JFK algorithm choice



Apologies in advance for focusing on the bits on the wire over
the cryptographic skeleton, but I wanted to get some clarification
on a few fine points of JFK.

I'm not sure I understand how JFK chooses cryptographic algorithms.

S 2.5 says:

   We also eliminate negotiation, in favor of ukases issued by the
   Responder.  The Responder is providing a service; it is entitled to
   set its own requirements for that service.

and later:

   Any cryptographic
   primitive mentioned by the Responder is acceptable; the Initiator
   can choose any it wishes.

This information appears to be contained in the GRPINFO TLV transmitted in
Msg2, defined in S 4.2:

   grpInfo is expressed as a string of at least four octets. The first
   octet is the encryption algorithm ID, the second octet is the
   signature algorithm ID, and the third octet is the hash function
   used for session key derivation.  Each remaining octet specifies an
   acceptable group number.

As far as I can tell, the only way to express multiple digest and
encryption algorithms (as the second excerpt suggests you can do)
is for the Responder to send multiple GRPINFO payloads in Msg2.
Is this what you intend?

Section 4.2 also says that the SA payload is:

   SA tag  Meaning
   1       IPsec SA, as described in [RFC2409]

What's not clear to me here is that the SA payload in RFC 2409
seems to (when you factor in 2407 and 2408) also include
algorithm information. How is the SA payload intended to be used?
Have I misread one of the specs?

-Ekr
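
As an added illustration (not part of the original message or of the JFK draft), the following Python parses grpInfo strings exactly as the quoted S 4.2 text lays them out (three fixed algorithm octets followed by one or more group octets) and then enumerates what a set of such payloads offers under the payload-scoped reading the question raises, where an encryption/signature/hash triple is bound to the groups listed in the same payload. All algorithm and group identifier values are constructed placeholders, not registry values.

```python
"""Parse JFK grpInfo strings as quoted from draft section 4.2.

Added example, not from the JFK draft or the original message.  Algorithm and
group identifiers used below are constructed placeholders, not registry values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GrpInfo:
    enc_alg: int
    sig_alg: int
    hash_alg: int
    groups: tuple  # acceptable group numbers, at least one


def parse_grpinfo(octets: bytes) -> GrpInfo:
    """Decode one grpInfo string: enc, sig, hash, then one or more group numbers.

    "At least four octets" means the first three are fixed-position algorithm
    IDs and every remaining octet is a group number, so a string shorter than
    four octets names no acceptable group at all and is rejected.
    """
    if len(octets) < 4:
        raise ValueError(f"grpInfo needs >= 4 octets, got {len(octets)}")
    return GrpInfo(octets[0], octets[1], octets[2], tuple(octets[3:]))


def offered_suites(payloads):
    """Every (enc, sig, hash, group) tuple the Responder's payloads allow.

    One grpInfo carries exactly one encryption/signature/hash triple, so a
    Responder that accepts two encryption algorithms has to send two payloads;
    the offered suites are the union over payloads, with each triple bound to
    the groups in its own payload.  This is the reading the message above asks
    about, not a statement of what the draft intends.
    """
    suites = set()
    for raw in payloads:
        gi = parse_grpinfo(raw)
        for g in gi.groups:
            suites.add((gi.enc_alg, gi.sig_alg, gi.hash_alg, g))
    return suites


def initiator_choice_ok(payloads, choice):
    """Check an Initiator's pick against what the Responder actually offered."""
    return tuple(choice) in offered_suites(payloads)


# Constructed sample: two grpInfo payloads differing only in encryption ID.
SAMPLE_PAYLOADS = [
    bytes([1, 7, 3, 2, 5]),   # enc=1, sig=7, hash=3, groups {2, 5}
    bytes([2, 7, 3, 2]),      # enc=2, sig=7, hash=3, groups {2}
]

if __name__ == "__main__":
    for s in sorted(offered_suites(SAMPLE_PAYLOADS)):
        print("offered (enc, sig, hash, group):", s)
    # enc 2 was only advertised alongside group 2, so this pick is refused
    print(initiator_choice_ok(SAMPLE_PAYLOADS, (2, 7, 3, 5)))
```

Under the other possible reading of "any cryptographic primitive mentioned by the Responder is acceptable", the Initiator could combine enc 2 with group 5 even though no single payload lists both; the sample makes that difference between the two readings concrete.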