ISAKMP Oakley resolution and ipsec doi document questions

1. The ISAKMP/OAKLEY document specifies

  Quick Mode is defined as follows:

        Initiator                        Responder
       -----------                      -----------
        HDR*, HASH(1), SA, Ni
          [, KE ] [, IDui, IDur ] -->
                                  <--    HDR*, HASH(2), SA, Nr
                                               [, KE ] [, IDui, IDur ]
        HDR*, HASH(3)             -->

Does this mean that either both IDui and IDur must be specified,
or neither? Or was it the author's intention to specify

        Initiator                        Responder
       -----------                      -----------
        HDR*, HASH(1), SA, Ni
          [, KE ] [, IDui][, IDur ] -->
                                  <--    HDR*, HASH(2), SA, Nr
                                               [, KE ] [, IDui][, IDur ]
        HDR*, HASH(3)             -->

So that one or both of IDui and IDur can be specified.
Basically, I am curious how the initiator will know
the identity IDur if the receiver is a proxy.

2. In the DOI document, whose port number is specified in
the identification payload? (initiator or receiver?)
The protocol ID and port are also in the field marked
reserved in the ISAKMP document. Is this intentional?
In my view, this should be consistent.

3. draft-ietf-ipsec-isakmp-oakley-03.txt:
   The introduction states:

   This draft combines ISAKMP and Oakley. The purpose is to negotiate,
   and provide authenticated keying material for, security associations
   in a protected manner.

Since this document is only applicable (to the best of my understanding)
to peer-to-peer communication (and not multicast), it may be a good idea to
specify that clearly.
-------------------------------------------
Baiju V. Patel,                503 264 2422  
Internet Security Architect
Intel Architecture Labs
JF3-206
2111 N.E. 25th Avenue
Hillsboro, OR 97124
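The ambiguity raised in question 1, as an added illustration that is not part of the original message: a constructed Python checker for the payload chain of the first Quick Mode message under the two readings of the draft's bracket notation (the "strict" reading `[, IDui, IDur]` and the "relaxed" reading `[, IDui][, IDur]`). The payload names are the draft's own; the reading labels and the sample chains are assumptions made for this example.

```python
"""Quick Mode message-1 payload-chain checker (constructed example).

Two readings of the draft's notation for the optional identities:
  strict  : [, IDui, IDur]   -> both identities or neither
  relaxed : [, IDui][, IDur] -> each identity independently optional
The reading names are labels chosen for this example, not the draft's.
"""
from itertools import product

# Fixed prefix of the first Quick Mode message, in the order the draft shows.
QM1_PREFIX = ("HDR*", "HASH(1)", "SA", "Ni")


def allowed_suffixes(reading):
    """Return the set of legal optional-payload tails for a reading."""
    if reading == "strict":
        id_opts = [(), ("IDui", "IDur")]
    elif reading == "relaxed":
        id_opts = [(), ("IDui",), ("IDur",), ("IDui", "IDur")]
    else:
        raise ValueError("unknown reading: %r" % reading)
    # KE is optional under both readings and precedes the identities.
    return {ke + ids for ke, ids in product([(), ("KE",)], id_opts)}


def validate_qm1(payloads, reading):
    """True if the chain is a legal Quick Mode message 1 under the reading."""
    chain = tuple(payloads)
    if chain[:len(QM1_PREFIX)] != QM1_PREFIX:
        return False
    return chain[len(QM1_PREFIX):] in allowed_suffixes(reading)


def classify(payloads):
    """Report which readings accept a chain; a split verdict is the ambiguity."""
    return {r: validate_qm1(payloads, r) for r in ("strict", "relaxed")}


if __name__ == "__main__":
    # Constructed sample chains. The IDui-only case is the one the question
    # points at: an initiator that knows its own identity but not the proxy's.
    for chain in (["HDR*", "HASH(1)", "SA", "Ni"],
                  ["HDR*", "HASH(1)", "SA", "Ni", "KE", "IDui", "IDur"],
                  ["HDR*", "HASH(1)", "SA", "Ni", "IDui"],
                  ["HDR*", "HASH(1)", "SA", "Ni", "IDur", "IDui"]):
        print(chain, classify(chain))
```

A receiver that implements the strict reading rejects a message carrying only IDui, while one implementing the relaxed reading accepts it; the two implementations would not interoperate on exactly the proxy case the question describes.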