
Protocol ID Field

There is a field called "Protocol ID", which I intended to leave unchanged
from IKEv1 in the SA, Notify, and Delete payloads. But I initially misread
IKEv1 and then fixed it incorrectly. It is now inconsistently specified in
the spec and I'd like to fix it. I assume this will be non-controversial,
but don't want to make any non-obvious changes at this point without
warning.

Protocol ID is a one byte field that indicates whether we're talking about
an IKE SA, an ESP SA, an AH SA, or an IPcomp SA (though in IKEv2 this code
is never used). I originally believed that the values came from the
Protocol ID IP header field (50 for ESP, 51 for AH, and 108 for IPcomp),
with the special value zero used for the IKE SA. But IKEv1 actually took
values from a different IANA registry "Security Protocol" with assigned
values: 1 for ISAKMP, 2 for AH, 3 for ESP, 4 for IPcomp. When I switched
back from suites to a la carte crypto negotiation (where this field figures
prominently in the SA payload), I changed the codes but made two mistakes.
I left the field name as Protocol ID, making it easily confused with the
field called Protocol ID in the traffic selector field. In the traffic
selector, the Protocol ID field does take its values from the IP header,
most commonly using the codes for TCP and UDP. More dramatically, I used
values different from the ones in the existing IANA registry (0 for IKE, 1
for ESP, and 2 for AH).

Someone pointed these errors out to me in private email, and I tried to fix
it in -07, changing the field name to Security Protocol ID and the values
to match those in IKEv1. But I apparently missed some places. In
particular, in the Proposal structure, it still has the old name and old
values. I'd like to complete the fix by making the numbers and name in the
proposal structure match the values elsewhere. Any objections?

      --Charlie

p.s. A subtlety is that in the IANA registry, the value 1 is for "ISAKMP",
while I am using the value 1 for "IKE". I believe IKE is a protocol
while ISAKMP is a syntax and that it therefore makes more sense to call the
value IKE. But if anyone believes otherwise, and perhaps believes we should
assign a new code for IKE, now would be a good time to speak up.
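To make the distinction in the message concrete, here is an added example (not code from the message, the draft, or any IKEv2 implementation) that decodes the Protocol ID byte in a Proposal substructure and a Delete payload against the IKEv1 "Security Protocol" registry, and the Protocol ID byte in a Traffic Selector against the IP header protocol numbers. The payload layouts are taken from the finished IKEv2 specification (RFC 7296) and are assumed to be close enough to the draft for illustration; the registry tables, the SPI-size checks, and all sample bytes are constructed here.

```python
"""Decode the two differently-sourced "Protocol ID" bytes in IKEv2.

Constructed example.  Payload layouts follow RFC 7296 (Proposal 3.3.1,
Delete 3.11, Traffic Selector 3.13.1); the sample bytes are made up here.
"""
import ipaddress
import struct
from typing import List, NamedTuple, Optional

# IANA "Security Protocol Identifiers" (the IKEv1 registry the message wants the
# SA, Notify and Delete Protocol ID to follow).  Value 1 is "ISAKMP" in IKEv1.
SEC_PROTO = {1: "IKE", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# Values the early IKEv2 drafts used by mistake, per the message.
OLD_DRAFT = {0: "IKE", 1: "ESP", 2: "AH"}
# IP header protocol numbers, which the Traffic Selector field uses instead.
IP_PROTO = {0: "ANY", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 108: "IPCOMP"}
# SPI sizes each protocol carries in Proposal/Delete payloads (IKE: 0 initially, 8 on rekey).
SPI_SIZES = {"IKE": (0, 8), "AH": (4,), "ESP": (4,)}


def protocol_name(value: int, registry: dict) -> Optional[str]:
    """Name for a Protocol ID byte under the given registry (None if unassigned)."""
    return registry.get(value)


class Proposal(NamedTuple):
    number: int
    protocol: str
    spi: bytes
    transforms: List[tuple]  # (Transform Type, Transform ID)


def parse_proposal(buf: bytes, registry: dict = SEC_PROTO) -> Proposal:
    """Parse one Proposal substructure from the start of buf, rejecting unknown
    Protocol IDs and SPI sizes that do not fit the named protocol."""
    if len(buf) < 8:
        raise ValueError("short proposal header")
    _last, _res, length, num, proto_id, spi_size, n_trans = struct.unpack("!BBHBBBB", buf[:8])
    if length > len(buf):
        raise ValueError(f"proposal length {length} exceeds buffer {len(buf)}")
    proto = protocol_name(proto_id, registry)
    if proto is None:
        raise ValueError(f"Protocol ID {proto_id} not in registry {sorted(registry)}")
    if proto in SPI_SIZES and spi_size not in SPI_SIZES[proto]:
        raise ValueError(f"SPI size {spi_size} invalid for {proto}")
    off = 8 + spi_size
    spi = buf[8:off]
    transforms = []
    for _ in range(n_trans):
        if off + 8 > length:
            raise ValueError("transform runs past proposal length")
        _last, _res, tlen, ttype, _res2, tid = struct.unpack("!BBHBBH", buf[off:off + 8])
        if tlen < 8:
            raise ValueError("transform length below header size")
        transforms.append((ttype, tid))
        off += tlen
    if off != length:
        raise ValueError(f"transforms end at {off}, proposal length is {length}")
    return Proposal(num, proto, spi, transforms)


class Delete(NamedTuple):
    protocol: str
    spis: List[bytes]


def parse_delete(buf: bytes, registry: dict = SEC_PROTO) -> Delete:
    """Parse a Delete payload body: Protocol ID, SPI Size, Num of SPIs, SPIs."""
    if len(buf) < 4:
        raise ValueError("short delete payload")
    proto_id, spi_size, n_spis = struct.unpack("!BBH", buf[:4])
    proto = protocol_name(proto_id, registry)
    if proto is None:
        raise ValueError(f"Protocol ID {proto_id} not in registry")
    if proto == "IKE" and (spi_size or n_spis):
        raise ValueError("Delete for the IKE SA carries no SPIs")
    if len(buf) < 4 + spi_size * n_spis:
        raise ValueError("Delete payload shorter than its SPI list")
    spis = [buf[4 + i * spi_size:4 + (i + 1) * spi_size] for i in range(n_spis)]
    return Delete(proto, spis)


class TrafficSelector(NamedTuple):
    ts_type: int
    ip_protocol: str
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str


def parse_traffic_selector(buf: bytes) -> TrafficSelector:
    """Parse one Traffic Selector; here the Protocol ID byte is an IP protocol number."""
    ts_type, ip_proto_id, length, sport, eport = struct.unpack("!BBHHH", buf[:8])
    addr_len = {7: 4, 8: 16}.get(ts_type)  # TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE
    if addr_len is None or length != 8 + 2 * addr_len or len(buf) < length:
        raise ValueError("bad TS type or length")
    start = ipaddress.ip_address(buf[8:8 + addr_len])
    end = ipaddress.ip_address(buf[8 + addr_len:length])
    return TrafficSelector(ts_type, IP_PROTO.get(ip_proto_id, f"ipproto-{ip_proto_id}"),
                           sport, eport, str(start), str(end))


# Constructed sample bytes: an ESP proposal (3DES + HMAC-SHA1-96), a TCP selector
# for 10.0.0.0/24, and Delete payloads for one ESP SA and for the IKE SA.
ESP_PROPOSAL = (
    struct.pack("!BBHBBBB", 0, 0, 28, 1, 3, 4, 2)   # last, rsv, len, num 1, ESP, SPI size 4, 2 transforms
    + bytes.fromhex("01020304")                     # SPI
    + struct.pack("!BBHBBH", 3, 0, 8, 1, 0, 3)      # ENCR (1) = ENCR_3DES (3), more follow
    + struct.pack("!BBHBBH", 0, 0, 8, 3, 0, 2)      # INTEG (3) = AUTH_HMAC_SHA1_96 (2), last
)
TCP_SELECTOR = struct.pack("!BBHHH", 7, 6, 16, 0, 65535) + bytes([10, 0, 0, 0]) + bytes([10, 0, 0, 255])
ESP_DELETE = struct.pack("!BBH", 3, 4, 1) + bytes.fromhex("01020304")
IKE_DELETE = struct.pack("!BBH", 1, 0, 0)

if __name__ == "__main__":
    p = parse_proposal(ESP_PROPOSAL)
    print(f"proposal {p.number}: {p.protocol} SPI {p.spi.hex()} transforms {p.transforms}")
    print("same byte 0x01 decodes as", protocol_name(1, SEC_PROTO), "vs", protocol_name(1, OLD_DRAFT))
    print(parse_traffic_selector(TCP_SELECTOR))
    print(parse_delete(ESP_DELETE), parse_delete(IKE_DELETE))
```

Passing `OLD_DRAFT` as the registry to `parse_proposal` makes the interoperability hazard visible: the ESP proposal above (code 3) is rejected outright, while a proposal carrying code 1 would be read as IKE by one side and ESP by the other.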