| Network | P. Wouters, Ed. |
| Internet-Draft | Red Hat |
| Updates: 7296,8221,8247 (if approved) | December 17, 2019 |
| Intended status: Standards Track | |
| Expires: June 19, 2020 |
Deprecation of IKEv1 and obsoleted algorithms
draft-pwouters-ikev1-ipsec-graveyard-03
This document moves Internet Key Exchange version 1 (IKEv1) to Historic status. It also deprecates a number of algorithms that are obsolete and closes all IKEv1 registries.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 19, 2020.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
IKEv1 [RFC2409] and its related documents for ISAKMP [RFC2408] and IPsec DOI [RFC2407] were obsoleted by IKEv2 [RFC4306] in December 2005. The latest version of IKEv2 at the time of writing was published in 2014 in [RFC7296]. The Internet Key Exchange (IKE) version 2 has replaced version 1 over 15 years ago. IKEv2 has now seen wide deployment and provides a full replacement for all IKEv1 functionality. No new modifications or new algorithms have been accepted for IKEv1 for at least a decade. IKEv2 addresses various issues present in IKEv1, such as IKEv1 being vulnerable to amplification attacks. This document moves IKEv1 to to Historic status, and requests IANA to close all IKEv1 registries.
Algorithm implementation requirements and usage guidelines for IKEv2 [RFC8247] and ESP/AH [RFC8223] gives guidance to implementors but limits that guidance to avoid broken or weak algorithms. It does not deprecate algorithms that have aged and are no longer in use, but leave these algorithms in a state of "MAY be used". This document deprecates those algorithms that are no longer advised but for which there are no known attacks resulting in their earlier deprecation.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
IKEv1 is deprecated. Systems running IKEv1 should be upgraded and reconfigured to run IKEv2. Systems that support IKEv1 but not IKEv2 are most likely also unsuitable candidates for continued operation. Such unsupported systems have a much higher chance of containing an implementation vulnerability that will never be patched. IKEv1 systems can be abused for packet amplification attacks. IKEv1 systems most likely do not support modern algorithms such as AES-GCM or CHACHA20_POLY1305 and quite often only support or have been configured to use the very weak Diffie-Hellman Groups 2 and 5. IKEv1 systems should be upgraded or replaced by IKEv2 systems.
IKEv1 and its way of using Preshared Keys (PSKs) protects against quantum computer based attacks. IKEv2 updated its use of PSK to improve the error reporting, but at the expense of post-quantum security. If post-quantum security is required, these systems should be migrated to use IKEv2 Postquantum Preshared Keys (PPK) [draft-ietf-ipsecme-qr-ikev2].
Some IKEv1 implementations support Labeled IPsec, a method to negotiate an addition Security Context selector to the SPD, but this method was never standarized in IKEv1. Those IKEv1 systems that require Labeled IPsec should migrate to an IKEv2 system supporting Labeled IPsec as specified in [draft-ietf-ipsecme-labeled-ipsec].
EDITOR NOTE: This document is expected to be released only after the PPK draft has become an RFC. While the same could be said for Labeled IPsec, there is no IKEv1 RFC that specifies Labeled IPsec, so pointing to a draft here does not demote a reference from RFC to a draft.
This document deprecates the following algorithms:
There are only security benefits by deprecating IKEv1 for IKEv2.
The deprecated algorithms have long been in disuse and are no longer actively deployed or researched. It presents an unknown security risk that is best avoided. Additionally, these algorithms not being supported in implementations simplifies those implementations and reduces the accidental use of these deprecated algorithms through misconfiguration or downgrade attacks.
This document instructs IANA to mark all IKEv1 registries as DEPRECATED.
Transform Type 1 - Encryption Algorithm IDs
Number Name Status
------ --------------- ------
1 ENCR_DES_IV64 DEPRECATED [this document]
2 ENCR_DES DEPRECATED [RFC8247]
4 ENCR_RC5 DEPRECATED [this document]
5 ENCR_IDEA DEPRECATED [this document]
6 ENCR_CAST DEPRECATED [this document]
7 ENCR_BLOWFISH DEPRECATED [this document]
8 ENCR_3IDEA DEPRECATED [this document]
9 ENCR_DES_IV32 DEPRECATED [this document]
Figure 1
Transform Type 2 - Pseudorandom Function Transform IDs
Number Name Status
------ ------------ ----------
1 PRF_HMAC_MD5 DEPRECATED [RFC8247]
1 PRF_HMAC_TIGER DEPRECATED [this document]
Figure 2
Transform Type 3 - Integrity Algorithm Transform IDs
Number Name Status
------ ----------------- ----------
1 AUTH_HMAC_MD5_96 DEPRECATED [RFC8247]
3 AUTH_DES_MAC DEPRECATED [RFC8247]
4 AUTH_KPDK_MD5 DEPRECATED [RFC8247]
6 AUTH_HMAC_MD5_128 DEPRECATED [this document]
7 AUTH_HMAC_SHA1_160 DEPRECATED [this document]
Figure 3
Transform Type 4 - Diffie Hellman Group Transform IDs
Number Name Status
------ ---------------------------- ----------
1 768-bit MODP Group DEPRECATED [RFC8247]
22 1024-bit MODP Group with
160-bit Prime Order Subgroup DEPRECATED [RFC8247]
Figure 4
Additionally, this document instructs IANA to add an additional Status column to the IKEv2 Transform Type registries and mark the following entries as DEPRECATED:
This document instructs IANA to close and mark as obsolete the Internet Key Exchange (IKE) Attributes registries as well as the "Magic Numbers" for ISAKMP Protocol registries.
The IESG is requested to designate IKEv1 to Historic.
| [draft-ietf-ipsecme-labeled-ipsec] | Wouters, P. and S. Prasad, "Labeled IPsec Traffic Selector support for IKEv2", Internet-Draft draft-ietf-ipsecme-labeled-ipsec, March 2019. |
| [draft-ietf-ipsecme-qr-ikev2] | Fluhrer, S., McGre, D., Kampanakis, P. and V. Smyslov, "Postquantum Preshared Keys for IKEv2", Internet-Draft draft-ietf-ipsecme-qr-ikev2, March 2019. |