| rfc9206v2.txt | rfc9206.txt | |||
|---|---|---|---|---|
| skipping to change at line 203 ¶ | skipping to change at line 203 ¶ | |||
| User Interface (UI) suites [RFC4308] are named suites that cover some | User Interface (UI) suites [RFC4308] are named suites that cover some | |||
| typical security policy options for IPsec. Use of UI suites does not | typical security policy options for IPsec. Use of UI suites does not | |||
| change the IPsec protocol in any way. The following UI suites | change the IPsec protocol in any way. The following UI suites | |||
| provide cryptographic algorithm choices for ESP [RFC4303] and for | provide cryptographic algorithm choices for ESP [RFC4303] and for | |||
| IKEv2 [RFC7296]. The selection of a UI suite will depend on the key | IKEv2 [RFC7296]. The selection of a UI suite will depend on the key | |||
| exchange algorithm. The suite names indicate the Advanced Encryption | exchange algorithm. The suite names indicate the Advanced Encryption | |||
| Standard [FIPS197] mode, AES key length specified for encryption, and | Standard [FIPS197] mode, AES key length specified for encryption, and | |||
| the key exchange algorithm. | the key exchange algorithm. | |||
| Although RSA is also a CNSA-approved key establishment algorithm, | Although RSA is also a CNSA-approved key establishment algorithm, | |||
| only DH or ECDH are specified for key exchange in IKEv2 [RFC7296]. | only DH and ECDH are specified for key exchange in IKEv2 [RFC7296]. | |||
| RSA in IPsec is used only for digital signatures. See Section 6. | RSA in IPsec is used only for digital signatures. See Section 6. | |||
| ESP requires negotiation of both a confidentiality algorithm and an | ESP requires negotiation of both a confidentiality algorithm and an | |||
| integrity algorithm. However, algorithms for Authenticated | integrity algorithm. However, algorithms for Authenticated | |||
| Encryption with Associated Data (AEAD) [RFC5116] do not require a | Encryption with Associated Data (AEAD) [RFC5116] do not require a | |||
| separate integrity algorithm to be negotiated. In particular, since | separate integrity algorithm to be negotiated. In particular, since | |||
| AES-GCM is an AEAD algorithm, ESP implementing AES-GCM MUST either | AES-GCM is an AEAD algorithm, ESP implementing AES-GCM MUST either | |||
| offer no integrity algorithm or indicate the single integrity | offer no integrity algorithm or indicate the single integrity | |||
| algorithm NONE (see Section 3.3 of [RFC7296]). | algorithm NONE (see Section 3.3 of [RFC7296]). | |||
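Review bot: the changed sentence on the right-hand side ("only DH and ECDH are specified for key exchange in IKEv2") uses two terms for what reads as one role: "key establishment" for RSA and "key exchange" for DH and ECDH. If the terms are meant as synonyms here, use one of them throughout the sentence. If the difference is intentional, add a clause saying so. The "or" to "and" correction itself is fine.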
| skipping to change at line 349 ¶ | skipping to change at line 349 ¶ | |||
| 9. The Key Exchange Payload in the IKE_SA_INIT Exchange | 9. The Key Exchange Payload in the IKE_SA_INIT Exchange | |||
| The key exchange payload is used to exchange Diffie-Hellman public | The key exchange payload is used to exchange Diffie-Hellman public | |||
| numbers as part of a Diffie-Hellman key exchange. The CNSA-compliant | numbers as part of a Diffie-Hellman key exchange. The CNSA-compliant | |||
| initiator and responder MUST each generate an ephemeral key pair to | initiator and responder MUST each generate an ephemeral key pair to | |||
| be used in the key exchange. | be used in the key exchange. | |||
| If the Elliptic Curve Diffie-Hellman (ECDH) key exchange is selected | If the Elliptic Curve Diffie-Hellman (ECDH) key exchange is selected | |||
| for the SA, the initiator and responder both MUST generate an | for the SA, the initiator and responder both MUST generate an | |||
| elliptic curve (EC) key pair using the P-384 elliptic curve. | elliptic curve (EC) key pair using the P-384 elliptic curve. The | |||
| ephemeral public keys MUST be stored in the key exchange payload as | ||||
| described in [RFC5903]. | ||||
| If the Diffie-Hellman (DH) key exchange is selected for the SA, the | If the Diffie-Hellman (DH) key exchange is selected for the SA, the | |||
| initiator and responder both MUST generate a key pair using the | initiator and responder both MUST generate a key pair using the | |||
| appropriately sized MODP group as described in [RFC3526]. The size | appropriately sized MODP group as described in [RFC3526]. The size | |||
| of the MODP group will be determined by the selection of either a | of the MODP group will be determined by the selection of either a | |||
| 3072-bit or greater modulus for the SA. | 3072-bit or greater modulus for the SA. | |||
| 10. Generating Key Material for the IKE SA | 10. Generating Key Material for the IKE SA | |||
| As noted in Section 7 of [RFC5903], the shared secret result of an | As noted in Section 7 of [RFC5903], the shared secret result of an | |||
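Review bot: the new MUST in the ECDH paragraph ("The ephemeral public keys MUST be stored in the key exchange payload as described in [RFC5903]") has no counterpart in the DH paragraph that follows. That paragraph cites [RFC3526] only for the MODP group and says nothing about how the public value is placed in the payload. Either add a parallel sentence for the MODP case or state where that encoding is specified, so both branches carry the same level of requirement. Two wording points in the same region: "stored in" would read better as "carried in" or "encoded in", since the section opens by saying the payload is used to exchange the public numbers, and "either a 3072-bit or greater modulus" has an "either" with no second alternative.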
| End of changes. 2 change blocks. | ||||
| 2 lines changed or deleted | 4 lines changed or added | |||