Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol
RFC 5282
Document Type RFC - Proposed Standard (August 2008; Errata)
Updates RFC 4306
Was draft-black-ipsec-ikev2-aead-modes (individual in sec area)
Authors David Black  , David McGrew 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Telechat Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5282 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                           D. Black
Request for Comments: 5282                                           EMC
Updates: 4306                                                  D. McGrew
Category: Standards Track                                    August 2008

  Using Authenticated Encryption Algorithms with the Encrypted Payload
        of the Internet Key Exchange version 2 (IKEv2) Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   An authenticated encryption algorithm combines encryption and
   integrity into a single operation; such algorithms may also be
   referred to as combined modes of an encryption cipher or as combined
   mode algorithms.  This document describes the use of authenticated
   encryption algorithms with the Encrypted Payload of the Internet Key
   Exchange version 2 (IKEv2) protocol.

   The use of two specific authenticated encryption algorithms with the
   IKEv2 Encrypted Payload is also described; these two algorithms are
   the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES
   GCM) and AES in Counter with CBC-MAC Mode (AES CCM).  Additional
   documents may describe the use of other authenticated encryption
   algorithms with the IKEv2 Encrypted Payload.

Black & McGrew              Standards Track                     [Page 1]
RFC 5282           Authenticated Encryption and IKEv2        August 2008

Table of Contents

   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................3
   2. Structure of this Document ......................................4
   3. IKEv2 Encrypted Payload Data ....................................4
      3.1. AES GCM and AES CCM Initialization Vector (IV) .............6
      3.2. AES GCM and AES CCM Ciphertext (C) Construction ............6
   4. AES GCM and AES CCM Nonce (N) Format ............................7
   5. IKEv2 Associated Data (A) .......................................8
      5.1. Associated Data (A) Construction ...........................8
      5.2. Data Integrity Coverage ....................................8
   6. AES GCM and AES CCM Encrypted Payload Expansion .................9
   7. IKEv2 Conventions for AES GCM and AES CCM .......................9
      7.1. Keying Material and Salt Values ............................9
      7.2. IKEv2 Identifiers .........................................10
      7.3. Key Length ................................................10
   8. IKEv2 Algorithm Selection ......................................11
   9. Test Vectors ...................................................11
   10. RFC 5116 AEAD_* Algorithms ....................................11
      10.1. AES GCM Algorithms with 8- and 12-octet ICVs .............12
           10.1.1. AEAD_AES_128_GCM_8 ................................12
           10.1.2. AEAD_AES_256_GCM_8 ................................12
           10.1.3. AEAD_AES_128_GCM_12 ...............................12
           10.1.4. AEAD_AES_256_GCM_12 ...............................12
      10.2. AES CCM Algorithms with an 11-octet Nonce ................13
           10.2.1. AEAD_AES_128_CCM_SHORT ............................13
           10.2.2. AEAD_AES_256_CCM_SHORT ............................14
           10.2.3. AEAD_AES_128_CCM_SHORT_8 ..........................14
           10.2.4. AEAD_AES_256_CCM_SHORT_8 ..........................14
           10.2.5. AEAD_AES_128_CCM_SHORT_12 .........................14
           10.2.6. AEAD_AES_256_CCM_SHORT_12 .........................14
      10.3. AEAD_* Algorithms and IKEv2 ..............................15
   11. Security Considerations .......................................15
   12. IANA Considerations ...........................................16
   13. Acknowledgments ...............................................16
   14. References ....................................................17
      14.1. Normative References .....................................17
      14.2. Informative References ...................................17

Black & McGrew              Standards Track                     [Page 2]
RFC 5282           Authenticated Encryption and IKEv2        August 2008

1.  Introduction

   An authenticated encryption algorithm combines encryption and
   integrity into a single operation on plaintext data to produce
   ciphertext that includes an integrity check [RFC5116].  The integrity
   check may be an Integrity Check Value (ICV) that is logically
   distinct from the encrypted data, or the integrity check may be
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools