
Re: ISAKMP DELETE payload




> 
> Pau-Chen,
> 
> > Yes, you are right. Does the draft also define a standard way
> > to authenticate the payload, like a keyed-hash or signature
> > should be computed over certain parts of the msg (or payload) ?
> 
> No. That is really dependent on the mechanisms negotiated. These
> mechanisms will differ in most DOIs. So, in our case, the IPSEC DOI
> document defines the mechanisms negotiable for IPSEC and the
> ISAKMP/Oakley document defines how the hashes and/or signatures are
> computed for ISAKMP exchanges.

Doug, 

  I more or less understand negotiation and ISAKMP/OAKLEY. Unless I am
missing something, neither doc defines how a hash is going to be computed
over an ISAKMP DELETE payload. I don't mean the hash algorithm, but rather
the input (say SPI's, protocols, ...) and/or the key to be used for the
hash; whatever the actual hash algorithm may be. Such should be independent
of any particular hash algorithm or KEP, since nothing in the DELETE payload
is dependent on them.

  Also, I would suggest that ISAKMP doc should state explicitly that a
DELETE payload should be sent together with a HASH payload, assuming that
is the intention of ISAKMP.


Pau-Chen 

> 
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * Douglas Maughan                Voice:  (301) 688-0847           *
> * Technical Director, R23        Fax:    (301) 688-0255           *
> * National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
> * 9800 Savage Road                       maughan@cs.umbc.edu      *
> * Fort Meade, MD. 20755-6000                                      *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
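An added illustration, not code from this thread or from any ISAKMP implementation, of the kind of authentication the message asks for: a keyed hash whose input set is assumed here to be the exchange's Message-ID plus the full DELETE payload (DOI, Protocol-ID, SPIs), with the receiver discarding any DELETE whose hash does not verify. The payload layout follows the published ISAKMP DELETE format; the key, the SPI values, the Message-ID and the choice of HMAC-SHA1 are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example (not from the thread).
IPSEC_DOI = 1          # IPSEC DOI identifier
PROTO_ESP = 3          # Protocol-ID for ESP in the IPSEC DOI
SKEYID_A = b"constructed-authentication-key"  # assumed key from the phase 1 exchange

def build_delete_payload(doi, proto, spis, next_payload=0):
    """Encode a DELETE payload: generic header (next, reserved, length),
    then DOI, Protocol-ID, SPI size, number of SPIs, and the SPIs."""
    spi_size = len(spis[0])
    body = struct.pack("!IBBH", doi, proto, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_delete_payload(data):
    """Decode a DELETE payload and return (doi, proto, [spi, ...])."""
    _next, _reserved, length = struct.unpack("!BBH", data[:4])
    doi, proto, spi_size, n = struct.unpack("!IBBH", data[4:12])
    if length != 12 + n * spi_size or len(data) < length:
        raise ValueError("malformed DELETE payload")
    spis = [data[12 + i * spi_size:12 + (i + 1) * spi_size] for i in range(n)]
    return doi, proto, spis

def delete_hash(key, message_id, delete_payload):
    """Keyed hash over the Message-ID and the whole DELETE payload (assumed inputs)."""
    return hmac.new(key, struct.pack("!I", message_id) + delete_payload,
                    hashlib.sha1).digest()

def process_delete(key, message_id, delete_payload, received_hash):
    """Receiver side: act on the DELETE only if its keyed hash verifies.
    Returns the parsed payload, or None when the hash fails (SAs stay up)."""
    expected = delete_hash(key, message_id, delete_payload)
    if not hmac.compare_digest(expected, received_hash):
        return None
    return parse_delete_payload(delete_payload)
```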