Re: [IPsec] IKEv2 vendor-specific payload
<Pasi.Eronen@nokia.com> Fri, 12 March 2010 13:48 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F1C73A6B40 for <ipsec@core3.amsl.com>; Fri, 12 Mar 2010 05:48:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.562
X-Spam-Level:
X-Spam-Status: No, score=-6.562 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgfcLAFVUIdp for <ipsec@core3.amsl.com>; Fri, 12 Mar 2010 05:48:54 -0800 (PST)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 238923A691E for <ipsec@ietf.org>; Fri, 12 Mar 2010 05:43:00 -0800 (PST)
Received: from vaebh106.NOE.Nokia.com (vaebh106.europe.nokia.com [10.160.244.32]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o2CDgTiS008973; Fri, 12 Mar 2010 15:43:03 +0200
Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by vaebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 12 Mar 2010 15:42:23 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 12 Mar 2010 15:42:18 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Fri, 12 Mar 2010 14:42:18 +0100
From: Pasi.Eronen@nokia.com
To: alper.yegin@yegin.org, ipsec@ietf.org
Date: Fri, 12 Mar 2010 14:42:17 +0100
Thread-Topic: [IPsec] IKEv2 vendor-specific payload
Thread-Index: AcrBOvbDlhuTO80ORuqQSKbz1CMwSgArOxNg
Message-ID: <808FD6E27AD4884E94820BC333B2DB77584840C633@NOK-EUMSG-01.mgdnok.nokia.com>
References: <00e601cac13a$feeed790$fccc86b0$@yegin@yegin.org>
In-Reply-To: <00e601cac13a$feeed790$fccc86b0$@yegin@yegin.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 12 Mar 2010 13:42:18.0722 (UTC) FILETIME=[D5840420:01CAC1E9]
X-Nokia-AV: Clean
Subject: Re: [IPsec] IKEv2 vendor-specific payload
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2010 13:48:55 -0000
Hi Alper I guess the preferred route is *not* defining vendor-specific configuration attributes, but instead publishing the spec and getting an IANA-allocated number :-) (note that this doesn't absolutely require publishing it as RFC, or going through the whole IETF process) But if you use numbers from the "private use" range, you need to use the Vendor ID payload. I guess the approach would be something like: - pick a vendor ID; often specs have used e.g. the MD5 hash of some unique string (like "draft-foo-05" or "http://intranet.example.com/ some/spec/" -- you don't have to tell what the string was) to avoid collisions with others. Something like a 16-byte random value would work well, too. - peer A needs to send this VID to B before B can send any of the vendor-specific configuration attributes to A. Concretely, (1) if the vendor-specific attribute can be included in CFG_REQUESTs (usually they can), the VPN gateway needs to include this VID in IKE_SA_INIT response. (2) the client needs to include this VID either in the IKE_SA_INIT request or 1st IKE_AUTH request (latter is probably preferred) - pick random number(s) from the "private use" range (16384-32767) for your configuration attributes. Best regards, Pasi (not wearing any hats) -----Original Message----- > From: Alper Yegin > Sent: 11 March, 2010 18:51 > To: 'ipsec' > Subject: [IPsec] IKEv2 vendor-specific payload > > Hello, > > What is the recommended approach for defining vendor-specific > configuration payload with IKEv2? > > According to my reading of RFC 4306, there is a bit of a room > there. Vendor ID payload is not mandatory to use in such a case. And > even when it is used, the VID can be anything (there is no mandate > for using Enterprise ID, or anything that is globally managed). > > Other protocols I'm familiar with are more strict about defining > vendor-specific options/payloads. > > So, it makes me wonder if there are some current practices that we > should use when defining new payloads. > > Thank you. > > Alper
- [IPsec] IKEv2 vendor-specific payload Alper Yegin
- Re: [IPsec] IKEv2 vendor-specific payload Pasi.Eronen