
Re: ISAKMP Draft: Notifications about Phase II



Doug,

The question of the use of the Message ID in a Notification is still not
addressed, and I see it as still an opportunity for interoperation failure.
The question is, does one ever use the Message ID to locate the SA which
is being notified?  I believe the answer is no; I think there was
discussion on this subject some time ago and this was the consensus; but
I'm not sure.

What I think I remember people asking was this: if the Responder to QM
cannot decode a good SPI from the message, is there any means to give
notification at all?  And people answered, no, because the Message ID does
not identify the affected exchange.

I'm not claiming precise memory; I'm asking others to weigh in on this.

- John Burke

At 01:48 PM 2/19/98 -0800, I wrote:
>Doug, two suggestions for ISAKMP v-09 to bring it into line with the IP DOI
>and what I believe to be implementors' current understanding and working
>code:
>
>Notification Codes
>
[ ... ]

>The Phase II description asserts that Message ID identifies the session.
>
>    Notification which occurs during, or is concerned with, a Phase 2
>    negotiation is identified by the Initiator and Responder cookie pair in
>    the ISAKMP Header and the Message ID and SPI associated with the current
>    negotiation.
>
>This would require that the notification be sent as part of the Quick Mode
>exchange;  but between ISAKMP v-08 and IKE (was "Resolution"), I understand
>that all Notifications are supposed to be sent as an Informational
>Exchange; it is asserted that an exchange prescribes exactly what messages
>and payloads are permissible, and no exchanges have a place for
>Notifications, particularly, a Notification returned in reply to the final
>message sent.  An exception is that the IP DOI prescribes additional Status
>Notifications and prescribes they get combined into the standard exchange
>messages.
>
>My understanding, which I am not at all sure reflects current practice:
>
>    Notification which occurs during, or is concerned with, a Phase 2
>    negotiation is identified by a current Initiator and Responder cookie
>    pair in the ISAKMP Header, and the protocol and SPI associated with the
>    affected negotiation.  The Message ID of the ISAKMP header DOES NOT
>    identify the negotiation targeted by the Notification.
>
>Other people may have different understandings of the above. If so, I hope
>they'll speak now; we may all have to resolve differences where we are not
>be interoperable.
  [wups! wool-gathering?]
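As an added illustration (not part of the original message or of any implementation discussed in it): a small Python model of the understanding stated above, in which a Notification is matched to its SA by cookie pair, protocol and SPI, and the Message ID is never consulted. Field layouts follow the ISAKMP header and Notification payload as later published in RFC 2408; the cookies, SPI, SA table and notify type value are constructed samples.

```python
import struct
from typing import Optional

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (28 octets).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length.
PAYLOAD_HDR = struct.Struct("!BBH")
# Notification payload fixed part: DOI, protocol ID, SPI size, notify type.
NOTIFY_HDR = struct.Struct("!IBBH")

def build_notify(icookie, rcookie, msg_id, proto, spi, ntype, doi=1) -> bytes:
    """Build an Informational exchange carrying one Notification payload."""
    body = NOTIFY_HDR.pack(doi, proto, len(spi), ntype) + spi
    payload = PAYLOAD_HDR.pack(0, 0, PAYLOAD_HDR.size + len(body)) + body
    # next payload 11 = Notification, version 1.0, exchange type 5 = Informational
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 11, 0x10, 5, 0, msg_id,
                          ISAKMP_HDR.size + len(payload))
    return hdr + payload

def parse_notify(msg: bytes) -> dict:
    """Parse an ISAKMP header followed by a single Notification payload."""
    icookie, rcookie, _np, _ver, _xchg, _flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError("header length does not match message length")
    off = ISAKMP_HDR.size + PAYLOAD_HDR.size
    _doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(msg, off)
    off += NOTIFY_HDR.size
    spi = msg[off:off + spi_size]
    if len(spi) != spi_size:
        raise ValueError("truncated SPI")
    return {"cookies": (icookie, rcookie), "message_id": msg_id,
            "protocol": proto, "spi": spi, "type": ntype}

def locate_sa(notify: dict, sa_table: dict) -> Optional[str]:
    """Resolve the SA a Notification concerns from (cookie pair, protocol, SPI).

    The Message ID is deliberately ignored: per the reading above it does not
    identify the affected negotiation.  With no decodable SPI there is nothing
    the Notification can be attached to, so None is returned.
    """
    if not notify["spi"]:
        return None
    return sa_table.get((notify["cookies"], notify["protocol"], notify["spi"]))
```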