
Re: [Fwd: Re: ike2-v4: request or response] == major issue





I guess getting it fixed is really my concern, but if we really want a
single letter, 'A' gets my vote.

Jeff


Radia Perlman - Boston Center for Networking wrote:

> I suspect this error was introduced as a result of
> going back to having the cookies be in the order
> (IKE initiator's cookie, IKE responder's cookie) rather
> than (receiver's SPI, transmitter's SPI) (a change
> made for NAT traversal).
> 
> So, yes, we need a bit, but does it have to be called
> "R"? I'll never remember if it's for "request" or
> "response".
> 
> How about "C" (for command vs response).
> Or perhaps "A" (for "acknowledgement", sent on
> the response).
> 
> Radia
> 
> 
> <Charlie_Kaufman@notesdev.ibm.com> wrote:
> 
>> 
>> 
>> 
>> You're right! And I'm embarrassed that such an obvious error could have
>> persisted so late into the review process. But much better to find it now
>> than after it goes RFC... I've added a R (response) bit (must be cleared
>> for requests, must be set for responses).
>> 
>>          --Charlie
>> 
>> Opinions expressed may not even be mine by the time you read them, and
>> certainly don't reflect those of any other entity (legal or otherwise).
>> 
>>> I do not believe that the I bit in the ikev2 header provides its stated
>>> function of allowing a recipient to determine if a pdu is a request or
>>> response. I believe that the header needs to be augmented with an R
>>> (request) bit.
>>> 
>>> -------- Original Message --------
>>> Subject: Re: ike2-v4: request or response
>>> Date: Tue, 11 Feb 2003 10:45:56 +0100
>>> From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
>>> To: jeff pickering <jpickering@creeksidenet.com>
>>> 
>>> 
>>>  In your previous mail you wrote:
>>> 
>>>    I really appreciate your response.
>>>    This is exactly the statement in the spec that seems to be
>>>    self-contradictory:
>>> 
>>>    - I-bit is set by original IKE-SA initiator. (Alice)
>>>    - Original responder (Bob) can also be the sender of a request.
>>>    => Therefore, I-bit contains no information about which end initiated a
>>>    particular request.
>>> 
>>>    OR am I crazy??
>>> 
>>> => no, I believe you're right and there is a real problem.
>>> A request bit should solve the issue. Note the I bit is still
>>> needed if the IKEv1 order of the SPIs (aka cookies) is kept.
>>> 
>>> Regards
>>> 
>>> Francis.Dupont@enst-bretagne.fr
>>> 
>>> PS: please ask for a request bit in the message header!
>>> 
>>> 
>>>
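
Added example, not part of the thread or of the draft: it packs the four possible messages (request or response, sent by the original initiator or the original responder) and shows which headers a receiver cannot tell apart with the I bit alone, and that an R bit removes the clash. Assumptions: the flag positions are those of the header as later published in RFC 7296, each peer numbers its own requests and a response echoes the request's message ID, and all function names and SPI values are constructed for illustration.

```python
import struct

# Assumption: flag positions are those of the IKEv2 header as later published
# (RFC 7296); the thread itself gives no bit positions.
FLAG_I = 0x08  # set in every message sent by the original IKE SA initiator
FLAG_R = 0x20  # set in responses, cleared in requests

# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HDR = struct.Struct("!8s8sBBBBII")

def build_header(sender_is_initiator, is_response, msg_id, with_r_bit):
    """Pack a header; SPIs and the other fixed fields are constructed values."""
    flags = FLAG_I if sender_is_initiator else 0
    if with_r_bit and is_response:
        flags |= FLAG_R
    return HDR.pack(b"A" * 8, b"B" * 8, 0, 0x20, 37, flags, msg_id, HDR.size)

def classify(header, with_r_bit):
    """Return (sender role, message kind) as far as the flags reveal them."""
    flags = HDR.unpack(header)[5]
    role = "original initiator" if flags & FLAG_I else "original responder"
    if not with_r_bit:
        return role, None  # the I bit says who sent it, not whether it is a reply
    return role, "response" if flags & FLAG_R else "request"

def colliding_messages(with_r_bit, msg_id=1):
    """Group the four (sender, kind) cases by header bytes; return the clashes.

    Assumption: each peer numbers its own requests and a response echoes the
    request's message ID, so both directions can carry the same ID.
    """
    seen = {}
    for sender_is_initiator in (True, False):
        for is_response in (False, True):
            hdr = build_header(sender_is_initiator, is_response, msg_id, with_r_bit)
            seen.setdefault(hdr, []).append((sender_is_initiator, is_response))
    return [cases for cases in seen.values() if len(cases) > 1]

if __name__ == "__main__":
    for with_r_bit in (False, True):
        label = "I+R bits" if with_r_bit else "I bit only"
        print(label, "-> indistinguishable:", colliding_messages(with_r_bit))
```

Each tuple in the output is (sender is original initiator, message is a response); with the I bit only, a peer's request and its response to the other side's request with the same message ID have identical headers.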