Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

To: "ipsec at ietf.org" <ipsec at ietf.org>
Subject: Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
From: "Frankel, Sheila E." <sheila.frankel at nist.gov>
Date: Tue, 27 Oct 2009 11:39:17 -0400
Accept-language: en-US
Acceptlanguage: en-US
Cc: Tero Kivinen <kivinen at iki.fi>, Paul Hoffman <paul.hoffman at vpnc.org>, "suresh.krishnan at ericsson.com" <suresh.krishnan at ericsson.com>
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <063.764926e4414cb9e492e9c76aed2dcc1d at tools.ietf.org>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <063.764926e4414cb9e492e9c76aed2dcc1d at tools.ietf.org>
Thread-index: AcpOvk9aHvjitHGqTBejH4YXV3r4SgIXVU/9
Thread-topic: [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

#111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

Proposed changes to Roadmap doc:

1) Add text to section 5.4 (Combined Mode Algorithms)

Current text:
   IKEv1 and ESP-v2 use separate algorithms to provide encryption and
   integrity-protection, and IKEv1 can negotiate different combinations
   of algorithms for different SAs.  In ESP-v3, a new class of
   algorithms was introduced, in which a single algorithm can provide
   both encryption and integrity-protection. [RFC4306] describes how
   IKEv2 can negotiate combined mode algorithms to be used in ESP-v3
   SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to
   negotiate and use combined mode algorithms for its own traffic.  When
   properly designed, these algorithms can provide increased efficiency
   in both implementation and execution.

Additional text:
   Some IKEv1 implementations have added the capability to negotiate 
   combined mode algorithms for use in IPsec SAs; these implementations
   do not include the capability to use combined mode algorithms to protect
   IKE SAs. Since combined mode algorithms are not a feature of IPsec-v2, 
   these IKEv1 implementations are used in conjunction with IPsec-v3.  IANA
   numbers for combined mode algorithms have been added to the IKEv1 registry.

2) Change IKEv2 and IPsec-v2 requirement levels

	Requirements levels for AES-GMAC:
		old IKEv2 - optional
		new IKEv2 - optional (integrity-protection algorithm)
			    N/A (combined mode algorithm with NULL encryption)
		old IPsec-v2 - undefined (no IANA #)
		new IPsec-v2:
		    AH-v2 - optional (integrity-protection alg)
		    ESP-v2 - N/A (combined mode algorithm with NULL encryption)

3) Move RFC 4543 to section on combined mode algorithms, since it has 2 versions: classic integ prot and also combined mode

________________________________________
From: ipsecme issue tracker [trac at tools.ietf.org]
Sent: Friday, October 16, 2009 8:10 PM
To: paul.hoffman at vpnc.org; Frankel, Sheila E.
Subject: [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

#111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
-----------------------------------+----------------------------------------
 Reporter:  paul.hoffman at …         |       Owner:  sheila.frankel at …
     Type:  defect                 |      Status:  new
 Priority:  normal                 |   Milestone:
Component:  roadmap                |    Severity:  -
 Keywords:                         |
-----------------------------------+----------------------------------------
 Section 5.4 says:
    IKEv1 and ESP-v2 use separate algorithms to provide encryption and
    integrity-protection, and IKEv1 can negotiate different combinations
    of algorithms for different SAs.  In ESP-v3, a new class of
    algorithms was introduced, in which a single algorithm can provide
    both encryption and integrity-protection. [RFC4306] describes how
    IKEv2 can negotiate combined mode algorithms to be used in ESP-v3
    SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to
    negotiate and use combined mode algorithms for its own traffic.  When
    properly designed, these algorithms can provide increased efficiency
    in both implementation and execution.
 What about IKEv1? Can you use IKEv1 to negotiate a combined algorithm for
 IPsec-v3?

--
Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/111>
ipsecme <http://tools.ietf.org/ipsecme/>

Follow-Ups:
- Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
  - From: Tero Kivinen

Prev by Date: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-ipv6-config-03.txt
Next by Date: Re: [IPsec] [ipsecme] #112: Truncation of SHA-1 ICVs
Previous by thread: [IPsec] I-D Action:draft-ietf-ipsecme-ikev2-ipv6-config-03.txt
Next by thread: Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
Index(es):
- Date
- Thread

Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.