
RE: Use of Encryption in Keepalive Packets



Hi Dan,

>   Have you spoken to any of the other vendors that have implemented
> proprietary keepalive functions? It would be nice to incorporate any
> insight they might've gotten into your draft.

I based my draft on the comments I received during the December thread on
this list and on private discussions with interested parties.

>   Also, please do not take magic numbers you need from the "Reserved to
> IANA" (or reserved to anyone else for that matter) numberspace. And
> include a value to put in a vendor ID payload to identify a consenting
> party. I know of one vendor that includes the keepalive value in its
> vendor ID payload as a way to "negotiate" to the lowest acceptable value.

Don't worry about the IANA issues. I took all values from the private range
and used a vendor id. I know that we (TimeStep) haven't always been thorough
in that regard, but this will change.

The idea of using vendor IDs to "negotiate" values drew a lot of criticism
last time this topic was broached. So instead I used Config Mode.

I know that the people who don't like the DHCP-like features of Config Mode
might object to this, but shoe-horning another protocol (e.g. vendor ids,
ack'ed notifies) into performing negotiation seemed too kludgy.

So if you don't want to support DHCP via Config Mode then just don't
implement those attributes.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.


> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@Network-Alchemy.COM]
> Sent: Tuesday, March 07, 2000 3:09 PM
> To: akrywani@newbridge.com
> Cc: 'Tero Kivinen'; 'Chris Trobridge'; 'IPSEC Mailing List @ tis labs'
> Subject: Re: Use of Encryption in Keepalive Packets
>
>
>   Have you spoken to any of the other vendors that have implemented
> proprietary keepalive functions? It would be nice to incorporate any
> insight they might've gotten into your draft.
>
>   Also, please do not take magic numbers you need from the "Reserved to
> IANA" (or reserved to anyone else for that matter) numberspace. And
> include a value to put in a vendor ID payload to identify a consenting
> party. I know of one vendor that includes the keepalive value in its
> vendor ID payload as a way to "negotiate" to the lowest acceptable value.
>
>   Dan.
>
> On Tue, 07 Mar 2000 14:28:34 EST you wrote
> > (For those who may be wondering, Tero's numbers are based on the packet
> > format which I am planning to use in my forthcoming draft.)
> >
> > If anyone has any further comments, please send them ASAP, as I plan to
> > submit the draft later today.
>


