Re: [IPsec] #122: Integrity proposals with combined algorithms

[Tero Kivinen <kivinen@iki.fi>]

Paul Hoffman writes:
> I'm pretty sure others have read this the other way: you must give a
> transform of "none".

I do not see any point why I should send none, when it is better to
just leave it out, this is what you normally do for ESP when you use
combined mode ciphers. Leaving it out makes packets smaller...

The problem is that in IKEv2 you are explicitly FORBIDDEN of using
integrity algorithm of NONE:

5.  Security Considerations
...
   choices in this protocol, see [SIGMA] and [SKEME].  Though the
   security of negotiated CHILD_SAs does not depend on the strength of
   the encryption and integrity protection negotiated in the IKE_SA,
   implementations MUST NOT negotiate NONE as the IKE integrity
   protection algorithm or ENCR_NULL as the IKE encryption algorithm.

And someone might interpret that there cannot be Integrity algorithm
NONE in any proposal for IKEv2 SA (in a sense there is no separate IKE
integrity protection algorithm at all, but integrity protection is
provided by the encryption algorithm). 

> Are people OK with wording that says "MUST either offer an integrity
> algorithm or a single integrity algorithm of 'none'"?

If you add "no" somewhere there (i.e. MUST either offer no integrity
algorithm...) then I can accept it.

> I still don't think NONE is not allowed, but I want to hear from
> others. If no one implemented sending 'none', I'm happy to remove
> it, but I don't want to break anyone's implementation. 

We do not support combined modes for IKEv2 SA yet (only for ESP, and
in ESP we do not send integrity algorithm at all, but we do accept
other ends proposal if they send none).
-- 
kivinen@iki.fi