[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issues with IKE that need resolution

To: Daniel Harkins <dharkins@cisco.com>
Subject: Re: issues with IKE that need resolution
From: Shawn_Mamros@BayNetworks.COM (Shawn Mamros)
Date: Thu, 17 Sep 1998 11:26:01 -0400
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

>> So that final Quick Mode message would presumably include the "CONNECTED"
>> Notify payload, right?  Would there also be a Hash payload to authenticate
>> it?  If so, what goes in that hash?  If people are already implementing
>> this, it'd be nice to know how it's done...
>
>  Yes, it would contain the CONNECTED message. And all Quick Mode messages
>are authenticated with an hmac which is keyed with SKEYID_a (and they're
>all encrypted with SKEYID_e). 

Am I right in assuming that the fourth message looks like this (using
IKE draft notation):

        Initiator                        Responder
       -----------                      -----------
                                  <--    HDR*, HASH(4), Notify
where
       HASH(4) = prf(SKEYID_a, M-ID | Notify)

That would be what I'd expect, but some of the other Quick Mode hashes
require Nonce data from previous messages.  Just want to make it all
explicit, that's all...

-Shawn Mamros
E-mail to: smamros@BayNetworks.com

Follow-Ups:

Re: issues with IKE that need resolution

From: Daniel Harkins <dharkins@cisco.com>

Prev by Date: Re: AH in NAT device
Next by Date: Network World article on IPSec
Prev by thread: Re: issues with IKE that need resolution
Next by thread: Re: issues with IKE that need resolution
Index(es):
- Main
- Thread