
Re: Re[2]: ISAKMP commit and notify usage

At 8:33 AM 5/15/97, Daniel Harkins wrote:

>How (and why!) would you use this bit in a phase 1 exchange? How does
>multicast change anything? Phase 1 merely establishes the ISAKMP peer-to-peer
>communication channel. I don't see the point in using the commit bit there.

I was not clear. I agree that the commit bit is used to hold off phase 2
exchanges. Using commit to hold off part of a phase 1 exchange does not
make sense.

Greg wrote:
>This is the conclusion I came to when implementing the commit bit.
>For phase 1 I check for exchange type, if its not Aggressive I'll signal
>Invalid flag if the commit bit is set.  It didn't seem to make much
>sense for Main Mode.

Greg implied that commit was only valid in aggressive mode and I am saying
that there may be other times when the commit bit could be used.

I gave multicast as an example of when commit *might* be used. I have not
seen any multicast, IPSEC/ISAKMP systems yet so I do not want to take away
a tool which might be useful to them. Here is a hypothetical situation
which does not involve multicast. Imagine someone behind a firewall
establishing a SA from their desktop to a remote server.

1. Their workstation does the ISAKMP exchange with the remote server to
establish the AH and ESP keys. The firewall would allow ISAKMP exchanges
through because it could perform some filtering.

2. Their workstation passes the AH (but not ESP) key to the firewall so the
firewall can authenticate packets before letting them pass.

3. The server and workstation begin exchanging IPSEC (AH and ESP) protected
traffic. The firewall allows authenticated AH packets to bypass the
remaining firewall filters.

In this case I would use the commit bit to hold off IPSEC traffic until I
had the AH key in place in the firewall.

I hope this reduces the confusion.

Tom Markham                         markham@securecomputing.com
Secure Computing Corporation        Phone (612) 628-2754
2675 Long Lake Road                 Fax: (612) 628-2701
Roseville, MN 55113                 www.securecomputing.com
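Editor's added example (not part of the thread above, and not code from any of the posters): a short Python model of the Commit bit semantics in RFC 2408 section 3.1, applied to the three-step firewall scenario in the message. A peer that saw the Commit bit set during the phase 2 exchange must not treat the new SA as usable until an Informational exchange carrying a CONNECTED Notify arrives. The ISAKMP header layout, the flag bit, the exchange-type numbers and the CONNECTED value are the RFC 2408/2409 ones; the cookies, message ID, SPI, AH key and the firewall's key table are constructed for this example and stand in for whatever workstation-to-firewall interface a real deployment would use.

```python
"""Model of the ISAKMP Commit bit (RFC 2408 s.3.1) in the firewall scenario.

Constructed example: cookies, SPI, AH key and the firewall key table are
placeholders, not a real implementation's interface.
"""
import struct

ISAKMP_VERSION = 0x10       # major 1, minor 0
FLAG_ENCRYPTION = 0x01      # Flags field, bit 0
FLAG_COMMIT = 0x02          # Flags field, bit 1: the bit under discussion
EXCH_INFORMATIONAL = 5      # RFC 2408 exchange type
EXCH_QUICK_MODE = 32        # IKE phase 2 exchange type (RFC 2409)
PAYLOAD_NONE = 0
PAYLOAD_NOTIFICATION = 11
NOTIFY_CONNECTED = 16384    # RFC 2408 s.3.14.1 status notify type
IPSEC_DOI = 1
PROTO_ISAKMP = 1
HDR_FMT = "!8s8sBBBBII"     # fixed 28-byte ISAKMP header
HDR_LEN = struct.calcsize(HDR_FMT)
NOTIFY_FMT = "!BBHIBBH"     # Notification payload, fixed 12-byte part (SPI size 0)


def isakmp_header(icookie, rcookie, next_payload, exch_type, flags, msg_id, length):
    """Serialize the ISAKMP header; `flags` may carry FLAG_COMMIT."""
    return struct.pack(HDR_FMT, icookie, rcookie, next_payload,
                       ISAKMP_VERSION, exch_type, flags, msg_id, length)


def parse_header(msg):
    names = ("icookie", "rcookie", "next_payload", "version",
             "exch_type", "flags", "msg_id", "length")
    return dict(zip(names, struct.unpack(HDR_FMT, msg[:HDR_LEN])))


def connected_notify(icookie, rcookie, msg_id):
    """Informational exchange whose only payload is a CONNECTED Notify."""
    notify = struct.pack(NOTIFY_FMT, PAYLOAD_NONE, 0, struct.calcsize(NOTIFY_FMT),
                         IPSEC_DOI, PROTO_ISAKMP, 0, NOTIFY_CONNECTED)
    hdr = isakmp_header(icookie, rcookie, PAYLOAD_NOTIFICATION, EXCH_INFORMATIONAL,
                        0, msg_id, HDR_LEN + len(notify))
    return hdr + notify


def parse_notify_type(msg):
    """Return the Notify Message Type of an Informational message, else None."""
    hdr = parse_header(msg)
    if hdr["exch_type"] != EXCH_INFORMATIONAL or hdr["next_payload"] != PAYLOAD_NOTIFICATION:
        return None
    fields = struct.unpack(NOTIFY_FMT, msg[HDR_LEN:HDR_LEN + struct.calcsize(NOTIFY_FMT)])
    return fields[6]


class Phase2Peer:
    """One phase 2 SA: 'pending' while a Commit-bit hold is in effect."""

    def __init__(self):
        self.state = "none"

    def on_quick_mode_complete(self, final_msg):
        hdr = parse_header(final_msg)
        if hdr["exch_type"] != EXCH_QUICK_MODE:
            raise ValueError("not a phase 2 exchange")
        # Commit bit set by either side: do not use the SA until CONNECTED arrives.
        self.state = "pending" if hdr["flags"] & FLAG_COMMIT else "established"
        return self.state

    def on_informational(self, msg):
        if self.state == "pending" and parse_notify_type(msg) == NOTIFY_CONNECTED:
            self.state = "established"
        return self.state

    def may_send_protected(self):
        return self.state == "established"


def firewall_scenario(use_commit_bit):
    """Tom's three steps; returns the fate of the server's send attempts."""
    icookie, rcookie, msg_id, spi = b"\x01" * 8, b"\x02" * 8, 0x1234, 0x10000001  # constructed
    ah_key = b"constructed-ah-key"
    server = Phase2Peer()
    firewall_ah_keys = {}   # constructed stand-in for the firewall's AH key table

    def server_sends():
        if not server.may_send_protected():
            return "held"                      # Commit-bit hold in effect
        return "passed" if spi in firewall_ah_keys else "dropped"

    flags = FLAG_ENCRYPTION | (FLAG_COMMIT if use_commit_bit else 0)
    # 1. Quick Mode completes; the workstation set the flags in its final message.
    server.on_quick_mode_complete(isakmp_header(icookie, rcookie, PAYLOAD_NONE,
                                                EXCH_QUICK_MODE, flags, msg_id, HDR_LEN))
    outcomes = [server_sends()]                # server eager to send right away
    # 2. Workstation hands the AH key to the firewall.
    firewall_ah_keys[spi] = ah_key
    # 3. Workstation releases the hold with CONNECTED; protected traffic flows.
    server.on_informational(connected_notify(icookie, rcookie, msg_id))
    outcomes.append(server_sends())
    return outcomes


if __name__ == "__main__":
    print("commit bit set:  ", firewall_scenario(True))
    print("commit bit clear:", firewall_scenario(False))
```

With the Commit bit set, the server's first attempt to send is held until the workstation's CONNECTED notify, by which time the AH key is in the firewall; with it clear, the server sends as soon as Quick Mode completes and the firewall drops the packet because it has no AH key for that SPI yet.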
