Re: Regarding the next version of IKE
I was thinking about that, but I was not sure if we wanted to overload the
meaning of the field. You might want to say that I am in Message X of
Exchange Type Y.
Scott
----- Original Message -----
From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
To: <ipsec@lists.tislabs.com>
Sent: Wednesday, March 06, 2002 3:52 PM
Subject: Re: Regarding the next version of IKE
> At 3:04 PM -0800 3/6/02, Scott Fanning wrote:
> >I think I brought this issue up a couple of months ago. The
> >resounding answer at the time is that the version number in the
> >isakmp hdr is enough to direct messages to the correct process
> >running a specific IKE version. I think there is some code reuse
> >here (although that is a debatable requirement as well).
>
> Note that the on-the-wire protocol in JFK is not set in stone. It
> could easily be changed to look almost identical to IKEv2; that is, I
> have already written up that change. If the WG wants the features of
> JFK but to have it run on port 500 and look enough like IKEv2 so that
> it will not crash an IKEv1 implementation, that is pretty easy.
>
> >On a very different note:
> >
> >Also, I was wondering if it would be possible to add a "message
> >type" in the isakmp hdr in the IKEv2 (Harkins et al) to indicate
> >what part of the exchange the message represents. This would be
> >different than the "Exchange Type" as it would offer a finer level
> >of granularity. I know you can look at how the message is
> >constructed to determine that information, but it seems to me that a
> >simple identifier to validate a message against a state machine
> >would be a cheaper operation. Of course, it does not remove the
> >requirement to examine the payloads to ensure that all is in order.
> >Just an idea.
>
> Or, instead of changing the ISAKMP header, you could add granularity
> to the new exchange types. Instead of the current:
> Phase One 34
> CREATE-CHILD-SA 35
> Informational 36
> You might have:
> Phase One message 1 34
> Phase One message 2 35
> Phase One message 3 36
> .
> .
> .
>
> --Paul Hoffman, Director
> --VPN Consortium
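The header-level check the two posters are debating, written out as an added example (not code from either of them): it parses the fixed 28-byte ISAKMP header, uses the major version to decide whether the message belongs to this process at all, and accepts a Phase One message only when its exchange type names the message the state machine expects, so out-of-order or replayed messages are dropped before any payload is parsed. The per-message exchange type numbers (34, 35, 36) are the hypothetical values from Paul's reply, not the real registry, and the `Phase1State` class and `build` helper are assumptions of this example.

```python
import struct

# Fixed ISAKMP header (RFC 2408, 28 bytes), shared by IKEv1 and the IKEv2 drafts:
# initiator cookie/SPI (8), responder cookie/SPI (8), next payload (1),
# version (1: major nibble, minor nibble), exchange type (1), flags (1),
# message ID (4), total length (4). All fields are in network byte order.
HDR = struct.Struct("!8s8sBBBBII")

# Hypothetical values from the thread's proposal: one exchange type per
# message of Phase One. These are NOT the real IKEv2 registry numbers.
PHASE1_MSG_OF_XCHG = {34: 1, 35: 2, 36: 3}

def parse_header(data):
    """Parse the fixed header; reject truncated input and an inconsistent
    length field before any payload is looked at."""
    if len(data) < HDR.size:
        raise ValueError("truncated header")
    spi_i, spi_r, npl, ver, xchg, flags, msg_id, length = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes received" % (length, len(data)))
    return {"major": ver >> 4, "minor": ver & 0x0F, "exchange": xchg,
            "msg_id": msg_id, "next_payload": npl, "flags": flags}

class Phase1State:
    """Minimal peer state: which Phase One message is expected next (1, 2, 3).
    A message is accepted on the header alone only if its exchange type names
    exactly that message; anything else is dropped without parsing payloads.
    As the thread notes, payload validation still has to follow an accept."""
    def __init__(self, major=2):
        self.major = major      # IKE major version this process handles
        self.expected = 1       # next Phase One message number we will accept
    def accept(self, data):
        hdr = parse_header(data)
        if hdr["major"] != self.major:          # belongs to another version's process
            return False
        msg = PHASE1_MSG_OF_XCHG.get(hdr["exchange"])
        if msg != self.expected:                # out of order, replayed, or unknown type
            return False
        self.expected += 1
        return True

def build(xchg, major=2, body=b""):
    """Constructed sample message: zero SPIs, the given exchange type, then body."""
    length = HDR.size + len(body)
    return HDR.pack(b"\0" * 8, b"\0" * 8, 0, (major << 4) | 0, xchg, 0, 0, length) + body
```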