Ciphersuite Proposal
The Proposal structure contains within it a Proposal Num and an IPsec
protocol ID. Each structure MUST have a proposal number one (1)
greater than the previous structure. The first Proposal in the
initiator's SA payload MUST have a Proposal Num of one (1). One
reason to use multiple proposals is to propose both standard crypto
ciphers and combined-mode ciphers. Combined-mode ciphers include
both integrity and encryption in a single encryption algorithm, and
MUST either offer no integrity algorithm or a single integrity
algorithm of "NONE", with no integrity algorithm being the
RECOMMENDED method. If an initiator wants to propose both combined-
mode ciphers and normal ciphers, it must include two proposals: one
will have all the combined-mode ciphers, and the other will have all
the normal ciphers with the integrity algorithms. For example, one
such proposal would have two proposal structures. Proposal 1 is ESP
with AES-128, AES-192, and AES-256 bits in Cipher Block Chaining
(CBC) mode, with either HMAC-SHA1-96 or XCBC-96 as the integrity
algorithm; Proposal 2 is AES-128 or AES-256 in GCM mode with an
8-octet Integrity Check Value (ICV). Both proposals allow but do not
require the use of ESNs (Extended Sequence Numbers). This can be
illustrated as:
SA Payload
   |
   +--- Proposal #1 ( Proto ID = ESP(3), SPI size = 4,
   |     |            7 transforms,      SPI = 0x052357bb )
   |     |
   |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
   |     |     +-- Attribute ( Key Length = 128 )
   |     |
   |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
   |     |     +-- Attribute ( Key Length = 192 )
   |     |
   |     +-- Transform ENCR ( Name = ENCR_AES_CBC )
   |     |     +-- Attribute ( Key Length = 256 )
   |     |
   |     +-- Transform INTEG ( Name = AUTH_HMAC_SHA1_96 )
   |     +-- Transform INTEG ( Name = AUTH_AES_XCBC_96 )
   |     +-- Transform ESN ( Name = ESNs )
   |     +-- Transform ESN ( Name = No ESNs )
   |
   +--- Proposal #2 ( Proto ID = ESP(3), SPI size = 4,
         |            4 transforms,      SPI = 0x35a1d6f2 )
         |
         +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
         |     +-- Attribute ( Key Length = 128 )
         |
         +-- Transform ENCR ( Name = AES-GCM with a 8 octet ICV )
         |     +-- Attribute ( Key Length = 256 )
         |
         +-- Transform ESN ( Name = ESNs )
         +-- Transform ESN ( Name = No ESNs )
Each Proposal/Protocol structure is followed by one or more transform
structures. The number of different transforms is generally
determined by the Protocol. AH generally has two transforms:
Extended Sequence Numbers (ESNs) and an integrity check algorithm.
ESP generally has three: ESN, an encryption algorithm, and an
integrity check algorithm. IKE generally has four transforms: a
Diffie-Hellman group, an integrity check algorithm, a PRF algorithm,
and an encryption algorithm. For each Protocol, the set of
permissible transforms is assigned Transform ID numbers, which appear
in the header of each transform.
Defined in RFC 7296, section 3.3.1.
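The proposal rules above (numbering from one, combined-mode ciphers kept in their own proposal with no integrity algorithm or a single NONE) can be checked on a parsed SA payload as follows. This is an added example, not code from this crate: `Proposal`, `check_sa`, `is_combined_mode`, `ids` and `page_example` are hypothetical names, the numeric Transform Type and Transform ID values are the IANA IKEv2 assignments, and only AES-CCM and AES-GCM are treated as combined-mode.

```rust
// Added example; these types are illustrative, not the crate's API.
// Transform Type values (RFC 7296): ENCR = 1, INTEG = 3, ESN = 5.
const ENCR: u8 = 1;
const INTEG: u8 = 3;
const ESN: u8 = 5;

pub struct Proposal {
    pub num: u8,
    pub transforms: Vec<(u8, u16)>, // (Transform Type, Transform ID)
}

// Combined-mode encryption IDs covered here (assumption: only these
// IANA values): AES-CCM = 14..=16, AES-GCM = 18..=20.
fn is_combined_mode(id: u16) -> bool {
    matches!(id, 14..=16 | 18..=20)
}

// Collect the Transform IDs of one Transform Type from a proposal.
fn ids(p: &Proposal, ttype: u8) -> Vec<u16> {
    p.transforms.iter().filter(|t| t.0 == ttype).map(|t| t.1).collect()
}

pub fn check_sa(proposals: &[Proposal]) -> Result<(), String> {
    for (i, p) in proposals.iter().enumerate() {
        // Proposal Num starts at 1 and grows by exactly one per structure.
        if usize::from(p.num) != i + 1 {
            return Err(format!("Proposal Num {} at position {}", p.num, i + 1));
        }
        let (encr, integ) = (ids(p, ENCR), ids(p, INTEG));
        let combined = encr.iter().filter(|&&id| is_combined_mode(id)).count();
        if combined > 0 && combined < encr.len() {
            return Err(format!("proposal {} mixes combined-mode and normal ciphers", p.num));
        }
        // Combined mode: no INTEG transform, or exactly one with ID 0 (NONE).
        if combined > 0 && !matches!(integ.as_slice(), [] | [0]) {
            return Err(format!("proposal {} pairs a combined-mode cipher with integrity", p.num));
        }
    }
    Ok(())
}

// The two proposals from the diagram above (key-length attributes omitted).
pub fn page_example() -> Vec<Proposal> {
    let p1 = vec![(ENCR, 12), (ENCR, 12), (ENCR, 12), (INTEG, 2), (INTEG, 5), (ESN, 1), (ESN, 0)];
    let p2 = vec![(ENCR, 18), (ENCR, 18), (ESN, 1), (ESN, 0)];
    vec![Proposal { num: 1, transforms: p1 }, Proposal { num: 2, transforms: p2 }]
}

fn main() {
    println!("{:?}", check_sa(&page_example()));
}
```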