Re: [IPsec] RFC4869 bis submitted

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 19 November 2009 23:08 UTC

To: Bill Sommerfeld <sommerfeld@sun.com>, "Law, Laurie" <lelaw@tycho.ncsc.mil>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ipsec@ietf.org

At 1:51 PM -0800 11/19/09, Bill Sommerfeld wrote:
>On Tue, 2009-11-10 at 17:15 -0500, Law, Laurie wrote:
>> This Internet-Draft makes several minor changes to the suites in RFC
>> 4869 and incorporates comments that have been posted to the ipsec
>> mailing list.
>
>On reading the spec, it's not clear to me whether an IKEv1
>implementation which supports ECP-based DH (rfc4753) with preshared keys
>but not ECDSA (rfc4754) is considered to usefully implement this
>specification.

The text says:
  IKEv1 implementations MUST
  support pre-shared key authentication [RFC2409] for interoperability.
  The authentication method used with IKEv1 MUST be either pre-shared
  key [RFC2409] or ECDSA-256 [RFC4754].
To me, that sounds like preshared keys are just fine for IKEv1 in this profile, but I might be misunderstanding what you mean by "usefully".

>As a practical matter, the ECDSA piece of this spec is likely to be the
>largest and last piece built -- given a working elliptic curve codebase,
>plugging ephemeral ECDH into an IKE implementation is a much smaller
>problem than building ECDSA into both an IKE implementation and the PKI
>client codebase, tools, and keystores it relies on.

Probably true, but ECDSA is far from impossible, as the OpenSSL people have shown for a while now.

--Paul Hoffman, Director
--VPN Consortium