RFC 5282, "Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol", August 2008Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 5109
Reported By: Andrew Cagney
Date Reported: 2017-09-08
Section 8. says:
8. IKEv2 Algorithm Selection This section applies to the use of any authenticated encryption algorithm with the IKEv2 Encrypted Payload and is unique to that usage. IKEv2 (Section 3.3.3 of [RFC4306]) specifies that both an encryption algorithm and an integrity checking algorithm are required for an IKE SA (Security Association). This document updates [RFC4306] to require that when an authenticated encryption algorithm is selected as the encryption algorithm for any SA (IKE or ESP), an integrity algorithm MUST NOT be selected for that SA. This document further updates [RFC4306] to require that if all of the encryption algorithms in any proposal are authenticated encryption algorithms, then the proposal MUST NOT propose any integrity transforms.
It should say:
8. IKEv2 Algorithm Selection IKEv2 [rfc7296], section 3.3. Security Association Payload, specifies AEAD algorithm selection.
RFC-7296 and RFC-5282 contradict each other (yet RFC-7296 cites RFC-5282 without any
- RFC-7296 explicitly disallows mixing AEAD and non-AEAD algorithms in a single
proposal; RFC-5282 does not (and strongly implies it is allowed)
- RFC-7296 allows 'none' integrity in an AEAD-only proposal; RFC-5282 does not