[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: new ISAKMP ping draft

To: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: new ISAKMP ping draft
From: Mark Baugher <mbaugher@xxxxxxxxx>
Date: Fri, 01 Mar 2002 06:27:37 -0800
Cc: ipsec@xxxxxxxxxxxxxxxxx
In-reply-to: <>
References: <Your message of "Thu, 21 Feb 2002 23:55:19 EST." <Pine.LNX.4.44.0202212134530.22972-100000@redshift.mimosa.com>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

At 06:36 PM 2/28/2002 -0500, Michael Richardson wrote:

<text deleted>

>4.8 Informational Exchange
>
>   The Informational Exchange is designed as a one-way transmittal of
>   information that can be used for security association management.

  The intention is not one, way and is not for SA management. Basically,
I'd like to stay completely out of that place.

I don't get it: If you're not managing SAs then what are you doing with ISAKMP?

regards, Mark

2) why not use a notify?
   Well, using a notify means sending it in some kind of exchange, e.g. an
Informational Exchange. If not using Informational Exchanges, I see no reason
to use a notify.
3) combine with the heartbeat/make-dead systems.

These are used to detect a dead phase 1 SA. They are, AFAIK, encrypted Notifies. I do not want the ISAKMP echo request/reply to take any crypto resources (in particular, no entropy!) and I do not want anyone to be confused into thinking that these have anything to do with the things sent within a phase 1 SA.
4) It has been suggested that the cookies match the current IKE style rather
   than any proposed replacement.
  I made up the cookie stuff. I didn't want the responder to waste a single
iota of entropy, but to do something easily noticable to the packet. I do not
really care about the cookies, and upon reflection, the current proposal
likely won't get through "IKE enabled" NAT boxes.
  I'm open to anything.
5) echo response
  I considered having the responder copy the source IP and port number into
the body of the reply. It could even stick it in as its cookie. That would
permit a request'or to diagnose that they are in fact behind a NAT.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPH6+5IqHRg3pndX9AQHk2AP9GkqWleMmC1uSEddWWgC4hRNDwEKAgYL1
KgpXD6SxPfe6VhtTaOCtEE90koIKYnNwJNiuRdg09fydhG7zwMsrAurOYU/SVK6G
Vx2kXOSMDgdsrP1zLI1iM95s7HKgzlar1n+w8mbQM4ninTqPTmq74VDYGZfU3stB
2ja52RmKAF0=
=gYj4
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: new ISAKMP ping draft
  - From: Michael Richardson

References:
- new ISAKMP ping draft
  - From: Michael Richardson

Prev by Date: Re: NAT Traversal
Next by Date: Re: NAT Traversal
Previous by thread: new ISAKMP ping draft
Next by thread: Re: new ISAKMP ping draft
Index(es):
- Date
- Thread