[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: problems with draft-jenkins-ipsec-rekeying-06.txt
| From: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
| Date: Thu, 13 Jul 2000 15:21:40 -0400
| Hugh:
|
| > As noted the message ID in the ISAKMP header-- and used in the prf
| > computation-- is unique to this exchange and MUST NOT be the same as
| > the message ID of another phase 2 exchange which generated this
| > informational exchange.
| >
| > This does not qualify "unique" in any way. It does clearly use the
| > admonition "MUST NOT".
|
| As I mentioned several weeks ago, your statement here is misleading. The
| "MUST NOT" clause only applies to the statement that the informational
| exchange shoudn't use the same message id AS THE QM WHICH (PRESUMABLY)
| CAUSED IT TO BE GENERATED.
What I said about this quote from RFC2409 did not clearly communicate
what I meant. Sorry. Let me try again.
The sentence is best understood as two separate assertions.
| > As noted the message ID in the ISAKMP header-- and used in the prf
| > computation-- is unique to this exchange
The Message ID of the exchange is unique.
| > and MUST NOT be the same as
| > the message ID of another phase 2 exchange which generated this
| > informational exchange.
The MUST NOT is reinforcing an implication of the first part: that the
Message ID on an Informational Exchange won't be the same as the
Message ID of another Phase 2 exchange which generated the
Informational Exchange. This needs to be reinforced because sharing
a Message ID in this case would help connect the Informational
Exchange to the Phase 2 exchange that generated it.
So this use of MUST NOT does not enforce uniqueness in general, only
in this particular case. But it contradicts any interpretation
that "unique" means nothing.
There is still the use of "unique" that I pointed out in RFC2408. RFC2408
"ISAKMP" 3.1 "ISAKMP Header Format" (near end) states that the Message ID
must be unique, without further qualification:
o Message ID (4 octets) - Unique Message Identifier used to
identify protocol state during Phase 2 negotiations. This value
is randomly generated by the initiator of the Phase 2
negotiation. In the event of simultaneous SA establishments
(i.e. collisions), the value of this field will likely be
different because they are independently generated and, thus, two
security associations will progress toward establishment.
However, it is unlikely there will be absolute simultaneous
establishments. During Phase 1 negotiations, the value MUST be
set to 0.
| As for your clear misinterpretation of the word "unique", let's go straight
| to the source. Take a look at the passage I have blocked off and you will
| see how the words "unique to" are commonly interpreted.
|
| According to Webster:
| _______________________________________________________
|
| b : distinctively characteristic : PECULIAR 1 <this is not a condition
| unique to California -- Ronald Reagan>
| _______________________________________________________
I'm having trouble applying this interpretation to the quote from
RGC2409. Are you claiming that the quote means that only
Informational Exchanges have Message IDs? That is easy to refute :-)
Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253
Follow-Ups:
References: