
Re: IKEV2: Issue #2: Cipher suites



kivinen@ssh.fi (Tero Kivinen) writes:
> There was also a proposal to split the suites to IKE and IPsec suites,
> i.e. put all IKE suites to have numbers 0-8191 and IPsec suites from
> 8192-16383 or similar.

To reply to my own comment, I think it would be even better to split
those tables completely. The crypto suite numbers should be allocated
in two different pools, one for the phase 1 and one for the phase 2.

This would remove problems and errors where someone includes a suite for
ESP in the phase 1 or an IKE suite for child_sa. The parsing of SA
payload can be identical but the meaning of the values in the payloads
should depend on if it is phase 1 or 2 SA negotiation payload.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/