[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why is the length of transform ID 2 octets in IKEv2?

To: "Dondeti, Lakshminath" <ldondeti@nortelnetworks.com>
Subject: Why is the length of transform ID 2 octets in IKEv2?
From: Tero Kivinen <kivinen@iki.fi>
Date: Tue, 13 Jan 2004 02:14:05 +0200
Cc: ipsec@lists.tislabs.com
In-reply-to: <4002CFD0.4060008@nortelnetworks.com>
Organization: Helsinki University of Technology
References: <200401072101.QAA01462@ietf.org><4002CFD0.4060008@nortelnetworks.com>
Sender: owner-ipsec@lists.tislabs.com

Dondeti, Lakshminath writes:
> The length of the transform ID is 2 octets  in IKEv2 (was 2 octets in 
> 00, changed to 1 octet in 01, and back to 2 octets in 08 and stayed that 
> way) whereas it is 1 octet in 2408.  I am curious about the reasoning 
> behind the change(s).  Do we really need 2 octets for this field?

The rfc2408 transform id only contained parts of the things we
currently store in the transform id (i.e crypto algorithm). Some of
the data stored now in the transform id used to be in the transform
attributes, where they were 16 or 32 bit values (for example the
Diffie-Hellman group, authentication algorithm etc).

We did have space there, and there is also some space needed for
private use values. I think there might be more semi-permanent and
semi-documented private use values for the Diffie-Hellman groups, as
the current document says that the support for defining private
Diffie-Hellman groups is SHOULD, and there are organizations requiring
them. As the group parameters are no longer exchanged inside the IKE,
the requirements for the internal documentation for the private
groups used is much higher, and organizations propably tries to keep
the numbering separate (i.e people do not take the first private use
number, but instead take random value and start using groups from that
point).

On the other hand to be able to use the private use numbers, the
management interface should also allow adding vendor ID payloads to
identify the private use number space used. I.e the organization
defining that number 12314 is their first private group, should also
be able to add vendor ID specified by them to identify that group (i.e
the managment facility which allows specification of Diffie-Hellman
parameters should also include the vendor ID associated to the group.
-- 
kivinen@iki.fi

References:
- I-D ACTION:draft-ietf-ipsec-ikev2-12.txt
  - From: Internet-Drafts@ietf.org
- Why is the length of transform ID 2 octets in IKEv2?
  - From: "Dondeti, Lakshminath" <ldondeti@nortelnetworks.com>

Prev by Date: Re: IKEv1 and multiple SAs ?
Next by Date: Re: Charlie has submitted a new version of draft-ietf-ipsec-ikev2
Previous by thread: Why is the length of transform ID 2 octets in IKEv2?
Next by thread: IKEv1 and multiple SAs ?
Index(es):
- Date
- Thread