
Re: Quick Mode client IDs



I originally wrote:
>> The identities of the SAs negotiated in Quick Mode are
>> implicitly assumed to be the IP addresses of the ISAKMP peers,
>> without any implied constraints on the protocol or port
>> numbers allowed, unless client identifiers are specified in
>> Quick Mode.  If ISAKMP is acting as a client negotiator on
>> behalf of another party, the identities of the parties MUST be
>> passed as IDci and then IDcr.  Local policy will dictate
>> whether the proposals are acceptable for the identities
>> specified.  If the client identities are not acceptable to the
>> Quick Mode responder (due to policy or other reasons), a
>> Notify payload with Notify Message Type INVALID-ID-INFORMATION
>> (18), followed by an acceptable pair of client identifiers, in
>> two ID payloads (IDci followed by IDcr) SHOULD be sent.

and then Paul Koning <pkoning@xedia.com> replied:
> That sounds right -- except that I'm not sure about the last sentence.

That last sentence was written as a replacement for what's currently
the last sentence in the fourth paragraph of section 5.5 of the IKE
draft, which reads:

   [...] If an ID range
   (see Appendix A of [Pip97]) is not acceptable (for example, the
   specified subnet is too large) an INVALID-ID-INFORMATION notify
   message (18) followed by an acceptable ID range, in an ID payload,
   SHOULD be sent.

This sentence has a number of problems - for starters, there is no longer
an Appendix A in the DOI draft (which is what [Pip97] refers to).  Second,
because there are two client ID payloads sent in Quick Mode, it would
be difficult to determine whether the one being sent back corresponds
to IDci or IDcr.  My intention was to try and replace this sentence with
one that would, ideally, satisfy the intent of the original but state it
in a way that (hopefully) made more sense.  I did show it to some folks
for review before I sent it out; they had no objections.

If someone would like to propose alternate text, or thinks the whole
notion of providing a "hint" as to what is acceptable back to the
Quick Mode initiator should be removed altogether, that's fine by me...
Any opinions (esp. from the draft authors) on what should be done here?

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
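As an added illustration of the exchange the message describes (constructed here, not code from the IKE draft, the DOI draft, or anyone in this thread): a toy Quick Mode responder that applies local policy to a proposed (IDci, IDcr) pair and, on rejection, returns a Notify with INVALID-ID-INFORMATION (18) followed by the acceptable pair in the same IDci-then-IDcr order, which is what lets the initiator tell which hint belongs to which ID where the draft's single-ID hint could not. It also shows the implicit client IDs assumed when no ID payloads are sent: the peers' own addresses with no protocol or port constraint. The DOI ID-type numbers, the (local, remote) policy model, and all addresses are assumptions of the example.

```python
"""Toy Quick Mode responder for the client-ID check discussed above.

This is a constructed example, not code from the IKE draft or from anyone in
the thread.  ID payloads are reduced to (ID type, IPv4 host or subnet,
protocol, port); local policy is a list of (local, remote) subnets.  The ID
type numbers are assumed from the IPsec DOI; 18 is the INVALID-ID-INFORMATION
notify type quoted in the message.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ID_IPV4_ADDR = 1             # assumed DOI value for a single host
ID_IPV4_ADDR_SUBNET = 4      # assumed DOI value for a subnet
INVALID_ID_INFORMATION = 18  # notify type named in the thread


@dataclass(frozen=True)
class IDPayload:
    id_type: int
    net: ipaddress.IPv4Network
    protocol: int = 0        # 0 = no constraint on protocol
    port: int = 0            # 0 = no constraint on port

    @staticmethod
    def from_cidr(text: str, protocol: int = 0, port: int = 0) -> "IDPayload":
        net = ipaddress.IPv4Network(text, strict=False)
        id_type = ID_IPV4_ADDR if net.prefixlen == 32 else ID_IPV4_ADDR_SUBNET
        return IDPayload(id_type, net, protocol, port)


@dataclass(frozen=True)
class NotifyPayload:
    msg_type: int


@dataclass(frozen=True)
class PolicyEntry:
    local: ipaddress.IPv4Network   # responder-side clients (matched against IDcr)
    remote: ipaddress.IPv4Network  # initiator-side clients (matched against IDci)

    @staticmethod
    def from_cidrs(local: str, remote: str) -> "PolicyEntry":
        return PolicyEntry(ipaddress.IPv4Network(local, strict=False),
                           ipaddress.IPv4Network(remote, strict=False))


Payload = Union[IDPayload, NotifyPayload]


def implicit_client_ids(initiator_ip: str, responder_ip: str) -> Tuple[IDPayload, IDPayload]:
    """IDs assumed when Quick Mode carries no IDci/IDcr: the ISAKMP peers'
    own addresses, with no protocol or port constraint."""
    return IDPayload.from_cidr(initiator_ip), IDPayload.from_cidr(responder_ip)


def quick_mode_reply(idci: IDPayload, idcr: IDPayload,
                     policy: List[PolicyEntry]) -> List[Payload]:
    """Responder's payloads for a proposed (IDci, IDcr) pair.

    Accepted: the pair is echoed back (IDci, then IDcr).
    Rejected: Notify INVALID-ID-INFORMATION, followed (when policy has an
              overlapping entry) by the acceptable pair in the same order,
              so the initiator can tell which hint replaces which ID.
    """
    for entry in policy:
        if idci.net.subnet_of(entry.remote) and idcr.net.subnet_of(entry.local):
            return [idci, idcr]
    for entry in policy:
        # Proposed subnet too large (or otherwise off) but overlapping
        # something we would protect: send that as the hint.
        if idci.net.overlaps(entry.remote) and idcr.net.overlaps(entry.local):
            hint_ci = IDPayload.from_cidr(str(entry.remote), idci.protocol, idci.port)
            hint_cr = IDPayload.from_cidr(str(entry.local), idcr.protocol, idcr.port)
            return [NotifyPayload(INVALID_ID_INFORMATION), hint_ci, hint_cr]
    return [NotifyPayload(INVALID_ID_INFORMATION)]


def initiator_retry(reply: List[Payload]) -> Optional[Tuple[IDPayload, IDPayload]]:
    """Initiator side: if the reply is the notify plus two IDs, take them as
    the next (IDci, IDcr) proposal; otherwise there is nothing to retry with."""
    if (len(reply) == 3 and isinstance(reply[0], NotifyPayload)
            and reply[0].msg_type == INVALID_ID_INFORMATION
            and all(isinstance(p, IDPayload) for p in reply[1:])):
        return reply[1], reply[2]
    return None


# Constructed sample policy: protect 10.1.0.0/24 behind this responder for
# the peer's 192.168.5.0/24.
SAMPLE_POLICY = [PolicyEntry.from_cidrs(local="10.1.0.0/24", remote="192.168.5.0/24")]


def demo() -> List[List[Payload]]:
    """Three proposals: acceptable, IDci subnet too large, no overlap at all."""
    ok = quick_mode_reply(IDPayload.from_cidr("192.168.5.7"),
                          IDPayload.from_cidr("10.1.0.0/24"), SAMPLE_POLICY)
    too_large = quick_mode_reply(IDPayload.from_cidr("192.168.0.0/16"),
                                 IDPayload.from_cidr("10.1.0.0/24"), SAMPLE_POLICY)
    no_match = quick_mode_reply(IDPayload.from_cidr("172.16.0.0/12"),
                                IDPayload.from_cidr("10.1.0.0/24"), SAMPLE_POLICY)
    return [ok, too_large, no_match]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The hint carries over the initiator's proposed protocol and port so that only the address selector is narrowed; a real responder would also check those against policy, and a hint is sent only when some policy entry overlaps the proposal, since otherwise there is nothing acceptable to suggest.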