
notify message payloads



Scott G. Kelly writes:
> I have a couple of questions. First, what prompted the selection of the
> attribute numbers? I can't find any defined attribute types in the
> isakmp doc, and all it says about them is 
> 
>     o  Attribute Type (2 octets) - Unique identifier for each type of
>        attribute.  These attributes are defined as part of the DOI-
>        specific information.

So for notifications I would say the attribute types have a separate
name space, and the name space used might depend on the notification
type itself.

For example, if the notification type was defined in the DOI document,
the name space of the attribute types belongs to that document. So
when the IPSEC DOI defines the RESPONDER-LIFETIME notification, it defines
that the name space for the data attributes inside the notification
data is the IPSEC DOI SA data attributes.

> In the DOI doc, the only attributes defined are SA attrs. As I see it,
> there are two issues here. First, there are (apparently) no attributes
> defined for DOI zero (0), though some of our notify messages clearly
> could be outside of the ipsec doi. Second, the attributes defined for
> the ipsec doi aren't yet segregated into attribute classes. I guess you
> could argue that they *are* since there is currently only one class :-)
> but on the other hand, there is no mechanism defined for adding new
> attributes in a manner which ensures adequate contiguous number space
> for existing attr class expansion, etc.

I think we can just define our own "ISAKMP Notification Attributes" in
the "Content Requirements for ISAKMP Notify Messages" document. We
should then leave that newly created name space to IANA. 

> The IKE document says
> 
>    11.1 Attribute Classes
> 
>    Attributes negotiated in this protocol are identified by their class.
>    Requests for assignment of new classes must be accompanied by a
>    standards-track RFC which describes the use of this attribute.
> 
> but I did a quick search at IANA and didn't find any attribute classes
> defined (not even for the ipsec doi). I guess I could have missed
> something, in which case someone can correct me, but otherwise, we need
> to figure out what to do about this.

The IKE document describes the attribute classes (== attribute types)
in Appendix A for the Phase 1 SA payload. The IPSEC DOI defines
the attribute types for the quick mode SA.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
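As an added example (not code from this message or from the draft under discussion), the following parser treats the data attributes inside a notify payload the way Tero describes: the attribute type numbers mean nothing until the notification type has selected a name space, and an unknown type in that name space is rejected rather than guessed at. The RESPONDER-LIFETIME number and the IPSEC DOI SA attribute numbers are taken from RFC 2407, the TV/TLV attribute encoding from RFC 2408 section 3.3; the sample payload is constructed.

```python
import struct

# RFC 2407 section 4.6.3: IPSEC DOI status notification type.
RESPONDER_LIFETIME = 24576

# RFC 2407 section 4.5: the IPSEC DOI SA attribute types that the
# RESPONDER-LIFETIME notification borrows for its data attributes.
IPSEC_SA_ATTRS = {1: "SA Life Type", 2: "SA Life Duration"}
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}

# Name-space selection keyed on the notification type: a receiver must
# consult this before it can interpret any attribute type number.
NAMESPACE_BY_NOTIFY = {RESPONDER_LIFETIME: IPSEC_SA_ATTRS}


def parse_data_attributes(data):
    """Parse RFC 2408 section 3.3 data attributes. The high bit (AF) of
    the 2-octet type selects TV (value in the next 2 octets) or TLV
    (next 2 octets are a length, followed by the value)."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        af, attr_type = raw_type >> 15, raw_type & 0x7FFF
        if af:
            value = second                      # TV: value is inline
        else:                                   # TLV: bounds-check length
            if len(data) - off < second:
                raise ValueError("attribute length exceeds payload")
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs.append((attr_type, value))
    return attrs


def decode_notify(notify_type, data):
    """Map raw attributes to names using the notification's name space."""
    names = NAMESPACE_BY_NOTIFY.get(notify_type)
    if names is None:
        raise ValueError("no attribute name space for notify type %d" % notify_type)
    result = {}
    for attr_type, value in parse_data_attributes(data):
        if attr_type not in names:
            raise ValueError("unknown attribute type %d" % attr_type)
        name = names[attr_type]
        result[name] = LIFE_TYPES.get(value, value) if name == "SA Life Type" else value
    return result


# Constructed sample: SA Life Type = seconds (TV), SA Life Duration = 28800 (TLV, 4 octets).
SAMPLE = bytes([0x80, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x70, 0x80])
```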