| rfc7634v1.txt | rfc7634.txt | |||
|---|---|---|---|---|
| skipping to change at page 2, line 18 | skipping to change at page 2, line 18 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | |||
| 2. ChaCha20 and Poly1305 for ESP . . . . . . . . . . . . . . . . 3 | 2. ChaCha20 and Poly1305 for ESP . . . . . . . . . . . . . . . . 3 | |||
| 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 5 | 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 6 | 4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 8 | 7.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 8 | Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 11 | Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 11 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| The Advanced Encryption Standard (AES) [FIPS-197] has become the go- | The Advanced Encryption Standard (AES) [FIPS-197] has become the go- | |||
| to algorithm for encryption. It is now the most commonly used | to algorithm for encryption. It is now the most commonly used | |||
| algorithm in many areas, including IPsec Virtual Private Networks | algorithm in many areas, including IPsec Virtual Private Networks | |||
| (VPNs). On most modern platforms, AES is anywhere from four to ten | (VPNs). On most modern platforms, AES is anywhere from four to ten | |||
| skipping to change at page 5, line 48 | skipping to change at page 5, line 50 | |||
| o The Integrity Check Value field contains the 16-octet tag. | o The Integrity Check Value field contains the 16-octet tag. | |||
| 2.1. AAD Construction | 2.1. AAD Construction | |||
| The construction of the Additional Authenticated Data (AAD) is | The construction of the Additional Authenticated Data (AAD) is | |||
| similar to the one in [RFC4106]. For security associations (SAs) | similar to the one in [RFC4106]. For security associations (SAs) | |||
| with 32-bit sequence numbers, the AAD is 8 octets: a 4-octet SPI | with 32-bit sequence numbers, the AAD is 8 octets: a 4-octet SPI | |||
| followed by a 4-octet sequence number ordered exactly as it is in the | followed by a 4-octet sequence number ordered exactly as it is in the | |||
| packet. For SAs with an Extended Sequence Number (ESN), the AAD is | packet. For SAs with an Extended Sequence Number (ESN), the AAD is | |||
| 12 octets: a 4-octet SPI followed by an 8-octet sequence number as a | 12 octets: a 4-octet SPI followed by an 8-octet sequence number as a | |||
| 64-bit integer in network byte order. | 64-bit integer in big-endian byte order. | |||
| 3. Use in IKEv2 | 3. Use in IKEv2 | |||
| AEAD algorithms can be used in IKE, as described in [RFC5282]. More | AEAD algorithms can be used in IKE, as described in [RFC5282]. More | |||
| specifically: | specifically: | |||
| o The Encrypted Payload is as described in Section 3 of RFC 5282. | o The Encrypted Payload is as described in Section 3 of RFC 5282. | |||
| o The ChaCha20-Poly1305 keying material is derived similarly to ESP: | o The ChaCha20-Poly1305 keying material is derived similarly to ESP: | |||
| 36 octets are requested for each of SK_ei and SK_er, of which the | 36 octets are requested for each of SK_ei and SK_er, of which the | |||
| skipping to change at page 7, line 32 | skipping to change at page 7, line 32 | |||
| algorithm described in this document in the "Transform Type 1 - | algorithm described in this document in the "Transform Type 1 - | |||
| Encryption Algorithm Transform IDs" registry with name | Encryption Algorithm Transform IDs" registry with name | |||
| ENCR_CHACHA20_POLY1305 and this document as reference for both ESP | ENCR_CHACHA20_POLY1305 and this document as reference for both ESP | |||
| and IKEv2. | and IKEv2. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
| RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", | |||
| 4303, DOI 10.17487/RFC4303, December 2005, | RFC 4303, DOI 10.17487/RFC4303, December 2005, | |||
| <http://www.rfc-editor.org/info/rfc4303>. | <http://www.rfc-editor.org/info/rfc4303>. | |||
| [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | |||
| Algorithms with the Encrypted Payload of the Internet Key | Algorithms with the Encrypted Payload of the Internet Key | |||
| Exchange version 2 (IKEv2) Protocol", RFC 5282, DOI | Exchange version 2 (IKEv2) Protocol", RFC 5282, | |||
| 10.17487/RFC5282, August 2008, | DOI 10.17487/RFC5282, August 2008, | |||
| <http://www.rfc-editor.org/info/rfc5282>. | <http://www.rfc-editor.org/info/rfc5282>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <http://www.rfc-editor.org/info/rfc7296>. | 2014, <http://www.rfc-editor.org/info/rfc7296>. | |||
| [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, | Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7539>. | <http://www.rfc-editor.org/info/rfc7539>. | |||
| skipping to change at page 8, line 28 | skipping to change at page 8, line 28 | |||
| National Institute of Standards and Technology, "Advanced | National Institute of Standards and Technology, "Advanced | |||
| Encryption Standard (AES)", FIPS PUB 197, November 2001, | Encryption Standard (AES)", FIPS PUB 197, November 2001, | |||
| <http://csrc.nist.gov/publications/fips/fips197/ | <http://csrc.nist.gov/publications/fips/fips197/ | |||
| fips-197.pdf>. | fips-197.pdf>. | |||
| [RFC1761] Callaghan, B. and R. Gilligan, "Snoop Version 2 Packet | [RFC1761] Callaghan, B. and R. Gilligan, "Snoop Version 2 Packet | |||
| Capture File Format", RFC 1761, DOI 10.17487/RFC1761, | Capture File Format", RFC 1761, DOI 10.17487/RFC1761, | |||
| February 1995, <http://www.rfc-editor.org/info/rfc1761>. | February 1995, <http://www.rfc-editor.org/info/rfc1761>. | |||
| [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | |||
| (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC | (GCM) in IPsec Encapsulating Security Payload (ESP)", | |||
| 4106, DOI 10.17487/RFC4106, June 2005, | RFC 4106, DOI 10.17487/RFC4106, June 2005, | |||
| <http://www.rfc-editor.org/info/rfc4106>. | <http://www.rfc-editor.org/info/rfc4106>. | |||
| [SP800-67] | [SP800-67] | |||
| National Institute of Standards and Technology, | National Institute of Standards and Technology, | |||
| "Recommendation for the Triple Data Encryption Algorithm | "Recommendation for the Triple Data Encryption Algorithm | |||
| (TDEA) Block Cipher", FIPS SP800-67, January 2012, | (TDEA) Block Cipher", FIPS SP800-67, January 2012, | |||
| <http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/ | <http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/ | |||
| SP-800-67-Rev1.pdf>. | SP-800-67-Rev1.pdf>. | |||
| [Standby-Cipher] | [Standby-Cipher] | |||
| McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | |||
| Future Cryptographic Standards", Work in Progress draft- | Future Cryptographic Standards", Work in Progress | |||
| mcgrew-standby-cipher-00, January 2013. | draft-mcgrew-standby-cipher-00, January 2013. | |||
| Appendix A. ESP Example | Appendix A. ESP Example | |||
| For this example, we will use a tunnel-mode ESP SA using the | For this example, we will use a tunnel-mode ESP SA using the | |||
| ChaCha20-Poly1305 algorithm. The keying material is as follows: | ChaCha20-Poly1305 algorithm. The keying material is as follows: | |||
| KEYMAT: | KEYMAT: | |||
| 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ | 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ | |||
| 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ | 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ | |||
| 032 a0 a1 a2 a3 .... | 032 a0 a1 a2 a3 .... | |||
| skipping to change at page 11, line 31 | skipping to change at page 11, line 38 | |||
| o The Salt is 0xa0 0xa1 0xa2 0xa3. | o The Salt is 0xa0 0xa1 0xa2 0xa3. | |||
| o The IV will also be the same as in the previous example. The fact | o The IV will also be the same as in the previous example. The fact | |||
| that the IV and Salt are both the same means that the nonce is | that the IV and Salt are both the same means that the nonce is | |||
| also the same. | also the same. | |||
| o Because the key and nonce are the same, so is the one-time | o Because the key and nonce are the same, so is the one-time | |||
| Poly1305 key. | Poly1305 key. | |||
| o The packet will be an Informational request carrying a single | o The packet will be an INFORMATIONAL request carrying a single | |||
| payload: a Notify payload with type SET_WINDOW_SIZE, setting the | payload: a Notify payload with type SET_WINDOW_SIZE, setting the | |||
| window size to 10. | window size to 10. | |||
| o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. | o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. | |||
| o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. | o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. | |||
| o Message ID shall be 9. | o Message ID shall be 9. | |||
| The Notify Payload: | The Notify Payload: | |||
| skipping to change at page 12, line 43 | skipping to change at page 13, line 9 | |||
| 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ | |||
| 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) | 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) | |||
| 032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p.... | 032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p.... | |||
| 048 7c 12 92 48 89 6b 71 bf e2 52 36 ef d7 cd c6 70 |..H.kq..R6....p | 048 7c 12 92 48 89 6b 71 bf e2 52 36 ef d7 cd c6 70 |..H.kq..R6....p | |||
| 064 66 90 63 15 b2 f.c.. | 064 66 90 63 15 b2 f.c.. | |||
| The below file in the snoop format [RFC1761] contains three packets: | The below file in the snoop format [RFC1761] contains three packets: | |||
| The first is the ICMP packet from the example in Appendix A, the | The first is the ICMP packet from the example in Appendix A, the | |||
| second is the ESP packet from the same appendix, and the third is the | second is the ESP packet from the same appendix, and the third is the | |||
| IKEv2 packet from this appendix. To convert this text back into a | IKEv2 packet from this appendix. To convert this text back into a | |||
| file, you can use a Unix command line tool such as "openssl enc -d | file, you can use a Unix command line tool such as | |||
| -a": | "openssl enc -d -a": | |||
| c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPq8PAAADVdhs6fUQBHgx | c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPq8PAAADVdhs6fUQBHgx | |||
| wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN | wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN | |||
| Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA | Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA | |||
| AJoAAACyAAAAAFU+rw8AAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ | AJoAAACyAAAAAFU+rw8AAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ | |||
| ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv | ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv | |||
| QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7 | QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7 | |||
| lOZk2pFluCgp9kHgdqqoJmt/sPexGzaZB+GtQwAAAG8AAABvAAAAhwAAAABVPq8P | lOZk2pFluCgp9kHgdqqoJmt/sPexGzaZB+GtQwAAAG8AAABvAAAAhwAAAABVPq8P | |||
| AAARH9hs6fUQBHgxwbcpwggARQAAYSNFAABAEd6nywBxmcsAcQUB9AH0AE0IUcDB | AAARH9hs6fUQBHgxwbcpwggARQAAYSNFAABAEd6nywBxmcsAcQUB9AH0AE0IUcDB | |||
| wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEUpAAApEBESExQVFhdhA5RwH40Bf3wS | wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEUpAAApEBESExQVFhdhA5RwH40Bf3wS | |||
| End of changes. 9 change blocks. | ||||
| 15 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
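
The script below is an added example; it is not part of RFC 7634 or of this diff. It implements the two constructions the excerpts above describe: the ESP AAD layout of Section 2.1 (8 octets of SPI plus 32-bit sequence number without ESN, 12 octets with the 64-bit ESN sequence number in big-endian order) and, for the IKEv2 message of Appendix B, the split of the 36 requested KEYMAT octets into a 32-octet key and a 4-octet salt, the nonce formed as salt followed by the 8-octet IV, and the AAD as everything that precedes the IV (IKEv2 header, any unencrypted payloads and the SK payload's generic header, per RFC 5282). The KEYMAT and IKEv2 packet constants are transcribed from the Appendix A and Appendix B hex dumps above; the SPI and sequence number used in the ESP calls are constructed sample values; only the Python standard library is used. The ESN helper goes one step beyond the text: since only the low 32 bits of an ESN sequence number travel in the packet (RFC 4303), it takes the receiver's tracked high 32 bits as a parameter.

```python
import struct

# --- ESP, Section 2.1: AAD construction ------------------------------------

def esp_aad(spi: int, seq: int, esn: bool) -> bytes:
    """Without ESN: 8 octets, SPI || 32-bit seq, exactly as on the wire.
    With ESN: 12 octets, SPI || full 64-bit seq as a big-endian integer."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI is a 32-bit field")
    if esn:
        if not 0 <= seq <= 0xFFFFFFFFFFFFFFFF:
            raise ValueError("ESN sequence number is a 64-bit value")
        return struct.pack("!IQ", spi, seq)
    if not 0 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number is a 32-bit field")
    return struct.pack("!II", spi, seq)


def esp_aad_from_packet(esp_pkt: bytes, esn: bool, seq_high: int = 0) -> bytes:
    """Rebuild the AAD from a received ESP packet. With ESN only the low 32
    bits are on the wire (RFC 4303); the receiver supplies the high 32 bits it
    tracks for the SA. A wrong value simply makes the Poly1305 check fail."""
    if len(esp_pkt) < 8:
        raise ValueError("ESP header is 8 octets: SPI + sequence number")
    spi, seq_low = struct.unpack("!II", esp_pkt[:8])
    seq = ((seq_high << 32) | seq_low) if esn else seq_low
    return esp_aad(spi, seq, esn)


# --- IKEv2, Section 3 / Appendix B: AEAD inputs from KEYMAT and packet -----

SK_PAYLOAD = 0x2E      # Encrypted and Authenticated payload type (RFC 7296)
IKE_HEADER_LEN = 28
IV_LEN = 8             # ChaCha20-Poly1305 IV length used here (RFC 7634)
TAG_LEN = 16


def split_keymat(keymat: bytes) -> tuple:
    """36 requested octets: first 32 are the ChaCha20 key, last 4 the salt."""
    if len(keymat) != 36:
        raise ValueError("ChaCha20-Poly1305 KEYMAT is 36 octets")
    return keymat[:32], keymat[32:]


def parse_ike_header(pkt: bytes) -> dict:
    """Fixed 28-octet IKEv2 header (RFC 7296, Section 3.1)."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("short IKEv2 header")
    ispi, rspi, np, ver, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", pkt[:IKE_HEADER_LEN])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    return {"ispi": ispi, "rspi": rspi, "next_payload": np, "version": ver,
            "exchange_type": xchg, "flags": flags, "message_id": msg_id,
            "length": length}


def locate_sk_payload(pkt: bytes) -> int:
    """Walk the payload chain until the SK payload; return its offset."""
    np = parse_ike_header(pkt)["next_payload"]
    off = IKE_HEADER_LEN
    while np != SK_PAYLOAD:
        if np == 0 or off + 4 > len(pkt):
            raise ValueError("no SK payload in packet")
        np, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        off += plen
    return off


def ikev2_aead_inputs(pkt: bytes, keymat: bytes) -> tuple:
    """Return (nonce, aad, ciphertext, tag) for the SK payload of one message.
    nonce = salt || IV; AAD = everything before the IV (RFC 5282)."""
    _, salt = split_keymat(keymat)
    off = locate_sk_payload(pkt)
    _, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
    if off + plen != len(pkt) or plen < 4 + IV_LEN + TAG_LEN:
        raise ValueError("SK payload must be last and hold IV, data and tag")
    iv = pkt[off + 4:off + 4 + IV_LEN]
    body = pkt[off + 4 + IV_LEN:]
    return salt + iv, pkt[:off + 4], body[:-TAG_LEN], body[-TAG_LEN:]


# Transcribed from the hex dumps above: Appendix A KEYMAT (36 octets) and
# the Appendix B IKEv2 INFORMATIONAL request (69 octets).
KEYMAT = bytes.fromhex(
    "808182838485868788898a8b8c8d8e8f"
    "909192939495969798999a9b9c9d9e9f"
    "a0a1a2a3")
IKEV2_PACKET = bytes.fromhex(
    "c0c1c2c3c4c5c6c7d0d1d2d3d4d5d6d7"
    "2e202500000000090000004529000029"
    "1011121314151617610394701f8d017f"
    "7c129248896b71bfe25236efd7cdc670"
    "66906315b2")

if __name__ == "__main__":
    # Constructed sample SPI/sequence number, not taken from the RFC.
    print(esp_aad(0x01020304, 5, esn=False).hex())   # 0102030400000005
    print(esp_aad(0x01020304, 5, esn=True).hex())    # 010203040000000000000005
    hdr = parse_ike_header(IKEV2_PACKET)
    print("exchange", hdr["exchange_type"], "msg id", hdr["message_id"])
    nonce, aad, ct, tag = ikev2_aead_inputs(IKEV2_PACKET, KEYMAT)
    print("nonce", nonce.hex(), "aad", aad.hex(), "ct", len(ct), "tag", tag.hex())
```

Running the script on the Appendix B packet yields exchange type 37 (INFORMATIONAL), Message ID 9, the nonce a0a1a2a31011121314151617 (salt from Appendix A followed by the IV that is visible at offset 32 of the dump), a 32-octet AAD covering the IKEv2 header and the SK payload header, 13 octets of ciphertext and a 16-octet tag. The length checks in parse_ike_header and ikev2_aead_inputs are the ones a receiver should apply before handing anything to the AEAD: a declared length that disagrees with the packet, or an SK payload too short to contain IV and tag, is rejected rather than sliced.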