Re: [Ipsec] IKEv2: AUTH_AES_XCBC_96
Kevin Li <kli@cisco.com> Fri, 16 July 2004 16:40 UTC
Message-ID: <40F8029D.6080907@cisco.com>
Date: Fri, 16 Jul 2004 09:30:21 -0700
From: Kevin Li <kli@cisco.com>
To: "Dondeti, Lakshminath" <ldondeti@nortelnetworks.com>
Subject: Re: [Ipsec] IKEv2: AUTH_AES_XCBC_96
References: <40F7184E.1050805@cisco.com> <40F7FC0C.3000409@nortelnetworks.com>
In-Reply-To: <40F7FC0C.3000409@nortelnetworks.com>
Cc: ipsec@ietf.org

I would agree that AUTH_AES_PRF_128 should change back to AUTH_AES_XCBC_MAC_96 for Transform Type 3 in IKEv2. But to avoid interop issues later, we would like to see that standardized in IKEv2.

BTW, draft-ietf-ipsec-ikev2-algorithms-05.txt is using the number from an older draft of IKEv2.

Thanks.

Kevin

Dondeti, Lakshminath wrote:

> Yes, it is confusing! The reference, RFC 3664 names it
> AES-XCBC-PRF-128; it is a PRF, not an integrity algorithm. Perhaps it
> belongs in the PRF list corresponding to Transform Type 2.
>
> Perhaps AES-XCBC-MAC-96 defined in RFC 3566 might be
> "AUTH_AES_XCBC_MAC_96" and is the correct #5 in Transform Type 3.
>
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-algorithms-05.txt
> seems to have it right!
>
> regards,
> Lakshminath
>
> Kevin Li wrote:
>
>> Hi,
>>
>> The latest draft (IKEv2-14) changed the AUTH_AES_XCBC_96 to
>> AUTH_AES_PRF_128.
>>
>> Since AUTH_AES_XCBC_96 is gone in IKEv2, how are we going to negotiate
>> AUTH_AES_XCBC_96 which ipsec might request for?
>>
>> Is there a new number for AUTH_AES_XCBC_96?
>>
>> Thanks.
>>
>> Kevin
>> Cisco Systems

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec