Re: [IPsec] RFC4869 bis submitted

Paul Hoffman <> Thu, 19 November 2009 23:56 UTC

To: Bill Sommerfeld <>
Cc:, "Law, Laurie" <>

At 3:45 PM -0800 11/19/09, Bill Sommerfeld wrote:
>On Thu, 2009-11-19 at 15:08 -0800, Paul Hoffman wrote:
>> The text says:
>>   IKEv1 implementations MUST
>>   support pre-shared key authentication [RFC2409] for interoperability.
>>   The authentication method used with IKEv1 MUST be either pre-shared
>>   key [RFC2409] or ECDSA-256 [RFC4754].
>> To me, that sounds like preshared keys are just fine for IKEv1 in this
>> profile, but I might be misunderstanding what you mean by "usefully".
>I make a distinction between "optional to use" and "optional to
>implement".  There are many things which are optional to use but
>effectively mandatory to implement -- an implementation is not viewed as
>complete unless it allows the use of the option.

Given that this is IKEv1, where both parties must authenticate using the same authentication mechanism, I have assumed that this text means that ECDSA is not mandatory to implement in IKEv1 for this profile.

>As you pointed out earlier in this thread, this profile is an individual
>submission describing a particular organization's requirements.  I'm
>reluctant to guess or rely on the guess of someone who isn't part of
>this organization when the document itself could be clarified.

Given that this is a revision to an existing RFC, the authors may not know the words that would make this clear to you. Suggested wording for them?

>There is a large gap between "can deliver next week" and "impossible".

RFC 4869 was published more than a week ago. :-)

--Paul Hoffman, Director
--VPN Consortium