
Re: comments on ...isakmp-mode-cfg-02





>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
    Scott> The fact of the matter is that if the IPsec suite is to continue
    Scott> to grow and improve, implementations will be (temporarily) broken
    Scott> now and then.  You might be able to make an argument for hacking
  
  Yes, I agree. 

  My proposed vendor ID allows a single vendor to deploy any number of
extensions without having to break interoperability with other vendors.

  I propose that when it comes to writing up new drafts, we will be writing
up ISAKMP v1.1. It isn't clear to me what to do when a responder receives
a packet with a minor version that is *greater* than its own. I think that
one should turn around and initiate with a packet containing major/minor
that one can work with. I.e. the initiator's packet is just "lost", but an
ISAKMP SA is set up.

 [hmm. WAIT:

 o  Minor Version (4 bits) - indicates the minor version of the ISAKMP
    protocol in use.  Implementations based on this version of the ISAKMP
    Internet-Draft MUST set the Minor Version to 0.  Implementations
                                                ***
    based on previous versions of ISAKMP Internet-Drafts MUST set the
    Minor Version to 1.  Implementations SHOULD never accept packets with
                    ***
    a minor version number larger than its own, given the major version
    numbers are identical.

  Aren't the 0/1 minor numbers reversed? Previous == 1, current = 0?]

    Scott> something in temporarily, but when you start going to the trouble
    Scott> of writing drafts, why not design it right?

  I think we are pretty close. 

   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
   Michael Richardson |Network and security consulting and contract programming
 Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
 Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>. 




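The version check discussed in the message above, as an added example that is not part of the original post or of any implementation: it reads the version octet of the ISAKMP fixed header and applies the quoted minor-version rule before any payload is parsed. The function names, the constructed header in `check_sample`, and the choice to reject a differing major version are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISAKMP fixed header (RFC 2408): 8-byte initiator cookie, 8-byte responder
 * cookie, next payload, version octet (major in the high nibble, minor in the
 * low nibble), exchange type, flags, 4-byte message ID, 4-byte length. */
#define ISAKMP_HDR_LEN 28
#define ISAKMP_VER_OFF 17
#define ISAKMP_LEN_OFF 24

enum ver_verdict {
    VER_ACCEPT,          /* same major, peer minor <= ours */
    VER_MALFORMED,       /* short buffer or inconsistent length field */
    VER_MAJOR_MISMATCH,  /* outside the quoted rule; rejected here (assumption) */
    VER_MINOR_TOO_NEW    /* same major, peer minor > ours: do not accept */
};

/* Apply the quoted minor-version rule to a received datagram. */
enum ver_verdict isakmp_check_version(const uint8_t *pkt, size_t len,
                                      unsigned our_major, unsigned our_minor)
{
    if (pkt == NULL || len < ISAKMP_HDR_LEN)
        return VER_MALFORMED;
    uint32_t declared = ((uint32_t)pkt[ISAKMP_LEN_OFF] << 24) |
                        ((uint32_t)pkt[ISAKMP_LEN_OFF + 1] << 16) |
                        ((uint32_t)pkt[ISAKMP_LEN_OFF + 2] << 8) |
                        (uint32_t)pkt[ISAKMP_LEN_OFF + 3];
    if (declared < ISAKMP_HDR_LEN || declared > len)
        return VER_MALFORMED;
    unsigned major = pkt[ISAKMP_VER_OFF] >> 4;
    unsigned minor = pkt[ISAKMP_VER_OFF] & 0x0F;
    if (major != our_major)
        return VER_MAJOR_MISMATCH;
    return minor > our_minor ? VER_MINOR_TOO_NEW : VER_ACCEPT;
}

/* Constructed sample: a header-only message with the given version nibbles. */
enum ver_verdict check_sample(unsigned peer_major, unsigned peer_minor,
                              unsigned our_major, unsigned our_minor)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    memset(pkt, 0, sizeof pkt);
    memset(pkt, 0xA5, 8);                       /* constructed initiator cookie */
    pkt[ISAKMP_VER_OFF] = (uint8_t)((peer_major << 4) | (peer_minor & 0x0F));
    pkt[ISAKMP_LEN_OFF + 3] = ISAKMP_HDR_LEN;   /* length = 28, big-endian */
    return isakmp_check_version(pkt, sizeof pkt, our_major, our_minor);
}
```

`VER_MINOR_TOO_NEW` is the case the message asks about; what the responder does next (drop, or initiate at its own version as proposed above) is left to the caller.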

