
Re: A pothole in ISAKMP/Oakley



> From dharkins@cisco.com Tue Apr 15 16:56:27 1997
> Message-Id: <199704152049.NAA10076@dharkins-ss20>
> X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
> To: pau@watson.ibm.com
> Cc: piper@cisco.com, ipsec@tis.com
> Subject: Re: A pothole in ISAKMP/Oakley
> In-Reply-To: Your message of "Tue, 15 Apr 1997 15:58:33 EDT."
>              <9704151958.AA22946@secpwr.watson.ibm.com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Tue, 15 Apr 1997 13:49:47 -0700
> From: Daniel Harkins <dharkins@cisco.com>
> Content-Length: 1036
> Status: RO
> 
>   Pau-Chen,
> 
> > This is a 2-line change to the ISAKMP-OAKLEY doc.
> > As for the code, the current doc requires the code to take the SPI value
> > from the PROPOSAL payload header when computing Quick Mode KEYMAT.
> > The proposed change requires the code to also take the "Protocol-ID"
> > value from the SAME PROPOSAL payload header when computing Quick Mode KEYMAT.
> > I don't think that is a difficult change.
> 
>   The size of the change isn't the issue, it's the merit of the change.
> Another way of looking at this is that we're changing the document to 
> accommodate incorrect implementations (monotonically increasing a counter to
> generate a SPI is probably unwise regardless of this pothole). In that light, 
> is this change meritorious?
> 
>   Personally, I'm in favor of this change but I'd like to note that the
> cement is drying on this document. If we have some consensus that this is
> really a problem that really needs to be addressed it can be changed, but
> I'd like to avoid what is becoming an even bigger problem: document creep.
> 
>   Dan.
>

Dan, I agree that document creep should be avoided, especially now.
There has been discussion on "SPI usage". It seems that there are opinions
on both sides. However, if OAKLEY adopts the change suggested in Ran's note,
OAKLEY is cryptographically more sound and can stay out of the discussion on
"SPI usage", whichever end the discussion will lead to.


Regards, Pau-Chen
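The following is an added illustration of the two-line change under discussion; it is not code from the thread, from Cisco or from IBM. It reads the Protocol-ID and SPI from the same ISAKMP Proposal payload header (RFC 2408 section 3.5) and derives Quick Mode KEYMAT both ways. The "SPI only" form is assumed to be prf(SKEYID_d, SPI | Ni_b | Nr_b), which is how the thread describes the then-current text; the "with protocol" form is prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), which is what RFC 2409 section 5.5 later specifies for the no-PFS case. Ran's note is not reproduced on this page, so the failure scenario is also an assumption: one Quick Mode negotiating an AH+ESP bundle, in which both proposals share SKEYID_d, Ni_b and Nr_b, and an implementation that runs a per-protocol SPI counter hands out the same SPI value for both (legal, since SPI spaces are per protocol). The prf choice (HMAC-SHA1), the Protocol-ID constants from the IPsec DOI (RFC 2407) and all keys, nonces and SPIs are constructed sample values.

```python
import hashlib
import hmac
import struct

# Protocol-ID values carried in the Proposal payload (IPsec DOI, RFC 2407 s4.4.1).
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def build_proposal(prop_no: int, proto_id: int, spi: bytes, transform_id: int) -> bytes:
    """Constructed ISAKMP Proposal payload (RFC 2408 s3.5):
    Next Payload | RESERVED | Payload Length | Proposal # | Protocol-ID |
    SPI Size | # of Transforms | SPI, followed here by one attribute-less
    Transform payload (enough to exercise the header parser, not a full SA)."""
    transform = struct.pack("!BBHBBH", 0, 0, 8, 1, transform_id, 0)
    length = 8 + len(spi) + len(transform)
    header = struct.pack("!BBHBBBB", 0, 0, length, prop_no, proto_id, len(spi), 1)
    return header + spi + transform


def parse_proposal_header(payload: bytes):
    """Return (Protocol-ID, SPI) taken from the SAME Proposal payload header,
    which is exactly what the proposed change asks the KEYMAT code to do."""
    if len(payload) < 8:
        raise ValueError("truncated Proposal payload header")
    _nxt, _res, length, _prop_no, proto_id, spi_size, _ntrans = struct.unpack(
        "!BBHBBBB", payload[:8])
    if length < 8 + spi_size or length > len(payload):
        raise ValueError("Proposal length does not cover the SPI")
    return proto_id, payload[8:8 + spi_size]


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 is one of the negotiable IKE prfs; chosen here for the demo.
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat_spi_only(skeyid_d: bytes, spi: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # Assumed pre-change form: the SPI is the only per-SA input.
    return prf(skeyid_d, spi + ni_b + nr_b)


def keymat_with_protocol(skeyid_d: bytes, proto_id: int, spi: bytes,
                         ni_b: bytes, nr_b: bytes) -> bytes:
    # Post-change form (RFC 2409 s5.5, no PFS): protocol | SPI | Ni_b | Nr_b.
    return prf(skeyid_d, bytes([proto_id]) + spi + ni_b + nr_b)


def derive_bundle(skeyid_d: bytes, proposals, ni_b: bytes, nr_b: bytes,
                  include_protocol: bool) -> dict:
    """Derive KEYMAT for every proposal of one Quick Mode, keyed by (proto, SPI)."""
    out = {}
    for p in proposals:
        proto_id, spi = parse_proposal_header(p)
        if include_protocol:
            k = keymat_with_protocol(skeyid_d, proto_id, spi, ni_b, nr_b)
        else:
            k = keymat_spi_only(skeyid_d, spi, ni_b, nr_b)
        out[(proto_id, spi)] = k
    return out


def has_shared_keymat(keymats: dict) -> bool:
    """True if two distinct SAs of the bundle ended up with identical keying material."""
    return len(set(keymats.values())) < len(keymats)


# Constructed sample values: one Quick Mode, one AH+ESP bundle (same Proposal #),
# and an implementation whose per-protocol SPI counters both start at 1.
SKEYID_D = bytes.fromhex("0b" * 20)
NI_B = bytes.fromhex("a1" * 16)
NR_B = bytes.fromhex("b2" * 16)
SPI_COUNTER = struct.pack("!I", 1)
BUNDLE = [
    build_proposal(1, PROTO_IPSEC_AH, SPI_COUNTER, 2),   # AH_MD5 transform
    build_proposal(1, PROTO_IPSEC_ESP, SPI_COUNTER, 3),  # ESP_3DES transform
]

if __name__ == "__main__":
    print("SPI only, keys collide:", has_shared_keymat(
        derive_bundle(SKEYID_D, BUNDLE, NI_B, NR_B, include_protocol=False)))
    print("with Protocol-ID, keys collide:", has_shared_keymat(
        derive_bundle(SKEYID_D, BUNDLE, NI_B, NR_B, include_protocol=True)))
```

With the SPI as the only per-SA input, the AH and ESP SAs of the bundle receive byte-identical KEYMAT whenever their SPIs coincide, so the same key protects two different transforms; prepending the Protocol-ID separates the two derivations without the specification having to rule on how implementations choose SPIs, which is the point made in the reply above.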