ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
RFC 7634

Document Type RFC - Proposed Standard (August 2015; No errata)
Last updated 2015-10-14
Replaces draft-nir-ipsecme-chacha20-poly1305
Stream IETF
Formats plain text pdf html bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Paul Hoffman
Shepherd write-up Show (last changed 2015-06-14)
IESG IESG state RFC 7634 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Kathleen Moriarty
Send notices to (None)
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                            Y. Nir
Request for Comments: 7634                                   Check Point
Category: Standards Track                                    August 2015
ISSN: 2070-1721

                   ChaCha20, Poly1305, and Their Use
         in the Internet Key Exchange Protocol (IKE) and IPsec

Abstract

   This document describes the use of the ChaCha20 stream cipher along
   with the Poly1305 authenticator, combined into an AEAD algorithm for
   the Internet Key Exchange Protocol version 2 (IKEv2) and for IPsec.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7634.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Nir                          Standards Track                    [Page 1]
RFC 7634              ChaCha20 & Poly1305 for IPsec          August 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions Used in This Document . . . . . . . . . . . .   3
   2.  ChaCha20 and Poly1305 for ESP . . . . . . . . . . . . . . . .   3
     2.1.  AAD Construction  . . . . . . . . . . . . . . . . . . . .   5
   3.  Use in IKEv2  . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  Negotiation in IKEv2  . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Appendix A.  ESP Example  . . . . . . . . . . . . . . . . . . . .   9
   Appendix B.  IKEv2 Example  . . . . . . . . . . . . . . . . . . .  11
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  13
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   The Advanced Encryption Standard (AES) [FIPS-197] has become the go-
   to algorithm for encryption.  It is now the most commonly used
   algorithm in many areas, including IPsec Virtual Private Networks
   (VPNs).  On most modern platforms, AES is anywhere from four to ten
   times as fast as the previously popular cipher, Triple Data
   Encryption Standard (3DES) [SP800-67].  3DES also uses a 64-bit
   block; this means that the amount of data that can be encrypted
   before rekeying is required is limited.  These reasons make AES not
   only the best choice, but the only viable choice for IPsec.

   The problem is that if future advances in cryptanalysis reveal a
   weakness in AES, VPN users will be in an unenviable position.  With
   the only other widely supported cipher for IPsec implementations
   being the much slower 3DES, it is not feasible to reconfigure IPsec
   installations away from AES.  [Standby-Cipher] describes this issue
   and the need for a standby cipher in greater detail.

   This document proposes the fast and secure ChaCha20 stream cipher as
   such a standby cipher in an Authenticated Encryption with Associated
   Data (AEAD) construction with the Poly1305 authenticator for use with
   the Encapsulated Security Protocol (ESP) [RFC4303] and the Internet
   Key Exchange Protocol version 2 (IKEv2) [RFC7296].  The algorithms
   are described in a separate document ([RFC7539]).  This document only
   describes the IPsec-specific things.

Nir                          Standards Track                    [Page 2]
RFC 7634              ChaCha20 & Poly1305 for IPsec          August 2015
Show full document text