
Re: isakmp attribute ordering question



  Jeff,

> I have some questions about parsing and constructing SA payloads
> that I was hoping somebody could answer:
> 
> 1) The ISAKMP draft (sec 4.2) says "The responder SHOULD retain the
> Proposal # field in the proposal payload and the Transform # field
> in each Transform payload of the selected proposal". 
> 
> The intent appears to be making it easy for the initiator to determine
> what proposal the responder chose. But since the requirement is SHOULD,
> the initiator can't count on the # fields and therefore needs to
> use other mechanisms, i.e. compare each attribute, right? 

Right. 

> 2) The IKE draft (sec 5) states "Responders MUST NOT modify
> attributes...". Does this mean responders must also maintain
> attribute order within a transform?

No, there are no ordering requirements. 

> 3) The IKE draft (sec 5 next sentence) states "If the initiator of 
> an exchange notices that attribute values have changed..." The term
> "notices" seems to be passive and not require that the initiator
> actually check for changes. Should this sentence be interpreted
> as MUST,SHOULD or MAY check?

Interpret it as a MUST. The initiator's original offers are included in
the authentication to prevent a man-in-the-middle attack but if you don't 
check the response I guess you could be violating your own policy. The
offers and response couldn't be changed by a man-in-the-middle without
detection (either the authentication fails or the two parties fail to
communicate due to mis-negotiation) but you could offer, say 3DES and IDEA
and the responder could respond with DES. Since you didn't offer DES it
would be safe to assume you didn't want to do it for a reason and you
shouldn't then start doing it simply because it was offered back to you.

> Thanks in advance to anyone who comments.

Sure, hope it helps. I guess there's a bit more wordsmithing to do. Groan.

  Dan.
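The check Dan describes, as an added example that is not code from the thread: the initiator matches the responder's selected transform against its own offer attribute by attribute, ignoring attribute order and not trusting the echoed Proposal #/Transform # fields, so a responder that returns DES when only 3DES and IDEA were offered is caught. Attribute names and the offer itself are constructed placeholders standing in for the numeric ISAKMP attribute codes of a real payload.

```python
# Added example (not from the thread): order-insensitive check of the responder's
# selected transform against the initiator's original offer. String attribute
# names stand in for the numeric ISAKMP attribute type/value codes on the wire.
from typing import Dict, List, Optional, Tuple

Attributes = Dict[str, object]            # attribute type -> value; order irrelevant
Transform = Tuple[int, Attributes]        # (Transform #, attributes)
Proposal = Tuple[int, List[Transform]]    # (Proposal #, transforms)


def find_matching_offer(offered: List[Proposal],
                        chosen: Attributes) -> Optional[Tuple[int, int]]:
    """Return (Proposal #, Transform #) of the offered transform whose attributes
    equal the responder's choice, or None if the responder returned something
    that was never offered.  Dict equality compares attribute by attribute and
    ignores the order in which they were encoded.  The #'s the responder echoes
    back are deliberately not used: retaining them is only a SHOULD."""
    for prop_no, transforms in offered:
        for trans_no, attrs in transforms:
            if attrs == chosen:
                return (prop_no, trans_no)
    return None


# Constructed sample offer: 3DES or IDEA, never DES.
OFFER: List[Proposal] = [
    (1, [
        (1, {"ENCR": "3DES-CBC", "HASH": "SHA1", "AUTH": "PSK", "GROUP": 2}),
        (2, {"ENCR": "IDEA-CBC", "HASH": "SHA1", "AUTH": "PSK", "GROUP": 2}),
    ]),
]

# Responder kept the attributes but reordered them (allowed): still matches.
REORDERED: Attributes = {"GROUP": 2, "AUTH": "PSK", "HASH": "SHA1", "ENCR": "IDEA-CBC"}
# Responder substituted DES, which was never offered: policy must reject it.
DOWNGRADED: Attributes = {"ENCR": "DES-CBC", "HASH": "SHA1", "AUTH": "PSK", "GROUP": 2}

if __name__ == "__main__":
    print(find_matching_offer(OFFER, REORDERED))   # (1, 2)
    print(find_matching_offer(OFFER, DOWNGRADED))  # None
```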