
Re: ISAKMP SA negotiation



On Wed, 2 Jul 1997 05:07:17 +0000 "Elfed T. Weaver" <weaver@hydra.dra.hmg.gb> wrote:
> On Tue, 01 Jul 1997 08:03:46 -0700, Daniel Harkins <dharkins@cisco.com> wrote:
> > That might be what you'd do but my implementation chooses P2. In the
> > example, B has his own policy priority settings; he wants P2 over P1.
> > In fact, if A offered P1, P2, P3, P4 and B wanted P4, P2, P1, P3, B
> > would select P4. I never let someone else override my local policy. It
> > was set like that for a reason.
> 
> The above begs the question of who we believe the owner of the SA 
> is and why they should be considered as the owner.  
> 
> Scenario:
> 
> An initiator's policy may require the initiator to dictate the 
> confidentiality and integrity services applied to its messages - 
> therefore the initiator should have its prioritisation respected.
> 
> On the other hand the responder may want to dictate the 
> authentication service on the message it will receive from the 
> initiator then its policy dictates that it honours its prioritisation 
> list.
> 
> Since both initiator and responder policies agree that both SAs are 
> acceptable, do we have a problem?

The problem with this is that the responder may want to enforce 
confidentiality on all messages in or out, regardless of the 
initiator's preferences.  Similarly for initiators and integrity.  It's 
not that hard to envision situations where this is the case.

If I'm offered a list of policies, I'm going to pick whichever one is
most acceptable to my site, since, by offering me a list instead of
a single choice, my peer has indicated that any of the offered choices
are acceptable.

If my list of policies was [P4,P2,P1,P3], the only time I would ever
choose a policy other than P4 is if the other side didn't offer P4.

Kevin Brock
<brock@netmanage.com>
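As an added illustration of the selection rule discussed in this thread (example code, not from any of the posters): the responder walks its own ordered preference list and takes the first proposal the initiator offered that also meets the responder's mandatory requirements, so the peer's ordering never overrides local policy. The proposal names and the per-proposal service flags are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    """Constructed stand-in for one ISAKMP proposal: a name plus the
    protection services its transforms would provide."""
    name: str
    confidentiality: bool  # an encryption transform is present
    integrity: bool        # an authentication (HMAC) transform is present


@dataclass
class LocalPolicy:
    """Responder's local policy: our preference order plus hard requirements."""
    preference: Sequence[str]          # proposal names, most preferred first
    require_confidentiality: bool = False
    require_integrity: bool = False

    def acceptable(self, p: Proposal) -> bool:
        if self.require_confidentiality and not p.confidentiality:
            return False
        if self.require_integrity and not p.integrity:
            return False
        return p.name in self.preference


def select_proposal(offered: Sequence[Proposal],
                    policy: LocalPolicy) -> Optional[Proposal]:
    """Pick by OUR priority: first entry of our list that the peer offered
    and that passes our mandatory checks. None means no acceptable overlap,
    so the negotiation fails instead of adopting the initiator's ordering."""
    by_name = {p.name: p for p in offered}
    for name in policy.preference:
        p = by_name.get(name)
        if p is not None and policy.acceptable(p):
            return p
    return None


# Constructed proposals; P4 deliberately lacks confidentiality.
P1 = Proposal("P1", confidentiality=True, integrity=False)
P2 = Proposal("P2", confidentiality=True, integrity=True)
P3 = Proposal("P3", confidentiality=False, integrity=True)
P4 = Proposal("P4", confidentiality=False, integrity=True)

# B's preference from the thread: P4, P2, P1, P3
B_POLICY = LocalPolicy(preference=["P4", "P2", "P1", "P3"])
B_STRICT = LocalPolicy(preference=["P4", "P2", "P1", "P3"],
                       require_confidentiality=True)
```

With A offering P1..P4, `select_proposal` returns P4 under `B_POLICY`; if A omits P4, or if B requires confidentiality on every SA, the choice falls through to P2.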
