
Re: more...changes to ISAKMP/Oakley



> I think the change as proposed by Dan (i.e., allowing a DOI value of
> zero for Phase 1 negotiations) is fine.

Great. I think we have critical mass-- 4 people!

> OTOH, I'm having a difficult time seeing the need for a separate
> ISAKMP/Oakley DOI, or for eliminating/deprecating PROTO_ISAKMP.
> Using a DOI of zero in Phase 1 should achieve whatever "logical
> separation" between IPsec and ISAKMP might be desired.  PROTO_ISAKMP
> is defined as a reserved value across all DOIs (see the isakmp-08
> draft, section A.2.2), and I see no reason why that should not
> continue to be the case.  Unless there's some additional justification
> for these changes, I'd rather see things remain as they are.

Agreed. So then, how does this sound, everyone:

	"This protocol does not define its own DOI per se. The ISAKMP SA, 
	 established in phase 1, MAY use the DOI and situation from a 
	 non-ISAKMP service (such as the IETF IPSec DOI [Pip97]). In this 
	 case an implementation MAY choose to restrict use of the ISAKMP 
	 SA for establishment of SAs for services of the same DOI. 
	 Alternately, an ISAKMP SA MAY be established with the value zero 
	 in both the DOI and situation (see [MSST97] for a description of 
	 these fields) and in this case implementations will be free to 
	 establish security services for any defined DOI using this ISAKMP 
	 SA."

  Dan.
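
The rule in the proposed text above, written out as a policy check (an added example, not part of the original message or of any ISAKMP implementation). The SA payload layout, the 4-byte situation, the value 1 for the IPsec DOI, and all function names are assumptions of this sketch; refusing a zero DOI paired with a non-zero situation is also this sketch's choice, since the text does not cover that case.

```python
import struct

GENERIC_DOI = 0  # the zero DOI the proposed text allows in phase 1
IPSEC_DOI = 1    # assumption: IPsec DOI number, not stated in the post

def build_sa_head(doi, situation, rest=b""):
    """Constructed sample: SA payload header, DOI, 4-byte situation, then data."""
    return struct.pack("!BBHII", 0, 0, 12 + len(rest), doi, situation) + rest

def parse_sa_head(payload):
    """Return (doi, situation) from the start of an ISAKMP SA payload.

    Assumed layout: next payload (1), reserved (1), length (2), DOI (4),
    then the situation, treated here as 4 bytes as in the IPsec DOI.
    """
    if len(payload) < 12:
        raise ValueError("too short to hold DOI and situation")
    _next, _reserved, length, doi, situation = struct.unpack("!BBHII", payload[:12])
    if not 12 <= length <= len(payload):
        raise ValueError("length field inconsistent with received data")
    return doi, situation

def phase2_allowed(p1_doi, p1_situation, service_doi, restrict_same_doi=True):
    """Hypothetical policy check: may this ISAKMP SA negotiate for service_doi?"""
    if p1_doi == GENERIC_DOI:
        # The text covers only zero in both fields; refuse anything else.
        return p1_situation == 0
    if restrict_same_doi:          # the optional (MAY) restriction
        return service_doi == p1_doi
    return True
```
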


