draft-ietf-ipsecme-aes-ctr-ikev2-04.txt   draft-ietf-ipsecme-aes-ctr-ikev2-05.txt 
IPSECME S. Shen IPSECME S. Shen
Internet-Draft Huawei Internet-Draft Huawei
Updates: RFC4307 Y. Mao Updates: RFC4307 Y. Mao
(if approved) H3C (if approved) H3C
Intended status: Standards Track NSS. Murthy Intended status: Standards Track NSS. Murthy
Expires: June 7, 2010 Freescale Semiconductor Expires: September 3, 2010 Freescale Semiconductor
December 4, 2009 March 2, 2010
Using Advanced Encryption Standard (AES) Counter Mode with IKEv2 Using Advanced Encryption Standard (AES) Counter Mode with IKEv2
draft-ietf-ipsecme-aes-ctr-ikev2-04 draft-ietf-ipsecme-aes-ctr-ikev2-05
Abstract Abstract
This document describes the usage of Advanced Encryption Standard This document describes the usage of Advanced Encryption Standard
Counter Mode (AES-CTR), with an explicit initialization vector, by Counter Mode (AES-CTR), with an explicit initialization vector, by
IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT IKEv2 for encrypting the IKEv2 exchanges that follow the IKE_SA_INIT
exchange. exchange.
Status of this Memo Status of this Memo
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 7, 2010. This Internet-Draft will expire on September 3, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the BSD License. described in the BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used In This Document . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3
2. AES Counter Mode . . . . . . . . . . . . . . . . . . . . . . . 4 2. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 4
3. IKEv2 Encrypted Payload . . . . . . . . . . . . . . . . . . . 7 3. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Initialization Vector (IV) . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
3.2. Integrity Checksum Data . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
3.3. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
4. Counter Block Format . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . . 9
5.1. Keying Material and Nonces . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . . 9
5.2. Encryption identifier . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
IKEv2 [RFC4306] is a component of IPsec used for performing mutual IKEv2 [RFC4306] is a component of IPsec used for performing mutual
authentication and establishing and maintaining security associations authentication and establishing and maintaining security associations
(SAs). [RFC4307] defines the set of algorithms that are mandatory to (SAs). [RFC4307] defines the set of algorithms that are mandatory to
implement as part of IKEv2, as well as algorithms that should be implement as part of IKEv2, as well as algorithms that should be
implemented because they may be promoted to mandatory at some future implemented because they may be promoted to mandatory at some future
time. [RFC4307] requires that an implementation "SHOULD" support time. [RFC4307] requires that an implementation "SHOULD" support
Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES-CTR) Advanced Encryption Standard [AES] in Counter Mode [MODES] (AES-CTR)
as a Transform Type 1 Algorithm (encryption). as a Transform Type 1 Algorithm (encryption).
Although the [RFC4307] specifies that the AES-CTR encryption Although the [RFC4307] specifies that the AES-CTR encryption
algorithm feature SHOULD be supported by IKEv2, no existing document algorithm feature SHOULD be supported by IKEv2, no existing document
specifies how IKEv2 can support the feature. This document provides specifies how IKEv2 can support the feature. This document provides
the specification and usage of AES-CTR counter mode by IKEv2. the specification and usage of AES-CTR counter mode by IKEv2.
All the IKEv2 messages that follow the initial exchange (IKE_SA_INIT)
are cryptographically protected using the cryptographic algorithms
and keys negotiated in the first two messages of the IKEv2 exchange.
These subsequent messages use the syntax of the IKEv2 Encrypted
Payload as explained in [RFC4306].
This document explains how IKEv2 makes use of the AES-CTR algorithm
for encrypting IKE messages that follow the initial exchange: The
second pair of messages (IKE_AUTH) in the initial exchange, messages
in CREATE_CHILD_SA exchanges, messages in INFORMATIONAL exchanges.
1.1. Conventions Used In This Document 1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. AES Counter Mode 2. IKEv2 Encrypted Payload
This section briefly describes AES and AES Counter Mode and cites the
algorithm description part in Section 2.1 of [RFC3686].
AES [AES] is a symmetric block cipher that processes data blocks of
128 bits, using cipher keys with lengths of 128, 192, or 256 bits.
The use of AES algorithm operations in IKEv2 is as defined in [AES].
AES in Counter Mode (AES-CTR) is used in IEKv2 in the same way as it
is used to encrypt ESP payloads [RFC3686].
NIST has defined five modes of operation for AES and other FIPS-
approved block ciphers [MODES]. Each of these modes has different
characteristics. The five modes are: ECB (Electronic Code Book), CBC
(Cipher Block Chaining), CFB (Cipher FeedBack), OFB (Output
FeedBack), and CTR (Counter).
Only AES Counter mode (AES-CTR) is discussed in this specification.
AES-CTR requires the encryptor to generate a unique per-packet value
and communicate this value to the decryptor. This specification
calls this per-packet value an initialization vector (IV). The same
IV and key combination MUST NOT be used more than once. The
encryptor can generate the IV in any manner that ensures uniqueness.
Common approaches to IV generation include incrementing a counter for
each packet and linear feedback shift registers (LFSRs).
This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IKE security association that is making use of
AES-CTR.
AES-CTR has many properties that make it an attractive encryption
algorithm for use in high-speed networking. AES-CTR uses the AES
block cipher to create a stream cipher. Data is encrypted and
decrypted by XORing with the key stream produced by encrypting
sequential counter block values with AES. AES-CTR is easy to
implement, and AES-CTR can be pipelined and parallelized. AES-CTR
also supports key stream precomputation.
Pipelining is possible because AES internally has multiple rounds. A
hardware implementation (and some software implementations) can
create a pipeline by unwinding the loop implied by this round
structure. For example, after a 16-octet block has been input, one
round later another 16-octet block can be input, and so on. In AES-
CTR, these inputs are the sequential counter block values used to
generate the key stream.
Multiple independent AES encrypt implementations can also be used to
improve performance. For example, one could use two AES encrypt
implementations in parallel to process a sequence of counter block
values, doubling the effective throughput.
The sender can precompute the key stream. Since the key stream does
not depend on any data in the packet, the key stream can be
precomputed once the nonce and IV are assigned. This precomputation
can reduce packet latency. The receiver cannot perform similar
precomputation because the IV will not be known before the packet
arrives.
AES-CTR uses only the AES encrypt operation (for both encryption and
decryption), making AES-CTR implementations smaller than
implementations of many other AES modes.
When used correctly, AES-CTR provides a high level of
confidentiality. Unfortunately, AES-CTR is easy to use incorrectly.
Being a stream cipher, any reuse of the per-packet value, called the
IV, with the same nonce and key is catastrophic. An IV collision
immediately leaks information about the plaintext in both packets.
For this reason, it is inappropriate to use this mode of operation
with static keys. Extraordinary measures would be needed to prevent
reuse of an IV value with the static key across power cycles. To be
safe, implementations MUST use fresh keys with AES-CTR. The initial
exchange of the IKEv2 protocol [RFC4306] can be used to establish
fresh keys for an IKEv2 SA, and it also provides the nonce value.
With AES-CTR, it is trivial to use a valid ciphertext to forge other
(valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use AES-CTR without a companion authentication
function. Implementations MUST use AES-CTR in conjunction with an
authentication function, such as HMAC-SHA-1-96 [RFC2404].
To encrypt a payload with AES-CTR, the encryptor partitions the
plaintext, PT, into 128-bit blocks. The final block need not be 128
bits; it can be less.
PT = PT[1] PT[2] ... PT[n]
Each PT block is XORed with a block of the key stream to generate the
ciphertext, CT. The AES encryption of each counter block results in
128 bits of key stream. The most significant 96 bits of the counter
block are set to the nonce value, which is 32 bits, followed by the
per-packet IV value, which is 64 bits. The least significant 32 bits
of the counter block are initially set to one. This counter value is
incremented by one to generate subsequent counter blocks, each
resulting in another 128 bits of key stream. The encryption of n
plaintext blocks can be summarized as:
CTRBLK := NONCE || IV || ONE
FOR i := 1 to n-1 DO
CT[i] := PT[i] XOR AES(CTRBLK)
CTRBLK := CTRBLK + 1
END
CT[n] := PT[n] XOR TRUNC(AES(CTRBLK))
The AES() function performs AES encryption with the fresh key.
The TRUNC() function truncates the output of the AES encrypt
operation to the same length as the final plaintext block, returning
the most significant bits.
Decryption is similar. The decryption of n ciphertext blocks can be
summarized as:
CTRBLK := NONCE || IV || ONE
FOR i := 1 to n-1 DO
PT[i] := CT[i] XOR AES(CTRBLK)
CTRBLK := CTRBLK + 1
END
PT[n] := CT[n] XOR TRUNC(AES(CTRBLK))
3. IKEv2 Encrypted Payload
Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload. Section 3.14 of IKEv2 [RFC4306] explains the IKEv2 Encrypted Payload.
The encrypted Payload, denoted SK{...} contains other IKEv2 payloads The encrypted Payload, denoted SK{...} contains other IKEv2 payloads
in encrypted form. in encrypted form.
The payload includes an Initialization Vector (IV) whose length is The payload includes an Initialization Vector (IV) whose length is
defined by the encryption algorithm negotiated. It also includes defined by the encryption algorithm negotiated. It also includes
Integrity Checksum data. These two fields are not encrypted. Integrity Checksum data. These two fields are not encrypted.
3.1. Initialization Vector (IV) The IV field MUST be 8 octets when the AES-CTR algorithm is used for
IKEv2 encryption. Requirements for this IV are same as what is
The IV field MUST be eight octets when the AES-CTR algorithm is used specified in Section 3.1 of [RFC3686].
for encryption. The IV MUST be chosen by the encryptor in a manner
that ensures that the same IV value is NOT used more than once with a
given encryption key. The encryptor can generate the IV in any
manner that ensures uniqueness. See Section 4 for how the IV is used
to construct counter blocks for AES-CTR use within IKEv2.
3.2. Integrity Checksum Data
Since it is trivial to construct a forgery AES-CTR ciphertext from a
valid AES-CTR ciphertext, an integrity algorithm must be used when
using AES-CTR. IKEv2 does require Integrity Check Data for the
Encrypted Payload as described in section 3.14 of [RFC4306]. The
choice of integrity algorithms in IKEv2 is defined in [RFC4307] or
its future update documents.
3.3. Padding
AES-CTR does not require the plaintext to be padded to a multiple of
the block size. For the Padding field in the Encrypted Payload, as
required in [RFC4306]: the sender SHOULD set the Pad Length to the
minimum value that makes the combination of the Payloads, the
Padding, and the Pad Length a multiple of the block size, but the
recipient MUST accept any length that results in proper alignment.
In this case when AES-CTR is used in IKEv2, the Padding field of the
Encrypted Payload SHOULD be empty, and the Pad Length field SHOULD be
zero.
It should be noticed that the ESP [RFC4303] Encrypted Payload
requires alignment on a 4-byte boundary while the IKEv2 [RFC4306]
Encrypted Payload does not have such a requirement.
4. Counter Block Format IKEv2 requires Integrity Check Data for the Encrypted Payload as
described in section 3.14 of [RFC4306]. The choice of integrity
algorithms in IKEv2 is defined in [RFC4307] or its future update
documents.
All the IKEv2 messages following the initial exchange are When AES-CTR is used in IKEv2, no padding is required. The Padding
cryptographically protected using the cryptographic algorithms and field of the Encrypted Payload SHOULD be empty and the Pad Length
keys negotiated in the first two messages of the IKEv2 exchange. field SHOULD be zero. However, according to [RFC4306], the recipient
These subsequent messages use the syntax of the IKEv2 Encrypted MUST accept any length that results in proper alignment. It should
Payload. be noticed that the ESP [RFC4303] Encrypted Payload requires
alignment on a 4-byte boundary while the IKEv2 [RFC4306] Encrypted
Payload does not have such a requirement.
The Encrypted Payload is the XOR of the plaintext and key stream. The Encrypted Payload is the XOR of the plaintext and key stream.
The key stream is generated by inputing Counter Blocks into the AES The key stream is generated by inputting Counter Blocks into the AES
algorithm. The AES counter block cipher block is 128 bits. Counter algorithm. The AES counter block cipher block is 128 bits. The
Blocks are defined as in Figure 1. counter block is constructed same as what is specified in Section 4
of [RFC3686].
All messages carry the IV that is necessary to construct the sequence
of counter blocks used to generate the key stream necessary to
decrypt the payload.
Figure 1 shows the format of the counter block.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector (IV) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Counter Block Format
The components of the counter block are as follows:
Nonce
The Nonce field is 32 bits. As the name implies, the nonce is a
single use value. That is, a fresh nonce value MUST be assigned
for each security association. It MUST be assigned at the
beginning of the security association. The nonce value need not
be secret, but it MUST be unpredictable prior to the beginning of
the security association.
Initialization Vector (IV)
The IV field is 64 bits. The IV MUST be chosen by the encryptor
in a manner that ensures that the same IV value is used only once
for a given encryption key. The encryptor includes the IV in the
IKEv2 message containing encrypted payloads.
Block Counter
The block counter field is the least significant 32 bits of the
counter block. The block counter begins with the value of one,
and it is incremented to generate subsequent portions of the key
stream. The block counter is a 32-bit big-endian integer value.
Section 2 provides references to other documents for implementing the
AES-CTR encryption/decryption process.
5. IKEv2 Conventions
This section describes the conventions used by the IKEv2 protocol to
generate encryption keys and nonces for use with the AES-CTR
algorithm in IKE-SA negotiations. The identifiers and attributes
related to AES-CTR required during IKE-SA and Child-SA negotiation
are also defined.
AES supports three key sizes: 128 bits, 192 bits, and 256 bits. All
IKEv2 implementations that implement AES-CTR MUST support the 128-bit
key size. An IKEv2 implementation MAY support key sizes of 192 and
256 bits.
5.1. Keying Material and Nonces
IKEv2 can be used to establish fresh keys and nonces, as the same
combination of IV and encryption key values MUST NOT be reused when
the AES-CTR algorithm is used for encryption. This section describes
the conventions for generating an unpredictable and secret Nonce and
an encryption key of required lengths using IKEv2.
IKEv2 negotiates four cryptographic algorithms with its peer using
the IKE_SA_INIT exchange. They include an encryption algorithm and a
pseudo-random function (PRF). All the payloads of IKEv2 messages
that follow the IKE_SA_INIT exchange are encrypted using the
negotiated encryption algorithm. The PRF is used to generate the
keying material required for the encryption algorithm.
The AES-CTR encryption algorithm needs an encryption key and a nonce.
The two directions of traffic flow use different encryption keys and
nonces. Section 2.14 of [RFC4306] details the process of generating
the keying material. SK_ei and SK_er represent the key material to
be used for encryption purposes in the two directions.
The size of the key material (SK_ei and SK_er) to be generated for
the AES-CTR algorithm for different key lengths is as follows:
AES-CTR with a 128 bit key
The key material required is 20 octets. The first 16 octets are
the 128-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
AES-CTR with a 192 bit key
The key material required is 28 octets. The first 24 octets are
the 192-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
AES-CTR with a 256 bit key
The key material required is 36 octets. The first 32 octets are
the 256-bit AES key, and the remaining four octets are used as the
nonce value in the counter block.
5.2. Encryption identifier
IKEv2 uses the IANA allocated encryption identifier value of 13 for
ENCR_AES_CTR with an explicit IV as the transform ID during IKE-SA
and Child-SA negotiation.
5.3. Key Length Attribute 3. IKEv2 Conventions
Since the AES-CTR algorithm supports three key lengths, the Key The use of AES-CTR for the IKE SA is negotiated the same way as AES-
Length attribute MUST be specified in both the IKE-SA and Child-SA CTR for ESP. The Transform ID (ENCR_AES_CTR) is the same; the key
negotiations. The Key Length attribute MUST have a value of 128, length transform attribute is used in the same way; and the keying
192, or 256. material (consisting of the actual key and the nonce) is derived the
same way. Check Section 5 of [RFC3686] for the detail descriptions.
6. Security Considerations 4. Security Considerations
Security considerations explained in section 7 of [RFC3686] are Security considerations explained in section 7 of [RFC3686] are
entirely relevant for this draft also. entirely relevant for this draft also. The security considerations
on fresh keys and integrity protection in section 7 of [RFC3686] are
AES-CTR provides high confidentiality when used properly. However, totally applicable on using AES-CTR in IKEv2; see [RFC3686] for
as a stream mode cipher, the security will be lost when AES-CTR is details. Due to this reasons, static keys are never used for the IKE
misused. SA and the IKE_SA always uses integrity protection.
Generally, a stream cipher should not use static keys. This is
because key streams will be easily canceled when two ciphertexts use
the same key stream (check the detailed description of this attack in
[RFC3686]). Therefore, IKEv2 should avoid an identical key being
used for different IKE SAs or the same key stream being used on
different blocks of plaintext. Proper use of Nonce and counter as
defined in Section 4 can successfully avoid the risk.
A stream cipher like AES-CTR is also vulnerable to data forgery
attacks (check [RFC3686] for a demonstration of this attack).
However, when integrity protection is provided as Section 3.2
requires, this risk is avoided.
Additionally, since AES has a 128-bit block size, regardless of the Additionally, since AES has a 128-bit block size, regardless of the
mode employed, the ciphertext generated by AES encryption becomes mode employed, the ciphertext generated by AES encryption becomes
distinguishable from random values after 2^64 blocks are encrypted distinguishable from random values after 2^64 blocks are encrypted
with a single key. Since IKEv2 is not likely to carry traffic in with a single key. Since IKEv2 is not likely to carry traffic in
such a high quantity, this won't be a big concern here. However, such a high quantity compared with ESP, this won't be a big concern
when a large amount of traffic appears in the future or under here. However, when a large amount of traffic appears in the future
abnormal circumstances, implementations SHOULD generate a fresh key or under abnormal circumstances, implementations SHOULD generate a
before 2^64 blocks are encrypted with the same key. fresh key before 2^64 blocks are encrypted with the same key.
For generic attacks on AES, such as brute force or precalculations, For generic attacks on AES, such as brute force or precalculations,
the requirement of key size provides reasonable security the requirement of key size provides reasonable security
[Recommendations]. [Recommendations].
7. IANA Considerations 5. IANA Considerations
IANA [IANA-Para] has assigned 13 as the "IKEv2 Encryption Transform IANA [IANA-Para] has assigned Encryption Transform ID for for AES-CTR
ID" to the name "ENCR_AES_CTR" for AES-CTR encryption with an encryption with an explicit IV for IKEv2: 13 as the number and
explicit IV, in the IANA "Internet Key Exchange Version 2 (IKEv2) ENCR_AES_CTR as the name. IANA is asked to add a reference to this
Parameters" registry. This document specifies how to use this RFC in that entry.
transform during IKE_SA negotiations. Hence IANA should add to that
entry a reference to this RFC.
8. Acknowledgments 6. Acknowledgments
The authors thank Yaron Sheffer, Paul Hoffman, Tero Kivinen and The authors thank Yaron Sheffer, Paul Hoffman, Tero Kivinen and
Alfred Hoenes for their direction and comments on this document. Alfred Hoenes for their direction and comments on this document.
9. References This document specifies usage of AES-CTR with IKEv2, similarly as
usage of AES-CTR with ESP as specified in [RFC3686]. [RFC3686] is
referred for the same descriptions and definitions. The authors
thank Russ Housley for providing the document.
9.1. Normative References During the production and modification of this document, both Huawei
and CNNIC supported one of the author, Sean Shen. Both are
appreciated as affiliations of the author.
7. References
7.1. Normative References
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005. RFC 4306, December 2005.
[RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the
Internet Key Exchange Version 2 (IKEv2)", RFC 4307, Internet Key Exchange Version 2 (IKEv2)", RFC 4307,
December 2005. December 2005.
[AES] National Institute of Standards and Technology, "Advanced [AES] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001, < Encryption Standard (AES)", FIPS PUB 197, November 2001, <
skipping to change at page 15, line 31 skipping to change at page 9, line 31
[IANA-Para] [IANA-Para]
Internet Assigned Numbers Authority, "Internet Key Internet Assigned Numbers Authority, "Internet Key
Exchange Version 2 (IKEv2) Parameters", September 2009, Exchange Version 2 (IKEv2) Parameters", September 2009,
<http://www.iana.org/assignments/ikev2-parameters>. <http://www.iana.org/assignments/ikev2-parameters>.
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes of [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation Methods and Techniques", NIST Special Operation Methods and Techniques", NIST Special
Publication 800-38A, December 2001, <http://csrc.nist.gov/ Publication 800-38A, December 2001, <http://csrc.nist.gov/
publications/nistpubs/800-38a/sp800-38a.pdf>. publications/nistpubs/800-38a/sp800-38a.pdf>.
9.2. Informative References 7.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998. ESP and AH", RFC 2404, November 1998.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004. (ESP)", RFC 3686, January 2004.
skipping to change at page 16, line 24 skipping to change at page 10, line 24
Yu Mao Yu Mao
H3C Tech. Co., Ltd H3C Tech. Co., Ltd
Oriental Electronic Bld. Oriental Electronic Bld.
No.2 Chuangye Road No.2 Chuangye Road
Shang-Di Information Industry Shang-Di Information Industry
Hai-Dian District Hai-Dian District
Beijing 100085 Beijing 100085
China China
Email: maoyu@h3c.com Email: yumao9@gmail.com
N S Srinivasa Murthy N S Srinivasa Murthy
Freescale Semiconductor Freescale Semiconductor
UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA UMA PLAZA, NAGARJUNA CIRCLE, PUNJAGUTTA
HYDERABAD 500082 HYDERABAD 500082
INDIA INDIA
Email: ssmurthy.nittala@freescale.com Email: ssmurthy.nittala@freescale.com
 End of changes. 23 change blocks. 
346 lines changed or deleted 68 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/