I agree that sharing registries with related but different protocols is
not a good thing. I just think this is not one of these cases.
Thanks,
Yaron
On 01/17/2013 08:13 PM, Tero Kivinen wrote:
Yaron Sheffer writes:
OTOH your proposal would mean one more difference between "regular"
IPsec implementations and FC-specific ones. I don't think that would be
a good thing.
FC-specific ones are only using these non-truncated ones, and they are
using special ID payloads, separate protocol ID values, different
types of traffic selectors etc. They are reusing the basic IKEv2
protocol, and some of the payloads, but it is different protocol than
IKEv2.
They are not defined for IP use at all. None of the IKEv2/ESP over IP
uses those values. Ah, found text from our IPsec/IKE Roadmap:
For HMAC-SHA-1 and HMAC-MD5, the IKEv2 IANA registry
contains values for both the truncated version and the standard non-
truncated version; thus, IKEv2 has the capability to negotiate either
version of the algorithm. However, only the truncated version is
used for IKEv2 SAs and for IPsec SAs. The non-truncated version is
reserved for use by the Fibre Channel protocol [RFC4595]. For the
other algorithms (AES-XCBC, HMAC-SHA-256/384/512, AES-CMAC, and HMAC-
RIPEMD), only the truncated version can be used for both IKEv2 and
IPsec-v3 SAs.
which actually says we always use truncated version (so I was wrong
they are not forbidden anywhere, missed this text last time as it uses
SHA-1 spelling not SHA1, which I was searching for :-).
This text is simply describing the existing situation. It is not at all
normative.
Which is why I also want to describe that existing situation in the
IANA registry. If you want to use those non-truncated versions in
IPsec, you can write draft describing that...
That is true, and I do not consider that as a good thing. It is much
better to have one good way of doing things than two ways of doing
same thing, especially if those two ways are about the same.
Yes, but people have good reasons to add algorithms, which is (part of
the reason) why we negotiate them in the protocol. Thus "Tiger",
"camellia" and the like, and I'm sure the FC folks had a good reason for
the untruncated algorithms, too.
They had some reason, but on the other hand IPsec people did not want
those untruncated algorithms, and have not specified them for IP use.
This is one of the problems when sharing registries causes problems.
Suddenly you might have options for protocols which did not request
them added to them, because someone else who shares the same registry
added them.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
