[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CBC IV generation in ISAKMP/Oakley





----------
From:  Daniel Harkins[SMTP:dharkins@cisco.com]
Sent:  Friday, April 18, 1997 11:51 AM
To:  Edward Russell
Cc:  ipsec@tis.com
Subject:  Re: CBC IV generation in ISAKMP/Oakley 

>  The IV for Quick Mode is hash(phase1-IV | message-ID). Since the message-ID
>is unique for each quick mode the IV will be different. This is the IV
>for this Quick Mode, after it's over the IV and all associated state
>goes away. The next Quick Mode has another (new and different) IV. If
>two start simultaneously they'll each have a different IV. The message-id
>in the header lets you identify the state (incl. the IV) for this particular
>exchange. The IVs are still running, there is a defined start (so each side
>has the same one) but after processing each Quick Mode packet it changes
>until the Quick Mode ends then it goes away.
>  Dan.

O.K. 
It still makes me nervous that the "running" is dependent on messages not passing in the night.
What if each side decides to send notifies simultaneously within the same Main Mode.  I guess
that goes along with what Shawn was referring to.  I almost wish the IV were the last block
of  the CURRENT message, but that's the same as sending the IV along with the message (in fact
it is).

Ed Russell
erussell@ftp.com