| draft-ietf-ipsecme-ikev1-algo-to-historic-07.txt | draft-ietf-ipsecme-ikev1-algo-to-historic-09.txt | |||
|---|---|---|---|---|
| Network P. Wouters, Ed. | Network P. Wouters, Ed. | |||
| Internet-Draft Aiven | Internet-Draft Aiven | |||
| Updates: 8221, 8247 (if approved) 11 October 2022 | Updates: 8221, 8247 (if approved) 19 December 2022 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 14 April 2023 | Expires: 22 June 2023 | |||
| Deprecation of IKEv1 and obsoleted algorithms | Deprecation of IKEv1 and obsoleted algorithms | |||
| draft-ietf-ipsecme-ikev1-algo-to-historic-07 | draft-ietf-ipsecme-ikev1-algo-to-historic-09 | |||
| Abstract | Abstract | |||
| Internet Key Exchange version 1 (IKEv1) has been deprecated and its | Internet Key Exchange version 1 (IKEv1) has been deprecated and its | |||
| specification in RFC2407, RFC2408 and RFC2409 have been moved to | specification in RFC2407, RFC2408 and RFC2409 have been moved to | |||
| Historic status. A number of old algorithms that are associated with | Historic status. This document updates RFC 8221 and RFC 8247 to | |||
| IKEv1, and not widely implemented for IKEv2 are deprecated as well. | reflect the usage guidelines of old algorithms that are associated | |||
| This document updates RFC 8221 and RFC 8247 and adds a Status column | with IKEv1, and are not specified or commonly implemented for IKEv2. | |||
| to the IANA IKEv2 Transform Type registries that shows the | This document further updates the IANA IKEv2 Transform Type | |||
| deprecation status. | registries to add a Status column where deprecation status can be | |||
| listed. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 14 April 2023. | This Internet-Draft will expire on 22 June 2023. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 4, line 7 ¶ | skipping to change at page 4, line 7 ¶ | |||
| PAKE support and is actively worked on with respect to defending | PAKE support and is actively worked on with respect to defending | |||
| against quantum computer attacks. | against quantum computer attacks. | |||
| IKEv1-only systems should be upgraded or replaced by systems | IKEv1-only systems should be upgraded or replaced by systems | |||
| supporting IKEv2. IKEv2 implementations SHOULD NOT directly import | supporting IKEv2. IKEv2 implementations SHOULD NOT directly import | |||
| IKEv1 configurations without updating the cryptographic algorithms | IKEv1 configurations without updating the cryptographic algorithms | |||
| used. | used. | |||
| 4. IKEv1 feature equivalents for IKEv2 | 4. IKEv1 feature equivalents for IKEv2 | |||
| A few notably IKEv1 features are not present in the IKEv2 core | A few notable IKEv1 features are not present in the IKEv2 core | |||
| specification [RFC7296] but are available for IKEv2 via an additional | specification [RFC7296] but are available for IKEv2 via an additional | |||
| specification: | specification: | |||
| 4.1. IKEv2 postquantum support | 4.1. IKEv2 postquantum support | |||
| IKEv1 and its way of using Preshared Keys (PSKs) protects against | IKEv1 and its way of using Preshared Keys (PSKs) protects against | |||
| quantum computer based attacks. IKEv2 updated its use of PSK to | quantum computer based attacks. IKEv2 updated its use of PSK to | |||
| improve the error reporting, but at the expense of post-quantum | improve the error reporting, but at the expense of post-quantum | |||
| security. If post-quantum security is required, these systems should | security. If post-quantum security is required, these systems should | |||
| be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [RFC8784] | be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [RFC8784] | |||
| 4.2. IKEv2 Labeled IPsec support | 4.2. IKEv2 Labeled IPsec support | |||
| Some IKEv1 implementations support Labeled IPsec, a method to | Some IKEv1 implementations support Labeled IPsec, a method to | |||
| negotiate an addition Security Context selector to the SPD, but this | negotiate an additional Security Context selector to the SPD, but | |||
| method was never standarized in IKEv1. Those IKEv1 systems that | this method was never standardized in IKEv1. Those IKEv1 systems | |||
| require Labeled IPsec should migrate to an IKEv2 system supporting | that require Labeled IPsec should migrate to an IKEv2 system | |||
| Labeled IPsec as specified in [draft-ietf-ipsecme-labeled-ipsec]. | supporting Labeled IPsec as specified in | |||
| [draft-ietf-ipsecme-labeled-ipsec]. | ||||
| 4.3. IKEv2 Group SA / Multicast support | 4.3. IKEv2 Group SA / Multicast support | |||
| The Group Domain of Interpretation (GDOI, [RFC6407]) protocol, based | The Group Domain of Interpretation (GDOI, [RFC6407]) protocol, based | |||
| on IKEv1 defines the support for Multicast Group SAs. For IKEv2, | on IKEv1 defines the support for Multicast Group SAs. For IKEv2, | |||
| this work is currently in progress via [draft-ietf-ipsecme-g-ikev2] | this work is currently in progress via [draft-ietf-ipsecme-g-ikev2] | |||
| 5. Deprecating obsolete algorithms | 5. Deprecating obsolete algorithms | |||
| This document deprecates the following algorithms: | This document deprecates the following algorithms: | |||
| skipping to change at page 5, line 10 ¶ | skipping to change at page 5, line 14 ¶ | |||
| The deprecated algorithms have long been in disuse and are no longer | The deprecated algorithms have long been in disuse and are no longer | |||
| actively deployed or researched. It presents an unknown security | actively deployed or researched. It presents an unknown security | |||
| risk that is best avoided. Additionally, these algorithms not being | risk that is best avoided. Additionally, these algorithms not being | |||
| supported in implementations simplifies those implementations and | supported in implementations simplifies those implementations and | |||
| reduces the accidental use of these deprecated algorithms through | reduces the accidental use of these deprecated algorithms through | |||
| misconfiguration or downgrade attacks. | misconfiguration or downgrade attacks. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document instructs IANA to add an additional Status column to | This document instructs IANA to insert the following line at the top | |||
| the IKEv2 Transform Type registries and mark the following entries as | of the Notes section of the 'Internet Key Exchange (IKE) Attributes' | |||
| DEPRECATED: | registry and the '"Magic Numbers" for ISAKMP Protocol' registry: All | |||
| registries listed below have been closed, see RFCxxxx. [Note to RFC | ||||
| Editor: change RFCxxx to this document's RFC number] | ||||
| This document further instructs IANA to add an additional Status | ||||
| column to the IKEv2 Transform Type registries and mark the following | ||||
| entries as DEPRECATED: | ||||
| Transform Type 1 - Encryption Algorithm IDs | Transform Type 1 - Encryption Algorithm IDs | |||
| Number Name Status | Number Name Status | |||
| ------ --------------- ------ | ------ --------------- ------ | |||
| 1 ENCR_DES_IV64 DEPRECATED [this document] | 1 ENCR_DES_IV64 DEPRECATED [this document] | |||
| 2 ENCR_DES DEPRECATED [RFC8247] | 2 ENCR_DES DEPRECATED [RFC8247] | |||
| 4 ENCR_RC5 DEPRECATED [this document] | 4 ENCR_RC5 DEPRECATED [this document] | |||
| 5 ENCR_IDEA DEPRECATED [this document] | 5 ENCR_IDEA DEPRECATED [this document] | |||
| 6 ENCR_CAST DEPRECATED [this document] | 6 ENCR_CAST DEPRECATED [this document] | |||
| skipping to change at page 5, line 34 ¶ | skipping to change at page 5, line 44 ¶ | |||
| 8 ENCR_3IDEA DEPRECATED [this document] | 8 ENCR_3IDEA DEPRECATED [this document] | |||
| 9 ENCR_DES_IV32 DEPRECATED [this document] | 9 ENCR_DES_IV32 DEPRECATED [this document] | |||
| Figure 1 | Figure 1 | |||
| Transform Type 2 - Pseudorandom Function Transform IDs | Transform Type 2 - Pseudorandom Function Transform IDs | |||
| Number Name Status | Number Name Status | |||
| ------ ------------ ---------- | ------ ------------ ---------- | |||
| 1 PRF_HMAC_MD5 DEPRECATED [RFC8247] | 1 PRF_HMAC_MD5 DEPRECATED [RFC8247] | |||
| 1 PRF_HMAC_TIGER DEPRECATED [this document] | 3 PRF_HMAC_TIGER DEPRECATED [this document] | |||
| Figure 2 | Figure 2 | |||
| Transform Type 3 - Integrity Algorithm Transform IDs | Transform Type 3 - Integrity Algorithm Transform IDs | |||
| Number Name Status | Number Name Status | |||
| ------ ----------------- ---------- | ------ ----------------- ---------- | |||
| 1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247] | 1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247] | |||
| 3 AUTH_DES_MAC DEPRECATED [RFC8247] | 3 AUTH_DES_MAC DEPRECATED [RFC8247] | |||
| 4 AUTH_KPDK_MD5 DEPRECATED [RFC8247] | 4 AUTH_KPDK_MD5 DEPRECATED [RFC8247] | |||
| End of changes. 9 change blocks. | ||||
| 18 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||