This document outlines best practices for selecting and configuring IPsec-enabled equipment. It also details the design, operation, and maintenance of a network encryption service utilizing IPsec to ensure adequate security for personal, enterprise, and OFFICIAL-tier government data. The guidelines provided focus on balancing security and usability.
Overview of This Guidance
This guidance is intended for securing data in transit within an organization or among multiple organizations over networks such as the internet or commercial WAN circuits. Additional scenarios that may find this guidance beneficial include data protection over dedicated links between organizations and cloud service providers, as well as inter-data center connections within those networks.
The target audience includes system administrators tasked with configuring network cryptographic devices and software. This document establishes two profiles for IPsec utilization:
- The Recommended Profile, which utilizes modern cryptographic algorithms and protocols.
- The Legacy Profile, designed for older devices that may not support certain elements of the Recommended Profile.
Important Note
This guidance, along with IPsec, assumes no specific security or resilience requirements of the underlying bearer network. Therefore, any bearer network may be employed without compromising the confidentiality or integrity assurance provided by the IPsec VPN.
Ensuring Secure Deployment and Use of IPsec
IPsec safeguards the confidentiality and integrity of data as it traverses untrusted networks. Network-based encryption employs the IPsec protocol to establish Virtual Private Networks (VPNs), which can be implemented via a software client on an End User Device (EUD), a dedicated hardware appliance (VPN gateway), or as part of existing networking infrastructure (for example, a router).
IPsec VPNs may serve a dedicated purpose, such as interconnecting data centers, or function with a single gateway supporting multiple clients (e.g., for remote access).
Core Device Principles
Establishing reliable encrypted network connections involves more than just technology; it also requires competent individuals managing these connections within a robust management framework to protect system integrity.
Devices utilizing IPsec cryptographic protections should:
- Be deployed and managed by qualified authorities to uphold the protection standards, utilizing a suitable management platform.
- Be configured for effective cryptographic protection.
- Be disposed of securely.
- Appropriately generate and protect private keys.
- Be promptly updated when software or firmware patches are released.
- Utilize certificates for device identification and trust, although Pre-Shared Keys (PSKs) may be considered as an exception for authentication.
Further guidance for VPN usage can be found in the NCSC’s Device Security Guidance.
Guidelines on Pre-Shared Keys (PSKs)
While using certificates for device authentication is highly recommended, we acknowledge that PSKs are prevalent in site-to-site VPNs and may sometimes be the sole authentication option. When using PSKs, adhere to the following recommendations:
- Generate them in a cryptographically secure manner, ensuring at least 128 bits of entropy.
- Ensure they are unique to each authentication group and not shared across different groups.
- Manage them securely, restricting access to authorized personnel throughout their lifecycle.
- Change them immediately if there are concerns about their compromise.
Network Design Considerations
- A simplified network design enhances security and performance. To this end:
- Avoid excessive security functionalities in any single product or feature.
- Preferably, VPN gateways should have three interfaces: one for the LAN, one for the WAN (IPsec encrypted), and one for management.
- The management interface should connect to a dedicated management LAN or a secure management WAN, with encrypted traffic and strong authentication.
- The management functionality should not be accessible directly via the WAN interface.
- Monitor VPN gateways and the associated traffic for unexpected patterns that may indicate misconfiguration or compromise.
Consider potential complexities when designing your network, as additional features can increase the risk of traffic misrouting or device misconfiguration, potentially exposing sensitive data.
More detailed information on secure network design can be found in the Secure design principles and Security architecture anti-patterns, as well as within the guidance on managing and securing network devices.
Cryptographic Profiles
For optimal security, VPN gateways and clients should be configured to:
- Utilize only the Recommended Profile and/or the Legacy Profile.
- Not negotiate alternative cipher suites unless expressly authorized by an administrator.
Both profiles are acceptable for protecting information classified as OFFICIAL within government and public sector networks. When possible, prioritize the Recommended Profile, although the Legacy Profile may be adapted with suitable elements from the Recommended Profile if necessary.
Important Note
The previously defined ‘PSN Interim’ profile is no longer considered appropriate and should be phased out in favor of the profiles defined in this guidance.
Certificate Algorithms and Key Sizes
For most IPsec networks, VPN gateways and clients will require certificates based on a central trust model for authenticating with other VPN devices. Both the Recommended and Legacy Profiles utilize X.509 certificates for peer authentication, achievable through ECDSA or RSA digital signature algorithms.
The parameters for these algorithms, including root CAs, sub-CAs, and end devices, are as follows:
- ECDSA with SHA256 on the NIST P-256 curve
- RSA with a 2048-bit modulus and SHA256 digests
For RSA signatures, both RSASSA-PSS and RSASSA-PKCS1-v1_5 are permissible, with the latter being more broadly compatible (see RFCs 7427, 8017).
Both ECDSA and RSA with the stipulated parameters are anticipated to adequately protect OFFICIAL information until at least December 31, 2027.
The NCSC provides guidance on provisioning and securing security certificates.
Recommended Profile (2022)
For configuring IKE, the Recommended Profile (2022) adopts the parameters outlined below:
| Parameter | Selection | RFCs |
|---|---|---|
| IKE Version | IKEv2 | RFC7296 |
| Encryption Algorithm | AES with 128-bit key using GCM with 16-octet (128-bit) tags | RFC5282 |
| Pseudo-Random Function | PRF-HMAC-SHA-256 | RFC4868 |
| Diffie-Hellman Group | 256-bit random ECP Group 19 or 2048-bit MODP Group 14 | RFC5903, RFC3526 |
| Authentication Method | X.509 certificates using ECDSA or RSA | RFC4945, RFC4754, RFC4055 |
For configuring the Encapsulating Security Payload (ESP), the Recommended Profile (2022) specifies:
| Parameter | Selection | RFCs |
|---|---|---|
| Encryption Algorithm | AES with 128-bit key using GCM with 16-octet (128-bit) tags | RFC4106 |
For key lifetimes, the Recommended Profile (2022) includes:
| Key Type | Lifetime |
|---|---|
| IKE SA | 86400 seconds (1 day) |
| Child SA | 28800 seconds (8 hours) |
The Recommended Profile (2022) is expected to maintain a high level of protection for OFFICIAL information until at least December 31, 2027.
Legacy Profile (2022)
This profile encompasses an RFC-compliant version of IPsec using IKEv1 in ‘Main Mode’ (RFC2409), without any extensions, incorporating Extended Sequence Numbers (RFC4304), Encapsulating Security Payload (ESP) (RFC4303), and the algorithms outlined in the tables below.
For IKE configuration, the Legacy Profile (2022) adopts the following parameters:
| Parameter | Selection | RFCs |
|---|---|---|
| IKE Version | IKEv1 | RFC2409 |
| Mode | Main Mode | RFC2409 |
| Encryption Algorithm | AES with 128-bit key using CBC | RFC3602 |
| Hash Algorithm | SHA2-256 | RFC4868 |
| Diffie-Hellman Group | 256-bit random ECP Group 19 or 2048-bit MODP Group 14 | RFC5903, RFC3526 |
| Authentication Method | X.509 certificates using ECDSA or RSA | RFC4945, RFC4754, RFC4055 |
Important Note
Utilizing Main Mode is mandatory; no alternative modes are permitted.
For ESP configuration, the Legacy Profile (2022) specifies the following:
| Parameter | Selection | RFCs |
|---|---|---|
| Encryption Algorithm | AES with 128-bit key using CBC | RFC3602 |
| Integrity Algorithm | HMAC-SHA-256-128 | RFC4868 |
For key lifetimes, the Legacy Profile (2022) includes:
| Key Type | Lifetime |
|---|---|
| Phase 1 | 86400 seconds (1 day) |
| Phase 2 | 28800 seconds (8 hours) |
Substituting any element of the Legacy Profile (2022) with the equivalent from the Recommended Profile (2022) is permissible.
The Legacy Profile (2022) is anticipated to provide adequate protection for OFFICIAL information until at least December 31, 2023.
Security Considerations for Key Exchanges
Some IPsec equipment might reuse ephemeral Diffie-Hellman private keys across multiple IKE SAs. If such equipment can be configured this way, it is advisable that each ephemeral key is used by only one IKE SA.
Profile Alterations
Certain network functionalities may necessitate deviations from the outlined profiles.
Some previously deployed devices might be unable to utilize HMAC-SHA-256-128 as the ESP integrity algorithm. Thus, per broader SHA-1 usage guidelines, HMAC-SHA-1-96 may continue to be used for the ESP integrity algorithm until further notice. SHA-1, however, must not be utilized for any other purposes within IPsec.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data
