[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE draft - Aggressive mode auth-ted with encryption

To: Yuri Poeluev <ypoeluev@certicom.com>
Subject: Re: IKE draft - Aggressive mode auth-ted with encryption
From: Daniel Harkins <dharkins@cisco.com>
Date: Wed, 12 Aug 1998 07:46:06 -0700
cc: ipsec@tis.com
In-reply-to: Your message of "Tue, 11 Aug 1998 22:36:52 EDT." <Pine.BSF.3.96.980811215650.15076A-100000@eng1.certicom.com>
Sender: owner-ipsec@ex.tis.com

  The draft (RFC?) specifically states that payloads can be in any
order unless otherwise stated. For example, the SA payload has to be
first but after that you can put the KE payload next or the hash next.
What you propose is perfectly fine to do. No need to change anything,
just don't make your implementation expect a certain ordering because
doing it differently is perfectly legal.

  Dan.

On Tue, 11 Aug 1998 22:36:52 EDT you wrote
> Hi,
> 
> I'd like to bring your attention to aggressive mode
> authenticated with public key encryption described in section
> 5.2 in "draft-ietf-ipsec-isakmp-oakley-08.txt".
> 
> >   When using encryption for authentication, Main Mode is defined as
> >   follows.
> >
> >        Initiator                        Responder
> >       -----------                      -----------
> >        HDR, SA                   -->
> >                                  <--    HDR, SA
> >        HDR, KE, [ HASH(1), ]
> >          <IDii_b>PubKey_r,
> >            <Ni_b>PubKey_r        -->
> >                                         HDR, KE, <IDir_b>PubKey_i,
> >                                  <--            <Nr_b>PubKey_i
> >        HDR*, HASH_I              -->
> >                                  <--    HDR*, HASH_R
> >
> >   Aggressive Mode authenticated with encryption is described as
> >   follows:
> >
> >        Initiator                        Responder
> >       -----------                      -----------
> >        HDR, SA, [ HASH(1),] KE,
> >          <IDii_b>Pubkey_r,
> >           <Ni_b>Pubkey_r           -->
> >                                         HDR, SA, KE, <IDir_b>PubKey_i,
> >                                  <--         <Nr_b>PubKey_i, HASH_R
> >        HDR, HASH_I               -->
> >
> 
> Aggressive mode reduces amount of messages in the protocol
> by combining two messages into a single message.
> It would be more reasonable, on my opinion, in aggressive
> mode to keep the same order of payloads as used in main mode.
> It would be easier to remember the payload order as well,
> if we know that the payloads order in the main mode is
> similar. I assume that there might not be the perfect
> rule for each mode of protocol, but we should make it
> so where it is possible.
> 
> I propose that we change
> 
> >        HDR, SA, [ HASH(1),] KE,
> 
> to
> 
> >        HDR, SA, KE, [ HASH(1),]
> 
> 
> I know that it is not very critical for the
> technical part of protocol. However, I think
> there is no point to leave it as it is.
> 
> Thanks.
> 
> Yuri Poeluev
> Certicom Corp.
>

Follow-Ups:

Re: IKE draft - Aggressive mode auth-ted with encryption

From: Yuri Poeluev <YPoeluev@certicom.com>

References:

IKE draft - Aggressive mode auth-ted with encryption

From: Yuri Poeluev <ypoeluev@certicom.com>

Prev by Date: implementation of IPsec
Next by Date: Re: IKE draft - Aggressive mode auth-ted with encryption
Prev by thread: IKE draft - Aggressive mode auth-ted with encryption
Next by thread: Re: IKE draft - Aggressive mode auth-ted with encryption
Index(es):
- Main
- Thread