diff options
| author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
|---|---|---|
| committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
| commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
| tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9333.txt | |
| parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) | |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9333.txt')
| -rw-r--r-- | doc/rfc/rfc9333.txt | 688 |
1 files changed, 688 insertions, 0 deletions
diff --git a/doc/rfc/rfc9333.txt b/doc/rfc/rfc9333.txt new file mode 100644 index 0000000..aa02d98 --- /dev/null +++ b/doc/rfc/rfc9333.txt @@ -0,0 +1,688 @@ + + + + +Internet Engineering Task Force (IETF) D. Migault +Request for Comments: 9333 Ericsson +Category: Informational T. Guggemos +ISSN: 2070-1721 LMU Munich + January 2023 + + + Minimal IP Encapsulating Security Payload (ESP) + +Abstract + + This document describes the minimal properties that an IP + Encapsulating Security Payload (ESP) implementation needs to meet to + remain interoperable with the standard ESP as defined in RFC 4303. + Such a minimal version of ESP is not intended to become a replacement + of ESP in RFC 4303. Instead, a minimal implementation is expected to + be optimized for constrained environments while remaining + interoperable with implementations of ESP. In addition, this + document provides some considerations for implementing minimal ESP in + a constrained environment, such as limiting the number of flash + writes, handling frequent wakeup and sleep states, limiting wakeup + time, and reducing the use of random generation. + + This document does not update or modify RFC 4303. It provides a + compact description of how to implement the minimal version of that + protocol. RFC 4303 remains the authoritative description. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are candidates for any level of Internet + Standard; see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9333. + +Copyright Notice + + Copyright (c) 2023 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 2. Requirements Notation + 3. Security Parameters Index (SPI) + 3.1. Considerations for SPI Generation + 4. Sequence Number (SN) + 5. Padding + 6. Next Header and "Dummy" Packets + 7. ICV + 8. Cryptographic Suites + 9. IANA Considerations + 10. Security Considerations + 11. Privacy Considerations + 12. References + 12.1. Normative References + 12.2. Informative References + Acknowledgments + Authors' Addresses + +1. Introduction + + ESP [RFC4303] is part of the IPsec protocol suite [RFC4301]. IPsec + is used to provide confidentiality, data origin authentication, + connectionless integrity, an anti-replay service, and limited Traffic + Flow Confidentiality (TFC) padding. + + Figure 1 describes an ESP packet. Currently, ESP is implemented in + the kernel of most major multipurpose Operating Systems (OSes). ESP + is usually implemented with all of its features to fit the + multipurpose usage of these OSes, at the expense of resources and + with no considerations for code size. Constrained devices are likely + to have their own implementation of ESP optimized and adapted to + their specific use, such as limiting the number of flash writes (for + each packet or across wake time), handling frequent wakeup and sleep + states, limiting wakeup time, and reducing the use of random + generation. With the adoption of IPsec by Internet of Things (IoT) + devices with minimal IKEv2 [RFC7815] and ESP Header Compression (EHC) + [EHC-DIET-ESP] [EHC-IKEv2], these ESP implementations MUST remain + interoperable with standard ESP implementations. This document + describes the minimal properties an ESP implementation needs to meet + to remain interoperable with ESP [RFC4303]. In addition, this + document provides advice to implementers for implementing ESP within + constrained environments. This document does not update or modify + [RFC4303]. + + For each field of the ESP packet represented in Figure 1, this + document provides recommendations and guidance for minimal + implementations. The primary purpose of minimal ESP is to remain + interoperable with other nodes implementing ESP [RFC4303], while + limiting the standard complexity of the implementation. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- +| Security Parameters Index (SPI) | ^Int. ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- +| Sequence Number | |ered ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- +| Payload Data* (variable) | | ^ +~ ~ | | +| | |Conf. ++ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- +| | Padding (0-255 bytes) | |ered* ++-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +| | Pad Length | Next Header | v v ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ +| Integrity Check Value (ICV) (variable) | +~ ~ +| | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1: ESP Packet Description + +2. Requirements Notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +3. Security Parameters Index (SPI) + + [RFC4303] defines the SPI as a mandatory 32-bit field. + + The SPI has local significance to index the Security Association + (SA). As described in Section 4.1 of [RFC4301], nodes supporting + only unicast communications can index their SA using only the SPI. + Nodes supporting multicast communications also require the use of IP + addresses; thus, SA lookup needs to be performed using the longest + match. + + For nodes supporting only unicast communications, indexing the SA + using only the SPI is RECOMMENDED. The index may be based on the + full 32 bits of the SPI or a subset of these bits. The node may + require a combination of the SPI as well as other parameters (like + the IP address) to index the SA. + + Values 0-255 MUST NOT be used. As per Section 2.1 of [RFC4303], + values 1-255 are reserved, and 0 is only allowed to be used + internally and MUST NOT be sent over the wire. + + [RFC4303] does not require the 32-bit SPI to be randomly generated, + although that is the RECOMMENDED way to generate SPIs as it provides + some privacy and security benefits and avoids correlation between ESP + communications. To obtain a usable random 32-bit SPI, the node + generates a random 32-bit value and checks it does not fall within + the 0-255 range. If the SPI has an acceptable value, it is used to + index the inbound session. Otherwise, the generated value is + discarded, and the process repeats until a valid value is found. + + Some constrained devices are less concerned with the privacy + properties associated with randomly generated SPIs. Examples of such + devices might include sensors looking to reduce their code + complexity. The use of a predictive function to generate the SPI + might be preferred over the generation and handling of random values. + An implementation of such predictable function could use the + combination of a fixed value and the memory address of the Security + Association Database (SAD) structure. For every incoming packet, the + node will be able to point to the SAD structure directly from the SPI + value. This avoids having a separate and additional binding and + lookup function for the SPI to its SAD entry for every incoming + packet. + +3.1. Considerations for SPI Generation + + SPIs that are not randomly generated over 32 bits may have privacy + and security concerns. As a result, the use of alternative designs + requires careful security and privacy reviews. This section provides + some considerations for the adoption of alternative designs. + + The SPI value is only looked up for inbound traffic. The SPI + negotiated with IKEv2 [RFC7296] or minimal IKEv2 [RFC7815] by a peer + is the value used by the remote peer when it sends traffic. The main + advantage of using a rekeying mechanism is to enable a rekey, which + is performed by replacing an old SA with a new SA, both indexed with + distinct SPIs. The SPI is only used for inbound traffic by the peer, + which allows each peer to manage the set of SPIs used for its inbound + traffic. The necessary number of SPIs reflects the number of inbound + SAs as well as the ability to rekey those SAs. Typically, rekeying + an SA is performed by creating a new SA (with a dedicated SPI) before + the old SA is deleted. This results in an additional SA and the need + to support an additional SPI. Similarly, the privacy concerns + associated with the generation of non-random SPIs is also limited to + the incoming traffic. + + Alternatively, some constrained devices will not implement IKEv2 or + minimal IKEv2 and, as such, will not be able to manage a rollover + between two distinct SAs. In addition, some of these constrained + devices are likely to have a limited number of SAs; for example, they + are likely to be indexed over 3 bytes only. One possible way to + enable a rekeying mechanism with these devices is to use the SPI + where, for example, the first 3 bytes designates the SA while the + remaining byte indicates a rekey index. SPI numbers can be used to + implement tracking the inbound SAs when rekeying is taking place. + When rekeying an SPI, the new SPI could use the SPI bytes to indicate + the rekeying index. + + The use of a small, limited set of SPI numbers across communications + comes with privacy and security concerns. Some specific values or + subsets of SPI values could reveal the model or manufacturer of the + node implementing ESP or reveal a state such as "not yet rekeyed" or + "rekeyed 10 times". If a constrained host uses a very limited number + of applications, eventually a single one, the SPI itself could + indicate what kind of traffic is transmitted (e.g., the kind of + application typically running). This could also be correlated with + encrypted data size to further leak information to an observer on the + network. In addition, use of specific hardcoded SPI numbers could + reveal a manufacturer or device version. If updated devices use + different SPI numbers, an attacker could locate vulnerable devices by + their use of specific SPI numbers. + + A privacy analysis should consider at least the type of information + as well as the traffic pattern before deciding whether non-random + SPIs are safe to use. Typically, temperature and wind sensors that + are used outdoors do not leak privacy-sensitive information, and most + of their traffic is expected to be outbound traffic. When used + indoors, a sensor that reports an encrypted status of a door (closed + or opened) every minute might not leak sensitive information outside + the local network. In these examples, the privacy aspect of the + information itself might be limited. Being able to determine the + version of the sensor to potentially take control of it may also have + some limited security consequences. Of course, this depends on the + context in which these sensors are being used. If the risks + associated to privacy and security are acceptable, a non-randomized + SPI can be used. + +4. Sequence Number (SN) + + The Sequence Number (SN) in [RFC4303] is a mandatory 32-bit field in + the packet. + + The SN is set by the sender so the receiver can implement anti-replay + protection. The SN is derived from any strictly increasing function + that guarantees the following: if packet B is sent after packet A, + then the SN of packet B is higher than the SN of packet A. + + Some constrained devices may establish communication with specific + devices where it is known whether or not the peer implements anti- + replay protection. As per [RFC4303], the sender MUST still implement + a strictly increasing function to generate the SN. + + It is RECOMMENDED that multipurpose ESP implementations increment a + counter for each packet sent. However, a constrained device may + avoid maintaining this context and use another source that is known + to always increase. Typically, constrained devices use 802.15.4 Time + Slotted Channel Hopping (TSCH). This communication is heavily + dependent on time. A constrained device can take advantage of this + clock mechanism to generate the SN. A lot of IoT devices are in a + sleep state most of the time and wake up only to perform a specific + operation before going back to sleep. These devices have separate + hardware that allows them to wake up after a certain timeout and + typically also have timers that start running when the device is + booted up, so they might have a concept of time with certain + granularity. This requires devices to store any information in + stable storage that can be restored across sleeps (e.g., flash + memory). Storing information associated with the SA (such as the SN) + requires some read and write operations on stable storage after each + packet is sent as opposed to an SPI number or cryptographic keys that + are only written to stable storage at the creation of the SA. Write + operations wear out the flash storage. Write operations also slow + down the system significantly, as writing to flash is much slower + than reading from flash. While these devices have internal clocks or + timers that might not be very accurate, they are good enough to + guarantee that each time the device wakes up from sleep, the time is + greater than what it was before the device went to sleep. Using time + for the SN would guarantee a strictly increasing function and avoid + storing any additional values or context related to the SN on flash. + In addition to the time value, a RAM-based counter can be used to + ensure that the serial numbers are still increasing and unique if the + device sends multiple packets over an SA within one wakeup period. + + For inbound traffic, it is RECOMMENDED that receivers implement anti- + replay protection. The size of the window should depend on the + network characteristic to deliver packets out of order. In an + environment where out-of-order packets are not possible, the window + size can be set to one. An ESP implementation may choose to not + implement anti-replay protection. An implementation of anti-replay + protection may require the device to write the received SN for every + packet to stable storage. This will have the same issues as + discussed earlier with the SN. Some constrained device + implementations may choose to not implement the optional anti-replay + protection. A typical example is an IoT device such as a temperature + sensor that sends a temperature measurement every 60 seconds and + receives an acknowledgment from the receiver. In a case like this, + the ability to spoof and replay an acknowledgement is of limited + interest and might not justify the implementation of an anti-replay + mechanism. Receiving peers may also use an ESP anti-replay mechanism + adapted to a specific application. Typically, when the sending peer + is using an SN based on time, anti-replay may be implemented by + discarding any packets that present an SN whose value is too much in + the past. Such mechanisms may consider clock drifting in various + ways in addition to acceptable delay induced by the network to avoid + the anti-replay windows rejecting legitimate packets. Receiving + peers could accept any SN as long as it is higher than the previously + received SN. Another mechanism could be used where only the received + time on the device is used to consider a packet to be valid, without + looking at the SN at all. + + The SN can be represented as a 32-bit number or as a 64-bit number, + known as an "Extended Sequence Number (ESN)". As per [RFC4303], + support of ESN is not mandatory, and its use is negotiated via IKEv2 + [RFC7296]. An ESN is used for high-speed links to ensure there can + be more than 2^32 packets before the SA needs to be rekeyed to + prevent the SN from rolling over. This assumes the SN is incremented + by 1 for each packet. When the SN is incremented differently -- such + as when time is used -- rekeying needs to happen based on how the SN + is incremented to prevent the SN from rolling over. The security of + all data protected under a given key decreases slightly with each + message, and a node must ensure the limit is not reached, even though + the SN would permit it. Estimation of the maximum number of packets + to be sent by a node is not always predictable, and large margins + should be used, especially as nodes could be online for much more + time than expected. Even for constrained devices, it is RECOMMENDED + to implement some rekeying mechanisms (see Section 10). + +5. Padding + + Padding is required to keep the 32-bit alignment of ESP. It is also + required for some encryption transforms that need a specific block + size of input, such as ENCR_AES_CBC. ESP specifies padding in the + Pad Length byte, followed by up to 255 bytes of padding. + + Checking the padding structure is not mandatory, so constrained + devices may omit these checks on received ESP packets. For outgoing + ESP packets, padding must be applied as required by ESP. + + In some situations, the padding bytes may take a fixed value. This + would typically be the case when the Payload Data is of fixed size. + + ESP [RFC4303] additionally provides Traffic Flow Confidentiality + (TFC) as a way to perform padding to hide traffic characteristics. + TFC is not mandatory and is negotiated with the SA management + protocol, such as IKEv2. TFC has been widely implemented, but it is + not widely deployed for ESP traffic. It is NOT RECOMMENDED to + implement TFC for minimal ESP. + + As a consequence, communication protection that relies on TFC would + be more sensitive to traffic patterns without TFC. This can leak + application information as well as the manufacturer or model of the + device used to a passive monitoring attacker. Such information can + be used, for example, by an attacker if a vulnerability is known for + the specific device or application. In addition, some applications + (such as health applications) could leak important privacy-oriented + information. + + Constrained devices that have a limited battery lifetime may prefer + to avoid sending extra padding bytes. In most cases, the payload + carried by these devices is quite small, and the standard padding + mechanism can be used as an alternative to TFC. Alternatively, any + information leak based on the size -- or presence -- of the packet + can also be addressed at the application level before the packet is + encrypted with ESP. If application packets vary between 1 to 30 + bytes, the application could always send 32-byte responses to ensure + all traffic sent is of identical length. To prevent leaking + information that a sensor changed state, such as "temperature + changed" or "door opened", an application could send this information + at regular time intervals, rather than when a specific event is + happening, even if the sensor state did not change. + +6. Next Header and "Dummy" Packets + + ESP [RFC4303] defines the Next Header as a mandatory 8-bit field in + the packet. The Next Header, only visible after decryption, + specifies the data contained in the payload. In addition, the Next + Header may carry an indication on how to process the packet + [BEET-ESP]. The Next Header can point to a "dummy" packet, i.e., a + packet with the Next Header value set to 59, meaning "no next + header". The data following "no next header" is unstructured "dummy" + data. (Note that this document uses the term "dummy" for consistency + with [RFC4303].) + + The ability to generate, receive, and ignore "dummy" packets is + required by [RFC4303]. An implementation can omit ever generating + and sending "dummy" packets. For interoperability, a minimal ESP + implementation MUST be able to process and discard "dummy" packets + without indicating an error. + + In constrained environments, sending "dummy" packets may have too + much impact on the device lifetime, in which case, "dummy" packets + should not be generated and sent. On the other hand, constrained + devices running specific applications that would leak too much + information by not generating and sending "dummy" packets may + implement this functionality or even implement something similar at + the application layer. Note also that similarly to padding and TFC + that can be used to hide some traffic characteristics (see + Section 5), "dummy" packets may also reveal some patterns that can be + used to identify the application. For example, an application may + send "dummy" data to hide a traffic pattern. Suppose such an + application sends a 1-byte data when a change occurs. This results + in sending a packet notifying a change has occurred. "Dummy" packets + may be used to prevent such information from being leaked by sending + a 1-byte packet every second when the information is not changed. + After an upgrade, the data becomes 2 bytes. At that point, the + "dummy" packets do not hide anything, and having 1 byte regularly + versus 2 bytes makes even the identification of the application + version easier to identify. This generally makes the use of "dummy" + packets more appropriate on high-speed links. + + In some cases, devices are dedicated to a single application or a + single transport protocol. In this case, the Next Header has a fixed + value. + + Specific processing indications have not been standardized yet + [BEET-ESP] and are expected to result from an agreement between the + peers. As a result, they SHOULD NOT be part of a minimal + implementation of ESP. + +7. ICV + + The ICV depends on the cryptographic suite used. As detailed in + [RFC8221], authentication or authenticated encryption is RECOMMENDED, + and as such, the ICV field must be present with a size different from + zero. Its length is defined by the security recommendations only. + +8. Cryptographic Suites + + The recommended algorithms to use are expected to evolve over time, + and implementers SHOULD follow the recommendations provided by + [RFC8221] and updates. + + This section lists some of the criteria that may be considered to + select an appropriate cryptographic suite. The list is not expected + to be exhaustive and may also evolve over time. + + 1. Security: Security is the criteria that should be considered + first for the selection of encryption algorithm transforms. The + security of encryption algorithm transforms is expected to evolve + over time, and it is of primary importance to follow up-to-date + security guidance and recommendations. The chosen encryption + algorithm MUST NOT be vulnerable or weak (see [RFC8221] for + outdated ciphers). ESP can be used to authenticate only + (ENCR_NULL) or to encrypt the communication. In the latter case, + Authenticated Encryption with Associated Data (AEAD) is + RECOMMENDED [RFC8221]. + + 2. Resilience to Nonce Reuse: Some transforms, including AES-GCM, + are vulnerable to nonce collision with a given key. While the + generation of the nonce may prevent such collision during a + session, the mechanisms are unlikely to provide such protection + across sleep states or reboot. This causes an issue for devices + that are configured using static keys (called "manual keying"), + and manual keying should not be used with these encryption + algorithms. When the key is likely to be reused across reboots, + algorithms that are resistant to nonce misuse (for example, AES- + SIV [RFC5297], AES-GCM-SIV [RFC8452], and Deoxys-II [DeoxysII]) + are RECOMMENDED. Note, however, that none of these are currently + defined for use with ESP. + + 3. Interoperability: Constrained devices usually only implement one + or very few different encryption algorithm transforms. [RFC8221] + takes the life cycle of encryption algorithm transforms and + device manufacturing into consideration in its recommendations + for mandatory-to-implement (MTI) algorithms. + + 4. Power Consumption and Cipher Suite Complexity: Complexity of the + encryption algorithm transform and the energy cost associated + with it are especially important considerations for devices that + have limited resources or are battery powered. The battery life + might determine the lifetime of the entire device. When choosing + a cryptographic function, reusing specific libraries or taking + advantage of hardware acceleration provided by the device should + be considered. For example, if the device benefits from AES + hardware modules and uses ENCR_AES_CTR, it may prefer AUTH_AES- + XCBC for its authentication. In addition, some devices may embed + radio modules with hardware acceleration for AES-CCM, in which + case, this transform may be preferred. + + 5. Power Consumption and Bandwidth Consumption: Reducing the payload + sent may significantly reduce the energy consumption of the + device. Encryption algorithm transforms with low overhead are + strongly preferred. To reduce the overall payload size, one may, + for example: + + * Use counter-based ciphers without fixed block length (e.g., + AES-CTR or ChaCha20-Poly1305). + + * Use ciphers capable of using implicit Initialization Vectors + (IVs) [RFC8750]. + + * Use ciphers recommended for IoT [RFC8221]. + + * Avoid padding by sending payload data that are aligned to the + cipher block length -- 2 bytes for the ESP trailer. + +9. IANA Considerations + + This document has no IANA actions. + +10. Security Considerations + + The security considerations in [RFC4303] apply to this document as + well. In addition, this document provides security recommendations + and guidance for the implementation choices for each ESP field. + + The security of a communication provided by ESP is closely related to + the security associated with the management of that key. This + usually includes mechanisms to prevent a nonce from repeating, for + example. When a node is provisioned with a session key that is used + across reboot, the implementer MUST ensure that the mechanisms put in + place remain valid across reboot as well. + + It is RECOMMENDED to use ESP in conjunction with key management + protocols such as, for example, IKEv2 [RFC7296] or minimal IKEv2 + [RFC7815]. Such mechanisms are responsible for negotiating fresh + session keys as well as preventing a session key being used beyond + its lifetime. When such mechanisms cannot be implemented, such as + when the session key is provisioned, the device MUST ensure that keys + are not used beyond their lifetime and that the key remains used in + compliance with all security requirements across reboots (e.g., + conditions on counters and nonces remain valid). + + When a device generates its own key or when random values such as + nonces are generated, the random generation MUST follow [RFC4086]. + In addition, [SP-800-90A-Rev-1] provides guidance on how to build + random generators based on deterministic random functions. + +11. Privacy Considerations + + Preventing the leakage of privacy-sensitive information is a hard + problem to solve and usually results in balancing the information + potentially being leaked to the cost associated with the counter + measures. This problem is not inherent to the minimal ESP described + in this document and also concerns the use of ESP in general. + + This document targets minimal implementations of ESP and, as such, + describes a minimalistic way to implement ESP. In some cases, this + may result in potentially revealing privacy-sensitive pieces of + information. This document describes these privacy implications so + the implementer can make the appropriate decisions given the + specificities of a given environment and deployment. + + The main risk associated with privacy is the ability to identify an + application or a device by analyzing the traffic, which is designated + as "traffic shaping". As discussed in Section 3, the use in a very + specific context of non-randomly generated SPIs might ease the + determination of the device or the application in some cases. + Similarly, padding provides limited capabilities to obfuscate the + traffic compared to those provided by TFC. Such consequences on + privacy are detailed in Section 5. + +12. References + +12.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC 4086, + DOI 10.17487/RFC4086, June 2005, + <https://www.rfc-editor.org/info/rfc4086>. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, + December 2005, <https://www.rfc-editor.org/info/rfc4301>. + + [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", + RFC 4303, DOI 10.17487/RFC4303, December 2005, + <https://www.rfc-editor.org/info/rfc4303>. + + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. + Kivinen, "Internet Key Exchange Protocol Version 2 + (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October + 2014, <https://www.rfc-editor.org/info/rfc7296>. + + [RFC7815] Kivinen, T., "Minimal Internet Key Exchange Version 2 + (IKEv2) Initiator Implementation", RFC 7815, + DOI 10.17487/RFC7815, March 2016, + <https://www.rfc-editor.org/info/rfc7815>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8221] Wouters, P., Migault, D., Mattsson, J., Nir, Y., and T. + Kivinen, "Cryptographic Algorithm Implementation + Requirements and Usage Guidance for Encapsulating Security + Payload (ESP) and Authentication Header (AH)", RFC 8221, + DOI 10.17487/RFC8221, October 2017, + <https://www.rfc-editor.org/info/rfc8221>. + + [RFC8750] Migault, D., Guggemos, T., and Y. Nir, "Implicit + Initialization Vector (IV) for Counter-Based Ciphers in + Encapsulating Security Payload (ESP)", RFC 8750, + DOI 10.17487/RFC8750, March 2020, + <https://www.rfc-editor.org/info/rfc8750>. + +12.2. Informative References + + [BEET-ESP] Nikander, P. and J. Melen, "A Bound End-to-End Tunnel + (BEET) mode for ESP", Work in Progress, Internet-Draft, + draft-nikander-esp-beet-mode-09, 5 August 2008, + <https://datatracker.ietf.org/doc/html/draft-nikander-esp- + beet-mode-09>. + + [DeoxysII] Jean, J., Nikolić, I., Peyrin, T., and Y. Seurin, "Deoxys + v1.41", October 2016, + <https://competitions.cr.yp.to/round3/deoxysv141.pdf>. + + [EHC-DIET-ESP] + Migault, D., Guggemos, T., Bormann, C., and D. Schinazi, + "ESP Header Compression and Diet-ESP", Work in Progress, + Internet-Draft, draft-mglt-ipsecme-diet-esp-08, 13 May + 2022, <https://datatracker.ietf.org/doc/html/draft-mglt- + ipsecme-diet-esp-08>. + + [EHC-IKEv2] + Migault, D., Guggemos, T., and D. Schinazi, "Internet Key + Exchange version 2 (IKEv2) extension for the ESP Header + Compression (EHC) Strategy", Work in Progress, Internet- + Draft, draft-mglt-ipsecme-ikev2-diet-esp-extension-02, 13 + May 2022, <https://datatracker.ietf.org/doc/html/draft- + mglt-ipsecme-ikev2-diet-esp-extension-02>. + + [RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV) + Authenticated Encryption Using the Advanced Encryption + Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October + 2008, <https://www.rfc-editor.org/info/rfc5297>. + + [RFC8452] Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: + Nonce Misuse-Resistant Authenticated Encryption", + RFC 8452, DOI 10.17487/RFC8452, April 2019, + <https://www.rfc-editor.org/info/rfc8452>. + + [SP-800-90A-Rev-1] + Barker, E. and J. Kelsey, "Recommendation for Random + Number Generation Using Deterministic Random Bit + Generators", NIST SP 800-90A Rev 1, + DOI 10.6028/NIST.SP.800-90Ar1, June 2015, + <https://csrc.nist.gov/publications/detail/sp/800-90a/rev- + 1/final>. + +Acknowledgments + + The authors would like to thank Daniel Palomares, Scott Fluhrer, Tero + Kivinen, Valery Smyslov, Yoav Nir, Michael Richardson, Thomas Peyrin, + Eric Thormarker, Nancy Cam-Winget, and Bob Briscoe for their valuable + comments. In particular, Scott Fluhrer suggested including the rekey + index in the SPI. Tero Kivinen also provided multiple clarifications + and examples of ESP deployment within constrained devices with their + associated optimizations. Thomas Peyrin, Eric Thormarker, and Scott + Fluhrer suggested and clarified the use of transform resilient to + nonce misuse. The authors would also like to thank Mohit Sethi for + his support as the LWIG Working Group Chair. + +Authors' Addresses + + Daniel Migault + Ericsson + 8275 Rte Transcanadienne + Saint-Laurent QC H4S 0B6 + Canada + Email: daniel.migault@ericsson.com + + + Tobias Guggemos + LMU Munich + MNM-Team + Oettingenstr. 67 + 80538 Munich + Germany + Email: guggemos@mnm-team.org |