idnits 2.17.1 draft-ietf-ipsecme-rfc4307bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 18, 2015) is 3111 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 158 == Missing Reference: 'IKEv2' is mentioned on line 199, but not defined Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Y. Nir 3 Internet-Draft Check Point 4 Intended status: Standards Track T. Kivinen 5 Expires: April 20, 2016 INSIDE Secure 6 P. Wouters 7 Red Hat 8 D. Migault 9 Ericsson 10 October 18, 2015 12 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 13 (IKEv2) 14 draft-ietf-ipsecme-rfc4307bis-00 16 Abstract 18 The IPsec series of protocols makes use of various cryptographic 19 algorithms in order to provide security services. The Internet Key 20 Exchange protocol provides a mechanism to negotiate which algorithms 21 should be used in any given association. However, to ensure 22 interoperability between disparate implementations, it is necessary 23 to specify a set of mandatory-to-implement algorithms to ensure that 24 there is at least one algorithm that all implementations will have 25 available. This document defines the current set of algorithms that 26 are mandatory to implement as part of IKEv2, as well as algorithms 27 that should be implemented because they may be promoted to mandatory 28 at some future time. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at http://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on April 20, 2016. 47 Copyright Notice 49 Copyright (c) 2015 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents 54 (http://trustee.ietf.org/license-info) in effect on the date of 55 publication of this document. Please review these documents 56 carefully, as they describe your rights and restrictions with respect 57 to this document. Code Components extracted from this document must 58 include Simplified BSD License text as described in Section 4.e of 59 the Trust Legal Provisions and are provided without warranty as 60 described in the Simplified BSD License. 62 Table of Contents 64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 65 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 66 3. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 3 67 3.1. IKEv2 Transform Type 1 Algorithms . . . . . . . . . . . . 3 68 3.2. IKEv2 Transform Type 3 Algorithms . . . . . . . . . . . . 4 69 3.3. IKEv2 Transform Type 2 Algorithms . . . . . . . . . . . . 4 70 3.4. Diffie-Hellman Groups . . . . . . . . . . . . . . . . . . 5 71 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 72 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 73 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 75 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 76 7.2. Informative References . . . . . . . . . . . . . . . . . 6 78 1. Introduction 80 The Internet Key Exchange protocol [RFC7296] provides for the 81 negotiation of cryptographic algorithms between both endpoints of a 82 cryptographic association. Different implementations of IPsec and 83 IKE may provide different algorithms. However, the IETF desires that 84 all implementations should have some way to interoperate. In 85 particular, this requires that IKE define a set of mandatory-to- 86 implement algorithms because IKE itself uses such algorithms as part 87 of its own negotiations. This requires that some set of algorithms 88 be specified as "mandatory-to-implement" for IKE. 90 The nature of cryptography is that new algorithms surface 91 continuously and existing algorithms are continuously attacked. An 92 algorithm believed to be strong today may be demonstrated to be weak 93 tomorrow. Given this, the choice of mandatory-to-implement algorithm 94 should be conservative so as to minimize the likelihood of it being 95 compromised quickly. Thought should also be given to performance 96 considerations as many uses of IPsec will be in environments where 97 performance is a concern. 99 Finally, we need to recognize that the mandatory-to-implement 100 algorithm(s) may need to change over time to adapt to the changing 101 world. For this reason, the selection of mandatory-to-implement 102 algorithms was removed from the main IKEv2 specification and placed 103 in this document. As the choice of algorithm changes, only this 104 document should need to be updated. 106 Ideally, the mandatory-to-implement algorithm of tomorrow should 107 already be available in most implementations of IPsec by the time it 108 is made mandatory. To facilitate this, we will attempt to identify 109 those algorithms (that are known today) in this document. There is 110 no guarantee that the algorithms we believe today may be mandatory in 111 the future will in fact become so. All algorithms known today are 112 subject to cryptographic attack and may be broken in the future. 114 2. Conventions Used in This Document 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119]. 120 We define some additional terms here: 122 SHOULD+ This term means the same as SHOULD. However, it is likely 123 that an algorithm marked as SHOULD+ will be promoted at 124 some future time to be a MUST. 125 SHOULD- This term means the same as SHOULD. However, an algorithm 126 marked as SHOULD- may be deprecated to a MAY in a future 127 version of this document. 128 MUST- This term means the same as MUST. However, we expect at 129 some point that this algorithm will no longer be a MUST in 130 a future document. Although its status will be determined 131 at a later time, it is reasonable to expect that if a 132 future revision of a document alters the status of a MUST- 133 algorithm, it will remain at least a SHOULD or a SHOULD-. 135 3. Algorithm Selection 137 3.1. IKEv2 Transform Type 1 Algorithms 139 The algorithms in the below table are negotiated in the SA payload 140 and used in the ENCR payload. References to the specifications 141 defining these algorithms and the ones in the following subsections 142 are in the IANA registry [IKEV2-IANA]. Some of these algorithms are 143 Authenticated Encryption with Associated Data (AEAD - [RFC5282]). 144 Algorithms that are not AEAD MUST be used in conjunction with the 145 integrity algorithms in Section 3.2. 147 +-----------------------------+----------+-------+---------+ 148 | Name | Status | AEAD? | Comment | 149 +-----------------------------+----------+-------+---------+ 150 | ENCR_AES_CBC | MUST | No | [1] | 151 | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | 152 | AES-GCM with a 16 octet ICV | SHOULD | Yes | [1] | 153 | ENCR_AES_CCM_8 | SHOULD | Yes | [1] | 154 | ENCR_3DES | MAY | No | | 155 | ENCR_DES | MUST NOT | No | | 156 +-----------------------------+----------+-------+---------+ 158 [1] - Both 256-bit and 128-bit keys should be supported at the same 159 level of requirement. 161 3.2. IKEv2 Transform Type 3 Algorithms 163 The algorithms in the below table are negotiated in the SA payload 164 and used in the ENCR payload. References to the specifications 165 defining these algorithms are in the IANA registry. When an AEAD 166 algorithm (see Section 3.1) is used, no algorithm from this table 167 needs to be used. 169 +------------------------+---------+ 170 | Name | Status | 171 +------------------------+---------+ 172 | AUTH_HMAC_SHA2_256_128 | MUST | 173 | AUTH_HMAC_SHA2_384_192 | SHOULD+ | 174 | AUTH_HMAC_SHA1_96 | MUST- | 175 | AUTH_AES_128_GMAC | MAY | 176 | AUTH_AES_XCBC_96 | MAY | 177 | AUTH_HMAC_MD5_96 | MAY | 178 +------------------------+---------+ 180 3.3. IKEv2 Transform Type 2 Algorithms 182 Transform Type 2 Algorithms are pseudo-random functions used to 183 generate random values when needed. 185 +-------------------+---------+ 186 | Name | Status | 187 +-------------------+---------+ 188 | PRF_HMAC_SHA2_256 | MUST | 189 | PRF_HMAC_SHA2_384 | SHOULD+ | 190 | PRF_HMAC_SHA1 | MUST- | 191 | PRF_AES128_CBC | MAY | 192 | PRF_HMAC_MD5 | MAY | 193 +-------------------+---------+ 195 3.4. Diffie-Hellman Groups 197 There are several Modular Exponential (MODP) groups and several 198 Elliptic Curve groups (ECC) that are defined for use in IKEv2. They 199 are defined in both the [IKEv2] base document and in extensions 200 documents. They are identified by group number. 202 +--------+--------------------------+------------+ 203 | Number | Description | Status | 204 +--------+--------------------------+------------+ 205 | 14 | 2048-bit MODP Group | MUST | 206 | 19 | 256-bit random ECP group | SHOULD | 207 | 20 | 384-bit random ECP group | MAY | 208 | 2 | 1024-bit MODP Group | SHOULD NOT | 209 +--------+--------------------------+------------+ 211 4. Security Considerations 213 The security of cryptographic-based systems depends on both the 214 strength of the cryptographic algorithms chosen and the strength of 215 the keys used with those algorithms. The security also depends on 216 the engineering of the protocol used by the system to ensure that 217 there are no non-cryptographic ways to bypass the security of the 218 overall system. 220 This document concerns itself with the selection of cryptographic 221 algorithms for the use of IKEv2, specifically with the selection of 222 "mandatory-to-implement" algorithms. The algorithms identified in 223 this document as "MUST implement" or "SHOULD implement" are not known 224 to be broken at the current time, and cryptographic research so far 225 leads us to believe that they will likely remain secure into the 226 foreseeable future. However, this isn't necessarily forever. We 227 would therefore expect that new revisions of this document will be 228 issued from time to time that reflect the current best practice in 229 this area. 231 5. IANA Considerations 233 This document makes no requests of IANA. 235 6. Acknowledgements 237 The first version of this document was RFC 4307 by Jeffrey I. 238 Schiller of the Massachusetts Institute of Technology (MIT). Much of 239 the text has been copied verbatim. 241 7. References 243 7.1. Normative References 245 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 246 Requirement Levels", BCP 14, RFC 2119, March 1997. 248 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 249 Kivinen, "Internet Key Exchange Protocol Version 2 250 (IKEv2)", STD 79, RFC 7296, October 2014. 252 [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption 253 Algorithms with the Encrypted Payload of the Internet Key 254 Exchange version 2 (IKEv2) Protocol", RFC 5282, DOI 255 10.17487/RFC5282, August 2008, 256 . 258 7.2. Informative References 260 [IKEV2-IANA] 261 "Internet Key Exchange Version 2 (IKEv2) Parameters", 262 . 264 Authors' Addresses 266 Yoav Nir 267 Check Point Software Technologies Ltd. 268 5 Hasolelim st. 269 Tel Aviv 6789735 270 Israel 272 EMail: ynir.ietf@gmail.com 273 Tero Kivinen 274 INSIDE Secure 275 Eerikinkatu 28 276 HELSINKI FI-00180 277 FI 279 EMail: kivinen@iki.fi 281 Paul Wouters 282 Red Hat 284 EMail: pwouters@redhat.com 286 Daniel Migault 287 Ericsson 288 8400 boulevard Decarie 289 Montreal, QC H4P 2N2 290 Canada 292 Phone: +1 514-452-2160 293 EMail: daniel.migault@ericsson.com