
RE: problems with draft-jenkins-ipsec-rekeying-06.txt



| From: Tim Jenkins <TJenkins@Catena.com>

In this message, I'll deal only with one key point Tim makes:

| Your justification is that message IDs are required by the RFCs
| to be unique.
| 
| I am unable to find such a requirement. RFC 2408 section 3.1 only says "This
| value is randomly generated by the initiator of the Phase 2 negotiation." In
| practice, this may mean that it is unique, but it's not a requirement.

On 2000 June 20, I sent a message to the list with the subject
"uniqueness of Message IDs and related issues".  It dealt with this topic
in detail.  I'll cut and paste a few bits of it here.  For more
complete coverage, have a look at the original message.

RFC2408 "ISAKMP" 3.1 "ISAKMP Header Format" (near end) states that
the Message ID must be unique:

    o  Message ID (4 octets) - Unique Message Identifier used to
       identify protocol state during Phase 2 negotiations.  This value
       is randomly generated by the initiator of the Phase 2
       negotiation.  In the event of simultaneous SA establishments
       (i.e.  collisions), the value of this field will likely be
       different because they are independently generated and, thus, two
       security associations will progress toward establishment.
       However, it is unlikely there will be absolute simultaneous
       establishments.  During Phase 1 negotiations, the value MUST be
       set to 0.


... from RFC2409 "IKE", section 5.5
"Phase 2 - Quick Mode":

   The message ID in the ISAKMP header identifies a Quick Mode in
   progress for a particular ISAKMP SA which itself is identified by the
   cookies in the ISAKMP header.

But another part, 5.7 "ISAKMP Informational Exchanges" says:

   As noted the message ID in the ISAKMP header-- and used in the prf
   computation-- is unique to this exchange and MUST NOT be the same as
   the message ID of another phase 2 exchange which generated this
   informational exchange.

This does not qualify "unique" in any way.  It does clearly use the
admonition "MUST NOT".

Hugh Redelmeier
hugh@mimosa.com  voice: +1 416 482-8253
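As an added illustration (not part of the original message, nor code from any IKE implementation), this is how the cited RFC text reads when turned into responder-side state handling: a per-ISAKMP-SA table keyed by Message ID, with the "unique" and "MUST NOT be the same as" checks enforced, and 0 reserved for Phase 1. The class and method names are my own assumptions.

```python
import os
import struct

PHASE1_MESSAGE_ID = 0  # RFC 2408 3.1: Message ID MUST be 0 during Phase 1


class IsakmpSaState:
    """Phase 2 exchange state for one ISAKMP SA, itself identified by its cookie pair
    (RFC 2409 5.5). Hypothetical class written for this illustration."""

    def __init__(self, initiator_cookie: bytes, responder_cookie: bytes):
        self.cookies = (initiator_cookie, responder_cookie)
        self.exchanges = {}  # message_id -> kind of exchange in progress on this SA

    def new_message_id(self) -> int:
        # Initiator side: a random 4-octet value (RFC 2408 3.1), re-drawn if it is
        # the reserved Phase 1 value or already in use on this SA, so it stays unique.
        while True:
            mid = struct.unpack("!I", os.urandom(4))[0]
            if mid != PHASE1_MESSAGE_ID and mid not in self.exchanges:
                return mid

    def _register(self, message_id: int, kind: str) -> bool:
        # Common acceptance check: Phase 2 never uses 0, and a Message ID that is
        # already identifying another exchange on this SA cannot be reused.
        if message_id == PHASE1_MESSAGE_ID or message_id in self.exchanges:
            return False
        self.exchanges[message_id] = kind
        return True

    def start_quick_mode(self, message_id: int) -> bool:
        # The Message ID identifies a Quick Mode in progress on this SA (RFC 2409 5.5).
        return self._register(message_id, "quick-mode")

    def start_informational(self, message_id: int, triggering_qm_id: int) -> bool:
        # RFC 2409 5.7: MUST NOT equal the Message ID of the Quick Mode that generated it.
        if message_id == triggering_qm_id:
            return False
        return self._register(message_id, "informational")

    def lookup(self, message_id: int):
        # Which exchange (if any) an incoming Phase 2 message belongs to.
        return self.exchanges.get(message_id)

    def finish(self, message_id: int) -> None:
        # Release the Message ID once the exchange completes or is abandoned.
        self.exchanges.pop(message_id, None)
```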


