Implemented Standards

From Libreswan
Jump to: navigation, search

The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071 |

Implementation status can be: implemented (v), planned (p), not implemented (-) or will not be implemented (X)

Status Standard Description Comments
IKEv1
v RFC 2407 IPsec Domain of Interpretation for ISAKMP (IPsec DoI)
v RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
v RFC 2409 Internet Key Exchange (IKE) Revised Mode not implemented
v RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups
v RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers known as "DPD"
v RFC 3947 Negotiation of NAT-Traversal in the IKE known as "NATT" or "ESPinUDP"
v draft-dukes-ike-mode-cfg The ISAKMP Configuration Method
v draft-ietf-ipsec-isakmp-xauth Extended Authentication within ISAKMP/Oakley (XAUTH)
v draft-jenkins-ipsec-rekeying IPsec Re-keying Issues Implementation differs on some point but accomplishes the same
X draft-ietf-ipsec-isakmp-hybrid-auth A Hybrid Authentication Mode for IKE
IKEv2
v RFC 4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) Obsoleted by RFC 8247
v RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) Obsoletes RFC 5996 and RFC 4718
X RFC 7815 Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation This is a really just a subset of IKEv2 RFC 7296
p RFC 4478 Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
v RFC 4555 IKEv2 Mobility and Multihoming Protocol (MOBIKE) "Additional Addresses" not supported
- RFC 4595 Use of IKEv2 in the Fibre Channel Security Association Management Protocol
p RFC 4615 The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
N/A RFC 4621 Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
p RFC 4739 Multiple Authentication Exchanges in the IKEv2 Protocol
p RFC 4754 IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
- RFC 4806 Online Certificate Status Protocol (OCSP) Extensions to IKEv2 Regular OCSP fetching outside of IKE is supported.
- RFC 5026 Mobile IPv6 Bootstrapping in Split Scenario
v RFC 5282 Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol Only AES_GCM is implemented. AES_CCM requires support in the nss library
- RFC 5685 Redirect Mechanism for IKEv2
- RFC 5857 IKEv2 Extensions to Support Robust Header Compression over IPsec
p RFC 5723 Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
- RFC 5739 IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
v RFC 5903 ECP Groups for IKE and IKEv2
v RFC 5930 Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
- RFC 5998 An Extension for EAP-only Authentication in IKEv2
- RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
N/A RFC 6027 IPsec Cluster Problem Statement
- RFC 6290 A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
- RFC 6311 Protocol Support for High Availability of IKEv2/IPsec
- RFC 6467 Secure Password Framework for IKEv2
- RFC 6617 Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
- RFC 6628 Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
- RFC 6631 Password Authenticated Connection Establishment with IKEv2
- RFC 6867 An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
- RFC 6932 Brainpool Elliptic Curves for the IKE Group Description Registry
- RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
N/A RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) This work is or needs to be done inside the nss library
v RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
v RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) Initial implementation only supports RSA-v1.5. More planned in near future
v RFC 7619 The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
p RFC 7634 ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
- RFC 7651 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
p RFC 7670 Generic Raw Public-Key Support for IKEv2 raw RSA public keys are supported using the core IKE RFCs
v RFC 8247 Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)
v RFC 8229 TCP Encapsulation of IKE and IPsec Packets IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS
- draft-brunner-ikev2-mediation IKEv2 Mediation Extension
- draft-laganier-ike-ipv6-cga Using IKE with IPv6 Cryptographically Generated Addresses
p draft-ietf-ipsecme-split-dns Split DNS Configuration for IKEv2 in progress
p draft-ietf-ipsecme-qr-ikev2 Postquantum Preshared Keys for IKEv2 in progress - previous version implemented (draft-fluhrer-qr-ikev2)
IPsec
v RFC 4301 Security Architecture for the Internet Protocol
v RFC 4302 IP Authentication Header (AH)
v RFC 4303 IP Encapsulating Security Payload (ESP)
RFC 4308 Cryptographic Suites for IPsec
v RFC 7321 Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions
v RFC 2410 The NULL Encryption Algorithm and Its Use With IPsec
v RFC 2451 The ESP CBC-Mode Cipher Algorithms
v RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
v RFC 3948 UDP Encapsulation of IPsec ESP Packets
v RFC 3686 Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
v RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec ESP
v RFC 4304 Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP
v RFC 4309 Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP
x RFC 4494 The AES-CMAC-96 Algorithm and Its Use with IPsec
x RFC 4543 The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH Kernel support is availble, ike support is not
v RFC 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
v RFC 5114 Additional Diffie-Hellman Groups for Use with IETF Standards Only DH22,23,24 - remainder planned
v RFC 5529 Modes of Operation for Camellia for Use with IPsec
X RFC 5660 IPsec Channels: Connection Latching
N/A RFC 5879 Heuristics for Detecting ESP-NULL Packets
X RFC 5840 Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility
v RFC 6379 Suite B Cryptographic Suites for IPsec Not all ciphers are implemented
v RFC 6380 Suite B Profile for Internet Protocol Security (IPsec)
? RFC 6479 IPsec Anti-Replay Algorithm without Bit Shifting
N/A RFC 7018 Auto-Discovery VPN Problem Statement and Requirements
v RFC 7321 Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) Obsoleted by RFC 8221
v RFC 8221 Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) Obsoletes RFC 7321
v draft-antony-ipsecme-oppo-nat NAT-Traversal support for Opportunistic IPsec Experimental