
Re: [IPsec] [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

From: Frankel, Sheila E. <sheila.frankel_at_nospam>
Date: Tue Oct 27 2009 - 15:39:17 GMT
To: "ipsec@ietf.org" <ipsec@ietf.org>

#111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

Proposed changes to Roadmap doc:

1) Add text to section 5.4 (Combined Mode Algorithms)

Current text:

   IKEv1 and ESP-v2 use separate algorithms to provide encryption and
   integrity-protection, and IKEv1 can negotiate different combinations
   of algorithms for different SAs. In ESP-v3, a new class of
   algorithms was introduced, in which a single algorithm can provide
   both encryption and integrity-protection. [RFC4306] describes how
   IKEv2 can negotiate combined mode algorithms to be used in ESP-v3
   SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to
   negotiate and use combined mode algorithms for its own traffic. When
   properly designed, these algorithms can provide increased efficiency
   in both implementation and execution.

Additional text:

   Some IKEv1 implementations have added the capability to negotiate
   combined mode algorithms for use in IPsec SAs; these implementations
   do not include the capability to use combined mode algorithms to protect
   IKE SAs. Since combined mode algorithms are not a feature of IPsec-v2,
   these IKEv1 implementations are used in conjunction with IPsec-v3. IANA
   numbers for combined mode algorithms have been added to the IKEv1 registry.

2) Change IKEv2 and IPsec-v2 requirement levels

Requirement levels for AES-GMAC:

   old IKEv2    - optional
   new IKEv2    - optional (integrity-protection algorithm)
                  N/A (combined mode algorithm with NULL encryption)

   old IPsec-v2 - undefined (no IANA #)
   new IPsec-v2 - AH-v2:  optional (integrity-protection alg)
                  ESP-v2: N/A (combined mode algorithm with NULL encryption)

3) Move RFC 4543 to section on combined mode algorithms, since it has 2 versions: classic integ prot and also combined mode



From: ipsecme issue tracker [trac@tools.ietf.org]
Sent: Friday, October 16, 2009 8:10 PM
To: paul.hoffman@vpnc.org; Frankel, Sheila E.
Subject: [ipsecme] #111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?

#111: Can IKEv1 negotiate combined algorithms to be used by IPsec-v3?
-----------------------------------+----------------------------------------
 Reporter: paul.hoffman@           |  Owner: sheila.frankel@
     Type: defect                  |  Status: new
 Priority: normal                  |  Milestone:
Component: roadmap                 |  Severity: -
 Keywords:                         |
-----------------------------------+----------------------------------------

Section 5.4 says:

    IKEv1 and ESP-v2 use separate algorithms to provide encryption and
    integrity-protection, and IKEv1 can negotiate different combinations
    of algorithms for different SAs. In ESP-v3, a new class of
    algorithms was introduced, in which a single algorithm can provide
    both encryption and integrity-protection. [RFC4306] describes how
    IKEv2 can negotiate combined mode algorithms to be used in ESP-v3
    SAs. [RFC5282] adds that capability to IKEv2, enabling IKEv2 to
    negotiate and use combined mode algorithms for its own traffic. When
    properly designed, these algorithms can provide increased efficiency
    in both implementation and execution.

What about IKEv1? Can you use IKEv1 to negotiate a combined algorithm for
IPsec-v3?

--
Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/111>
ipsecme <http://tools.ietf.org/ipsecme/>
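The two faces of AES-GMAC that item 2 of the proposed change describes (an integrity-protection algorithm for AH, or a combined mode algorithm with NULL encryption for ESP) are one computation. The Go program below is an added illustration, not code from this thread, from the roadmap document or from any IPsec implementation: it runs AES-GCM as the ESP-v3 combined-mode algorithm (encryption plus integrity in a single call, the unencrypted header passed as additional authenticated data) and then runs the RFC 4543 GMAC construction, which is GCM with an empty plaintext and all of the data passed as AAD, so the only output is the integrity tag. The key, salt, IV and header bytes are constructed for the demo; in IPsec the key and 4-byte salt come from the IKE exchange and the 8-byte IV is carried in each ESP packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo key material. In IPsec the key and the 4-byte salt are
// derived by IKE and the 8-byte IV travels in the ESP packet; here both are
// fixed so the program runs offline.
var (
	demoKey   = []byte("0123456789abcdef")  // AES-128 key (16 bytes), constructed
	demoNonce = []byte("salt" + "12345678") // 4-byte salt || 8-byte IV = 96-bit GCM nonce, constructed
)

// newGCM builds AES-GCM, the combined-mode (AEAD) algorithm of RFC 4106.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCombined is the ESP-v3 combined-mode case: one algorithm encrypts the
// payload and integrity-protects both the payload and the unencrypted header
// (passed as additional authenticated data). Output is ciphertext || 16-byte tag.
func SealCombined(key, nonce, header, payload []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, payload, header), nil
}

// OpenCombined verifies the tag before returning any plaintext; any change to
// the header, the ciphertext or the tag makes it fail.
func OpenCombined(key, nonce, header, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.Overhead() {
		return nil, errors.New("sealed data shorter than the GCM tag")
	}
	return aead.Open(nil, nonce, sealed, header)
}

// GMACTag is the RFC 4543 construction: GCM run with an empty plaintext and
// everything to be protected passed as AAD. Nothing is encrypted (the "NULL
// encryption" view) and the only output is the 16-byte integrity tag (the
// "integrity-protection algorithm" view). Both views are this one call.
func GMACTag(key, nonce, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, nil, data), nil
}

// VerifyGMAC checks a GMAC tag; it returns false on any change to data or tag.
func VerifyGMAC(key, nonce, data, tag []byte) bool {
	aead, err := newGCM(key)
	if err != nil {
		return false
	}
	_, err = aead.Open(nil, nonce, tag, data)
	return err == nil
}

func main() {
	header := []byte("spi=00000100 seq=1") // constructed stand-in for the ESP header
	payload := []byte("inner IP packet")

	sealed, _ := SealCombined(demoKey, demoNonce, header, payload)
	fmt.Printf("combined mode: %d payload bytes -> %d bytes (ciphertext + tag)\n", len(payload), len(sealed))
	pt, err := OpenCombined(demoKey, demoNonce, header, sealed)
	fmt.Printf("open: %q, err=%v\n", pt, err)
	sealed[0] ^= 0x01 // flip one ciphertext bit
	_, err = OpenCombined(demoKey, demoNonce, header, sealed)
	fmt.Printf("open after tampering: err=%v\n", err)

	tag, _ := GMACTag(demoKey, demoNonce, payload)
	fmt.Printf("GMAC: payload stays in the clear, tag is %d bytes, verifies=%v\n",
		len(tag), VerifyGMAC(demoKey, demoNonce, payload, tag))
	payload[0] ^= 0x01
	fmt.Printf("GMAC after tampering: verifies=%v\n", VerifyGMAC(demoKey, demoNonce, payload, tag))
}
```

The program shows why the roadmap can list the same algorithm under two headings: `GMACTag` is `SealCombined` with no plaintext, so an AH-v2 implementation that offers "AES-GMAC integrity" and an ESP-v3 implementation that offers "AES-GMAC combined mode with NULL encryption" produce identical tags over identical input. The one operational property both views share is that a nonce (salt plus IV) must never repeat under a key, which is why the per-packet IV is explicit in RFC 4106 and RFC 4543 rather than implied.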