
Re: IKEv2 allocation policies



Motivation for these rules:

   IKEv2 Exchange types			    Standards Action.
   IKEv2 Security Protocol Identifiers	    Standards Action.

I believe that new exchange types will be entirely new protocols, or
significant extensions. If they are sufficiently different to be totally
incompatible, then they could run on their own port. If they aren't 
that incompatible, then I presume that we need to think hard about this.

   IKEv2 Encryption Transform IDs	    expert review.
   IKEv2 Pseudo-random Transform IDs	    expert review.
   IKEv2 Integrity Algorithm Transform IDs  expert review. 
   IKEv2 Notification IPCOMP Transform IDs  expert review. 

Algorithms are relatively simple to standardize, and if an implementation
does not understand them, then it can just ignore them.

   IKEv2 Diffie-Hellman, ECP/EC2N           Specification Required.

If one guesses wrong, then an extra round trip is required. It seems that
there should be very little reason to have private definitions that are
not published somewhere.

   IKEv2 Payload Types			    Specification Required.

New payloads will be significant features, so need to be described.
IKEv1's lack of a critical bit meant it was effectively Standards Action,
so this is a relaxation.

   IKEv2 Transform Types		    Specification Required.
   IKEv2 Transform Attribute Types	    Specification Required.

If we invent something other than authenticate, encrypt and compress,
then I think it needs to be described well.

   IKEv2 Extended Sequence Numbers Transform IDs    IETF Consensus.

A new value here would require an "RFC2401bis"-bis. (128bit sequence
numbers?)  

   IKEv2 Identification Payload ID Types    Specification Required.
   IKEv2 Certificate Encodings		    Specification Required.
   IKEv2 Authentication Method		    Specification Required.
   IKEv2 Traffic Selector Types		    Specification Required.

I think that new types should be explained, or it will be very hard to
interop. 

   IKEv2 Notification Payload Types	    First Come-First Served.

Big wide space, with minimal impact on interop.

   IKEv2 Configuration Payload CFG Types    Specification Required.
   IKEv2 Configuration Payload Attribute Types    Specification Required.

These remind me of the problems in PPP, RADIUS, DHCP with having vendors too
easily able to innovate (and become incompatible). Specification Required at
least requires that there be a document that explains things. It shouldn't be
too onerous, in my opinion. This could be watered down to "expert review".

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
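The remark above about the IKEv2 critical bit (a receiver may skip an unknown payload type only if its C bit is clear, and must reject the message otherwise) is the mechanism that makes a relaxed registration policy for payload types survivable for interop. The following parser is an added example written for this archive page, not code from the author or from any IKEv2 implementation. It walks a payload chain using the RFC 4306 generic payload header layout (Next Payload, C bit plus reserved bits, 16-bit length), skips unknown non-critical payloads, rejects unknown critical ones, and treats bad lengths as a syntax error. The payload-type table and the sample chains are constructed for the demonstration; type 200 stands in for an unregistered, private payload type.

```python
import struct

# Generic payload header, RFC 4306 section 3.2:
#   Next Payload (1 byte) | C bit + 7 reserved bits (1 byte) | Payload Length (2 bytes)
GENERIC_HEADER = struct.Struct("!BBH")
NO_NEXT_PAYLOAD = 0

# Payload type numbers assigned in RFC 4306; anything not listed here is
# treated as unknown by this parser.
KNOWN_PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi",
    45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
}


class UnsupportedCriticalPayload(ValueError):
    """Unknown payload type with the critical bit set: the message must be rejected."""


def walk_payloads(first_payload_type, body):
    """Walk the payload chain that follows an IKEv2 message header.

    Returns a list of (payload_type, name, data) for payloads the receiver
    understands. Unknown types with C=0 are skipped; unknown types with C=1
    raise UnsupportedCriticalPayload; bad lengths raise ValueError.
    """
    accepted = []
    next_type = first_payload_type
    offset = 0
    while next_type != NO_NEXT_PAYLOAD:
        if len(body) - offset < GENERIC_HEADER.size:
            raise ValueError("truncated payload header at offset %d" % offset)
        following, flags, length = GENERIC_HEADER.unpack_from(body, offset)
        critical = bool(flags & 0x80)
        # Length covers the header itself and must stay inside the message.
        if length < GENERIC_HEADER.size or offset + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        data = body[offset + GENERIC_HEADER.size:offset + length]
        name = KNOWN_PAYLOAD_TYPES.get(next_type)
        if name is None:
            if critical:
                raise UnsupportedCriticalPayload(next_type)
            # Unknown but not critical: ignore it and keep walking the chain.
        else:
            accepted.append((next_type, name, data))
        next_type = following
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after the last payload")
    return accepted


def check_message(first_payload_type, body):
    """Return ("ok", accepted) or ("reject", reason), mirroring the two
    IKEv2 error notifications a receiver would send back."""
    try:
        return "ok", walk_payloads(first_payload_type, body)
    except UnsupportedCriticalPayload as exc:
        return "reject", "UNSUPPORTED_CRITICAL_PAYLOAD(%d)" % exc.args[0]
    except ValueError as exc:
        return "reject", "INVALID_SYNTAX: %s" % exc


def build_chain(payloads):
    """Encode [(type, critical, data), ...] into (first_type, body); test helper."""
    if not payloads:
        return NO_NEXT_PAYLOAD, b""
    out = bytearray()
    for i, (ptype, critical, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += GENERIC_HEADER.pack(following, 0x80 if critical else 0,
                                   GENERIC_HEADER.size + len(data))
        out += data
    return payloads[0][0], bytes(out)


if __name__ == "__main__":
    # Constructed chain: Notify, then an unregistered type 200 (C=0), then Vendor ID.
    first, body = build_chain([(41, False, b"\x00\x00\x00\x00"),
                               (200, False, b"private"),
                               (43, False, b"vendor-id")])
    print(check_message(first, body))
    # Same private type, but now marked critical: the message is rejected.
    first, body = build_chain([(41, False, b"x"), (200, True, b"private")])
    print(check_message(first, body))
```

Run stand-alone, the first chain is accepted with the private payload silently skipped, and the second is rejected with the type number that could not be processed. The length checks matter as much as the C bit: a receiver that trusts the 16-bit length field without bounding it against the message would read past the buffer long before it got to decide whether the payload type was known.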