draft-ietf-ipsecme-dh-checks-02.txt		draft-ietf-ipsecme-dh-checks-03.txt
	ipsecme Y. Sheffer		ipsecme Y. Sheffer
	Internet-Draft Porticor		Internet-Draft Porticor
	Updates: 5996 (if approved) S. Fluhrer		Updates: 5996 (if approved) S. Fluhrer
	Intended status: Standards Track Cisco		Intended status: Standards Track Cisco
	Expires: October 22, 2013 April 20, 2013		Expires: October 24, 2013 April 22, 2013
	Additional Diffie-Hellman Tests for IKEv2		Additional Diffie-Hellman Tests for IKEv2
	draft-ietf-ipsecme-dh-checks-02		draft-ietf-ipsecme-dh-checks-03
	Abstract		Abstract
	This document adds a small number of mandatory tests required for the		This document adds a small number of mandatory tests required for the
	secure operation of IKEv2 with elliptic curve groups. No change is		secure operation of IKEv2 with elliptic curve groups. No change is
	required to IKE implementations that use modular exponential groups,		required to IKE implementations that use modular exponential groups,
	other than a few rarely used so-called DSA groups. This document		other than a few rarely used so-called DSA groups. This document
	updates the IKEv2 protocol, RFC 5996.		updates the IKEv2 protocol, RFC 5996.
	Status of this Memo		Status of this Memo
	skipping to change at page 1, line 35		skipping to change at page 1, line 35
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 22, 2013.		This Internet-Draft will expire on October 24, 2013.
	Copyright Notice		Copyright Notice
	Copyright (c) 2013 IETF Trust and the persons identified as the		Copyright (c) 2013 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 2, line 28		skipping to change at page 2, line 28
	4.1. DH Key Reuse and Multiple Peers . . . . . . . . . . . 6		4.1. DH Key Reuse and Multiple Peers . . . . . . . . . . . 6
	4.2. DH Key Reuse: Variants . . . . . . . . . . . . . . . . 7		4.2. DH Key Reuse: Variants . . . . . . . . . . . . . . . . 7
	4.3. Groups not covered by this RFC . . . . . . . . . . . . 7		4.3. Groups not covered by this RFC . . . . . . . . . . . . 7
	4.4. Behavior Upon Test Failure . . . . . . . . . . . . . . 7		4.4. Behavior Upon Test Failure . . . . . . . . . . . . . . 7
	5. IANA Considerations . . . . . . . . . . . . . . . . . 8		5. IANA Considerations . . . . . . . . . . . . . . . . . 8
	6. Acknowledgements . . . . . . . . . . . . . . . . . . . 8		6. Acknowledgements . . . . . . . . . . . . . . . . . . . 8
	7. References . . . . . . . . . . . . . . . . . . . . . . 9		7. References . . . . . . . . . . . . . . . . . . . . . . 9
	7.1. Normative References . . . . . . . . . . . . . . . . . 9		7.1. Normative References . . . . . . . . . . . . . . . . . 9
	7.2. Informative References . . . . . . . . . . . . . . . . 9		7.2. Informative References . . . . . . . . . . . . . . . . 9
	Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . . 10		Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . . 10
	A.1. -02 . . . . . . . . . . . . . . . . . . . . . . . . . 10		A.1. -03 . . . . . . . . . . . . . . . . . . . . . . . . . 10
	A.2. -01 . . . . . . . . . . . . . . . . . . . . . . . . . 10		A.2. -02 . . . . . . . . . . . . . . . . . . . . . . . . . 10
	A.3. -00 . . . . . . . . . . . . . . . . . . . . . . . . . 10		A.3. -01 . . . . . . . . . . . . . . . . . . . . . . . . . 10
			A.4. -00 . . . . . . . . . . . . . . . . . . . . . . . . . 10
	Authors' Addresses . . . . . . . . . . . . . . . . . . 10		Authors' Addresses . . . . . . . . . . . . . . . . . . 10
	1. Introduction		1. Introduction
	IKEv2 [RFC5996] consists of the establishment of a shared secret		IKEv2 [RFC5996] consists of the establishment of a shared secret
	using the Diffie-Hellman (DH) protocol, followed by authentication of		using the Diffie-Hellman (DH) protocol, followed by authentication of
	the two peers. Existing implementations typically use modular		the two peers. Existing implementations typically use modular
	exponential (MODP) DH groups, such as those defined in [RFC3526].		exponential (MODP) DH groups, such as those defined in [RFC3526].
	IKEv2 does not require that any tests be performed by a peer		IKEv2 does not require that any tests be performed by a peer
	skipping to change at page 8, line 21		skipping to change at page 8, line 21
	case.		case.
	5. IANA Considerations		5. IANA Considerations
	This document requests that IANA should add a column named "Recipient		This document requests that IANA should add a column named "Recipient
	Tests" to the IKEv2 DH Group Transform IDs Registry		Tests" to the IKEv2 DH Group Transform IDs Registry
	[IANA-DH-Registry].		[IANA-DH-Registry].
	This column should initially be populated as per the following table.		This column should initially be populated as per the following table.
	+-----------------------------+---------------------+		+------------------------------------+---------------------+
	| Number | Recipient Tests |		| Number | Recipient Tests |
	+-----------------------------+---------------------+		+------------------------------------+---------------------+
	| 1, 2, 5, 14, 15, 16, 17, 18 | [current], Sec. 2.1 |		| 1, 2, 5, 14, 15, 16, 17, 18 | [current], Sec. 2.1 |
	| 22, 23, 24 | [current], Sec. 2.2 |		| 22, 23, 24 | [current], Sec. 2.2 |
	| 19, 20, 21, 25, 26 | [current], Sec. 2.3 |		| 19, 20, 21, 25, 26, 27, 28, 29, 30 | [current], Sec. 2.3 |
	+-----------------------------+---------------------+		+------------------------------------+---------------------+
	Note to RFC Editor: please replace [current] by the RFC number		Note to RFC Editor: please replace [current] by the RFC number
	assigned to this document.		assigned to this document.
			Groups 27-30 have been recently defined in
			[I-D.merkle-ikev2-ke-brainpool].
	Future documents that define new DH groups for IKEv2 are REQUIRED to		Future documents that define new DH groups for IKEv2 are REQUIRED to
	provide this information for each new group, possibly by referring to		provide this information for each new group, possibly by referring to
	the current document.		the current document.
	6. Acknowledgements		6. Acknowledgements
	We would like to thank Dan Harkins who initially raised this issue on		We would like to thank Dan Harkins who initially raised this issue on
	the ipsec mailing list. Thanks to Tero Kivinen and Rene Struik for		the ipsec mailing list. Thanks to Tero Kivinen and Rene Struik for
	their useful comments.		their useful comments.
	skipping to change at page 9, line 30		skipping to change at page 9, line 30
	RFC 3526, May 2003.		RFC 3526, May 2003.
	[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman		[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
	Groups for Use with IETF Standards", RFC 5114,		Groups for Use with IETF Standards", RFC 5114,
	January 2008.		January 2008.
	[RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a		[RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
	Prime (ECP Groups) for IKE and IKEv2", RFC 5903,		Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
	June 2010.		June 2010.
			[I-D.merkle-ikev2-ke-brainpool]
			Merkle, J. and M. Lochter, "Using the ECC Brainpool Curves
			for IKEv2 Key Exchange",
			draft-merkle-ikev2-ke-brainpool-04 (work in progress),
			April 2013.
	[NIST-800-56A]		[NIST-800-56A]
	National Institute of Standards and Technology (NIST),		National Institute of Standards and Technology (NIST),
	"Recommendation for Pair-Wise Key Establishment Schemes		"Recommendation for Pair-Wise Key Establishment Schemes
	Using Discrete Logarithm Cryptography (Revised)", NIST PUB		Using Discrete Logarithm Cryptography (Revised)", NIST PUB
	800-56A, March 2007.		800-56A, March 2007.
	[Kocher] Kocher, P., "Timing Attacks on Implementations of Diffie-		[Kocher] Kocher, P., "Timing Attacks on Implementations of Diffie-
	Hellman, RSA, DSS, and Other Systems", December 1996,		Hellman, RSA, DSS, and Other Systems", December 1996,
	<http://www.cryptography.com/timingattack/paper.html>.		<http://www.cryptography.com/timingattack/paper.html>.
	skipping to change at page 10, line 9		skipping to change at page 10, line 13
	[IANA-DH-Registry]		[IANA-DH-Registry]
	IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters,		IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters,
	Transform Type 4 - Diffie-Hellman Group Transform IDs",		Transform Type 4 - Diffie-Hellman Group Transform IDs",
	Jan. 2005, <http://www.iana.org/assignments/		Jan. 2005, <http://www.iana.org/assignments/
	ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-8>.		ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-8>.
	Appendix A. Appendix: Change Log		Appendix A. Appendix: Change Log
	Note to RFC Editor: please remove this section before publication.		Note to RFC Editor: please remove this section before publication.
	A.1. -02		A.1. -03
			o Added the Brainpool curves to the IANA registration table.
			A.2. -02
	o Based on Tero's review: Improved the protocol behavior, and		o Based on Tero's review: Improved the protocol behavior, and
	mentioned that these checks apply to Create Child SA. Added a		mentioned that these checks apply to Create Child SA. Added a
	discussion of DH timing attacks, stolen from RFC 2412.		discussion of DH timing attacks, stolen from RFC 2412.
	A.2. -01		A.3. -01
	o Corrected an author's name that was misspelled.		o Corrected an author's name that was misspelled.
	o Added recipient behavior if a test fails, and the related security		o Added recipient behavior if a test fails, and the related security
	considerations.		considerations.
	A.3. -00		A.4. -00
	o First WG document.		o First WG document.
	o Clarified IANA actions.		o Clarified IANA actions.
	o Discussion of potential future groups not covered here.		o Discussion of potential future groups not covered here.
	o Clarification re: practicality of recipient tests for DSA groups.		o Clarification re: practicality of recipient tests for DSA groups.
	Authors' Addresses		Authors' Addresses
	Yaron Sheffer		Yaron Sheffer
	Porticor		Porticor
End of changes. 10 change blocks.
	16 lines changed or deleted		30 lines changed or added
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/