IETF Logo Mail Archive

Ciphersuites for IKEv2, revised

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> Thu, 30 January 2003 19:09 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA07404 for <ipsec-archive@lists.ietf.org>; Thu, 30 Jan 2003 14:09:43 -0500 (EST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA17077 Thu, 30 Jan 2003 11:49:28 -0500 (EST)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p05210206ba5f02f0c3a5@[165.227.249.18]>
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report>.
Date: Thu, 30 Jan 2003 08:50:57 -0800
To: ipsec@lists.tislabs.com
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Ciphersuites for IKEv2, revised
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Greetings again. Based on feedback from the list and offline, here is
revised wording for the ciphersuites in IKEv2. The changes are:

- clarified where the various Diffie-Hellman groups are defined

- changed the split between what is reserved for IANA and what is
   for private use

- added a paragraph to the end of the addition to 5.3.1 to specify
   that users should be able to use future and private-use Suite-IDs

- added a note in Appendix B and a new reference

The following text be should be used in section 5.3.1:

=====

For Suite-ID, the following values are defined:

Suite-ID  Meaning
--------  -------
0         Covers: IKE
           168-bit 3DES CBC encryption
           Diffie-Hellman group 2 (1024-bit), defined in Appendix B.2
           HMAC-SHA1 integrity and prf

1         Covers: ESP
           3DES encryption with three keys
           HMAC-SHA1 integrity

2         Covers: AH
           HMAC-SHA1 integrity

3         Covers: IKE
           168-bit 3DES CBC encryption
           Diffie-Hellman group 5 (1536-bit), defined in Appendix B.5
           HMAC-SHA1 integrity and prf

4         Covers: IKE
           AES encryption in CBC mode with 128-bit keys
           Diffie-Hellman group 5 (1536-bit), defined in Appendix B.5
           HMAC-SHA1 integrity and prf

5         Covers: IKE
           AES encryption in CBC mode with 128-bit keys
           Diffie-Hellman group 14 (2048-bit), defined in [ADDGROUP]
           HMAC-SHA1 integrity and prf

6         Covers: ESP
           AES encryption in CBC mode with 128-bit keys
           HMAC-SHA1 integrity

7         Covers: IKE
           AES encryption in CTR mode with 128-bit keys
           Diffie-Hellman group 14 (2048-bit), defined in [ADDGROUP]
           AES-CBC MAC + XCBC integrity and prf

8         Covers: ESP
           AES encryption in CTR mode with 128-bit keys
           AES-CBC MAC + XCBC integrity

Values 9-32000 are reserved to IANA. Values 32001-65533 are for private
use among mutually consenting parties. Additional Suite-ID values will
be assigned by IANA based on consultation with the IESG.

All implementations of IKEv2 MUST be able to negotiate Suite-ID 0 and
Suite-ID 1. Implementations SHOULD be able to negotiate Suite-IDs 3, 4,
5, and 6.

The must-be-implemented ciphersuites (0 and 1) are based on
currently-deployed hardware that meets the security requirements of the
vast majority of current IPsec users, and should be useful for at least
a decade according to cryptographic estimates from NIST for business
user scenarios. The should-be-implemented ciphersuites (3, 4, 5, and 6)
are based on expectations of where the security industry is moving
(namely, to the AES encryption suite) and where more security-conscious
users are moving as current key lengths become more attackable due to
the steady lowering of cost to mount brute-force attacks.

An important lesson learned from IKEv1 is that no system should only
implement the mandatory algorithms and expect them to be the best choice
for all customers. For example, at the time that this document was being
written, many IKEv1 implementers are starting to migrate to AES in CBC
mode for VPN applications. Many IPsec systems based on IKEv2 will
implement AES, longer Diffie-Hellman keys, and additional hash
algorithms, and some IPsec customers already require these algorithms in
addition to the mandatory ones listed above.

It is likely that IANA will add additional Suite-IDs in the future, and
some security-conscious users will want to use private-use Suite-IDs.
All implementations SHOULD be able to let users set policies that use
Suite-IDs from the currently-unassigned IANA values and from the private
use values. Of course, there is no standard way to handle all possible
new algorithms, Diffie-Hellman groups, and combinations thereof. However,
many IPsec users will want to base security policies on Suite-IDs that
are not covered in this document and SHOULD be able to do so.

=====

Add the following to just before Appendix B.1:

Additional Diffie-Hellman groups have been defined in [ADDGROUP]. Future
IANA-registered and private use Suite-IDs MAY use Diffie-Hellman groups
that have prime values and generators that are different than those in
this document or in [ADDGROUP].

Add to the non-normative references:

[ADDGROUP] Kivinen, T. et. al., "More MODP Diffie-Hellman groups for 
IKE", draft-ietf-ipsec-ike-modp-groups-05.txt, in RFC Editor's queue 
for Proposed Standard.

--Paul Hoffman, Director
--VPN Consortium

v2.23.0 | Report a Bug | By Email