Where should be the CERT payload in IKE ?
Kalyan Chakravarthy Bade writes:
> In section 3.6 of the ISAKMP draft, it is stated that the Certificate payload
> MUST be accepted at any point during an exchange. Whereas in IKE,
> it is given as part of only the fifth and sixth messages in the main mode
> exchange. Can we assume that if the CERT payload is exchanged at all,
> it is done ONLY in the fifth and sixth messages of main mode?
In IKE there are only exchange examples; the pictures are not meant to
be authoritative (for example, they never list initial contact etc.
notifications).
The IKE rfc says:
----------------------------------------------------------------------
...
Exchanges in IKE are not open ended and have a fixed number of
messages. Receipt of a Certificate Request payload MUST NOT extend
the number of messages transmitted or expected.
...
5.1 IKE Phase 1 Authenticated With Signatures
...
One or more certificate payloads MAY be optionally passed.
...
----------------------------------------------------------------------
so certificates may exist in all messages. Certificate requests may
exist in all other messages except where it would extend the
exchange.
--
kivinen@iki.fi Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
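The rule the reply arrives at (CERT may appear in any message; CERTREQ in any message except one where answering it would add a message to the fixed-length exchange) as an added, constructed Python example that is not from this thread or from any IKE implementation: it walks an ISAKMP payload chain with length checks, then reports a CERTREQ that lands in the final Main Mode message. Assumptions: only Main Mode (exchange type 2, six messages) is modelled, the caller supplies the message's position in the exchange, and the sample messages are unencrypted constructed bytes.

```python
import struct

ISAKMP_HDR_LEN = 28     # cookies(16) + next(1) ver(1) xchg(1) flags(1) msgid(4) len(4)
GENERIC_HDR_LEN = 4     # next payload(1) reserved(1) payload length(2)
EXCH_MAIN_MODE = 2      # assumption: only Main Mode is modelled
MAIN_MODE_MESSAGES = 6
CERT, CERTREQ, SIG = 6, 7, 9   # ISAKMP payload type numbers

def build_message(exch, payloads):
    """Constructed sample only: assemble an ISAKMP message from (type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack(
        "!BBBBII", first, 0x10, exch, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body

def parse_payload_chain(msg):
    """Return (exchange_type, [(payload_type, body), ...]).
    Every length field is checked so a malformed chain raises, not loops."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_pt, _, exch, _, _, total = struct.unpack("!BBBBII", msg[16:28])
    if total != len(msg):
        raise ValueError("header length does not match message")
    off, out = ISAKMP_HDR_LEN, []
    while next_pt != 0:
        if off + GENERIC_HDR_LEN > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((next_pt, msg[off + GENERIC_HDR_LEN:off + plen]))
        next_pt, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return exch, out

def check_cert_placement(msg, msg_number):
    """CERT is accepted wherever it appears. A CERTREQ in the last message of
    the exchange cannot be answered without extending it, so it is reported."""
    exch, payloads = parse_payload_chain(msg)
    if exch != EXCH_MAIN_MODE:
        raise ValueError("only Main Mode is modelled")
    return ["CERTREQ in final message cannot be answered; ignore it"
            for ptype, _ in payloads
            if ptype == CERTREQ and msg_number == MAIN_MODE_MESSAGES]
```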