
Re: question about draft-ietf-ipsec-nat-t-ike-07



Tom Hu writes:
> 1.4 The INFORMATIONAL Exchange
>    At various points during the operation of an IKE_SA, peers may desire
>    to convey control messages to each other regarding errors or
>    notifications of certain events. To accomplish this IKE defines an
>    INFORMATIONAL exchange.  INFORMATIONAL exchanges MAY ONLY occur after
>    the initial exchanges and are cryptographically protected with the
>    negotiated keys.
> 
> Here initial exchange includes 1 to 4 messages.

Informational exchange != Notification payload.

Any exchange (IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA and
INFORMATIONAL) can have notifications in them. For example most error
messages are replies to the IKE_SA_INIT or IKE_AUTH exchanges, not a
separate INFORMATIONAL exchange. Also there are lots of status
notifications that are put in the IKE_SA_INIT, IKE_AUTH or
CREATE_CHILD_SA exchanges. Examples of those are SET_WINDOW_SIZE,
ADDITIONAL_TS_POSSIBLE, IPCOMP_SUPPORTED, NAT_DETECTION_*_IP, COOKIE,
USE_TRANSPORT_MODE etc.

Informational exchange is only used when you do not have any other
exchange where you could put the notification...

> And by the way, IKE_SA_INIT message does not have AUTH payload.

True, but the AUTH payload does not have anything to do with being
cryptographically protected. In the IKEv2 draft the packet is
cryptographically protected if its contents are inside the Encrypted
payload.

> AUTH payload is sending at #3 and #4 messages.

And that AUTH payload is inside the encrypted payload, which protects
those messages. Messages #1 and #2 are authenticated because they are
included in the AUTH message calculations.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
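An added illustration of the last point, not part of the original message: with shared-secret authentication, the initiator's AUTH value is a PRF over InitiatorSignedOctets, which begins with the whole IKE_SA_INIT request (RealMessage1), so any in-transit change to message #1 (for example to a NAT_DETECTION_*_IP notify) makes the responder's AUTH check fail. The formula and PRF_HMAC_SHA1 follow the IKEv2 specification as later published in RFC 4306 (assumed to match the draft discussed here); the message bytes, key, nonce and ID are constructed sample values.

```python
import hmac
import hashlib

# Padding string defined by the IKEv2 spec for shared-secret AUTH.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, the mandatory-to-implement IKEv2 PRF."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(message1: bytes, nonce_r: bytes, sk_pi: bytes, id_i: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)."""
    maced_id_i = prf(sk_pi, id_i)
    return message1 + nonce_r + maced_id_i


def compute_auth(shared_secret: bytes, message1: bytes, nonce_r: bytes,
                 sk_pi: bytes, id_i: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), InitiatorSignedOctets)."""
    auth_key = prf(shared_secret, KEY_PAD)
    return prf(auth_key, signed_octets(message1, nonce_r, sk_pi, id_i))


def verify_auth(shared_secret: bytes, auth: bytes, message1: bytes, nonce_r: bytes,
                sk_pi: bytes, id_i: bytes) -> bool:
    """Responder side: recompute AUTH over message #1 as it was received and compare."""
    expected = compute_auth(shared_secret, message1, nonce_r, sk_pi, id_i)
    return hmac.compare_digest(expected, auth)


# Constructed stand-ins for the real IKE_SA_INIT request, Nr, SK_pi and IDi payload body.
SHARED_SECRET = b"example-preshared-key"
MESSAGE1 = b"IKE_SA_INIT request: SA, KE, Ni, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)"
NONCE_R = bytes(range(16))
SK_PI = b"\x11" * 20
ID_I = b"\x02\x00\x00\x00initiator.example.com"   # ID_FQDN type byte + reserved + data


def demo() -> tuple:
    """Return (verifies_intact, verifies_after_tampering)."""
    auth = compute_auth(SHARED_SECRET, MESSAGE1, NONCE_R, SK_PI, ID_I)
    intact = verify_auth(SHARED_SECRET, auth, MESSAGE1, NONCE_R, SK_PI, ID_I)
    altered = bytearray(MESSAGE1)
    altered[-1] ^= 0x01          # one bit of message #1 changed on the path
    tampered = verify_auth(SHARED_SECRET, auth, bytes(altered), NONCE_R, SK_PI, ID_I)
    return intact, tampered      # expected (True, False)
```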