Some IPsec ressources I was using while developing ipdecap
RFCs
Requirement Encryption Algorithm (notes)
----------- --------------------------
MUST NULL [RFC2410] (1)
MUST AES-CBC with 128-bit keys [RFC3602]
MUST- TripleDES-CBC [RFC2451]
SHOULD AES-CTR [RFC3686]
SHOULD NOT DES-CBC [RFC2405] (2)
Requirement Authentication Algorithm (notes)
----------- -----------------------------
MUST HMAC-SHA1-96 [RFC2404] (3)
SHOULD+ AES-XCBC-MAC-96 [RFC3566]
MAY NULL (1)
MAY HMAC-MD5-96 [RFC2403] (4)
Authentication
- rfc 2104: HMAC: Keyed-Hashing for Message Authentication
- rfc 2403: The Use of HMAC-MD5-96 within ESP and AH
- rfc 2404: The Use of HMAC-SHA-1-96 within ESP and AH
- rfc 2410: The NULL Encryption Algorithm and Its Use With IPsec
- rfc 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
- draft: The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
- draft: The HMAC-SHA-256-128 Algorithm and Its Use With IPsec
Encryption
- rfc 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
- rfc 3686: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
- rfc 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec
- draft: The ESP CAST5-128-CBC Transform
- draft: The ESP Blowfish-CBC Algorithm Using an Explicit IV
- draft: The ESP CAST128-CBC Algorithm
- draft: The ESP RC5-CBC Algorithm