draft-ietf-ipsecme-esp-ah-reqts-07.txt   draft-ietf-ipsecme-esp-ah-reqts-08.txt 
Network Working Group D. McGrew Network Working Group D. McGrew
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Obsoletes: 4835 (if approved) P. Hoffman Obsoletes: 4835 (if approved) P. Hoffman
Intended status: Standards Track VPN Consortium Intended status: Standards Track VPN Consortium
Expires: October 20, 2014 April 18, 2014 Expires: November 16, 2014 May 15, 2014
Cryptographic Algorithm Implementation Requirements and Usage Guidance Cryptographic Algorithm Implementation Requirements and Usage Guidance
for Encapsulating Security Payload (ESP) and Authentication Header (AH) for Encapsulating Security Payload (ESP) and Authentication Header (AH)
draft-ietf-ipsecme-esp-ah-reqts-07 draft-ietf-ipsecme-esp-ah-reqts-08
Abstract Abstract
This Internet Draft is a standards track proposal to update the This Internet Draft is a standards track proposal to update the
Cryptographic Algorithm Implementation Requirements for ESP and AH; Cryptographic Algorithm Implementation Requirements for ESP and AH;
it also adds usage guidance to help in the selection of these it also adds usage guidance to help in the selection of these
algorithms. algorithms.
The Encapsulating Security Payload (ESP) and Authentication Header The Encapsulating Security Payload (ESP) and Authentication Header
(AH) protocols make use of various cryptographic algorithms to (AH) protocols make use of various cryptographic algorithms to
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 20, 2014. This Internet-Draft will expire on November 16, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Implementation Requirements . . . . . . . . . . . . . . . . . 4 2. Implementation Requirements . . . . . . . . . . . . . . . . . 4
2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 4 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 4
2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 4 2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 4
2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 4 2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 4
2.4. AH Authentication Algorithms . . . . . . . . . . . . . . 5 2.4. AH Authentication Algorithms . . . . . . . . . . . . . . 5
2.5. Summary of Changes . . . . . . . . . . . . . . . . . . . 5 2.5. Summary of Changes from RFC 4835 . . . . . . . . . . . . 5
3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . 5 3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . 5
4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Authenticated Encryption . . . . . . . . . . . . . . . . 6 4.1. Authenticated Encryption . . . . . . . . . . . . . . . . 6
4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 6 4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 6
4.3. Authentication Transforms . . . . . . . . . . . . . . . . 7 4.3. Authentication Transforms . . . . . . . . . . . . . . . . 7
5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 8 5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
skipping to change at page 4, line 5 skipping to change at page 4, line 5
Following [RFC4835], we define some additional key words: Following [RFC4835], we define some additional key words:
MUST- This term means the same as MUST. However, we expect that at MUST- This term means the same as MUST. However, we expect that at
some point in the future this algorithm will no longer be a MUST. some point in the future this algorithm will no longer be a MUST.
SHOULD+ This term means the same as SHOULD. However, it is likely SHOULD+ This term means the same as SHOULD. However, it is likely
that an algorithm marked as SHOULD+ will be promoted at some that an algorithm marked as SHOULD+ will be promoted at some
future time to be a MUST. future time to be a MUST.
SHOULD- This term means the same as SHOULD. However, it is likely
that an algorithm marked as SHOULD- will be deprecated to a MAY or
worse in a future version of this document.
2. Implementation Requirements 2. Implementation Requirements
This section specifies the cryptographic algorithms that MUST be This section specifies the cryptographic algorithms that MUST be
implemented, and provides guidance about ones that SHOULD or SHOULD implemented, and provides guidance about ones that SHOULD or SHOULD
NOT be implemented. NOT be implemented.
In the following sections, all AES modes are for 128-bit AES. 192-bit In the following sections, all AES modes are for 128-bit AES. 192-bit
and 256-bit AES MAY be supported for those modes, but the and 256-bit AES MAY be supported for those modes, but the
requirements here are for 128-bit AES. requirements here are for 128-bit AES.
skipping to change at page 5, line 14 skipping to change at page 5, line 10
from Section 2.1, the requirement for NULL encryption is the same as from Section 2.1, the requirement for NULL encryption is the same as
the requirement for the authenticated encryption itself. When using the requirement for the authenticated encryption itself. When using
the encryption from Section 2.2, the requirement for NULL encryption the encryption from Section 2.2, the requirement for NULL encryption
is truly "MAY"; see Section 3 for more detail. is truly "MAY"; see Section 3 for more detail.
2.4. AH Authentication Algorithms 2.4. AH Authentication Algorithms
The requirements for AH are the same as for ESP Authentication The requirements for AH are the same as for ESP Authentication
Algorithms, except that NULL authentication is inapplicable. Algorithms, except that NULL authentication is inapplicable.
2.5. Summary of Changes 2.5. Summary of Changes from RFC 4835
Old New Old New
Requirement Requirement Algorithm (notes) Requirement Requirement Algorithm (notes)
---- ----------- ----------------- ---- ----------- -----------------
MAY SHOULD+ AES-GCM with a 16 octet ICV [RFC4106] MAY SHOULD+ AES-GCM with a 16 octet ICV [RFC4106]
MAY SHOULD+ AES-GMAC with AES-128 [RFC4543] MAY SHOULD+ AES-GMAC with AES-128 [RFC4543]
MUST- MAY TripleDES-CBC [RFC2451] MUST- MAY TripleDES-CBC [RFC2451]
SHOULD NOT MUST NOT DES-CBC [RFC2405] SHOULD NOT MUST NOT DES-CBC [RFC2405]
SHOULD+ SHOULD AES-XCBC-MAC-96 [RFC3566] SHOULD+ SHOULD AES-XCBC-MAC-96 [RFC3566]
SHOULD MAY AES-CTR [RFC3686] SHOULD MAY AES-CTR [RFC3686]
skipping to change at page 5, line 37 skipping to change at page 5, line 33
Since ESP and AH can be used in several different ways, this document Since ESP and AH can be used in several different ways, this document
provides guidance on the best way to utilize these mechanisms. provides guidance on the best way to utilize these mechanisms.
ESP can provide confidentiality, data origin authentication, or the ESP can provide confidentiality, data origin authentication, or the
combination of both of those security services. AH provides only combination of both of those security services. AH provides only
data origin authentication. Background information on those security data origin authentication. Background information on those security
services is available [RFC4949]. In the following, we shorten "data services is available [RFC4949]. In the following, we shorten "data
origin authentication" to "authentication". origin authentication" to "authentication".
Both confidentiality and authentication SHOULD be provided. If Providing both confidentiality and authentication offers the best
confidentiality is not needed, then authentication MAY be provided. security. If confidentiality is not needed, providing authentication
Confidentiality without authentication is not effective [DP07] and can still be useful. Confidentiality without authentication is not
SHOULD NOT be used. We describe each of these cases in more detail effective [DP07] and therefore SHOULD NOT be used. We describe each
below. of these cases in more detail below.
To provide both confidentiality and authentication, an authenticated To provide both confidentiality and authentication, an authenticated
encryption transform from Section 2.1 SHOULD be used in ESP, in encryption transform from Section 2.1 SHOULD be used in ESP, in
conjunction with NULL authentication. Alternatively, an ESP conjunction with NULL authentication. Alternatively, an ESP
encryption transform and ESP authentication transform MAY be used encryption transform and ESP authentication transform MAY be used
together. It is NOT RECOMMENDED to use ESP with NULL authentication together. It is NOT RECOMMENDED to use ESP with NULL authentication
in conjunction with AH; some configurations of this combination of in conjunction with AH; some configurations of this combination of
services have been shown to be insecure [PD10]. services have been shown to be insecure [PD10].
To provide authentication without confidentiality, an authentication To provide authentication without confidentiality, an authentication
skipping to change at page 6, line 33 skipping to change at page 6, line 26
4. Rationale 4. Rationale
This section explains the principles behind the implementation This section explains the principles behind the implementation
requirements described above. requirements described above.
The algorithms listed as MAY-implement are not meant to be endorsed The algorithms listed as MAY-implement are not meant to be endorsed
over other non-standard alternatives. All of the algorithms that over other non-standard alternatives. All of the algorithms that
appeared in [RFC4835] are included in this document, for the sake of appeared in [RFC4835] are included in this document, for the sake of
continuity. In some cases, these algorithms have moved from being continuity. In some cases, these algorithms have moved from being
SHOULD-implement to MAY-implement algorithms. "SHOULD implement" to "MAY implement" algorithms.
4.1. Authenticated Encryption 4.1. Authenticated Encryption
This document encourages the use of authenticated encryption This document encourages the use of authenticated encryption
algorithms because they can provide significant efficiency and algorithms because they can provide significant efficiency and
throughput advantages, and the tight binding between authentication throughput advantages, and the tight binding between authentication
and encryption can be a security advantage [RFC5116]. and encryption can be a security advantage [RFC5116].
AES-GCM [RFC4106] brings significant performance benefits [KKGEGD], AES-GCM [RFC4106] brings significant performance benefits [KKGEGD],
has been incorporated into IPsec recommendations [RFC6379] and has has been incorporated into IPsec recommendations [RFC6379] and has
skipping to change at page 8, line 19 skipping to change at page 8, line 12
algorithm diversity. But the passage of time has eroded the algorithm diversity. But the passage of time has eroded the
viability of Triple-DES as an alternative to AES. As it is a 64-bit viability of Triple-DES as an alternative to AES. As it is a 64-bit
block cipher, its security is inadequate at high data rates (see block cipher, its security is inadequate at high data rates (see
Section 4.2). Its performance in software and FPGAs is considerably Section 4.2). Its performance in software and FPGAs is considerably
worse than that of AES. Since it would not be possible to use worse than that of AES. Since it would not be possible to use
Triple-DES as an alternative to AES in high data rate environments, Triple-DES as an alternative to AES in high data rate environments,
or in environments where its performance could not keep up the or in environments where its performance could not keep up the
requirements, the rationale of retaining Triple-DES to provide requirements, the rationale of retaining Triple-DES to provide
algorithm diversity is disappearing. (Of course, this does not algorithm diversity is disappearing. (Of course, this does not
change the rationale of retaining Triple-DES in IPsec implementations change the rationale of retaining Triple-DES in IPsec implementations
for backwards compability.) for backwards compatibility.)
Recent discussions in the IETF have started considering how to make Recent discussions in the IETF have started considering how to make
the selection of a different cipher that could provide algorithm the selection of a different cipher that could provide algorithm
diversity in IPsec and other IETF standards. That work is expected diversity in IPsec and other IETF standards. That work is expected
to take a long time and involve discussions among many participants to take a long time and involve discussions among many participants
and organizations. and organizations.
It is important to bear in mind that it is very highly unlikely that It is important to bear in mind that it is very highly unlikely that
an exploitable flaw will be found in AES (e.g., a flaw that required an exploitable flaw will be found in AES (e.g., a flaw that required
less than a terabyte of known plaintext, when AES is used in a less than a terabyte of known plaintext, when AES is used in a
conventional mode of operation). The only reason that algorithm conventional mode of operation). The only reason that algorithm
diversity deserves any consideration is because the problems that diversity deserves any consideration is because the problems that
would be caused if such a flaw were found would be so large. would be caused if such a flaw were found would be so large.
6. Acknowledgements 6. Acknowledgements
Much of the wording herein was adapted from [RFC4835], the parent Some of the wording herein was adapted from [RFC4835], the document
document of this document. That RFC itself borrows from earlier that this one obsoletes. That RFC itself borrows from earlier RFCs,
RFCs, notably RFC 4305 and 4307. RFC 4835, RFC 4305, and RFC 4307 notably RFC 4305 and 4307. RFC 4835, RFC 4305, and RFC 4307 were
were authored by Vishwas Manral, Donald Eastlake, and Jeffrey authored by Vishwas Manral, Donald Eastlake, and Jeffrey Schiller
Schiller respectively. respectively.
Thanks are due to Wajdi Feghali, Brian Weis, Cheryl Madson, Dan Thanks are due to Wajdi Feghali, Brian Weis, Cheryl Madson, Dan
Harkins, Paul Wouters, Ran Atkinson, Scott Fluhrer, Tero Kivinen, and Harkins, Paul Wouters, Ran Atkinson, Scott Fluhrer, Tero Kivinen, and
Valery Smyslov for insightful feedback on this draft. Valery Smyslov for insightful feedback on this draft.
[[[ This paragraph exists so that the nits checker doesn't barf. It [[[ This paragraph exists so that the nits checker doesn't barf. It
is to be removed before this is published as an RFC. [RFC2404] is to be removed before this is published as an RFC. [RFC2404]
[RFC2405] [RFC2410] [RFC2451] [RFC3566] [RFC3602] [RFC3686] [RFC4309] [RFC2405] [RFC2410] [RFC2451] [RFC3566] [RFC3602] [RFC3686] [RFC4309]
[RFC4543] ]]] [RFC4543] ]]]
 End of changes. 11 change blocks. 
22 lines changed or deleted 18 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/