algorithm 479 specification. 481 The exact steps for constructing the outer IP header depend on the 482 mode (transport or tunnel) and are described in the Security 483 Architecture document. 485 Security Payload (ESP) 487 If authentication is selected, encryption is performed first, before 488 the authentication, and the encryption does not encompass the 489 Authentication Data field. This order of processing facilitates 490 rapid detection and rejection of replayed or bogus packets by the 491 receiver, prior to decrypting the packet, hence potentially reducing 492 the impact of denial of service attacks. It also allows for the 493 possibility of parallel processing of packets at the receiver, i.e., 494 decryption can take place in parallel with authentication. Note that 495 since the Authentication Data is not protected by encryption, a keyed 496 authentication algorithm must be employed to compute the ICV. 498 3.3.3 Sequence Number Generation 500 The sender's counter is initialized to 0 when an SA is established. 501 The transmitter increments the Sequence Number for this SA and 502 inserts the new value into the Sequence Number field. Thus the first 503 packet sent using a given SA will have a Sequence Number of 1. 505 If anti-replay has been enabled, the transmitter checks to ensure 506 that the counter has not cycled before inserting the new value in the 507 Sequence Number field. In other words, the transmitter MUST NOT send 508 a packet on an SA if doing so would cause the Sequence Number to 509 cycle. An attempt to transmit a packet that would result in Sequence 510 Number overflow is an auditable event. (Note that this approach to 511 Sequence Number management does not require use of modular 512 arithmetic.) 514 If anti-replay has not been enabled, the sender does not need to 515 monitor or reset the counter, e.g., in the case of manual key 516 management. NOTE: If the receiver does NOT notify the sender that 517 anti-replay is enabled, then the sender may overflow the counter and 518 may send packets that the receiver will reject. 520 3.3.4 Integrity Check Value Calculation 522 If authentication is selected for the SA, the transmitter computes 523 the ICV over the ESP packet minus the Authentication Data. Thus the 524 SPI, Sequence Number, Payload Data, Padding (if present), Pad Length, 525 and Next Header are all encompassed by the ICV computation. Note 526 that the last 4 fields will be in ciphertext form, since encryption 527 is performed prior to authentication. 529 For some authentication algorithms, the byte string over which the 530 ICV computation is performed must be a multiple of a blocksize 531 specified by the algorithm. If the length of this byte string does 532 not match the blocksize requirements for the algorithm, implicit 533 padding MUST be appended to the end of the ESP packet, prior to ICV 534 Security Payload (ESP) 536 computation. The padding octets MUST have a value of zero. The 537 blocksize (and hence the length of the padding) is specified by the 538 algorithm specification. This padding is not transmitted with the 539 packet. 541 3.3.5 Fragmentation 543 If necessary, fragmentation is performed after ESP processing within 544 an IPsec implementation. Thus, transport mode ESP is applied only to 545 whole IP datagrams (not to IP fragments). An IP packet to which ESP 546 has been applied may itself be fragmented by routers en route, and 547 such fragments must be reassembled prior to ESP processing at a 548 receiver. In tunnel mode, ESP is applied to an IP packet, the 549 payload of which may be a fragmented IP packet. For example, a 550 security gateway or a "bump-in-the-stack" or "bump-in-the-wire" IPsec 551 implementation (as defined in the Security Architecture document) may 552 apply tunnel mode ESP to such fragments. 554 3.4 Inbound Packet Processing 556 3.4.1 Reassembly 558 If required, reassembly is performed prior to ESP processing. If a 559 packet offered to ESP for processing appears to be an IP fragment, 560 i.e., the OFFSET field is non-zero or the MORE FRAGMENTS flag is set, 561 the receiver MUST discard the packet; this is an auditable event. The 562 audit log entry for this event SHOULD include the SPI value, 563 date/time, Source Address, Destination Address, and (in IPv6) the 564 Flow ID. 566 3.4.2 Security Association Lookup 568 Upon receipt of a (reassembled) packet containing an ESP Header, the 569 receiver determines the appropriate (unidirectional) SA, based on the 570 destination IP address, security protocol (ESP), and the SPI. (This 571 process is described in more detail in the Security Architecture 572 document.) The SA indicates whether the Sequence Number field will 573 be checked, whether the Authentication Data field should be present, 574 and it will specify the algorithms and keys to be employed for 575 decryption and ICV computations (if applicable). 577 If no valid Security Association exists for this session (for 578 example, the receiver has no key), the receiver MUST discard the 579 packet; this is an auditable event. The audit log entry for this 580 event SHOULD include the SPI value, date/time, Source Address, 581 Destination Address, and (in IPv6) the cleartext Flow ID. 583 Security Payload (ESP) 585 3.4.3 Sequence Number Verification 587 All ESP implementations MUST support the anti-replay service, though 588 its use may be enabled or disabled on a per-SA basis. This service 589 MUST NOT be enabled unless the authentication service also is enabled 590 for the SA, since otherwise the Sequence Number field has not been 591 integrity protected. (Note that there are no provisions for managing 592 transmitted Sequence Number values among multiple senders directing 593 traffic to a single, multicast SA. Thus the anti-replay service 594 SHOULD NOT be used in a multi-sender multicast environment that 595 employs a single, multicast SA.) 597 If the receiver does not enable anti-replay for an SA, no checks are 598 performed on the inbound Sequence Number. If an SA establishment 599 protocol such as Oakley/ISAKMP is employed, then the receiver SHOULD 600 notify the transmitter, during SA establishment, if the receiver will 601 provide anti-replay protection. 603 If the receiver has enabled the anti-replay service for this SA, the 604 receive packet counter for the SA MUST be initialized to zero when 605 the SA is established. For each received packet, the receiver MUST 606 verify that the packet contains a Sequence Number that does not 607 duplicate the Sequence Number of any other packets received during 608 the life of this SA. This SHOULD be the first ESP check applied to a 609 packet after it has been matched to an SA, to speed rejection of 610 duplicate packets. 612 Duplicates are rejected through the use of a sliding receive window. 613 (How the window is implemented is a local matter, but the following 614 text describes the functionality that the implementation must 615 exhibit.) A MINIMUM window size of 32 MUST be supported; but a 616 window size of 64 is preferred and SHOULD be employed as the default. 617 Another window size (larger than the MINIMUM) MAY be chosen by the 618 receiver. (The receiver does NOT notify the sender of the window 619 size.) 621 The "right" edge of the window represents the highest, validated 622 Sequence Number value received on this SA. Packets that contain 623 Sequence Numbers lower than the "left" edge of the window are 624 rejected. Packets falling within the window are checked against a 625 list of received packets within the window. An efficient means for 626 performing this check, based on the use of a bit mask, is described 627 in the Security Architecture document. 629 If the received packet falls within the window and is new, or if the 630 packet is to the right of the window, then the receiver proceeds to 631 ICV verification. If the ICV validation fails, the receiver MUST 632 Security Payload (ESP) 634 discard the received IP datagram as invalid; this is an auditable 635 event. The audit log entry for this event SHOULD include the SPI 636 value, date/time, Source Address, Destination Address, the Sequence 637 Number, and (in IPv6) the Flow ID. The receive window is updated 638 only if the ICV verification succeeds. 640 DISCUSSION: 642 Note that if the packet is either inside the window and new, or is 643 outside the window on the "right" side, the receiver MUST 644 authenticate the packet before updating the Sequence Number window 645 data. 647 3.4.4 Integrity Check Value Verification 649 If authentication has been selected, the receiver computes the ICV 650 over the ESP packet minus the Authentication Data using the specified 651 authentication algorithm and verifies that it is the same as the ICV 652 included in the Authentication Data field of the packet. Details of 653 the computation are provided below. 655 If the computed and received ICV's match, then the datagram is valid, 656 and it is accepted. If the test fails, then the receiver MUST 657 discard the received IP datagram as invalid; this is an auditable 658 event. The log data SHOULD include the SPI value, date/time 659 received, Source Address, Destination Address, and (in IPv6) the 660 cleartext Flow ID. 662 DISCUSSION: 664 Begin by removing and saving the ICV value (Authentication Data 665 field). Next check the overall length of the ESP packet minus the 666 Authentication Data. If implicit padding is required, based on 667 the blocksize of the authentication algorithm, append zero-filled 668 bytes to the end of the ESP packet directly after the Next Header 669 field. Perform the ICV computation and compare the result with 670 the saved value. Note that if the output of the authentication 671 algorithm is greater than 96 bits, the output should be truncated 672 to the leftmost 96 bits. (If a digital signature and one-way hash 673 are used for the ICV computation, the matching process is more 674 complex and will be described in the algorithm specification.) 676 3.4.5 Packet Decryption 678 The receiver: 679 1. decrypts the ESP Payload Data, Padding, Pad Length, and Next 680 Security Payload (ESP) 682 Header using the key, encryption algorithm, algorithm mode, 683 and cryptographic synchronization data (if any), indicated by 684 the SA. 685 - If explicit cryptographic synchronization data, e.g., 686 an IV, is indicated, it is taken from the Payload 687 field and input to the decryption algorithm as per the 688 algorithm specification. 689 - If implicit cryptographic synchronization data, e.g., 690 an IV, is indicated, a local version of the IV is 691 constructed and input to the decryption algorithm as 692 per the algorithm specification. 693 2. removes/ignores any padding 694 3. reconstructs the original IP datagram from: 695 - for transport mode -- original IP header plus the 696 original upper layer protocol information in the ESP 697 Payload field 698 - for tunnel mode -- tunnel IP header + the entire IP 699 datagram in the ESP Payload field. 701 The exact steps for reconstructing the original datagram depend on 702 the mode (transport or tunnel) and are described in the Security 703 Architecture document. At a minimum, in an IPv6 context, the 704 receiver SHOULD ensure that the decrypted data is 8-byte aligned, to 705 facilitate processing by the protocol identified in the Next Header 706 field. 708 If authentication has been selected, ICV verification SHOULD be 709 performed before decryption. This order of processing facilitates 710 rapid detection and rejection of replayed or bogus packets by the 711 receiver, prior to decrypting the packet, hence potentially reducing 712 the impact of denial of service attacks. Note: The receiver MAY 713 start decryption in parallel with authentication, but care must be 714 taken to avoid possible race conditions with regard to packet access 715 and reconstruction of the decrypted packet. 717 Note that there are two ways in which the decryption can "fail". 718 o The selected SA may not be correct. 719 o The encrypted ESP packet could be corrupted. 721 The latter case would be detected if authentication is selected for 722 the SA, as would tampering with the SPI. However, an SA mismatch 723 might still occur due to tampering with the IP Destination Address. 724 In either case, the erroneous result of the decryption operation (an 725 invalid IP datagram or transport-layer frame) will not necessarily be 726 detected by IPsec, and is the responsibility of later protocol 727 processing. 729 Security Payload (ESP) 731 4. Auditing 733 Not all systems that implement ESP will implement auditing. However, 734 if ESP is incorporated into a system that supports auditing, then the 735 ESP implementation MUST also support auditing and MUST allow a system 736 administrator to enable or disable auditing for ESP. For the most 737 part, the granularity of auditing is a local matter. However, 738 several auditable events are identified in this specification and for 739 each of these events a minimum set of information that SHOULD be 740 included in an audit log is defined. Additional information also MAY 741 be included in the audit log for each of these events, and additional 742 events, not explicitly called out in this specification, also MAY 743 result in audit log entries. There is no requirement for the 744 receiver to transmit any message to the purported transmitter in 745 response to the detection of an auditable event, because of the 746 potential to induce denial of service via such action. 748 5. Conformance Requirements 750 Implementations that claim conformance or compliance with this 751 specification MUST implement the ESP syntax and processing described 752 here and MUST comply with all requirements of the Security 753 Architecture document. If the key used to compute an ICV is manually 754 distributed, correct provision of the anti-replay service would 755 require correct maintenance of the counter state at the transmitter, 756 until the key is replaced, and there likely would be no automated 757 recovery provision if counter overflow were imminent. Thus a 758 compliant implementation SHOULD NOT provide this service in 759 conjunction with SAs that are manually keyed. A compliant ESP 760 implementation MUST support the following mandatory-to-implement 761 algorithms: 763 - DES in CBC mode [MD97] 764 - HMAC with MD5 [MG97a] 765 - HMAC with SHA-1 [MG97b] 767 6. Security Considerations 769 Security is central to the design of this protocol, and thus security 770 considerations permeate the specification. Additional security- 771 relevant aspects of using the IPsec protocol are discussed in the 772 Security Architecture document. 774 Security Payload (ESP) 776 7. Differences from RFC 1827 778 This document differs from RFC 1827 [ATK95] in several significant 779 ways. The major difference is that, this document attempts to 780 specify a complete framework and context for ESP, whereas RFC 1827 781 provided a "shell" that was completed through the definition of 782 transforms. The combinatorial growth of transforms motivated the 783 reformulation of the ESP specification as a more complete document, 784 with options for security services that may be offered in the context 785 of ESP. Thus, fields previously defined in transform documents are 786 now part of this base ESP specification. For example, the fields 787 necessary to support authentication (and anti-replay) are now defined 788 here, even though the provision of this service is an option. The 789 fields used to support padding for encryption, and for next protocol 790 identification, are now defined here as well. Packet processing 791 consistent with the definition of these fields also is included in 792 the document. 794 Acknowledgements 796 Many of the concepts embodied in this specification were derived from 797 or influenced by the US Government's SP3 security protocol, ISO/IEC's 798 NLSP, or from the proposed swIPe security protocol. [SDNS89, ISO92, 799 IB93]. 801 For over 2 years, this document has evolved through multiple versions 802 and iterations. During this time, many people have contributed 803 significant ideas and energy to the process and the documents 804 themselves. The authors would like to thank Karen Seo for providing 805 extensive help in the review, editing, background research, and 806 coordination for this version of the specification. The authors 807 would also like to thank the members of the IPSEC and IPng working 808 groups, with special mention of the efforts of (in alphabetic order): 809 Steve Bellovin, Steve Deering, Phil Karn, Perry Metzger, David 810 Mihelcic, Hilarie Orman, Norman Shulman, William Simpson and Nina 811 Yuan. 813 References 815 [ATK95] R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 816 1827, August 1997. 818 [Bel89] Steven M. Bellovin, "Security Problems in the TCP/IP 819 Protocol Suite", ACM Computer Communications Review, Vol. 820 19, No. 2, March 1989. 822 Security Payload (ESP) 824 [Bel96] Steven M. Bellovin, "Problem Areas for the IP Security 825 Protocols", Proceedings of the Sixth Usenix Unix Security 826 Symposium, July, 1996. 828 [CERT95] Computer Emergency Response Team (CERT), "IP Spoofing 829 Attacks and Hijacked Terminal Connections", CA-95:01, 830 January 1995. Available via anonymous ftp from 831 info.cert.org. 833 [DH95] Steve Deering & Robert Hinden, Internet Protocol Version 6 834 (IPv6) Specification, RFC 1883, December 1995. 836 [IB93] John Ioannidis & Matt Blaze, "Architecture and 837 Implementation of Network-layer Security Under Unix", 838 Proceedings of the USENIX Security Symposium, Santa Clara, 839 CA, October 1993. 841 [ISO92] ISO/IEC JTC1/SC6, Network Layer Security Protocol, ISO-IEC 842 DIS 11577, International Standards Organisation, Geneva, 843 Switzerland, 29 November 1992. 845 [KA97a] Steve Kent, Randall Atkinson, "Security Architecture for 846 the Internet Protocol", Internet Draft, ?? 1997. 848 [KA97b] Steve Kent, Randall Atkinson, "IP Authentication Header", 849 Internet Draft, ?? 1997. 851 [Ken91] Steve Kent, "US DoD Security Options for the Internet 852 Protocol (IPSO)", RFC-1108, November 1991. 854 [MD97] C. Madson & N. Doraswamy, "The ESP DES-CBC Cipher Algorithm 855 With Explicit IV", Internet Draft, 07/02/1997." 857 [MG97a] C. Madson & R. Glenn, "The Use of HMAC-MD5-96 within ESP 858 and AH", Internet Draft, 7/2/97. 860 [MG97b] C. Madson & R. Glenn, "The Use of HMAC-SHA-1-96 within ESP 861 and AH", Internet Draft, 7/2/97. 863 [NIST77] US National Bureau of Standards, "Data Encryption 864 Standard", Federal Information Processing Standard (FIPS) 865 Publication 46, January 1977. 867 [NIST80] US National Bureau of Standards, "DES Modes of Operation" 868 Federal Information Processing Standard (FIPS) Publication 869 81, December 1980. 871 Security Payload (ESP) 873 [NIST81] US National Bureau of Standards, "Guidelines for 874 Implementing and Using the Data Encryption Standard", 875 Federal Information Processing Standard (FIPS) Publication 876 74, April 1981. 878 [NIST88] US National Bureau of Standards, "Data Encryption 879 Standard", Federal Information Processing Standard (FIPS) 880 Publication 46-1, January 1988. 882 [STD-2] J. Reynolds and J. Postel, "Assigned Numbers", STD-2, 20 883 October 1994. 885 [Sch94] Bruce Schneier, Applied Cryptography, John Wiley & Sons, 886 New York, NY, 1994. ISBN 0-471-59756-2 888 [SDNS89] SDNS Secure Data Network System, Security Protocol 3, SP3, 889 Document SDN.301, Revision 1.5, 15 May 1989, as published 890 in NIST Publication NIST-IR-90-4250, February 1990. 892 Disclaimer 894 The views and specification here are those of the authors and are not 895 necessarily those of their employers. The authors and their 896 employers specifically disclaim responsibility for any problems 897 arising from correct or incorrect implementation or use of this 898 specification. 900 Author Information 902 Stephen Kent 903 BBN Corporation 904 70 Fawcett Street 905 Cambridge, MA 02140 906 USA 907 E-mail: kent@bbn.com 908 Telephone: +1 (617) 873-3988 910 Randall Atkinson 911 @Home Network 912 425 Broadway, 913 Redwood City, CA 94063 914 USA 915 E-mail: rja@inet.org