RE: [Ipsec] IKEv2 questions (for lecture)

[Pasi.Eronen@nokia.com]

Amir Herzberg wrote:

> 1. In section 2.14 Generating Keying Material for the IKE_SA, you 
> use SKEYSEED = prf(Ni | Nr, g^ir). But, the key to the  prf is 
> the _first_ parameter, in this case Ni | Nr, which is of course 
> not secret. Is this intentional or a typo (i.e. the intention 
> was SKEYSEED =  prf(g^ir, Ni | Nr) ?

This is intentional (and was done the same way in IKEv1).  Appendix
C.2 in Hugo Krawczyk's SIGMA paper explains why this was done
(http://www.ee.technion.ac.il/~hugo/sigma.ps).

> 2. I didn't find where the (optional) N parameter of CREATE_CHILD_SA
> request is defined, and also, I wonder if there is a good reason for
> using here the letter N as the symbol for this value. (See section
> 1.3).

I agree, this is not perhaps the best possible notation :-)
"N" means a "Notify" payload (but this isn't explained until
section 3.2), and the text in section 1.3 says that the notify 
type is REKEY_SA.

> 3. Also in section 1.3: there is a comment there `if the SA offers
> include different Diffie-Hellman groups,...` - doesn't the same
> comment apply for the initial exchange (section 1.2)?

Yes, the comment applies to initial exchange also (and it is
mentioned later, in section 3.3.6).

Best regards,
Pasi

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec