Re: ISAKMP DELETE payload
>
> Pau-Chen,
>
> > Yes, you are right. Does the draft also define a standard way
> > to authenticate the payload, like a keyed-hash or signature
> > should be computed over certain parts of the msg (or payload) ?
>
> No. That is really dependent on the mechanisms negotiated. These
> mechanisms will differ in most DOIs. So, in our case, the IPSEC DOI
> document defines the mechanisms negotiable for IPSEC and the
> ISAKMP/Oakley document defines how the hashes and/or signatures are
> computed for ISAKMP exchanges.
Doug,
I more or less understand negotiation and ISAKMP/OAKLEY. Unless I am
missing something, neither doc defines how a hash is going to be computed
over an ISAKMP DELETE payload. I don't mean the hash algorithm, but rather
the input (say SPIs, protocols, ...) and/or the key to be used for the
hash, whatever the actual hash algorithm may be. Such should be independent
of any particular hash algorithm or KEP, since nothing in the DELETE payload
is dependent on them.
Also, I would suggest that the ISAKMP doc should state explicitly that a
DELETE payload should be sent together with a HASH payload, assuming that
is the intention of ISAKMP.
Pau-Chen
>
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * Douglas Maughan Voice: (301) 688-0847 *
> * Technical Director, R23 Fax: (301) 688-0255 *
> * National Security Agency E-mail: wdmaugh@tycho.ncsc.mil *
> * 9800 Savage Road maughan@cs.umbc.edu *
> * Fort Meade, MD. 20755-6000 *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
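The point raised above (what the hash over a DELETE payload must cover, and under which key) can be made concrete with the construction that was later fixed in RFC 2409 section 5.7, HASH(1) = prf(SKEYID_a, M-ID | D). The following is an added example, not code from either correspondent or from any ISAKMP implementation; the Delete payload layout follows RFC 2408 section 3.15, HMAC-SHA1 stands in for the negotiated prf, and the key and SPI values are constructed.

```python
import hmac
import hashlib
import struct

# ISAKMP Delete payload layout (RFC 2408 section 3.15), assumed here:
# Next Payload (1) | RESERVED (1) | Payload Length (2) | DOI (4) |
# Protocol-ID (1) | SPI Size (1) | # of SPIs (2) | SPIs (SPI Size * count)
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3
IPSEC_DOI = 1

def build_delete_payload(doi, protocol_id, spis, next_payload=0):
    """Serialize a Delete payload; every SPI must have the same size."""
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs must share one SPI size")
    body = struct.pack("!IBBH", doi, protocol_id, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def informational_hash(skeyid_a, message_id, delete_payload):
    """HASH(1) = prf(SKEYID_a, M-ID | D): the key is the SA's SKEYID_a and the
    input is the exchange's message ID followed by the whole Delete payload,
    so protocol, SPIs and message ID are all bound by the keyed hash.
    HMAC-SHA1 stands in for the negotiated prf (assumption)."""
    data = struct.pack("!I", message_id) + delete_payload
    return hmac.new(skeyid_a, data, hashlib.sha1).digest()

def verify_delete(skeyid_a, message_id, delete_payload, received_hash):
    """Receiver-side check; constant-time comparison of the expected hash."""
    expected = informational_hash(skeyid_a, message_id, delete_payload)
    return hmac.compare_digest(expected, received_hash)

# Constructed sample values (not a real key, not a real SPI)
SKEYID_A = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
MESSAGE_ID = 0x1A2B3C4D

def demo():
    payload = build_delete_payload(IPSEC_DOI, PROTO_ESP, [bytes.fromhex("deadbeef")])
    h = informational_hash(SKEYID_A, MESSAGE_ID, payload)
    genuine_ok = verify_delete(SKEYID_A, MESSAGE_ID, payload, h)
    # A DELETE whose SPI was altered in transit must be rejected
    altered = build_delete_payload(IPSEC_DOI, PROTO_ESP, [bytes.fromhex("deadbee0")])
    altered_ok = verify_delete(SKEYID_A, MESSAGE_ID, altered, h)
    # The same payload presented under another message ID must also be rejected
    other_id_ok = verify_delete(SKEYID_A, MESSAGE_ID + 1, payload, h)
    return genuine_ok, altered_ok, other_id_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```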