
comments on draft-ietf-ipsec-ipsec-doi-06.txt



This document is long enough that I would have found a table of
contents useful.

Section 4.6.2 describes the Identification Payload.

This layout contradicts the ISAKMP description for this payload (the
Protocol ID and Port fields are reserved (0) according to ISAKMP).  I
have recommended that ISAKMP be changed.

   During Phase I negotiations, the ID port and protocol fields MUST be
   set to zero or to UDP port 500.  If an implementation receives any
   other values, this MUST be treated as an error and the security
   association setup MUST be aborted.  This event SHOULD be auditable.

I sometimes run an ISAKMP/Oakley Daemon from another port.  If it were
to fill in the Port field, 500 would then be a lie.  Should this Port
number not be the actual one?

At the very least, the *meaning* of 500 should be mentioned.  I'm not
sure where to find it, but draft-ietf-ipsec-isakmp-08.txt claims that
it has been assigned to ISAKMP.  In the same spot, it says:
    Implementations MAY additionally support ISAKMP over other
    transport protocols or over IP itself.
This reinforces the previous point.

During Phase 1, it might be better to match the ISAKMP DOI.  These
fields should then be zero.

Having a choice here seems not very useful, but it does add
complexity.

     o  Protocol ID (1 octet) - Value specifying an associated
        IP protocol ID (e.g. UDP/TCP).  A value of zero means that the
        Protocol ID field should be ignored.

There should be a reference to nail down the encoding.  I know that we
all know it.

Hugh Redelmeier
hugh@mimosa.com  voice: +1 416 482-8253
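The Phase I rule quoted in the message above, worked through as an added example; this is illustration code, not code from the draft, from ISAKMP, or from any daemon. It assumes the payload layout the DOI draft describes: the generic ISAKMP payload header (Next Payload, RESERVED, Payload Length), then ID Type (1 octet), Protocol ID (1 octet), Port (2 octets), then the identification data. UDP is IP protocol 17 and ISAKMP's port is 500; the ID type value ID_IPV4_ADDR = 1 and the strict reading of "zero or UDP port 500" (both fields zero, or exactly UDP/500) are assumptions for the example. The rejected case is the one the message raises: a daemon reporting the port it actually runs on.

```python
"""Parse an IPsec DOI Identification Payload and apply the draft's
Phase I port/protocol rule (added example, not the draft's own code).

Assumed layout (generic ISAKMP payload header, then DOI-specific fields):
  Next Payload (1) | RESERVED (1) | Payload Length (2) |
  ID Type (1) | Protocol ID (1) | Port (2) | Identification Data (var)
"""
import struct
from dataclasses import dataclass

UDP = 17             # IANA IP protocol number for UDP
ISAKMP_PORT = 500    # the port the draft refers to
ID_IPV4_ADDR = 1     # assumed ID type value for an IPv4 address identity
HEADER_FMT = "!BBHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 octets

# Strict reading of "set to zero or to UDP port 500": both fields zero,
# or exactly (UDP, 500).  (UDP, 0) and (0, 500) are therefore rejected.
PHASE1_ALLOWED = {(0, 0), (UDP, ISAKMP_PORT)}


class IdPayloadError(ValueError):
    """Malformed payload; the caller aborts the SA setup."""


@dataclass(frozen=True)
class IdPayload:
    next_payload: int
    length: int
    id_type: int
    protocol_id: int
    port: int
    data: bytes


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode one Identification Payload from the front of buf.

    buf may carry further payloads after this one; only `length` octets
    belong to this payload.
    """
    if len(buf) < HEADER_LEN:
        raise IdPayloadError("payload shorter than its fixed header")
    nxt, reserved, length, id_type, proto, port = struct.unpack(
        HEADER_FMT, buf[:HEADER_LEN])
    if reserved != 0:
        raise IdPayloadError("RESERVED octet must be zero")
    if length < HEADER_LEN or length > len(buf):
        raise IdPayloadError(f"payload length {length} does not fit buffer")
    return IdPayload(nxt, length, id_type, proto, port, buf[HEADER_LEN:length])


def phase1_port_protocol_ok(p: IdPayload) -> bool:
    """The draft's Phase I rule on the (Protocol ID, Port) pair."""
    return (p.protocol_id, p.port) in PHASE1_ALLOWED


def phase1_accepts(buf: bytes, audit) -> bool:
    """Return True if the payload may be used in Phase I.

    On any other (protocol, port) value the draft says the setup MUST be
    aborted and the event SHOULD be auditable, so the rejection is passed
    to `audit` (any callable taking a string) before returning False.
    """
    try:
        p = parse_id_payload(buf)
    except IdPayloadError as e:
        audit(f"Phase 1 ID payload malformed: {e}")
        return False
    if not phase1_port_protocol_ok(p):
        audit(f"Phase 1 ID payload rejected: protocol_id={p.protocol_id} "
              f"port={p.port} id_type={p.id_type}")
        return False
    return True


def build_id_payload(id_type: int, protocol_id: int, port: int,
                     data: bytes, next_payload: int = 0) -> bytes:
    """Encode a payload in the assumed layout (used to construct samples)."""
    return struct.pack(HEADER_FMT, next_payload, 0, HEADER_LEN + len(data),
                       id_type, protocol_id, port) + data


# Constructed sample payloads (not captured traffic), identity 10.0.0.1:
SAMPLE_OK = build_id_payload(ID_IPV4_ADDR, UDP, ISAKMP_PORT, bytes([10, 0, 0, 1]))
SAMPLE_ZERO = build_id_payload(ID_IPV4_ADDR, 0, 0, bytes([10, 0, 0, 1]))
# A daemon listening on another port, reporting it truthfully:
SAMPLE_OTHER_PORT = build_id_payload(ID_IPV4_ADDR, UDP, 4500, bytes([10, 0, 0, 1]))

if __name__ == "__main__":
    for name, sample in [("udp/500", SAMPLE_OK), ("0/0", SAMPLE_ZERO),
                         ("udp/4500", SAMPLE_OTHER_PORT)]:
        print(name, "accepted" if phase1_accepts(sample, print) else "rejected")
```

The rejection of the udp/4500 sample is the point of the message: under the strict reading a daemon on a non-standard port can only pass by sending 0/0 or by claiming 500.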