Re: crypto algorithms for DTLS

From: Abhijit Choudhury (achoudhu) (achoudhu
Date: Thu, 10 Jul 2008 09:43:02 -0700 (PDT)

Hi Scott,

Please see in-line.

Thanks,
Abhijit

-----Original Message-----
From: Scott Kelly [mailto:skelly [at] arubanetworks.com]
Sent: Thursday, July 10, 2008 9:14 AM
To: Abhijit Choudhury (achoudhu); Pat Calhoun (pacalhou); Dorothy.Gellert [at] nokia.com; Joseph Salowey (jsalowey)
Cc: capwap [at] frascone.com
Subject: RE: [Capwap] crypto algorithms for DTLS

Hi Abhijit,

> My understanding is that DTLS1.2 will use the ciphers specified in
> TLS1.2, which has already been approved.
> The DTLS1.2 spec will not have new ciphers, but will possibly have
> details on how to use these ciphers in DTLS.
> Please correct me if I'm wrong here.
>
> So, we should be okay adding these approved TLS ciphers to the
> OPTIONAL list, although it's true that they will not be used until
> DTLS1.2 is finalized. But the list is only OPTIONAL and there are
> other optional ciphers as well.
> If we take this path, we don't have to touch this spec later to add
> these ciphers.

I think there's a flaw in this logic. The currently optional ciphers are supported in DTLS1.0 -- you are asking to add ciphers which are not supported in DTLS1.0, meaning a compliant CAPWAP implementation (i.e. one implementing DTLS1.0) will not be able to interoperate with one using these ciphers.

[Abhijit] I don't buy this argument. Let's say we go down the route of creating a separate document in the future to add the DTLS1.2 ciphers. What changes? A compliant DTLS1.0 implementation will be able to interoperate with a compliant DTLS1.2 implementation using the DTLS1.0 ciphers, but not with the new AEAD ciphers. So, the negotiation of the ciphersuite pretty much decides the interoperability.

> If we go the other route, how do we see it being done?
> Will we need a draft to specify just the deltas in using DTLS1.2 for
> CAPWAP? The concern I have is that it's not clear if the CAPWAP WG
> will be active at that point to take up this new work item.
>
> Thoughts?

Yes, I think a new, brief document specifying the deltas is exactly what will be required. I also think speculation on the potential (non)existence of the capwap working group should not be the driver here. It isn't very relevant one way or the other.

For example, we've published a number of amendments to IPsec since the wg dissolved, and the ADs willingly sponsored/shepherded these documents through. If for some odd reason (despite the fact that we've just started mib work) the capwap wg dissolves, this should present no impediment to publishing an updated DTLS binding document.

It's rarely a good idea to rush such initiatives.

--Scott