IPv6-ESP and AH Algorithm Requirements
【摘要】 介绍ESP和AH是通过IPsec进行加密保护的机制。The Encapsulating Security Payload (ESP) [RFC4303] and the Authentication Header (AH) [RFC4302] are the mechanisms for applying cryptographic protection to data being sent...
介绍
ESP和AH是通过IPsec进行加密保护的机制。
The Encapsulating Security Payload (ESP) [RFC4303] and the Authentication Header (AH) [RFC4302] are the mechanisms for applying cryptographic protection to data being sent over an IPsec Security Association (SA) [RFC4301].
背景
老的加密算法总是会被新的取代。
The field of cryptography evolves continuously: new, stronger algorithms appear, and existing algorithms are found to be less secure than originally thought. Therefore, algorithm implementation requirements and usage guidance need to be updated from time to time to reflect the new reality.
加密必须认证
Encryption Must Be Authenticated
Encryption without authentication is not effective and MUST NOT be used. IPsec offers three ways to provide both encryption and authentication:
o ESP with an Authenticated Encryption with Associated Data (AEAD) cipher
o ESP with a non-AEAD cipher + authentication
o ESP with a non-AEAD cipher + AH with authentication
5. ESP Encryption Algorithms
+-------------------------+------------+---------+----------------+
| Name | Status | AEAD | Comment |
+-------------------------+------------+---------+----------------+
| ENCR_DES_IV64 | MUST NOT | No | UNSPECIFIED |
| ENCR_DES | MUST NOT | No | [RFC2405] |
| ENCR_3DES | SHOULD NOT | No | [RFC2451] |
| ENCR_BLOWFISH | MUST NOT | No | [RFC2451] |
| ENCR_3IDEA | MUST NOT | No | UNSPECIFIED |
| ENCR_DES_IV32 | MUST NOT | No | UNSPECIFIED |
| ENCR_NULL | MUST | No | [RFC2410] |
| ENCR_AES_CBC | MUST | No | [RFC3602][1] |
| ENCR_AES_CCM_8 | SHOULD | Yes | [RFC4309](IoT) |
| ENCR_AES_GCM_16 | MUST | Yes | [RFC4106][1] |
| ENCR_CHACHA20_POLY1305 | SHOULD | Yes | [RFC7634] |
+-------------------------+------------+---------+----------------+6. ESP and AH Authentication Algorithms
Authentication algorithm recommendations in this section are
targeting two types of communications:
o Authenticated-only communications without encryption, such as ESP
with NULL encryption or AH communications.
o Communications that are encrypted with a non-AEAD algorithm that
MUST be combined with an authentication algorithm.
+------------------------+----------------+-------------------------+
| Name | Status | Comment |
+------------------------+----------------+-------------------------+
| AUTH_NONE | MUST / | [RFC7296][RFC5282] |
| | MUST NOT | AEAD-only |
| AUTH_HMAC_MD5_96 | MUST NOT | [RFC2403][RFC7296] |
| AUTH_HMAC_SHA1_96 | MUST- | [RFC2404][RFC7296] |
| AUTH_DES_MAC | MUST NOT | UNSPECIFIED |
| AUTH_KPDK_MD5 | MUST NOT | UNSPECIFIED |
| AUTH_AES_XCBC_96 | SHOULD / MAY | [RFC3566][RFC7296] |
| | | (IoT) |
| AUTH_AES_128_GMAC | MAY | [RFC4543] |
| AUTH_AES_256_GMAC | MAY | [RFC4543] |
| AUTH_HMAC_SHA2_256_128 | MUST | [RFC4868] |
| AUTH_HMAC_SHA2_512_256 | SHOULD | [RFC4868] |
+------------------------+----------------+-------------------------+7. ESP and AH Compression Algorithms
+----------------+----------+-------------+
| Name | Status | Comment |
+----------------+----------+-------------+
| IPCOMP_OUI | MUST NOT | UNSPECIFIED |
| IPCOMP_DEFLATE | MAY | [RFC3173] |
| IPCOMP_LZS | MAY | [RFC2395] |
| IPCOMP_LZJH | MAY | [RFC3051] |
+----------------+----------+-------------+8. Summary of Changes from RFC 7321
The following table summarizes the changes from RFC 7321.
+-------------------+----------+-----------------+
| Algorithm | RFC 7321 | RFC 8221 |
+-------------------+----------+-----------------+
| ENCR_AES_GCM_16 | SHOULD+ | MUST |
| ENCR_AES_CCM_8 | MAY | SHOULD |
| ENCR_AES_CTR | MAY | MAY(*) |
| ENCR_3DES | MAY | SHOULD NOT |
| AUTH_HMAC_SHA1_96 | MUST | MUST- |
| AUTH_AES_128_GMAC | SHOULD+ | MAY |
| AUTH_NONE | MAY | MUST / MUST NOT |
+-------------------+----------+-----------------+
【版权声明】本文为华为云社区用户翻译文章,如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容,
举报邮箱:cloudbbs@huaweicloud.com
- 点赞
- 收藏
- 关注作者
评论(0)