[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Moving PIC forwards

In a previous mail replying to William I mentioned that PIC can be extended
via the use of additional payload types. However PIC is layered on top of
ISAKMP, and at least my reading of ISAKMP is that if an unknown payload is
received, the entire message is discarded - you don't just "silently ignore"
the payload. Quoting from ISAKMP:

"[Under "Payload Processing":] Check the Next Payload field to confirm it is
valid.  If the Next Payload field validation fails, the message is discarded
and the following actions are taken..."

This obviously makes it hard to use new payload types to extend PIC, in
particular for the first message, before a Vendor ID payload can be sent.

Am I misreading ISAKMP? Are real-life IKE implementations different? Please
enlighten me.

-----Original Message-----
From: owner-ietf-ipsra@xxxxxxxxxxxxx
[mailto:owner-ietf-ipsra@xxxxxxxxxxxxx]On Behalf Of William Dixon
Sent: Friday, November 09, 2001 10:37 AM
To: Yaron Sheffer; Markus Stenberg; ietf-ipsra@xxxxxxxx
Subject: RE: Moving PIC forwards

[Long discussion deleted]

I guess the only thing I haven't rehashed from my last post was that PIC
protocol extensions really must be provided for, like additional
authentication data, and NAT traversal and DOS prevention.