
Re: Regarding the next version of IKE



I was thinking about that, but I was not sure if we wanted to overload the
meaning of the field. You might want to say that I am in Message X of
Exchange Type Y.

Scott
----- Original Message -----
From: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>
To: <ipsec@lists.tislabs.com>
Sent: Wednesday, March 06, 2002 3:52 PM
Subject: Re: Regarding the next version of IKE


> At 3:04 PM -0800 3/6/02, Scott Fanning wrote:
> >I think I brought this issue up a couple of months ago. The
> >resounding answer at the time was that the version number in the
> >isakmp hdr is enough to direct messages to the correct process
> >running a specific IKE version. I think there is some code reuse
> >here (although that is a debatable requirement as well).
>
> Note that the on-the-wire protocol in JFK is not set in stone. It
> could easily be changed to look almost identical to IKEv2; that is, I
> have already written up that change. If the WG wants the features of
> JFK but to have it run on port 500 and look enough like IKEv2 so that
> it will not crash an IKEv1 implementation, that is pretty easy.
>
> >On a very different note:
> >
> >Also, I was wondering if it would be possible to add a "message
> >type" in the isakmp hdr in the IKEv2 (Harkins et al) to indicate
> >what part of the exchange the message represents. This would be
> >different than the "Exchange Type" as it would offer a finer level
> >of granularity. I know you can look at how the message is
> >constructed to determine that information, but it seems to me that a
> >simple identifier to validate a message against a state machine
> >would be a cheaper operation. Of course, it does not remove the
> >requirement to examine the payloads to ensure that all is in order.
> >Just an idea.
>
> Or, instead of changing the ISAKMP header, you could add granularity
> to the new exchange types. Instead of the current:
>                         Phase One                34
>                         CREATE-CHILD-SA          35
>                         Informational            36
> You might have:
>                         Phase One  message 1     34
>                         Phase One  message 2     35
>                         Phase One  message 3     36
>                            .
>                            .
>                            .
>
> --Paul Hoffman, Director
> --VPN Consortium
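The two checks discussed in this thread, version dispatch from the ISAKMP header and a cheap exchange-type check against a responder state machine, as an added example that is not code from either poster. It assumes the RFC 2408 fixed 28-byte header layout and uses Paul Hoffman's proposed per-message exchange-type numbers (34..36); the state names, the sample messages and the expected-type table are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408), network byte order, 28 bytes:
# SPI_i(8) SPI_r(8) NextPayload(1) MjVer/MnVer(1) ExchType(1) Flags(1) MsgID(4) Length(4)
HDR = struct.Struct("!8s8sBBBBII")

# Proposed finer-grained exchange types from the thread (numbers as given there).
EXCHANGE_TYPES = {34: "Phase One message 1", 35: "Phase One message 2",
                  36: "Phase One message 3"}

# Hypothetical responder state machine: which exchange types are acceptable per state.
EXPECTED = {
    "IDLE": {34},       # waiting for message 1 from the initiator
    "SENT_MSG2": {36},  # responder sent message 2; only message 3 may follow
}

def parse_header(data):
    """Decode the fixed header; raises on a truncated datagram."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    spi_i, spi_r, next_payload, ver, exch, flags, msg_id, length = HDR.unpack_from(data)
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange_type": exch,
            "flags": flags, "message_id": msg_id, "length": length}

def check_message(state, data, expected_major=2):
    """Header-only gate run before any payload parsing.

    1. Version dispatch: a datagram for another IKE major version belongs to
       that version's process, so it is rejected here.
    2. Exchange type vs. state: the cheap state-machine check the thread
       discusses. Passing it does NOT remove the need to validate payloads.
    Returns the parsed header if acceptable, otherwise raises ValueError."""
    hdr = parse_header(data)
    if hdr["major"] != expected_major:
        raise ValueError(f"IKE major version {hdr['major']} is not handled by this process")
    if hdr["length"] != len(data):
        raise ValueError("header length field does not match datagram length")
    if hdr["exchange_type"] not in EXPECTED.get(state, set()):
        raise ValueError(f"exchange type {hdr['exchange_type']} unexpected in state {state}")
    return hdr

def build_header(exch, major=2, spi_i=b"\x01" * 8, spi_r=b"\x00" * 8):
    """Constructed sample datagram (header only, no payloads) for demonstration."""
    return HDR.pack(spi_i, spi_r, 0, major << 4, exch, 0, 0, HDR.size)
```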