@@ -1820,7 +1820,51 @@ be supported.
18201820Security is central to the design of this protocol, and thus security
18211821considerations permeate the specification. Additional security-
18221822relevant aspects of using the IPsec protocol are discussed in the
1823- Security Architecture document.
1823+ Security Architecture document [[RFC4301]].
1824+
1825+ ** DDoS when using Sub-SAs
1826+ Creation of excessive Sub-SAs may exhaust resources on constrained peers.
1827+ Implementations using IKEv2 SHOULD negotiate a “Max Sub-SA IDs” limit and
1828+ MUST enforce local limits on the number of active Sub-SAs.
1829+
1830+ ** Using Crypt Offset
1831+ The Crypt Offset feature exposes portions of the next-header information in
1832+ cleartext, reducing confidentiality and introducing inherent security risk.
1833+ Its use is intended only within a single administrative domain where both
1834+ peers are under common operational control.
1835+
1836+ The following recommendations apply:
1837+
1838+ This mechanism is not intended for use across administrative domains or
1839+ on the open Internet.
1840+
1841+ The receiver SHOULD validate the Crypt Offset against local policy and
1842+ log any violations as auditable event. Even for stateless implementations
1843+ (e.g., similar to [[PSP]]), local maximum Offset values SHOULD be enforced.
1844+
1845+ ** Optional Disabling of Replay Protection
1846+ Disabling replay protection may allow an attacker to force unnecessary
1847+ cryptographic processing, even if higher-layer protocols reject
1848+ replayed data. This is a deployment-specific trade-off and SHOULD be
1849+ enabled only when appropriate for the operational environment.
1850+ Alternativey use localy synchronized clock to filter older packets, when
1851+ the IV is current time.
1852+
1853+ ** Too Many Optional Headers
1854+ EESP optional headers resemble IPv6 Extension Headers. Excessive use of
1855+ optional headers may lead to resource exhaustion on intermediate
1856+ routers or the receiving peer. Implementations SHOULD avoid attaching
1857+ an excessive number of optional headers to a single packet.
1858+
1859+ ** New Sub SA Key Derivation Function
1860+
1861+ This draft introduces a new key derivation procedure for Sub-SAs
1862+ ([[Key Derivation for Sub SAs]]). Any new cryptographic construction
1863+ requires review to ensure that the Sub-SA Key Derivation Function (SSKDF)
1864+ provides appropriate secrecy, independence between Sub-SAs, and resistance
1865+ to key-recovery or cross-SA attacks. A dedicated cryptographic review of
1866+ the SSKDF is therefore RECOMMENDED, and like requested by IETF
1867+ cryptographic working groups or CFRG.
18241868
18251869* IANA Considerations
18261870
0 commit comments