rfc7634v1.txt   rfc7634.txt 
skipping to change at page 2, line 18 skipping to change at page 2, line 18
1.1. Conventions Used in This Document . . . . . . . . . . . . 3 1.1. Conventions Used in This Document . . . . . . . . . . . . 3
2. ChaCha20 and Poly1305 for ESP . . . . . . . . . . . . . . . . 3 2. ChaCha20 and Poly1305 for ESP . . . . . . . . . . . . . . . . 3
2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 5 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 5
3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 6 4. Negotiation in IKEv2 . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . 8 7.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 8 Appendix A. ESP Example . . . . . . . . . . . . . . . . . . . . 9
Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 11 Appendix B. IKEv2 Example . . . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The Advanced Encryption Standard (AES) [FIPS-197] has become the go- The Advanced Encryption Standard (AES) [FIPS-197] has become the go-
to algorithm for encryption. It is now the most commonly used to algorithm for encryption. It is now the most commonly used
algorithm in many areas, including IPsec Virtual Private Networks algorithm in many areas, including IPsec Virtual Private Networks
(VPNs). On most modern platforms, AES is anywhere from four to ten (VPNs). On most modern platforms, AES is anywhere from four to ten
skipping to change at page 5, line 48 skipping to change at page 5, line 50
o The Integrity Check Value field contains the 16-octet tag. o The Integrity Check Value field contains the 16-octet tag.
2.1. AAD Construction 2.1. AAD Construction
The construction of the Additional Authenticated Data (AAD) is The construction of the Additional Authenticated Data (AAD) is
similar to the one in [RFC4106]. For security associations (SAs) similar to the one in [RFC4106]. For security associations (SAs)
with 32-bit sequence numbers, the AAD is 8 octets: a 4-octet SPI with 32-bit sequence numbers, the AAD is 8 octets: a 4-octet SPI
followed by a 4-octet sequence number ordered exactly as it is in the followed by a 4-octet sequence number ordered exactly as it is in the
packet. For SAs with an Extended Sequence Number (ESN), the AAD is packet. For SAs with an Extended Sequence Number (ESN), the AAD is
12 octets: a 4-octet SPI followed by an 8-octet sequence number as a 12 octets: a 4-octet SPI followed by an 8-octet sequence number as a
64-bit integer in network byte order. 64-bit integer in big-endian byte order.
3. Use in IKEv2 3. Use in IKEv2
AEAD algorithms can be used in IKE, as described in [RFC5282]. More AEAD algorithms can be used in IKE, as described in [RFC5282]. More
specifically: specifically:
o The Encrypted Payload is as described in Section 3 of RFC 5282. o The Encrypted Payload is as described in Section 3 of RFC 5282.
o The ChaCha20-Poly1305 keying material is derived similarly to ESP: o The ChaCha20-Poly1305 keying material is derived similarly to ESP:
36 octets are requested for each of SK_ei and SK_er, of which the 36 octets are requested for each of SK_ei and SK_er, of which the
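Review bot: in Section 2.1 the two AAD cases still describe byte order in different terms. The 32-bit case says the sequence number is "ordered exactly as it is in the packet", while the ESN case, after this change, says "big-endian byte order". Both are workable, but one term used for both cases would remove any doubt that the 4-octet and 8-octet forms are serialized the same way. The opening sentence also says the construction is "similar to the one in [RFC4106]"; if the AAD layout is meant to be identical, say so, and if not, name the difference.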
skipping to change at page 7, line 32 skipping to change at page 7, line 32
algorithm described in this document in the "Transform Type 1 - algorithm described in this document in the "Transform Type 1 -
Encryption Algorithm Transform IDs" registry with name Encryption Algorithm Transform IDs" registry with name
ENCR_CHACHA20_POLY1305 and this document as reference for both ESP ENCR_CHACHA20_POLY1305 and this document as reference for both ESP
and IKEv2. and IKEv2.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>. <http://www.rfc-editor.org/info/rfc4303>.
[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption
Algorithms with the Encrypted Payload of the Internet Key Algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) Protocol", RFC 5282, DOI Exchange version 2 (IKEv2) Protocol", RFC 5282,
10.17487/RFC5282, August 2008, DOI 10.17487/RFC5282, August 2008,
<http://www.rfc-editor.org/info/rfc5282>. <http://www.rfc-editor.org/info/rfc5282>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <http://www.rfc-editor.org/info/rfc7296>. 2014, <http://www.rfc-editor.org/info/rfc7296>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<http://www.rfc-editor.org/info/rfc7539>. <http://www.rfc-editor.org/info/rfc7539>.
skipping to change at page 8, line 28 skipping to change at page 8, line 28
National Institute of Standards and Technology, "Advanced National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001, Encryption Standard (AES)", FIPS PUB 197, November 2001,
<http://csrc.nist.gov/publications/fips/fips197/ <http://csrc.nist.gov/publications/fips/fips197/
fips-197.pdf>. fips-197.pdf>.
[RFC1761] Callaghan, B. and R. Gilligan, "Snoop Version 2 Packet [RFC1761] Callaghan, B. and R. Gilligan, "Snoop Version 2 Packet
Capture File Format", RFC 1761, DOI 10.17487/RFC1761, Capture File Format", RFC 1761, DOI 10.17487/RFC1761,
February 1995, <http://www.rfc-editor.org/info/rfc1761>. February 1995, <http://www.rfc-editor.org/info/rfc1761>.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", RFC (GCM) in IPsec Encapsulating Security Payload (ESP)",
4106, DOI 10.17487/RFC4106, June 2005, RFC 4106, DOI 10.17487/RFC4106, June 2005,
<http://www.rfc-editor.org/info/rfc4106>. <http://www.rfc-editor.org/info/rfc4106>.
[SP800-67] [SP800-67]
National Institute of Standards and Technology, National Institute of Standards and Technology,
"Recommendation for the Triple Data Encryption Algorithm "Recommendation for the Triple Data Encryption Algorithm
(TDEA) Block Cipher", FIPS SP800-67, January 2012, (TDEA) Block Cipher", FIPS SP800-67, January 2012,
<http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/ <http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/
SP-800-67-Rev1.pdf>. SP-800-67-Rev1.pdf>.
[Standby-Cipher] [Standby-Cipher]
McGrew, D., Grieco, A., and Y. Sheffer, "Selection of McGrew, D., Grieco, A., and Y. Sheffer, "Selection of
Future Cryptographic Standards", Work in Progress draft- Future Cryptographic Standards", Work in Progress
mcgrew-standby-cipher-00, January 2013. draft-mcgrew-standby-cipher-00, January 2013.
Appendix A. ESP Example Appendix A. ESP Example
For this example, we will use a tunnel-mode ESP SA using the For this example, we will use a tunnel-mode ESP SA using the
ChaCha20-Poly1305 algorithm. The keying material is as follows: ChaCha20-Poly1305 algorithm. The keying material is as follows:
KEYMAT: KEYMAT:
000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................
016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................
032 a0 a1 a2 a3 .... 032 a0 a1 a2 a3 ....
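Review bot: in the unchanged [SP800-67] entry the series is given as "FIPS SP800-67"; SP 800-67 is a NIST Special Publication, not a FIPS publication, so "NIST SP 800-67" would be the accurate label. The rewraps of [RFC4106] and [Standby-Cipher] only keep "RFC 4106" and "draft-mcgrew-standby-cipher-00" on one line and change no content.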
skipping to change at page 11, line 31 skipping to change at page 11, line 38
o The Salt is 0xa0 0xa1 0xa2 0xa3. o The Salt is 0xa0 0xa1 0xa2 0xa3.
o The IV will also be the same as in the previous example. The fact o The IV will also be the same as in the previous example. The fact
that the IV and Salt are both the same means that the nonce is that the IV and Salt are both the same means that the nonce is
also the same. also the same.
o Because the key and nonce are the same, so is the one-time o Because the key and nonce are the same, so is the one-time
Poly1305 key. Poly1305 key.
o The packet will be an Informational request carrying a single o The packet will be an INFORMATIONAL request carrying a single
payload: a Notify payload with type SET_WINDOW_SIZE, setting the payload: a Notify payload with type SET_WINDOW_SIZE, setting the
window size to 10. window size to 10.
o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. o iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7.
o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. o rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7.
o Message ID shall be 9. o Message ID shall be 9.
The Notify Payload: The Notify Payload:
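Review bot: the unchanged bullets above the edited one state that the Salt, IV, nonce and one-time Poly1305 key are all the same as in the previous example. It would help to say explicitly that this reuse is a convenience for the test vectors, since a key and nonce pair shared between two SAs is what an AEAD deployment has to avoid. The capitalisation change to "INFORMATIONAL" looks fine. "Message ID shall be 9" uses "shall" in an example while [RFC2119] is a normative reference; "Message ID is 9" would avoid reading it as a requirement.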
skipping to change at page 12, line 43 skipping to change at page 13, line 9
000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................ 000 c0 c1 c2 c3 c4 c5 c6 c7 d0 d1 d2 d3 d4 d5 d6 d7 ................
016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..) 016 2e 20 25 00 00 00 00 09 00 00 00 45 29 00 00 29 . %........E)..)
032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p.... 032 10 11 12 13 14 15 16 17 61 03 94 70 1f 8d 01 7f ........a..p....
048 7c 12 92 48 89 6b 71 bf e2 52 36 ef d7 cd c6 70 |..H.kq..R6....p 048 7c 12 92 48 89 6b 71 bf e2 52 36 ef d7 cd c6 70 |..H.kq..R6....p
064 66 90 63 15 b2 f.c.. 064 66 90 63 15 b2 f.c..
The below file in the snoop format [RFC1761] contains three packets: The below file in the snoop format [RFC1761] contains three packets:
The first is the ICMP packet from the example in Appendix A, the The first is the ICMP packet from the example in Appendix A, the
second is the ESP packet from the same appendix, and the third is the second is the ESP packet from the same appendix, and the third is the
IKEv2 packet from this appendix. To convert this text back into a IKEv2 packet from this appendix. To convert this text back into a
file, you can use a Unix command line tool such as "openssl enc -d file, you can use a Unix command line tool such as
-a": "openssl enc -d -a":
c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPq8PAAADVdhs6fUQBHgx c25vb3AAAAAAAAACAAAABAAAAGIAAABiAAAAegAAAABVPq8PAAADVdhs6fUQBHgx
wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN wbcpwggARQAAVKbyAABAAed4xjNkBcAAAgUIAFt6OggAAFU77BAABzYnCAkKCwwN
Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA Dg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3AAAAmgAA
AJoAAACyAAAAAFU+rw8AAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ AJoAAACyAAAAAFU+rw8AAAo62Gzp9RAEeDHBtynCCABFAACMI0UAAEAy3lvLAHGZ
ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv ywBxBQECAwQAAAAFEBESExQVFhckA5QouX9BfjwTdTpPBQh7Z8NS5qf6sbmC1Gbv
QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7 QHrlxhTugJnVKETrYaqV36tMAvcqpx58TE9kyb7+L6zGOOjzy+wWP6xGm1Anc/b7
lOZk2pFluCgp9kHgdqqoJmt/sPexGzaZB+GtQwAAAG8AAABvAAAAhwAAAABVPq8P lOZk2pFluCgp9kHgdqqoJmt/sPexGzaZB+GtQwAAAG8AAABvAAAAhwAAAABVPq8P
AAARH9hs6fUQBHgxwbcpwggARQAAYSNFAABAEd6nywBxmcsAcQUB9AH0AE0IUcDB AAARH9hs6fUQBHgxwbcpwggARQAAYSNFAABAEd6nywBxmcsAcQUB9AH0AE0IUcDB
wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEUpAAApEBESExQVFhdhA5RwH40Bf3wS wsPExcbH0NHS09TV1tcuICUAAAAACQAAAEUpAAApEBESExQVFhdhA5RwH40Bf3wS
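Review bot: the rewrapped sentence now keeps "openssl enc -d -a" on one line, which is better for copying, but the command as quoted names no input or output file. A reader has to know that it reads the base64 text on standard input and writes the binary snoop file to standard output; consider saying so or showing the -in and -out options. "The below file" would also read better as "The file below".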
 End of changes. 9 change blocks. 
15 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/