Re: ISAKMP & IPSEC DOI Drafts - Notify Payload - Certificate Authorities

Cc: ipsec@tis.com
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

Greg,

> Questions on ISAKMP draft:
> 
> Can Notify Payloads be sent in any exchange or are they valid only in
> Informational Exchanges?

Because Notify and Delete messages are one-way, i.e. no acknowledgement
expected, they were separated out to their own exchange. Nothing
precludes you from defining an exchange that allows Notify or Delete
payloads anywhere in the exchange. We defined a default set of
exchanges in ISAKMP. None of those exchanges (Base, ID Protect,
Aggressive, and Auth Only) allow Notify or Delete payloads as part of
the exchange. We separated out the Notify and Delete payload into their
own exchange, i.e. Informational.
 
> What action should be taken when a Notify Payload is received and the
> Message Type is not known.  i.e. My ISAKMP server is using some of the
> private Message Types to exchange Environment information, but the peer
> ISAKMP server has no concept of this info (and hence the private message
> types).

Section 5.12 specifies a RECOMMENDED way to handle the problem. We
probably should add more to this section to make it like the other
sections (similar detail and clarity for error handling). Additionally,
I would expect that ISAKMP servers using Private Message Types would be
able to handle them appropriately. As you state, it is only when an
ISAKMP server has no idea what to do with the Private Message Type that
this becomes an issue.

> Section 3.10 Certificate Request Payload of ISAKMP - draft 6
> 
> For the Certificate Authorities field it references the IPSEC DOI
> document, however I couldn't find any reference to 'Distinguished Name
> Attribute Type' value in the IPSEC DOI doc.
> 
> Could someone expand on this?

I think this might have been something that got lost or overlooked in
the transfer of stuff from the appendices of ISAKMP-05 to the IPSEC DOI
document. I'll check with Derrell Piper (piper@tgv.com). Feel free to
contact him as well.
 
> ----
> Greg Carter
> Nortel Secure Networks - Entrust
> carterg@entrust.com

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                Voice:  (301) 688-0847           *
* Technical Director, R23        Fax:    (301) 688-0255           *
* National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
* 9800 Savage Road                       maughan@cs.umbc.edu      *
* Fort Meade, MD. 20755-6000                                      *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
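The two points discussed in the reply above, that Notify and Delete payloads live only in the Informational exchange among the default exchanges, and that a receiver must decide what to do with a Notify Message Type it does not understand, can be made concrete with a small encoder/parser. The following is an added example, not code from the e-mail thread or from any ISAKMP implementation. It assumes the final RFC 2408 layout and number ranges (generic payload header, Notification payload fields, exchange type values, and the Private Use ranges for Notify Message Types), which may differ from draft 06; the "ignore unknown private type" triage policy is an illustrative choice of this example, not the RECOMMENDED handling from section 5.12, which the thread does not reproduce.

```python
"""Encode, parse and triage an ISAKMP Notification payload (added example).

Assumptions (RFC 2408, not the ISAKMP draft discussed in the thread):
  generic payload header: Next Payload (1), RESERVED (1), Payload Length (2)
  Notification payload:   DOI (4), Protocol-ID (1), SPI Size (1),
                          Notify Message Type (2), SPI (var), Data (var)
"""
import struct

# Payload type numbers (RFC 2408 section 3.1).
PAYLOAD_NONE = 0
PAYLOAD_NOTIFICATION = 11
PAYLOAD_DELETE = 12

# Exchange type numbers (RFC 2408 section 3.1).
EXCHANGE_BASE = 1
EXCHANGE_ID_PROTECT = 2
EXCHANGE_AUTH_ONLY = 3
EXCHANGE_AGGRESSIVE = 4
EXCHANGE_INFORMATIONAL = 5

# Notify and Delete are one-way (unacknowledged); among the default
# exchanges only Informational carries them.
ONE_WAY_PAYLOADS = frozenset({PAYLOAD_NOTIFICATION, PAYLOAD_DELETE})


def payload_allowed(exchange_type, payload_type):
    """True if a default exchange may carry this payload type."""
    if payload_type in ONE_WAY_PAYLOADS:
        return exchange_type == EXCHANGE_INFORMATIONAL
    return True


def classify_notify_type(msg_type):
    """Bucket a Notify Message Type by the RFC 2408 number ranges (assumed)."""
    if 1 <= msg_type <= 30:
        return "error"
    if 8192 <= msg_type <= 16383:
        return "private-error"
    if 24576 <= msg_type <= 32767:
        return "doi-status"
    if 32768 <= msg_type <= 40959:
        return "private-status"
    return "reserved"


def encode_notify(doi, protocol_id, msg_type, spi=b"", data=b"",
                  next_payload=PAYLOAD_NONE):
    """Build a Notification payload including its generic header."""
    body = struct.pack("!IBBH", doi, protocol_id, len(spi), msg_type) + spi + data
    length = 4 + len(body)  # Payload Length covers the generic header too
    return struct.pack("!BBH", next_payload, 0, length) + body


def parse_notify(buf):
    """Parse a Notification payload; raise ValueError on any length inconsistency."""
    if len(buf) < 12:
        raise ValueError("truncated: generic header + fixed fields need 12 bytes")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length < 12 or length > len(buf):
        raise ValueError("Payload Length %d inconsistent with buffer" % length)
    doi, protocol_id, spi_size, msg_type = struct.unpack("!IBBH", buf[4:12])
    if 12 + spi_size > length:
        raise ValueError("SPI Size overruns the payload")
    return {
        "next_payload": next_payload,
        "doi": doi,
        "protocol_id": protocol_id,
        "msg_type": msg_type,
        "spi": buf[12:12 + spi_size],
        "data": buf[12 + spi_size:length],
    }


def triage_notify(buf, exchange_type, known_private_types=frozenset()):
    """Decide what a receiver does with a Notify payload (illustrative policy).

    known_private_types: the Private Use message types this peer implements,
    e.g. the environment-information types mentioned in the thread.
    Returns one of: "process", "ignore-unknown-private",
    "reject-wrong-exchange", "reject-malformed".
    """
    if not payload_allowed(exchange_type, PAYLOAD_NOTIFICATION):
        return "reject-wrong-exchange"
    try:
        notify = parse_notify(buf)
    except ValueError:
        return "reject-malformed"
    bucket = classify_notify_type(notify["msg_type"])
    if bucket.startswith("private") and notify["msg_type"] not in known_private_types:
        # A peer with no concept of this private type cannot act on it;
        # dropping it (and logging) is the policy this example chooses.
        return "ignore-unknown-private"
    return "process"


if __name__ == "__main__":
    # Constructed sample: a private-range status type carrying opaque data.
    sample = encode_notify(doi=1, protocol_id=1, msg_type=8193,
                           spi=b"\x01\x02\x03\x04", data=b"env")
    print(parse_notify(sample))
    print(triage_notify(sample, EXCHANGE_INFORMATIONAL))
    print(triage_notify(sample, EXCHANGE_INFORMATIONAL, {8193}))
    print(triage_notify(sample, EXCHANGE_BASE))
```

The parser validates the Payload Length against both the buffer and the SPI Size before slicing, so a peer sending an inconsistent length gets "reject-malformed" rather than an out-of-range read; the `known_private_types` set is what distinguishes a peer that implements the private types from one that, as in Greg's question, has no idea what to do with them.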