Re: IKEv2 allocation policies
-----BEGIN PGP SIGNED MESSAGE-----
Motivation for these rules:

IKEv2 Exchange types                          Standards Action.
IKEv2 Security Protocol Identifiers           Standards Action.

I believe that new exchange types will be entirely new protocols, or
significant extensions. If they are sufficiently different to be totally
incompatible, then they could run on their own port. If they aren't
that incompatible, then I presume that we need to think hard about this.

IKEv2 Encryption Transform IDs                Expert Review.
IKEv2 Pseudo-random Transform IDs             Expert Review.
IKEv2 Integrity Algorithm Transform IDs       Expert Review.
IKEv2 Notification IPCOMP Transform IDs       Expert Review.

Algorithms are relatively simple to standardize, and if an implementation
does not understand them, then it can just ignore them.

IKEv2 Diffie-Hellman, ECP/EC2N                Specification Required.

If one guesses wrong, then an extra round trip is required. It seems that
there should be very little reason to have private definitions that are
not published somewhere.

IKEv2 Payload Types                           Specification Required.

New payloads will be significant features, so they need to be described.
IKEv1's lack of a critical bit meant it was effectively Standards Action,
so this is a relaxation.

IKEv2 Transform Types                         Specification Required.
IKEv2 Transform Attribute Types               Specification Required.

If we invent something other than authenticate, encrypt and compress,
then I think it needs to be described well.

IKEv2 Extended Sequence Numbers Transform IDs IETF Consensus.

A new value here would require an "RFC2401bis"-bis. (128-bit sequence
numbers?)

IKEv2 Identification Payload ID Types         Specification Required.
IKEv2 Certificate Encodings                   Specification Required.
IKEv2 Authentication Method                   Specification Required.
IKEv2 Traffic Selector Types                  Specification Required.

I think that new types should be explained, or it will be very hard to
interop.

IKEv2 Notification Payload Types              First Come-First Served.

Big wide space, with minimal impact on interop.

IKEv2 Configuration Payload CFG Types         Specification Required.
IKEv2 Configuration Payload Attribute Types   Specification Required.

These remind me of the problems in PPP, RADIUS, DHCP with having vendors too
easily able to innovate (and become incompatible). Specification Required at
least requires that there be a document that explains things. It shouldn't be
too onerous, in my opinion. This could be watered down to "Expert Review".
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQBm004qHRg3pndX9AQEaCgP/cmmwNzvh4i0xKs40z9n9Wxt/+rwGIPXP
kDeTvAFqqHbh9V0GJEKOOIUZFBLHt7f8oxD878MpnoYJenL8x7+kodrZyiRQszde
zZ9878SYj3hu7fa9eLAsTHvjuRBTFnPo0vMLheDSqGcgXihAcN2uyXD3kGQcW17M
Tpnk2P9pnpY=
=Xkzf
-----END PGP SIGNATURE-----