Re: [IPsec] RFC4869 bis submitted

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 19 November 2009 23:56 UTC

Message-Id: <p0624082ac72b8aa0501e@[10.20.30.158]>
In-Reply-To: <1258674334.15596.312.camel@thunk-west>
References: <D22B261D1FA3CD48B0414DF484E43D3211B49B@celebration.infosec.tycho.ncsc.mil > <1258667497.15596.206.camel@thunk-west> <p06240828c72b7fc0c3ce@[10.20.30.158]> <1258674334.15596.312.camel@thunk-west>
Date: Thu, 19 Nov 2009 15:56:24 -0800
To: Bill Sommerfeld <sommerfeld@sun.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ipsec@ietf.org, "Law, Laurie" <lelaw@tycho.ncsc.mil>
Subject: Re: [IPsec] RFC4869 bis submitted

At 3:45 PM -0800 11/19/09, Bill Sommerfeld wrote:
>On Thu, 2009-11-19 at 15:08 -0800, Paul Hoffman wrote:
>> The text says:
>>   IKEv1 implementations MUST
>>   support pre-shared key authentication [RFC2409] for interoperability.
>>   The authentication method used with IKEv1 MUST be either pre-shared
>>   key [RFC2409] or ECDSA-256 [RFC4754].
>> To me, that sounds like preshared keys are just fine for IKEv1 in this
>> profile, but I might be misunderstanding what you mean by "usefully".
>
>I make a distinction between "optional to use" and "optional to
>implement".  There are many things which are optional to use but
>effectively mandatory to implement -- an implementation is not viewed as
>complete unless it allows the use of the option.

Given that this is IKEv1, where both parties must authenticate using the same authentication mechanism, I have assumed that this text means that ECDSA is not mandatory to implement in IKEv1 for this profile.

>As you pointed out earlier in this thread, this profile is an individual
>submission describing a particular organization's requirements.  I'm
>reluctant to guess or rely on the guess of someone who isn't part of
>this organization when the document itself could be clarified.

Given that this is a revision to an existing RFC, the authors may not know the words that would make this clear to you. Suggested wording for them?

>There is a large gap between "can deliver next week" and "impossible".

RFC 4869 was published more than a week ago. :-)

--Paul Hoffman, Director
--VPN Consortium