[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ike2 v4 couple of comments

To: ipsec@xxxxxxxxxxxxxxxxx
Subject: ike2 v4 couple of comments
From: "jpickering%creeksidenet.com" <jpickering@xxxxxxxxxxxxxxxx>
Date: Thu, 09 Jan 2003 11:38:50 -0500
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; m18) Gecko/20001108 Netscape6/6.0

Couple of comments and a question on V4:

- Section 3.2

"All but the headers of all messages that follow are encrypted and integrity protection protected."

This is true, but a bit misleading. Could it be rephrased:

"For messages that follow all of the message except the header are encrypted. All of the message including the header are intergrity protected."

- Section 4.6:

"If it matches, the responder knows that SPIr was generated since the last change to <secret>..."

Where is SPIr coming from here, given that from the previous page, the responder does not choose an SPI?

- Section 4.14

The specification of SK_d,etc computation still refers to CKY-I and CKY-R. Should this be replaced with SPIi and SPIr?

Question on CREATE_CHILD_SA initiator/ responder determination. (probably due to misreading something) Section 4.2 states:

"There is no ambiguity in the messages, however, because each packet contains enough information to determine which of the four messages a particular one is."

When a CREATE_CHILD_SA message is received, I dont see anything in the header that would allow the recipient to determine if the message is a request or response. I also dont see anyting in the payload types that would allow a determination. So how is this done?

Thanks,
Jeff

Prev by Date: Re: peer address protection
Next by Date: AES cipher suites
Previous by thread: I-D ACTION:draft-ietf-ipsec-nat-t-ike-05.txt
Next by thread: AES cipher suites
Index(es):
- Date
- Thread