
Re: Re[2]: ISAKMP commit and notify usage



> >This is the conclusion I came to when implementing the commit bit.
> >For phase 1 I check for exchange type, if it's not Aggressive I'll signal
> >Invalid flag if the commit bit is set.  It didn't seem to make much
> >sense for Main Mode.
> >----
> 
> I do not see anything in the ISAKMP spec which limits the use of the commit
> bit to the aggressive mode. Granted this may have been the driving reason
> for the commit.

I witnessed the birth of the commit bit and its driving reason was for
phase 2 exchanges (Quick Mode). Period.

> I would like to allow the general use of the commit bit by initiator or
> responder in any mode. This allows support for security policies and
> implementations (e.g. multicast) which may require ISAKMP to access another
> machine prior to allowing encrypted traffic to flow.

How (and why!) would you use this bit in a phase 1 exchange? How does 
multicast change anything? Phase 1 merely establishes the ISAKMP peer-to-peer
communication channel. I don't see the point in using the commit bit there.

  Dan.
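An added example, not code from this thread or from either poster's implementation: the phase 1 check the first quoted poster describes, written in C over a raw ISAKMP header. The header layout, the flag bits, the exchange-type numbers and the INVALID-FLAGS notify type are taken from RFC 2408 and RFC 2409; the acceptance policy itself (commit bit rejected in Main Mode, accepted in Aggressive Mode and Quick Mode) is the poster's rule, not a requirement of the spec. The headers fed to the check are constructed by a helper, not captured from a peer, and the function names are assumptions.

```c
/* Commit-bit policy check on a raw ISAKMP header (added example).
 * Layout and constants: RFC 2408 section 3.1 / 3.14.1, RFC 2409 section 3.2. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN 28

/* Flags octet: bit 0 Encryption, bit 1 Commit, bit 2 Authentication Only. */
#define ISAKMP_FLAG_ENCRYPTION 0x01
#define ISAKMP_FLAG_COMMIT     0x02
#define ISAKMP_FLAG_AUTH_ONLY  0x04

/* Exchange types: 1-5 from RFC 2408, 32 and 33 from RFC 2409 (IKE). */
#define EXCH_BASE        1
#define EXCH_ID_PROT     2   /* Main Mode (phase 1) */
#define EXCH_AUTH_ONLY   3
#define EXCH_AGGRESSIVE  4   /* Aggressive Mode (phase 1) */
#define EXCH_INFO        5
#define EXCH_QUICK      32   /* Quick Mode (phase 2) */
#define EXCH_NEW_GROUP  33

#define NOTIFY_INVALID_FLAGS 8   /* Notify message type INVALID-FLAGS */

struct isakmp_hdr {
    uint8_t  icookie[8];
    uint8_t  rcookie[8];
    uint8_t  next_payload;
    uint8_t  version;        /* major nibble high, minor nibble low */
    uint8_t  exchange_type;
    uint8_t  flags;
    uint32_t message_id;     /* converted to host order */
    uint32_t length;         /* converted to host order */
};

enum commit_verdict {
    COMMIT_MALFORMED,            /* header truncated or bad Length field */
    COMMIT_NOT_SET,              /* commit bit clear: nothing to do */
    COMMIT_ACCEPT,               /* commit bit set and allowed here */
    COMMIT_REJECT_INVALID_FLAGS  /* answer with INVALID-FLAGS and drop */
};

/* Parse the fixed 28-octet header; 0 on success, -1 if too short or if the
 * Length field claims less than the header itself. */
int isakmp_parse_hdr(const uint8_t *buf, size_t len, struct isakmp_hdr *h)
{
    if (buf == NULL || h == NULL || len < ISAKMP_HDR_LEN)
        return -1;
    memcpy(h->icookie, buf, 8);
    memcpy(h->rcookie, buf + 8, 8);
    h->next_payload  = buf[16];
    h->version       = buf[17];
    h->exchange_type = buf[18];
    h->flags         = buf[19];
    h->message_id = ((uint32_t)buf[20] << 24) | ((uint32_t)buf[21] << 16) |
                    ((uint32_t)buf[22] << 8)  |  (uint32_t)buf[23];
    h->length     = ((uint32_t)buf[24] << 24) | ((uint32_t)buf[25] << 16) |
                    ((uint32_t)buf[26] << 8)  |  (uint32_t)buf[27];
    return h->length < ISAKMP_HDR_LEN ? -1 : 0;
}

/* The quoted poster's policy: commit bit in phase 1 only with Aggressive
 * Mode, always fine in Quick Mode, INVALID-FLAGS for any other exchange. */
enum commit_verdict isakmp_check_commit(const struct isakmp_hdr *h)
{
    if ((h->flags & ISAKMP_FLAG_COMMIT) == 0)
        return COMMIT_NOT_SET;
    switch (h->exchange_type) {
    case EXCH_AGGRESSIVE:
    case EXCH_QUICK:
        return COMMIT_ACCEPT;
    default:
        return COMMIT_REJECT_INVALID_FLAGS;
    }
}

/* Constructed header (not a capture): zero cookies except a placeholder
 * initiator cookie, next payload SA, version 1.0, length = header only. */
void isakmp_make_hdr(uint8_t out[ISAKMP_HDR_LEN], uint8_t exchange_type, uint8_t flags)
{
    memset(out, 0, ISAKMP_HDR_LEN);
    memset(out, 0xAB, 8);
    out[16] = 1;
    out[17] = 0x10;
    out[18] = exchange_type;
    out[19] = flags;
    out[27] = ISAKMP_HDR_LEN;
}

/* Build a header with the given type/flags, truncate it to `len` octets,
 * parse and check it; used by main() and by tests. */
enum commit_verdict check_constructed(uint8_t exchange_type, uint8_t flags, size_t len)
{
    uint8_t buf[ISAKMP_HDR_LEN];
    struct isakmp_hdr h;
    isakmp_make_hdr(buf, exchange_type, flags);
    if (len > sizeof buf) len = sizeof buf;
    if (isakmp_parse_hdr(buf, len, &h) != 0)
        return COMMIT_MALFORMED;
    return isakmp_check_commit(&h);
}

int main(void)
{
    static const char *names[] = { "malformed", "not set", "accept", "reject (INVALID-FLAGS)" };
    printf("Main Mode + commit:  %s\n", names[check_constructed(EXCH_ID_PROT, ISAKMP_FLAG_COMMIT, ISAKMP_HDR_LEN)]);
    printf("Aggressive + commit: %s\n", names[check_constructed(EXCH_AGGRESSIVE, ISAKMP_FLAG_COMMIT, ISAKMP_HDR_LEN)]);
    printf("Quick Mode + E + C:  %s\n", names[check_constructed(EXCH_QUICK, ISAKMP_FLAG_ENCRYPTION | ISAKMP_FLAG_COMMIT, ISAKMP_HDR_LEN)]);
    printf("Truncated header:    %s\n", names[check_constructed(EXCH_QUICK, ISAKMP_FLAG_COMMIT, 20)]);
    return 0;
}
```

A truncated header is reported as a distinct verdict rather than folded into the INVALID-FLAGS case, so a short datagram never gets a notify built from fields that were never parsed.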


