
Re: Comments on draft-ietf-ipsec-new-auth-00.txt



  Steve,

> Nonetheless, I propose the following compromise.  Have the sender always
> transmit the AR counter, thus preserving the 8-byte AH alignment when using
> the default auth data size of 12 bytes.  Allow the receiver to determine,
> unilaterally, whether to check the AR counter, and to do so against a
> window size chosen by the receiver.  Make 32 the default window size, and
> allow for large window sizes, in multiples of 32.  However, have the
> receiver notify the sender of the selected window size (if any) as part of
> the SA negotiation.  This simplifies the negotiation since only the
> receiver needs tell the sender of the former's selected window size, but
> now the sender has specific info about the security service parameters
> employed on the SA.
> 
> This differs from the implementors' agreement only in the last detail.
> Hopefully it does not introduce significant complexity (the receiver need
> only declare a constant response if its election of AR is constant) in the
> code.

  If I understand this correctly, the initiator of the KMP can choose to 
add this attribute to his security suite offering to inform the responder of 
his AR window size. He can also choose not to send it and the default is 
assumed by the responder. Likewise, the responder can choose to send this 
attribute back describing his AR window size regardless of whether the 
initiator sent one (and the attribute value the initiator sends has no 
bearing on the value the responder sends). In other words, this is not a 
negotiable attribute; it is an informational attribute. If that understanding 
isn't correct, ignore the rest of this email but please straighten me out.

  While complexity isn't introduced, something else is. We'd always understood 
that the responder in the KMP would either accept or reject a proposed suite 
of services in its entirety and not change anything in the offer or add 
anything that wasn't in the offer. This changes that. 
  Granted, it's a simple change and a check for "didn't add anything or change
anything-- except for replay window size" is pretty easy, but I want the WG 
to realize this change is being proposed before a show of hands. IPsec SA 
negotiation takes place under the protection of the ISAKMP SA so I don't think 
this is opening up a security hole.

  In the way I understand this compromise, I'm fine with it.

  regards,

  Dan.
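
The receiver-side check discussed in this thread, as an added example that is not part of the original message or of the draft: a sliding anti-replay window whose size the receiver picks unilaterally as a multiple of 32 (default 32). The names `ar_window`, `ar_init`, `ar_put` and `ar_check_update`, the 256-entry cap, and the assumptions that the AR counter is 32 bits wide and starts at 1 are hypothetical and do not come from the thread.

```c
#include <stdint.h>
#include <string.h>

#define AR_MAX_WORDS 8           /* assumed cap: window of at most 256 */

struct ar_window {
    uint32_t size;               /* receiver-chosen, multiple of 32 */
    uint32_t last;               /* highest counter accepted so far */
    uint32_t bits[AR_MAX_WORDS]; /* ring bitmap indexed by seq % size */
};

/* Returns 0 on success, -1 unless size is a nonzero multiple of 32 within the cap. */
int ar_init(struct ar_window *w, uint32_t size)
{
    if (size == 0 || size % 32 != 0 || size / 32 > AR_MAX_WORDS)
        return -1;
    memset(w, 0, sizeof *w);
    w->size = size;
    return 0;
}

/* Set or clear the ring-bitmap bit that belongs to counter value seq. */
static void ar_put(struct ar_window *w, uint32_t seq, int on)
{
    uint32_t i = seq % w->size, m = 1u << (i % 32);
    if (on) w->bits[i / 32] |= m; else w->bits[i / 32] &= ~m;
}

/* Call only after the packet's auth data has verified, so that a forged
   counter cannot move the window. Returns 1 to accept, 0 to drop. */
int ar_check_update(struct ar_window *w, uint32_t seq)
{
    uint32_t i = seq % w->size;
    if (seq == 0) return 0;                  /* assumption: sender starts at 1 */
    if (seq > w->last) {                     /* right of window: slide forward */
        if (seq - w->last >= w->size)
            memset(w->bits, 0, sizeof w->bits);
        else
            for (uint32_t s = w->last + 1; s < seq; s++) ar_put(w, s, 0);
        ar_put(w, seq, 1);
        w->last = seq;
        return 1;
    }
    if (w->last - seq >= w->size) return 0;           /* left of window: too old */
    if ((w->bits[i / 32] >> (i % 32)) & 1u) return 0; /* already seen: replay */
    ar_put(w, seq, 1);
    return 1;
}
```

Because the sender always transmits the counter, a receiver that elects not to check AR simply never calls `ar_check_update`; the window size it does choose is what it would report to the sender during SA negotiation.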


