Implemented Standards: Difference between revisions

Revision as of 20:59, 18 December 2017

The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071 |

Implementation status can be: implemented (v), planned (p), not implemented (-) or will not be implemented (X)

Status	Standard	Description	Comments
IKEv1
v	RFC 2407	IPsec Domain of Interpretation for ISAKMP (IPsec DoI)
v	RFC 2408	Internet Security Association and Key Management Protocol (ISAKMP)
v	RFC 2409	Internet Key Exchange (IKE)	Revised Mode not implemented
v	RFC 3526	More Modular Exponential (MODP) Diffie-Hellman groups
v	RFC 3706	A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers	known as "DPD"
v	RFC 3947	Negotiation of NAT-Traversal in the IKE	known as "NATT" or "ESPinUDP"
v	draft-dukes-ike-mode-cfg	The ISAKMP Configuration Method
v	draft-ietf-ipsec-isakmp-xauth	Extended Authentication within ISAKMP/Oakley (XAUTH)
v	draft-jenkins-ipsec-rekeying	IPsec Re-keying Issues	Implementation differs on some point but accomplishes the same
X	draft-ietf-ipsec-isakmp-hybrid-auth	A Hybrid Authentication Mode for IKE
IKEv2
v	RFC 4307	Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)	Obsoleted by RFC 8247
v	RFC 7296	Internet Key Exchange Protocol Version 2 (IKEv2)	Obsoletes RFC 5996 and RFC 4718
X	RFC 7815	Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation	This is a really just a subset of IKEv2 RFC 7296
p	RFC 4478	Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
p	RFC 4555	IKEv2 Mobility and Multihoming Protocol (MOBIKE)
-	RFC 4595	Use of IKEv2 in the Fibre Channel Security Association Management Protocol
-	RFC 6515	The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE	CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
p	RFC 4621	Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
p	RFC 4739	Multiple Authentication Exchanges in the IKEv2 Protocol
p	RFC 4754	IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
-	RFC 4806	Online Certificate Status Protocol (OCSP) Extensions to IKEv2	Regular OCSP fetching outside of IKE is supported.
-	RFC 5026	Mobile IPv6 Bootstrapping in Split Scenario
v	RFC 5282	Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol	Only AES_GCM is implemented. AES_CCM requires support in the nss library
-	RFC 5685	Redirect Mechanism for IKEv2
-	RFC 5857	IKEv2 Extensions to Support Robust Header Compression over IPsec
p	RFC 5723	Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
-	RFC 5739	IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
v	RFC 5903	ECP Groups for IKE and IKEv2
v	RFC 5930	Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
-	RFC 5998	An Extension for EAP-only Authentication in IKEv2
-	RFC 6023	A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
N/A	RFC 6027	IPsec Cluster Problem Statement
-	RFC 6290	A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
-	RFC 6311	Protocol Support for High Availability of IKEv2/IPsec
-	RFC 6467	Secure Password Framework for IKEv2
-	RFC 6617	Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
-	RFC 6628	Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
-	RFC 6631	Password Authenticated Connection Establishment with IKEv2
-	RFC 6867	An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
-	RFC 6932	Brainpool Elliptic Curves for the IKE Group Description Registry
-	RFC 6954	Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
-	RFC 6989	Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)	This work is or needs to be done inside the nss library
v	RFC 7383	Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
v	RFC 7427	Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)	Initial implementation only supports RSA-v1.5. More planned in near future
v	RFC 7619	The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
p	RFC 7634	ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
-	RFC 7651	3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
p	RFC 7670	Generic Raw Public-Key Support for IKEv2	raw RSA public keys are supported using the core IKE RFCs
v	RFC 8247	Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)
-	draft-brunner-ikev2-mediation	IKEv2 Mediation Extension
-	draft-laganier-ike-ipv6-cga	Using IKE with IPv6 Cryptographically Generated Addresses
IPsec
v	RFC 4301	Security Architecture for the Internet Protocol
v	RFC 4302	IP Authentication Header (AH)
v	RFC 4303	IP Encapsulating Security Payload (ESP)
	RFC 4308	Cryptographic Suites for IPsec
v	RFC 7321	Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions
v	RFC 2410	The NULL Encryption Algorithm and Its Use With IPsec
v	RFC 2451	The ESP CBC-Mode Cipher Algorithms
v	RFC 3602	The AES-CBC Cipher Algorithm and Its Use with IPsec
v	RFC 3948	UDP Encapsulation of IPsec ESP Packets
v	RFC 3686	Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
v	RFC 4106	The Use of Galois/Counter Mode (GCM) in IPsec ESP
v	RFC 4304	Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP
v	RFC 4309	Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP
x	RFC 4494	The AES-CMAC-96 Algorithm and Its Use with IPsec
x	RFC 4543	The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH	Kernel support is availble, ike support is not
v	RFC 4868	Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
v	RFC 5114	Additional Diffie-Hellman Groups for Use with IETF Standards	Only DH22,23,24 - remainder planned
v	RFC 5529	Modes of Operation for Camellia for Use with IPsec
X	RFC 5660	IPsec Channels: Connection Latching
N/A	RFC 5879	Heuristics for Detecting ESP-NULL Packets
X	RFC 5840	Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility
v	RFC 6379	Suite B Cryptographic Suites for IPsec	Not all ciphers are implemented
v	RFC 6380	Suite B Profile for Internet Protocol Security (IPsec)
?	RFC 6479	IPsec Anti-Replay Algorithm without Bit Shifting
N/A	RFC 7018	Auto-Discovery VPN Problem Statement and Requirements
v	RFC 7321	Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)	Obsoleted by RFC 8221
v	RFC 8221	Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)	Obsoletes RFC 7321
v	draft-antony-ipsecme-oppo-nat	NAT-Traversal support for Opportunistic IPsec	Experimental

@@ Line 68: / Line 68: @@
 | [http://tools.ietf.org/html/rfc4307 RFC 4307]
 | Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
-|
+| Obsoleted by [http://tools.ietf.org/html/rfc8247 RFC 8247]
 |-
 | v
@@ Line 98: / Line 98: @@
 | [https://tools.ietf.org/html/rfc6515 RFC 6515]
 | The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
-|
+| CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
 |-
 |p
@@ Line 150: / Line 150: @@
 |
 |-
-|p
+|v
 | [https://tools.ietf.org/html/rfc5903 RFC 5903]
 | ECP Groups for IKE and IKEv2
@@ Line 230: / Line 230: @@
 |
 |-
-|p
+|v
 | [https://tools.ietf.org/html/rfc7427 RFC 7427]
 | Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
-|
+| Initial implementation only supports RSA-v1.5. More planned in near future
 |-
 |v
@@ Line 254: / Line 254: @@
 | Generic Raw Public-Key Support for IKEv2
 | raw RSA public keys are supported using the core IKE RFCs
+|-
+|v
+| [https://tools.ietf.org/html/rfc8247  RFC 8247]
+| Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)
+|
 |-
 | -
@@ Line 263: / Line 268: @@
 | [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga draft-laganier-ike-ipv6-cga]
 |  Using IKE with IPv6 Cryptographically Generated Addresses
-|
-|-
-|v
-| [https://tools.ihttps://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis draft-ietf-ipsecme-rfc4307bis]
-|
-|-
-|v
-| [https://tools.ietf.org/html/draft-mglt-ipsecme-rfc7321bis draft-mglt-ipsecme-rfc7321bis]
 |
 |-
@@ Line 399: / Line 396: @@
 | Auto-Discovery VPN Problem Statement and Requirements
 |
+|-
+|v
+| [https://tools.ietf.org/html/rfc7321 RFC 7321]
+| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
+| Obsoleted by [http://tools.ietf.org/html/rfc8221 RFC 8221]
+|-
+|v
+| [https://tools.ietf.org/html/rfc8221 RFC 8221]
+| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
+| Obsoletes [http://tools.ietf.org/html/rfc7321 RFC 7321]
 |-
 |v

Implemented Standards: Difference between revisions

Revision as of 20:59, 18 December 2017

Navigation menu

Search