
Re: KEI visa XCHG (ISAKMP & OAKLEY)



-----BEGIN PGP SIGNED MESSAGE-----




On Tue, 20 Aug 1996 pau@watson.ibm.com wrote:

>Oliver, how about treating OAKLEY as a "security protocol" under ISAKMP
>(like ESP is a "security protocol" for IP) and treating different modes
>of OAKLEY as the attributes of OAKLEY.
>
>In other words, we can construct OAKLEY, or any other KEP,
>and its mode(s) as an ISAKMP proposal. Therefore a KEP can be negotiated
>just like ESP and its transform.
>
>
>Regards, Pau-Chen
>

If you define the progress of an exchange using the security protocol
instead of the xchng field then why should there be an exchange field
at all?

ISAKMP Base, Identity and Auth only Exchanges could also be defined
via the security protocol or as attributes to the ISAKMP proposal. 

To avoid confusion I would like to mention that Oakley specifies when
which payload has to be exchanged. It not only specifies the contents
of the payloads.


I have a few reasons to oppose this concept.

1. You have to negotiate a proposal before you can start up an
   exchange adding one message exchange (send/receive SA payload).
   Otherwise you won't know how to generate/process the other
   payloads.

2. You always have to pass the SA payload in clear.
   (OAKLEY or ISAKMP don't encrypt the FIRST SA payload, but
    a key exchange framework shouldn't prevent a key exchange
    protocol from doing so.)

3. You can't demultiplex early by only reading the header to the 
   right state machine for processing. This is an implementation issue
   but I think an important one.
 
Oliver




-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMhn5tjnVPgUZ7uZJAQFqqAP/VqkRDN0f4bfLk7qP3J86tiXdLflyiY0R
K94OuySyCEOOSKTbKPx4H/qzhCrCVLOYEdP0n5/MqNQQjyN3j/y5jZZIsWk8r5tF
ml/BtgjDDen/jMSiIXzjf6AYTUregRM0FHNmqZxZd8YGJkJ0AMLvvy/JytrAX2LC
RnB6fO+NHc0=
=VioU
-----END PGP SIGNATURE-----
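The three objections above can be seen side by side in code. What follows is an added illustration, not code from this message or from any ISAKMP implementation of the time: it parses the fixed ISAKMP header and dispatches on its exchange-type field, then tries the alternative the thread proposes, where the key exchange protocol is only learnt from the Protocol-ID of the first proposal inside the SA payload. Header, generic payload, SA and proposal layouts are taken from the later RFC 2408 (the assumption being that the 1996 draft used the same field order), the exchange-type and payload-type numbers are RFC 2408's, and the Protocol-ID used to stand for "OAKLEY as a security protocol" is a made-up private value, since no such registration exists. All sample messages are constructed inline.

```python
"""Demultiplexing ISAKMP messages: by the fixed header versus by the SA payload.

Added example. Layouts follow RFC 2408 (assumed to match the 1996 draft);
PROTO_OAKLEY_HYPOTHETICAL is an invented private-use value.
"""
import struct

HDR_LEN = 28
# I-cookie(8) R-cookie(8) next-payload(1) version(1) exchange-type(1) flags(1) message-ID(4) length(4)
HDR_FMT = "!8s8sBBBBII"
FLAG_ENCRYPTION = 0x01          # E bit: everything after the header is encrypted

EXCH_BASE, EXCH_IDENTITY_PROTECTION, EXCH_AUTH_ONLY = 1, 2, 3          # exchange types
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 0, 1, 4, 10      # payload types
PROTO_ISAKMP, PROTO_IPSEC_ESP = 1, 3                                   # Protocol-IDs (RFC 2407)
PROTO_OAKLEY_HYPOTHETICAL = 200   # assumption: private value standing for "OAKLEY as a protocol"

STATE_MACHINES = {EXCH_BASE: "base",
                  EXCH_IDENTITY_PROTECTION: "identity-protection",
                  EXCH_AUTH_ONLY: "auth-only"}


def parse_header(msg):
    """Decode the 28-byte fixed header and check its length field against the datagram."""
    if len(msg) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, npl, ver, exch, flags, mid, length = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    if length != len(msg):
        raise ValueError("length field disagrees with datagram size")
    return {"icookie": icky, "rcookie": rcky, "next_payload": npl, "version": ver,
            "exchange": exch, "flags": flags, "message_id": mid, "length": length}


def demux_by_header(msg):
    """Point 3 of the mail: the header alone selects the state machine, encrypted or not."""
    hdr = parse_header(msg)
    if hdr["exchange"] not in STATE_MACHINES:
        raise ValueError("unknown exchange type %d" % hdr["exchange"])
    return STATE_MACHINES[hdr["exchange"]]


def iter_payloads(msg, first_type):
    """Walk the generic payload chain: next-payload(1) reserved(1) length(2) body."""
    off, ptype = HDR_LEN, first_type
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + 4:off + plen]
        off, ptype = off + plen, nxt


def demux_by_sa_payload(msg):
    """The thread's alternative: read the key exchange protocol out of the first proposal.

    Works only if an SA payload is present (point 1) and sent in clear (point 2)."""
    hdr = parse_header(msg)
    if hdr["flags"] & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; the SA payload cannot be read")
    for ptype, body in iter_payloads(msg, hdr["next_payload"]):
        if ptype == PAYLOAD_SA:
            # SA body: DOI(4) Situation(4), then a proposal payload:
            # next(1) reserved(1) length(2) proposal#(1) Protocol-ID(1) SPI-size(1) #transforms(1)
            _n, _r, _plen, _num, proto_id, _spi, _nt = struct.unpack("!BBHBBBB", body[8:16])
            return proto_id
    raise ValueError("no SA payload in this message, nothing to dispatch on")


def sa_demux_or_none(msg):
    """Convenience wrapper: the Protocol-ID, or None where the SA-payload approach fails."""
    try:
        return demux_by_sa_payload(msg)
    except ValueError:
        return None


def sa_payload_body(proto_id):
    """Constructed SA payload: DOI 1, situation 1, one proposal carrying proto_id."""
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8, 1, proto_id, 0, 0)
    return struct.pack("!II", 1, 1) + proposal


def build_message(exchange, payloads, flags=0):
    """Assemble a complete ISAKMP datagram from (payload type, body) pairs."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange, flags, 0,
                      HDR_LEN + len(chain))
    return hdr + chain


# Constructed sample messages.
MSG_BASE_FIRST = build_message(EXCH_BASE, [(PAYLOAD_SA, sa_payload_body(PROTO_OAKLEY_HYPOTHETICAL)),
                                           (PAYLOAD_NONCE, b"\x42" * 16)])
MSG_BASE_LATER = build_message(EXCH_BASE, [(PAYLOAD_KE, b"\x01" * 32), (PAYLOAD_NONCE, b"\x42" * 16)])
MSG_ENCRYPTED = build_message(EXCH_IDENTITY_PROTECTION, [(PAYLOAD_KE, b"\x01" * 32)],
                              flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, m in (("base/1", MSG_BASE_FIRST), ("base/3", MSG_BASE_LATER), ("idprot/enc", MSG_ENCRYPTED)):
        print(name, "header ->", demux_by_header(m), "| SA payload ->", sa_demux_or_none(m))
```

Only the first message of the base exchange lets the SA-payload approach recover a protocol at all; the later message has no SA payload, and the encrypted one cannot be walked, while the header dispatch answers in every case from the first 28 bytes.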


