Cisco Cisco Packet Data Gateway (PDG)
IKEv2 RFC 5996 Compliance
RFC 5996 Compliance ▀
IPSec Reference, StarOS Release 18 ▄
153
Integrity with Combined Mode Ciphers
RFC 5996 makes changes in specifications to allow negotiation of combined mode ciphers. Combined mode ciphers are
algorithms that support integrity and encryption in a single encryption algorithm. RFC 5996 makes negotiation for the
integrity algorithm optional if combined mode cipher is used. In RFC 4306 the integrity algorithm was mandatory in the
SA payload.
algorithms that support integrity and encryption in a single encryption algorithm. RFC 5996 makes negotiation for the
integrity algorithm optional if combined mode cipher is used. In RFC 4306 the integrity algorithm was mandatory in the
SA payload.
StarOS does not support the combined mode cipher. Staros IKEv2 has been enhanced to identify a currently defined
combined cipher. If a proposal for combined mode cipher is received, StarOS responds with
NO_PROPOSAL_CHOSEN if no other proposal matches.
combined cipher. If a proposal for combined mode cipher is received, StarOS responds with
NO_PROPOSAL_CHOSEN if no other proposal matches.
Negotiation Parameters in CHILDSA REKEY
On rekeying of a CHILD SA the traffic selectors and algorithms match the ones negotiated during the set up of the child
SA. StarOS IKEv2 does not send any new parameters in CREATE_CHILD_SA for a child SA being rekeyed.
SA. StarOS IKEv2 does not send any new parameters in CREATE_CHILD_SA for a child SA being rekeyed.
Certificates
StarOS supports a CLI command to enable sending and receiving HTTP method for hash-and-URL lookup with
CERT/CERTREQ payloads.
CERT/CERTREQ payloads.
If configured and if a peer requests CERT using encoding type as “Hash and URL of X.509 certificate” and send
HTTP_CERT_LOOKUP_SUPPORTED using notify payload in the first IKE_AUTH, StarOS sends the URL in the
CERT payload instead of sending the entire certificate in the payload.
HTTP_CERT_LOOKUP_SUPPORTED using notify payload in the first IKE_AUTH, StarOS sends the URL in the
CERT payload instead of sending the entire certificate in the payload.
If not configured and CERTREQ is received with encoding type as “Hash and URL for X.509 certificate”, StarOS
responds with entire certificate as it in release 14.1, even if peer had sent HTTP_CERT_LOOKUP_SUPPORTED.
responds with entire certificate as it in release 14.1, even if peer had sent HTTP_CERT_LOOKUP_SUPPORTED.
If configured for Hash and URL while sending the CERTREQ request, StarOS sends the request with encoding type as
“Hash and URL of X.509 certificate” and sends notify payload HTTP_CERT_LOOKUP_SUPPORTED. However, also
sends another CERTREQ with encoding type as X.509 certificate (as in release 14.1) and accepts the entire certificate
coming in the CERT payload. If CERT payload is received with encoding type as hash and URL, StarOS fetches the
certificate using the URL.
“Hash and URL of X.509 certificate” and sends notify payload HTTP_CERT_LOOKUP_SUPPORTED. However, also
sends another CERTREQ with encoding type as X.509 certificate (as in release 14.1) and accepts the entire certificate
coming in the CERT payload. If CERT payload is received with encoding type as hash and URL, StarOS fetches the
certificate using the URL.
Multiple Traffic Selectors
During traffic selector negotiation, the gateway should be able to narrow down the UE's request for a range of traffic
selectors in accordance with RFC 5996.
selectors in accordance with RFC 5996.