[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Regarding the next version of IKE
At 3:04 PM -0800 3/6/02, Scott Fanning wrote:
>I think I brought this issue up a couple of months ago. The
>resounding answer at the time is that the version number in the
>isakmp hdr is enough to direct message to the correct process
>running a specific IKE version. I think there is some code reuse
>here (although that is a debatable requirement as well).
Note that the on-the-wire protocol in JFK is not set in stone. It
could easily be changed to look almost identical to IKEv2; that is, I
have already written up that change. If the WG wants the features of
JFK but to have it run on port 500 and look enough like IKEv2 so that
it will not crash an IKEv1 implementation, that is pretty easy.
>On a very different note:
>
>Also, I was wondering if it would be possible to add a "message
>type" in the isakmp hdr in the IKEv2 (Harkins et al) to indicate
>what part of the exchange the message represents. This would be
>different than the "Exchange Type" as it would offer a finer level
>of granularity. I know you can look at how the message is
>constructed to determine that information, but it seems to be that a
>simple identifier to validate a message against a state machine
>would be a cheaper operation. Of course, it does not remove the
>requirement to examine the payloads to ensure that all is in order.
>Just an idea.
Or, instead of changing the ISAKMP header, you could add granularity
to the new exchange types. Instead of the current:
Phase One 34
CREATE-CHILD-SA 35
Informational 36
You might have:
Phase One message 1 34
Phase One message 2 35
Phase One message 3 36
.
.
.
--Paul Hoffman, Director
--VPN Consortium