Hi Tero,

This picture looks correct to me.

Best regards,
Pasi

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of ext Tero Kivinen
> Sent: 25 January, 2010 14:33
> To: Yoav Nir
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Issue #157: Illustrate the SA payload with a
> diagram
> 
> Yoav Nir writes:
> > I'm sorry I just noticed this, but is this even allowed?  Can you
> > include multiple key length attributes in the same transform?
> 
> Yes, you are right, you cannot include multiple key length attributes,
> as they would be ANDed together. So yes, each of them needs to be a
> separate transform.
> 
> Here is my fixed proposal picture:
> ----------------------------------------------------------------------
> 
>                           SA Payload
>                               |
>            +------------------+---------------------------+
>            |                                              |
>            |                                              |
>        Proposal #1                                    Proposal #2
>    Proto ID = ESP (3)                             Proto ID = ESP (3)
>      SPI size = 4                                   SPI size = 4
>      7 transforms                                   4 transforms
>    SPI = 0x95903423                               SPI = 0x12345678
>            |                                              |
>   +------+-+----+------+------+------+------+      +------+------+------+
>   |      |      |      |      |      |      |      |      |      |      |
>  Trans  Trans  Trans  Trans  Trans  Trans  Trans  Trans  Trans  Trans  Trans
>  form   form   form   form   form   form   form   form   form   form   form
>  ENCR   INTEG  ENCR   INTEG  ENCR    ESN   ESN    ENCR   ESN    ENCR   ESN
>  ENCR   AUTH   ENCR   AUTH   ENCR    No    Use    AES-   No     AES-   Use
>  _AES   _HMAC  _AES   _AES   _AES    ESN   ESN    GCM    ESN    GCM    ESN
>  _CBC   _SHA1  _CBC   _XCBC  _CBC     0     1     w/8     0     w/8     1
>    |    _96      |    _96      |                  octet         octet
>    |             |             |                  ICV           ICV
>    |             |             |                   |             |
>    |             |             |                   |             |
> Attribute     Attribute     Attribute           Attribute     Attribute
> Key Length    Key Length    Key Length          Key Length    Key Length
>    128           192           256                 128           256
> 
> ----------------------------------------------------------------------
> 
> >                 The initiator of an exchange MUST check that the
> >    accepted offer is consistent with one of its proposals, and if not
> >    that response MUST be rejected.
> >
> > BTW: how do you reject a response?
> 
> Silently drop the negotiation (or just the packet if this is
> IKE_SA_INIT) with the peer, as it is clearly not following the
> specification, and this is not a problem that will be fixed by
> changing configuration or similar; it requires a software update of
> the other end.
> --
> kivi...@iki.fi
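An added example, not code from the thread or from any IKEv2 implementation: it models the two ESP proposals in the corrected diagram, enforces the rule that one transform may carry at most one Key Length attribute (attributes are ANDed), and implements the initiator-side check that a responder's accepted proposal is consistent with one of the offered proposals, with "drop the response" as the outcome for an inconsistent answer. The numeric identifiers are the RFC 7296 / IANA IKEv2 registry values, which the thread itself does not list, and the responder SPI in the usage is a constructed sample.

```python
from dataclasses import dataclass

# IKEv2 identifiers from RFC 7296 / IANA registry (assumed; the thread does not list them)
PROTO_ESP = 3
T_ENCR, T_INTEG, T_ESN = 1, 3, 5                 # transform types
ENCR_AES_CBC, ENCR_AES_GCM_8 = 12, 18            # AES-GCM with 8-octet ICV
AUTH_HMAC_SHA1_96, AUTH_AES_XCBC_96 = 2, 5
ATTR_KEY_LENGTH = 14

@dataclass(frozen=True)
class Transform:
    ttype: int
    tid: int
    attrs: tuple = ()            # ((ATTR_KEY_LENGTH, 128),) etc.; all ANDed together

@dataclass
class Proposal:
    number: int
    proto: int
    spi: bytes
    transforms: list

def key_length(n):
    return ((ATTR_KEY_LENGTH, n),)

def page_proposals():
    """The two ESP proposals from the diagram: a separate ENCR transform per key length."""
    p1 = Proposal(1, PROTO_ESP, bytes.fromhex("95903423"), [
        Transform(T_ENCR, ENCR_AES_CBC, key_length(128)), Transform(T_INTEG, AUTH_HMAC_SHA1_96),
        Transform(T_ENCR, ENCR_AES_CBC, key_length(192)), Transform(T_INTEG, AUTH_AES_XCBC_96),
        Transform(T_ENCR, ENCR_AES_CBC, key_length(256)), Transform(T_ESN, 0), Transform(T_ESN, 1)])
    p2 = Proposal(2, PROTO_ESP, bytes.fromhex("12345678"), [
        Transform(T_ENCR, ENCR_AES_GCM_8, key_length(128)), Transform(T_ESN, 0),
        Transform(T_ENCR, ENCR_AES_GCM_8, key_length(256)), Transform(T_ESN, 1)])
    return [p1, p2]

def transforms_well_formed(p):
    """Two Key Length attributes in one transform are ANDed, not alternatives: reject."""
    return all(sum(1 for a, _ in t.attrs if a == ATTR_KEY_LENGTH) <= 1 for t in p.transforms)

def response_consistent(offered, chosen):
    """Initiator check: the accepted proposal must carry the number and protocol of one
    we offered, exactly one transform per type offered there, each taken verbatim (same
    ID and attributes). The SPI is the responder's own and is not compared."""
    ours = next((p for p in offered if p.number == chosen.number), None)
    if ours is None or ours.proto != chosen.proto:
        return False
    if sorted(t.ttype for t in chosen.transforms) != sorted({t.ttype for t in ours.transforms}):
        return False
    return all(t in ours.transforms for t in chosen.transforms)
```

A response that mixes transforms from different proposals, picks a key length never offered, or omits a transform type (for example ESN) fails the check and is dropped as described above.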
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec