
Re: ISAKMP Notification with an SA for Lifetimes



John,

The DOI regrets its egregious affront on your sensibilities and wishes to
offer the following justification...

The intent of the new text was not to mandate the described behavior but to
define how it should be done if the responder wanted to send a notify.  You
are still free as a responder to accept the proposal and unilaterally
expire the SA as you desire.  This is what I attempted to convey in saying,
"In the latter case,...".

>...other alternatives than this one would probably produce minor alteration 
> or none in peoples' code:
>
>  o Minor: permit responder to return a reduced lifetime; success of the
>    SA setup means unambiguously that both sides accept it; OR,
>
>  o None: Make no provisions in the protocol; lifetime can be enforced
>    unilaterally anyhow, and one is always allowed to send a Delete (I
>    expect some people do this in any case).

Your "Minor" change requires amending the ISAKMP base document to permit
the responder to return a changed proposal (with the shorter lifetime)
which I believe is a bigger change.  This change would require not only the
change to ISAKMP, but a change to *all* existing implementations to accept
a special-cased modified lifetime attribute.

Your "None" change is, as I explained above, intended to be permitted under
the draft.  I would certainly be willing to state this more explicitly.

>Support requires minimally:
>
>  o add the new Notify code;

Yes.

>  o accept a SPI size of 8 and don't reject it (this is different from
>    the treatment of other Notifies directed at a Phase II SA);

This seemed right to me when I wrote it, but upon re-reading the ISAKMP
document, I would agree that it should be the ISAKMP cookies.

>  o do not abort the established SA upon this Notify type.

Yes.

>This prescription doesn't address the issue for the Phase I SA, which it
>must.  Remember, the IP DOI is not restricted to Phase II activities.

Maybe, maybe not.  The Phase II lifetimes might be more interesting, since
they're the ones more likely to actually expire.

Believe me, I don't want to destabilize these drafts.  And if there's
consensus that this is a "bad thing", I have no qualms about removing it.
However, I will strongly object to proposed changes to the proposal syntax
in ISAKMP and I believe that it's desirable to have a way for the responder
to inform the initiator of his chosen lifetime.

Derrell
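The handling the thread converges on (a new Notify code, the ISAKMP cookies as the 8-byte SPI, and the established SA kept alive when the notify arrives) as an added Python sketch. This is not code from the draft, from John or from Derrell. It assumes a Notify Message Type of 24576 (the RESPONDER-LIFETIME number the IPsec DOI later assigned in RFC 2407; the thread gives no value) and that the lifetime rides in the notification data as ISAKMP attributes (SA Life Type / SA Life Duration); the thread fixes neither. The sample payload is constructed here.

```python
import struct
from dataclasses import dataclass

# Fixed part of the ISAKMP Notification payload (RFC 2408, section 3.14):
# Next Payload, RESERVED, Payload Length, DOI, Protocol-ID, SPI Size, Notify Message Type.
NOTIFY_FIXED = "!BBHIBBH"
NOTIFY_FIXED_LEN = struct.calcsize(NOTIFY_FIXED)  # 12 bytes

# Assumed: the thread names no number; this is the RESPONDER-LIFETIME code
# the IPsec DOI (RFC 2407) later assigned.
RESPONDER_LIFETIME = 24576

# Assumed encoding of the lifetime: IPsec DOI SA attributes (RFC 2407, section 4.5).
ATTR_LIFE_TYPE = 1
ATTR_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1

# SPI sizes the thread distinguishes: 4 for a Phase II (IPsec) SPI,
# 8 for the ISAKMP cookies, the size proposed for this notify.
SPI_SIZE_IPSEC = 4
SPI_SIZE_COOKIES = 8


@dataclass
class Notify:
    doi: int
    protocol_id: int
    spi_size: int
    msg_type: int
    spi: bytes
    data: bytes


def parse_notify(buf: bytes) -> Notify:
    """Parse one Notification payload; reject lengths that do not add up."""
    if len(buf) < NOTIFY_FIXED_LEN:
        raise ValueError("short notification payload")
    _next, _rsv, length, doi, proto, spi_size, msg_type = struct.unpack(
        NOTIFY_FIXED, buf[:NOTIFY_FIXED_LEN])
    if length < NOTIFY_FIXED_LEN + spi_size or length > len(buf):
        raise ValueError("payload length inconsistent with SPI size")
    spi = buf[NOTIFY_FIXED_LEN:NOTIFY_FIXED_LEN + spi_size]
    data = buf[NOTIFY_FIXED_LEN + spi_size:length]
    return Notify(doi, proto, spi_size, msg_type, spi, data)


def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) in TV or TLV form."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        t, v = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if t & 0x8000:                       # AF=1: 16-bit value carried in place
            attrs[t & 0x7FFF] = v
        else:                                # AF=0: v is the length of the value
            if v > 4 or off + v > len(data):
                raise ValueError("bad variable-length attribute")
            attrs[t] = int.from_bytes(data[off:off + v], "big")
            off += v
    if off != len(data):
        raise ValueError("trailing bytes in notification data")
    return attrs


def handle_notify(n: Notify, sa_lifetime: int, sa_cookies: bytes) -> tuple:
    """Initiator's decision for a notify aimed at an established SA.

    Returns ('keep', lifetime) when the SA survives, ('abort', None) when the
    notify tears it down, ('ignore', None) when it is malformed for its type.
    """
    if n.msg_type == RESPONDER_LIFETIME:
        # Thread: SPI is the ISAKMP cookies, and the SA is NOT aborted on receipt.
        if n.spi_size != SPI_SIZE_COOKIES or n.spi != sa_cookies:
            return ("ignore", None)
        attrs = parse_attributes(n.data)
        if attrs.get(ATTR_LIFE_TYPE) != LIFE_TYPE_SECONDS or ATTR_LIFE_DURATION not in attrs:
            return ("ignore", None)
        # The responder may only shorten the negotiated lifetime, never extend it.
        return ("keep", min(sa_lifetime, attrs[ATTR_LIFE_DURATION]))
    if n.spi_size != SPI_SIZE_IPSEC:
        return ("ignore", None)   # other Phase II notifies carry the 4-byte IPsec SPI
    return ("abort", None)        # the usual treatment of a notify against that SA


def build_lifetime_notify(cookies: bytes, seconds: int) -> bytes:
    """Encode the responder's lifetime notify (constructed sample, TV attributes)."""
    data = struct.pack("!HH", 0x8000 | ATTR_LIFE_TYPE, LIFE_TYPE_SECONDS)
    data += struct.pack("!HH", 0x8000 | ATTR_LIFE_DURATION, seconds)
    length = NOTIFY_FIXED_LEN + len(cookies) + len(data)
    # DOI 1 = IPsec, Protocol-ID 1 = ISAKMP (RFC 2407 values)
    hdr = struct.pack(NOTIFY_FIXED, 0, 0, length, 1, 1, len(cookies), RESPONDER_LIFETIME)
    return hdr + cookies + data


if __name__ == "__main__":
    cookies = bytes(range(8))                        # constructed cookie pair
    n = parse_notify(build_lifetime_notify(cookies, 1800))
    print(handle_notify(n, 3600, cookies))           # SA kept, lifetime cut to 1800
```

The checks worth keeping from this sketch are the two the thread calls out: the payload length must cover the SPI the SPI Size field announces, and the cookies in the notify must match the SA it claims to describe before the lifetime is honoured.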

