
Re: Now a question on legacy authentication



- Section 2.16 text:

     "The Initiator of an IKE-SA using EAP SHOULD be capable of extending
      the initial protocol exchange to at least ten IKE_AUTH exchanges in
      the event the Responder sends notification messages and/or retries
      the authentication prompt."

  Why ten? Actually, this sounds a bit small to cover all possible
  methods. Is there a reason why we could not just
  wait until a timeout occurs or something like that?

=> Some implementations are likely to rely on hard timeouts for session 
establishment, e.g. if an exchange is not complete within 1 minute then 
consider it failed. Timing conditions are one of the most difficult things 
to get right. Constraining the number of messages is one way to achieve 
predictability.

As for the responder retrying the authentication, clean handling of that 
case was one of the advantages of a phase 1.5. (I guess the phase 1.5 didn't 
add significant complexity after all.)

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
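
The two bounding strategies discussed above (a cap on the number of IKE_AUTH exchanges versus a wall-clock deadline), as an added example that is not part of the original message and is not code from any IKE implementation. It models the EAP-in-IKE_AUTH loop abstractly: each round trip is one IKE_AUTH exchange, and a scripted responder (constructed here) sends a notification and retries its prompt, as Section 2.16 anticipates. The names `initiator_ike_auth`, `ScriptedResponder`, `sample_responder` and the `rtt_seconds`/`deadline_seconds` parameters are this example's own.

```python
import enum
from dataclasses import dataclass, field
from typing import List, Optional


class Kind(enum.Enum):
    # responder -> initiator payloads
    EAP_REQUEST = "EAP-Request"            # method prompt (or a retry of it)
    EAP_NOTIFICATION = "EAP-Notification"  # RFC 3748 type 2 notification
    EAP_SUCCESS = "EAP-Success"
    EAP_FAILURE = "EAP-Failure"
    AUTH_OK = "AUTH"                       # responder's final AUTH payload
    # initiator -> responder payloads
    IKE_AUTH_NO_AUTH = "IKE_AUTH(no AUTH)"  # first request: omit AUTH to ask for EAP
    EAP_RESPONSE = "EAP-Response"
    AUTH = "AUTH"


@dataclass
class Msg:
    kind: Kind
    text: str = ""


class ScriptedResponder:
    """Toy responder that replays a fixed script; one reply per IKE_AUTH request."""

    def __init__(self, script: List[Msg]):
        self.script = list(script)
        self.received: List[Msg] = []

    def ike_auth(self, req: Msg) -> Msg:
        self.received.append(req)
        if not self.script:
            return Msg(Kind.EAP_FAILURE, "script exhausted")
        return self.script.pop(0)


@dataclass
class Outcome:
    result: str
    exchanges: int
    log: List[str] = field(default_factory=list)


def initiator_ike_auth(responder, max_exchanges: int = 10,
                       deadline_seconds: Optional[float] = None,
                       rtt_seconds: float = 0.0) -> Outcome:
    """Drive IKE_AUTH exchanges until EAP completes, the exchange cap is hit,
    or (if a deadline is set) the simulated elapsed time exceeds it.

    Elapsed time is simulated as exchanges * rtt_seconds so the run is
    deterministic; a real initiator would read a clock.
    """
    log: List[str] = []
    exchanges = 0
    req = Msg(Kind.IKE_AUTH_NO_AUTH, "IDi, SAi2, TSi, TSr")
    while True:
        if exchanges >= max_exchanges:            # Section 2.16 style bound
            return Outcome("EXCEEDED_MAX_EXCHANGES", exchanges, log)
        elapsed = exchanges * rtt_seconds
        if deadline_seconds is not None and elapsed >= deadline_seconds:
            return Outcome("TIMEOUT", exchanges, log)  # hard-timeout style bound
        exchanges += 1
        resp = responder.ike_auth(req)
        log.append(f"#{exchanges}: -> {req.kind.value}  <- {resp.kind.value}")
        if resp.kind is Kind.EAP_REQUEST:
            req = Msg(Kind.EAP_RESPONSE, "method response")
        elif resp.kind is Kind.EAP_NOTIFICATION:
            req = Msg(Kind.EAP_RESPONSE, "notification ack")
        elif resp.kind is Kind.EAP_SUCCESS:
            req = Msg(Kind.AUTH, "AUTH computed from EAP-derived key")
        elif resp.kind is Kind.AUTH_OK:
            return Outcome("ESTABLISHED", exchanges, log)
        else:  # EAP_FAILURE or anything unexpected
            return Outcome("EAP_FAILURE", exchanges, log)


def sample_responder() -> ScriptedResponder:
    """Constructed script: a two-prompt EAP method where the responder also
    sends one notification and retries its first prompt once."""
    return ScriptedResponder([
        Msg(Kind.EAP_REQUEST, "prompt 1"),
        Msg(Kind.EAP_NOTIFICATION, "server message"),
        Msg(Kind.EAP_REQUEST, "prompt 1 (retry)"),
        Msg(Kind.EAP_REQUEST, "prompt 2"),
        Msg(Kind.EAP_SUCCESS),
        Msg(Kind.AUTH_OK),
    ])


if __name__ == "__main__":
    for kwargs in ({}, {"max_exchanges": 4},
                   {"deadline_seconds": 60, "rtt_seconds": 15}):
        out = initiator_ike_auth(sample_responder(), **kwargs)
        print(kwargs, "->", out.result, "after", out.exchanges, "exchanges")
        for line in out.log:
            print("   ", line)
```

The same responder script takes six IKE_AUTH exchanges regardless of network conditions, so the exchange cap gives the same verdict everywhere; the deadline variant passes or fails depending only on `rtt_seconds`, which is the unpredictability the reply above is pointing at.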



