
Re: IKE V2 Open Issues



There is another big open issue that Ted didn't list, but we need to 
resolve, namely the splitting out of the crypto algorithms and MUSTs 
and SHOULDs.

What we have in this moment is -06 which lists the crypto algorithms 
and discusses the mandatory algorithms (without actually specifying 
them). Jeff Schiller volunteered to write the second document, which 
would define the mandatory algorithms and the UI suites that we would 
use.

After talking with Charlie, we realized that we had different views 
of what was agreed to at the San Francisco meeting, and unfortunately 
the minutes don't help clarify it. There seemed to be general 
agreement that the main IKEv2 document should not need to be revised 
if we change algorithms or change how or why we want 
implementations to use them. The second document would be easier to 
update, specifically when we wanted to mandate AES and associated 
algorithms. This split has been used successfully in other IETF WGs.

There also seemed to be agreement that we should have a small number 
of UI suites that cover the mandatory algorithms, and that the UI 
suites should have justifying text.

Based on that, I propose the following:

- The list of crypto algorithms should be in Jeff's document. Leave 
the transform IDs in section 3.3.2 of IKEv2, but move everything 
starting with "For Transform Type 1..." to Jeff's document.

- Leave section 3.3.3 (the mandatory transform types, not algorithms) 
in the IKEv2 document.

- Move the discussion of mandatory transform IDs to Jeff's document. 
Section 3.3.4 should not be in the IKEv2 document, and Jeff can use 
as much of it as he wants in his document, depending on how he is 
arranging it.

- Jeff's document also has a short list of UI suites and some 
discussion of them. The list could be shorter than the one Charlie 
had in the -05 draft, and might only encompass the mandatory 
algorithms, or it might be longer. We need to discuss the list after 
we see it.

The result will bring us more in line with current IETF practice, and 
will let us give the VPN industry some clear guidance on how they can 
make their future IKEv2 systems more interoperable.

--Paul Hoffman, Director
--VPN Consortium