idnits 2.17.1 draft-ietf-ipsecme-ikev1-algo-to-historic-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC8247, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC7296, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC8221, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (27 April 2021) is 1088 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2407 (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2408 (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306) ** Downref: Normative reference to an Informational RFC: RFC 3740 ** Obsolete normative reference: RFC 4306 (Obsoleted by RFC 5996) Summary: 5 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network P. Wouters, Ed. 3 Internet-Draft No Hats 4 Updates: 7296, 8221, 8247 (if approved) 27 April 2021 5 Intended status: Standards Track 6 Expires: 29 October 2021 8 Deprecation of IKEv1 and obsoleted algorithms 9 draft-ietf-ipsecme-ikev1-algo-to-historic-00 11 Abstract 13 Internet Key Exchange version 1 (IKEv1) is deprecated. Accordingly, 14 IKEv1 has been moved to Historic status. A number of old algorithms 15 that are associated with IKEv1, and not widely implemented for IKEv2 16 are deprecated as well. This document adds a Status column to the 17 IANA IKEv2 Transform Type registries. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on 29 October 2021. 36 Copyright Notice 38 Copyright (c) 2021 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 43 license-info) in effect on the date of publication of this document. 44 Please review these documents carefully, as they describe your rights 45 and restrictions with respect to this document. Code Components 46 extracted from this document must include Simplified BSD License text 47 as described in Section 4.e of the Trust Legal Provisions and are 48 provided without warranty as described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 54 3. RFC 2409 to Historic . . . . . . . . . . . . . . . . . . . . 3 55 4. IKEv1 feature equivalents for IKEv2 . . . . . . . . . . . . . 3 56 4.1. IKEv2 postquantum support . . . . . . . . . . . . . . . . 3 57 4.2. IKEv2 Labeled IPsec support . . . . . . . . . . . . . . . 4 58 4.3. IKEv2 Group SA / Multicast support . . . . . . . . . . . 4 59 5. Deprecating obsolete algorithms . . . . . . . . . . . . . . . 4 60 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 61 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 62 8. Normative References . . . . . . . . . . . . . . . . . . . . 6 63 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 65 1. Introduction 67 IKEv1 [RFC2409] and its related documents for ISAKMP [RFC2408] and 68 IPsec DOI [RFC2407] were obsoleted by IKEv2 [RFC4306] in December 69 2005. The latest version of IKEv2 at the time of writing was 70 published in 2014 in [RFC7296]. The Internet Key Exchange (IKE) 71 version 2 has replaced version 1 over 15 years ago. IKEv2 has now 72 seen wide deployment and provides a full replacement for all IKEv1 73 functionality. No new modifications or new algorithms have been 74 accepted for IKEv1 for at least a decade. IKEv2 addresses various 75 issues present in IKEv1, such as IKEv1 being vulnerable to 76 amplification attacks. IKEv1 has been moved to Historic status. 78 Algorithm implementation requirements and usage guidelines for IKEv2 79 [RFC8247] and ESP/AH [RFC8223] gives guidance to implementors but 80 limits that guidance to avoid broken or weak algorithms. It does not 81 deprecate algorithms that have aged and are not in use, but leave 82 these algorithms in a state of "MAY be used". This document 83 deprecates those algorithms that are no longer advised but for which 84 there are no known attacks resulting in their earlier deprecation. 86 2. Requirements Language 88 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 89 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 90 "OPTIONAL" in this document are to be interpreted as described in BCP 91 14 [RFC2119] [RFC8174] when, and only when, they appear in all 92 capitals, as shown here. 94 3. RFC 2409 to Historic 96 IKEv1 is deprecated. Systems running IKEv1 should be upgraded and 97 reconfigured to run IKEv2. Systems that support IKEv1 but not IKEv2 98 are most likely also unsuitable candidates for continued operation: 100 * A number of IKEv1 systems have reached their End of Life and 101 therefor will never be patched by the vendor if a vulnerability is 102 found. 104 * A number of vendors still provide updates for their equipment that 105 supports IKEv1 and IKEv2, but have "frozen" their IKEv1 106 implementation, and will never make any changes to it. This also 107 results in running unmaintained code and its associated security 108 risks. 110 * IKEv1 systems can be abused for packet amplification attacks, see 111 CVE-2016-5361. 113 * IKEv1 systems most likely do not support modern cryptographic 114 algorithms. AES-GCM is only defined for ESP and not IKE, and 115 often not implemented for ESP. And CHACHA20_POLY1305 is not 116 defined for IKEv1. Often, IKEv1 is configured with the very weak 117 Diffie-Hellman Groups 2 and 5 and some implementatipons do not 118 support any stronger alternatives. 120 IKEv2 is a more secure protocol than IKEv1 in every aspect. 121 IKEv1-only systems should be upgraded or replaced by systems 122 supporting IKEv2. IKEv1 configurations SHOULD NOT be directly 123 translated to IKEv2 configurations without updating the cryptographic 124 algorithms used. 126 4. IKEv1 feature equivalents for IKEv2 128 A few notably IKEv1 features are not present in the IKEv2 core 129 specification [RFC7296] but are available for IKEv2 via an additional 130 specification: 132 4.1. IKEv2 postquantum support 134 IKEv1 and its way of using Preshared Keys (PSKs) protects against 135 quantum computer based attacks. IKEv2 updated its use of PSK to 136 improve the error reporting, but at the expense of post-quantum 137 security. If post-quantum security is required, these systems should 138 be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [RFC8784] 140 4.2. IKEv2 Labeled IPsec support 142 Some IKEv1 implementations support Labeled IPsec, a method to 143 negotiate an addition Security Context selector to the SPD, but this 144 method was never standarized in IKEv1. Those IKEv1 systems that 145 require Labeled IPsec should migrate to an IKEv2 system supporting 146 Labeled IPsec as specified in [draft-ietf-ipsecme-labeled-ipsec]. 148 4.3. IKEv2 Group SA / Multicast support 150 In IKEv1, [RFC6407], [RFC3740], [RFC5374] define the support for 151 Group SA and Multicast support. For IKEv2, this work is currently in 152 progress via [draft-ietf-ipsecme-g-ikev2] 154 5. Deprecating obsolete algorithms 156 This document deprecates the following algorithms: 158 * Encryption Algorithms: RC5, IDEA, CAST, Blowfish, and the 159 unspecified 3IDEA, ENCR_DES_IV64 and ENCR_DES_IV32 161 * PRF Algorithms: the unspecified PRF_HMAC_TIGER 163 * Integrity Algorithms: HMAC-MD5-128 165 * Diffie-Hellman groups: none 167 6. Security Considerations 169 There are only security benefits by deprecating IKEv1 for IKEv2. 171 The deprecated algorithms have long been in disuse and are no longer 172 actively deployed or researched. It presents an unknown security 173 risk that is best avoided. Additionally, these algorithms not being 174 supported in implementations simplifies those implementations and 175 reduces the accidental use of these deprecated algorithms through 176 misconfiguration or downgrade attacks. 178 7. IANA Considerations 180 This document instructs IANA to add an additional Status column to 181 the IKEv2 Transform Type registries and mark the following entries as 182 DEPRECATED: 184 Transform Type 1 - Encryption Algorithm IDs 186 Number Name Status 187 ------ --------------- ------ 188 1 ENCR_DES_IV64 DEPRECATED [this document] 189 2 ENCR_DES DEPRECATED [RFC8247] 190 4 ENCR_RC5 DEPRECATED [this document] 191 5 ENCR_IDEA DEPRECATED [this document] 192 6 ENCR_CAST DEPRECATED [this document] 193 7 ENCR_BLOWFISH DEPRECATED [this document] 194 8 ENCR_3IDEA DEPRECATED [this document] 195 9 ENCR_DES_IV32 DEPRECATED [this document] 197 Figure 1 199 Transform Type 2 - Pseudorandom Function Transform IDs 201 Number Name Status 202 ------ ------------ ---------- 203 1 PRF_HMAC_MD5 DEPRECATED [RFC8247] 204 1 PRF_HMAC_TIGER DEPRECATED [this document] 206 Figure 2 208 Transform Type 3 - Integrity Algorithm Transform IDs 210 Number Name Status 211 ------ ----------------- ---------- 212 1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247] 213 3 AUTH_DES_MAC DEPRECATED [RFC8247] 214 4 AUTH_KPDK_MD5 DEPRECATED [RFC8247] 215 6 AUTH_HMAC_MD5_128 DEPRECATED [this document] 216 7 AUTH_HMAC_SHA1_160 DEPRECATED [this document] 218 Figure 3 220 Transform Type 4 - Diffie Hellman Group Transform IDs 222 Number Name Status 223 ------ ---------------------------- ---------- 224 1 768-bit MODP Group DEPRECATED [RFC8247] 225 22 1024-bit MODP Group with 226 160-bit Prime Order Subgroup DEPRECATED [RFC8247] 228 Figure 4 230 All entries not mentioned here should receive no value in the new 231 Status field. 233 8. Normative References 235 [draft-ietf-ipsecme-g-ikev2] 236 Smyslov, V. and B. Weis, "Group Key Management using 237 IKEv2", Work in Progress, Internet-Draft, draft-ietf- 238 ipsecme-labeled-ipsec, 11 January 2021, 239 . 242 [draft-ietf-ipsecme-labeled-ipsec] 243 Wouters, P. and S. Prasad, "Labeled IPsec Traffic Selector 244 support for IKEv2", Work in Progress, Internet-Draft, 245 draft-ietf-ipsecme-labeled-ipsec, 30 October 2020, 246 . 249 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 250 Requirement Levels", BCP 14, RFC 2119, 251 DOI 10.17487/RFC2119, March 1997, 252 . 254 [RFC2407] Piper, D., "The Internet IP Security Domain of 255 Interpretation for ISAKMP", RFC 2407, 256 DOI 10.17487/RFC2407, November 1998, 257 . 259 [RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, 260 "Internet Security Association and Key Management Protocol 261 (ISAKMP)", RFC 2408, DOI 10.17487/RFC2408, November 1998, 262 . 264 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 265 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 266 . 268 [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security 269 Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, 270 . 272 [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) 273 Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005, 274 . 276 [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast 277 Extensions to the Security Architecture for the Internet 278 Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008, 279 . 281 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 282 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 283 October 2011, . 285 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 286 Kivinen, "Internet Key Exchange Protocol Version 2 287 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 288 2014, . 290 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 291 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 292 May 2017, . 294 [RFC8223] Esale, S., Torvi, R., Jalil, L., Chunduri, U., and K. 295 Raza, "Application-Aware Targeted LDP", RFC 8223, 296 DOI 10.17487/RFC8223, August 2017, 297 . 299 [RFC8247] Nir, Y., Kivinen, T., Wouters, P., and D. Migault, 300 "Algorithm Implementation Requirements and Usage Guidance 301 for the Internet Key Exchange Protocol Version 2 (IKEv2)", 302 RFC 8247, DOI 10.17487/RFC8247, September 2017, 303 . 305 [RFC8784] Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov, 306 "Mixing Preshared Keys in the Internet Key Exchange 307 Protocol Version 2 (IKEv2) for Post-quantum Security", 308 RFC 8784, DOI 10.17487/RFC8784, June 2020, 309 . 311 Author's Address 313 Paul Wouters (editor) 314 No Hats 316 Email: paul@nohats.ca