
more...changes to ISAKMP/Oakley

  I received another unicast email in which the author raised an issue
regarding the use of the DOI in ISAKMP/Oakley.

  Right now we have just the IPSec DOI. Eventually (I hope), we'll have
the SNMPv3 DOI, the BGP DOI, the RIPv2 DOI, etc. Any service that needs
an authenticated key for whatever purpose can define a magic number
range, claim a DOI value and we're off....

  With that in mind the issue is one of crossing one's streams so to speak.
If I initiate an exchange for IPSec I'm gonna set the DOI field of the
phase 1 offer to the value for the IPSec DOI. Then when we negotiate the
actual IPSec SAs I do the same. But what if we negotiate "SAs" for the
BGP DOI. We're doing that under the protection of the ISAKMP SA that was
created with the IPSec DOI. Problem? I dunno. This has been raised as a
problem though.

  So, I'd like to make a proposal for a change. I haven't made the change
and I won't unless I get some backing. 

  The ISAKMP/Oakley draft will define a DOI value of 0 as being perfectly
acceptable for phase 1 offers. In that case the situation is similarly 0.
This will state that the ISAKMP SA is free to protect any other DOI in
phase 2 without fear of crossing one's streams and the calamity that will
befall one who does. If the DOI value in the phase 1 offer is other than
0 it will be up to the implementation to declare whether it is acceptable
to use this ISAKMP SA to protect the services of other DOIs whose values
don't match the phase 1 DOI value. It will be legal to restrict an IPSec
DOI-established ISAKMP SA to only establish IPSec SAs. Then if a need for
a SNMPv3 "SA" arrives, an entire phase 1 + phase 2 will have to be performed
and now there'll be 2 ISAKMP SAs-- one only for IPSec; one only for SNMP.

  This won't affect bits-on-the-wire because we have just the IPSec DOI
right now and the behaviour we're engaging in now is perfectly acceptable.
When new DOIs become available implementations which support them will
have to take this new concept into account.
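To make the proposed rule concrete, here is a small model of the decision an implementation would make when a phase 2 request arrives (added example, not from the draft or any implementation): DOI 0 in phase 1 is a wildcard, a non-zero phase 1 DOI is matched against the phase 2 DOI, and a local flag decides whether a non-matching DOI is tolerated or forces a fresh phase 1. The IPsec DOI value 1 is the real assigned one; the SNMPv3 and BGP values and the SPI strings are placeholders I made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOI_GENERIC = 0        # proposed: a phase 1 with DOI 0 may protect any DOI in phase 2
DOI_IPSEC = 1          # IPsec DOI, the only assigned value today (RFC 2407)
DOI_SNMPV3_HYPO = 100  # hypothetical placeholder, no SNMPv3 DOI value exists
DOI_BGP_HYPO = 101     # hypothetical placeholder, no BGP DOI value exists


@dataclass
class IsakmpSa:
    spi: str                     # constructed identifier for the example only
    phase1_doi: int              # DOI carried in the phase 1 offer
    restrict_to_doi: bool = True  # local policy: non-zero DOI binds the SA to that DOI


def may_protect(sa: IsakmpSa, phase2_doi: int) -> bool:
    """May this ISAKMP SA protect a phase 2 negotiation for phase2_doi?"""
    if sa.phase1_doi == DOI_GENERIC:      # wildcard phase 1: always usable
        return True
    if sa.phase1_doi == phase2_doi:       # same DOI as phase 1: always usable
        return True
    return not sa.restrict_to_doi         # crossing streams: only if policy allows


def select_sa(sas: List[IsakmpSa], phase2_doi: int) -> Optional[IsakmpSa]:
    """Pick an existing ISAKMP SA that may protect phase2_doi, or None."""
    for sa in sas:
        if may_protect(sa, phase2_doi):
            return sa
    return None


def plan_phase2(sas: List[IsakmpSa], phase2_doi: int,
                new_phase1_doi: int = DOI_GENERIC) -> Tuple[List[IsakmpSa], IsakmpSa, bool]:
    """Return (updated SA list, SA to use, whether a new phase 1 had to be run).

    When no existing ISAKMP SA qualifies, a full phase 1 is modelled by appending a
    new SA whose phase 1 DOI is new_phase1_doi, so the caller ends up with two
    ISAKMP SAs, exactly the situation described in the proposal.
    """
    sa = select_sa(sas, phase2_doi)
    if sa is not None:
        return sas, sa, False
    new_sa = IsakmpSa(spi=f"spi-{len(sas) + 1}", phase1_doi=new_phase1_doi)
    return sas + [new_sa], new_sa, True
```

Running `plan_phase2([IsakmpSa("spi-1", DOI_IPSEC)], DOI_SNMPV3_HYPO, DOI_SNMPV3_HYPO)` yields two ISAKMP SAs, one per DOI, while starting from a DOI 0 SA reuses the single SA.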

  What say you?

  Dan.