Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
RFC 8221
| Document | Type |
RFC - Proposed Standard
(October 2017; No errata)
Obsoletes RFC 7321
|
|
|---|---|---|---|
| Last updated | 2017-10-17 | ||
| Replaces | draft-mglt-ipsecme-rfc7321bis | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | David Waltermire | ||
| Shepherd write-up | Show (last changed 2017-02-15) | ||
| IESG | IESG state | RFC 8221 (Proposed Standard) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Eric Rescorla | ||
| Send notices to | "David Waltermire" <david.waltermire@nist.gov> | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) P. Wouters
Request for Comments: 8221 Red Hat
Obsoletes: 7321 D. Migault
Category: Standards Track J. Mattsson
ISSN: 2070-1721 Ericsson
Y. Nir
Check Point
T. Kivinen
October 2017
Cryptographic Algorithm Implementation Requirements and Usage Guidance
for Encapsulating Security Payload (ESP) and Authentication Header (AH)
Abstract
This document replaces RFC 7321, "Cryptographic Algorithm
Implementation Requirements and Usage Guidance for Encapsulating
Security Payload (ESP) and Authentication Header (AH)". The goal of
this document is to enable ESP and AH to benefit from cryptography
that is up to date while making IPsec interoperable.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8221.
Wouters, et al. Standards Track [Page 1]
RFC 8221 ESP and AH Algorithm Requirements October 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Updating Algorithm Implementation Requirements and Usage
Guidance . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Updating Algorithm Requirement Levels . . . . . . . . . . 3
1.3. Document Audience . . . . . . . . . . . . . . . . . . . . 4
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. Manual Keying . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Encryption Must Be Authenticated . . . . . . . . . . . . . . 6
5. ESP Encryption Algorithms . . . . . . . . . . . . . . . . . . 7
6. ESP and AH Authentication Algorithms . . . . . . . . . . . . 9
7. ESP and AH Compression Algorithms . . . . . . . . . . . . . . 10
8. Summary of Changes from RFC 7321 . . . . . . . . . . . . . . 11
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
10. Security Considerations . . . . . . . . . . . . . . . . . . . 11
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . 12
11.2. Informative References . . . . . . . . . . . . . . . . . 12
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
Wouters, et al. Standards Track [Page 2]
RFC 8221 ESP and AH Algorithm Requirements October 2017
1. Introduction
The Encapsulating Security Payload (ESP) [RFC4303] and the
Authentication Header (AH) [RFC4302] are the mechanisms for applying
cryptographic protection to data being sent over an IPsec Security
Association (SA) [RFC4301].
This document provides guidance and recommendations so that ESP and
AH can be used with cryptographic algorithms that are up to date.
The challenge of such documents is making sure that, over time, IPsec
implementations can use secure and up-to-date cryptographic
algorithms while keeping IPsec interoperable.
1.1. Updating Algorithm Implementation Requirements and Usage Guidance
The field of cryptography evolves continuously: new, stronger
algorithms appear, and existing algorithms are found to be less
secure than originally thought. Therefore, algorithm implementation
Show full document text