
Re: confusion about identity



> >    During Phase I negotiations, the ID port and protocol fields MUST be
> >    set to zero or to UDP port 500.  If an implementation receives any
> >    other values, this MUST be treated as an error and the security
> >    association setup MUST be aborted.  This event SHOULD be auditable.
> 
> > The only time we use HASH_I and HASH_R (described in the long quote
> > above) is during phase 1.  I wonder why one would put UDP port 500
> > here when it causes a contradiction between the documents and yields
> > no useful information (as far as I can tell).
> 
> I added this to the IPSEC DOI document following the Ottawa IPSEC bake-off
> because there were several vendors sending Port 500 in the Phase I Main Mode
> exchange.  I guess that was a mistake on my part.  You're right though and
> unless there are objections raised ASAP, I'll remove it from the next draft.
> It really doesn't add anything to have Port 500 included in the hash.

The port and protocol aren't all that critical but the ID type which is
on the same 4 octet portion of the payload as the port and protocol is.
So let's leave the hash the way it is. 

Now what do we put in these fields then? The DOI of an SA offer in phase I 
is either IPSec DOI or zero. If it's IPSec DOI then the port and protocol 
have relevance and I don't see why someone who wants to can't put UDP port 
500 in there. If it's DOI of zero then the semantics of the ID payload are
that of the base ISAKMP draft (which, it was noted at the document reading
party, does not define any ID types, that should be taken care of in the
next round of edits) and then the port and protocol really must be RESERVED
or zero.

That humming sound you hear is me: "let's leave it alone".

  Dan.
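As an added illustration that is not part of the thread, the snippet below lays out the 4-octet portion of the ID payload body that Dan refers to (ID Type, Protocol ID, Port, as in the IPSEC DOI, later RFC 2407) and applies the Phase 1 rule quoted at the top of the message under the strict reading that the protocol/port pair is either 0/0 or UDP/500; the sample identities are constructed.

```python
import struct
import ipaddress
from typing import Tuple

# ISAKMP Identification payload body, i.e. the octets after the generic
# payload header: ID Type (1) | Protocol ID (1) | Port (2) | Identification Data.
# This body is the IDii_b / IDir_b term that HASH_I / HASH_R cover, which is
# why the ID type sharing these 4 octets matters even if port/protocol do not.
ID_IPV4_ADDR = 1      # ID type values from the IPSEC DOI
ID_FQDN = 2
ID_USER_FQDN = 3
UDP = 17
IKE_PORT = 500

def build_id_body(id_type: int, proto: int, port: int, data: bytes) -> bytes:
    """Serialise an ID payload body (network byte order)."""
    return struct.pack("!BBH", id_type, proto, port) + data

def parse_id_body(body: bytes) -> dict:
    """Split an ID payload body into its fields; decode the common ID types."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than 4 octets")
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 octets of data")
        ident = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data.hex()   # unknown type: keep the raw octets for the audit log
    return {"id_type": id_type, "protocol": proto, "port": port, "identity": ident}

def check_phase1_id(body: bytes) -> Tuple[bool, str]:
    """Phase 1 rule from the DOI text quoted in the thread: protocol/port must
    be 0/0 or UDP/500 (strict reading); anything else aborts SA setup, and the
    returned message is what an implementation would write to its audit log."""
    f = parse_id_body(body)
    pair = (f["protocol"], f["port"])
    if pair in ((0, 0), (UDP, IKE_PORT)):
        return True, f"ok: {f['identity']} proto={pair[0]} port={pair[1]}"
    return False, f"abort: unexpected protocol/port {pair} for {f['identity']}"
```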
