
Re: IDi/IDr distinction



I agree with Michael. Seems confusing to have the same
number for IDi and IDr. I can imagine scenarios in which we might want
to have multiple of either IDi or IDr or both, or have one or
both of them
be optional, in which case ordering would no longer be sufficient
to distinguish them. Furthermore, I don't think
payload numbers are a sufficiently scarce resource
that we need to conserve them. (I hope not...I'd hate
to have to document 65,000 different ones).

Radia


"Michael Richardson" <mcr@sandelman.ottawa.on.ca> wrote:
>The IDi and IDr payloads in the exchanges use the same payload number (5). 
>
>The IDr may presently appear in message 3 along with IDi. I see no
>way to distinguish them except by the ordering. Further, it is apparent
>to me that it would be beneficial if a third party (i.e. tcpdump or 
>another tool that was given access to the IKE-SA keys) could distinguish
>the payloads.
>
>I therefore propose that the IDr be given a distinct payload number.
>
>marajade-[ietf/id/ietf/ipsec] mcr 1051 %diff -u ikev2-05.txt ikev2-05-mcr.txt
>- --- ikev2-05.txt        Mon Feb 24 08:47:20 2003
>+++ ikev2-05-mcr.txt    Sun Mar 30 13:31:35 2003
>@@ -2660,7 +2660,10 @@
>       the Identification Type. The length of the Identification Data
>       is computed from the size in the ID payload header.
> 
>- -   The payload type for the Identification Payload is five (5).
>+   The payload type for the Identification Payload when used by the
>+   initiator is five (5).
>+   The payload type for the Identification Payload when used by the
>+   responder is 25 (25).
> 
>    The following table lists the assigned values for the Identification
>    Type field, followed by a description of the Identification Data
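Review bot: the added line `+   responder is 25 (25).` breaks the draft's own convention used one line above (`five (5)`); write `twenty-five (25)`. Since the draft already calls these payloads IDi and IDr, tying the two numbers to those names ("Identification Payload - Initiator (IDi) is five (5)", "Identification Payload - Responder (IDr) is twenty-five (25)") would read more clearly than "when used by the initiator/responder". This is the only hunk in the diff, so any other place in the draft that lists payload type 5 for a single Identification Payload (a payload-type summary table, the exchange descriptions) is left unchanged and would need a matching entry for 25.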
>
>]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
>]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
>] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
>] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
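The ambiguity Michael describes, as an added example that is not part of the thread: a minimal IKEv2 payload-chain decoder that labels ID payloads the way a passive tool holding the SA keys could. The generic payload header layout (Next Payload, C/RESERVED, Payload Length) and the ID payload body (ID Type, three reserved octets, data) follow the IKEv2 draft; the value 25 for IDr is taken from the quoted patch and the sample message is constructed.

```python
import struct

# Payload type numbers from the quoted draft text: 5 is the Identification
# payload; 25 is what Michael's patch proposes for the responder's ID.
ID_PAYLOAD, IDR_PROPOSED, NO_NEXT_PAYLOAD = 5, 25, 0
ID_IPV4_ADDR, ID_FQDN = 1, 2          # Identification Type values used in the sample

def id_body(id_type, data):
    """ID payload body: ID Type, three reserved octets, Identification Data."""
    return struct.pack("!B3x", id_type) + data

def build_chain(payloads):
    """Encode (type, body) pairs as an IKEv2 payload chain. Each generic header names
    the *following* payload's type, so the first type is returned separately."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body  # Next, C/RESERVED, Length
    return payloads[0][0], out

def walk_chain(first_type, data):
    """Follow Next Payload / Payload Length; yields (type, body), rejecting overruns."""
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload at offset %d overruns the message" % off)
        yield ptype, data[off + 4:off + length]
        ptype, off = nxt, off + length

def label_ids(first_type, data, idr_type=ID_PAYLOAD):
    """Label ID payloads as a passive decoder can. With idr_type == ID_PAYLOAD (draft -05)
    the only cue is ordering: first ID seen is taken as IDi, the next as IDr."""
    labels, seen = [], 0
    for ptype, _body in walk_chain(first_type, data):
        if ptype == ID_PAYLOAD and idr_type == ID_PAYLOAD:
            labels.append("IDi" if seen == 0 else "IDr")
            seen += 1
        elif ptype == ID_PAYLOAD:
            labels.append("IDi")
        elif ptype == idr_type:
            labels.append("IDr")
    return labels

# Constructed sample (not from the thread): an initiator's message 3 carrying IDr before
# IDi. Both numbered 5, the ordering guess is backwards; with IDr as 25 the number decides.
IDR, IDI = id_body(ID_FQDN, b"gw.example.com"), id_body(ID_IPV4_ADDR, bytes([10, 0, 0, 1]))
draft05 = build_chain([(ID_PAYLOAD, IDR), (ID_PAYLOAD, IDI)])
patched = build_chain([(IDR_PROPOSED, IDR), (ID_PAYLOAD, IDI)])
```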