Items for ISAKMP draft.
Points for the ISAKMP draft:
o Clarify what is legal in an SA response attribute list.
I think the belief is abroad, though I can't find it in ISAKMP v-08,
that a responder must return exactly the attribute list sent in an
accepted Transform without modification.
We here would be happiest if it acknowledged that Negotiable
attributes can exist, these attributes can be returned with a
value permitted by the DOI's specific rules, and success of the SA
means the returned value is accepted. There was totally unnecessary
fol-de-rol on the list about how you can't reduce Lifetimes, with
truly strange alternate suggestions made, due to this not being in
the ISAKMP draft.
Alternatively this could all be left to the DOIs. Doug: could you
communicate directly with Derrell Piper on this point and resolve it
between you in the next drafts of ISAKMP and DOI? (Look at the new,
gratuitous prescription in DOI v-04 for Notification of Lifetime).
o Need definite statement about whether payload order is restricted.
The sense of discussion on the list apparently has been that generally
one should permit payloads in any order but position of certain
payloads should be prescribed: SA, HASH, SIG.
I would think the ISAKMP doc should say that for exchanges defined by
another document, order restrictions are entirely up to that document,
and otherwise order is free; then it should make definite statements
about the Exchanges which appear in it: Base Mode, ID-Protect, and
Aggressive.
Since Oakley uses variations on the prescribed exchanges, the Oakley
Resolution document would then need its own clear statements that
its restrictions/freedoms are the same as ISAKMP's, or that state the
exceptions. This is the place which currently affects implementors.
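As an added illustration of the first point above (not code from the ISAKMP draft, the DOI draft, or this thread), here is an initiator-side check of an SA response attribute list that treats lifetime as the one negotiable attribute. It assumes a DOI rule under which the responder may shorten, but never extend, the proposed lifetime; all attribute names and values are constructed for the example.

```python
# Initiator-side validation of the attribute list a responder returns in an
# accepted Transform. Attributes in NEGOTIABLE may come back with a different
# value, subject to the (assumed) DOI rule checked below; every other
# attribute must be echoed exactly. Attribute names here are illustrative.
NEGOTIABLE = {"SA Life Duration"}


def check_sa_response(proposed, returned, negotiable=NEGOTIABLE):
    """Return (accepted, reason) for a returned attribute list.

    proposed and returned map attribute name -> value for one transform.
    """
    if set(proposed) != set(returned):
        return False, "attribute set differs from the accepted transform"
    for attr, sent in proposed.items():
        got = returned[attr]
        if attr in negotiable:
            # Assumed DOI-specific rule: a lifetime may be reduced but not
            # extended, and must stay positive. Success of the SA then means
            # the returned value is the one both sides must honour.
            if not isinstance(got, int) or not (0 < got <= sent):
                return False, f"{attr}: {got!r} not permitted (proposed {sent})"
        elif got != sent:
            return False, f"{attr}: responder changed a non-negotiable value"
    return True, "accepted; returned attribute values are binding"


# Constructed sample transform: the initiator proposes an 8-hour lifetime.
PROPOSED = {
    "Encryption Algorithm": 3,
    "Hash Algorithm": 2,
    "SA Life Type": 1,
    "SA Life Duration": 28800,
}

# Responder shortens the lifetime to one hour: acceptable.
RESPONSE_SHORTER_LIFETIME = dict(PROPOSED, **{"SA Life Duration": 3600})
# Responder extends the lifetime: rejected under the assumed DOI rule.
RESPONSE_LONGER_LIFETIME = dict(PROPOSED, **{"SA Life Duration": 86400})
# Responder swaps the cipher: rejected, since that attribute is not negotiable.
RESPONSE_CHANGED_CIPHER = dict(PROPOSED, **{"Encryption Algorithm": 5})
# Responder drops an attribute: rejected, the attribute set must match.
RESPONSE_MISSING_ATTR = {k: v for k, v in PROPOSED.items() if k != "Hash Algorithm"}

if __name__ == "__main__":
    for name, resp in [("shorter lifetime", RESPONSE_SHORTER_LIFETIME),
                       ("longer lifetime", RESPONSE_LONGER_LIFETIME),
                       ("changed cipher", RESPONSE_CHANGED_CIPHER),
                       ("missing attribute", RESPONSE_MISSING_ATTR)]:
        print(name, check_sa_response(PROPOSED, resp))
```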