
Re: ISAKMP DELETE payload



Pau-Chen,
 
> > Pau-Chen,
> > 
> > > Yes, you are right. Does the draft also define a standard way
> > > to authenticate the payload, like a keyed-hash or signature
> > > should be computed over certain parts of the msg (or payload) ?
> > 
> > No. That is really dependent on the mechanisms negotiated. These
> > mechanisms will differ in most DOIs. So, in our case, the IPSEC DOI
> > document defines the mechanisms negotiable for IPSEC and the
> > ISAKMP/Oakley document defines how the hashes and/or signatures are
> > computed for ISAKMP exchanges.
> 
> Doug, 
> 
>   I more or less understand negotiation and ISAKMP/OAKLEY. Unless I am
> missing something, neither doc defines how a hash is going to be computed
> over an ISAKMP DELETE payload. I don't mean the hash algorithm, but rather
> the input (say SPI's, protocols, ...) and/or the key to be used for the
> hash; whatever the actual hash algorithm may be. Such should be independent
> of any particular hash algorithm or KEP, since nothing in the DELETE payload
> is dependent on them.

You are correct. I was thinking the ISAKMP/Oakley document specified
this, but they only specify how to do the hash for the other exchanges
and not for the Informational Exchange.

>   Also, I would suggest that ISAKMP doc should state explicitly that a
> DELETE payload should be sent together with a HASH payload, assuming that
> is the intention of ISAKMP.

Does this belong in the ISAKMP doc or in the ISAKMP/Oakley doc? The
ISAKMP/Oakley doc outlines which of the ISAKMP exchanges it uses and
then adds the additional ones. Should they also specify how to use
Informational Exchanges within the context of an IPSEC DOI using Oakley
or should this be done in the ISAKMP doc? If I specify it in the ISAKMP
doc then any DOI/Key Exchange would have to use it in the way
specified. The splitting of the details from the ISAKMP doc to the
other docs was to eliminate this. Would appreciate any other opinions
on this issue.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                Voice:  (301) 688-0847           *
* Technical Director, R23        Fax:    (301) 688-0255           *
* National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
* 9800 Savage Road                       maughan@cs.umbc.edu      *
* Fort Meade, MD. 20755-6000                                      *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
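The point Pau-Chen raises is that the drafts did not say what a keyed hash over a DELETE payload takes as input or key. The following is an added illustration, not code from this thread or from the ISAKMP drafts: it encodes a DELETE payload in the RFC 2408 layout, computes a keyed hash over the message ID and the payload (the input shape RFC 2409 later adopted for Informational exchanges), and shows that a receiver which checks that hash rejects a delete whose SPI was altered or which is replayed under another message ID. HMAC-SHA1 stands in for the negotiated prf, and the key and SPIs are constructed sample values.

```python
import hashlib
import hmac
import struct


def build_delete_payload(doi: int, protocol_id: int, spis: list) -> bytes:
    """Encode an ISAKMP DELETE payload (RFC 2408 layout).

    Generic header: next-payload(1) reserved(1) length(2); then DOI(4),
    protocol-ID(1), SPI size(1), number of SPIs(2), followed by the SPIs.
    """
    if not spis:
        raise ValueError("at least one SPI is required")
    spi_size = len(spis[0])
    if any(len(s) != spi_size for s in spis):
        raise ValueError("all SPIs in one DELETE payload share a size")
    body = struct.pack("!IBBH", doi, protocol_id, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_delete_payload(payload: bytes) -> dict:
    """Decode a DELETE payload, checking that the length fields are consistent."""
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    doi, protocol_id, spi_size, count = struct.unpack("!IBBH", payload[4:12])
    if 12 + spi_size * count != length:
        raise ValueError("SPI list does not fit the declared length")
    spis = [payload[12 + i * spi_size: 12 + (i + 1) * spi_size] for i in range(count)]
    return {"doi": doi, "protocol_id": protocol_id, "spis": spis}


def delete_hash(skeyid_a: bytes, message_id: int, payload: bytes) -> bytes:
    """Keyed hash over message-ID || DELETE payload.

    Assumption: HMAC-SHA1 plays the role of the negotiated prf and the
    authentication key skeyid_a is the one derived for the ISAKMP SA.
    """
    return hmac.new(skeyid_a, struct.pack("!I", message_id) + payload, hashlib.sha1).digest()


def verify_delete(skeyid_a: bytes, message_id: int, payload: bytes, received: bytes) -> bool:
    """Receiver-side check; constant-time comparison of the expected hash."""
    return hmac.compare_digest(delete_hash(skeyid_a, message_id, payload), received)


def demo() -> tuple:
    # Constructed sample values: not a real session key, not real SPIs.
    skeyid_a = b"constructed-skeyid_a-for-the-example"
    message_id = 0x1234ABCD
    # DOI 1 = IPSEC, protocol 3 = ESP (IPSEC DOI numbering), two 4-byte SPIs.
    payload = build_delete_payload(1, 3, [b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"])
    h = delete_hash(skeyid_a, message_id, payload)

    genuine = verify_delete(skeyid_a, message_id, payload, h)

    # An SPI altered in flight: the keyed hash no longer matches.
    tampered = bytearray(payload)
    tampered[-1] ^= 0x01
    altered = verify_delete(skeyid_a, message_id, bytes(tampered), h)

    # The same DELETE replayed under a different message ID also fails.
    replayed = verify_delete(skeyid_a, message_id + 1, payload, h)
    return genuine, altered, replayed


if __name__ == "__main__":
    print(demo())
```

Binding the message ID into the hash is what ties the DELETE to one exchange; hashing the payload bytes alone would authenticate the SPIs but still allow a captured delete to be replayed later.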
