
more on Message ID of Informational Exchanges, Please comment!


Hi all, I have been reading many comments over the inconsistency of Message ID
of Informational Exchanges on this list, but it looks like there is no consensus
on this issue. Here are my suggestions --

1) All Informational Exchanges should have a unique message ID *EXCEPT*
        o Notification which occurs during, or is concerned with, a Phase 2 negotiation

        o CONNECTED Notify message
2) Those Informational Exchanges that have the same message ID as an on-going
   negotiation MUST be encrypted/decrypted using the running IV of that negotiation.

and I believe it is clear and also easy to implement.

Thanks,
Biao Wang
RouterWare Inc.  


From ISAKMP draft 10
--------------------
"The only exception to this is when the Commit Bit of the ISAKMP Header is set.
When the Commit Bit is set, the Message ID field of the Informational Exchange
MUST contain the Message ID of the original ISAKMP Phase 2 SA negotiation,
rather than a new Message ID (MID). This is done to ensure that the
Informational Exchange with the CONNECTED Notify Message can be associated
with the correct Phase 2 SA."

"Notification which occurs during, or is concerned with, a Phase 2 negotiation
is identified by the Initiator and Responder cookie pair in the ISAKMP Header
and the Message ID and SPI associated with the current negotiation."

From IKE draft 8
--------------------
"After the ISAKMP SA has been authenticated all Informational Exchanges are
encrypted using SKEYID_e. The initialization vector for these exchanges is
derived in exactly the same fashion as that for a Quick Mode -- i.e. it is
derived from a hash of a concatenation of the last phase 1 CBC output block
and the message id from the ISAKMP header of the Informational Exchange (not
the message id from the message that may have prompted the Informational
Exchange)."
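Worked example, added by the editor and not part of Biao Wang's message or of either draft: the IV derivation quoted from the IKE draft (hash of the last Phase 1 CBC output block concatenated with the 32-bit Message ID, truncated to the cipher block size) together with the two-rule Message ID policy proposed above, written as a small Python state machine. Assumptions are marked in the code: the hash name and an 8-byte cipher block are chosen for illustration; the "running IV" of an in-progress Quick Mode is modelled as the last ciphertext block of that negotiation's previous message (the usual CBC chaining in IKE, which the quoted paragraph itself does not spell out); and the IsakmpSa class, its method names and all sample values are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

# Assumption: the negotiated cipher has an 8-byte block (DES/3DES); the IV is
# the hash output truncated to this length.
BLOCK_SIZE = 8


def informational_iv(hash_name: str, last_phase1_cbc_block: bytes,
                     message_id: int, block_size: int = BLOCK_SIZE) -> bytes:
    """IV for a Quick Mode or Informational Exchange that starts a new
    encrypted sequence: hash(last Phase 1 CBC output block || Message ID),
    truncated to the cipher block size, as in the quoted IKE draft text.
    The Message ID is the 32-bit big-endian field of the ISAKMP header."""
    if not 0 <= message_id < 2 ** 32:
        raise ValueError("Message ID is a 32-bit field")
    h = hashlib.new(hash_name)
    h.update(last_phase1_cbc_block)
    h.update(message_id.to_bytes(4, "big"))
    return h.digest()[:block_size]


@dataclass
class IsakmpSa:
    """Per-ISAKMP-SA state needed to pick the IV for an Informational
    Exchange (hypothetical structure, kept minimal for the example)."""
    hash_name: str
    last_phase1_cbc_block: bytes
    # Message ID -> running IV of an in-progress Phase 2 negotiation.
    ongoing: dict = field(default_factory=dict)
    # Every Message ID used on this ISAKMP SA, to enforce rule 1's uniqueness.
    seen_message_ids: set = field(default_factory=set)

    def start_quick_mode(self, message_id: int) -> bytes:
        """A new Phase 2 negotiation derives its first IV exactly as an
        Informational Exchange does (same hash construction)."""
        if message_id in self.seen_message_ids:
            raise ValueError("Message ID already in use on this ISAKMP SA")
        iv = informational_iv(self.hash_name, self.last_phase1_cbc_block, message_id)
        self.ongoing[message_id] = iv
        self.seen_message_ids.add(message_id)
        return iv

    def advance_running_iv(self, message_id: int, last_ciphertext_block: bytes) -> None:
        """Assumed CBC chaining: after a message of an on-going negotiation is
        processed, its last ciphertext block is the running IV for the next."""
        if len(last_ciphertext_block) != BLOCK_SIZE:
            raise ValueError("running IV must be exactly one cipher block")
        self.ongoing[message_id] = last_ciphertext_block

    def finish_negotiation(self, message_id: int) -> None:
        """Once the Phase 2 SA is established, its Message ID is retired."""
        self.ongoing.pop(message_id, None)

    def iv_for_informational(self, message_id: int) -> tuple:
        """Rule 2 from the post: an Informational Exchange carrying the Message
        ID of an on-going negotiation (CONNECTED notify with the Commit Bit, or
        a notification about that negotiation) uses the negotiation's running
        IV. Any other Informational Exchange must carry a fresh Message ID
        (rule 1) and gets a freshly derived IV."""
        if message_id in self.ongoing:
            return ("running", self.ongoing[message_id])
        if message_id in self.seen_message_ids:
            raise ValueError("Informational Exchange reuses a Message ID that is "
                             "not tied to an on-going negotiation")
        self.seen_message_ids.add(message_id)
        return ("fresh", informational_iv(self.hash_name, self.last_phase1_cbc_block, message_id))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    sa = IsakmpSa("md5", bytes.fromhex("0123456789abcdef"))
    qm_iv = sa.start_quick_mode(0x11223344)
    print("Quick Mode first IV:", qm_iv.hex())
    sa.advance_running_iv(0x11223344, bytes.fromhex("a5a5a5a5a5a5a5a5"))
    print("CONNECTED notify IV:", sa.iv_for_informational(0x11223344))
    print("Unrelated notify IV:", sa.iv_for_informational(0x55667788))
```

The point the split into "running" and "fresh" makes explicit is the one the post argues: a receiver can decide which IV to use purely from the Message ID in the cleartext ISAKMP header, before decrypting anything, which is why a unique Message ID for every other Informational Exchange matters.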