
Re: SA Attribute Negotiation



  Greg,

> I am a little unclear as to how to negotiate variable length SA
> attributes, such as any of the Duration attributes.
> 
> Are these variable length attributes non negotiable?  Simply stated by
> the initiator and accepted by the responder?
> 
> If not how are we supposed to handle differences in values?  It would
> seem impractical to reject a proposal because the requested Key Duration
> was not exactly that expected.  Is it local policy as to what to do
> (i.e. accept shorter durations, but reject longer)?
> 
> I took a quick look at the Cisco code and it looks like variable length
> attributes are not negotiated.
> from the comments...
> 
> 	 * a value of a VPI cannot be specified in a protection suite. 
> 	 * Therefore if att_type is non-zero the matching attribute be basic. 
> 
> or is this an implementation issue?

Absolutely an implementation issue. D-H Group characteristics such as 
the prime (when establishing a new group description with New Group Mode) 
should be evaluated. The other ISAKMP SA attribute which can vary
is the lifetime. If this is a critical issue for you I imagine that you
would not accept an offer of a lifetime which is greater than that which
is set in your local policy.

  Basically, there are no requirements in the document to do any checking
for strong primes or realistic lifetimes but I'd imagine that implementations 
would do some checking. 

  Dan.
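The kind of local-policy check Dan describes, worked through as an added example that is not code from this thread or from any implementation mentioned in it. It parses ISAKMP data attributes (RFC 2408 section 3.3: the high bit of the type selects a basic two-byte value or a length-prefixed variable value), uses the IKE phase-1 attribute numbers from RFC 2409 Appendix A, and then applies two checks that the document does not require but an implementation would want: an offered Life Duration is rejected when it exceeds the local maximum, and a variable-length Group Prime offered in New Group Mode gets a size check plus a probable-prime test. The policy values, the sample offer and the function names are my own constructions.

```python
import struct

# RFC 2408 section 3.3 data attribute: 2-byte type whose high (AF) bit selects
# the encoding. AF=1 -> "basic": one 2-byte value. AF=0 -> "variable": 2-byte
# length followed by that many value bytes.
AF_BIT = 0x8000

# IKE phase-1 attribute numbers and Life Type values, RFC 2409 Appendix A.
ATTR_ENCRYPTION_ALG = 1
ATTR_GROUP_PRIME = 6
ATTR_LIFE_TYPE = 11
ATTR_LIFE_DURATION = 12
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


def encode_attribute(attr_type, value):
    """Encode one attribute: int values become basic, bytes become variable."""
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFF:
            raise ValueError("basic attribute value must fit in 16 bits")
        return struct.pack("!HH", attr_type | AF_BIT, value)
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def parse_attributes(data):
    """Parse concatenated attributes into (type, value) pairs; basic values come
    back as int, variable values as bytes. Rejects truncated encodings."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            attrs.append((attr_type, second))
        else:
            if len(data) - off < second:
                raise ValueError("variable attribute length exceeds payload")
            attrs.append((attr_type, data[off:off + second]))
            off += second
    return attrs


def duration_value(value):
    """Life Duration may be basic (int) or variable (big-endian integer bytes)."""
    if isinstance(value, int):
        return value
    if not value:
        raise ValueError("empty Life Duration")
    return int.from_bytes(value, "big")


def check_lifetime(attrs, policy_max_seconds):
    """Local policy (assumed here): accept an offered lifetime in seconds only
    if it does not exceed policy_max_seconds. Returns (accepted, reason)."""
    life_type = duration = None
    for attr_type, value in attrs:
        if attr_type == ATTR_LIFE_TYPE:
            life_type = value
        elif attr_type == ATTR_LIFE_DURATION:
            duration = duration_value(value)
    if life_type is None or duration is None:
        return False, "no lifetime offered"
    if life_type != LIFE_TYPE_SECONDS:
        return False, "unsupported life type %d" % life_type
    if duration > policy_max_seconds:
        return False, "offered %d s exceeds policy max %d s" % (duration, policy_max_seconds)
    return True, "ok"


def check_group_prime(value, min_bits=1024):
    """Sanity-check a variable-length Group Prime: minimum size, oddness and a
    Miller-Rabin probable-prime test with fixed small bases. Returns (ok, reason)."""
    p = int.from_bytes(value, "big")
    if p.bit_length() < min_bits:
        return False, "prime too small (%d bits)" % p.bit_length()
    if p % 2 == 0:
        return False, "even modulus"
    d, r = p - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        x = pow(a, d, p)
        if x in (1, p - 1):
            continue
        for _ in range(r - 1):
            x = x * x % p
            if x == p - 1:
                break
        else:
            return False, "composite (witness %d)" % a
    return True, "probable prime"


# Constructed sample offer: a basic encryption attribute plus a two-day lifetime,
# which needs the variable encoding because 172800 does not fit in 16 bits.
SAMPLE_OFFER = (encode_attribute(ATTR_ENCRYPTION_ALG, 5)
                + encode_attribute(ATTR_LIFE_TYPE, LIFE_TYPE_SECONDS)
                + encode_attribute(ATTR_LIFE_DURATION, (172800).to_bytes(4, "big")))

if __name__ == "__main__":
    offered = parse_attributes(SAMPLE_OFFER)
    print(offered)
    print(check_lifetime(offered, 86400))   # exceeds a one-day policy
    print(check_lifetime(offered, 604800))  # within a one-week policy
```

The lifetime check only compares against a ceiling; whether to counter with the local value or simply reject is, as the reply says, a local decision. The prime check is a sanity test, not proof of a "strong" (safe) prime; an implementation wanting that would additionally test (p-1)/2.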
