Implemented Standards: Difference between revisions

Revision as of 05:59, 16 June 2022

The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071.

Implementation status can be: implemented (v), planned (p), not implemented (-), will not be implemented (X) and work in progress (wip)

Draft standards can be found at IP Security Maintenance and Extensions

IKEv2

Standard	Description	Status	Comments
RFC 7296	Internet Key Exchange Protocol Version 2 (IKEv2)	v	Obsoletes RFC 5996 and RFC 4718

RFC 8784	Postquantum Preshared Keys for IKEv2	v3.25
RFC 8420	Using the Edwards-Curve Digital Signature Algorithm (EdDSA) in the Internet Key Exchange Protocol Version 2 (IKEv2)	wip	Code is available in a branch, but requires NSS patches - waiting on NSS merge before merging into libreswan
RFC 8247	Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)	v
RFC 8229	TCP Encapsulation of IKE and IPsec Packets	v4.0	IKE over TCP implemented and IKE over ESP supported on Linux 5.6+ kernels. Does not currently support IKE/ESP over TLS
RFC 8019	Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks	-
RFC 7815	Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation	X	This is a really just a subset of IKEv2 RFC 7296
RFC 7670	Generic Raw Public-Key Support for IKEv2	p	raw RSA public keys are supported using the core IKE RFCs
RFC 7651	3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)	-
RFC 7634	ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec	v3.26
RFC 7619	The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)	v
RFC 7427	Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)	v	Implementation supports RSS-PSS (since v3.26) and RSA-v1.5 (since v4.7)
RFC 7383	Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation	v
RFC 7296	Internet Key Exchange Protocol Version 2 (IKEv2)	v	Obsoletes RFC 5996 and RFC 4718
RFC 6989	Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)	N/A	This work is or needs to be done inside the nss library
RFC 6954	Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)	-
RFC 6932	Brainpool Elliptic Curves for the IKE Group Description Registry	-
RFC 6867	An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)	-
RFC 6631	Password Authenticated Connection Establishment with IKEv2	-
RFC 6628	Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2	-
RFC 6617	Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)	-
RFC 6467	Secure Password Framework for IKEv2	-
RFC 6311	Protocol Support for High Availability of IKEv2/IPsec	-
RFC 6290	A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)	p
RFC 6027	IPsec Cluster Problem Statement	N/A
RFC 6023	A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)	-
RFC 5998	An Extension for EAP-only Authentication in IKEv2	wip
RFC 5930	Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol	v
RFC 5903	ECP Groups for IKE and IKEv2	v
RFC 5857	IKEv2 Extensions to Support Robust Header Compression over IPsec	-
RFC 5739	IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)	-
RFC 5723	Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption	wip
RFC 5685	Redirect Mechanism for IKEv2	v3.28
RFC 5282	Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol	v	Only AES_GCM is implemented. AES_CCM requires support in the nss library
RFC 5026	Mobile IPv6 Bootstrapping in Split Scenario	-
RFC 4806	Online Certificate Status Protocol (OCSP) Extensions to IKEv2	-	Regular OCSP fetching outside of IKE is supported.
RFC 4754	IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)	p
RFC 4739	Multiple Authentication Exchanges in the IKEv2 Protocol	p
RFC 4621	Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol	N/A
RFC 4615	The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE	p	CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
RFC 4595	Use of IKEv2 in the Fibre Channel Security Association Management Protocol	-
RFC 4555	IKEv2 Mobility and Multihoming Protocol (MOBIKE)	v	"Additional Addresses" not supported
RFC 4478	Repeated Authentication in Internet Key Exchange (IKEv2) Protocol	p
RFC 4307	Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)	v	Obsoleted by RFC 8247
draft-brunner-ikev2-mediation	IKEv2 Mediation Extension	-
draft-laganier-ike-ipv6-cga	Using IKE with IPv6 Cryptographically Generated Addresses	-
draft-ietf-ipsecme-split-dns	Split DNS Configuration for IKEv2	p	INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented
draft-ietf-ipsecme-ikev2-intermediate	Intermediate Exchange in the IKEv2 Protocol	v	Experimental
draft-ietf-ipsecme-labeled-ipsec	Labeled IPsec Traffic Selector support for IKEv2	v4.4	Internet-Draft
draft-ietf-ipsecme-ikev2-auth-announce	Announcing Supported Authentication Methods in IKEv2		Internet-Draft
draft-pwouters-ipsecme-multi-sa-performance	IKEv2 support for per-queue Child SAs		Internet-Draft

IKEv1

Standard	Description	Status	Comments
RFC 3947	Negotiation of NAT-Traversal in the IKE	v	known as "NATT" or "ESPinUDP"
RFC 3706	A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers	v	known as "DPD"; IKEv2's equivalent is "liveness"
RFC 3526	More Modular Exponential (MODP) Diffie-Hellman groups	v
RFC 2409	Internet Key Exchange (IKE)	v	Revised Mode not implemented
RFC 2408	Internet Security Association and Key Management Protocol (ISAKMP)	v
RFC 2407	IPsec Domain of Interpretation for ISAKMP (IPsec DoI)	v
draft-dukes-ike-mode-cfg	The ISAKMP Configuration Method	v
draft-ietf-ipsec-isakmp-xauth	Extended Authentication within ISAKMP/Oakley (XAUTH)	v
draft-jenkins-ipsec-rekeying	IPsec Re-keying Issues	v	Implementation differs on some point but accomplishes the same
draft-ietf-ipsec-isakmp-hybrid-auth	A Hybrid Authentication Mode for IKE	X

IPsec

Standard	Description	Status	Comments
RFC 4302	IP Authentication Header (AH)	v	Obsoletes: 2402
RFC 4303	IP Encapsulating Security Payload (ESP)	v	Obsoletes: 2406

RFC 8221	Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)	v	Obsoletes RFC 7321
RFC 7321	Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)	v	Obsoleted by RFC 8221
RFC 7018	Auto-Discovery VPN Problem Statement and Requirements	N/A
RFC 6479	IPsec Anti-Replay Algorithm without Bit Shifting	?
RFC 6379	Suite B Cryptographic Suites for IPsec	v	Not all ciphers are implemented
RFC 6380	Suite B Profile for Internet Protocol Security (IPsec)	v
RFC 5879	Heuristics for Detecting ESP-NULL Packets	N/A
RFC 5840	Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility	X
RFC 5660	IPsec Channels: Connection Latching	X
RFC 5529	Modes of Operation for Camellia for Use with IPsec	v
RFC 5114	Additional Diffie-Hellman Groups for Use with IETF Standards	v	Only DH22,23,24 - remainder planned
RFC 4868	Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec	v
RFC 4543	The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH	X	Kernel support is availble, ike support is not
RFC 4494	The AES-CMAC-96 Algorithm and Its Use with IPsec	X
RFC 4309	Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP	v
RFC 4308	Cryptographic Suites for IPsec
RFC 4304	Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP	v
RFC 4303	IP Encapsulating Security Payload (ESP)	v	Obsoletes: 2406
RFC 4302	IP Authentication Header (AH)	v	Obsoletes: 2402
RFC 4301	Security Architecture for the Internet Protocol	v
RFC 4106	The Use of Galois/Counter Mode (GCM) in IPsec ESP	v
RFC 3948	UDP Encapsulation of IPsec ESP Packets	v
RFC 3686	Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)	v
RFC 3602	The AES-CBC Cipher Algorithm and Its Use with IPsec	v
RFC 2451	The ESP CBC-Mode Cipher Algorithms	v
RFC 2410	The NULL Encryption Algorithm and Its Use With IPsec	v
draft-antony-ipsecme-oppo-nat	NAT-Traversal support for Opportunistic IPsec	v	Experimental

EAP

Standard	Description	Status	Comments
RFC-9190	EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3	v4.7
RFC-5998	An Extension for EAP-Only Authentication in IKEv2	v4.7?
RFC-5216	The EAP-TLS Authentication Protocol		Updated by RFC-9190
RFC-3748	Extensible Authentication Protocol (EAP)
RFC-2716	PPP EAP TLS Authentication Protocol		Obsoleted by RFC-5216

PF KEY V2

most BSD derived systems implement a flavour of PF KEY v2 using the KAME code base as a starting point
even Linux, which implements XFRM, has borrowed concepts from PF KEY v2

Standard	Description	Status	Comments
RFC-2367	PF_KEY Key Management API, Version 2	v4.7	SADB messages to set up kernel state on BSD machines
draft-schilcher-mobike-pfkey-extension-01	MOBIKE Extensions for PF_KEY	v4.7	also defines KAME's SPD extensions to set up kernel policy on BSD machine
PF_KEY Extensions for IPsec Policy Management in KAME Stack	Post to KAME mailing list about PF KEY		Some background

Implemented Standards: Difference between revisions

Revision as of 05:59, 16 June 2022

Contents

IKEv2

IKEv1

IPsec

EAP

PF KEY V2

Navigation menu

Implemented Standards: Difference between revisions

Revision as of 05:59, 16 June 2022

IKEv2

IKEv1

IPsec

EAP

PF KEY V2

Navigation menu

Search