[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: A question on SA establishment in RFC 2408

To: Mike Williams <mikewill@ibm.net>, pau@watson.ibm.com
Subject: RE: A question on SA establishment in RFC 2408
From: Tim Jenkins <tjenkins@TimeStep.com>
Date: Fri, 4 Jun 1999 09:51:25 -0400
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

Even if the responder kept the original proposal # and transform #, wouldn't
it be prudent to check that they match the contents of those that the
initiator sent?

If so, what's the point of keeping the numbers the same? (Other than a
faster lookup for comparison?) You still have to check the contents of the
returned proposal against your policy again anyway...

Or is this too paranoid?

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Mike Williams [mailto:mikewill@ibm.net]
> Sent: June 4, 1999 9:42 AM
> To: pau@watson.ibm.com
> Cc: ipsec@lists.tislabs.com
> Subject: Re: A question on SA establishment in RFC 2408
> 
> 
> We ran into this at the bakeoff last week.....
> 
> This would provide value if it was required that the 
> responder retain the
> Proposal # and Transform #.  Since it is only suggested as a 
> SHOULD and since
> we have found several implementations that have not followed this
> recommendation, it provide little if no value.
> 
> Take for example the situation where the initiator proposes 3 
> proposals, each
> having 4 transforms and the responder chooses transform #3 in 
> proposal #2.
> Most implementations followed the recommendation and would 
> send back an SA
> payload with a single proposal payload with a proposal #2 
> containing a single
> transform payload with a transform #3.  Others did not follow this
> recommendation and would return the contents of proposal #2 
> and transform #3,
> however numbering them proposal #1 and transform #1. Given 
> this different
> behavior, the initiator has very little choice other than to 
> go back through
> all proposed proposals and transforms with the reply looking 
> for a match.
> 
> Mike Williams
> 
> IBM AS4/00 TCP/IP Development
> 
> 
> 
> pau@watson.ibm.com wrote:
> 
> >  My apology if this question has been raised before.
> >
> >    Section 4.2 of RFC2408 (the ISAKMP RFC) describes SA 
> establishment,
> >    in its last paragraph before section 4.2.1, it states :
> >
> >      ".......The responder
> >       SHOULD retain the Proposal # field in the Proposal 
> payload and the
> >       Transform # field in each Transform payload of the 
> selected Proposal.
> >       ..."
> >
> >    My question is about the word "SHOULD". This word means 
> the responder
> >    does not have to retain the proposal and transform 
> numbers. If it does
> >    not retain the numbers, then what numbers should be used in the
> >    "proposal number" and "transform number" fields in the 
> proposal and
> >    transform payloads sent from the responder to the initiator ?
> >
> >    A related and more fundamental question is that how the initiator
> >    could determine if the responder retains the numbers or not ?
> >
> >  Thanks in advance.
> >
> >  Pau-Chen
>

Prev by Date: Re: A question on SA establishment in RFC 2408
Next by Date: RE: A question on SA establishment in RFC 2408
Prev by thread: Re: A question on SA establishment in RFC 2408
Next by thread: RE: A question on SA establishment in RFC 2408
Index(es):
- Main
- Thread