
RE: ISAKMP Oakley resolution and ipsec doi document questions



Baiju Patel (baiju@ideal.jf.intel.com) said on 6/13/97 at 8:11 AM
>
>1. The ISAKMP/OAKLEY document specifies
>
>  Quick Mode is defined as follows:
>
>        Initiator                        Responder
>       -----------                      -----------
>        HDR*, HASH(1), SA, Ni
>          [, KE ] [, IDui, IDur ] -->
>                                  <--    HDR*, HASH(2), SA, Nr
>                                               [, KE ] [, IDui, IDur ]
>        HDR*, HASH(3)             -->
>
>Does this mean that either both IDui and IDur must be specified 
>or none? Or was it the author's intention to specify
>
>
>        Initiator                        Responder
>       -----------                      -----------
>        HDR*, HASH(1), SA, Ni
>          [, KE ] [, IDui][,IDur ] -->
>                                  <--    HDR*, HASH(2), SA, Nr
>                                               [, KE ] [, IDui][, IDur ]
>        HDR*, HASH(3)             -->
>So that one or both IDui and IDur can be specified. 
>Basically, I am curious on how will the initiator know
>the identity IDur if receiver is a proxy.

I believe the assumption is you must specify both or neither.
The initiator should know the IDur identity even if the receiver
(isakmp peer) is a proxy because the initiator presumably knows
who he wants to ultimately connect to.  It is up to the initiator to tell the
responder who the ultimate destination (IDur) is going to be and therefore
who this SA is going to be used for.

>
>2. In the DOI document, whose port number is specified in
>the identification payload? (initiator or receiver?)
>The protocol ID and port are also in the field marked
>reserved in the ISAKMP document. Is this intentional?
>In my view, this should be consistent.

The port is 500 for sending
The port is 500 for receiving
The port is 500 ONLY.
I believe this came out of Memphis.

>
>3. draft-ietf-ipsec-isakmp-oakley-03.txt:
>   The introduction states:
>This draft combines ISAKMP and Oakley. The purpose is to negotiate,
>   and provide authenticated keying material for, security associations
>   in a protected manner.
>
>Since this document is only applicable (to best of my understanding)
>to peer to peer communication (and not multicast), it may be a good idea to
> specify that clearly.


Edward Russell
erussell@ftp.com
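An added model of the Quick Mode exchange quoted above, written here for illustration and not taken from the thread or from any draft. It enforces the "both or neither" reading of IDui/IDur given in the reply and has the responder echo back the identities the initiator supplied. The HASH(1)/HASH(2)/HASH(3) inputs are assumed to follow the RFC 2409 definitions with HMAC-SHA1 as the prf (draft-03 may differ), and every key, nonce and payload value is constructed.

```python
import hashlib
import hmac

# Constructed model, not code from any IKE implementation. HASH(1..3) inputs
# follow RFC 2409 (assumption); prf is assumed to be HMAC-SHA1.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def check_ids(idui, idur):
    """The reply's reading of the bracketing: IDui and IDur together or not at all."""
    if (idui is None) != (idur is None):
        raise ValueError("IDui and IDur must be specified together or not at all")

def qm1(skeyid_a, mid, sa, ni, ke=None, idui=None, idur=None):
    """Initiator: HDR*, HASH(1), SA, Ni [, KE] [, IDui, IDur]."""
    check_ids(idui, idur)
    opt = (ke or b"") + (idui or b"") + (idur or b"")
    return {"hash": prf(skeyid_a, mid + sa + ni + opt), "sa": sa, "ni": ni,
            "ke": ke, "idui": idui, "idur": idur}

def qm2(skeyid_a, mid, m1, sa, nr, ke=None):
    """Responder: verify HASH(1), then answer with the identities it was told."""
    check_ids(m1["idui"], m1["idur"])
    opt1 = (m1["ke"] or b"") + (m1["idui"] or b"") + (m1["idur"] or b"")
    if not hmac.compare_digest(m1["hash"], prf(skeyid_a, mid + m1["sa"] + m1["ni"] + opt1)):
        raise ValueError("HASH(1) mismatch")
    opt = (ke or b"") + (m1["idui"] or b"") + (m1["idur"] or b"")
    return {"hash": prf(skeyid_a, mid + m1["ni"] + sa + nr + opt), "sa": sa, "nr": nr,
            "ke": ke, "idui": m1["idui"], "idur": m1["idur"]}

def qm3(skeyid_a, mid, m1, m2):
    """Initiator: check the responder kept the same identities, verify HASH(2), emit HASH(3)."""
    if m2["idui"] != m1["idui"] or m2["idur"] != m1["idur"]:
        raise ValueError("responder changed the identities")
    opt = (m2["ke"] or b"") + (m2["idui"] or b"") + (m2["idur"] or b"")
    if not hmac.compare_digest(m2["hash"], prf(skeyid_a, mid + m1["ni"] + m2["sa"] + m2["nr"] + opt)):
        raise ValueError("HASH(2) mismatch")
    return prf(skeyid_a, b"\x00" + mid + m1["ni"] + m2["nr"])

def run_exchange(idui=None, idur=None):
    """Drive all three messages with constructed values; True if HASH(3) verifies."""
    skeyid_a, mid = b"k" * 20, b"\x00\x00\x00\x01"   # constructed SKEYID_a and message ID
    m1 = qm1(skeyid_a, mid, b"SA-proposal", b"Ni-bytes", idui=idui, idur=idur)
    m2 = qm2(skeyid_a, mid, m1, b"SA-chosen", b"Nr-bytes")
    h3 = qm3(skeyid_a, mid, m1, m2)
    return hmac.compare_digest(h3, prf(skeyid_a, b"\x00" + mid + m1["ni"] + m2["nr"]))
```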
