draft-ietf-ipsecme-ikev1-algo-to-historic-07.txt | draft-ietf-ipsecme-ikev1-algo-to-historic-09.txt | |||
---|---|---|---|---|
Network P. Wouters, Ed. | Network P. Wouters, Ed. | |||
Internet-Draft Aiven | Internet-Draft Aiven | |||
Updates: 8221, 8247 (if approved) 11 October 2022 | Updates: 8221, 8247 (if approved) 19 December 2022 | |||
Intended status: Standards Track | Intended status: Standards Track | |||
Expires: 14 April 2023 | Expires: 22 June 2023 | |||
Deprecation of IKEv1 and obsoleted algorithms | Deprecation of IKEv1 and obsoleted algorithms | |||
draft-ietf-ipsecme-ikev1-algo-to-historic-07 | draft-ietf-ipsecme-ikev1-algo-to-historic-09 | |||
Abstract | Abstract | |||
Internet Key Exchange version 1 (IKEv1) has been deprecated and its | Internet Key Exchange version 1 (IKEv1) has been deprecated and its | |||
specification in RFC2407, RFC2408 and RFC2409 have been moved to | specification in RFC2407, RFC2408 and RFC2409 have been moved to | |||
Historic status. A number of old algorithms that are associated with | Historic status. This document updates RFC 8221 and RFC 8247 to | |||
IKEv1, and not widely implemented for IKEv2 are deprecated as well. | reflect the usage guidelines of old algorithms that are associated | |||
This document updates RFC 8221 and RFC 8247 and adds a Status column | with IKEv1, and are not specified or commonly implemented for IKEv2. | |||
to the IANA IKEv2 Transform Type registries that shows the | This document further updates the IANA IKEv2 Transform Type | |||
deprecation status. | registries to add a Status column where deprecation status can be | |||
listed. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 14 April 2023. | This Internet-Draft will expire on 22 June 2023. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
skipping to change at page 4, line 7 ¶ | skipping to change at page 4, line 7 ¶ | |||
PAKE support and is actively worked on with respect to defending | PAKE support and is actively worked on with respect to defending | |||
against quantum computer attacks. | against quantum computer attacks. | |||
IKEv1-only systems should be upgraded or replaced by systems | IKEv1-only systems should be upgraded or replaced by systems | |||
supporting IKEv2. IKEv2 implementations SHOULD NOT directly import | supporting IKEv2. IKEv2 implementations SHOULD NOT directly import | |||
IKEv1 configurations without updating the cryptographic algorithms | IKEv1 configurations without updating the cryptographic algorithms | |||
used. | used. | |||
4. IKEv1 feature equivalents for IKEv2 | 4. IKEv1 feature equivalents for IKEv2 | |||
A few notably IKEv1 features are not present in the IKEv2 core | A few notable IKEv1 features are not present in the IKEv2 core | |||
specification [RFC7296] but are available for IKEv2 via an additional | specification [RFC7296] but are available for IKEv2 via an additional | |||
specification: | specification: | |||
4.1. IKEv2 postquantum support | 4.1. IKEv2 postquantum support | |||
IKEv1 and its way of using Preshared Keys (PSKs) protects against | IKEv1 and its way of using Preshared Keys (PSKs) protects against | |||
quantum computer based attacks. IKEv2 updated its use of PSK to | quantum computer based attacks. IKEv2 updated its use of PSK to | |||
improve the error reporting, but at the expense of post-quantum | improve the error reporting, but at the expense of post-quantum | |||
security. If post-quantum security is required, these systems should | security. If post-quantum security is required, these systems should | |||
be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [RFC8784] | be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [RFC8784] | |||
4.2. IKEv2 Labeled IPsec support | 4.2. IKEv2 Labeled IPsec support | |||
Some IKEv1 implementations support Labeled IPsec, a method to | Some IKEv1 implementations support Labeled IPsec, a method to | |||
negotiate an addition Security Context selector to the SPD, but this | negotiate an additional Security Context selector to the SPD, but | |||
method was never standarized in IKEv1. Those IKEv1 systems that | this method was never standardized in IKEv1. Those IKEv1 systems | |||
require Labeled IPsec should migrate to an IKEv2 system supporting | that require Labeled IPsec should migrate to an IKEv2 system | |||
Labeled IPsec as specified in [draft-ietf-ipsecme-labeled-ipsec]. | supporting Labeled IPsec as specified in | |||
[draft-ietf-ipsecme-labeled-ipsec]. | ||||
4.3. IKEv2 Group SA / Multicast support | 4.3. IKEv2 Group SA / Multicast support | |||
The Group Domain of Interpretation (GDOI, [RFC6407]) protocol, based | The Group Domain of Interpretation (GDOI, [RFC6407]) protocol, based | |||
on IKEv1 defines the support for Multicast Group SAs. For IKEv2, | on IKEv1 defines the support for Multicast Group SAs. For IKEv2, | |||
this work is currently in progress via [draft-ietf-ipsecme-g-ikev2] | this work is currently in progress via [draft-ietf-ipsecme-g-ikev2] | |||
5. Deprecating obsolete algorithms | 5. Deprecating obsolete algorithms | |||
This document deprecates the following algorithms: | This document deprecates the following algorithms: | |||
skipping to change at page 5, line 10 ¶ | skipping to change at page 5, line 14 ¶ | |||
The deprecated algorithms have long been in disuse and are no longer | The deprecated algorithms have long been in disuse and are no longer | |||
actively deployed or researched. It presents an unknown security | actively deployed or researched. It presents an unknown security | |||
risk that is best avoided. Additionally, these algorithms not being | risk that is best avoided. Additionally, these algorithms not being | |||
supported in implementations simplifies those implementations and | supported in implementations simplifies those implementations and | |||
reduces the accidental use of these deprecated algorithms through | reduces the accidental use of these deprecated algorithms through | |||
misconfiguration or downgrade attacks. | misconfiguration or downgrade attacks. | |||
7. IANA Considerations | 7. IANA Considerations | |||
This document instructs IANA to add an additional Status column to | This document instructs IANA to insert the following line at the top | |||
the IKEv2 Transform Type registries and mark the following entries as | of the Notes section of the 'Internet Key Exchange (IKE) Attributes' | |||
DEPRECATED: | registry and the '"Magic Numbers" for ISAKMP Protocol' registry: All | |||
registries listed below have been closed, see RFCxxxx. [Note to RFC | ||||
Editor: change RFCxxx to this document's RFC number] | ||||
This document further instructs IANA to add an additional Status | ||||
column to the IKEv2 Transform Type registries and mark the following | ||||
entries as DEPRECATED: | ||||
Transform Type 1 - Encryption Algorithm IDs | Transform Type 1 - Encryption Algorithm IDs | |||
Number Name Status | Number Name Status | |||
------ --------------- ------ | ------ --------------- ------ | |||
1 ENCR_DES_IV64 DEPRECATED [this document] | 1 ENCR_DES_IV64 DEPRECATED [this document] | |||
2 ENCR_DES DEPRECATED [RFC8247] | 2 ENCR_DES DEPRECATED [RFC8247] | |||
4 ENCR_RC5 DEPRECATED [this document] | 4 ENCR_RC5 DEPRECATED [this document] | |||
5 ENCR_IDEA DEPRECATED [this document] | 5 ENCR_IDEA DEPRECATED [this document] | |||
6 ENCR_CAST DEPRECATED [this document] | 6 ENCR_CAST DEPRECATED [this document] | |||
skipping to change at page 5, line 34 ¶ | skipping to change at page 5, line 44 ¶ | |||
8 ENCR_3IDEA DEPRECATED [this document] | 8 ENCR_3IDEA DEPRECATED [this document] | |||
9 ENCR_DES_IV32 DEPRECATED [this document] | 9 ENCR_DES_IV32 DEPRECATED [this document] | |||
Figure 1 | Figure 1 | |||
Transform Type 2 - Pseudorandom Function Transform IDs | Transform Type 2 - Pseudorandom Function Transform IDs | |||
Number Name Status | Number Name Status | |||
------ ------------ ---------- | ------ ------------ ---------- | |||
1 PRF_HMAC_MD5 DEPRECATED [RFC8247] | 1 PRF_HMAC_MD5 DEPRECATED [RFC8247] | |||
1 PRF_HMAC_TIGER DEPRECATED [this document] | 3 PRF_HMAC_TIGER DEPRECATED [this document] | |||
Figure 2 | Figure 2 | |||
Transform Type 3 - Integrity Algorithm Transform IDs | Transform Type 3 - Integrity Algorithm Transform IDs | |||
Number Name Status | Number Name Status | |||
------ ----------------- ---------- | ------ ----------------- ---------- | |||
1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247] | 1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247] | |||
3 AUTH_DES_MAC DEPRECATED [RFC8247] | 3 AUTH_DES_MAC DEPRECATED [RFC8247] | |||
4 AUTH_KPDK_MD5 DEPRECATED [RFC8247] | 4 AUTH_KPDK_MD5 DEPRECATED [RFC8247] | |||
End of changes. 9 change blocks. | ||||
18 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |