RE: Re[2]: ISAKMP commit and notify usage
This is the conclusion I came to when implementing the commit bit.
For phase 1 I check the exchange type; if it's not Aggressive I'll signal
Invalid flag if the commit bit is set. It didn't seem to make much
sense for Main Mode.
----
Greg Carter
Entrust Technologies
carterg@entrust.com
>----------
>From: svakil@usr.com[SMTP:svakil@usr.com]
>Sent: Wednesday, May 14, 1997 10:11 AM
>To: ipsec@tis.com
>Subject: Re[2]: ISAKMP commit and notify usage
>
> John,
> Your example fits the phase 1 aggressive exchange.
>
> From the ISAKMP + Oakley draft:
>
> Oakley Aggressive mode with signatures in conjunction with ISAKMP is
> described as follows:
>
>      Initiator                            Responder
>      -----------                          -----------
>   1. HDR, SA, KE, Ni, IDii      -->
>
>   2.                            <--   HDR, SA, KE, Nr, IDir,
>                                       [ CERT, ] SIG_R
>
>   3. HDR, [ CERT, ] SIG_I       -->
>
> In both modes, the signed data, SIG_I or SIG_R, is the result of the
> negotiated digital signature algorithm applied to HASH_I or HASH_R
> respectively.
>
> If the responder sets the Commit flag in message #2, then how is the
> Initiator going to generate message #3? In 2, the responder tells the
> initiator "Don't use the SA 'till you receive a notification from me".
> But, the initiator needs to use the signature algorithm from the SA to
> generate SIG_I in message #3. So, the initiator waits for a notify
> message from the responder to generate message #3, and the responder
> waits for message #3 from the initiator to generate the notify!!!
> Seems like I'm missing something here.
>
> Sumit A. Vakil
> Software Engineer
> Routing Consulting Engineering
> US Robotics, Access Corp.
>
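The circular wait Sumit describes, and the exchange-type check Greg applies, written out as a small simulation. This is an added example, not code from either poster's implementation; the Aggressive Mode message list and the two rules (the peer that did not set Commit may not use the SA until it gets a notify, and that notify is only sent once the exchange has completed) are taken from the thread, while the `Msg` class, `run` and `phase1_commit_check` names are my own, and `INVALID-FLAGS`/`CONNECTED` are the notify names from the ISAKMP spec.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    sender: str     # "I" = initiator, "R" = responder
    payloads: str
    uses_sa: bool   # building this message needs the negotiated SA (e.g. the SIG_* algorithm)

# Oakley Aggressive Mode with signatures, as quoted in the thread.
AGGRESSIVE = [
    Msg("I", "HDR, SA, KE, Ni, IDii", uses_sa=False),
    Msg("R", "HDR, SA, KE, Nr, IDir, [CERT,] SIG_R", uses_sa=True),
    Msg("I", "HDR, [CERT,] SIG_I", uses_sa=True),
]

def run(exchange, commit_on=None):
    """Walk the exchange in order. commit_on is the 1-based number of the message
    whose sender sets the Commit bit (None = nobody does).
    Returns ("done", trace) or ("deadlock", trace).
    Rules modelled (from the thread): the peer that did NOT set Commit must not use
    the SA until it receives a CONNECTED notify, and the Commit setter only sends
    that notify after it has received the final message of the exchange."""
    must_wait = None  # party that is blocked until CONNECTED arrives
    trace = []
    for n, m in enumerate(exchange, 1):
        if m.uses_sa and m.sender == must_wait:
            trace.append(f"{n}. {m.sender} needs the SA for {m.payloads} "
                         f"but is still waiting for CONNECTED -> circular wait")
            return "deadlock", trace
        flag = " [Commit]" if n == commit_on else ""
        trace.append(f"{n}. {m.sender}: {m.payloads}{flag}")
        if n == commit_on:
            must_wait = "R" if m.sender == "I" else "I"
    if must_wait:
        trace.append(f"{must_wait} waits for CONNECTED, sent after the final message")
    return "done", trace

def phase1_commit_check(exchange_type, commit):
    """Greg's phase 1 rule: Commit only makes sense in Aggressive Mode; any other
    exchange type with the Commit bit set is answered with INVALID-FLAGS."""
    if commit and exchange_type != "Aggressive":
        return "INVALID-FLAGS"
    return None

if __name__ == "__main__":
    outcome, trace = run(AGGRESSIVE, commit_on=2)   # responder sets Commit in #2
    print(outcome)
    print("\n".join(trace))
```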