Re: [IPsec] IANA ikev2 registry and FC values

Yaron Sheffer <> Thu, 17 January 2013 17:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1C9EC21F8587 for <>; Thu, 17 Jan 2013 09:13:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l8MKUEzyhhXY for <>; Thu, 17 Jan 2013 09:13:40 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id CC11421F879D for <>; Thu, 17 Jan 2013 09:13:39 -0800 (PST)
Received: by with SMTP id n10so2025215lbo.8 for <>; Thu, 17 Jan 2013 09:13:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=7M0/57E3Sh3zVxxnef1RiyAQgW3ga8m8JSh9jFkpkdE=; b=04TtwuaGg4AHkuV66ivN9wyE2Kz3P6xR2f4U6QOAyDM+ZUXN+Vw+mPkmUVp4BCfqeV dmt3oSDEgF0Gpyi8OMv2paVkB3i6Ud4lpm/KRPKj8Si4UJfLEMoFft5gNNU0m7I6cmYh x7UOQS6v2EWzwfyPSaFuA9M9JL37HhZwDut2kQ1P5JT52UPvZW2bNuM1nMPh7axTrmD3 a4TYH2nCErJ5aOOlOeEVNQPlxaSwwHL6urNMti1B0jZoCVtq/B1p4ARvnkDvE8D0131X EuoamOW4sT4TfKvh+5k0Q39mwI/KEhc8M20y7slM2GNEdenrDTe6hUtATCQw+sZVvx0I Ws4Q==
X-Received: by with SMTP id hw18mr5639880lab.22.1358442818738; Thu, 17 Jan 2013 09:13:38 -0800 (PST)
Received: from [] ( []) by with ESMTPS id hn3sm1021181lab.10.2013. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 17 Jan 2013 09:13:37 -0800 (PST)
Message-ID: <>
Date: Thu, 17 Jan 2013 19:13:32 +0200
From: Yaron Sheffer <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Tero Kivinen <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [IPsec] IANA ikev2 registry and FC values
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Jan 2013 17:13:41 -0000

Actually, why? At first sight they look entirely reasonable to me 
(untruncated versions of MAC, where we usually truncate). Are you saying 
they are not well defined?

If they're both well-defined and secure, I don't see any reason to add 
this limitation.

After all, we do have much weirder algorithms in the registry.


On 01/17/2013 07:03 PM, Tero Kivinen wrote:
> I got question now about the values allocated for the "IKEv2 in the
> Fibre Channel Security Association Management Protocol" and their use
> in the normal IPsec use over IP. This question was about support for
> AUTH_HMAC_MD5_128 and AUTH_HMAC_SHA1_160 for IPsec over IP, instead of
> using the normal AUTH_HMAC_MD5_96 and AUTH_HMAC_SHA1_96 values
> everybody in IP world are using. When those values were allocated it
> was assumed that they were only to be used in the FC world.
> I noticed that when all other RFC4595 allocated numbers have FC_ in
> their names, but these AUTH_* does not have those. Also there is
> nothing that explictly forbid their use in the IKEv2/ESP over IP, it
> has been implicit because there is nothing that says they can be used
> in the IP world either.
> One of the reasons for these is that this allocation happened when we
> had this process flaw and those drafts never came to the IANA expert
> for review (i.e. to me), so I only did some early comments to their
> -00 draft, and then later noticed that the values had been added to
> the registry.
> To clear up this confusion, I would like to add note to the IANA table
> saying "Only for Fibre Channel use" for those two values.
> Does anybody have any objections for doing that?