
Re: Child_SA key material



It was simply a request for clarification.

As a side note, when compared to describing keys
for the IKE-SA the order suggested that my #1 was
the correct choice. To be consistent should the
IKE-SA keys be taken in the following order:

    SK_d, SK_ei, SK_ai, SK_er, SK_ar

(all keys from initiator to responder before responder
to initiator and encryption before authentication)

David

----- Original Message -----
From: <Charlie_Kaufman@notesdev.ibm.com>
To: "David Faucher" <dfaucher@lucent.com>
Cc: <ipsec@lists.tislabs.com>; <owner-ipsec@lists.tislabs.com>
Sent: Friday, November 29, 2002 8:30 PM
Subject: Re: Child_SA key material


|
| Currently the spec says use your order #2. Is your concern that the spec is
| not clear or that this is not a good order to use?
|
|       --Charlie
|
| "David Faucher" <dfaucher@lucent.com> wrote:
| > Section 4.16 of draft-ietf-ipsec-ikev2-03.txt
| > describes how key material is taken from KEYMAT
| > for CHILD-SAs.
| >
| > If AH and ESP were negotiated would the key material
| > be taken as
| >
| > |     1. AH_ir, AH_ri, ESP_ir(encr, auth), ESP_ri(encr, auth)
| > |
| > |           or
| > |
| > |     2. AH_ir, ESP_ir(encr, auth), AH_ri, ESP_ri(encr, auth)
| >
| > where _ir = initiator to responder SA
| >       _ri = responder to initiator SA
|
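
Added example, not part of the original thread or of the draft: it slices one KEYMAT under both orders discussed above to show which CHILD-SA keys two peers would disagree on if one used order #1 and the other order #2. The key lengths (20-byte AH and ESP auth keys, 16-byte ESP encryption key), the helper names, and the KEYMAT bytes (a constructed stand-in, not real prf+ output) are assumptions.

```python
import hashlib

# Assumed key lengths in bytes (not stated in the thread).
AH_AUTH, ESP_ENCR, ESP_AUTH = 20, 16, 20

# Order #1: both AH keys first, then the ESP keys.
ORDER_1 = ["AH_ir", "AH_ri", "ESP_ir.encr", "ESP_ir.auth",
           "ESP_ri.encr", "ESP_ri.auth"]
# Order #2 (what the spec says, per the reply): all initiator-to-responder
# keys before responder-to-initiator keys.
ORDER_2 = ["AH_ir", "ESP_ir.encr", "ESP_ir.auth", "AH_ri",
           "ESP_ri.encr", "ESP_ri.auth"]

def key_len(name):
    if name.startswith("AH_"):
        return AH_AUTH
    return ESP_ENCR if name.endswith(".encr") else ESP_AUTH

def slice_keymat(keymat, order):
    """Cut KEYMAT into named keys, consuming bytes in the given order."""
    needed = sum(key_len(n) for n in order)
    if len(keymat) < needed:
        raise ValueError(f"KEYMAT too short: need {needed}, got {len(keymat)}")
    keys, off = {}, 0
    for name in order:
        keys[name] = keymat[off:off + key_len(name)]
        off += key_len(name)
    return keys

def constructed_keymat(length):
    """Constructed test bytes standing in for the negotiated KEYMAT."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed-keymat" + bytes([i])).digest()
        i += 1
    return out[:length]

def mismatched(keymat):
    """Names of keys that differ between an order #1 and an order #2 peer."""
    a, b = slice_keymat(keymat, ORDER_1), slice_keymat(keymat, ORDER_2)
    return sorted(n for n in a if a[n] != b[n])

if __name__ == "__main__":
    km = constructed_keymat(112)
    print("keys the two peers disagree on:", mismatched(km))
```

With these lengths the peers agree on AH_ir and both ESP_ri keys, so only part of the traffic fails authentication or decryption, which is why an ordering ambiguity like this can be hard to spot in interop testing.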