
RE: CP(CFG_REQUEST) required?



Sounds right to me

Yoav

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Gregory Lebovitz
Sent: Saturday, March 01, 2003 6:43 PM
To: 'ipsec@lists.tislabs.com'; 'charlie_kaufman@notesdev.ibm.com'
Cc: Darren Dukes (E-mail)
Subject: RE: CP(CFG_REQUEST) required?


After talking this through with Darren Dukes, here is what we came up with:

Design Goals:
- We do not want Bob to have to perform a config server lookup if he
doesn't know for sure that Alice can/will accept the CFG_REPLY
- Bob should not send something that conflicts with local (policy)
configuration, i.e. if local policy configuration dictates that for
IDi=alice CP is required, and Alice does not send CFG_REQUEST, Bob needs to
fail the connection
- A CP failure should be accompanied by a reason

So here is the proposed text in sect 2.19:

"Responder MUST NOT send a CFG_REPLY without having first received a
CP(CFG_REQUEST) from Initiator, because we do not want the IRAS to perform
an unnecessary configuration lookup if the IRAC cannot process the REPLY. In
the case where the IRAS's configuration requires that CP be used for a given
identity IDi, but IRAC has failed to send a CP(CFG_REQUEST), IRAS SHOULD
fail the request, and terminate the IKE exchange with the appropriate error
message.

"The protocol terminates when the Responder sends the Initiator a
CP(CFG_REPLY) payload, or when the Responder terminates IKE due to a policy
conflict. In the case of a policy conflict, Responder will terminate by
sending [FOO]."

Charlie (others), I need some help with [FOO]. It wasn't immediately clear
to me the best way for Responder to terminate IKE. What is clear is that we
need a specific failure message that communicates something like, "CP
required, but no CP(CFG_REQUEST) received." Possibly the way to do this is
to create a new NOTIFY MESSAGE for Responder to send, something like
CP-REQUIRED. Here is a proposal, but feel free to suggest something better.
In sect. 3.10.1:

"FAILED-CP-REQUIRED                    37

 "Sent by Responder in the case where CP(CFG_REQUEST) was expected, but not
received, and such is a conflict of locally configured policy. There is no
associated data."

We would also need to do the IANA-thing on Notify Type 37.

Let me know what you think,
Gregory.

> -----Original Message-----
> From: Gregory Lebovitz [mailto:Gregory@netscreen.com]
> Sent: Friday, February 28, 2003 6:05 PM
> To: ipsec@lists.tislabs.com
> Subject: CP(CFG_REQUEST) required?
>
>
> What happens in the case where, for a certain IDi, the
> Responder's local
> policy dictates that CP(CFG) is required, but the Initiator
> did not send the
> CP(CFG_REQUEST)? Can Responder simply send the CP(CFG_REPLY)
> as if he had
> gotten the request?
>

!! NETSCREEN HAS MOVED !!
New Contact Info:
408.543.8002
805 11th Ave, Bldg 3
Sunnyvale, CA  94089

+*******************++********************+
Gregory M. Lebovitz
Staff Architect, CTO Office
NetScreen Technologies, Inc.
Ph:   408.543.8002
E:     gregory@netscreen.com
Pg:   page.gregory@netscreen.com
NASDAQ:  NSCN
+*******************++********************+
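A responder-side decision function for the sect. 2.19 rule proposed in the message above, as an added example that is not part of this thread or of any IKEv2 implementation. The ConfigServer stand-in, its lookup counter and the sample address are assumptions; 37 is the FAILED-CP-REQUIRED notify value proposed in the message, not an IANA assignment taken from the page.

```python
from dataclasses import dataclass
from enum import Enum

# Notify type number as proposed in the message (FAILED-CP-REQUIRED).
FAILED_CP_REQUIRED = 37


class Action(Enum):
    SEND_CFG_REPLY = "send CP(CFG_REPLY)"
    NO_CP = "continue IKE without CP"
    FAIL = "terminate IKE with NOTIFY"


@dataclass
class ConfigServer:
    """Assumed stand-in for the IRAS's configuration server.

    The lookup counter lets a test check the first design goal: the
    responder never performs a lookup it cannot use.
    """
    addresses: dict
    lookups: int = 0

    def lookup(self, idi):
        self.lookups += 1
        return self.addresses.get(idi, {})


def responder_cp_decision(idi, cp_required_for, got_cfg_request, config_server):
    """Decide the Responder's (IRAS's) CP behaviour for identity `idi`.

    cp_required_for: set of IDi values for which local policy requires CP.
    got_cfg_request: whether the Initiator included CP(CFG_REQUEST).
    Returns (Action, payload) where payload is the CFG_REPLY attributes
    or the notify type to send on failure.
    """
    if not got_cfg_request:
        if idi in cp_required_for:
            # Policy conflict: fail with a reason, and do not touch the
            # config server since the IRAC could not use a CFG_REPLY anyway.
            return Action.FAIL, FAILED_CP_REQUIRED
        # No request and CP not required: never send an unsolicited CFG_REPLY.
        return Action.NO_CP, None
    # CP(CFG_REQUEST) received: the configuration lookup is now justified.
    return Action.SEND_CFG_REPLY, config_server.lookup(idi)


if __name__ == "__main__":
    # Constructed sample: only alice is required to use CP.
    server = ConfigServer({"alice": {"INTERNAL_IP4_ADDRESS": "10.0.0.5"}})
    for ident, sent in (("alice", False), ("bob", False), ("alice", True)):
        print(ident, sent, responder_cp_decision(ident, {"alice"}, sent, server))
```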