IETF Logo Mail Archive

Re: [IPsec] IPsec maintenance/extensions WG?

"balaji raghavan" <balaji.raghavan.t@gmail.com> Wed, 23 April 2008 07:42 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B9733A6C81; Wed, 23 Apr 2008 00:42:46 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D49D3A6975 for <ipsec@core3.amsl.com>; Wed, 23 Apr 2008 00:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H4lAk2MNeyNy for <ipsec@core3.amsl.com>; Wed, 23 Apr 2008 00:42:44 -0700 (PDT)
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by core3.amsl.com (Postfix) with ESMTP id 4490E3A6C53 for <ipsec@ietf.org>; Wed, 23 Apr 2008 00:42:44 -0700 (PDT)
Received: by py-out-1112.google.com with SMTP id x19so3352620pyg.24 for <ipsec@ietf.org>; Wed, 23 Apr 2008 00:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=CoUIUW63mdDRiBc9+HCCejOwAIrU8FdTsyP+NvRzZg4=; b=blRvzg8r/KbOWfFdtjFqwG8QAiJ2c0tQmxGc/8akLdIEh33R3OAE06JoVwRjLhIfkH6ZTplYEz1XUyQz1cdMMQJEeLX0DEaIqMf0IzddkyZ5SCA8qoqpCTzdHp2T1wtvQLMkbomYvQ7TMedB4jqCiglYqyblnUDiPCCVuVg+Es0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ndeL11elt81jG63QoQmXhrLfN2910Yw/pld80bCoCPefCpvFluLNrQrDTPpaDMkIQa17moxTmsaPyXgodxCGYo00qcSB8WGF5slev32SiY81GmsHn5fywnMcbu1EJaFSL+T8nqcmQNrE2679zYme1MLnrxh0WHof/w1nApLas+s=
Received: by 10.35.96.11 with SMTP id y11mr2155345pyl.52.1208936569796; Wed, 23 Apr 2008 00:42:49 -0700 (PDT)
Received: by 10.35.37.3 with HTTP; Wed, 23 Apr 2008 00:42:49 -0700 (PDT)
Message-ID: <850df0c40804230042o2dfe5d9i45200f0b952fe496@mail.gmail.com>
Date: Wed, 23 Apr 2008 09:42:49 +0200
From: balaji raghavan <balaji.raghavan.t@gmail.com>
To: Dan McDonald <danmcd@sun.com>
In-Reply-To: <20080422201533.GG15188@kebe.east.sun.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <200804221721.m3MHLMTp001727@faith.austin.ibm.com> <480E4282.1040403@certicom.com> <20080422201533.GG15188@kebe.east.sun.com>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IPsec maintenance/extensions WG?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: balaji.raghavan.t@gmail.com
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

To flog the dead(?) horse once more ... :)

The effects of ESP(v3) and AH updates( RFC 4302 and RFC 4303) , for
example ESN and TFC enhancements on Pfkey have to be also considered
.. Though RFC 4718 does clarify the effects of these enhancements on
IKEv2 operation it does leave out pfkey related matters.

Although i do agree that the pfkey API specification does fall out of
the scope of IETF,  for the sake of interop doesn't it atleast warrant
mention in the WG forum ?

-Regards
Balaji

On Tue, Apr 22, 2008 at 10:15 PM, Dan McDonald <danmcd@sun.com> wrote:
> On Tue, Apr 22, 2008 at 03:54:42PM -0400, Chinh Nguyen wrote:
>  > Joy Latten wrote:
>  >
>  > > This may be a moot topic, if so please ignore, but are there any
>  > > plans to improve/extend pfkey for ikev2? Just wondering. :-)
>
>  There's been prodding by some to produce PF_KEYv3.  I've had no cycles, but I
>  do have interest in helping produce a 430x-happy PF_KEYv3.
>
>
>  > There are certainly a number of pfkey issues. For example, linux & bsd
>  > have slightly different implementation of pfkey. Now, this is a impl.
>  > issue not a standards issue but it highlights the fact that people are
>  > wishing to extend pfkey. These extensions typically never made it past
>  > draft, and have since expired.
>
>  Yes - and the BSD and Linux extensions (based on the KAME/WIDE work) are very
>  VERY different than, say, the ones produced in what is now OpenSolaris.  When
>  we opened up OpenSolaris, I blogged about it here:
>
>         http://blogs.sun.com/danmcd/entry/pf_key_in_solaris_or
>
>  Part of that divergence is my fault - when I co-wrote 2367, I was fighting
>  internal IPsec battles at Sun (old-timers on this list know EXACTLY what I'm
>  talking about).  I didn't consider the needs of an actual KMd writer, and I
>  was resistant to anything that to my mind would favor IKEv1 vs. another
>  future KM protocol.  I'd like to think anyone could build JFK, IKEv2, or
>  anything else on top of PF_KEY, as that was the point of PF_KEY in the first
>  place.  2367 as published had several weaknesses, which various extension
>  efforts fixed in their own way.
>
>
>  > A second one is that if you were to attempt to convert an "IKEv2" child
>  > SA to pfkey format, you will find that there are no IANA numbers
>  > assigned to the ipsec side for ENCR_NULL_AUTH_AES_GMAC and
>  > AUTH_AES_[128|192|256]_GMAC
>  > (http://www.iana.org/assignments/ikev2-parameters). This assumes that
>  > pfkey is using the values from
>  > http://www.iana.org/assignments/isakmp-registry, which is true for linux.
>
>  And what's worse --> IKEv2/430x uses slightly different values than
>  IKEv1/240x for algorithms like the SHA-2 family.  Check this out:
>
>  From http://www.iana.org/assignments/ikev2-parameters  -- we have:
>
>      For Transform Type 3 (Integrity Algorithm),
>      defined Transform IDs are:
>      Number    Name                                Reference
>      ------    ---------------------------------   ---------
>           0    NONE                                [RFC4306]
>           1    AUTH_HMAC_MD5_96                    [RFC2403]
>           2    AUTH_HMAC_SHA1_96                   [RFC2404]
>           3    AUTH_DES_MAC                        [RFC4306]
>           4    AUTH_KPDK_MD5                       [RFC1826]
>           5    AUTH_AES_XCBC_96                    [RFC3566]
>           6    AUTH_HMAC_MD5_128                   [RFC4595]
>           7    AUTH_HMAC_SHA1_160                  [RFC4595]
>           8    AUTH_AES_CMAC_96                    [RFC4494]
>           9    AUTH_AES_128_GMAC                   [RFC4543]
>          10    AUTH_AES_192_GMAC                   [RFC4543]
>          11    AUTH_AES_256_GMAC                   [RFC4543]
>          12    AUTH_HMAC_SHA2_256_128              [RFC4868]
>          13    AUTH_HMAC_SHA2_384_192              [RFC4868]
>          14    AUTH_HMAC_SHA2_512_256              [RFC4868]
>
>  But from RFC 4868 we have:
>
>    For IKE Phase 2 negotiations, IANA has assigned the following
>    authentication algorithm identifiers:
>
>    HMAC-SHA2-256:  5
>
>    HMAC-SHA2-384:  6
>
>    HMAC-SHA2-512:  7
>
>
>  So it's DIFFERENT between IKEv1 and IKEv2, and we really would like to keep
>  PF_KEY independent, yet optimized.  This used to be simple, now it's quite
>  hard.  OpenSolaris uses 5-7 for SHA2 in PF_KEY, but when we switch to a fully
>  430x-happy IPsec, we need to consider what to do.
>
>  There are two distinct PF_KEY lists too,  the original one --
>  pf_key@inner.net (Bcc:ing the keeper of that list), and one on vpnc.org.
>
>
>  I think PF_KEY falls outside this or any followup IETF group -- after all the
>  IETF isn't supposed to do APIs last time I checked.  OTOH, there's plenty of
>  fertile ground for feedback into PF_KEYv3.  As I'm learning the hard way how
>  much two implementations have diverged (I'm bringing up racoon2 on
>  OpenSolaris) - I believe there's an opportunity to get it right.  I just hope
>  it doesn't get bloated beyond usability.
>
>  Dan
>
>
> _______________________________________________
>  IPsec mailing list
>  IPsec@ietf.org
>  https://www.ietf.org/mailman/listinfo/ipsec
>
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email