[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Commit Bit Processing

The only thing I can add to the commit bit issues, and I agree with
what you've got, is that there are implementations out there that
are using the commit bit to force the 'fourth' quick mode message
solely for the purposes of causing re-transmission of the third
quick mode message.

This 1) is not it's intent, and 2) doesn't fix the problem, it only
defers it. (It doesn't fix the problem if the 'fourth' quick mode
message is dropped.)

So, if you add to your list:
        o use of the commit bit is not intended to solve re-transmission
          issues associated with dropped quick mode packets.
(or something like that), I'll consider the usage description of
the commit bit closed.

However, as others have pointed out before me, it doesn't solve the
potential denial-of-service attack associated with the use of the bit.

Regardless, I will keep the stuff about the commit bit in my document
for now.

Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@Network-Alchemy.COM]
> Sent: March 31, 1999 12:32 PM
> To: Tim Jenkins
> Cc: Derrell D. Piper; S. B. Kulkarni; ipsec@lists.tislabs.com;
> skelly@redcreek.com; Roy Pereira; kivinen@ssh.fi
> Subject: Re: Commit Bit Processing 
> On Wed, 31 Mar 1999 09:55:09 EST Tim Jenkins wrote
> > 
> > I agree that there's much confusion with this bit. (I would argue
> > that reflecting back the commit bit is wrong, since it implies the
> > initiator also wants to send a CONNECTED notification.)
> > 
> > I'll be releasing an update to the re-keying document within a week,
> > and the commit bit gets a fair amount of discussion in this 
> document.
> A couple of IETFs ago I presented a list of the ambiguities and issues
> associated with IKE/ISAKMP/DOI and the commit bit was one of them. It
> seemed to me that the general consensus was that:
>        o the commit bit made sense only in Quick Mode.
>        o using the commit bit only extends Quick Mode by one message--
>          from the responder back to the initiator.
>        o that it is sent as part of the Quick Mode and not as a
>          separate Informational exchange.