
RE: Commit Bit



Hello,

I have some queries regarding the commit bit.

RFC 2408 states that -
"The Commit Bit can be set (at anytime) by either party participating in 
the SA establishment, and can be used during both phases of an ISAKMP SA 
establishment. However, the value MUST be reset after the Phase 1 
negotiation."

1. What is the use of setting the commit bit in Phase 1 negotiation,
because it has to be reset after the completion of Phase 1 negotiation?

2. What will be the behavior when the responder has set the commit bit in
the Phase 2 negotiation? Will it wait for the receipt of the NOTIFY
payload with CONNECTED Notify message?

3. Also, since the setting of the commit bit requests the other end (peer) to
wait until the receipt of the NOTIFY payload with CONNECTED Notify message,
this has to be communicated to IPsec so that no packets are dropped. How is
this taken care of? Do we need to define a PF_KEY message to serve this
purpose?

Regards
Ruheena.

Ruheena Rashid
Software Engineer
Future Software Pvt. Ltd.
Nandanam
Chennai


-----Original Message-----
From:	antonio.barrera@nokia.com [SMTP:antonio.barrera@nokia.com]
Sent:	Monday, June 05, 2000 1:33 PM
To:	ipsec@lists.tislabs.com
Subject:	RE: Commit Bit

So the Commit bit is set in the last message of the initiator QM3 only.
If the other side doesn't support the Commit bit, then we can begin sending
packets after a certain timer, can't we?
I mean because we won't receive any CONNECT message in return.

Toni


-----Original Message-----
From: EXT Stephane Beaulieu [mailto:stephane@cisco.com]
Sent: 02. June 2000 17:14
To: antonio.barrera@nokia.com; ipsec@lists.tislabs.com
Subject: Re: Commit Bit


Hi Toni,

The commit bit is used because the initiator of QM has an IPsec SA set up
before the responder does.

The initiator has the IPsec SA set up as soon as he sends QM3, whereas the
responder doesn't have his IPsec SA set up until he processes QM3.

If the responder is a slow machine, or is overloaded, it could take a while
to process QM3, and therefore could take a while to set up the IPsec SA.

If the initiator sends an ESP packet to the responder right after sending
QM3, the responder may not be ready to process it (or it could arrive out of
order).

So, the commit bit was introduced to give the responder a method of telling
the initiator "OK, my SA is set up now", so that no packets were dropped due
to the timing issues described above.

Stephane.

----- Original Message -----
From: <antonio.barrera@nokia.com>
To: <ipsec@lists.tislabs.com>
Sent: Friday, June 02, 2000 8:30 AM
Subject: Commit Bit


> Could someone give me an example of the usefulness of the Commit Bit
> in IKE?
> I've read the RFC 2408 explaining how it works but I can't understand
> completely its use.
> A small example would clarify me a lot how it works. Just need to know
> exactly when it's set and reset and when to send the CONNECT informational
> message.
> I understand the bit must be set when the ISAKMP SA is established
> and reset after the phase I as it says in the RFC, but I can't see exactly
> what do we win using it.
> I know the subject was discussed some time ago but I haven't been
> able to find a clear answer to my doubts.
> Thanks and sorry for the inconvenience.
>
> Toni Barrera
>
>
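
Added example, not part of the original thread and not any participant's or vendor's code: a Python sketch of the timing issue Stephane describes, in which the initiator holds ESP traffic on the new SA after QM3 until the peer that set the commit bit sends CONNECTED. The class, method and helper names are hypothetical; the header layout, flag bits and CONNECTED value (16384) follow RFC 2408, the Quick Mode exchange type (32) follows RFC 2409, and the notify is assumed to be already decrypted, authenticated and matched to this SA.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, length = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04
XCHG_INFORMATIONAL, XCHG_QUICK_MODE = 5, 32
NOTIFY_CONNECTED = 16384  # CONNECTED status type (RFC 2408)


def parse_header(packet: bytes) -> dict:
    """Decode the fixed ISAKMP header and expose the commit bit."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, _, _, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(packet)
    if length < ISAKMP_HDR.size or length > len(packet):
        raise ValueError("bad ISAKMP length field")
    return {"exchange": xchg, "message_id": msgid, "commit": bool(flags & FLAG_COMMIT)}


class QuickModeInitiator:
    """Hypothetical initiator-side gate: hold outbound traffic on the new
    IPsec SA until the peer that set the commit bit sends CONNECTED."""

    def __init__(self, message_id: int):
        self.message_id = message_id
        self.peer_set_commit = self.qm3_sent = self.connected = False

    def on_qm2(self, packet: bytes) -> None:
        hdr = parse_header(packet)
        if hdr["exchange"] == XCHG_QUICK_MODE and hdr["message_id"] == self.message_id:
            self.peer_set_commit = hdr["commit"]

    def on_qm3_sent(self) -> None:
        self.qm3_sent = True

    def on_notify(self, notify_type: int) -> None:
        # Assumption: notify already decrypted, authenticated, matched to this SA.
        if notify_type == NOTIFY_CONNECTED:
            self.connected = True

    def may_send_esp(self) -> bool:
        return self.qm3_sent and (self.connected or not self.peer_set_commit)


def build_header(xchg: int, flags: int, msgid: int) -> bytes:
    """Constructed sample header with dummy cookies and no payloads."""
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 0, 0x10, xchg, flags, msgid, ISAKMP_HDR.size)
```

The sketch leaves out the timer for a peer that never sends CONNECTED, which Toni asks about above; a real implementation needs a policy for that case.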