draft-ietf-ipsec-ikev2-04.txt
I just sent a revised draft of IKEv2 off to the I-D editor. I copied Paul
Hoffman, who offered to post it on his web page faster than the I-D editor
is likely to be able to post it.
This new draft includes NAT traversal, revised IPcomp, changing back to 6/4
messages from always 4, acquiring internal addresses from remote networks,
and negotiation of tunnel vs. transport mode.
It does not include legacy authentication and proposed "revised
identities", which we need to resolve quickly.
I'd particularly like experts on NAT traversal to review what I said and
tell me how to fix it. I tried to copy the logic from the existing I-Ds,
but can't be sure I got it right.
It also includes only a single option for cipher suites. There is general
agreement that we need more, but I need concrete proposals on what they
should be. Currently specified is:
1536-bit Diffie-Hellman; 112-bit 3DES CBC; HMAC-SHA1; ESP.
People have advocated something with a smaller D-H group for performance,
something with a bigger D-H group for security, 128 bit AES (is that CBC
mode, counter mode, or do we need both?). And I would guess someone wants
to be able to negotiate AH. Is that with an encryption-only ESP or without?
ESP with extended sequence numbers is considered different from ESP without
extended sequence numbers. The spec doesn't say which... I'm assuming it
should say "without" since this one is intended to reflect what is
currently deployed. Can someone verify that is what is deployed? Is there any
reason to propose any "new" suites (e.g. AES) without extended sequence
number support?
Would people like to make concrete proposals?
I'd like to keep the number of suites in the initial draft to a minimum -
we can add more later as necessary - and particularly the number of MUST
support ones. But I fear there is less than the minimum now.
--Charlie
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
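An added illustration (not part of the post or the draft) of the two points above: a suite is negotiated as a single unit, so ESP-with-ESN and ESP-without-ESN are distinct suites, and a mandatory suite is what guarantees two conforming peers always agree. The `Suite` model, the `with_esn` helper and the AES suite are constructed for this example; only the 1536-bit DH / 3DES-CBC / HMAC-SHA1 / ESP suite comes from the post, and its `esn=False` is the assumption the post makes.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence

@dataclass(frozen=True)
class Suite:
    """One negotiable IKEv2 cipher suite (constructed model, not the draft's wire format)."""
    name: str
    dh_bits: int      # size of the Diffie-Hellman MODP group
    encr: str         # ESP/AH encryption algorithm
    integ: str        # integrity algorithm
    proto: str        # "ESP" or "AH"
    esn: bool         # extended sequence numbers are part of the suite identity

# The single suite the -04 draft specifies; ESN assumed absent, as the post proposes.
SUITE_1 = Suite("suite-1", 1536, "3DES-CBC", "HMAC-SHA1", "ESP", esn=False)

# Hypothetical candidate mentioned in the thread, not something the draft defines.
SUITE_AES128_CBC = Suite("aes128-cbc-esn", 1536, "AES-128-CBC", "HMAC-SHA1", "ESP", esn=True)

def with_esn(suite: Suite, esn: bool) -> Suite:
    """Derive the ESN / no-ESN variant of a suite; the result is a different suite."""
    suffix = "-esn" if esn else "-noesn"
    return replace(suite, name=suite.name.rstrip("-esn") + suffix, esn=esn)

def negotiate(proposed: Sequence[Suite], supported: Sequence[Suite]) -> Optional[Suite]:
    """Responder picks the first suite, in initiator preference order, that it supports.
    Frozen-dataclass equality compares every field, so an ESN mismatch never matches."""
    supported_set = set(supported)
    for suite in proposed:
        if suite in supported_set:
            return suite
    return None

def conforms(supported: Sequence[Suite], mandatory: Sequence[Suite] = (SUITE_1,)) -> bool:
    """A conforming implementation must support every MUST-implement suite."""
    return all(m in set(supported) for m in mandatory)

def can_interoperate(a: Sequence[Suite], b: Sequence[Suite]) -> bool:
    """Two conforming peers always share at least the mandatory suite."""
    return conforms(a) and conforms(b) and negotiate(a, b) is not None
```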