Additional Diffie-Hellman Tests for IKEv2
draft-ietf-ipsecme-dh-checks-00

The information below is for an old version of the document
Document Type: Active Internet-Draft (ipsecme WG)
Last updated: 2013-01-29
Replaces: draft-sheffer-ipsecme-dh-checks
Stream: IETF
Intended RFC status: (None)
Stream WG state: WG Document
Document shepherd: None
IESG state: I-D Exists
Telechat date:
Responsible AD: (None)
Send notices to: (None)
ipsecme                                                       Y. Sheffer
Internet-Draft                                                  Porticor
Updates: 5996 (if approved)                                   S. Fluhrer
Intended status: Standards Track                                   Cisco
Expires: August 2, 2013                                 January 29, 2013

               Additional Diffie-Hellman Tests for IKEv2
                    draft-ietf-ipsecme-dh-checks-00

Abstract

   This document adds a small number of mandatory tests required for the
   secure operation of IKEv2 with elliptic curve groups.  No change is
   required to IKE implementations that use modular exponential groups,
   other than a few rarely used so-called DSA groups.  This document
   updates the IKEv2 protocol, RFC 5996.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 2, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Sheffer & Fluhrer        Expires August 2, 2013                 [Page 1]
Internet-Draft                  DH Tests                    January 2013

Table of Contents

   1.          Introduction  . . . . . . . . . . . . . . . . . . . . . 3
   1.1.        Conventions used in this document . . . . . . . . . . . 3
   2.          Group Membership Tests  . . . . . . . . . . . . . . . . 3
   2.1.        Regular MODP Groups . . . . . . . . . . . . . . . . . . 3
   2.2.        MODP Groups with Small Subgroups  . . . . . . . . . . . 3
   2.3.        Elliptic Curve Groups . . . . . . . . . . . . . . . . . 4
   2.4.        Transition  . . . . . . . . . . . . . . . . . . . . . . 4
   3.          Security Considerations . . . . . . . . . . . . . . . . 5
   3.1.        DH Key Reuse and Multiple Peers . . . . . . . . . . . . 5
   3.2.        Groups not covered by this RFC  . . . . . . . . . . . . 5
   4.          IANA Considerations . . . . . . . . . . . . . . . . . . 5
   5.          Acknowledgements  . . . . . . . . . . . . . . . . . . . 6
   6.          References  . . . . . . . . . . . . . . . . . . . . . . 6
   6.1.        Normative References  . . . . . . . . . . . . . . . . . 6
   6.2.        Informative References  . . . . . . . . . . . . . . . . 6
   Appendix A. Appendix: Change Log  . . . . . . . . . . . . . . . . . 7
   A.1.        -00 . . . . . . . . . . . . . . . . . . . . . . . . . . 7
               Authors' Addresses  . . . . . . . . . . . . . . . . . . 7

1.  Introduction

   IKEv2 [RFC5996] consists of the establishment of a shared secret
   using the Diffie-Hellman (DH) protocol, followed by authentication of
   the two peers.  Existing implementations typically use modular
   exponential (MODP) DH groups, such as those defined in [RFC3526].

   IKEv2 does not require that any tests be performed by a peer
   receiving a public Diffie-Hellman key from the other peer.  This is
   fine for the common case of MODP groups.  For other DH groups, when
   peers reuse DH values across multiple IKE sessions, the lack of tests
   by the recipient results in a potential vulnerability (see
   Section 3.1 for more details).  In particular, this is true for
   elliptic curve groups whose use is becoming ever more popular.  This
   document defines such tests for several types of DH groups.
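
   The following is an added illustration, not text or code from this
   draft: a recipient-side membership check for an elliptic curve DH
   public value, using the standard range and curve-equation test.
   Assumptions: the curve is NIST P-256 (IKEv2 group 19), the Key
   Exchange data is x || y as in RFC 5903, and all function names are
   hypothetical; the normative tests are those in Section 2.

```python
# Added example: receiver-side check of an ECP public value (constructed inputs).
# Assumed curve: NIST P-256, y^2 = x^3 + a*x + b over GF(p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
FIELD_LEN = 32  # bytes per coordinate

# Curve base point, used below as a known-good sample public value.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPublicValue(ValueError):
    """Raised when a received public value fails a membership test."""


def check_ecp_public_value(ke_data):
    """Return (x, y) if ke_data = x || y is a point on the curve, else raise."""
    if len(ke_data) != 2 * FIELD_LEN:
        raise InvalidPublicValue("wrong length")
    x = int.from_bytes(ke_data[:FIELD_LEN], "big")
    y = int.from_bytes(ke_data[FIELD_LEN:], "big")
    # Coordinates must be canonical field elements in [0, p-1].
    if x >= P or y >= P:
        raise InvalidPublicValue("coordinate out of range")
    # Curve equation; this also rejects (0, 0), which is not on this curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPublicValue("point not on curve")
    return x, y


def encode(x, y):
    """Build constructed Key Exchange data x || y for the samples below."""
    return x.to_bytes(FIELD_LEN, "big") + y.to_bytes(FIELD_LEN, "big")


def verdict(ke_data):
    """Map the check to the decision a receiver would log."""
    try:
        check_ecp_public_value(ke_data)
        return "accept"
    except InvalidPublicValue as exc:
        return "reject: " + str(exc)


if __name__ == "__main__":
    # Constructed samples: a valid point, then a value that is off the curve.
    print(verdict(encode(GX, GY)))
    print(verdict(encode(GX, GY + 1)))
```

   A receiver would run this check on the peer's public value before
   computing the shared secret and would abort the exchange on any
   rejection.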

1.1.  Conventions used in this document