
Re: ISAKMP DELETE payload

>  I think this is an ISAKMP job. IMHO, Oakley is a Key Exchange Protocol
>  but deleting an SA is part of SA management, not key exchange. From an
>  operational point of view, the SPIs in the msg header will identify the
>  ISAKMP SA, which leads to the right hash algorithm and key. So no
>  KEP-specific details are needed here. After all, the DELETE and HASH
>  payloads are defined by ISAKMP, not OAKLEY.

On the one hand, I understand your viewpoint.  On the other, though,
one cannot establish an ISAKMP SA from the details of the ISAKMP draft
alone.  One needs a DOI definition, and specific transforms need to
be proposed by the initiator for the ISAKMP SA; those transforms are in
turn defined by the DOI.

It also isn't clear that one would always want to use a HASH payload
to protect the DELETE.  A DOI definition could just as well mandate
that the Informational exchange must be encrypted, rather than hashed.

Also, keep in mind that one may be using the Informational exchange to
delete not the ISAKMP SA, but rather some underlying protocol SA, such
as an IPSEC SA.  By definition, the details of those protocol SAs are
defined by the DOI, and not in the base ISAKMP document.

-Shawn Mamros
E-mail to: mamros@ftp.com
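As an added illustration of the exchange the two posters are discussing (this is example code written for this page, not code from either correspondent or from any ISAKMP implementation), the block below builds an Informational exchange carrying a HASH payload followed by a DELETE payload and then checks it on the receiving side. The wire formats and constants are those of RFC 2408, and the protection rule HASH = prf(SKEYID_a, M-ID | D) is taken from RFC 2409 section 5.7, which was finalised after this thread; the cookies, SKEYID_a and SPIs are constructed test values, and the choice of HMAC-SHA1 as prf is an assumption standing in for whatever the DOI would negotiate.

```python
"""ISAKMP Informational exchange: HASH + DELETE, built and verified.

Formats per RFC 2408; HASH = prf(SKEYID_a, M-ID | DELETE payload) per RFC 2409.
All keys, cookies and SPIs are constructed test values.
"""
import hashlib
import hmac
import struct

# RFC 2408 constants: payload types, exchange type, protocol IDs, DOI.
PAYLOAD_NONE, PAYLOAD_HASH, PAYLOAD_DELETE = 0, 8, 12
EXCH_INFORMATIONAL = 5
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 1, 2, 3
IPSEC_DOI = 1
ISAKMP_VERSION = 0x10          # MjVer 1, MnVer 0
HDR_LEN, GEN_HDR_LEN = 28, 4   # ISAKMP header, generic payload header


def generic_header(next_payload, body):
    """Generic payload header: Next Payload, RESERVED, Payload Length."""
    return struct.pack("!BBH", next_payload, 0, GEN_HDR_LEN + len(body)) + body


def delete_payload(proto, spis, doi=IPSEC_DOI):
    """DELETE payload (RFC 2408 3.15). The SPI meaning is DOI/protocol specific:
    for PROTO_ISAKMP it is the 16-byte cookie pair, for AH/ESP the 4-byte SPI."""
    spi_size = 16 if proto == PROTO_ISAKMP else 4
    assert all(len(s) == spi_size for s in spis), "SPI size does not match protocol"
    body = struct.pack("!IBBH", doi, proto, spi_size, len(spis)) + b"".join(spis)
    return generic_header(PAYLOAD_NONE, body)


def build_informational(sa, msg_id, proto, spis):
    """Initiator: HASH payload keyed with the ISAKMP SA's SKEYID_a protects the
    DELETE payload that follows it. Message ID is bound into the hash."""
    delete = delete_payload(proto, spis)
    digest = hmac.new(sa["skeyid_a"], struct.pack("!I", msg_id) + delete, sa["prf"]).digest()
    body = generic_header(PAYLOAD_DELETE, digest) + delete
    hdr = struct.pack("!8s8sBBBBII", sa["icookie"], sa["rcookie"], PAYLOAD_HASH,
                      ISAKMP_VERSION, EXCH_INFORMATIONAL, 0, msg_id, HDR_LEN + len(body))
    return hdr + body


def process_informational(sa_table, msg):
    """Receiver: the cookie pair in the header selects the ISAKMP SA, which supplies
    the prf and SKEYID_a used to check the HASH; only then is DELETE parsed.
    Returns (protocol_id, [spis]); raises ValueError on any failed check."""
    if len(msg) < HDR_LEN + GEN_HDR_LEN:
        raise ValueError("truncated message")
    icookie, rcookie, np, _ver, exch, _flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", msg[:HDR_LEN])
    if length != len(msg) or exch != EXCH_INFORMATIONAL or np != PAYLOAD_HASH:
        raise ValueError("bad header")
    sa = sa_table.get((icookie, rcookie))
    if sa is None:
        raise ValueError("unknown ISAKMP SA")
    np2, _, hlen = struct.unpack("!BBH", msg[HDR_LEN:HDR_LEN + GEN_HDR_LEN])
    hash_end = HDR_LEN + hlen
    if np2 != PAYLOAD_DELETE or hash_end > len(msg):
        raise ValueError("bad HASH payload")
    received = msg[HDR_LEN + GEN_HDR_LEN:hash_end]
    delete = msg[hash_end:]
    expected = hmac.new(sa["skeyid_a"], struct.pack("!I", msg_id) + delete, sa["prf"]).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("HASH mismatch")
    np3, _, dlen = struct.unpack("!BBH", delete[:GEN_HDR_LEN])
    if np3 != PAYLOAD_NONE or dlen != len(delete) or dlen < GEN_HDR_LEN + 8:
        raise ValueError("bad DELETE length")
    _doi, proto, spi_size, nspi = struct.unpack("!IBBH", delete[GEN_HDR_LEN:GEN_HDR_LEN + 8])
    spi_bytes = delete[GEN_HDR_LEN + 8:]
    if len(spi_bytes) != spi_size * nspi:
        raise ValueError("SPI count mismatch")
    return proto, [spi_bytes[i:i + spi_size] for i in range(0, len(spi_bytes), spi_size)]


def demo():
    """Constructed scenario: one ISAKMP SA; delete two ESP SAs under it, delete the
    ISAKMP SA itself, then a tampered message and a message for unknown cookies."""
    sa = {"icookie": bytes.fromhex("0011223344556677"), "rcookie": bytes.fromhex("8899aabbccddeeff"),
          "skeyid_a": bytes(range(20)), "prf": hashlib.sha1}   # HMAC-SHA1 prf assumed
    table = {(sa["icookie"], sa["rcookie"]): sa}
    out = {}
    esp = build_informational(sa, 1, PROTO_IPSEC_ESP, [bytes.fromhex("0a0b0c0d"), bytes.fromhex("01020304")])
    out["esp"] = process_informational(table, esp)
    own = build_informational(sa, 2, PROTO_ISAKMP, [sa["icookie"] + sa["rcookie"]])
    out["isakmp"] = process_informational(table, own)
    tampered = esp[:-1] + bytes([esp[-1] ^ 0xFF])   # flip bits in the last SPI byte
    for key, msg, tbl in (("tampered", tampered, table), ("unknown_sa", esp, {})):
        try:
            process_informational(tbl, msg)
            out[key] = "accepted"
        except ValueError as e:
            out[key] = str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The receiver follows the quoted poster's argument literally: the cookie pair in the header selects the ISAKMP SA, and that SA supplies both the hash algorithm and the key, so nothing Oakley-specific is consulted. It also shows the reply's point about the DOI: the same DELETE payload deletes either an IPSEC ESP SA (4-byte SPIs) or the ISAKMP SA itself (the 16-byte cookie pair), and which is which is decided by the Protocol-ID and SPI size, whose meanings live in the DOI rather than in base ISAKMP. The encrypted-only variant the reply mentions (Flags E bit set, no HASH payload) is not shown here.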
