[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: inconsistencies in IKE specs

To: John Shriver <jas@shiva.com>, ipsec@lists.tislabs.com
Subject: Re: inconsistencies in IKE specs
From: Wang Huaibo <whb60292@mail1.sjtu.edu.cn>
Date: Thu, 26 Aug 1999 13:45:06 +0800
References: <199908241817.OAA07246@brill.shiva.com>
Sender: owner-ipsec@lists.tislabs.com



John Shriver wrote:

> There are notational inconsistencies about the Phase 2 (Quick Mode)
> identities in IKE.  These exist in both RFC 2409, and in
> draft-ietf-ipsec-ike-01.txt.
>
> In RFC 2409, they are initially defined as IDui and IDur.  But, when
> used, they are cited as IDci and IDcr.
>
> In the I-D versions, they are initially defined as ID_i2 and ID_r2.
> But, when cited, they are still cited as IDci and IDcr.  (Perhaps the
> victim of search & replace blindness to the prior error.)
>
> Also, is there any restriction on the allowable Identification Type
> for a Phase 2 identity?  Would ID_IPV4_ADDR_RANGE be allowable?  That
> would be defining an SA for a range of IP addresses, all using the
> same SPI.  What would it possibly mean to have a Phase 2
> Identification Type of ID_FQDN?!
>
> Personally, I think it would make a great deal of sense to say that
> Phase 2 ID's may only be ID_IPV4_ADDR or ID_IPV6_ADDR.  I'd really
> love to see more MUST NOT's in these specs.

I agree with you.

I think that there are many other needs of MUST NOT and MUST in these
specs.
o    there must be security policy for ISAKMP SA's setup.between two SGW,

      what kind of SA should be built during phase I negotiation?for
phase II
      negotiation,should I check whether the ISAKMP SA which carries on
the
      communication is security enough?if different protocol SAs' setup
between
     two SGW need different ISAKMP SA,such problem arises.

o   how to prepare the list of SA proposals? the intiator list proposals
in
     descending order of his perference , how my ISAKMP daemon know
      such preference?
     is it implepmentation dependent?

o   Can I take it for granted that when I start a phase I negotiation,
each SA
     proposal should list only one protocol(e.g. ISAKMP)?logically
speaking,
     it is so.

o   during a session, if I receiv a message with different Exhange
Type(other
     than  Information Exhange Type),should I drop the message or cancel
the
     session?

    Acrobat
    Today

References:

inconsistencies in IKE specs

From: John Shriver <jas@shiva.com>

Prev by Date: RE: Weak authentication in Xauth and IKE, CMC token enroll
Next by Date: Re: attack on identity protection in IKE
Prev by thread: Re: inconsistencies in IKE specs
Next by thread: RE: inconsistencies in IKE specs
Index(es):
- Main
- Thread