ike2 v4 couple of comments

Couple of comments and a question on V4:

- Section 3.2

"All but the headers of all messages that follow are encrypted and integrity protection protected."

This is true, but a bit misleading. Could it be rephrased:

"For messages that follow, all of the message except the header is encrypted. All of the message, including the header, is integrity protected."

- Section 4.6:

"If it matches, the responder knows that SPIr was generated since the last change to <secret>..."

Where is SPIr coming from here, given that from the previous page, the responder does not
choose an SPI?

- Section 4.14

The specification of the SK_d, etc. computation still refers to CKY-I and CKY-R. Should this be replaced
with SPIi and SPIr?

Question on CREATE_CHILD_SA initiator/responder determination (probably due to misreading something).
Section 4.2 states:

"There is no ambiguity in the messages, however, because each packet contains enough information to
determine which of the four messages a particular one is."

When a CREATE_CHILD_SA message is received, I don't see anything in the header that would allow
the recipient to determine if the message is a request or response. I also don't see anything in the payload
types that would allow a determination. So how is this done?