
Items for ISAKMP draft.



Points for the ISAKMP draft:

  o Clarify what is legal in an SA response attribute list.

    I think the belief is abroad, though I can't find it in ISAKMP v-08,
    that a responder must return exactly the attribute list sent in an
    accepted Transform without modification.

    We here would be happiest if it acknowledged that Negotiable
    attributes can exist, these attributes can be returned with a
    value permitted by the DOI's specific rules, and success of the SA
    means the returned value is accepted.  There was totally unnecessary
    fol-de-rol on the list about how you can't reduce Lifetimes, with
    truly strange alternate suggestions made, due to this not being in
    the ISAKMP draft.

    Alternatively, this could all be left to the DOIs.  Doug: could you
    communicate directly with Derrell Piper on this point and resolve it
    between you in the next drafts of ISAKMP and DOI?  (Look at the new,
    gratuitous prescription in DOI v-04 for Notification of Lifetime).


  o Need definite statement about whether payload order is restricted.

    The sense of discussion on the list apparently has been that generally
    one should permit payloads in any order but position of certain
    payloads should be prescribed: SA, HASH, SIG.

    I would think the ISAKMP doc should say that for exchanges defined by
    another document, order restrictions are entirely up to that document,
    and otherwise order is free; then it should make definite statements
    about the Exchanges which appear in it: Base Mode, ID-Protect, and
    Aggressive.

    Since Oakley uses variations on the prescribed exchanges, the Oakley
    Resolution document would then need its own clear statements that
    its restrictions/freedoms are the same as ISAKMP's, or that state
    the exceptions.  This is the place which currently affects implementors.
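As an added illustration of the first point (negotiable attributes in an SA response), the following Python is example code written for this page, not code from the ISAKMP or DOI drafts or from any implementation. It encodes and decodes ISAKMP data attributes in the TV/TLV form (AF bit in the type field), has a responder accept a transform while clamping the lifetime to its local policy, and has the initiator apply the acceptance rule the message argues for: non-negotiable attributes must come back unchanged, and a negotiable attribute (here lifetime) may come back with a different value only in the direction the DOI permits, i.e. reduced, never increased. The attribute type numbers, the set of negotiable attributes, and the TV-when-it-fits encoding choice are assumptions for the example; a real implementation takes them from the DOI in force.

```python
import struct

# ISAKMP data attribute: 16-bit type whose high bit is the AF flag, followed
# by a 16-bit field that is the value (AF=1, "TV") or the length of the data
# that follows (AF=0, "TLV").
AF_BIT = 0x8000

# Assumed IPsec DOI transform attribute numbers (illustrative; take them
# from the DOI draft in force).
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
AUTH_ALG = 5
LIFE_TYPE_SECONDS = 1

# Assumed DOI rule: only the lifetime duration is negotiable, and it may
# only be reduced by the responder.
NEGOTIABLE = {SA_LIFE_DURATION}


def encode_attributes(attrs):
    """Serialize [(type, int_value), ...]; TV when the value fits in 16 bits,
    otherwise a 4-byte TLV (encoding choice assumed for this example)."""
    out = b""
    for atype, value in attrs:
        if value <= 0xFFFF:
            out += struct.pack("!HH", AF_BIT | atype, value)
        else:
            data = value.to_bytes(4, "big")
            out += struct.pack("!HH", atype, len(data)) + data
    return out


def decode_attributes(buf):
    """Parse a data attribute list back into [(type, int_value), ...],
    rejecting truncated headers or TLV bodies instead of reading past them."""
    attrs, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header")
        atype, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        if atype & AF_BIT:
            attrs.append((atype & ~AF_BIT, lv))
        else:
            if off + lv > len(buf):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, int.from_bytes(buf[off:off + lv], "big")))
            off += lv
    return attrs


def responder_select(proposed, max_lifetime):
    """Responder accepts the transform but returns the lifetime clamped to
    local policy: a change to a negotiable attribute, not a rejection."""
    chosen = []
    for atype, value in proposed:
        if atype == SA_LIFE_DURATION and value > max_lifetime:
            value = max_lifetime
        chosen.append((atype, value))
    return chosen


def initiator_check(proposed, returned):
    """Initiator's acceptance rule for the SA response: same attributes in the
    same order; non-negotiable values unchanged; negotiable values may only
    have been reduced. Success of the SA means the returned value is in use."""
    if len(proposed) != len(returned):
        return False
    for (ptype, pval), (rtype, rval) in zip(proposed, returned):
        if ptype != rtype:
            return False
        if pval == rval:
            continue
        if ptype in NEGOTIABLE and rval < pval:
            continue
        return False
    return True


def negotiate(proposed, responder_max_lifetime):
    """Run proposal -> wire -> responder -> wire -> initiator check; returns
    (attributes as the initiator decoded them, accepted?)."""
    chosen = responder_select(decode_attributes(encode_attributes(proposed)),
                              responder_max_lifetime)
    back = decode_attributes(encode_attributes(chosen))
    return back, initiator_check(proposed, back)


if __name__ == "__main__":
    # Constructed sample proposal: one-day lifetime in seconds, auth alg 2.
    proposal = [(SA_LIFE_TYPE, LIFE_TYPE_SECONDS), (SA_LIFE_DURATION, 86400),
                (AUTH_ALG, 2)]
    print(negotiate(proposal, 3600))     # lifetime reduced to 3600, accepted
    print(negotiate(proposal, 100000))   # lifetime unchanged, accepted
```

The ordering requirement in `initiator_check` is deliberately strict: if the drafts end up saying a responder may reorder attributes, the comparison should be done on a per-type basis instead, but the direction-of-change rule for lifetime stays the same.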