
Re: Vendor ID issues


>>>>> "Dan" == Dan Harkins <dharkins@Network-Alchemy.COM> writes:
    Dan>   I had a similar exchange with Bob over this. I don't know why ICSA
    Dan> is testing this stuff. They're having enough trouble just figuring out 
    Dan> how to test main mode with pre-shared keys! As far as interoperability 
    Dan> is concerned, if you barf upon receipt of a vendor ID payload you don't
    Dan> recognize then you're broken.

  They aren't testing it. Rather they are experiencing the brokenness because
some product does not accept it, but at the time it was tested, nobody
sent it.

    Dan> required vendor ID payload then you can't initiate the mode to it. When
    Dan> the I-D advances it can be assigned valid exchange and payload numbers
    Dan> by IANA and the verbiage discussing the vendor ID payload to use for
    Dan> testing can be dropped. But that didn't happen. :-( Now we have several

  It isn't clear to me what one does if one receives an ISAKMP initiator
packet that has a version number greater than one's own.
  I think that if you receive minor > ME, that you do not respond, but rather
you initiate again with your major/minor, and the *same* cookies.
  I think that if you receive major > ME that you initiate with new cookies.
  We have to work this out. I would think that major number increments mean
that major things have changed, i.e. interpretation of payloads, etc.

    Dan>   The BCP is definitely needed before this is repeated. Can you post it 
    Dan> to the list?


   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson | IPsec, VPN, Firewalls, PKI, network design, Unix admin
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
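
An added illustration of the interoperability point in this message (not code from any participant or product discussed): a minimal ISAKMP payload walker, following the RFC 2408 header layout, that records Vendor ID payloads it does not recognize and keeps parsing instead of rejecting the exchange. The vendor ID strings and the sample message are constructed, and what to do with the parsed major/minor version is left to the caller, since the thread leaves that open.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")          # next payload, reserved, length
PAYLOAD_VENDOR_ID = 13                       # RFC 2408 section 3.16
KNOWN_VENDOR_IDS = {b"EXAMPLE-KNOWN-VID"}    # constructed placeholder value


def parse_isakmp(msg):
    """Return (major, minor, payloads, known_vids, unknown_vids)."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    (_icookie, _rcookie, next_pl, version,
     _xchg, _flags, _msgid, length) = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length does not match datagram")
    major, minor = version >> 4, version & 0x0F
    payloads, known, unknown = [], [], []
    off = ISAKMP_HDR.size
    while next_pl != 0:
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("payload header runs past end of message")
        following, _reserved, pl_len = GENERIC_HDR.unpack_from(msg, off)
        # The length field covers the generic header; reject lengths that
        # would loop forever or read past the datagram.
        if pl_len < GENERIC_HDR.size or off + pl_len > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + GENERIC_HDR.size: off + pl_len]
        if next_pl == PAYLOAD_VENDOR_ID:
            # An unrecognized vendor ID is noted and skipped, never an error.
            (known if body in KNOWN_VENDOR_IDS else unknown).append(body)
        payloads.append((next_pl, body))
        next_pl, off = following, off + pl_len
    return major, minor, payloads, known, unknown


def build_sample():
    """Constructed message: SA payload (dummy body) plus two Vendor IDs."""
    chain = [(1, b"\x00" * 8), (13, b"EXAMPLE-KNOWN-VID"), (13, b"some-other-vendor")]
    out = b""
    for i, (_ptype, body) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        out += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    hdr = ISAKMP_HDR.pack(b"I" * 8, b"\x00" * 8, chain[0][0], 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(out))
    return hdr + out
```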