
Re: Now a question on legacy authentication



- Section 2.16 text:

    "The Initiator of an IKE-SA using EAP SHOULD be capable of extending
     the initial protocol exchange to at least ten IKE_AUTH exchanges in
     the event the Responder sends notification messages and/or retries
     the authentication prompt."

 Why ten? Actually, this sounds a bit small to cover all possible
 methods. Is there a reason why we could not just
 wait until a timeout occurs or something like that?

=> Some implementations are likely to rely on hard timeouts for session establishment, e.g. if an exchange is not complete within 1 minute then consider it failed. Timing conditions are one of the most difficult things to get right. Constraining the number of messages is one way to achieve predictability.

As for the responder retrying the authentication, clean handling of that case was one of the advantages of a phase 1.5. (I guess the phase 1.5 didn't add significant complexity after all.)

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
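Added example, not part of this thread or of any IKEv2 implementation: a toy model of the initiator side of the EAP phase of IKE_AUTH that enforces both abort policies discussed above, the "at least ten exchanges" floor from section 2.16 and an optional hard deadline like the one-minute cut-off. The message names, the responder reply script and the injectable clock are assumptions made for the model.

```python
import time

MAX_IKE_AUTH_EXCHANGES = 10   # floor from IKEv2 section 2.16 ("at least ten")

# Responder message kinds in the EAP phase of IKE_AUTH (names assumed for this model)
EAP_REQUEST, NOTIFY, EAP_SUCCESS, EAP_FAILURE = "EAP-Request", "Notify", "EAP-Success", "EAP-Failure"


def stepping_clock(step=1.0):
    """Deterministic stand-in for time.monotonic(): advances `step` per call."""
    now = [0.0]
    def clock():
        now[0] += step
        return now[0]
    return clock


def run_eap_initiator(responder_replies, max_exchanges=MAX_IKE_AUTH_EXCHANGES,
                      deadline_s=None, clock=time.monotonic):
    """Drive the EAP part of IKE_AUTH from the initiator side.

    responder_replies: the responder's reply to each successive IKE_AUTH
    request (constructed for the example). Every reply, including a bare
    Notify or a retried authentication prompt, consumes one IKE_AUTH
    exchange. Returns (status, exchanges_used).
    Abort policies: a fixed exchange cap (predictable, message-counted)
    and an optional wall-clock deadline (timing-dependent).
    """
    start = clock()
    exchanges = 0
    for reply in responder_replies:
        if exchanges >= max_exchanges:
            return "exchange_cap", exchanges
        if deadline_s is not None and clock() - start > deadline_s:
            return "timeout", exchanges
        exchanges += 1                      # one request/response pair
        if reply == EAP_SUCCESS:
            return "authenticated", exchanges
        if reply == EAP_FAILURE:
            return "rejected", exchanges
        # EAP_REQUEST (including a retried prompt) and NOTIFY: keep going
    return "no_reply", exchanges            # responder stopped answering


if __name__ == "__main__":
    # Constructed scripts: a method needing 9 EAP rounds fits in ten
    # exchanges, one needing 11 rounds is cut off at the cap.
    fits = [EAP_REQUEST] * 9 + [EAP_SUCCESS]
    too_long = [EAP_REQUEST] * 11 + [EAP_SUCCESS]
    print(run_eap_initiator(fits))       # ('authenticated', 10)
    print(run_eap_initiator(too_long))   # ('exchange_cap', 10)
```

With the exchange cap the outcome depends only on the message count, so it is reproducible in a test; with the deadline it depends on the clock, which is the unpredictability the reply above is pointing at.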



