
Re: transform type 5 in ui-suites-03



The current version (option 2 below) is fine (except for not leaving '0' 
as RESERVED, as in the other transform types!).  

However, the ui-suites I-D needs to be corrected accordingly, i.e., 
VPN-A proposal needs to send ESN=0 as part of the transforms.

regards,
Lakshminath

Charlie_Kaufman@notesdev.ibm.com wrote:

>
>
> Lakshminath Dondeti wrote on 08/04/2003 02:46:39 PM:
> > Hi,
> >
> > Why is transform type 5 (Extended Sequence Numbers) excluded from Suite
> > definitions in the ui-suites I-D?
> >
> > IKEv2-08 says "If Transform Type 5 is not included in a proposal, use of
> > Extended Sequence Numbers is assumed."  Thus a VPN-A proposal needs to
> > send ESN=0 as part of the transforms.
> >
> > Thanks in advance for any insight into this.
> >
> > regards,
> > Lakshminath
> >
>
> I agree that the current wording of the IKEv2 spec implies that any proposal
> that excludes use of ESNs requires a Transform Type 5 w/ESN=0 to be included.
>
> I worded it the way I did because I assumed that going forward use of Extended
> Sequence Numbers would likely become universal and that therefore using them
> would be the right default (and have the shorter encoding).
>
> The alternatives are:
>
> 1) Require that transform type 5 (ESN) always be provided in a proposal for
> ESP or AH.
>
> 2) Allow it to be specified, but choose a default value that is implied and
> allow the transform to be omitted if only the default is proposed. (This
> is the current wording).
>
> 3) Allow it to be specified, but choose a default value that is implied and
> *require* the transform to be omitted if only the default is proposed.
>
> The trade-offs involve a minimal amount of complexity in proposal generation
> and parsing and 4 bytes on the wire in each direction. I don't believe any
> of the arguments is very strong, and wrote the current text after flipping
> a (virtual) three sided coin.
>
> But perhaps others see this differently (or perhaps the text does not
> express what I think it does).
>
>         --Charlie
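
Added example, not part of the original messages and not code from the IKEv2 or ui-suites drafts: a sketch of how a responder would resolve ESN for an ESP/AH proposal under each of the three alternatives listed above, showing why a VPN-A proposal that omits type 5 is read as offering ESN. Assumptions: proposals are modelled as (transform type, transform ID) pairs rather than wire bytes, the value 1 for "use ESN" is assumed (the thread only gives ESN=0), and all function and constant names are hypothetical.

```python
from enum import Enum

ESN_TYPE = 5   # Transform Type 5 (Extended Sequence Numbers), as named in the thread
NO_ESN = 0     # the "ESN=0" value from the thread
USE_ESN = 1    # assumption: the thread never states the "use ESN" value
DEFAULT = USE_ESN  # quoted IKEv2-08 text: type 5 omitted means ESN is assumed

class Policy(Enum):
    ALWAYS_PRESENT = 1     # alternative 1
    MAY_OMIT_DEFAULT = 2   # alternative 2 (the current wording)
    MUST_OMIT_DEFAULT = 3  # alternative 3

class ProposalError(ValueError):
    pass

def offered_esn(transforms, policy):
    """Responder side: set of ESN values an ESP/AH proposal offers.
    transforms is a list of (transform_type, transform_id) pairs."""
    ids = [tid for ttype, tid in transforms if ttype == ESN_TYPE]
    if any(i not in (NO_ESN, USE_ESN) for i in ids):
        raise ProposalError("unknown type 5 value")
    if len(ids) != len(set(ids)):
        raise ProposalError("duplicate type 5 transform")
    if not ids:
        if policy is Policy.ALWAYS_PRESENT:
            raise ProposalError("type 5 is mandatory under alternative 1")
        return {DEFAULT}   # the implied default applies
    if policy is Policy.MUST_OMIT_DEFAULT and ids == [DEFAULT]:
        raise ProposalError("default-only type 5 must be omitted under alternative 3")
    return set(ids)

def esn_transforms_to_send(wanted, policy):
    """Initiator side: type 5 transforms to encode for the wanted ESN values."""
    if wanted == {DEFAULT} and policy is not Policy.ALWAYS_PRESENT:
        return []          # alternatives 2 and 3 let the default go unstated
    return [(ESN_TYPE, v) for v in sorted(wanted)]

# Constructed sample proposals; the non-ESN pairs are placeholders, ignored here.
VPN_A_WITHOUT_TYPE5 = [(1, 3), (3, 2)]
VPN_A_WITH_ESN0 = VPN_A_WITHOUT_TYPE5 + [(ESN_TYPE, NO_ESN)]

if __name__ == "__main__":
    for name, prop in [("without type 5", VPN_A_WITHOUT_TYPE5),
                       ("with ESN=0", VPN_A_WITH_ESN0)]:
        print(name, "->", sorted(offered_esn(prop, Policy.MAY_OMIT_DEFAULT)))
```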