Channel: Sophos User Bulletin Board

Suite-B Encryption RFC6379 - Suite-B-GCM-128 / Suite-B-GCM-256

Does anyone have experience configuring IPSec to match the Suite B Cryptographic Suites for IPSec per RFC 6379?

If so, what are your experiences compared to the built-in AES-128 / AES-256 policies? Were performance issues noted, any connection problems?

RFC 6379 - Suite B Cryptographic Suites for IPsec

3.1. Suite "Suite-B-GCM-128"

This suite provides ESP integrity protection and confidentiality
using 128-bit AES-GCM (see [RFC4106]). This suite or the following
suite should be used when ESP integrity protection and encryption are
both needed.

ESP:
  Encryption              AES with 128-bit keys and 16-octet Integrity Check Value (ICV) in GCM mode [RFC4106]
  Integrity               NULL

IKEv2:
  Encryption              AES with 128-bit keys in CBC mode [RFC3602]
  Pseudo-random function  HMAC-SHA-256 [RFC4868]
  Integrity               HMAC-SHA-256-128 [RFC4868]
  Diffie-Hellman group    256-bit random ECP group [RFC5903]

3.2. Suite "Suite-B-GCM-256"

This suite provides ESP integrity protection and confidentiality
using 256-bit AES-GCM (see [RFC4106]). This suite or the preceding
suite should be used when ESP integrity protection and encryption are
both needed.

ESP:
  Encryption              AES with 256-bit keys and 16-octet ICV in GCM mode [RFC4106]
  Integrity               NULL

IKEv2:
  Encryption              AES with 256-bit keys in CBC mode [RFC3602]
  Pseudo-random function  HMAC-SHA-384 [RFC4868]
  Integrity               HMAC-SHA-384-192 [RFC4868]
  Diffie-Hellman group    384-bit random ECP group [RFC5903]
