
Re: IKE V2 Open Issues



There is another big open issue that Ted didn't list, but we need to resolve, namely the splitting out of the crypto algorithms and MUSTs and SHOULDs.

What we have in this moment is -06 which lists the crypto algorithms and discusses the mandatory algorithms (without actually specifying them). Jeff Schiller volunteered to write the second document, which would define the mandatory algorithms and the UI suites that we would use.

After talking with Charlie, we realized that we had different views of what was agreed to at the San Francisco meeting, and unfortunately the minutes don't help clarify it. There seemed to be general agreement that the main IKEv2 document should not need to be revised if we change algorithms or change how or why we want implementations to use them. The second document would be easier to update, specifically when we wanted to mandate AES and associated algorithms. This split has been used successfully in other IETF WGs.

There also seemed to be agreement that we should have a small number of UI suites that cover the mandatory algorithms, and that the UI suites should have justifying text.

Based on that, I propose the following:

- The list of crypto algorithms should be in Jeff's document. Leave the transform IDs in section 3.3.2 of IKEv2, but move everything starting with "For Transform Type 1..." to Jeff's document.

- Leave section 3.3.3 (the mandatory transform types, not algorithms) in the IKEv2 document.

- Move the discussion of mandatory transform IDs to Jeff's document. Section 3.3.4 should not be in the IKEv2 document, and Jeff can use as much of it as he wants in his document, depending on how he is arranging it.

- Jeff's document also has a short list of UI suites and some discussion of them. The list could be shorter than the one Charlie had in the -05 draft, and might only encompass the mandatory algorithms, or it might be longer. We need to discuss the list after we see it.

The result will bring us more in line with current IETF practice, and will let us give the VPN industry some clear guidance on how they can make their future IKEv2 systems more interoperable.

--Paul Hoffman, Director
--VPN Consortium