[anonsec] details of IKE/IPsec channel binding
kivinen at iki.fi
Thu Mar 22 03:12:21 PDT 2007
Nicolas Williams writes:
> Again, this has to work with IKEv1. Bill so insisted, and I agree.
Hmm... the BTNS charter only talks about "Current Internet Protocol
security protocol (IPsec) and Internet Key Exchange protocol (IKE)";
it does not mention IKEv1 anywhere.
The current IPsec and IKE is the RFC430x series, i.e. IKEv2. The old
RFC240x series is obsoleted.
Also the BTNS charter talks about RFC4301 / RFC4306 (IKEv2) concepts
like PAD, and bare RSA keys.
> We could use this approach when using IKEv2 so it also works when using
> EAP, and fallback on public keys when IKEv1 is being used, and oh well
> if you ever get bitten by the problem I described.
I argue whether we should waste time at all defining anything other than
the RFC4301 and IKEv2 use. Things were different a few years back when
this work was started...
kivinen at safenet-inc.com