Re: IKE V2 Open Issues
There is another big open issue that Ted didn't list, but we need to
resolve, namely the splitting out of the crypto algorithms and MUSTs
and SHOULDs.
What we have at this moment is -06, which lists the crypto algorithms
and discusses the mandatory algorithms (without actually specifying
them). Jeff Schiller volunteered to write the second document, which
would define the mandatory algorithms and the UI suites that we would
use.
After talking with Charlie, we realized that we had different views
of what was agreed to at the San Francisco meeting, and unfortunately
the minutes don't help clarify it. There seemed to be general
agreement that the main IKEv2 document should not need to be revised
if we change algorithms or change how or why we want
implementations to use them. The second document would be easier to
update, specifically when we wanted to mandate AES and associated
algorithms. This split has been used successfully in other IETF WGs.
There also seemed to be agreement that we should have a small number
of UI suites that cover the mandatory algorithms, and that the UI
suites should have justifying text.
Based on that, I propose the following:
- The list of crypto algorithms should be in Jeff's document. Leave
the transform IDs in section 3.3.2 of IKEv2, but move everything
starting with "For Transform Type 1..." to Jeff's document.
- Leave section 3.3.3 (the mandatory transform types, not algorithms)
in the IKEv2 document.
- Move the discussion of mandatory transform IDs to Jeff's document.
Section 3.3.4 should not be in the IKEv2 document, and Jeff can use
as much of it as he wants in his document, depending on how he is
arranging it.
- Jeff's document also has a short list of UI suites and some
discussion of them. The list could be shorter than the one Charlie
had in the -05 draft, and might only encompass the mandatory
algorithms, or it might be longer. We need to discuss the list after
we see it.
The result will bring us more in line with current IETF practice, and
will let us give the VPN industry some clear guidance on how they can
make their future IKEv2 systems more interoperable.
--Paul Hoffman, Director
--VPN Consortium