Implemented Standards: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
Line 53: Line 53:
|
|
|-
|-
| ?
| v
| [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying]
| [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying]
| IPsec Re-keying Issues
| IPsec Re-keying Issues
|
| Implementation differs on some point but accomplishes the same
|-
|-
| X
| X
Line 75: Line 75:
| Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718]
| Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718]
|-
|-
| v
| X
| [http://tools.ietf.org/html/rfc7815 RFC 7815]
| [http://tools.ietf.org/html/rfc7815 RFC 7815]
| Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation
| Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation
| This is a really just a subset of [http://tools.ietf.org/html/rfc7296 RFC 7296]
| This is a really just a subset of IKEv2 [http://tools.ietf.org/html/rfc7296 RFC 7296]
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc4478 RFC 4478]
| [https://tools.ietf.org/html/rfc4478 RFC 4478]
| Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
| Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc4555 RFC 4555]
| [https://tools.ietf.org/html/rfc4555 RFC 4555]
| IKEv2 Mobility and Multihoming Protocol (MOBIKE)
| IKEv2 Mobility and Multihoming Protocol (MOBIKE)
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc4595 RFC 4595]
| [https://tools.ietf.org/html/rfc4595 RFC 4595]
| Use of IKEv2 in the Fibre Channel Security Association Management Protocol
| Use of IKEv2 in the Fibre Channel Security Association Management Protocol
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6515 RFC 6515]
| [https://tools.ietf.org/html/rfc6515 RFC 6515]
| The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
| The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc4621 RFC 4621]
| [https://tools.ietf.org/html/rfc4621 RFC 4621]
| Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
| Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc4739 RFC 4739]
| [https://tools.ietf.org/html/rfc4739 RFC 4739]
| Multiple Authentication Exchanges in the IKEv2 Protocol
| Multiple Authentication Exchanges in the IKEv2 Protocol
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc4754 RFC 4754]
| [https://tools.ietf.org/html/rfc4754 RFC 4754]
| IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
| IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc4806 RFC 4806]
| [https://tools.ietf.org/html/rfc4806 RFC 4806]
| Online Certificate Status Protocol (OCSP) Extensions to IKEv2
| Online Certificate Status Protocol (OCSP) Extensions to IKEv2
|
| Regular OCSP fetching outside of IKE is supported.
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc5026 RFC 5026]
| [https://tools.ietf.org/html/rfc5026 RFC 5026]
| Mobile IPv6 Bootstrapping in Split Scenario
| Mobile IPv6 Bootstrapping in Split Scenario
|
|
|-
|-
|?
|v
| [https://tools.ietf.org/html/rfc5282 RFC 5282]
| [https://tools.ietf.org/html/rfc5282 RFC 5282]
| Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol
| Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol
|
| Only AES_GCM is implemented. AES_CCM requires support in the nss library
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc5685 RFC 5685]
| [https://tools.ietf.org/html/rfc5685 RFC 5685]
| Redirect Mechanism for IKEv2
| Redirect Mechanism for IKEv2
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc5857 RFC 5857]
| [https://tools.ietf.org/html/rfc5857 RFC 5857]
| IKEv2 Extensions to Support Robust Header Compression over IPsec
| IKEv2 Extensions to Support Robust Header Compression over IPsec
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc5723 RFC 5723]
| [https://tools.ietf.org/html/rfc5723 RFC 5723]
| Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
| Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc5739 RFC 5739]
| [https://tools.ietf.org/html/rfc5739 RFC 5739]
| IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
| IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc5903 RFC 5903]
| [https://tools.ietf.org/html/rfc5903 RFC 5903]
| ECP Groups for IKE and IKEv2
| ECP Groups for IKE and IKEv2
|
|
|-
|-
|?
|v
| [https://tools.ietf.org/html/rfc5930 RFC 5930]
| [https://tools.ietf.org/html/rfc5930 RFC 5930]
| Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
| Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc5998 RFC 5998]
| [https://tools.ietf.org/html/rfc5998 RFC 5998]
| An Extension for EAP-only Authentication in IKEv2
| An Extension for EAP-only Authentication in IKEv2
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6023 RFC 6023]
| [https://tools.ietf.org/html/rfc6023 RFC 6023]
| A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
| A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
|
|
|-
|-
|?
| N/A
| [https://tools.ietf.org/html/rfc6027 RFC 6027]
| [https://tools.ietf.org/html/rfc6027 RFC 6027]
| IPsec Cluster Problem Statement
| IPsec Cluster Problem Statement
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6290 RFC 6290]
| [https://tools.ietf.org/html/rfc6290 RFC 6290]
| A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
| A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6311 RFC 6311]
| [https://tools.ietf.org/html/rfc6311 RFC 6311]
| Protocol Support for High Availability of IKEv2/IPsec
| Protocol Support for High Availability of IKEv2/IPsec
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6467 RFC 6467]
| [https://tools.ietf.org/html/rfc6467 RFC 6467]
| Secure Password Framework for IKEv2
| Secure Password Framework for IKEv2
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6617 RFC 6617]
| [https://tools.ietf.org/html/rfc6617 RFC 6617]
| Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
| Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6628 RFC 6628]
| [https://tools.ietf.org/html/rfc6628 RFC 6628]
| Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
| Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6631 RFC 6631]
| [https://tools.ietf.org/html/rfc6631 RFC 6631]
| Password Authenticated Connection Establishment with IKEv2
| Password Authenticated Connection Establishment with IKEv2
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6867 RFC 6867]
| [https://tools.ietf.org/html/rfc6867 RFC 6867]
| An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
| An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6932 RFC 6932]
| [https://tools.ietf.org/html/rfc6932 RFC 6932]
| Brainpool Elliptic Curves for the IKE Group Description Registry
| Brainpool Elliptic Curves for the IKE Group Description Registry
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc6954 RFC 6954]
| [https://tools.ietf.org/html/rfc6954 RFC 6954]
| Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
| Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
|
|  
|-
|-
|-
|?
| [https://tools.ietf.org/html/rfc6989 RFC 6989]
| [https://tools.ietf.org/html/rfc6989 RFC 6989]
| Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
| Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
|
| This work is or needs to be done inside the nss library
|-
|-
|?
|v
| [https://tools.ietf.org/html/rfc7383 RFC 7383]
| [https://tools.ietf.org/html/rfc7383 RFC 7383]
| Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
| Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc7427 RFC 7427]
| [https://tools.ietf.org/html/rfc7427 RFC 7427]
| Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
| Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
|
|
|-
|-
|?
|v
| [https://tools.ietf.org/html/rfc7619 RFC 7619]
| [https://tools.ietf.org/html/rfc7619 RFC 7619]
| The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
| The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc7634 RFC 7634]
| [https://tools.ietf.org/html/rfc7634 RFC 7634]
| ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
| ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/rfc7651 RFC 7651]
| [https://tools.ietf.org/html/rfc7651 RFC 7651]
| 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
| 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
|
|
|-
|-
|?
|p
| [https://tools.ietf.org/html/rfc7670 RFC 7670]
| [https://tools.ietf.org/html/rfc7670 RFC 7670]
| Generic Raw Public-Key Support for IKEv2
| Generic Raw Public-Key Support for IKEv2
|
| raw RSA public keys are supported using the core IKE RFCs
|-
|-
|?
| -
| [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation]
| [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation]
| IKEv2 Mediation Extension
| IKEv2 Mediation Extension
|
|
|-
|-
|?
| -
| [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga]
| [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga]
|  Using IKE with IPv6 Cryptographically Generated Addresses
|  Using IKE with IPv6 Cryptographically Generated Addresses

Revision as of 22:27, 17 June 2016

The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071 |

Implementation status can be: implemented (v), planned (p), not implemented (-) or will not be implemented (X)

Status Standard Description Comments
IKEv1
v RFC 2407 IPsec Domain of Interpretation for ISAKMP (IPsec DoI)
v RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
v RFC 2409 Internet Key Exchange (IKE) Revised Mode not implemented
v RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups
v RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers known as "DPD"
v RFC 3947 Negotiation of NAT-Traversal in the IKE known as "NATT" or "ESPinUDP"
v draft-dukes-ike-mode-cfg The ISAKMP Configuration Method
v draft-ietf-ipsec-isakmp-xauth Extended Authentication within ISAKMP/Oakley (XAUTH)
v draft-jenkins-ipsec-rekeying IPsec Re-keying Issues Implementation differs on some point but accomplishes the same
X draft-ietf-ipsec-isakmp-hybrid-auth A Hybrid Authentication Mode for IKE
IKEv2
v RFC 4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
v RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) Obsoletes RFC 5996 and RFC 4718
X RFC 7815 Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation This is a really just a subset of IKEv2 RFC 7296
p RFC 4478 Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
p RFC 4555 IKEv2 Mobility and Multihoming Protocol (MOBIKE)
- RFC 4595 Use of IKEv2 in the Fibre Channel Security Association Management Protocol
- RFC 6515 The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
p RFC 4621 Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
p RFC 4739 Multiple Authentication Exchanges in the IKEv2 Protocol
p RFC 4754 IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
- RFC 4806 Online Certificate Status Protocol (OCSP) Extensions to IKEv2 Regular OCSP fetching outside of IKE is supported.
- RFC 5026 Mobile IPv6 Bootstrapping in Split Scenario
v RFC 5282 Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol Only AES_GCM is implemented. AES_CCM requires support in the nss library
- RFC 5685 Redirect Mechanism for IKEv2
- RFC 5857 IKEv2 Extensions to Support Robust Header Compression over IPsec
p RFC 5723 Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
- RFC 5739 IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
p RFC 5903 ECP Groups for IKE and IKEv2
v RFC 5930 Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
- RFC 5998 An Extension for EAP-only Authentication in IKEv2
- RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
N/A RFC 6027 IPsec Cluster Problem Statement
- RFC 6290 A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
- RFC 6311 Protocol Support for High Availability of IKEv2/IPsec
- RFC 6467 Secure Password Framework for IKEv2
- RFC 6617 Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
- RFC 6628 Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
- RFC 6631 Password Authenticated Connection Establishment with IKEv2
- RFC 6867 An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
- RFC 6932 Brainpool Elliptic Curves for the IKE Group Description Registry
- RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) This work is or needs to be done inside the nss library
v RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
p RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
v RFC 7619 The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
p RFC 7634 ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
- RFC 7651 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
p RFC 7670 Generic Raw Public-Key Support for IKEv2 raw RSA public keys are supported using the core IKE RFCs
- draft-brunner-ikev2-mediation IKEv2 Mediation Extension
- [1] Using IKE with IPv6 Cryptographically Generated Addresses