[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IKE COMMIT/CONNECTED processing

To: ipsec@tis.com
Subject: IKE COMMIT/CONNECTED processing
From: "Derrell D. Piper" <ddp@network-alchemy.com>
Date: Sat, 13 Jun 1998 11:36:37 -0700
Sender: owner-ipsec@ex.tis.com

Bitheads,

In implementing support for the ISAKMP COMMIT bit and associated CONNECTED
notify message, I uncovered an ambiguity in the ISAKMP draft that I don't
recall reading on this list.

The draft says that a Phase 2 informational exchange should generate its own
message id (Section 4.8, pg. 56).  ISAKMP also defines how a CONNECTED Notify
is sent under an ISAKMP Informational Exchange as a result of the COMMIT bit
(Section 3.1, pp. 24-25).

The ambiguity is whether the ISAKMP Informational with the CONNECTED message
is sent under its own unique message id, per Section 4.8, or whether it's sent
under the associated QM message id.  If the former, there's no way to
associated the message with the particular QM exchange.  If the latter, we're
in violation of section 4.8's guidelines.

Two solutions spring to mind: 

    o  ammend the ISAKMP COMMIT description to state that the message id for
       the CONNECTED Notify MUST be the associated QM message id

    o  ammend the ISAKMP COMMIT description to state that the Notify payload
       for a CONNECTED message MUST contain the associated QM message id

I implemented the first solution because the CONNECTED message is intricately
tied to a previous QM exchange.

Derrell

Prev by Date: Re: Rest of World encryption hardware products?
Next by Date: RE: IKE COMMIT/CONNECTED processing
Prev by thread: I-D ACTION:draft-ietf-ipsec-isakmp-oakley-08.txt
Next by thread: RE: IKE COMMIT/CONNECTED processing
Index(es):
- Main
- Thread