The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
RFC 4543
Document Type RFC - Proposed Standard (May 2006; Errata)
Was draft-mcgrew-aes-gmac-esp (individual in sec area)
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4543 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to john@viega.org
Email authors IPR References Referenced by Nits 
Network Working Group                                          D. McGrew
Request for Comments: 4543                           Cisco Systems, Inc.
Category: Standards Track                                       J. Viega
                                                            McAfee, Inc.
                                                                May 2006

        The Use of Galois Message Authentication Code (GMAC) in
                            IPsec ESP and AH

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   Galois Message Authentication Code (GMAC) as a mechanism to provide
   data origin authentication, but not confidentiality, within the IPsec
   Encapsulating Security Payload (ESP) and Authentication Header (AH).
   GMAC is based on the Galois/Counter Mode (GCM) of operation, and can
   be efficiently implemented in hardware for speeds of 10 gigabits per
   second and above, and is also well-suited to software
   implementations.

McGrew & Viega              Standards Track                     [Page 1]
RFC 4543                GMAC in IPsec ESP and AH                May 2006

Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................3
   2. AES-GMAC ........................................................3
   3. The Use of AES-GMAC in ESP ......................................3
      3.1. Initialization Vector ......................................4
      3.2. Nonce Format ...............................................4
      3.3. AAD Construction ...........................................5
      3.4. Integrity Check Value (ICV) ................................6
      3.5. Differences with AES-GCM-ESP ...............................6
      3.6. Packet Expansion ...........................................7
   4. The Use of AES-GMAC in AH .......................................7
   5. IKE Conventions .................................................8
      5.1. Phase 1 Identifier .........................................8
      5.2. Phase 2 Identifier .........................................8
      5.3. Key Length Attribute .......................................9
      5.4. Keying Material and Salt Values ............................9
   6. Test Vectors ....................................................9
   7. Security Considerations ........................................10
   8. Design Rationale ...............................................11
   9. IANA Considerations ............................................11
   10. Acknowledgements ..............................................11
   11. References ....................................................12
      11.1. Normative References .....................................12
      11.2. Informative References ...................................12
1.  Introduction

   This document describes the use of AES-GMAC mode (AES-GMAC) as a
   mechanism for data origin authentication in ESP [RFC4303] and AH
   [RFC4302].  We refer to these methods as ENCR_NULL_AUTH_AES_GMAC and
   AUTH_AES_GMAC, respectively.  ENCR_NULL_AUTH_AES_GMAC is a companion
   to the AES Galois/Counter Mode ESP [RFC4106], which provides
   authentication as well as confidentiality.  ENCR_NULL_AUTH_AES_GMAC
   is intended for cases in which confidentiality is not desired.  Like
   GCM, GMAC is efficient and secure, and is amenable to high-speed
   implementations in hardware.  ENCR_NULL_AUTH_AES_GMAC and
   AUTH_AES_GMAC are designed so that the incremental cost of
   implementation, given an implementation is AES-GCM-ESP, is small.

   This document does not cover implementation details of GCM or GMAC.
   Those details can be found in [GCM], along with test vectors.

McGrew & Viega              Standards Track                     [Page 2]
RFC 4543                GMAC in IPsec ESP and AH                May 2006

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  AES-GMAC

   GMAC is a block cipher mode of operation providing data origin
   authentication.  It is defined in terms of the GCM authenticated
   encryption operation as follows.  The GCM authenticated encryption
   operation has four inputs: a secret key, an initialization vector
   (IV), a plaintext, and an input for additional authenticated data
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools