Re: issues with IKE that need resolution

[Shawn_Mamros@BayNetworks.COM (Shawn Mamros)]

>     3. Clarification of use of the commit bit in IKE. This will constrain
>	the freeform (and confusing) verbage in the base ISAKMP document.
>	For IKE the commit bit only makes sense in Quick Mode. Most people
>	I spoke to said that they return a "INVALID_FLAGS" notify message
>	if the peer tries to set it in any other mode. They also only use it
>	to extend Quick Mode by a single message-- from the responder back
>	to the initiator. This was its intended use anyway. Also, most
>	people send this message as a final Quick Mode exchange message
>	and not an Informational. The only person I spoke to who did
>	otherwise said Quick Mode made more sense and was going to change.

So that final Quick Mode message would presumably include the "CONNECTED"
Notify payload, right?  Would there also be a Hash payload to authenticate
it?  If so, what goes in that hash?  If people are already implementing
this, it'd be nice to know how it's done...

Also, is the initiator required to send the commit bit in the third Quick
Mode message if it requires the fourth "CONNECTED" message, or does the
responder always need to keep an eye out for it earlier on in the exchange
(perhaps even as early as Phase 1?)?

-Shawn Mamros
E-mail to: smamros@BayNetworks.com

---

Follow-Ups:

• Re: issues with IKE that need resolution
• From: Daniel Harkins <dharkins@cisco.com>

---

• Prev by Date: Re: ike source port (was: issues with IKE that need resolution)
• Next by Date: Re: issues with IKE that need resolution
• Prev by thread: Re: issues with IKE that need resolution
• Next by thread: Re: issues with IKE that need resolution
• Index(es):
  • Main
  • Thread