
RE: CP(CFG_REQUEST) required?

> -----Original Message-----
> From: Darren Dukes [mailto:ddukes@cisco.com]
> > From: Scott G.Kelly
> >
> > Gregory Lebovitz wrote:
> > <trimmed...>
> > > So here is the proposed text in sect 2.19:
> > >
> > > "Responder MUST not send a CFG_REPLY without having first received a
> > > CP(CFG_REQUEST) from Initiator, because we do not want the IRAS to perform
> > > an unnecessary configuration lookup if the IRAC cannot process the REPLY. In
> > > the case where the IRAS's configuration requires that CP be used for a given
> > > identity IDi, but IRAC has failed to send a CP(CFG_REQUEST), IRAS SHOULD
> > > fail the request, and terminate the IKE exchange with the appropriate error
> > > message.
> >
> > Whatever form a CP payload ultimately takes, in the case where security
> > policy *requires* that the IRAS send the request and yet it does not,

Scott, did you mean to say "IRAC"?

> > shouldn't the language read "...IRAS MUST fail the request..." (MUST
> > rather than SHOULD)?
> 
> I agree. 

What I originally said was that the IRAS local configuration was set for CP.
I did not say that the local configuration requires IRAC to send anything.
(The difference between the two is a byproduct of our chosen protocol design.)

Anyway, the reason I chose SHOULD instead of MUST is that "configuration"
has more to do with customers' implementation and policy desires, and less
to do with the operation of the protocol. So I was thinking we ought to leave
it implementation specific.

However, thinking through it a little further, if IRAS were to send an
unsolicited CFG_RESPONSE, how should IRAC respond? According to its local
configuration, right? Well, if IRAC's configuration (on|off) for CP was set
ON, then it would have sent a CFG_REQUEST in the first place. If IRAC's
configuration had CP set OFF, then it probably ought (would) not respond to
an unsolicited CFG_RESPONSE, right?

So, I guess I agree too. The "... IRAS MUST fail the request..." will be
cleaner.

Charlie, can you make that change to the text I suggested?

Gregory.
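As an added example (not from this thread or from any IKEv2 implementation), the rule the thread converges on, in code: a minimal walker over an IKEv2 payload chain that checks whether a CP(CFG_REQUEST) is present, the IRAS decision (reply, fail with an error, or continue without CP), and the IRAC side ignoring an unsolicited CFG_REPLY. Payload and CFG type numbers are those of RFC 7296; the message bytes are constructed here.

```python
import struct

# IKEv2 payload type numbers (RFC 7296): IDi = 35, CP = 47; 0 ends the chain.
NO_NEXT_PAYLOAD, IDI_PAYLOAD, CP_PAYLOAD = 0, 35, 47
# CFG types carried in the first byte of the CP payload body.
CFG_REQUEST, CFG_REPLY = 1, 2

def build_payload(next_payload, body):
    # Generic payload header: next payload, critical bit/reserved, total length.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_cp(cfg_type, next_payload=NO_NEXT_PAYLOAD):
    # CP body: CFG type, three reserved bytes, then attributes (none here).
    return build_payload(next_payload, struct.pack("!B3x", cfg_type))

def find_cfg_type(first_payload, data):
    """Walk the payload chain after the IKE header; return the CFG type of the
    first CP payload, or None when the message carries no CP at all."""
    ptype, off = first_payload, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        if ptype == CP_PAYLOAD:
            if length < 8:
                raise ValueError("CP payload too short")
            return data[off + 4]
        ptype, off = nxt, off + length
    return None

def iras_decide(first_payload, data, policy_requires_cp):
    """Responder rule: reply only to a received CFG_REQUEST; when local policy
    requires CP for this peer but none was requested, fail the exchange."""
    if find_cfg_type(first_payload, data) == CFG_REQUEST:
        return "send CFG_REPLY"
    if policy_requires_cp:
        return "fail request, terminate exchange with error"
    return "continue without CP"

def irac_accepts_cfg_reply(sent_cfg_request):
    """Initiator side: a CFG_REPLY is processed only if we asked for one."""
    return bool(sent_cfg_request)

# Constructed samples: an IDi stub followed by CP(CFG_REQUEST), and the same
# IDi stub with no CP payload in the chain.
WITH_CP = build_payload(CP_PAYLOAD, b"idi-stub") + build_cp(CFG_REQUEST)
WITHOUT_CP = build_payload(NO_NEXT_PAYLOAD, b"idi-stub")
```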