
comments on draft-ietf-isakmp-mode-cfg-02.txt
Comments on draft-ietf-ipsec-isakmp-mode-cfg-02.txt  
 
1. The draft specifies ways to exchange configuration information 
    either within an ISAKMP Phase 1 exchange or by ISAKMP Informational
    exchange. A couple of points here:
 
    -when done over Phase 1, the HASH has to include the configuration
     information being exchanged, otherwise it is not authenticated. This 
     means though that HASH_I and HASH_R in the IKE exchange have to 
     be augmented to include NOTIFY payloads. Not desirable for reasons 
     of compatibility.

    -hence the information exchange should be done after Phase 1 is 
     complete, although this may mean more message exchanges. The format 
     specified in section 5.7 of the IKE draft (ISAKMP-OAKLEY draft 06)
     should be used.

 
 2. The draft proposes to distribute policy and certificates 
    by this method across road warrior-gateway tunnels. I don't see 
    the benefit in doing so as opposed to running generic client applications.
    Hence I would restrict this method to only distribute basic routing
    related information, such as local address and DNS address. 
 

Comments?
            
Partha P. Bhattacharya 
Pau-Chen Cheng 

IBM Research
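An added example (not part of the message above or of the draft) illustrating point 1: the IKE Phase 1 hashes HASH_I/HASH_R = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) do not cover configuration attributes carried alongside, so an in-path modification of those attributes passes the receiver's check, whereas the section 5.7 Informational exchange hash HASH(1) = prf(SKEYID_a, M-ID | payload) covers the payload and the modification is caught. The prf is assumed to be HMAC-SHA1, the keys, cookies, exponentials and attribute type number are constructed placeholders, and the TLV attribute encoding is the generic ISAKMP data-attribute layout.

```python
import hmac, hashlib, struct

def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf, assumed here to be HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def encode_attrs(attrs: dict) -> bytes:
    """Encode {type: value} as ISAKMP TLV data attributes (AF bit clear)."""
    out = b""
    for atype, value in sorted(attrs.items()):
        out += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    return out

# Constructed sample values standing in for Phase 1 state; not real traffic.
SKEYID, SKEYID_A = b"\x11" * 20, b"\x22" * 20
G_XI, G_XR = b"\xa1" * 32, b"\xb2" * 32
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8
SAI_B = b"\x00\x00\x00\x01\x00\x00\x00\x01"
IDII_B = b"\x03\x00\x00\x00" + b"client@example.com"
MSG_ID = b"\x00\x00\x00\x2a"
ATTR_IP4 = 1  # placeholder attribute type for an internal IPv4 address

def hash_i(skeyid: bytes = SKEYID) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).
    Configuration attributes sent in the same message are not an input."""
    return prf(skeyid, G_XI + G_XR + CKY_I + CKY_R + SAI_B + IDII_B)

def hash_info(payload: bytes, skeyid_a: bytes = SKEYID_A,
              msg_id: bytes = MSG_ID) -> bytes:
    """Informational exchange (IKE sec. 5.7): HASH(1) = prf(SKEYID_a, M-ID | payload)."""
    return prf(skeyid_a, msg_id + payload)

def verify_phase1(h: bytes, attrs_bytes: bytes) -> bool:
    """Receiver check for the Phase 1 variant: attrs_bytes cannot affect it."""
    return hmac.compare_digest(h, hash_i())

def verify_info(h: bytes, attrs_bytes: bytes) -> bool:
    """Receiver check for the Informational variant: the attributes are covered."""
    return hmac.compare_digest(h, hash_info(attrs_bytes))

def modification_goes_unnoticed(covered: bool) -> bool:
    """Sender pushes address 10.0.0.5; the bytes arrive rewritten to 10.0.0.6.
    Returns True if the receiver still accepts the message."""
    sent = encode_attrs({ATTR_IP4: bytes([10, 0, 0, 5])})
    modified = encode_attrs({ATTR_IP4: bytes([10, 0, 0, 6])})
    if covered:
        return verify_info(hash_info(sent), modified)
    return verify_phase1(hash_i(), modified)
```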