| draft-ietf-ipsecme-rfc4307bis-18v3.original | draft-ietf-ipsecme-rfc4307bis-18v3.txt | |||
|---|---|---|---|---|
| skipping to change at page 2, line 33 | skipping to change at page 2, line 33 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | |||
| 1.2. Updating Algorithm Implementation Requirements and Usage | 1.2. Updating Algorithm Implementation Requirements and Usage | |||
| Guidance . . . . . . . . . . . . . . . . . . . . . . . . 3 | Guidance . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.3. Updating Algorithm Requirement Levels . . . . . . . . . . 4 | 1.3. Updating Algorithm Requirement Levels . . . . . . . . . . 4 | |||
| 1.4. Document Audience . . . . . . . . . . . . . . . . . . . . 5 | 1.4. Document Audience . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 5 | 2. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Type 1 - IKEv2 Encryption Algorithm Transforms . . . . . 5 | 2.1. Type 1 - IKEv2 Encryption Algorithm Transforms . . . . . 5 | |||
| 2.2. Type 2 - IKEv2 Pseudo-random Function Transforms . . . . 7 | 2.2. Type 2 - IKEv2 Pseudo-random Function Transforms . . . . 7 | |||
| 2.3. Type 3 - IKEv2 Integrity Algorithm Transforms . . . . . . 8 | 2.3. Type 3 - IKEv2 Integrity Algorithm Transforms . . . . . . 8 | |||
| 2.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms . . . . . 9 | 2.4. Type 4 - IKEv2 Diffie-Hellman Group Transforms . . . . . 9 | |||
| 2.5. Summary of Changes from RFC 4307 . . . . . . . . . . . . 10 | 2.5. Summary of Changes from RFC 4307 . . . . . . . . . . . . 11 | |||
| 3. IKEv2 Authentication . . . . . . . . . . . . . . . . . . . . 11 | 3. IKEv2 Authentication . . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.1. IKEv2 Authentication Method . . . . . . . . . . . . . . . 11 | 3.1. IKEv2 Authentication Method . . . . . . . . . . . . . . . 12 | |||
| 3.1.1. Recommendations for RSA key length . . . . . . . . . 12 | 3.1.1. Recommendations for RSA key length . . . . . . . . . 12 | |||
| 3.2. Digital Signature Recommendations . . . . . . . . . . . . 12 | 3.2. Digital Signature Recommendations . . . . . . . . . . . . 13 | |||
| 4. Algorithms for Internet of Things . . . . . . . . . . . . . . 13 | 4. Algorithms for Internet of Things . . . . . . . . . . . . . . 14 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | 8.2. Informative References . . . . . . . . . . . . . . . . . 17 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 1. Introduction | 1. Introduction | |||
| The Internet Key Exchange (IKE) protocol [RFC7296] is used to | The Internet Key Exchange (IKE) protocol [RFC7296] is used to | |||
| negotiate the parameters of the IPsec SA, such as the encryption and | negotiate the parameters of the IPsec SA, such as the encryption and | |||
| authentication algorithms and the keys for the protected | authentication algorithms and the keys for the protected | |||
| communications between the two endpoints. The IKE protocol itself is | communications between the two endpoints. The IKE protocol itself is | |||
| also protected by cryptographic algorithms which are negotiated | also protected by cryptographic algorithms which are negotiated | |||
| between the two endpoints using IKE. Different implementations of | between the two endpoints using IKE. Different implementations of | |||
| IKE may negotiate different algorithms based on their individual | IKE may negotiate different algorithms based on their individual | |||
| skipping to change at page 6, line 16 | skipping to change at page 6, line 16 | |||
| | Name | Status | AEAD? | Comment | | | Name | Status | AEAD? | Comment | | |||
| +------------------------+----------+-------+---------+ | +------------------------+----------+-------+---------+ | |||
| | ENCR_AES_CBC | MUST | No | (1) | | | ENCR_AES_CBC | MUST | No | (1) | | |||
| | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | | | ENCR_CHACHA20_POLY1305 | SHOULD | Yes | | | |||
| | ENCR_AES_GCM_16 | SHOULD | Yes | (1) | | | ENCR_AES_GCM_16 | SHOULD | Yes | (1) | | |||
| | ENCR_AES_CCM_8 | SHOULD | Yes | (IoT) | | | ENCR_AES_CCM_8 | SHOULD | Yes | (IoT) | | |||
| | ENCR_3DES | MAY | No | | | | ENCR_3DES | MAY | No | | | |||
| | ENCR_DES | MUST NOT | No | | | | ENCR_DES | MUST NOT | No | | | |||
| +------------------------+----------+-------+---------+ | +------------------------+----------+-------+---------+ | |||
| (1) - This requirement level is for 128-bit and 256-bit keys. | (1) - This requirement level is for 128-bit and 256-bit keys. | |||
| 192-bit keys remain at MAY level. (IoT) - This requirement is for | ||||
| interoperability with IoT. Only 128-bit keys are at SHOULD level. | 192-bit keys remain at MAY level. (IoT) - This requirement is | |||
| 192-bit and 256-bit remain at the MAY level. | for | |||
| interoperability with IoT. Only 128-bit keys are at | ||||
| SHOULD level. 192-bit and 256-bit remain at the MAY | ||||
| level. | ||||
| ENCR_AES_CBC is raised from SHOULD+ for 128-bit keys and MAY for | ENCR_AES_CBC is raised from SHOULD+ for 128-bit keys and MAY for | |||
| 256-bit keys in [RFC4307] to MUST. 192-bit keys remain at the MAY | 256-bit keys in [RFC4307] to MUST. 192-bit keys remain at the MAY | |||
| level. ENCR_AES_CBC is the only shared mandatory-to-implement | level. ENCR_AES_CBC is the only shared mandatory-to-implement | |||
| algorithm with RFC4307 and as a result it is necessary for | algorithm with RFC4307 and as a result it is necessary for | |||
| interoperability with IKEv2 implementation compatible with RFC4307. | interoperability with IKEv2 implementation compatible with RFC4307. | |||
| ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of | ENCR_CHACHA20_POLY1305 was not ready to be considered at the time of | |||
| RFC4307. It has been recommended by the Crypto Forum Research Group | RFC4307. It has been recommended by the Crypto Forum Research Group | |||
| (CFRG) of the IRTF as an alternative to AES-CBC and AES-GCM. It is | (CFRG) of the IRTF as an alternative to AES-CBC and AES-GCM. It is | |||
| skipping to change at page 9, line 31 | skipping to change at page 10, line 5 | |||
| exchange provides keys for the session. If an attacker can retrieve | exchange provides keys for the session. If an attacker can retrieve | |||
| one of the private numbers (a or b) and the complementary public | one of the private numbers (a or b) and the complementary public | |||
| value (g**b or g**a), then the attacker can compute the secret and | value (g**b or g**a), then the attacker can compute the secret and | |||
| the keys used and decrypt the exchange and IPsec SA created inside | the keys used and decrypt the exchange and IPsec SA created inside | |||
| the IKEv2 SA. Such an attack can be performed off-line on a | the IKEv2 SA. Such an attack can be performed off-line on a | |||
| previously recorded communication, years after the communication | previously recorded communication, years after the communication | |||
| happened. This differs from attacks that need to be executed during | happened. This differs from attacks that need to be executed during | |||
| the authentication which must be performed online and in near real- | the authentication which must be performed online and in near real- | |||
| time. | time. | |||
| +--------+---------------------------------------------+------------+ | +--------+----------------------------------------+------------+ | |||
| | Number | Description | Status | | | Number | Description | Status | | |||
| +--------+---------------------------------------------+------------+ | +--------+----------------------------------------+------------+ | |||
| | 14 | 2048-bit MODP Group | MUST | | | 14 | 2048-bit MODP Group | MUST | | |||
| | 19 | 256-bit random ECP group | SHOULD | | | 19 | 256-bit random ECP group | SHOULD | | |||
| | 5 | 1536-bit MODP Group | SHOULD NOT | | | 5 | 1536-bit MODP Group | SHOULD NOT | | |||
| | 2 | 1024-bit MODP Group | SHOULD NOT | | | 2 | 1024-bit MODP Group | SHOULD NOT | | |||
| | 1 | 768-bit MODP Group | MUST NOT | | | 1 | 768-bit MODP Group | MUST NOT | | |||
| | 22 | 1024-bit MODP Group with 160-bit Prime | MUST NOT | | | 22 | 1024-bit MODP Group with 160-bit Prime | MUST NOT | | |||
| | | Order Subgroup | | | | | Order Subgroup | | | |||
| | 23 | 2048-bit MODP Group with 224-bit Prime | SHOULD NOT | | | 23 | 2048-bit MODP Group with 224-bit Prime | SHOULD NOT | | |||
| | | Order Subgroup | | | | | Order Subgroup | | | |||
| | 24 | 2048-bit MODP Group with 256-bit Prime | SHOULD NOT | | | 24 | 2048-bit MODP Group with 256-bit Prime | SHOULD NOT | | |||
| | | Order Subgroup | | | | | Order Subgroup | | | |||
| +--------+---------------------------------------------+------------+ | +--------+----------------------------------------+------------+ | |||
| Group 14 or 2048-bit MODP Group is raised from SHOULD+ in RFC4307 to | Group 14 or 2048-bit MODP Group is raised from SHOULD+ in RFC4307 to | |||
| MUST as a replacement for 1024-bit MODP Group. Group 14 is widely | MUST as a replacement for 1024-bit MODP Group. Group 14 is widely | |||
| implemented and considered secure. | implemented and considered secure. | |||
| Group 19 or 256-bit random ECP group was not specified in RFC4307, as | Group 19 or 256-bit random ECP group was not specified in RFC4307, as | |||
| this group was not defined at that time. Group 19 is widely | this group was not defined at that time. Group 19 is widely | |||
| implemented and considered secure and therefore has been promoted to | implemented and considered secure and therefore has been promoted to | |||
| the SHOULD level. | the SHOULD level. | |||
| skipping to change at page 11, line 4 | skipping to change at page 11, line 17 | |||
| Since Group 23 and 24 have small subgroups, the checks specified in | Since Group 23 and 24 have small subgroups, the checks specified in | |||
| "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section 2.2 | "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section 2.2 | |||
| first bullet point MUST be done when these groups are used. | first bullet point MUST be done when these groups are used. | |||
| 2.5. Summary of Changes from RFC 4307 | 2.5. Summary of Changes from RFC 4307 | |||
| The following table summarizes the changes from RFC 4307. | The following table summarizes the changes from RFC 4307. | |||
| RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH AND REPLACE XXXX IN THE | RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH AND REPLACE XXXX IN THE | |||
| TABLE BELOW WITH THE NUMBER OF THIS RFC | TABLE BELOW WITH THE NUMBER OF THIS RFC | |||
| +---------------------+------------------+------------+ | +---------------------+------------------+------------+ | |||
| | Algorithm | RFC 4307 | RFC XXXX | | | Algorithm | RFC 4307 | RFC XXXX | | |||
| +---------------------+------------------+------------+ | +---------------------+------------------+------------+ | |||
| | ENCR_3DES | MUST- | MAY | | | ENCR_3DES | MUST- | MAY | | |||
| | ENCR_NULL | MUST NOT[errata] | MUST NOT | | | ENCR_NULL | MUST NOT[errata] | MUST NOT | | |||
| | ENCR_AES_CBC | SHOULD+ | MUST | | | ENCR_AES_CBC | SHOULD+ | MUST | | |||
| | ENCR_AES_CTR | SHOULD | (*) | | | ENCR_AES_CTR | SHOULD | (*) | | |||
| | PRF_HMAC_MD5 | MAY | MUST NOT | | | PRF_HMAC_MD5 | MAY | MUST NOT | | |||
| | PRF_HMAC_SHA1 | MUST | MUST- | | | PRF_HMAC_SHA1 | MUST | MUST- | | |||
| | PRF_AES128_XCBC | SHOULD+ | SHOULD | | | PRF_AES128_XCBC | SHOULD+ | SHOULD | | |||
| | AUTH_HMAC_MD5_96 | MAY | MUST NOT | | | AUTH_HMAC_MD5_96 | MAY | MUST NOT | | |||
| | AUTH_HMAC_SHA1_96 | MUST | MUST- | | | AUTH_HMAC_SHA1_96 | MUST | MUST- | | |||
| | AUTH_AES_XCBC_96 | SHOULD+ | SHOULD | | | AUTH_AES_XCBC_96 | SHOULD+ | SHOULD | | |||
| | Group 2 (1024-bit) | MUST- | SHOULD NOT | | | Group 2 (1024-bit) | MUST- | SHOULD NOT | | |||
| | Group 14 (2048-bit) | SHOULD+ | MUST | | | Group 14 (2048-bit) | SHOULD+ | MUST | | |||
| +---------------------+------------------+------------+ | +---------------------+------------------+------------+ | |||
| (*) This algorithm is not mentioned in the above sections, so it | (*) This algorithm is not mentioned in the above sections, so it | |||
| defaults to MAY. | defaults to MAY. | |||
| 3. IKEv2 Authentication | 3. IKEv2 Authentication | |||
| IKEv2 authentication may involve a signatures verification. | IKEv2 authentication may involve a signatures verification. | |||
| Signatures may be used to validate a certificate or to check the | Signatures may be used to validate a certificate or to check the | |||
| signature of the AUTH value. Cryptographic recommendations regarding | signature of the AUTH value. Cryptographic recommendations regarding | |||
| certificate validation are out of scope of this document. What is | certificate validation are out of scope of this document. What is | |||
| mandatory to implement is provided by the PKIX Community. This | mandatory to implement is provided by the PKIX Community. This | |||
| document is mostly concerned with signature verification and | document is mostly concerned with signature verification and | |||
| generation for the authentication. | generation for the authentication. | |||
| skipping to change at page 13, line 34 | skipping to change at page 13, line 46 | |||
| +------------------------------------+----------+---------+ | +------------------------------------+----------+---------+ | |||
| | RSASSA-PSS with SHA-256 | MUST | | | | RSASSA-PSS with SHA-256 | MUST | | | |||
| | ecdsa-with-sha256 | SHOULD | | | | ecdsa-with-sha256 | SHOULD | | | |||
| | sha1WithRSAEncryption | MUST NOT | | | | sha1WithRSAEncryption | MUST NOT | | | |||
| | dsa-with-sha1 | MUST NOT | | | | dsa-with-sha1 | MUST NOT | | | |||
| | ecdsa-with-sha1 | MUST NOT | | | | ecdsa-with-sha1 | MUST NOT | | | |||
| | RSASSA-PSS with Empty Parameters | MUST NOT | (*) | | | RSASSA-PSS with Empty Parameters | MUST NOT | (*) | | |||
| | RSASSA-PSS with Default Parameters | MUST NOT | (*) | | | RSASSA-PSS with Default Parameters | MUST NOT | (*) | | |||
| +------------------------------------+----------+---------+ | +------------------------------------+----------+---------+ | |||
| (*) Empty or Default parameters means it is using SHA1, which is at | (*) Empty or Default parameters means it is using SHA1, which is | |||
| level MUST NOT. | at | |||
| level MUST NOT. | ||||
| 4. Algorithms for Internet of Things | 4. Algorithms for Internet of Things | |||
| Some algorithms in this document are marked for use with the Internet | Some algorithms in this document are marked for use with the Internet | |||
| of Things (IoT). There are several reasons why IoT devices prefer a | of Things (IoT). There are several reasons why IoT devices prefer a | |||
| different set of algorithms from regular IKEv2 clients. IoT devices | different set of algorithms from regular IKEv2 clients. IoT devices | |||
| are usually very constrained, meaning the memory size and CPU power | are usually very constrained, meaning the memory size and CPU power | |||
| is so limited, that these clients only have resources to implement | is so limited, that these clients only have resources to implement | |||
| and run one set of algorithms. For example, instead of implementing | and run one set of algorithms. For example, instead of implementing | |||
| AES and SHA, these devices typically use AES_XCBC as integrity | AES and SHA, these devices typically use AES_XCBC as integrity | |||
| skipping to change at page 17, line 22 | skipping to change at page 17, line 40 | |||
| DOI 10.17487/RFC5529, April 2009, | DOI 10.17487/RFC5529, April 2009, | |||
| <http://www.rfc-editor.org/info/rfc5529>. | <http://www.rfc-editor.org/info/rfc5529>. | |||
| [IKEV2-IANA] | [IKEV2-IANA] | |||
| "Internet Key Exchange Version 2 (IKEv2) Parameters", | "Internet Key Exchange Version 2 (IKEv2) Parameters", | |||
| <http://www.iana.org/assignments/ikev2-parameters>. | <http://www.iana.org/assignments/ikev2-parameters>. | |||
| [TRANSCRIPTION] | [TRANSCRIPTION] | |||
| Bhargavan, K. and G. Leurent, "Transcript Collision | Bhargavan, K. and G. Leurent, "Transcript Collision | |||
| Attacks: Breaking Authentication in TLS, IKE, and SSH", | Attacks: Breaking Authentication in TLS, IKE, and SSH", | |||
| NDSS , feb 2016. | February 2016. | |||
| [IEEE-802-15-4] | [IEEE-802-15-4] | |||
| "IEEE Standard for Low-Rate Wireless Personal Area | "IEEE Standard for Low-Rate Wireless Personal Area | |||
| Networks (WPANs)", IEEE Standard 802.15.4, 2015. | Networks (WPANs)", IEEE Standard 802.15.4, 2015. | |||
| [IEEE-802-15-9] | [IEEE-802-15-9] | |||
| "IEEE Recommended Practice for Transport of Key Management | "IEEE Recommended Practice for Transport of Key Management | |||
| Protocol (KMP) Datagrams", IEEE Standard 802.15.9, 2016. | Protocol (KMP) Datagrams", IEEE Standard 802.15.9, 2016. | |||
| Authors' Addresses | Authors' Addresses | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| EMail: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||
| Tero Kivinen | Tero Kivinen | |||
| INSIDE Secure | INSIDE Secure | |||
| Eerikinkatu 28 | Eerikinkatu 28 | |||
| HELSINKI FI-00180 | HELSINKI FI-00180 | |||
| FI | FI | |||
| EMail: kivinen@iki.fi | Email: kivinen@iki.fi | |||
| Paul Wouters | Paul Wouters | |||
| Red Hat | Red Hat | |||
| EMail: pwouters@redhat.com | Email: pwouters@redhat.com | |||
| Daniel Migault | Daniel Migault | |||
| Ericsson | Ericsson | |||
| 8400 boulevard Decarie | 8400 boulevard Decarie | |||
| Montreal, QC H4P 2N2 | Montreal, QC H4P 2N2 | |||
| Canada | Canada | |||
| Phone: +1 514-452-2160 | Phone: +1 514-452-2160 | |||
| EMail: daniel.migault@ericsson.com | Email: daniel.migault@ericsson.com | |||
| End of changes. 17 change blocks. | ||||
| 47 lines changed or deleted | 53 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||