
Re: ISAKMP null transforms



> In my understanding of ISAKMP, the proposal for ESP and AH are sent as a
> list in order of preference.  Does it not make sense to define "null"
> transform?  The rationale is this:
> 
> Suppose I wish to convey to my peer that I would like to communicate
> with no AH; however, I am capable of communicating using an MD5 AH,
> or, say SHA-1 AH.

There are 2 negotiations taking place with ISAKMP. The first is to protect
ISAKMP-to-ISAKMP traffic; the second is to negotiate one or more security
associations like AH and ESP under the protection of the policy negotiated
in the first phase.
  The first phase of negotiation doesn't use AH or ESP. Encryption and
authentication are negotiated and subsequently used, but the AH _header_ 
and ESP _header_ are never sent as part of an ISAKMP payload. You would
never want to negotiate a null here. All ISAKMP exchanges require 
authentication; you must negotiate it. (The Authentication Only exchange
does not encrypt the traffic but it still authenticates the two parties). 
  If your question relates to the second phase of negotiation then I'm
a bit confused. If you don't want to do a transform I don't understand why 
you need ISAKMP to announce that fact. Just don't negotiate a transform. 
It says nothing about your ability just your intent. 

> As it is now, I don't see how to propose this.  I can propose no
> AH transforms (true?), in which case my peer gets the wrong message
> since it will think I *cannot* speak MD5; or I can propose MD5 and SHA-1
> which again conveys the wrong message, since I'd really prefer no AH (and
> how would this be differentiated from the case where I will not accept
> anything less than, say, MD5?).

I don't see the problem here. If you don't want to do AH you shouldn't worry
about your peer getting any message about your ability to do it. The only 
thing your peer cares about is what you intend on doing-- how you intend
on communicating. 
  The second phase of negotiation establishes security associations. There is 
no such thing as a "null" security association. You can't do AH with nothing,
same for ESP.

  Dan.
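The proposal-selection rule Dan's reply relies on, as an added example that is not part of this thread or of any IPsec implementation: in an ISAKMP SA payload (RFC 2408 section 4.2), proposals that carry the same proposal number are ANDed into one protection suite, proposals with different numbers are alternatives listed in the initiator's order of preference, and the transforms inside one proposal are ordered alternatives for that protocol. The toy responder below picks the first suite it can fully satisfy. It goes slightly beyond the reply in showing that "prefer no AH, but accept AH-MD5 or AH-SHA1" is expressible without any null transform: suite 1 is ESP alone, suite 2 is ESP and AH. The protocol names, transform ids and responder policies are constructed for the example.

```python
# Added example (not from the thread): a toy model of ISAKMP phase-2 proposal
# selection following RFC 2408 section 4.2 semantics.  Same proposal number
# => logical AND (one protection suite); different numbers => logical OR in
# the initiator's order of preference.  All names and policies are constructed.

from dataclasses import dataclass


@dataclass
class Proposal:
    number: int         # proposals sharing a number form one suite (AND)
    protocol: str       # "AH" or "ESP"
    transforms: list    # ordered transform ids, most preferred first


def suites(proposals):
    """Group proposals into protection suites keyed by proposal number,
    keeping the order in which the numbers first appear (preference order)."""
    ordered = {}
    for p in proposals:
        ordered.setdefault(p.number, []).append(p)
    return list(ordered.values())


def select_suite(proposals, accept, require=frozenset()):
    """Responder-side choice.

    accept  : dict protocol -> set of transform ids the responder will use
    require : protocols the responder insists on (e.g. {"AH"})

    Returns the chosen [(protocol, transform), ...] for the first suite in
    which every protocol has an acceptable transform, or None.  A suite that
    simply omits AH is how "no AH" is conveyed; there is no null SA."""
    for suite in suites(proposals):
        if not set(require) <= {p.protocol for p in suite}:
            continue
        chosen = []
        for p in suite:
            ok = [t for t in p.transforms if t in accept.get(p.protocol, ())]
            if not ok:
                break           # this suite cannot be satisfied; try the next
            chosen.append((p.protocol, ok[0]))
        else:
            return chosen
    return None


# Constructed initiator SA payload: prefer ESP alone (suite 1); if the peer
# insists on AH, accept ESP plus AH with HMAC-MD5 or HMAC-SHA1 (suite 2).
INITIATOR_SA = [
    Proposal(1, "ESP", ["3DES-CBC"]),
    Proposal(2, "ESP", ["3DES-CBC"]),
    Proposal(2, "AH", ["HMAC-MD5", "HMAC-SHA1"]),
]

ESP_ONLY_PEER = {"ESP": {"3DES-CBC"}}
AH_REQUIRED_PEER = {"ESP": {"3DES-CBC"}, "AH": {"HMAC-SHA1"}}
INCOMPATIBLE_PEER = {"ESP": {"AES-CBC"}}


if __name__ == "__main__":
    print(select_suite(INITIATOR_SA, ESP_ONLY_PEER))
    print(select_suite(INITIATOR_SA, AH_REQUIRED_PEER, require={"AH"}))
    print(select_suite(INITIATOR_SA, INCOMPATIBLE_PEER))
```

The ESP-only peer takes suite 1 and never learns whether the initiator can do AH, which is Dan's point: the peer sees intent, not capability. A peer that requires AH skips suite 1 and lands on suite 2 with the first AH transform both sides share.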
