Re: [IPsec] Issue #157: Illustrate the SA payload with a diagram

Mon, 08 Feb 2010 09:44:48 -0800 

Paul Hoffman writes:
> Tero's proposed tree structure would not fit in an RFC without
> trimming even more, making it even less readable. I have used
> Alfred's proposed layout, but I changed the example to match it.

I think we could add some graphic lines to make it even more easier,
and if we use this format we do not need to interleave the encr
algorithms with the integrity algorithms, but we can group them
together (I used ECNR/INTEG/ENCR/INTEG... instead of
ENCR/ENCR/ENCR/INTEG/INTEG to get the picture narrower). 

> Please: read the example and make sure that the illustration is
> correct: 
> 
>    For example, one such proposal would
>    have two proposal structures.  Proposal 1 is ESP with AES-128, AES-
>    192, and AES-256 bits in CBC mode, with either HMAC-SHA1-96 or
>    XCBC-96 as the integrity algorithm; Proposal 2 is AES-128 or AES-256
>    in GCM mode with an 8-octet ICV.  Both proposals allow but do not
>    require the use of ESN.  This can be illustrated as:

  SA Payload
     |
     +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
     |     |            7 transforms,      SPI = 0x052357bb )
     |     |
     |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
     |     |     +-- Attribute ( Key Length = 128 )
     |     |
     |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
     |     |     +-- Attribute ( Key Length = 192 )
     |     |
     |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
     |     |     +-- Attribute ( Key Length = 256 )
     |     |
     |     +-- Transform INTEG ( Name = AUTH_HMAC_SHA1_96 )
     |     +-- Transform INTEG ( Name = AUTH_AES_XCBC_96 )
     |     +-- Transform ESN ( Name = ESNs )
     |     +-- Transform ESN ( Name = No ESNs )
     |
     +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
           |            4 transforms,      SPI = 0x35a1d6f2 )
           |
           +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
           |     +-- Attribute ( Key Length = 128 )
           |
           +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
           |     +-- Attribute ( Key Length = 256 )
           |
           +-- Transform ESN ( Name = ESNs )
           +-- Transform ESN ( Name = No ESNs )


The original picture used wrong name for AUTH_AES_XCBC_96 (missing AES
part), and it would be better to use "AES-GCM with a 8 octet ICV" as
that is what IANA registry uses, so if no lines are used then the
picture should be:

   SA Payload
      Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
                    7 transforms,      SPI = 0x052357bb )
         Transform  ENCR ( Name = ENCR_AES_CBC )
            Attribute ( Key Length = 128 )
         Transform  ENCR ( Name = ENCR_AES_CBC )
            Attribute ( Key Length = 192 )
         Transform  ENCR ( Name = ENCR_AES_CBC )
            Attribute ( Key Length = 256 )
         Transform  INTEG ( Name = AUTH_HMAC_SHA1_96 )
         Transform  INTEG ( Name = AUTH_AES_XCBC_96 )
         Transform  ESN ( Name = No ESNs )
         Transform  ESN ( Name = ESNs )
      Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
                    4 transforms,      SPI = 0x35a1d6f2 )
         Transform  ENCR ( Name = AES-GCM with a 8 octet ICV )
            Attribute ( Key Length = 128 )
         Transform  ENCR ( Name = AES-GCM with a 8 octet ICV )
            Attribute ( Key Length = 256 )
         Transform  ESN ( Name = No ESNs )
         Transform  ESN ( Name = ESNs )
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to