idnits 2.17.1 draft-mcgrew-aes-gmac-esp-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 613. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 590. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 597. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 603. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 8, 2006) is 6623 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2407' is defined on line 508, but no explicit reference was found in the text == Unused Reference: 'RFC2410' is defined on line 530, but no explicit reference was found in the text == Unused Reference: 'RFC2675' is defined on line 533, but no explicit reference was found in the text == Unused Reference: 'RFC3610' is defined on line 536, but no explicit reference was found in the text == Unused Reference: 'RFC3686' is defined on line 539, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'GCM' ** Obsolete normative reference: RFC 2407 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 4306 (Obsoleted by RFC 5996) Summary: 4 errors (**), 0 flaws (~~), 7 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. McGrew 3 Internet-Draft Cisco Systems, Inc. 4 Expires: September 9, 2006 J. Viega 5 Secure Software, Inc. 6 March 8, 2006 8 The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH 9 draft-mcgrew-aes-gmac-esp-02.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on September 9, 2006. 36 Copyright Notice 38 Copyright (C) The Internet Society (2006). 40 Abstract 42 This memo describes the use of the Advanced Encryption Standard (AES) 43 Galois Message Authentication Code (GMAC) as a mechanism to provide 44 data origin authentication, but not confidentiality, within the IPsec 45 Encapsulating Security Payload (ESP) and Authentication Header (AH). 46 GMAC is based on the Galois/Counter Mode (GCM) of operation, and can 47 be efficiently implemented in hardware for speeds of 10 gigabits per 48 second and above, and is also well-suited to software 49 implementations. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 54 1.1 History . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.2 Conventions Used In This Document . . . . . . . . . . . . 3 56 2. AES-GMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 3. The use of AES-GMAC in ESP . . . . . . . . . . . . . . . . . 5 58 3.1 Initialization Vector . . . . . . . . . . . . . . . . . . 5 59 3.2 Nonce Format . . . . . . . . . . . . . . . . . . . . . . . 5 60 3.3 AAD Construction . . . . . . . . . . . . . . . . . . . . . 6 61 3.4 Integrity Check Value (ICV) . . . . . . . . . . . . . . . 7 62 3.5 Differences with AES-GCM-ESP . . . . . . . . . . . . . . . 7 63 3.6 Packet Expansion . . . . . . . . . . . . . . . . . . . . . 8 64 4. The use of AES-GMAC in AH . . . . . . . . . . . . . . . . . 9 65 5. IKE Conventions . . . . . . . . . . . . . . . . . . . . . . 10 66 5.1 Phase 1 Identifier . . . . . . . . . . . . . . . . . . . . 10 67 5.2 Phase 2 Identifier . . . . . . . . . . . . . . . . . . . . 10 68 5.3 Key Length Attribute . . . . . . . . . . . . . . . . . . . 10 69 5.4 Keying Material and Salt Values . . . . . . . . . . . . . 10 70 6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 12 71 7. Security Considerations . . . . . . . . . . . . . . . . . . 13 72 8. Design Rationale . . . . . . . . . . . . . . . . . . . . . . 15 73 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 16 74 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 75 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 76 11.1 Normative References . . . . . . . . . . . . . . . . . . 18 77 11.2 Informative References . . . . . . . . . . . . . . . . . 18 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19 79 Intellectual Property and Copyright Statements . . . . . . . 20 81 1. Introduction 83 This document describes the use of AES GMAC mode (AES-GMAC) as a 84 mechanism for data origin authentication in ESP [RFC4303] and AH 85 [RFC4302]. We refer to these methods as ENCR_NULL_AUTH_AES_GMAC and 86 AUTH_AES_GMAC, respectively. ENCR_NULL_AUTH_AES_GMAC is a companion 87 to the AES Galois/Counter Mode ESP [RFC4106], which provides 88 authentication as well as confidentiality. ENCR_NULL_AUTH_AES_GMAC 89 is intended for cases in which confidentiality is not desired. Like 90 GCM, GMAC is efficient and secure, and is amenable to high-speed 91 implementations in hardware. ENCR_NULL_AUTH_AES_GMAC and 92 AUTH_AES_GMAC are designed so that the incremental cost of 93 implementation, given an implementation is AES-GCM-ESP, is small. 95 This document does not cover implementation details of GCM or GMAC. 96 Those details can be found in [GCM], along with test vectors. 98 1.1 History 100 The original version of this document only described 101 ENCR_NULL_AUTH_AES_GMAC, and not AUTH_AES_GMAC. This version adds 102 support for AH, without making any changes to the normative ESP text 103 (other than editorial ones), except for a clarification about 104 transform identifiers and the IKE Key Length attribute. 106 1.2 Conventions Used In This Document 108 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 109 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 110 document are to be interpreted as described in [RFC2119]. 112 2. AES-GMAC 114 GMAC is a block cipher mode of operation providing data origin 115 authentication. It is defined in terms of the GCM authenticated 116 encryption operation as follows. The GCM authenticated encryption 117 operation has four inputs: a secret key, an initialization vector 118 (IV), a plaintext, and an input for additional authenticated data 119 (AAD). It has two outputs, a ciphertext whose length is identical to 120 the plaintext, and an authentication tag. GMAC is the special case 121 of GCM in which the plaintext has a length of zero. The (zero- 122 length) ciphertext output is ignored, of course, so that the only 123 output of the function is the Authentication Tag. In the following, 124 we describe how the GMAC IV and AAD are formed from the ESP and AH 125 fields, and how the ESP and AH packets are formed from the 126 Authentication Tag. 128 Below we refer to the AES-GMAC IV input as a nonce, in order to 129 distinguish it from the IV fields in the packets. The same nonce and 130 key combination MUST NOT be used more than once, since reusing an 131 nonce/key combination destroys the security guarantees of AES-GMAC 133 Because of this restriction, it can be difficult to use this mode 134 securely when using statically configured keys. For the sake of good 135 security, implementations MUST use an automated key management 136 system, such as the Internet Key Exchange (IKE) (either version two 137 [RFC4306] or version one [RFC2409]), to ensure that this requirement 138 is met. 140 3. The use of AES-GMAC in ESP 142 The AES GMAC algorithm for ESP is defined as an ESP "combined mode" 143 algorithm (see Section 3.2.3 of [RFC4303]), rather than an ESP 144 integrity algorithm. It is called ENCR_NULL_AUTH_AES_GMAC in order 145 to highlight the fact that it performs no encryption and provides no 146 confidentiality. 148 Rationale: ESP makes no provision for integrity transforms to 149 place an initialization vector within the Payload field; only 150 encryption transforms are expected to use IVs. Defining GMAC as 151 an encryption transform avoids this issue, and allows GMAC to 152 benefit from the same pipelining as does GCM. 154 Like all ESP combined modes, it is registered in IKEv2 as an 155 encryption transform, or "Type 1" transform. It MUST NOT be used in 156 conjunction with any other ESP encryption transform (within a 157 particular ESP encapsulation). If confidentiality is desired, then 158 GCM ESP [RFC4106] SHOULD be used instead. 160 3.1 Initialization Vector 162 With ENCR_NULL_AUTH_AES_GMAC, an explicit Initialization Vector (IV) 163 is included in the ESP Payload, at the outset of that field. The IV 164 MUST be eight octets long. For a given key, the IV MUST NOT repeat. 165 The most natural way to meet this requirement is to set the IV using 166 a counter, but implementations are free to set the IV field in any 167 way that guarantees uniqueness, such as a linear feedback shift 168 register (LFSR). Note that the sender can use any IV generation 169 method that meets the uniqueness requirement, without coordinating 170 with the receiver. 172 3.2 Nonce Format 174 The nonce passed to the AES-GMAC authentication algorithm has the 175 following layout: 177 0 1 2 3 178 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 180 | Salt | 181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 182 | Initialization Vector | 183 | | 184 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 Figure 1: Nonce Format 188 The components of the nonce are as follows: 190 Salt 191 The salt field is a four-octet value that is assigned at the 192 beginning of the security association, and then remains constant 193 for the life of the security association. The salt SHOULD be 194 unpredictable (i.e., chosen at random) before it is selected, but 195 need not be secret. We describe how to set the salt for a 196 Security Association established via the Internet Key Exchange in 197 Section 5.4. 199 Initialization Vector 200 The IV field is described in Section Section 3.1. 202 3.3 AAD Construction 204 Data integrity and data origin authentication is provided for the 205 SPI, (Extended) Sequence Number, Authenticated Payload, Padding, Pad 206 Length, and Next Header fields. This is done by including those 207 fields in the AES-GMAC Additional Authenticated Data (AAD) field. 208 Two formats of the AAD are defined: one for 32-bit sequence numbers, 209 and one for 64-bit extended sequence numbers. The format with 32-bit 210 sequence numbers is shown in Figure 2, and the format with 64-bit 211 extended sequence numbers is shown in Figure 3. 213 0 1 2 3 214 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 215 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 216 | SPI | 217 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 218 | 32-bit Sequence Number | 219 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 220 | | 221 ~ Authenticated Payload (variable) ~ 222 | | 223 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 224 | Padding (0-255 bytes) | 225 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 226 | | Pad Length | Next Header | 227 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 229 Figure 2: AAD Format with 32-bit Sequence Number 231 0 1 2 3 232 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 234 | SPI | 235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 236 | 64-bit Extended Sequence Number | 237 | | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 239 | | 240 ~ Authenticated Payload (variable) ~ 241 | | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 | Padding (0-255 bytes) | 244 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 | | Pad Length | Next Header | 246 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 248 Figure 3: AAD Format with 64-bit Extended Sequence Number 250 3.4 Integrity Check Value (ICV) 252 The ICV consists solely of the AES-GMAC Authentication Tag. The 253 Authentication Tag MUST NOT be truncated, so the length of the ICV is 254 16 octets. 256 3.5 Differences with AES-GCM-ESP 258 In this section we highlight the differences between this 259 specification and AES-GCM-ESP [RFC4106]. The essential difference is 260 that in this draft, the AAD consists of the SPI, Sequence Number, and 261 ESP Payload, and the AES-GCM plaintext is zero-length, while in AES- 262 GCM-ESP, the AAD consists only of the SPI and Sequence Number, and 263 the AES-GCM plaintext consists of the ESP Payload. These differences 264 are illustrated in Figure 4. This figure shows the case in which the 265 Extended Sequence Number option is not used. When that option is 266 exercised, the Sequence Number field in the figure would be replaced 267 with the Extended Sequence Number. 269 Importantly, ENCR_NULL_AUTH_AES_GMAC is *not* equivalent to AES-GCM- 270 ESP with encryption "turned off". However, the ICV computations 271 performed in both cases are similar, because of the structure of the 272 GHASH function [GCM]. 274 +-> +-----------------------+ <-+ 275 AES-GCM-ESP | | SPI | | 276 AAD -------+ +-----------------------+ | 277 | | Sequence Number | | 278 +-> +-----------------------+ | 279 | Authentication | | 280 | IV | | 281 +->+-> +-----------------------+ + 282 AES-GCM-ESP | | | | 283 Plaintext -+ ~ ESP Payload ~ | 284 | | | | 285 | +-----------+-----+-----+ | 286 | | Padding | PL | NH | | 287 +----> +-----------+-----+-----+ <-+ 288 | 289 ENCR_NULL_AUTH_AES_GMAC AAD --+ 291 Figure 4: Differences between ENCR_NULL_AUTH_AES_GMAC and AES-GCM- 292 ESP. 294 3.6 Packet Expansion 296 The IV adds an additional eight octets to the packet and the ICV adds 297 an additional 16 octets. These are the only sources of packet 298 expansion, other than the 10-13 bytes taken up by the ESP SPI, 299 Sequence Number, Padding, Pad Length, and Next Header fields (if the 300 minimal amount of padding is used). 302 4. The use of AES-GMAC in AH 304 In AUTH_AES_GMAC, the AH Authentication Data field consists of the IV 305 and the Authentication Tag, as shown in Figure 5. Unlike the usual 306 AH case, the Authentication Data field contains both an input to the 307 authentication algorithm (the IV) and the output of the 308 authentication algorithm (the tag). No padding is required in the 309 Authentication Data field, because its length is a multiple of 64 310 bits. 312 0 1 2 3 313 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 314 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 315 | Initialization Vector (IV) | 316 | (8 octets) | 317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 318 | | 319 | Integrity Check Value (ICV) (16 octets) | 320 | | 321 | | 322 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 324 Figure 5: The AUTH_AES_GMAC Authentication Data format. 326 The IV is as described in Section Section 3.1. The Integrity Check 327 Value (ICV) is as described in Section Section 3.4. 329 The GMAC Nonce input is formed as described in Section 3.2. The GMAC 330 AAD input consists of the authenticated data as defined in Section 331 3.1 of [RFC4302]. These values are provided as to that algorithm, 332 along with the secret key, and the resulting authentication tag given 333 as output is used to form the ICV. 335 5. IKE Conventions 337 This section describes the conventions used to generate keying 338 material and salt values for use with ENCR_NULL_AUTH_AES_GMAC and 339 AUTH_AES_GMAC using the Internet Key Exchange (IKE) version one 340 [RFC2409] and two [RFC4306]. 342 5.1 Phase 1 Identifier 344 This document does not specify the conventions for using AES-GMAC for 345 IKE Phase 1 negotiations. For AES-GMAC to be used in this manner, a 346 separate specification would be needed, and an Encryption Algorithm 347 Identifier would need to be assigned. Implementations SHOULD use an 348 IKE Phase 1 cipher which is at least as strong as AES-GMAC. The use 349 of AES CBC [RFC3602] with the same AES key size as used by 350 ENCR_NULL_AUTH_AES_GMAC or AUTH_AES_GMAC is RECOMMENDED. 352 5.2 Phase 2 Identifier 354 For IKE Phase 2 negotiations, IANA has assigned identifiers as 355 described in Section 9. 357 5.3 Key Length Attribute 359 AES-GMAC can be used with any of the three AES key lengths. The way 360 that the key length is indicated is different for AH and ESP. 362 For AH, each key length has its own separate integrity transform 363 identifier and algorithm name (Section 9). The IKE Key length 364 attribute MUST NOT be used with these identifiers. This transform 365 MUST NOT be used with ESP. 367 For ESP, there is a single encryption transform identifier (which 368 represents the combined transform) (Section 9). The IKE Key Length 369 attribute MUST be used with each use of this identifier to indicate 370 the key length. The Key Length attribute MUST have a value of 128, 371 192, or 256. 373 5.4 Keying Material and Salt Values 375 IKE makes use of a pseudo-random function (PRF) to derive keying 376 material. The PRF is used iteratively to derive keying material of 377 arbitrary size, called KEYMAT. Keying material is extracted from the 378 output string without regard to boundaries. 380 The size of the KEYMAT for the ENCR_NULL_AUTH_AES_GMAC and 381 AUTH_AES_GMAC MUST be four octets longer than is needed for the 382 associated AES key. The keying material is used as follows: 384 ENCR_NULL_AUTH_AES_GMAC with a 128 bit key and and AUTH_AES_128_GMAC 386 The KEYMAT requested for each AES-GMAC key is 20 octets. The 387 first 16 octets are the 128-bit AES key, and the remaining four 388 octets are used as the salt value in the nonce. 390 ENCR_NULL_AUTH_AES_GMAC with a 192 bit key and AUTH_AES_192_GMAC 391 The KEYMAT requested for each AES-GMAC key is 28 octets. The 392 first 24 octets are the 192-bit AES key, and the remaining four 393 octets are used as the salt value in the nonce. 395 ENCR_NULL_AUTH_AES_GMAC with a 256 bit key and AUTH_AES_256_GMAC 396 The KEYMAT requested for each AES GMAC key is 36 octets. The 397 first 32 octets are the 256-bit AES key, and the remaining four 398 octets are used as the salt value in the nonce. 400 6. Test Vectors 402 Appendix B of [GCM] provides test vectors that will assist 403 implementers with AES-GMAC. 405 7. Security Considerations 407 Since the authentication coverage is different between AES GCM ESP 408 and this specification (see Figure 4), it is worth pointing out that 409 both specifications are secure. In ENCR_NULL_AUTH_AES_GMAC, the IV 410 is not included in either the plaintext nor the additional 411 authenticated data. This does not adversely affect security, because 412 the IV field only provides an input to the GMAC IV, which is not 413 required to be authenticated (see [GCM]). In AUTH_AES_GMAC, the IV 414 is included in the additional authenticated data. This fact has no 415 adverse effect on security; it follows from the property that GMAC is 416 secure even against attacks in which the adversary can manipulate 417 both the IV and the message. Even an adversary with these powerful 418 capabilities cannot forge an authentication tag for any message 419 (other than one that was submitted to the chosen-message oracle). 420 Since such an adversary could easily choose messages that contain the 421 IVs with which they correspond, there are no security problems with 422 the inclusion of the IV in the AAD. 424 GMAC is provably secure against adversaries that can adaptively 425 choose plaintexts, ICVs and the AAD field, under standard 426 cryptographic assumptions (roughly, that the output of the underlying 427 cipher under a randomly chosen key is indistinguishable from a 428 randomly selected output). Essentially, this means that, if used 429 within its intended parameters, a break of GMAC implies a break of 430 the underlying block cipher. The proof of security is available in 431 [GCMP]. 433 The most important security consideration is that the IV never repeat 434 for a given key. In part, this is handled by disallowing the use of 435 AES-GMAC when using statically configured keys, as discussed in 436 Section 2. 438 When IKE is used to establish fresh keys between two peer entities, 439 separate keys are established for the two traffic flows. If a 440 different mechanism is used to establish fresh keys, one that 441 establishes only a single key to protect packets, then there is a 442 high probability that the peers will select the same IV values for 443 some packets. Thus, to avoid counter block collisions, ESP or AH 444 implementations that permit use of the same key for protecting 445 packets with the same peer MUST ensure that the two peers assign 446 different salt values to the security association (SA). 448 The other consideration is that, as with any block cipher mode of 449 operation, the security of all data protected under a given security 450 association decreases slightly with each message. 452 To protect against this problem, implementations MUST generate a 453 fresh key before processing 2^64 blocks of data with a given key. 454 Note that it is impossible to reach this limit when using 32-bit 455 Sequence Numbers. 457 Note that, for each message, GMAC calls the block cipher only once. 459 8. Design Rationale 461 This specification was designed to be as similar to AES-GCM-ESP 462 [RFC4106] as possible. We re-use the design and implementation 463 experience from that specification. We include all three AES key 464 sizes since AES-GCM-ESP supports all of those sizes, and the larger 465 key sizes provide future users with more high-security options. 467 9. IANA Considerations 469 IANA has assigned the following IKEv2 parameters. For the use of AES 470 GMAC in AH, the following integrity (type 2) transform identifiers 471 have been assigned: 473 "TBD1" for AUTH_AES_128_GMAC 475 "TBD2" for AUTH_AES_192_GMAC 477 "TBD3" for AUTH_AES_256_GMAC 479 For the use of AES GMAC in ESP, the following encryption (type 1) 480 transform identifier has been assigned: 482 "TBD4" for ENCR_NULL_AUTH_AES_GMAC 484 10. Acknowledgements 486 Our discussions with Fabio Maino and David Black significantly 487 improved this specification, and Tero Kivinen provided us with useful 488 comments. Steve Kent provided guidance on ESP interactions. This 489 work is closely modeled after AES-GCM, which itself is closely 490 modeled after Russ Housley's AES-CCM transform [RFC4309]. 491 Additionally, the GCM mode of operation was originally conceived as 492 an improvement to the CWC mode [CWC] in which Doug Whiting and Yoshi 493 Kohno participated. We express our thanks to Fabio, David, Tero, 494 Steve, Russ, Doug, and Yoshi. 496 11. References 498 11.1 Normative References 500 [GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of 501 Operation (GCM)", Submission to NIST. http:// 502 csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/ 503 gcm-spec.pdf, January 2004. 505 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 506 Requirement Levels", BCP 14, RFC 2119, March 1997. 508 [RFC2407] Piper, D., "The Internet IP Security Domain of 509 Interpretation for ISAKMP", RFC 2407, November 1998. 511 [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher 512 Algorithm and Its Use with IPsec", RFC 3602, 513 September 2003. 515 11.2 Informative References 517 [CWC] Kohno, T., Viega, J., and D. Whiting, "CWC: A high- 518 performance conventional authenticated encryption mode", 519 Fast Software 520 Encryption. http://eprint.iacr.org/2003/106.pdf, 521 February 2004. 523 [GCMP] McGrew, D. and J. Viega, "The Security and Performance of 524 the Galois/Counter Mode (GCM)", Proceedings of INDOCRYPT 525 '04, http://eprint.iacr.org/2004/193, December 2004. 527 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 528 (IKE)", RFC 2409, November 1998. 530 [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and 531 Its Use With IPsec", RFC 2410, November 1998. 533 [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", 534 RFC 2675, August 1999. 536 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 537 CBC-MAC (CCM)", RFC 3610, September 2003. 539 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 540 Counter Mode With IPsec Encapsulating Security Payload 541 (ESP)", RFC 3686, January 2004. 543 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 544 (GCM) in IPsec Encapsulating Security Payload (ESP)", 545 RFC 4106, June 2005. 547 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, 548 December 2005. 550 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 551 RFC 4303, December 2005. 553 [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", 554 RFC 4306, December 2005. 556 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 557 Mode with IPsec Encapsulating Security Payload (ESP)", 558 RFC 4309, December 2005. 560 Authors' Addresses 562 David A. McGrew 563 Cisco Systems, Inc. 564 510 McCarthy Blvd. 565 Milpitas, CA 95035 566 US 568 Phone: (408) 525 8651 569 Email: mcgrew@cisco.com 570 URI: http://www.mindspring.com/~dmcgrew/dam.htm 572 John Viega 573 Secure Software, Inc. 574 4100 Lafayette Center Dr., Suite 100 575 Chantilly, VA 20151 576 US 578 Phone: (703) 814 4402 579 Email: viega@securesoftware.com 581 Intellectual Property Statement 583 The IETF takes no position regarding the validity or scope of any 584 Intellectual Property Rights or other rights that might be claimed to 585 pertain to the implementation or use of the technology described in 586 this document or the extent to which any license under such rights 587 might or might not be available; nor does it represent that it has 588 made any independent effort to identify any such rights. Information 589 on the procedures with respect to rights in RFC documents can be 590 found in BCP 78 and BCP 79. 592 Copies of IPR disclosures made to the IETF Secretariat and any 593 assurances of licenses to be made available, or the result of an 594 attempt made to obtain a general license or permission for the use of 595 such proprietary rights by implementers or users of this 596 specification can be obtained from the IETF on-line IPR repository at 597 http://www.ietf.org/ipr. 599 The IETF invites any interested party to bring to its attention any 600 copyrights, patents or patent applications, or other proprietary 601 rights that may cover technology that may be required to implement 602 this standard. Please address the information to the IETF at 603 ietf-ipr@ietf.org. 605 Disclaimer of Validity 607 This document and the information contained herein are provided on an 608 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 609 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 610 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 611 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 612 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 613 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 615 Copyright Statement 617 Copyright (C) The Internet Society (2006). This document is subject 618 to the rights, licenses and restrictions contained in BCP 78, and 619 except as set forth therein, the authors retain all their rights. 621 Acknowledgment 623 Funding for the RFC Editor function is currently provided by the 624 Internet Society.