
Re: ISAKMP: Issues



It's not clear to me that the mentioned items ALL have to be resolved for
the draft to be adequate for approval.  Let's avoid changing more than we
have to (see interspersed comments).

- John Burke

At 02:38 PM 2/27/98 EST, wdm@epoch.ncsc.mil (W. Douglas Maughan) wrote:
>----------
[ ... ]
>Attached is a list of unresolved issues concerning ISAKMP-09. They are
>in no particular order.
>
>I think the first 3 MUST be resolved before moving ahead.
>The other 3 can be done later.
>
>Thanks,
>
>Doug
[ ... ]
>Unresolved Issues from ISAKMP-08 to ISAKMP-09
>---------------------------------------------
>1. ISAKMP Message Header Length field and data do not match
>
>   (Matt Thomas - 29 Sep 97 e-mail)
>	What if the ISAKMP Message Header Length field indicates a
>	different length than the actual data? Length > Data = no
>	action?, but Data > Length = Data Ignored or Message Trashed?

What is the argument for trashing the message?  Leave it unless there is a
strong such argument.

>2. Resolution of the Certificate Request generation of continued exchange
>
>   Even with all of the discussion that has gone on for the last couple
>   of days, I don't see anything "concrete". As I proposed on 24 Feb
>   98, we can do one of the following:
>
>	1. Write text stating that the CertReq must be sent prior to
>	the last message of an exchange
>
>	2. Change ISAKMP to allow the extended exchange for CertReq
>	(and potentially other payloads?)
>
>	3. Something else - like saying that the Commit Bit of the
>	Flags field can be used to extend the CertReq continued
>	exchange

More precisely, about the Commit option: Party A has to send a Commit bit,
to give itself the opportunity to send more after Party B sends the final
message of the exchange proper.  Options 1 and 2 leave some of the stated
problems unsolved.

>3. Alignment of ISAKMP messages
>
>   (Matt Thomas - 18 Feb 98 e-mail)
>	Can't align message on 4-byte boundary
>	Align Attribute Tag fields of Transform payload
>   (John Burke - 19 Feb 98 e-mail)
>	Not possible for ISAKMP to demand alignment of a message. State
>	explicitly that any payload can be of arbitrary length,
>	depending on the content of previous payloads

I hope we are not contemplating introducing alignments where none were before.

>4. Negotiation of SA Response Attribute List - Should it be allowed?
>
>   (John Burke - 1 Oct 97 e-mail)
>	Allow within context of DOI specific rules
>
>	NOTE: Current method is send Info Exchange with Notify Payload

I would rather rescind this suggestion at this late date.  For IPSecond,
yes, but now, no.  The DOI's Lifetime Notification may seem a cumbersome
alternative to this, but it has the benefit of working and having passed
without objections from the list. By the way, has anyone implemented sending
this Notification?
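Issues 1 and 3 above are both about how a receiver bounds its parsing: the header Length field against the bytes actually received, and each payload's own Payload Length rather than any assumed 4-byte alignment. The following is an added example, not code from the thread or from any ISAKMP implementation. It assumes the 28-byte ISAKMP header and 4-byte generic payload header of the ISAKMP draft (later RFC 2408); the policy it applies to mismatches (always reject Length > data, make Data > Length a configurable reject-or-ignore) is this example's own choice, not anything the list decided, and the cookies, payload contents and exchange type in the sample message are constructed values.

```python
import struct

ISAKMP_HDR_LEN = 28          # fixed header: 2 cookies, NP, version, exch, flags, msg id, length
PAYLOAD_HDR_LEN = 4          # generic payload header: next payload, reserved, payload length
NEXT_PAYLOAD_NONE = 0


class IsakmpError(ValueError):
    """Raised when a message cannot be parsed safely."""


def parse_header(buf):
    """Unpack the 28-byte ISAKMP header. Cookies are kept as raw bytes."""
    if len(buf) < ISAKMP_HDR_LEN:
        raise IsakmpError("received %d bytes, header needs %d" % (len(buf), ISAKMP_HDR_LEN))
    (icky, rcky, next_payload, version, exch_type, flags,
     msg_id, length) = struct.unpack("!8s8sBBBBII", buf[:ISAKMP_HDR_LEN])
    return {"icookie": icky, "rcookie": rcky, "next_payload": next_payload,
            "version": version, "exch_type": exch_type, "flags": flags,
            "msg_id": msg_id, "length": length}


def length_status(declared, received):
    """Compare the header Length field with the bytes actually received.
    Returns 'ok', 'truncated' (Length > data), 'trailing' (data > Length)
    or 'bad' (Length cannot even cover the header)."""
    if declared < ISAKMP_HDR_LEN:
        return "bad"
    if declared > received:
        return "truncated"
    if declared < received:
        return "trailing"
    return "ok"


def walk_payloads(first_type, body):
    """Follow the Next Payload chain through body (the bytes after the header,
    already cut down to the header's Length). Every step is bounded by the
    payload's own Payload Length field, so payloads may be of arbitrary length
    and no 4-byte alignment is assumed."""
    payloads, off, ptype = [], 0, first_type
    while ptype != NEXT_PAYLOAD_NONE:
        if off + PAYLOAD_HDR_LEN > len(body):
            raise IsakmpError("payload header at offset %d runs past Length" % off)
        nxt, _reserved, plen = struct.unpack("!BBH", body[off:off + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN:
            raise IsakmpError("payload length %d smaller than its own header" % plen)
        if off + plen > len(body):
            raise IsakmpError("payload at offset %d claims %d bytes, only %d left"
                              % (off, plen, len(body) - off))
        payloads.append((ptype, body[off + PAYLOAD_HDR_LEN:off + plen]))
        off += plen
        ptype = nxt
    if off != len(body):
        raise IsakmpError("%d bytes inside Length not covered by any payload" % (len(body) - off))
    return payloads


def parse_message(buf, trailing="reject"):
    """Parse one datagram. The policy for Length < data is a local choice
    (assumed here): 'reject' drops the message, 'ignore' discards the extra
    bytes. Length > data is always rejected: the missing bytes cannot be parsed."""
    hdr = parse_header(buf)
    status = length_status(hdr["length"], len(buf))
    if status in ("bad", "truncated"):
        raise IsakmpError("Length field %d vs %d bytes received: %s"
                          % (hdr["length"], len(buf), status))
    if status == "trailing" and trailing != "ignore":
        raise IsakmpError("%d trailing bytes after Length" % (len(buf) - hdr["length"]))
    body = buf[ISAKMP_HDR_LEN:hdr["length"]]
    return hdr, walk_payloads(hdr["next_payload"], body)


def build_message(payloads, length_override=None):
    """Assemble a message from (payload_type, data) pairs. Cookies, Message ID
    and the exchange type (2, Identity Protection) are constructed sample values;
    length_override lets a caller deliberately mis-state Length."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NEXT_PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else NEXT_PAYLOAD_NONE
    length = ISAKMP_HDR_LEN + len(body) if length_override is None else length_override
    hdr = struct.pack("!8s8sBBBBII", b"\xa5" * 8, b"\x00" * 8,
                      first, 0x10, 2, 0, 0, length)
    return hdr + body


# Constructed sample: an SA payload (type 1) followed by a 7-byte Nonce (type 10),
# so the whole message is 51 bytes and not a multiple of 4.
SAMPLE = build_message([(1, b"\x00\x00\x00\x01\x00\x00\x00\x01"),
                        (10, b"\x01\x02\x03\x04\x05\x06\x07")])

if __name__ == "__main__":
    hdr, pls = parse_message(SAMPLE)
    print("Length %d, payload types %s" % (hdr["length"], [t for t, _ in pls]))
    for name, buf in (("truncated", build_message([(1, b"\x00" * 8)], length_override=60)),
                      ("trailing", SAMPLE + b"\x00\x00\x00")):
        try:
            parse_message(buf)
        except IsakmpError as e:
            print("%s: rejected (%s)" % (name, e))
    print("trailing, ignore policy:",
          [t for t, _ in parse_message(SAMPLE + b"\x00" * 3, trailing="ignore")[1]])
```

The point of the two separate checks is that they fail differently: a Length larger than the datagram means part of the message never arrived and nothing past the header can be trusted, whereas a datagram longer than Length still contains a complete message and the receiver only has to decide what to do with the excess. The payload walk never rounds an offset up, which is what "any payload can be of arbitrary length" costs a receiver: one unaligned read per payload header.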
