Re: [IPsec] RFC4869 bis submitted

Bill Sommerfeld <> Thu, 19 November 2009 23:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1F8D13A698F for <>; Thu, 19 Nov 2009 15:45:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o37zi4KIl2Cx for <>; Thu, 19 Nov 2009 15:45:46 -0800 (PST)
Received: from (brmea-mail-1.Sun.COM []) by (Postfix) with ESMTP id 47C8F3A68C1 for <>; Thu, 19 Nov 2009 15:45:46 -0800 (PST)
Received: from ([]) by (8.13.6+Sun/8.12.9) with ESMTP id nAJNjeNE012431; Thu, 19 Nov 2009 23:45:40 GMT
Received: from thunk-west.local (dhcp-mpk17-108-155.SFBay.Sun.COM []) by (8.13.8+Sun/8.13.8/ENSMAIL,v2.4) with ESMTP id nAJNjcqg027412; Thu, 19 Nov 2009 15:45:38 -0800 (PST)
Received: from thunk-west.local (thunk-west []) by thunk-west.local (8.14.3+Sun/8.14.3) with ESMTP id nAJNjYr0016400; Thu, 19 Nov 2009 15:45:34 -0800 (PST)
Received: (from sommerfeld@localhost) by thunk-west.local (8.14.3+Sun/8.14.3/Submit) id nAJNjYnj016399; Thu, 19 Nov 2009 15:45:34 -0800 (PST)
X-Authentication-Warning: thunk-west.local: sommerfeld set sender to using -f
From: Bill Sommerfeld <>
To: Paul Hoffman <>
In-Reply-To: <p06240828c72b7fc0c3ce@[]>
References: <> <1258667497.15596.206.camel@thunk-west> <p06240828c72b7fc0c3ce@[]>
Content-Type: text/plain; charset="ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 19 Nov 2009 15:45:34 -0800
Message-ID: <1258674334.15596.312.camel@thunk-west>
Mime-Version: 1.0
Cc:, "Law, Laurie" <>
Subject: Re: [IPsec] RFC4869 bis submitted
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Nov 2009 23:45:47 -0000

On Thu, 2009-11-19 at 15:08 -0800, Paul Hoffman wrote:
> The text says:
>   IKEv1 implementations MUST
>   support pre-shared key authentication [RFC2409] for interoperability.
>   The authentication method used with IKEv1 MUST be either pre-shared
>   key [RFC2409] or ECDSA-256 [RFC4754].
> To me, that sounds like preshared keys are just fine for IKEv1 in this
> profile, but I might be misunderstanding what you mean by "usefully".

I make a distinction between "optional to use" and "optional to
implement".  There are many things which are optional to use but
effectively mandatory to implement -- an implementation is not viewed as
complete unless it allows the use of the option.

As you pointed out earlier in this thread, this profile is an individual
submission describing a particular organization's requirements.  I'm
reluctant to guess or rely on the guess of someone who isn't part of
this organization when the document itself could be clarified.

> >As a practical matter, the ECDSA piece of this spec is likely to be the
> >largest and last piece built -- given a working elliptic curve codebase,
> >plugging ephemeral ECDH into an IKE implementation is a much smaller
> >problem than building ECDSA into both an IKE implementation and the PKI
> >client codebase, tools, and keystores it relies on.
> Probably true, but ECDSA is far from impossible, as the OpenSSL people
> have shown for a while now.

There is a large gap between "can deliver next week" and "impossible".
(I'll also note in passing that changing which PKI client codebase you
use in an IKE implementation is also a sizeable task).

					- Bill