Content for  TS 33.310  Word version:  19.1.0

The following requirements on certificate based IKEv2 authentication in addition to those specified in NDS/IP [1] shall be applied: For the IKE_INIT_SA and IKE_AUTH exchanges:

• Following algorithms shall be supported:
  • Authentication: Method 1 - RSA Digital Signature [42];
    • Implementations shall support signatures that use SHA-256, should support signatures that use SHA-384, and shall not support signatures that use SHA-1. Implementations should use SHA-256 as the default hash function when generating signatures.
    • Usage of Method 1 is not recommended as it uses PKCS#1v1.5 padding.
  • Hash Algorithm Notification [43]
    • Implementations shall support SHA2-256, should support SHA2-384, and shall not support SHA1.
  • Authentication: Method 14 - Digital Signature [43].
    • Implementations shall support ecdsa-with-sha256 and should support ecdsa-with-sha384, and should support RSASSA-PSS with SHA-256. Implementations shall not support sha1WithRSAEncryption, dsa-with-sha1, ecdsa-with-sha1, RSASSA-PSS with Empty Parameters, and RSASSA-PSS with Default Parameters.
• The identity of the CERT payload (including the end entity certificate) shall be used for policy checks;
• Initiating/responding end entities are required to send certificate requests in the IKE_INIT_SA exchange for the responder and in the IKE_AUTH exchange for the initiator;
• Cross-certificates shall not be sent by the peer end entity as they are pre-configured in the end entity;
• The certificates in the certificate payload shall be encoded as type 4 (X.509 Certificate - Signature);
• An end entity shall rekey the IKE SA when any used end entity certificate expires.

Some PKI-capable VPN gateways do not support fragmentation of IKE packets, which becomes an issue when more than one certificate is sent in the certificate payloads, forcing IKE packet fragmentation. This means that direct cross-certification or manually importing the peer CA certificate to the local SEG and trusting it is preferable to bridge CA systems. When IKE is run over pure IPv6 the typical MTU sizes do not increase and long packets still have to be fragmented (allowed for end UDP hosts even for IPv6, see Path MTU Discovery for IPv6 - RFC 8201), so this is a potential interoperability issue. Certificate encoding with PKCS#7 is supported by some PKI-capable VPN gateways, but it shall not be used.

The following requirements are mandatory:

• The TLS server shall always send its own end entity certificate in the ServerCertificate message;
• The TLS client shall send its own end entity certificate in the Certificate message if requested by the TLS server;
• Cross-certificates shall not be sent by the TLS entities in the TLS handshake as they are available locally to the TLS entities.

No general interoperability issues are identified.

• Validity of certificates received from the peer end entity shall be verified by CRLs or OCSP responses retrieved via the mechanisms specified in clause 6.1.1, based on the CRL Distribution Point or Authority Information Access extensions in the certificates.
• Validity of certificates received from the TLS entity shall be verified by CRLs or OCSP responses retrieved via the mechanisms specified in clause 6.1.1, based on the CRL Distribution Point or Authority Information Access extensions in the certificates.
• Any NE, SEG or TLS entity shall not validate received certificates from a peer entity whose validity time has expired, but end the path validation with a negative result.
• Any NE, SEG shall not validate received certificates from a peer entity whose CRL distribution point field is empty, but end the path validation with a negative result.
• Certificate validity calculation results shall not be cached in a SEGs or NEs for longer than the lifetime enforced by the end entity.
• Certificate validity calculation results shall not be cached in TLS entities for longer than the TLS connection lifetime.