Supported IPsec and IKE Standards

On routers equipped with one or more MS-MPCs, MS-MICs, or DPCs, the Canada and U.S. version of Junos OS substantially supports the following RFCs, which define standards for IP Security (IPsec) and Internet Key Exchange (IKE).

• RFC 2085, HMAC-MD5 IP Authentication with Replay Prevention

• RFC 2401, Security Architecture for the Internet Protocol (obsoleted by RFC 4301)

• RFC 2402, IP Authentication Header (obsoleted by RFC 4302)

• RFC 2403, The Use of HMAC-MD5-96 within ESP and AH

• RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH (obsoleted by RFC 4305)

• RFC 2405, The ESP DES-CBC Cipher Algorithm With Explicit IV

• RFC 2406, IP Encapsulating Security Payload (ESP) (obsoleted by RFC 4303 and RFC 4305)

• RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP (obsoleted by RFC 4306)

• RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP) (obsoleted by RFC 4306)

• RFC 2409, The Internet Key Exchange (IKE) (obsoleted by RFC 4306)

• RFC 2410, The NULL Encryption Algorithm and Its Use With IPsec

• RFC 2451, The ESP CBC-Mode Cipher Algorithms

• RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP

• RFC 3193, Securing L2TP using IPsec

• RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

• RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec

• RFC 3948, UDP Encapsulation of IPsec ESP Packets

• RFC 4106, The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

• RFC 4210, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)

• RFC 4211, Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)

• RFC 4301, Security Architecture for the Internet Protocol

• RFC 4302, IP Authentication Header

• RFC 4303, IP Encapsulating Security Payload (ESP)

• RFC 4305, Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

• RFC 4306, Internet Key Exchange (IKEv2) Protocol

• RFC 4307, Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)

• RFC 4308, Cryptographic Suites for IPsec

  Only Suite VPN-A is supported in Junos OS.

• RFC 4754, IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)

• RFC 4835, Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

• RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2) (obsoleted by RFC 7296)

• RFC 7296, Internet Key Exchange Protocol Version 2 (IKEv2)

• RFC 7427, Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)

• RFC 7634, ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec

• RFC 8200, Internet Protocol, Version 6 (IPv6) Specification

Junos OS partially supports the following RFCs for IPsec and IKE:

• RFC 3526, More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)

• RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards

• RFC 5903, Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2

The following RFCs and Internet draft do not define standards, but provide information about IPsec, IKE, and related technologies. The IETF classifies them as “Informational.”

• RFC 2104, HMAC: Keyed-Hashing for Message Authentication

• RFC 2412, The OAKLEY Key Determination Protocol

• RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

• Internet draft draft-eastlake-sha2-02.txt, US Secure Hash Algorithms (SHA and HMAC-SHA) (expires July 2006)