comments on draft-ietf-isakmp-mode-cfg-02.txt
Comments on draft-ietf-ipsec-isakmp-mode-cfg-02.txt
1. The draft specifies ways to exchange configuration information
either within an ISAKMP Phase 1 exchange or by ISAKMP Informational
exchange. A couple of points here:
- when done over Phase 1, the HASH has to include the configuration
information being exchanged, otherwise it is not authenticated. This
means, though, that HASH_I and HASH_R in the IKE exchange have to
be augmented to include NOTIFY payloads. Not desirable for reasons
of compatibility.
- hence the information exchange should be done after Phase 1 is
complete, although this may mean more message exchanges. The format
specified in section 5.7 of the IKE draft (ISAKMP-OAKLEY draft 06)
should be used.
2. The draft proposes to distribute policy and certificates
by this method across road warrior-gateway tunnels. I don't see
the benefit in doing so as opposed to running generic client applications.
Hence I would restrict this method to only distribute basic routing
related information, such as local address and DNS address.
Comments?
Partha P. Bhattacharya
Pau-Chen Cheng
IBM Research
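The authentication point in item 1 above, as an added illustration that is not part of the original e-mail or of the mode-cfg draft: HASH_I in ISAKMP-OAKLEY (RFC 2409, section 5) is prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), so configuration attributes carried alongside it in Phase 1 are outside the hash and a modified attribute passes the responder's check. Only a hypothetical augmented hash that also covers the attribute payload body detects the modification. All key material, Diffie-Hellman values, cookies, payload bodies and attribute type numbers below are constructed for the example; the attribute encoding is a simplified type/length/value form, not the draft's exact wire format.

```python
import hmac
import hashlib

# Constructed Phase 1 values; none of this is real IKE traffic.
SKEYID = b"constructed-skeyid-derived-from-preshared-key"
G_XI = b"\x11" * 16                      # initiator DH public value (shortened)
G_XR = b"\x22" * 16                      # responder DH public value (shortened)
CKY_I = b"\x01" * 8                      # initiator cookie
CKY_R = b"\x02" * 8                      # responder cookie
SAI_B = b"\x00\x00\x00\x01" + b"proposal-bytes"            # SA payload body
IDII_B = b"\x01\x11\x00\x00" + bytes([192, 0, 2, 1])        # ID payload body

# Hypothetical attribute type numbers for the example (not the draft's).
ATTR_INTERNAL_ADDR = 1
ATTR_INTERNAL_DNS = 3


def encode_attr(attr_type, value):
    """Simplified TLV encoding of one configuration attribute (constructed)."""
    return attr_type.to_bytes(2, "big") + len(value).to_bytes(2, "big") + value


def hash_i_rfc2409(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I as defined in RFC 2409 section 5, with HMAC-SHA1 as the prf.
    Configuration attributes sent in the same exchange are not covered."""
    msg = g_xi + g_xr + cky_i + cky_r + sai_b + idii_b
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def hash_i_with_config(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b, attr_b):
    """Hypothetical augmented HASH_I that also covers the attribute payload body.
    This is the change the e-mail says would be needed, not a standardised form."""
    msg = g_xi + g_xr + cky_i + cky_r + sai_b + idii_b + attr_b
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def responder_accepts(received_hash, received_attr_b, cover_config):
    """Responder recomputes HASH_I from what it received and compares in
    constant time. cover_config selects which hash definition both sides use."""
    if cover_config:
        expected = hash_i_with_config(SKEYID, G_XI, G_XR, CKY_I, CKY_R,
                                      SAI_B, IDII_B, received_attr_b)
    else:
        expected = hash_i_rfc2409(SKEYID, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)
    return hmac.compare_digest(received_hash, expected)


def tampering_detected(cover_config):
    """Initiator sends an internal address and a DNS server attribute in Phase 1.
    The DNS attribute is altered before it reaches the responder. Returns True
    if the responder rejects the message, i.e. the alteration is detected."""
    attrs_sent = (encode_attr(ATTR_INTERNAL_ADDR, bytes([10, 0, 0, 5]))
                  + encode_attr(ATTR_INTERNAL_DNS, bytes([10, 0, 0, 53])))
    if cover_config:
        h = hash_i_with_config(SKEYID, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B, attrs_sent)
    else:
        h = hash_i_rfc2409(SKEYID, G_XI, G_XR, CKY_I, CKY_R, SAI_B, IDII_B)

    # Same attributes, but with the DNS server value changed in transit.
    attrs_received = (encode_attr(ATTR_INTERNAL_ADDR, bytes([10, 0, 0, 5]))
                      + encode_attr(ATTR_INTERNAL_DNS, bytes([198, 51, 100, 9])))
    return not responder_accepts(h, attrs_received, cover_config)


if __name__ == "__main__":
    print("RFC 2409 HASH_I detects changed attribute:", tampering_detected(False))   # False
    print("augmented HASH_I detects changed attribute:", tampering_detected(True))   # True
```

The same reasoning is why the e-mail prefers carrying the attributes in a separate exchange after Phase 1 is complete: the Informational exchange format of ISAKMP-OAKLEY section 5.7 computes its hash over the payloads that follow the hash payload, so the attributes are covered without changing the Phase 1 HASH_I/HASH_R definitions.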