
Re: exchange type 6?



  Implementors of XAUTH will be in for a huge compatibility nightmare
as _they_ will be the ones at fault. Then they'll have to do the same 
thing that people did who erroneously assumed that RIPEMD-160 would
be awarded the value 5.

  It might be a fait accompli if this was news but the improper use of 
this exchange type was discussed over 2 years ago when the number of 
people implementing XAUTH (or mode config or whatever) was enough to 
count on one hand and still be able to simultaneously pick your nose
and suck your thumb. So now all these vendors ignored that fact and 
chose to implement it as 6 anyway and it's supposed to be OK? Saying, 
"but everyone's doing it" never worked for me. Has it ever worked for 
anyone else?

  We've already had a case where magic numbers were improperly assigned 
to new Diffie-Hellman groups and now the improper use of a still reserved
number is supposed to be condoned? Can you explain when these rules are 
really supposed to matter? 

  Dan.

On Wed, 21 Feb 2001 20:34:25 PST you wrote
> At the last bakeoff, it seemed like every commercial vendor I spoke with
> was implementing both config mode and xauth.  Most had one or both
> already, others were hard at work on it and all were eager to test it.
> 
> There's got to be a point at which a working group decision not to endorse
> something has to take into account the fact that most deployed
> implementations of the standard are in fact using exchange type 6 for this
> purpose (quite happily I believe), and that efforts to deny that are at
> this point just not going to be fruitful and only add confusion to the
> working group. Were a different standard to be allocated that exchange
> type in the future, implementors of said standard would be in for a huge
> compatibility nightmare. For better or worse, these drafts have been mass
> deployed by many vendors, and that seems very unlikely to slow down.
> 
> 
> 
> Stephen Kent wrote:
> > 
> > At 5:24 PM -0500 2/21/01, Andrew Krywaniuk wrote:
> > >  >   Don't you think that the response Derrell received should
> > >  > be the response
> > >  > you receive?
> > >
> > >No, I thought the WG and IANA should have accommodated Derrell's request.
> > >
> > >I believe it is more important to be sensible than to be consistent. Others
> > >may disagree.
> > >
> > >Reserving exchange mode 6 doesn't mean the WG has to give credence to config
> > >mode. They can allocate it as "deprecated" for all I care.
> > >
> > 
> > I tend to agree with Dan here, although there is legitimate room for
> > disagreement. Formally allocating a number to a proposed anything
> > gives it credence in the eyes of many users. Some folks feel that
> > it's OK to do this allocation even if the proposed thing does not
> > become a standard, e.g., to facilitate testing etc.
> > 
> > Personally I vote for sensible AND consistent :-)
> > 
> > Steve
> 
> -- 
> 
> Will Price, Director of Engineering
> PGP Security, Inc.
> a division of Network Associates, Inc.

