
Re: DOI field in ISAKMP



>As I understand it the value 1 means that current ISAKMP instantiation
>is IPSec. What would value 0 mean?

ISAKMP theoretically allows you to negotiate SAs under multiple DOIs in a
single negotiation.  One might, it was argued, want to use a value of zero
when you're using ISAKMP in this manner.  The idea would be that the ISAKMP
Notify isn't necessarily tied to any of the underlying DOIs being negotiated.

In practice, most everyone uses the IPSEC DOI in their Notify messages, though
I do know of one vendor who sends zero, and I recently fixed my implementation
to accept zero.  If you do accept zero, you should ensure that whatever
message is received with zero cannot affect any of the IPSEC SAs.  If you
want to target something negotiated under the IPSEC DOI then you MUST use the
IPSEC DOI in the Notify message.

Derrell
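The rule above, as an added example that is not from the post or from any vendor's implementation: parse the ISAKMP Notification payload body (RFC 2408 section 3.14) and gate on the DOI so that a DOI of 0 is accepted but can never touch an IPsec SA, while only DOI 1 may name an SA negotiated under the IPsec DOI. The SA table shape, the return strings and the sample payloads are constructed assumptions.

```python
import struct

IPSEC_DOI = 1          # RFC 2407 assigns DOI value 1 to IPsec
PROTO_IPSEC_ESP = 3    # RFC 2407 Protocol-ID for ESP
INVALID_SPI = 11       # RFC 2408 Notify Message Type INVALID-SPI


def parse_notify(body: bytes) -> dict:
    """Parse an ISAKMP Notification payload body (RFC 2408 section 3.14):
    DOI(4) | Protocol-ID(1) | SPI Size(1) | Notify Message Type(2) | SPI | Data.
    'body' excludes the 4-byte generic payload header."""
    if len(body) < 8:
        raise ValueError("notify payload shorter than fixed header")
    doi, proto, spi_size, msg_type = struct.unpack("!IBBH", body[:8])
    if len(body) < 8 + spi_size:
        raise ValueError("SPI field truncated")
    return {"doi": doi, "protocol_id": proto, "msg_type": msg_type,
            "spi": body[8:8 + spi_size], "data": body[8 + spi_size:]}


def handle_notify(body: bytes, ipsec_sas: dict) -> str:
    """Policy from the post: DOI 0 is accepted as a generic ISAKMP notify
    but must never affect an IPsec SA; only DOI 1 may name an SA negotiated
    under the IPsec DOI. 'ipsec_sas' (assumed shape) maps
    (protocol_id, spi) -> state string and is updated in place."""
    n = parse_notify(body)
    if n["doi"] == 0:
        # Generic notify: log it, ignore any Protocol-ID/SPI it carries.
        return "generic-notify, no SA affected"
    if n["doi"] != IPSEC_DOI:
        return "unsupported DOI %d, ignored" % n["doi"]
    key = (n["protocol_id"], n["spi"])
    if key not in ipsec_sas:
        return "no matching IPsec SA, ignored"
    if n["msg_type"] == INVALID_SPI:
        ipsec_sas[key] = "invalid"      # peer says it does not know this SPI
        return "IPsec SA marked invalid"
    return "IPsec notify type %d for known SA" % n["msg_type"]


def build_notify(doi: int, proto: int, msg_type: int, spi: bytes) -> bytes:
    """Constructed helper: encode a notify body for the parser above."""
    return struct.pack("!IBBH", doi, proto, len(spi), msg_type) + spi


if __name__ == "__main__":
    spi = b"\x00\x00\x12\x34"                       # constructed sample SPI
    sas = {(PROTO_IPSEC_ESP, spi): "active"}
    print(handle_notify(build_notify(0, PROTO_IPSEC_ESP, INVALID_SPI, spi), sas), sas)
    print(handle_notify(build_notify(1, PROTO_IPSEC_ESP, INVALID_SPI, spi), sas), sas)
```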


