Re: ISAKMP - Remaining Issues

["Derrell D. Piper" <ddp@network-alchemy.com>]

RE: mismatch header/payload lengths

If the message header lengths and the payload lengths are inconsistent then
the message MUST be rejected.  Padding issues (whatever they are) MUST be
addressed in the ISAKMP, IKE, and DOI drafts so there should not be any open
interpretation for things like Length > Data.  That's a broken implementation.

RE: padding

I'm slightly confused by the question of padding on payloads.  There has not
been a padding requirement since Munich.

Observation 1: Encypted ISAKMP exchanges will be padded to a cipher block
boundary, per the IKE draft.  This leaves the entire ISAKMP message padded
to something like a quadword alignment, in the normal case.

Observation 2: As for the individual payloads, my belief is that this isn't a
particularly aligned protocol.  Most of the payloads are intrinsically
byte-oriented after the initial header.

As you know, earlier versions of the ISAKMP drafts had stated that each
payload should begin on a longword-aligned boundary.  This was changed around
Munich based on feedback from a number of folks to simply align the entire
message, which really only aligns the unprotected exchanges.

I don't feel that there's a significant processing win to aligning the
individual payloads, but I don't object to that either.  However, we have
changed the draft already once to remove the payload alignment requirement.

So, I'd prefer to keep the draft as currently written.

Derrell

---

Follow-Ups:

• Re: ISAKMP - Remaining Issues
• From: Tero Kivinen <kivinen@ssh.fi>

References:

• ISAKMP - Remaining Issues
• From: wdm@epoch.ncsc.mil (W. Douglas Maughan)

---

• Prev by Date: Re: Hop Limit in Inner Header (IPv6)
• Next by Date: Re: IPsec re-defining IP-in-IP
• Prev by thread: ISAKMP - Remaining Issues
• Next by thread: Re: ISAKMP - Remaining Issues
• Index(es):
  • Main
  • Thread