
Re: suggested clarification regarding port handling in ike



   From: Gabriel.Montenegro@eng.sun.com (Gabriel Montenegro)
   Date: Sun, 21 Nov 1999 10:31:09 -0800

   >IKE uses ISAKMP as a transport and it seems to me that any verbiage
   >needed to clarify the use of that transport should go in a son-of-ISAKMP
   >draft.

   i hate to admit it, but i tend to agree with you here. the only reason
   i suggested putting in ike is that it is currently under revision,
   whereas isakmp is not. unless, of course, ted and the isakmp folks
   know something we don't. i don't think this clarification justifies
   opening up isakmp or doi again, so if it doesn't go in the new ike,
   it probably won't make it anywhere.

   ted? perhaps an addition to section 2.5.1 (transport protocol) in 
   isakmp (rfc2408)? btw, there's also related text in the DOI.

Umm...  I don't think this is an ISAKMP issue at all.  The definition of the
ID Payload is in the DOI documentation.  At the ISAKMP level, the fact
that you put IP addresses and Port numbers in an ID payload doesn't come
up at all.  All ISAKMP has to say about the matter is as follows:

>   ISAKMP can be implemented over any transport protocol or over IP
>   itself.  Implementations MUST include send and receive capability for
>   ISAKMP using the User Datagram Protocol (UDP) on port 500.  UDP Port
>   500 has been assigned to ISAKMP by the Internet Assigned Numbers
>   Authority (IANA). Implementations MAY additionally support ISAKMP
>   over other transport protocols or over IP itself.

What goes into the ID Payload if you use UDP port 500 versus some other
UDP port, versus TCP/IP, etc. isn't something for the ISAKMP document to
define; I'm not sure how you would even add that to the ISAKMP document
without dragging in all sorts of IKE specific issues into it.

Perhaps some folks are seeing something I'm not seeing, but I don't see
why it shouldn't be an IKE/DOI issue.  That being said, if there are
enough reasons why we think we want to reopen IKE (such as a
clarification about how to do IKE extensions, etc.), we can do so.

						- Ted
