Re: Re[2]: ISAKMP commit and notify usage
>>>>> "Tom" == Tom Markham <Tom_Markham@securecomputing.com> writes:
Tom> Greg implied that commit was only valid in aggressive mode and
Tom> I am saying that there may be other times when the commit bit
Tom> could be used.
I don't agree that your scenario is reasonable. I have no opinion
about the commit bit though.
Tom> I gave multicast as an example of when commit *might* be
Tom> used. I have not seen any multicast, IPSEC/ISAKMP systems yet
Tom> so I do not want to take away a tool which might be useful to
Tom> them. Here is a hypothetical situation which does not involve
Tom> multicast. Imagine someone behind a firewall establishing a
Tom> SA from their desktop to a remote server.
Tom> 1. Their workstation does the ISAKMP exchange with the remote
Tom> server to establish the AH and ESP keys. The firewall would
Tom> allow ISAKMP exchanges through because it could perform some
Tom> filtering.
Tom> 2. Their workstation passes the AH (but not ESP) key to the
Tom> firewall so the firewall can authenticate packets before
Tom> letting them pass.
How do you pass the key to the firewall? Write that spec, then let's
talk about the commit bit :-)
:!mcr!:            | Network security consulting and
Michael Richardson | contract programming
WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html (mcr@sandelman.ottawa.on.ca). PGP key available.