Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
"Frankel, Sheila E." <sheila.frankel@nist.gov> Tue, 27 October 2009 15:43 UTC
Return-Path: <sheila.frankel@nist.gov>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE9EC3A6925 for <ipsec@core3.amsl.com>; Tue, 27 Oct 2009 08:43:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.351
X-Spam-Level:
X-Spam-Status: No, score=-6.351 tagged_above=-999 required=5 tests=[AWL=0.248, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OgBarxulEpEy for <ipsec@core3.amsl.com>; Tue, 27 Oct 2009 08:43:52 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id A2C323A6858 for <ipsec@ietf.org>; Tue, 27 Oct 2009 08:43:51 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (wsxghub2.nist.gov [129.6.18.19]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id n9RFhlS4026105; Tue, 27 Oct 2009 11:43:47 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([2002:8106:1213::8106:1213]) with mapi; Tue, 27 Oct 2009 11:43:43 -0400
From: "Frankel, Sheila E." <sheila.frankel@nist.gov>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Tue, 27 Oct 2009 11:39:17 -0400
Thread-Topic: [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
Thread-Index: AcpOvk9aHvjitHGqTBejH4YXV3r4SgIXVU/9
Message-ID: <D7A0423E5E193F40BE6E94126930C4930789878B73@MBCLUSTER.xchange.nist.gov>
References: <063.764926e4414cb9e492e9c76aed2dcc1d@tools.ietf.org>
In-Reply-To: <063.764926e4414cb9e492e9c76aed2dcc1d@tools.ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: sheila.frankel@nist.gov
Cc: Tero Kivinen <kivinen@iki.fi>, Paul Hoffman <paul.hoffman@vpnc.org>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>
Subject: Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2009 15:43:53 -0000
#111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3? Proposed changes to Roadmap doc: 1) Add text to section 5.4 (Combined Mode Algorithms) Current text: IKEv1 and ESP-v2 use separate algorithms to provide encryption and integrity-protection, and IKEv1 can negotiate different combinations of algorithms for different SAs. In ESP-v3, a new class of algorithms was introduced, in which a single algorithm can provide both encryption and integrity-protection. [RFC4306] describes how IKEv2 can negotiate combined mode algorithms to be used in ESP-v3 SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to negotiate and use combined mode algorithms for its own traffic. When properly designed, these algorithms can provide increased efficiency in both implementation and execution. Additional text: Some IKEv1 implementations have added the capability to negotiate combined mode algorithms for use in IPsec SAs; these implementations do not include the capability to use combined mode algorithms to protect IKE SAs. Since combined mode algorithms are not a feature of IPsec-v2, these IKEv1 implementations are used in conjunction with IPsec-v3. IANA numbers for combined mode algorithms have been added to the IKEv1 registry. 2) Change IKEv2 and IPsec-v2 requirement levels Requirements levels for AES-GMAC: old IKEv2 - optional new IKEv2 - optional (integrity-protection algorithm) N/A (combined mode algorithm with NULL encryption) old IPsec-v2 - undefined (no IANA #) new IPsec-v2: AH-v2 - optional (integrity-protection alg) ESP-v2 - N/A (combined mode algorithm with NULL encryption) 3) Move RFC 4543 to section on combined mode algorithms, since it has 2 versions: classic integ prot and also combined mode ________________________________________ From: ipsecme issue tracker [trac@tools.ietf.org] Sent: Friday, October 16, 2009 8:10 PM To: paul.hoffman@vpnc.org; Frankel, Sheila E. Subject: [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3? #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3? -----------------------------------+---------------------------------------- Reporter: paul.hoffman@… | Owner: sheila.frankel@… Type: defect | Status: new Priority: normal | Milestone: Component: roadmap | Severity: - Keywords: | -----------------------------------+---------------------------------------- Section 5.4 says: IKEv1 and ESP-v2 use separate algorithms to provide encryption and integrity-protection, and IKEv1 can negotiate different combinations of algorithms for different SAs. In ESP-v3, a new class of algorithms was introduced, in which a single algorithm can provide both encryption and integrity-protection. [RFC4306] describes how IKEv2 can negotiate combined mode algorithms to be used in ESP-v3 SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to negotiate and use combined mode algorithms for its own traffic. When properly designed, these algorithms can provide increased efficiency in both implementation and execution. What about IKEv1? Can you use IKEv1 to negotiate a combined algorithm for IPsec-v3? -- Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/111> ipsecme <http://tools.ietf.org/ipsecme/>
- Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate c… Frankel, Sheila E.
- Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate c… Tero Kivinen