I was reading through draft-ietf-ipsecme-ikev2-intermediate and I think it might be a good thing to add a note at the end of section 3.3.1 "Protection of the IKE_INTERMEDIATE messages" to clarify which SK_e[i/r] and SK_a[i/r] are to be used for the IKE_AUTH after all IKE_INTERMEDIATE exchanges (I assume it is the latest one).

Also perhaps we should have an appendix showing the full protocol exchange example. I.e. something like this:

----------------------------------------------------------------------
Appendix A.  Example of IKE_INTERMEDIATE exchange.

This appendix contains a short example of the messages using
IKE_INTERMEDIATE. This appendix is purely informative; if it
disagrees with the body of this document, the other text is
considered correct.

In this example there is one IKE_SA_INIT exchange, two
IKE_INTERMEDIATE key exchanges followed by the IKE_AUTH exchange to
authenticate the exchange. The xxx in the HDR(xxx,MID=yyy) indicates
the exchange type, and yyy tells the message id used for that
exchange. The keys used for each SK {} payload are indicated in the
parentheses after the SK. Otherwise payload notation is the same as
is used in RFC7296.

Initiator                         Responder
-------------------------------------------------------------------
HDR(IKE_SA_INIT,MID=0),
SAi1, KEi, Ni,
N(INTERMEDIATE_EXCHANGE_SUPPORTED) -->

                           <-- HDR(IKE_SA_INIT,MID=0),
                               SAr1, KEr, Nr, [CERTREQ],
                               N(INTERMEDIATE_EXCHANGE_SUPPORTED)

<Generate SK_[aip][ir] and store them as SK_[aip][ir]_1,
 start using them for SK {} payloads>

HDR(IKE_INTERMEDIATE,MID=1),
SK(SK_ei_1,SK_ai_1) { ... } -->

<Calculate IntAuth_1_I = prf(SK_pi_1, ...)>

                           <-- HDR(IKE_INTERMEDIATE,MID=1),
                               SK(SK_er_1,SK_ai_1) { ... }

<Calculate IntAuth_1_R = prf(SK_pr_1, ...)>

<If this IKE_INTERMEDIATE did a new key exchange then update
 SK_[aip][ir] and store them as SK_[aip][ir]_2,
 start using them for SK {} payloads>

HDR(IKE_INTERMEDIATE,MID=2),
SK(SK_ei_2,SK_ai_2) { ... } -->

<Calculate IntAuth_2_I = prf(SK_pi_2, ...)>

                           <-- HDR(IKE_INTERMEDIATE,MID=2),
                               SK(SK_er_2,SK_ai_2) { ... }

<Calculate IntAuth_2_R = prf(SK_pr_2, ...)>

<If this IKE_INTERMEDIATE did a new key exchange then update
 SK_[aip][ir] and store them as SK_[aip][ir]_3,
 start using them for SK {} payloads>

HDR(IKE_AUTH,MID=3),
SK(SK_ei_3,SK_ai_3) {IDi, [CERT,] [CERTREQ,]
    [IDr,] AUTH, SAi2, TSi, TSr} -->

                           <-- HDR(IKE_AUTH,MID=3),
                               SK(SK_er_3,SK_ar_3) {IDr, [CERT,]
                                   AUTH, SAr2, TSi, TSr}
----------------------------------------------------------------------

I think having such an appendix would make things easier to understand.
-- 
kivi...@iki.fi
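
The key bookkeeping in the proposed appendix, generalized to the case where some IKE_INTERMEDIATE exchanges do not perform a new key exchange. This is an added example, not part of the original message or of the draft. It tracks key labels only and does no cryptography; the `schedule` function and its boolean input format are hypothetical, responder messages are labelled with SK_er/SK_ar as in RFC 7296, and IKE_AUTH is assumed to use the latest keys, as the message assumes.

```python
# Added illustration: tracks key *labels* only, no cryptography is performed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    exchange: str     # IKE_SA_INIT, IKE_INTERMEDIATE or IKE_AUTH
    mid: int          # message ID, shared by a request and its response
    sender: str       # "i" (initiator) or "r" (responder)
    sk_keys: tuple    # (encryption, integrity) key labels, () if no SK payload
    intauth_key: str  # SK_p label given to prf for IntAuth, "" if none


def schedule(intermediate_did_ke):
    """Return the message sequence with the key generation used by each one.

    intermediate_did_ke holds one bool per IKE_INTERMEDIATE exchange: True
    if that exchange performed a new key exchange (hypothetical format).
    """
    msgs = [Message("IKE_SA_INIT", 0, s, (), "") for s in "ir"]
    gen = 1  # keys generated after IKE_SA_INIT are stored as SK_*_1
    mid = 1
    for did_ke in intermediate_did_ke:
        for s in "ir":
            # Both directions of this exchange use the keys that were
            # current when the exchange started, including SK_p for IntAuth.
            msgs.append(Message("IKE_INTERMEDIATE", mid, s,
                                (f"SK_e{s}_{gen}", f"SK_a{s}_{gen}"),
                                f"SK_p{s}_{gen}"))
        if did_ke:
            gen += 1  # updated keys apply from the next exchange onward
        mid += 1
    for s in "ir":
        # Assumption from the message: IKE_AUTH uses the latest generation.
        msgs.append(Message("IKE_AUTH", mid, s,
                            (f"SK_e{s}_{gen}", f"SK_a{s}_{gen}"), ""))
    return msgs


if __name__ == "__main__":
    # Constructed input: first intermediate exchange rekeys, second does not.
    for m in schedule([True, False]):
        keys = ",".join(m.sk_keys) or "-"
        print(f"{m.sender}: HDR({m.exchange},MID={m.mid}) SK({keys}) "
              f"IntAuth key: {m.intauth_key or '-'}")
```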