draft-ietf-ipsecme-rfc4307bis-15.txt   draft-ietf-ipsecme-rfc4307bis-16.txt 
Network Working Group Y. Nir Network Working Group Y. Nir
Internet-Draft Check Point Internet-Draft Check Point
Obsoletes: 4307 (if approved) T. Kivinen Obsoletes: 4307 (if approved) T. Kivinen
Updates: 7296 (if approved) INSIDE Secure Updates: 7296 (if approved) INSIDE Secure
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: April 23, 2017 Red Hat Expires: August 20, 2017 Red Hat
D. Migault D. Migault
Ericsson Ericsson
October 20, 2016 February 16, 2017
Algorithm Implementation Requirements and Usage Guidance for IKEv2 Algorithm Implementation Requirements and Usage Guidance for IKEv2
draft-ietf-ipsecme-rfc4307bis-15 draft-ietf-ipsecme-rfc4307bis-16
Abstract Abstract
The IPsec series of protocols makes use of various cryptographic The IPsec series of protocols makes use of various cryptographic
algorithms in order to provide security services. The Internet Key algorithms in order to provide security services. The Internet Key
Exchange (IKE) protocol is used to negotiate the IPsec Security Exchange (IKE) protocol is used to negotiate the IPsec Security
Association (IPsec SA) parameters, such as which algorithms should be Association (IPsec SA) parameters, such as which algorithms should be
used. To ensure interoperability between different implementations, used. To ensure interoperability between different implementations,
it is necessary to specify a set of algorithm implementation it is necessary to specify a set of algorithm implementation
requirements and usage guidance to ensure that there is at least one requirements and usage guidance to ensure that there is at least one
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 23, 2017. This Internet-Draft will expire on August 20, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 6, line 38 skipping to change at page 6, line 38
RFC4307. It has been recommended by the CRFG as an alternative to RFC4307. It has been recommended by the CRFG as an alternative to
AES-CBC and AES-GCM. It is also being standardized for IPsec for the AES-CBC and AES-GCM. It is also being standardized for IPsec for the
same reasons. At the time of writing, there were not enough IKEv2 same reasons. At the time of writing, there were not enough IKEv2
implementations supporting ENCR_CHACHA20_POLY1305 to be able to implementations supporting ENCR_CHACHA20_POLY1305 to be able to
introduce it at the SHOULD+ level. introduce it at the SHOULD+ level.
ENCR_AES_GCM_16 was not considered in RFC4307. At the time RFC4307 ENCR_AES_GCM_16 was not considered in RFC4307. At the time RFC4307
was written, AES-GCM was not defined in an IETF document. AES-GCM was written, AES-GCM was not defined in an IETF document. AES-GCM
was defined for ESP in [RFC4106] and later for IKEv2 in [RFC5282]. was defined for ESP in [RFC4106] and later for IKEv2 in [RFC5282].
The main motivation for adopting AES-GCM for ESP is encryption The main motivation for adopting AES-GCM for ESP is encryption
performance and key longevity compared to AES-CBC. This resulted in performance compared to AES-CBC. This resulted in AES-GCM being
AES-GCM being widely implemented for ESP. As the computation load of widely implemented for ESP. As the computation load of IKEv2 is
IKEv2 is relatively small compared to ESP, many IKEv2 implementations relatively small compared to ESP, many IKEv2 implementations have not
have not implemented AES-GCM. For this reason, AES-GCM is not implemented AES-GCM. For this reason, AES-GCM is not promoted to a
promoted to a greater status than SHOULD. The reason for promotion greater status than SHOULD. The reason for promotion from MAY to
from MAY to SHOULD is to promote the slightly more secure AEAD method SHOULD is to promote the slightly more secure AEAD method over the
over the traditional encrypt+auth method. Its status is expected to traditional encrypt+auth method. Its status is expected to be raised
be raised once widely implemented. As the advantage of the shorter once widely implemented. As the advantage of the shorter (and
(and weaker) ICVs is minimal, the 8 and 12 octet ICV's remain at the weaker) ICVs is minimal, the 8 and 12 octet ICV's remain at the MAY
MAY level. level.
ENCR_AES_CCM_8 was not considered in RFC4307. This document ENCR_AES_CCM_8 was not considered in RFC4307. This document
considers it as SHOULD be implemented in order to be able to interact considers it as SHOULD be implemented in order to be able to interact
with Internet of Things devices. As this case is not a general use with Internet of Things devices. As this case is not a general use
case for non-IoT VPNs, its status is expected to remain as SHOULD. case for non-IoT VPNs, its status is expected to remain as SHOULD.
The 8 octet size of the ICV is expected to be sufficient for most use The 8 octet size of the ICV is expected to be sufficient for most use
cases of IKEv2, as far less packets are exchanged on those cases, and cases of IKEv2, as far less packets are exchanged on those cases, and
IoT devices want to make packets as small as possible. The SHOULD IoT devices want to make packets as small as possible. The SHOULD
level is for 128-bit keys, 256-bit keys remains at MAY level. level is for 128-bit keys, 256-bit keys remains at MAY level.
skipping to change at page 9, line 22 skipping to change at page 9, line 22
to collision attacks, for example as mentioned in [TRANSCRIPTION]. to collision attacks, for example as mentioned in [TRANSCRIPTION].
3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms 3.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms
There are several Modular Exponential (MODP) groups and several There are several Modular Exponential (MODP) groups and several
Elliptic Curve groups (ECC) that are defined for use in IKEv2. These Elliptic Curve groups (ECC) that are defined for use in IKEv2. These
groups are defined in both the [RFC7296] base document and in groups are defined in both the [RFC7296] base document and in
extensions documents and are identified by group number. Note that extensions documents and are identified by group number. Note that
it is critical to enforce a secure Diffie-Hellman exchange as this it is critical to enforce a secure Diffie-Hellman exchange as this
exchange provides keys for the session. If an attacker can retrieve exchange provides keys for the session. If an attacker can retrieve
the private numbers (a, or b) and the public values (g**a, and g**b), one of the private numbers (a or b) and the complementary public
then the attacker can compute the secret and the keys used and value (g**a or g**b), then the attacker can compute the secret and
decrypt the exchange and IPsec SA created inside the IKEv2 SA. Such the keys used and decrypt the exchange and IPsec SA created inside
an attack can be performed off-line on a previously recorded the IKEv2 SA. Such an attack can be performed off-line on a
communication, years after the communication happened. This differs previously recorded communication, years after the communication
from attacks that need to be executed during the authentication which happened. This differs from attacks that need to be executed during
must be performed online and in near real-time. the authentication which must be performed online and in near real-
time.
+--------+---------------------------------------------+------------+ +--------+---------------------------------------------+------------+
| Number | Description | Status | | Number | Description | Status |
+--------+---------------------------------------------+------------+ +--------+---------------------------------------------+------------+
| 14 | 2048-bit MODP Group | MUST | | 14 | 2048-bit MODP Group | MUST |
| 19 | 256-bit random ECP group | SHOULD | | 19 | 256-bit random ECP group | SHOULD |
| 5 | 1536-bit MODP Group | SHOULD NOT | | 5 | 1536-bit MODP Group | SHOULD NOT |
| 2 | 1024-bit MODP Group | SHOULD NOT | | 2 | 1024-bit MODP Group | SHOULD NOT |
| 1 | 768-bit MODP Group | MUST NOT | | 1 | 768-bit MODP Group | MUST NOT |
| 22 | 1024-bit MODP Group with 160-bit Prime | MUST NOT | | 22 | 1024-bit MODP Group with 160-bit Prime | MUST NOT |
 End of changes. 7 change blocks. 
22 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/