
SA Attribute Negotiation
I am a little unclear as to how to negotiate variable-length SA
attributes, such as any of the Duration attributes.

Are these variable-length attributes non-negotiable?  Simply stated by
the initiator and accepted by the responder?

If not, how are we supposed to handle differences in values?  It would
seem impractical to reject a proposal because the requested Key Duration
was not exactly that expected.  Is it local policy as to what to do
(i.e. accept shorter durations, but reject longer)?

I took a quick look at the Cisco code and it looks like variable-length
attributes are not negotiated.
From the comments:

	 * a value of a VPI cannot be specified in a protection suite. 
	 * Therefore if att_type is non-zero the matching attribute be basic. 

or is this an implementation issue?

Thanks.
Bye.
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
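The attribute encoding the question turns on, as an added example that is not part of the original post or of the Cisco code it quotes. Per RFC 2408 section 3.3 the high bit (AF) of the two-byte Attribute Type selects the basic TV form (a two-byte value) or the variable-length TLV form (a two-byte length followed by the value), so a Life Duration that does not fit in 16 bits has to be sent as TLV even though the same attribute class can travel as TV. The attribute class numbers below are the IPsec DOI's (SA Life Type = 1, SA Life Duration = 2, with 1 = seconds and 2 = kilobytes as life types), and the "accept a shorter duration, reject a longer one" responder rule is the local policy the post floats, written here as an assumption; nothing on this page settles what the right behaviour is.

```python
import struct

AF_BIT = 0x8000  # RFC 2408 s.3.3: AF=1 -> basic (TV), AF=0 -> variable-length (TLV)

# IPsec DOI attribute classes (RFC 2407 s.4.5). Assumption: the post does
# not say which DOI it has in mind; the encoding rules are the same in all.
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


def encode_basic(attr_type, value):
    """TV form: type with AF set, then a two-byte value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("basic attribute value must fit in 16 bits")
    if attr_type & AF_BIT:
        raise ValueError("attribute type collides with the AF bit")
    return struct.pack("!HH", attr_type | AF_BIT, value)


def encode_variable(attr_type, value):
    """TLV form: type with AF clear, two-byte length, then the value.
    Integers are sent as the shortest big-endian byte string."""
    if isinstance(value, int):
        value = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if len(value) > 0xFFFF:
        raise ValueError("variable attribute value too long")
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def encode_attribute(attr_type, value):
    """Pick the form by size: a Duration of 3600 fits TV, 86400 does not."""
    if isinstance(value, int) and value <= 0xFFFF:
        return encode_basic(attr_type, value)
    return encode_variable(attr_type, value)


def parse_attributes(buf):
    """Walk a run of ISAKMP data attributes.
    Returns a list of (attribute_class, integer_value, is_basic)."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, tv = struct.unpack_from("!HH", buf, off)
        off += 4
        attr_class = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            out.append((attr_class, tv, True))          # TV: tv is the value
        else:
            if len(buf) - off < tv:                     # TLV: tv is the length
                raise ValueError("truncated variable attribute at offset %d" % off)
            value = int.from_bytes(buf[off:off + tv], "big") if tv else 0
            off += tv
            out.append((attr_class, value, False))
    return out


def check_lifetimes(attrs, local_max):
    """Responder-side check implementing the policy the post suggests
    (assumption, not something the list settled): a proposed SA Life
    Duration is accepted if it is no longer than local policy for that
    Life Type and the proposal is rejected (None) if it is longer.
    local_max maps life type -> largest acceptable value.
    Returns {life_type: accepted_duration}."""
    accepted, pending_type = {}, None
    for attr_class, value, _is_basic in attrs:
        if attr_class == SA_LIFE_TYPE:
            pending_type = value
        elif attr_class == SA_LIFE_DURATION:
            if pending_type is None:
                raise ValueError("SA Life Duration without a preceding SA Life Type")
            limit = local_max.get(pending_type)
            if limit is None or value > limit:
                return None          # unknown life type, or longer than policy
            accepted[pending_type] = value
            pending_type = None
    return accepted


if __name__ == "__main__":
    # Constructed proposal: one day in seconds (needs TLV) and 100000 kilobytes.
    proposal = (encode_attribute(SA_LIFE_TYPE, LIFE_TYPE_SECONDS)
                + encode_attribute(SA_LIFE_DURATION, 86400)
                + encode_attribute(SA_LIFE_TYPE, LIFE_TYPE_KILOBYTES)
                + encode_attribute(SA_LIFE_DURATION, 100000))
    parsed = parse_attributes(proposal)
    for attr_class, value, is_basic in parsed:
        print(attr_class, value, "TV" if is_basic else "TLV")
    print(check_lifetimes(parsed, {LIFE_TYPE_SECONDS: 86400, LIFE_TYPE_KILOBYTES: 200000}))
    print(check_lifetimes(parsed, {LIFE_TYPE_SECONDS: 3600, LIFE_TYPE_KILOBYTES: 200000}))
```

The parser checks both the four-byte header and the TLV length against the remaining buffer, since a length field that runs past the payload is the obvious way a malformed proposal would trip a naive decoder.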

