
ISAKMP Notification with an SA for Lifetimes
I want to object in strongest terms to the introduction in the IP DOI
ver-04 of the prescription that ISAKMP parties can send a Notification
which includes an SA giving the new lifetime.

Various alternatives were offered on the list when this was discussed, and
I don't remember anything like agreement on this one; other alternatives
than this one would probably produce minor alteration or none in people's
code:

  o Minor: permit responder to return a reduced lifetime; success of the
    SA setup means unambiguously that both sides accept it; OR,

  o None: Make no provisions in the protocol; lifetime can be enforced
    unilaterally anyhow, and one is always allowed to send a Delete (I
    expect some people do this in any case).

The prescribed one is a substantial change by contrast.  How did this come
about?  This is no time to be introducing new functionality of this
magnitude into these drafts when there is not an overriding justification.

Implementation effort is not the only point; the change is also incomplete;
see below; now the draft is further de-stabilized.

Reminder to all: if it's in the DOI, implementors are required to support
receiving it, unless it is explicitly stated otherwise with words like
"only by mutual agreement between the parties".  Support requires minimally:

  o add the new Notify code;

  o accept an SPI size of 8 and don't reject it (this is different from
    the treatment of other Notifies directed at a Phase II SA);

  o do not abort the established SA upon this Notify type.

This prescription doesn't address the issue for the Phase I SA, which it
must.  Remember, the IP DOI is not restricted to Phase II activities.

Summary: can't we take this back out?


- John Burke, Cylink
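The three receiver requirements listed in the message (recognise the new Notify code, accept an SPI size of 8 for it alone, and leave the established SA up) can be made concrete as input validation on the ISAKMP Notification payload. The following is an added example written for this archive page; it is not code from the message's author, from Cylink, or from any DOI draft. It assumes the RFC 2408 Notification payload layout and uses a constructed placeholder for the lifetime Notify code, since the message does not give the draft's code point; the lifetime data is returned raw rather than parsed as an SA payload.

```python
import struct

# ISAKMP Notification payload (RFC 2408 section 3.14): generic header
# (Next Payload, RESERVED, Payload Length) followed by
# DOI(4) | Protocol-ID(1) | SPI Size(1) | Notify Message Type(2) | SPI | Notification Data
NOTIFY_HDR = struct.Struct("!BBHIBBH")   # 12 fixed bytes

DOI_IPSEC = 1
PROTO_ISAKMP = 1          # Protocol-ID of the Phase I (ISAKMP) SA
PROTO_IPSEC_ESP = 3       # one Phase II protocol id, used for the sample input
IPSEC_SPI_LEN = 4         # an IPsec SPI is 32 bits
LIFETIME_SPI_LEN = 8      # the SPI size the message says the draft prescribes

# Placeholder: the draft's code point for the lifetime Notify is not given in
# the message, so this value is a constructed assumption for the demo only.
NOTIFY_SA_LIFETIME_PLACEHOLDER = 0x6000


class NotifyError(ValueError):
    """Raised when a Notify payload is malformed or not acceptable."""


def build_notify(proto_id, ntype, spi, data=b"", doi=DOI_IPSEC):
    """Encode a Notification payload; used here only to construct sample input."""
    body = spi + data
    length = NOTIFY_HDR.size + len(body)
    return NOTIFY_HDR.pack(0, 0, length, doi, proto_id, len(spi), ntype) + body


def parse_notify(payload):
    """Decode and length-check a Notification payload into a dict of fields."""
    if len(payload) < NOTIFY_HDR.size:
        raise NotifyError("payload shorter than the fixed Notify header")
    _next, _res, length, doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length != len(payload):
        raise NotifyError("Payload Length does not match the bytes received")
    spi_end = NOTIFY_HDR.size + spi_size
    if spi_end > length:
        raise NotifyError("SPI Size runs past the end of the payload")
    return {"doi": doi, "proto": proto, "spi_size": spi_size, "type": ntype,
            "spi": payload[NOTIFY_HDR.size:spi_end], "data": payload[spi_end:]}


def handle_notify(payload, lifetime_supported=True):
    """Decide what a receiver does with a Notify directed at a Phase II SA.

    Returns ("update_lifetime", spi, data) for the lifetime Notify carrying the
    8-byte SPI (the SA stays established), or ("sa_notify", spi, data) for any
    other Phase II Notify, which must carry the usual 4-byte IPsec SPI.
    """
    n = parse_notify(payload)
    if n["doi"] != DOI_IPSEC:
        raise NotifyError("not an IP DOI Notify")
    if n["type"] == NOTIFY_SA_LIFETIME_PLACEHOLDER:
        if n["proto"] == PROTO_ISAKMP:
            # The message's complaint: the prescription says nothing about the
            # Phase I SA, so there is no defined behaviour to implement here.
            raise NotifyError("lifetime Notify for the Phase I SA is unspecified")
        if not lifetime_supported:
            raise NotifyError("lifetime Notify not enabled by mutual agreement")
        if n["spi_size"] != LIFETIME_SPI_LEN:
            raise NotifyError("lifetime Notify needs SPI Size 8, got %d" % n["spi_size"])
        return ("update_lifetime", n["spi"], n["data"])
    if n["proto"] == PROTO_ISAKMP:
        raise NotifyError("Phase I Notifies are outside this example")
    if n["spi_size"] != IPSEC_SPI_LEN:
        raise NotifyError("Phase II Notify needs SPI Size 4, got %d" % n["spi_size"])
    return ("sa_notify", n["spi"], n["data"])


def rejected(payload, **kw):
    """True if handle_notify refuses the payload (helper for checks below)."""
    try:
        handle_notify(payload, **kw)
        return False
    except NotifyError:
        return True


if __name__ == "__main__":
    # Constructed sample: lifetime Notify with an 8-byte SPI and 1 byte of data.
    sample = build_notify(PROTO_IPSEC_ESP, NOTIFY_SA_LIFETIME_PLACEHOLDER, bytes(8), b"\x01")
    print(handle_notify(sample))
    # Same Notify type with a 4-byte SPI is refused; other Notifies need 4 bytes.
    print(rejected(build_notify(PROTO_IPSEC_ESP, NOTIFY_SA_LIFETIME_PLACEHOLDER, bytes(4))))
    print(rejected(build_notify(PROTO_IPSEC_ESP, 1, bytes(8))))
```

The point of the size check living per Notify type is the message's second bullet: the 8-byte SPI is acceptable only for this one Notify, and every other Notify aimed at a Phase II SA keeps the existing 4-byte rule, so a receiver that simply widened its SPI check would silently weaken validation of the others.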
