IETF Logo Mail Archive

Re: [IPsec] IANA ikev2 registry and FC values

"Dan Harkins" <dharkins@lounge.org> Thu, 17 January 2013 19:44 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 493D421F8870 for <ipsec@ietfa.amsl.com>; Thu, 17 Jan 2013 11:44:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wccni3ktsB+W for <ipsec@ietfa.amsl.com>; Thu, 17 Jan 2013 11:44:24 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 08FEE21F88ED for <ipsec@ietf.org>; Thu, 17 Jan 2013 11:44:24 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 2CCE410224052; Thu, 17 Jan 2013 11:44:21 -0800 (PST)
Received: from 216.123.155.211 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 17 Jan 2013 11:44:21 -0800 (PST)
Message-ID: <a837b58bc18cf1ed1a943dc9055033c1.squirrel@www.trepanning.net>
In-Reply-To: <50F841B8.5080707@gmail.com>
References: <20728.12021.834751.712756@fireball.kivinen.iki.fi> <50F8313C.60204@gmail.com> <20728.14111.293749.62984@fireball.kivinen.iki.fi> <50F83953.9060003@gmail.com> <20728.16202.414687.956476@fireball.kivinen.iki.fi> <50F841B8.5080707@gmail.com>
Date: Thu, 17 Jan 2013 11:44:21 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IANA ikev2 registry and FC values
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2013 19:44:28 -0000

  Hello,

On Thu, January 17, 2013 10:23 am, Yaron Sheffer wrote:
> I agree that sharing registries with related but different protocols is
> not a good thing. I just think this is not one of these cases.

  I agree that this is not the case but sharing registries should not
be a problem. We use OIDs all the time with different protocols.
The problems arise when a group of people attempts to impose
administrative rules on protocol use and say that some completely
legitimate technical application is prohibited for the simple reason
that they say it is.

  Dan.

> Thanks,
> 	Yaron
>
> On 01/17/2013 08:13 PM, Tero Kivinen wrote:
>> Yaron Sheffer writes:
>>> OTOH your proposal would mean one more difference between "regular"
>>> IPsec implementations and FC-specific ones. I don't think that would be
>>> a good thing.
>>
>> FC-specific ones are only using these non-truncated ones, and they are
>> using special ID payloads, separate protocol ID values, different
>> types of traffic selectors etc. They are reusing the basic IKEv2
>> protocol, and some of the payloads, but it is different protocol than
>> IKEv2.
>>
>>>> They are not defined for IP use at all. None of the IKEv2/ESP over IP
>>>> uses those values. Ah, found text from our IPsec/IKE Roadmap:
>>>>
>>>> 		   For HMAC-SHA-1 and HMAC-MD5, the IKEv2 IANA registry
>>>>      contains values for both the truncated version and the standard
>>>> non-
>>>>      truncated version; thus, IKEv2 has the capability to negotiate
>>>> either
>>>>      version of the algorithm.  However, only the truncated version is
>>>>      used for IKEv2 SAs and for IPsec SAs.  The non-truncated version
>>>> is
>>>>      reserved for use by the Fibre Channel protocol [RFC4595].  For
>>>> the
>>>>      other algorithms (AES-XCBC, HMAC-SHA-256/384/512, AES-CMAC, and
>>>> HMAC-
>>>>      RIPEMD), only the truncated version can be used for both IKEv2
>>>> and
>>>>      IPsec-v3 SAs.
>>>>
>>>> which actually says we always use truncated version (so I was wrong
>>>> they are not forbidden anywhere, missed this text last time as it uses
>>>> SHA-1 spelling not SHA1, which I was searching for :-).
>>>>
>>>
>>> This text is simply describing the existing situation. It is not at all
>>> normative.
>>
>> Which is why I also want to describe that existing situation in the
>> IANA registry. If you want to use those non-truncated versions in
>> IPsec, you can write draft describing that...
>>
>>>> That is true, and I do not consider that as a good thing. It is much
>>>> better to have one good way of doing things than two ways of doing
>>>> same thing, especially if those two ways are about the same.
>>>>
>>>
>>> Yes, but people have good reasons to add algorithms, which is (part of
>>> the reason) why we negotiate them in the protocol. Thus "Tiger",
>>> "camellia" and the like, and I'm sure the FC folks had a good reason
>>> for
>>> the untruncated algorithms, too.
>>
>> They had some reason, but on the other hand IPsec people did not want
>> those untruncated algorithms, and have not specified them for IP use.
>> This is one of the problems when sharing registries causes problems.
>> Suddenly you might have options for protocols which did not request
>> them added to them, because someone else who shares the same registry
>> added them.
>>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email