Re: Vendor ID issues
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Dan" == Dan Harkins <dharkins@Network-Alchemy.COM> writes:
Dan> I had a similar exchange with Bob over this. I don't know why ICSA
Dan> is testing this stuff. They're having enough trouble just figuring out
Dan> how to test main mode with pre-shared keys! As far as interoperability
Dan> is concerned, if you barf upon receipt of a vendor ID payload you don't
Dan> recognize then you're broken.
They aren't testing it. Rather, they are experiencing the brokenness because
some product does not accept it, but at the time it was tested, nobody
Dan> required vendor ID payload then you can't initiate the mode to it. When
Dan> the I-D advances it can be assigned valid exchange and payload numbers
Dan> by IANA and the verbiage discussing the vendor ID payload to use for
Dan> testing can be dropped. But that didn't happen. :-( Now we have several
It isn't clear to me what one does if one receives an ISAKMP initiator
packet that has a version number greater than one's own.
I think that if you receive minor > ME, that you do not respond, but rather
you initiate again with your major/minor, and the *same* cookies.
I think that if you receive major > ME that you initiate with new cookies.
We have to work this out. I would think that major number increments mean
that major things have changed, i.e. interpretation of payloads, etc.
Dan> The BCP is definitely needed before this is repeated. Can you post it
Dan> to the list?
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | IPsec, VPN, Firewalls, PKI, network design, Unix admin
ON HUMILITY: To err is human, to moo bovine.
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----
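The two interoperability points in this thread, tolerating an unrecognized Vendor ID payload and deciding what to do with an initiator whose ISAKMP version is newer than our own, can be shown as a small responder-side parser. The following is an added example, not code from either correspondent or from any IPsec implementation. It uses the ISAKMP fixed header and generic payload header layouts from RFC 2408 (Vendor ID is payload type 13), implements the version policy exactly as proposed in the message above (minor newer: re-initiate with our version and the same cookies; major newer: re-initiate with new cookies), and assumes our own version is 1.0. The `build_message` helper, the vendor ID strings and the `process_initiator_message` result keys are constructed for the example.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1), 28 bytes:
# initiator cookie (8) | responder cookie (8) | next payload (1) |
# version (1: major in the high nibble, minor in the low nibble) |
# exchange type (1) | flags (1) | message ID (4) | total length (4)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28

PAYLOAD_NONE = 0        # end of the payload chain
PAYLOAD_VENDOR_ID = 13  # Vendor ID payload type (RFC 2408)

OUR_MAJOR, OUR_MINOR = 1, 0  # version this responder implements (assumed)


def version_action(major, minor, our_major=OUR_MAJOR, our_minor=OUR_MINOR):
    """Policy proposed in the message above for a peer version newer than ours.

    Returns one of:
      "reinitiate_new_cookies"  - peer major > ours
      "reinitiate_same_cookies" - same major, peer minor > ours
      "respond"                 - peer version is ours or older
    """
    if major > our_major:
        return "reinitiate_new_cookies"
    if major == our_major and minor > our_minor:
        return "reinitiate_same_cookies"
    return "respond"


def parse_payloads(body, first_type):
    """Walk the generic payload chain: next payload (1) | reserved (1) | length (2).

    Every payload, including types we do not understand, is recorded and
    skipped by its declared length; an unknown type is never a reason to fail.
    Only structural damage (truncation, impossible lengths) raises.
    """
    payloads = []
    offset = 0
    ptype = first_type
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack("!BBH", body[offset:offset + 4])
        if plen < 4 or offset + plen > len(body):
            raise ValueError("payload length outside message")
        payloads.append((ptype, body[offset + 4:offset + plen]))
        offset += plen
        ptype = next_type
    return payloads


def process_initiator_message(raw, known_vendor_ids=()):
    """Classify an initiator's first message: version decision plus payload inventory."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    _icookie, _rcookie, first, ver, _exch, _flags, _msgid, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    if length != len(raw):
        raise ValueError("header length does not match datagram")
    major, minor = ver >> 4, ver & 0x0F
    result = {"version": (major, minor), "action": version_action(major, minor),
              "payload_types": [], "known_vids": [], "unknown_vids": []}
    if result["action"] != "respond":
        return result  # we re-initiate instead of parsing the rest
    for ptype, data in parse_payloads(raw[HEADER_LEN:], first):
        result["payload_types"].append(ptype)
        if ptype == PAYLOAD_VENDOR_ID:
            bucket = "known_vids" if data in known_vendor_ids else "unknown_vids"
            result[bucket].append(data)  # unknown VIDs are noted, not rejected
    return result


def build_message(major, minor, payloads, icookie=b"\x01" * 8, rcookie=b"\x00" * 8,
                  exchange=2):
    """Construct a minimal ISAKMP message for testing (not a captured trace)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack(HEADER_FMT, icookie, rcookie, first, (major << 4) | minor,
                         exchange, 0, 0, HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    # Constructed sample: version 1.0 main-mode initiator carrying two Vendor IDs,
    # only one of which this responder recognizes.
    msg = build_message(1, 0, [(PAYLOAD_VENDOR_ID, b"constructed-vid-A"),
                               (PAYLOAD_VENDOR_ID, b"constructed-vid-B")])
    print(process_initiator_message(msg, known_vendor_ids=(b"constructed-vid-A",)))
    print(process_initiator_message(build_message(1, 1, []))["action"])
    print(process_initiator_message(build_message(2, 0, []))["action"])
```

The design point is that the responder's two checks are separated: the version nibble decides whether we respond at all, and the payload walk never treats "type I do not recognize" as an error, which is exactly the behaviour the thread says a conformant implementation needs.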