
Re: [Fwd: Re: ike2-v4: request or response] == major issue



I suspect this error was introduced as a result of
going back to having the cookies be in the order
(IKE initiator's cookie, IKE responder's cookie) rather
than (receiver's SPI, transmitter's SPI) (a change
made for NAT traversal).

So, yes, we need a bit, but does it have to be called
"R"? I'll never remember if it's for "request" or
"response".

How about "C" (for command vs response).
Or perhaps "A" (for "acknowledgement", sent on
the response).

Radia


<Charlie_Kaufman@notesdev.ibm.com> wrote:
>
>You're right! And I'm embarrassed that such an obvious error could have
>persisted so late into the review process. But much better to find it now
>than after it goes RFC... I've added a R (response) bit (must be cleared
>for requests, must be set for responses).
>
>          --Charlie
>
>Opinions expressed may not even be mine by the time you read them, and
>certainly don't reflect those of any other entity (legal or otherwise).
>
>> I do not believe that the I bit in the ikev2 header provides its
>> stated function
>> of allowing a recipient to determine if a pdu is a request or response. I
>> believe that the header needs to be augmented with an R (request) bit.
>>
>> -------- Original Message --------
>> Subject: Re: ike2-v4: request or response
>> Date: Tue, 11 Feb 2003 10:45:56 +0100
>> From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
>> To: jeff pickering <jpickering@creeksidenet.com>
>>
>>  In your previous mail you wrote:
>>
>>    I really appreciate your response.
>>    This is exactly the statement in the spec that seems to be
>>    self-contradictory:
>>
>>    - I-bit is set by original IKE-SA initiator. (Alice)
>>    - Original responder (Bob) can also be the sender of a request.
>>    => Therefore, I-bit contains no information about which end initiated a
>>    particular request.
>>
>>    OR am I crazy??
>>
>> => no, I believe you're right and there is a real problem.
>> A request bit should solve the issue. Note the I bit is still
>> needed if the IKEv1 order of the SPIs (aka cookies) is kept.
>>
>> Regards
>>
>> Francis.Dupont@enst-bretagne.fr
>>
>> PS: please ask for a request bit in the message header!
>>
>>
>>
>
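
The ambiguity discussed in this thread, as an added example that is not part of the original messages: with only the I bit, a request and a response sent by the original responder carry identical header fields, and the response bit separates them. The flag values and header layout are taken from the published RFC 7296 rather than the draft under review, each endpoint is assumed to number its own requests from 0 as in that RFC, and the SPIs are constructed sample values.

```python
import struct

# Flag values are those of the published IKEv2 header (RFC 7296, section 3.1);
# the draft discussed in this thread may have laid the bits out differently.
FLAG_I = 0x08  # set in every message sent by the original IKE SA initiator
FLAG_R = 0x20  # set on responses, clear on requests
INFORMATIONAL = 37
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")
SPI_I, SPI_R = b"ALICE--I", b"BOB----R"  # constructed sample SPIs


def build(sender_is_original_initiator, is_response, msg_id):
    """Pack a bare IKE header as the given sender would emit it."""
    flags = (FLAG_I if sender_is_original_initiator else 0) | (
        FLAG_R if is_response else 0)
    return HEADER.pack(SPI_I, SPI_R, 0, 0x20, INFORMATIONAL, flags, msg_id,
                       HEADER.size)


def parse(data):
    """Return (spi_i, spi_r, sent_by_original_initiator, is_response, msg_id)."""
    if len(data) < HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _, _, _, flags, msg_id, length = HEADER.unpack_from(data)
    if length < HEADER.size:
        raise ValueError("length field smaller than the header")
    return spi_i, spi_r, bool(flags & FLAG_I), bool(flags & FLAG_R), msg_id


def without_r_bit(data):
    """What a receiver could key on if the header carried only the I bit."""
    spi_i, spi_r, from_initiator, _, msg_id = parse(data)
    return spi_i, spi_r, from_initiator, msg_id


# Bob (original responder) answers Alice's request 0 and also sends his own
# request 0; both messages travel from Bob to Alice with the I bit clear.
bob_response = build(False, True, 0)
bob_request = build(False, False, 0)

if __name__ == "__main__":
    same = without_r_bit(bob_response) == without_r_bit(bob_request)
    print("indistinguishable with I bit only:", same)
    print("with response bit:", parse(bob_response), parse(bob_request))
```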