Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile & Roadmap document
Tero Kivinen <kivinen@iki.fi> Thu, 22 October 2009 08:38 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 052623A6828 for <ipsec@core3.amsl.com>; Thu, 22 Oct 2009 01:38:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[AWL=0.288, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEXwXNg1QDI3 for <ipsec@core3.amsl.com>; Thu, 22 Oct 2009 01:38:52 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id E062D3A63EC for <ipsec@ietf.org>; Thu, 22 Oct 2009 01:38:51 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id n9M8ctA1001844 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Oct 2009 11:38:55 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id n9M8csoD000488; Thu, 22 Oct 2009 11:38:54 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19168.6686.368531.842814@fireball.kivinen.iki.fi>
Date: Thu, 22 Oct 2009 11:38:54 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Frankel, Sheila E." <sheila.frankel@nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930789878B5E@MBCLUSTER.xchange.nist.gov>
References: <19165.48619.530034.469960@fireball.kivinen.iki.fi> <D7A0423E5E193F40BE6E94126930C4930789878B5E@MBCLUSTER.xchange.nist.gov>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 12 min
X-Total-Time: 31 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "pasi.eronen@nokia.com" <pasi.eronen@nokia.com>
Subject: Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile & Roadmap document
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2009 08:38:53 -0000
Frankel, Sheila E. writes: > I interpreted RFC 4307 slightly differently than Tero does, and I > stand by the wording of both the USGv6 Profile and the IPsec > Roadmap. Although RFC 4307's domain is limited to IKEv2, it clearly > specifies both those algorithms used within IKEv2 and also those > algorithms that IKEv2 negotiates for use by IPsec. That is why there > are 2 separate lists of algorithms: Section 3.1.1 (Encrypted Payload > Algorithms) specifies those algorithms that are used BY IKEv2 in its > Encrypted Payload. Sections 3.1.3 (IKEv2 Transform Type 1 > Algorithms) and 3.1.5 (IKEv2 Transform Type 3 Algorithms) lists > those algorithms that IKEv2 should be able to negotiate for use > within IPsec/child SAs. One detail that supports this interpretation > is the inclusion of NULL encryption in section 3.1.3 - clearly, this > is not appropriate in the IKE Encrypted Payload. If the > applicability of Sections 3.1.3 and 3.1.5 is limited to IKEv2 SAs, > then there is no need for the more constrained list in Section > 3.1.1, which clearly applies only to IKEv2's payloads. Hmm... Yes, it could be interpreted so also, but what is the relationship between RFC4307 and RFC4305/4835 then. Would RFC4305/RFC4835 then cover only manual keying and IKEv1? I always assumed that RFC4307 talks about IKEv2 SAs and RFC4305/4835 talks about ESP and AH (i.e. IPsec SAs aka Child SAs). One reason I think this is the correct interpretation is that RFC4307 section 3.1.4 lists Transform Type 2 Algorithms (Pseudor-random functions, PRFs), and those are applicable ONLY to IKEv2. IPsec SAs/Child SAs/ESP/AH cannot have PRFs. Also section 3.1.5 does not give any status for NONE authentication (as it cannot be used for IKEv2 SAs), but for example RFC4305/RFC4835 both give requirement for it (MUST / MAY). -- kivinen@iki.fi
- [IPsec] RFC4307 & ENCR_NULL & USGv6 profile & Roa… Tero Kivinen
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Frankel, Sheila E.
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Paul Hoffman
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Frankel, Sheila E.
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Paul Hoffman
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Tero Kivinen
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Pasi.Eronen
- Re: [IPsec] RFC4307 & ENCR_NULL & USGv6 profile &… Tero Kivinen