
Re: Please help with answer to discrepancy question



  Doug, Jim,

> > <A>
> > the figure shown in the
> > <draft-ietf-ipsec-isakmp-oakley-03.txt>, section 5.7.1 'Phase 1 using
> > Oakley Main Mode', the first collections of payloads
> > 
> > and
> > 
> > <B>
> > the figure shown in the
> > <draft-ietf-ipsec-isakmp-07.txt>, section 3.6 'Transform Payload'.
> > 
> > <A> shows the RESERVED area of the Transform Payload (not the generic
> > header RESERVED area), in both Transform 1 and 2 to be BETWEEN the
> > 'Transform #' and the 'Transform-ID' fields. In example <A>, I am
> > assuming that the 'OAKLEY' present in the field is the 'Transform-ID'. 
> > 
> > <B> shows the RESERVED2 area of the Transform Payload (not the generic
> > header RESERVED area), to be FOLLOWING the 'Transform-ID'.
> > 
> I'll give you my interpretation, but we'll need to hear the same thing
> from Dan Harkins and/or Dave Carrel (authors of the ISAKMP/Oakley
> draft). If you look at section 4.1.1 of <B> you'll see two full
> examples of the payloads. I think the drawing in <A> is leftover from
> the format in the ISAKMP-05 or -06 Internet Draft. I believe the
> agreement made between the ISAKMP, ISAKMP/Oakley, and IPSEC DOI I-D
> editors was that the Transform # field and the Transform ID field were
> together followed by the 2 octet RESERVED2 field. Again, we should hear
> from Dan Harkins and/or Dave Carrel to make sure we're in agreement.

Yes, that's right. The payload explosions in 5.7.1 of the resolution
document are incorrect. The transform payload is as Doug describes. But,
5.7.1 is incorrect for another reason, and section 4.1.1 of the base ISAKMP
draft shares this.

  Figure 6 and section 3.5 of the base ISAKMP draft show a spi-size field
which denotes the size of the *variable length* SPI. Section 4.1.1 does
not have this field and sets the SPI to 8 octets (same with 5.7.1 in the
resolution document). Section 2.4 of the base ISAKMP draft says "For
uniformity, all SPIs are 8 octets long" but this I think is a leftover from
the ISAKMP-05 or ISAKMP-06 draft which did not contain a spi-size in the 
proposal payload. Doug, is this correct? The spi is, in fact, variable and
its size is determined by the spi-size field?

> > 2) In <A> listed above in question 1), 'OAKLEY' is in the
> > 'Transform-ID' field. I have looked in <A> and <B> but I do not find the
> > transform id values listed anywhere. I also looked in the
> > <draft-ietf-ipsec-ipsec-doi-02.txt> but I don't see anything that looks
> > like a really good answer there either.
> > 
> > Question: Is the OAKLEY transform-id to use the KEY_OAKLEY (1) transform
> >           value listed in section 4.4.2 'IPSEC ISAKMP Transform Values'
> >           of the <draft-ietf-ipsec-ipsec-doi-02.txt> document?

The transform-ID for phase 1 negotiation (as defined by the resolution doc)
is the same as the protocol-- PROTO_ISAKMP from 4.4.1 of the DOI. The 
transform-IDs for other protocols are described later in the DOI under the
respective protocol description.

  Dan.
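
The layout discussed in this message, as an added example that is not part of the original e-mail or of either draft: a bounds-checked parser in which RESERVED2 follows Transform # and Transform-ID, and the SPI length is taken from the spi-size field rather than fixed at 8 octets. The function names are hypothetical, the remaining field order is assumed to be that of the published ISAKMP specification (RFC 2408), and all sample bytes are constructed.

```python
import struct

class ParseError(ValueError):
    """Raised when a length or size field is inconsistent with the buffer."""

def parse_transform(buf, off):
    # Generic header (next payload, RESERVED, length), then Transform #,
    # Transform-ID, and the 2-octet RESERVED2 that follows them.
    if len(buf) - off < 8:
        raise ParseError("truncated transform header")
    _nxt, _rsv, length, num, tid, rsv2 = struct.unpack_from("!BBHBBH", buf, off)
    if length < 8 or off + length > len(buf):
        raise ParseError("transform length out of bounds")
    attrs = bytes(buf[off + 8:off + length])  # SA attributes, left opaque here
    return {"number": num, "id": tid, "reserved2": rsv2, "attrs": attrs}, off + length

def parse_proposal(buf):
    # Generic header, then Proposal #, Protocol-ID, SPI size, # of transforms.
    if len(buf) < 8:
        raise ParseError("truncated proposal header")
    _nxt, _rsv, length, num, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", buf, 0)
    if length > len(buf) or length < 8 + spi_size:
        raise ParseError("SPI size or proposal length out of bounds")
    body = buf[:length]
    spi = bytes(body[8:8 + spi_size])  # variable length, taken from spi-size
    pos, transforms = 8 + spi_size, []
    for _ in range(n_trans):
        t, pos = parse_transform(body, pos)
        transforms.append(t)
    if pos != length:
        raise ParseError("transform count does not match proposal length")
    return {"number": num, "protocol": proto, "spi": spi, "transforms": transforms}

def build_sample(spi):
    # Constructed test input: one proposal carrying one transform.
    attrs = b"\x80\x01\x00\x01"  # constructed attribute bytes
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    header = struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(transform), 1, 1, len(spi), 1)
    return header + spi + transform

if __name__ == "__main__":
    for spi in (b"", b"\xde\xad\xbe\xef", b"\x01" * 8):
        print(parse_proposal(build_sample(spi)))
```

A parser that hard-codes an 8-octet SPI would read the first transform at the wrong offset for the first two samples; the length checks reject a spi-size or transform count that points past the proposal.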


