
Where should be the CERT payload in IKE ?



Kalyan Chakravarthy Bade writes:
> In section 3.6 of isakmp draft, it is stated that the Certificate payload
> MUST be accepted at any point during an exchange. Whereas in IKE,
> it is given as part of only fifth and sixth messages in the main mode
> exchange. Can we assume that if at all CERT payload is exchanged,
> it is done ONLY in fifth and sixth messages of main mode?

In IKE there are only exchange examples; the pictures are not meant to
be authoritative (for example they never list initial contact etc.
notifications).

The IKE rfc says:
----------------------------------------------------------------------
...
   Exchanges in IKE are not open ended and have a fixed number of
   messages.  Receipt of a Certificate Request payload MUST NOT extend
   the number of messages transmitted or expected.
...
5.1 IKE Phase 1 Authenticated With Signatures
...
   One or more certificate payloads MAY be optionally passed.
...
----------------------------------------------------------------------
so certificates may exist in all messages. Certificate requests may
exist in all other messages except where it would extend the
exchange.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
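As an added illustration of the rule stated in this reply (not code from the thread or from any SSH product), the following Python walks the ISAKMP payload chain of a Phase 1 message and applies the placement rule: a CERT payload is acceptable in any message, while a CERTREQ is flagged only when it sits in the final message of the exchange, since answering it there would require an extra message. The header and payload layouts and type numbers follow RFC 2408; the exchange lengths (6 for main mode, 3 for aggressive mode), the reading of "would extend the exchange" as "the last message", and the sample packets are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

# ISAKMP payload type numbers (RFC 2408 section 3.1)
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}
CERT, CR = 6, 7

# Assumed fixed message counts per Phase 1 exchange type: 2 = Identity
# Protection (main mode, 6 messages), 4 = Aggressive (3 messages).
EXCHANGE_LENGTH = {2: 6, 4: 3}


@dataclass
class Payload:
    ptype: int
    body: bytes


def build_isakmp(exchange_type, payload_list):
    """Assemble a constructed ISAKMP message from (type, body) pairs.
    Cookies are fixed dummy values and Message ID is 0 (Phase 1)."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payload_list):
        nxt = payload_list[idx + 1][0] if idx + 1 < len(payload_list) else 0
        # Generic payload header: Next Payload, RESERVED, Payload Length
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payload_list[0][0] if payload_list else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                      0x10, exchange_type, 0, 0, 28 + len(body))
    return hdr + body


def parse_isakmp(packet):
    """Parse the 28-byte ISAKMP header and walk the payload chain.
    Returns (exchange_type, [Payload, ...]); raises ValueError on
    length inconsistencies so a truncated packet is never half-parsed."""
    if len(packet) < 28:
        raise ValueError("short ISAKMP header")
    (_icky, _rcky, next_payload, _ver, exch, _flags, _msg_id,
     length) = struct.unpack("!8s8sBBBBII", packet[:28])
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    payloads, off = [], 28
    while next_payload != 0:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        payloads.append(Payload(next_payload, packet[off + 4:off + plen]))
        next_payload, off = nxt, off + plen
    if off != len(packet):
        raise ValueError("trailing bytes after last payload")
    return exch, payloads


def check_cert_placement(exchange_type, payloads, msg_number):
    """Apply the thread's rule: CERT anywhere; CERTREQ anywhere except
    the final message, where no further message can carry the reply.
    msg_number is the 1-based position of this message in the exchange."""
    total = EXCHANGE_LENGTH.get(exchange_type)
    if total is None:
        return ["unknown exchange type %d" % exchange_type]
    if not 1 <= msg_number <= total:
        return ["message number %d out of range 1..%d" % (msg_number, total)]
    findings = []
    for p in payloads:
        if p.ptype == CR and msg_number == total:
            findings.append("CERTREQ in message %d of %d cannot be answered "
                            "without extending the exchange" % (msg_number, total))
    return findings


# Constructed sample: main-mode message carrying ID, CERT, CERTREQ, SIG.
# ID body: type 1 (IPv4 addr), proto 0, port 0, then 10.0.0.1.
# CERT/CR bodies: encoding byte 4 (X.509 signature) plus dummy data.
SAMPLE = build_isakmp(2, [
    (5, b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])),
    (CERT, b"\x04" + b"dummy-cert"),
    (CR, b"\x04" + b"dummy-ca-name"),
    (9, b"\x00" * 16),
])


def demo():
    """Same payload set judged as message 5 (fine) and message 6 (flagged)."""
    exch, payloads = parse_isakmp(SAMPLE)
    names = [PAYLOAD_NAMES[p.ptype] for p in payloads]
    return names, check_cert_placement(exch, payloads, 5), \
        check_cert_placement(exch, payloads, 6)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The checker only flags a CERTREQ that can never be answered; it deliberately does not reject CERT payloads in early messages, which matches the reply above rather than the example diagrams.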