Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
RFC 3686

Document Type RFC - Proposed Standard (January 2004; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3686 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
IESG note Published as RFC 3686 in January 2004
Send notices to (None)
Network Working Group                                         R. Housley
Request for Comments: 3686                                Vigil Security
Category: Standards Track                                   January 2004

         Using Advanced Encryption Standard (AES) Counter Mode
            With IPsec Encapsulating Security Payload (ESP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document describes the use of Advanced Encryption Standard (AES)
   Counter Mode, with an explicit initialization vector, as an IPsec
   Encapsulating Security Payload (ESP) confidentiality mechanism.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Conventions Used In This Document. . . . . . . . . . . .  2
   2.  AES Block Cipher . . . . . . . . . . . . . . . . . . . . . . .  2
       2.1.  Counter Mode . . . . . . . . . . . . . . . . . . . . . .  2
       2.2.  Key Size and Rounds. . . . . . . . . . . . . . . . . . .  5
       2.3.  Block Size . . . . . . . . . . . . . . . . . . . . . . .  5
   3.  ESP Payload. . . . . . . . . . . . . . . . . . . . . . . . . .  5
       3.1.  Initialization Vector. . . . . . . . . . . . . . . . . .  6
       3.2.  Encrypted Payload. . . . . . . . . . . . . . . . . . . .  6
       3.3.  Authentication Data. . . . . . . . . . . . . . . . . . .  6
   4.  Counter Block Format . . . . . . . . . . . . . . . . . . . . .  7
   5.  IKE Conventions. . . . . . . . . . . . . . . . . . . . . . . .  8
       5.1.  Keying Material and Nonces . . . . . . . . . . . . . . .  8
       5.2.  Phase 1 Identifier . . . . . . . . . . . . . . . . . . .  9
       5.3.  Phase 2 Identifier . . . . . . . . . . . . . . . . . . .  9
       5.4.  Key Length Attribute . . . . . . . . . . . . . . . . . .  9
   6.  Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations. . . . . . . . . . . . . . . . . . . . 12
   8.  Design Rationale . . . . . . . . . . . . . . . . . . . . . . . 14
   9.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 16

Housley                     Standards Track                     [Page 1]
RFC 3686         Using AES Counter Mode With IPsec ESP      January 2004

   10. Intellectual Property Statement. . . . . . . . . . . . . . . . 16
   11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 16
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
       12.1. Normative References . . . . . . . . . . . . . . . . . . 17
       12.2. Informative References . . . . . . . . . . . . . . . . . 17
   13. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 18
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 19

1.  Introduction

   The National Institute of Standards and Technology (NIST) recently
   selected the Advanced Encryption Standard (AES) [AES], also known as
   Rijndael.  The AES is a block cipher, and it can be used in many
   different modes.  This document describes the use of AES Counter Mode
   (AES-CTR), with an explicit initialization vector (IV), as an IPsec
   Encapsulating Security Payload (ESP) [ESP] confidentiality mechanism.

   This document does not provide an overview of IPsec.  However,
   information about how the various components of IPsec and the way in
   which they collectively provide security services is available in
   [ARCH] and [ROADMAP].

1.1.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [STDWORDS].

2.  AES Block Cipher

   This section contains a brief description of the relevant
   characteristics of the AES block cipher.  Implementation requirements
   are also discussed.

2.1.  Counter Mode

   NIST has defined five modes of operation for AES and other FIPS-
   approved block ciphers [MODES].  Each of these modes has different
   characteristics.  The five modes are: ECB (Electronic Code Book), CBC
   (Cipher Block Chaining), CFB (Cipher FeedBack), OFB (Output
   FeedBack), and CTR (Counter).

   Only AES Counter mode (AES-CTR) is discussed in this specification.
   AES-CTR requires the encryptor to generate a unique per-packet value,
   and communicate this value to the decryptor.  This specification
   calls this per-packet value an initialization vector (IV).  The same
   IV and key combination MUST NOT be used more than once.  The

Housley                     Standards Track                     [Page 2]
Show full document text