Difference between revisions of "Implemented Standards"
Jump to navigation
Jump to search
Paul Wouters (talk | contribs) |
Paul Wouters (talk | contribs) |
||
(12 intermediate revisions by the same user not shown) | |||
Line 53: | Line 53: | ||
| | | | ||
|- | |- | ||
− | | | + | | v |
| [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying] | | [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying] | ||
| IPsec Re-keying Issues | | IPsec Re-keying Issues | ||
− | | | + | | Implementation differs on some point but accomplishes the same |
|- | |- | ||
| X | | X | ||
Line 68: | Line 68: | ||
| [http://tools.ietf.org/html/rfc4307 RFC 4307] | | [http://tools.ietf.org/html/rfc4307 RFC 4307] | ||
| Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) | | Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) | ||
− | | | + | | Obsoleted by [http://tools.ietf.org/html/rfc8247 RFC 8247] |
|- | |- | ||
| v | | v | ||
Line 75: | Line 75: | ||
| Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718] | | Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718] | ||
|- | |- | ||
− | | | + | | X |
| [http://tools.ietf.org/html/rfc7815 RFC 7815] | | [http://tools.ietf.org/html/rfc7815 RFC 7815] | ||
| Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation | | Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation | ||
− | | This is a really just a subset of [http://tools.ietf.org/html/rfc7296 RFC 7296] | + | | This is a really just a subset of IKEv2 [http://tools.ietf.org/html/rfc7296 RFC 7296] |
|- | |- | ||
− | | | + | |p |
| [https://tools.ietf.org/html/rfc4478 RFC 4478] | | [https://tools.ietf.org/html/rfc4478 RFC 4478] | ||
| Repeated Authentication in Internet Key Exchange (IKEv2) Protocol | | Repeated Authentication in Internet Key Exchange (IKEv2) Protocol | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc4555 RFC 4555] | | [https://tools.ietf.org/html/rfc4555 RFC 4555] | ||
| IKEv2 Mobility and Multihoming Protocol (MOBIKE) | | IKEv2 Mobility and Multihoming Protocol (MOBIKE) | ||
− | | | + | | "Additional Addresses" not supported |
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc4595 RFC 4595] | | [https://tools.ietf.org/html/rfc4595 RFC 4595] | ||
| Use of IKEv2 in the Fibre Channel Security Association Management Protocol | | Use of IKEv2 in the Fibre Channel Security Association Management Protocol | ||
| | | | ||
|- | |- | ||
− | | | + | | p |
− | | [https://tools.ietf.org/html/ | + | | [https://tools.ietf.org/html/rfc4615 RFC 4615] |
| The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE | | The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE | ||
− | | | + | | CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library. |
|- | |- | ||
− | | | + | |N/A |
| [https://tools.ietf.org/html/rfc4621 RFC 4621] | | [https://tools.ietf.org/html/rfc4621 RFC 4621] | ||
| Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol | | Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol | ||
| | | | ||
|- | |- | ||
− | | | + | |p |
| [https://tools.ietf.org/html/rfc4739 RFC 4739] | | [https://tools.ietf.org/html/rfc4739 RFC 4739] | ||
| Multiple Authentication Exchanges in the IKEv2 Protocol | | Multiple Authentication Exchanges in the IKEv2 Protocol | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc4754 RFC 4754] | | [https://tools.ietf.org/html/rfc4754 RFC 4754] | ||
| IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) | | IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) | ||
− | | | + | | added in 3.26 |
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc4806 RFC 4806] | | [https://tools.ietf.org/html/rfc4806 RFC 4806] | ||
| Online Certificate Status Protocol (OCSP) Extensions to IKEv2 | | Online Certificate Status Protocol (OCSP) Extensions to IKEv2 | ||
− | | | + | | Regular OCSP fetching outside of IKE is supported. |
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc5026 RFC 5026] | | [https://tools.ietf.org/html/rfc5026 RFC 5026] | ||
| Mobile IPv6 Bootstrapping in Split Scenario | | Mobile IPv6 Bootstrapping in Split Scenario | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc5282 RFC 5282] | | [https://tools.ietf.org/html/rfc5282 RFC 5282] | ||
| Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol | | Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol | ||
− | | | + | | Only AES_GCM is implemented. AES_CCM requires support in the nss library |
|- | |- | ||
− | | | + | |p |
| [https://tools.ietf.org/html/rfc5685 RFC 5685] | | [https://tools.ietf.org/html/rfc5685 RFC 5685] | ||
| Redirect Mechanism for IKEv2 | | Redirect Mechanism for IKEv2 | ||
− | | | + | | scheduled for 3.27 |
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc5857 RFC 5857] | | [https://tools.ietf.org/html/rfc5857 RFC 5857] | ||
| IKEv2 Extensions to Support Robust Header Compression over IPsec | | IKEv2 Extensions to Support Robust Header Compression over IPsec | ||
| | | | ||
|- | |- | ||
− | | | + | |p |
| [https://tools.ietf.org/html/rfc5723 RFC 5723] | | [https://tools.ietf.org/html/rfc5723 RFC 5723] | ||
| Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption | | Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc5739 RFC 5739] | | [https://tools.ietf.org/html/rfc5739 RFC 5739] | ||
| IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) | | IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc5903 RFC 5903] | | [https://tools.ietf.org/html/rfc5903 RFC 5903] | ||
| ECP Groups for IKE and IKEv2 | | ECP Groups for IKE and IKEv2 | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc5930 RFC 5930] | | [https://tools.ietf.org/html/rfc5930 RFC 5930] | ||
| Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol | | Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc5998 RFC 5998] | | [https://tools.ietf.org/html/rfc5998 RFC 5998] | ||
| An Extension for EAP-only Authentication in IKEv2 | | An Extension for EAP-only Authentication in IKEv2 | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6023 RFC 6023] | | [https://tools.ietf.org/html/rfc6023 RFC 6023] | ||
| A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) | | A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) | ||
| | | | ||
|- | |- | ||
− | | | + | | N/A |
| [https://tools.ietf.org/html/rfc6027 RFC 6027] | | [https://tools.ietf.org/html/rfc6027 RFC 6027] | ||
| IPsec Cluster Problem Statement | | IPsec Cluster Problem Statement | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6290 RFC 6290] | | [https://tools.ietf.org/html/rfc6290 RFC 6290] | ||
| A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) | | A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6311 RFC 6311] | | [https://tools.ietf.org/html/rfc6311 RFC 6311] | ||
| Protocol Support for High Availability of IKEv2/IPsec | | Protocol Support for High Availability of IKEv2/IPsec | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6467 RFC 6467] | | [https://tools.ietf.org/html/rfc6467 RFC 6467] | ||
| Secure Password Framework for IKEv2 | | Secure Password Framework for IKEv2 | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6617 RFC 6617] | | [https://tools.ietf.org/html/rfc6617 RFC 6617] | ||
| Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE) | | Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE) | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6628 RFC 6628] | | [https://tools.ietf.org/html/rfc6628 RFC 6628] | ||
| Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2 | | Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2 | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6631 RFC 6631] | | [https://tools.ietf.org/html/rfc6631 RFC 6631] | ||
| Password Authenticated Connection Establishment with IKEv2 | | Password Authenticated Connection Establishment with IKEv2 | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6867 RFC 6867] | | [https://tools.ietf.org/html/rfc6867 RFC 6867] | ||
| An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP) | | An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP) | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6932 RFC 6932] | | [https://tools.ietf.org/html/rfc6932 RFC 6932] | ||
| Brainpool Elliptic Curves for the IKE Group Description Registry | | Brainpool Elliptic Curves for the IKE Group Description Registry | ||
| | | | ||
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc6954 RFC 6954] | | [https://tools.ietf.org/html/rfc6954 RFC 6954] | ||
| Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) | | Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) | ||
− | | | + | | |
|- | |- | ||
− | | | + | | N/A |
| [https://tools.ietf.org/html/rfc6989 RFC 6989] | | [https://tools.ietf.org/html/rfc6989 RFC 6989] | ||
| Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) | | Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) | ||
− | | | + | | This work is or needs to be done inside the nss library |
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc7383 RFC 7383] | | [https://tools.ietf.org/html/rfc7383 RFC 7383] | ||
| Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation | | Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc7427 RFC 7427] | | [https://tools.ietf.org/html/rfc7427 RFC 7427] | ||
| Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) | | Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) | ||
− | | | + | | Initial implementation only supports RSA-v1.5. More planned in near future |
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc7619 RFC 7619] | | [https://tools.ietf.org/html/rfc7619 RFC 7619] | ||
| The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2) | | The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2) | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
| [https://tools.ietf.org/html/rfc7634 RFC 7634] | | [https://tools.ietf.org/html/rfc7634 RFC 7634] | ||
| ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec | | ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec | ||
− | | | + | | added in 3.26 |
|- | |- | ||
− | | | + | | - |
| [https://tools.ietf.org/html/rfc7651 RFC 7651] | | [https://tools.ietf.org/html/rfc7651 RFC 7651] | ||
| 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2) | | 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2) | ||
| | | | ||
|- | |- | ||
− | | | + | |p |
| [https://tools.ietf.org/html/rfc7670 RFC 7670] | | [https://tools.ietf.org/html/rfc7670 RFC 7670] | ||
| Generic Raw Public-Key Support for IKEv2 | | Generic Raw Public-Key Support for IKEv2 | ||
+ | | raw RSA public keys are supported using the core IKE RFCs | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc8247 RFC 8247] | ||
+ | | Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2) | ||
| | | | ||
|- | |- | ||
− | | | + | |v |
+ | | [https://tools.ietf.org/html/rfc8229 RFC 8229] | ||
+ | | TCP Encapsulation of IKE and IPsec Packets | ||
+ | | IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS | ||
+ | |- | ||
+ | | - | ||
| [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation] | | [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation] | ||
| IKEv2 Mediation Extension | | IKEv2 Mediation Extension | ||
+ | | | ||
+ | |- | ||
+ | | - | ||
+ | | [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga draft-laganier-ike-ipv6-cga] | ||
+ | | Using IKE with IPv6 Cryptographically Generated Addresses | ||
+ | | | ||
+ | |- | ||
+ | | p | ||
+ | | [https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns draft-ietf-ipsecme-split-dns] | ||
+ | | Split DNS Configuration for IKEv2 | ||
+ | | INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented | ||
+ | |- | ||
+ | | v | ||
+ | | [https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2 draft-ietf-ipsecme-qr-ikev2] | ||
+ | | Postquantum Preshared Keys for IKEv2 | ||
+ | | Implemented in 3.25 | ||
+ | |- | ||
+ | | colspan="4"| IPsec | ||
+ | |- | ||
+ | | v | ||
+ | | [https://tools.ietf.org/html/rfc4301 RFC 4301 ] | ||
+ | | Security Architecture for the Internet Protocol | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4302 RFC 4302 ] | ||
+ | | IP Authentication Header (AH) | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4303 RFC 4303 ] | ||
+ | | IP Encapsulating Security Payload (ESP) | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | | [https://tools.ietf.org/html/rfc4308 RFC 4308 ] | ||
+ | | Cryptographic Suites for IPsec | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc7321 RFC 7321 ] | ||
+ | | Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc2410 RFC 2410 ] | ||
+ | | The NULL Encryption Algorithm and Its Use With IPsec | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc2451 RFC 2451 ] | ||
+ | | The ESP CBC-Mode Cipher Algorithms | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc3602 RFC 3602 ] | ||
+ | | The AES-CBC Cipher Algorithm and Its Use with IPsec | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc3948 RFC 3948 ] | ||
+ | | UDP Encapsulation of IPsec ESP Packets | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc3686 RFC 3686 ] | ||
+ | | Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4106 RFC 4106 ] | ||
+ | | The Use of Galois/Counter Mode (GCM) in IPsec ESP | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4304 RFC 4304 ] | ||
+ | | Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4309 RFC 4309 ] | ||
+ | | Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP | ||
+ | | | ||
+ | |- | ||
+ | |x | ||
+ | | [https://tools.ietf.org/html/rfc4494 RFC 4494 ] | ||
+ | | The AES-CMAC-96 Algorithm and Its Use with IPsec | ||
+ | | | ||
+ | |- | ||
+ | |x | ||
+ | | [https://tools.ietf.org/html/rfc4543 RFC 4543 ] | ||
+ | | The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH | ||
+ | | Kernel support is availble, ike support is not | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc4868 RFC 4868 ] | ||
+ | | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc5114 RFC 5114 ] | ||
+ | | Additional Diffie-Hellman Groups for Use with IETF Standards | ||
+ | | Only DH22,23,24 - remainder planned | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc5529 RFC 5529 ] | ||
+ | | Modes of Operation for Camellia for Use with IPsec | ||
+ | | | ||
+ | |- | ||
+ | |X | ||
+ | | [https://tools.ietf.org/html/rfc5660 RFC 5660 ] | ||
+ | | IPsec Channels: Connection Latching | ||
+ | | | ||
+ | |- | ||
+ | | N/A | ||
+ | | [https://tools.ietf.org/html/rfc5879 RFC 5879 ] | ||
+ | | Heuristics for Detecting ESP-NULL Packets | ||
+ | | | ||
+ | |- | ||
+ | |X | ||
+ | | [https://tools.ietf.org/html/rfc5840 RFC 5840 ] | ||
+ | | Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility | ||
+ | | | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc6379 RFC 6379 ] | ||
+ | | Suite B Cryptographic Suites for IPsec | ||
+ | | Not all ciphers are implemented | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/rfc6380 RFC 6380 ] | ||
+ | | Suite B Profile for Internet Protocol Security (IPsec) | ||
| | | | ||
|- | |- | ||
|? | |? | ||
− | | [https://tools.ietf.org/html/ | + | | [https://tools.ietf.org/html/rfc6479 RFC 6479 ] |
− | | | + | | IPsec Anti-Replay Algorithm without Bit Shifting |
+ | | | ||
+ | |- | ||
+ | |N/A | ||
+ | | [https://tools.ietf.org/html/rfc7018 RFC 7018 ] | ||
+ | | Auto-Discovery VPN Problem Statement and Requirements | ||
| | | | ||
|- | |- | ||
− | + | |v | |
− | + | | [https://tools.ietf.org/html/rfc7321 RFC 7321] | |
− | + | | Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) | |
− | + | | Obsoleted by [http://tools.ietf.org/html/rfc8221 RFC 8221] | |
− | + | |- | |
− | + | |v | |
− | + | | [https://tools.ietf.org/html/rfc8221 RFC 8221] | |
+ | | Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) | ||
+ | | Obsoletes [http://tools.ietf.org/html/rfc7321 RFC 7321] | ||
+ | |- | ||
+ | |v | ||
+ | | [https://tools.ietf.org/html/draft-antony-ipsecme-oppo-nat draft-antony-ipsecme-oppo-nat] | ||
+ | | NAT-Traversal support for Opportunistic IPsec | ||
+ | | Experimental | ||
|} | |} |
Revision as of 23:22, 20 September 2018
The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071 |
Implementation status can be: implemented (v), planned (p), not implemented (-) or will not be implemented (X)
Status | Standard | Description | Comments |
---|---|---|---|
IKEv1 | |||
v | RFC 2407 | IPsec Domain of Interpretation for ISAKMP (IPsec DoI) | |
v | RFC 2408 | Internet Security Association and Key Management Protocol (ISAKMP) | |
v | RFC 2409 | Internet Key Exchange (IKE) | Revised Mode not implemented |
v | RFC 3526 | More Modular Exponential (MODP) Diffie-Hellman groups | |
v | RFC 3706 | A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers | known as "DPD" |
v | RFC 3947 | Negotiation of NAT-Traversal in the IKE | known as "NATT" or "ESPinUDP" |
v | draft-dukes-ike-mode-cfg | The ISAKMP Configuration Method | |
v | draft-ietf-ipsec-isakmp-xauth | Extended Authentication within ISAKMP/Oakley (XAUTH) | |
v | draft-jenkins-ipsec-rekeying | IPsec Re-keying Issues | Implementation differs on some point but accomplishes the same |
X | draft-ietf-ipsec-isakmp-hybrid-auth | A Hybrid Authentication Mode for IKE | |
IKEv2 | |||
v | RFC 4307 | Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) | Obsoleted by RFC 8247 |
v | RFC 7296 | Internet Key Exchange Protocol Version 2 (IKEv2) | Obsoletes RFC 5996 and RFC 4718 |
X | RFC 7815 | Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation | This is a really just a subset of IKEv2 RFC 7296 |
p | RFC 4478 | Repeated Authentication in Internet Key Exchange (IKEv2) Protocol | |
v | RFC 4555 | IKEv2 Mobility and Multihoming Protocol (MOBIKE) | "Additional Addresses" not supported |
- | RFC 4595 | Use of IKEv2 in the Fibre Channel Security Association Management Protocol | |
p | RFC 4615 | The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE | CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library. |
N/A | RFC 4621 | Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol | |
p | RFC 4739 | Multiple Authentication Exchanges in the IKEv2 Protocol | |
v | RFC 4754 | IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) | added in 3.26 |
- | RFC 4806 | Online Certificate Status Protocol (OCSP) Extensions to IKEv2 | Regular OCSP fetching outside of IKE is supported. |
- | RFC 5026 | Mobile IPv6 Bootstrapping in Split Scenario | |
v | RFC 5282 | Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol | Only AES_GCM is implemented. AES_CCM requires support in the nss library |
p | RFC 5685 | Redirect Mechanism for IKEv2 | scheduled for 3.27 |
- | RFC 5857 | IKEv2 Extensions to Support Robust Header Compression over IPsec | |
p | RFC 5723 | Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption | |
- | RFC 5739 | IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) | |
v | RFC 5903 | ECP Groups for IKE and IKEv2 | |
v | RFC 5930 | Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol | |
- | RFC 5998 | An Extension for EAP-only Authentication in IKEv2 | |
- | RFC 6023 | A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) | |
N/A | RFC 6027 | IPsec Cluster Problem Statement | |
- | RFC 6290 | A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) | |
- | RFC 6311 | Protocol Support for High Availability of IKEv2/IPsec | |
- | RFC 6467 | Secure Password Framework for IKEv2 | |
- | RFC 6617 | Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE) | |
- | RFC 6628 | Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2 | |
- | RFC 6631 | Password Authenticated Connection Establishment with IKEv2 | |
- | RFC 6867 | An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP) | |
- | RFC 6932 | Brainpool Elliptic Curves for the IKE Group Description Registry | |
- | RFC 6954 | Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) | |
N/A | RFC 6989 | Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) | This work is or needs to be done inside the nss library |
v | RFC 7383 | Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation | |
v | RFC 7427 | Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) | Initial implementation only supports RSA-v1.5. More planned in near future |
v | RFC 7619 | The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2) | |
v | RFC 7634 | ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec | added in 3.26 |
- | RFC 7651 | 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2) | |
p | RFC 7670 | Generic Raw Public-Key Support for IKEv2 | raw RSA public keys are supported using the core IKE RFCs |
v | RFC 8247 | Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2) | |
v | RFC 8229 | TCP Encapsulation of IKE and IPsec Packets | IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS |
- | draft-brunner-ikev2-mediation | IKEv2 Mediation Extension | |
- | draft-laganier-ike-ipv6-cga | Using IKE with IPv6 Cryptographically Generated Addresses | |
p | draft-ietf-ipsecme-split-dns | Split DNS Configuration for IKEv2 | INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented |
v | draft-ietf-ipsecme-qr-ikev2 | Postquantum Preshared Keys for IKEv2 | Implemented in 3.25 |
IPsec | |||
v | RFC 4301 | Security Architecture for the Internet Protocol | |
v | RFC 4302 | IP Authentication Header (AH) | |
v | RFC 4303 | IP Encapsulating Security Payload (ESP) | |
RFC 4308 | Cryptographic Suites for IPsec | ||
v | RFC 7321 | Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions | |
v | RFC 2410 | The NULL Encryption Algorithm and Its Use With IPsec | |
v | RFC 2451 | The ESP CBC-Mode Cipher Algorithms | |
v | RFC 3602 | The AES-CBC Cipher Algorithm and Its Use with IPsec | |
v | RFC 3948 | UDP Encapsulation of IPsec ESP Packets | |
v | RFC 3686 | Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) | |
v | RFC 4106 | The Use of Galois/Counter Mode (GCM) in IPsec ESP | |
v | RFC 4304 | Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP | |
v | RFC 4309 | Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP | |
x | RFC 4494 | The AES-CMAC-96 Algorithm and Its Use with IPsec | |
x | RFC 4543 | The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH | Kernel support is availble, ike support is not |
v | RFC 4868 | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec | |
v | RFC 5114 | Additional Diffie-Hellman Groups for Use with IETF Standards | Only DH22,23,24 - remainder planned |
v | RFC 5529 | Modes of Operation for Camellia for Use with IPsec | |
X | RFC 5660 | IPsec Channels: Connection Latching | |
N/A | RFC 5879 | Heuristics for Detecting ESP-NULL Packets | |
X | RFC 5840 | Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility | |
v | RFC 6379 | Suite B Cryptographic Suites for IPsec | Not all ciphers are implemented |
v | RFC 6380 | Suite B Profile for Internet Protocol Security (IPsec) | |
? | RFC 6479 | IPsec Anti-Replay Algorithm without Bit Shifting | |
N/A | RFC 7018 | Auto-Discovery VPN Problem Statement and Requirements | |
v | RFC 7321 | Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) | Obsoleted by RFC 8221 |
v | RFC 8221 | Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) | Obsoletes RFC 7321 |
v | draft-antony-ipsecme-oppo-nat | NAT-Traversal support for Opportunistic IPsec | Experimental |