Deprecation of IKEv1 and obsoleted algorithms
draft-pwouters-ikev1-ipsec-graveyard-00

Document Type Active Internet-Draft (individual)
Last updated 2019-03-11
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network                                                  P. Wouters, Ed.
Internet-Draft                                                   Red Hat
Updates: 7296 (if approved)                               March 11, 2019
Intended status: Standards Track
Expires: September 12, 2019

             Deprecation of IKEv1 and obsoleted algorithms
                draft-pwouters-ikev1-ipsec-graveyard-00

Abstract

   This document deprecates Internet Key Exchange version 1 (IKEv1) and
   additionally deprecates a number of algorithms that are obsolete.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Wouters                Expires September 12, 2019               [Page 1]
Internet-Draft  Deprecation of IKEv1 and some algorithms      March 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   2
   3.  Deprecating IKEv1 . . . . . . . . . . . . . . . . . . . . . .   2
   4.  Deprecating obsolete algorithms . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   IKEv1 [RFC2409] and its related documents for ISAKMP [RFC2408] and
   IPsec DOI [RFC2407] were obsoleted by IKEv2 [RFC4306] in December
   2005.  The latest version of IKEv2 at the time of writing was
   published in 2014 in [RFC7296].  The Internet Key Exchange (IKE)
   version 2 has replaced version 1 over 15 years ago.  IKEv2 has now
   seen wide deployment and provides a full replacement for all IKEv1
   functionality.  No new modifications or new algorithms have been
   accepted for IKEv1 for at least a decade.  IKEv2 addresses various
   issues present in IKEv1, such as IKEv1 being vulnerable to
   amplification attacks.  This document specifies the deprecation of
   IKEv1.  IKEv1 MUST NOT be deployed.

   Algorithm implementation requirements and usage guidelines for IKEv2
   [RFC8247] and ESP/AH [RFC8223] gives guidance to implementors but
   limits that guidance to avoid broken or weak algorithms.  It does not
   deprecate algorithms that have aged and are no longer in use, but
   leave these algorithms in a state of "MAY be used".  This document
   deprecates those algorithms that are no longer advised but for which
   there are no known attacks resulting in their earlier deprecation.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Deprecating IKEv1

   IKEv1 is deprecated and MUST NOT be deployed.  Systems running IKEv1
   should be upgraded and reconfigured to run IKEv2.  Systems that
   support IKEv1 but not IKEv2 are most likely also unsuitable
   candidates for continued operation.  Such unsupported systems have a
   much higher chance of containing an implementation vulnerability that

Wouters                Expires September 12, 2019               [Page 2]
Internet-Draft  Deprecation of IKEv1 and some algorithms      March 2019

   will never be patched.  IKEv1 systems can be abused for packet
   amplification attacks.  IKEv1 systems most likely do not support
Show full document text