
RE: Moving PIC forwards



I think most people will abort the negotiation if they receive an unknown
payload type. This caused a problem for some implementers when the vendor id
payload was added. But without a critical bit, how do you know if it is safe
to ignore them?

However, most people decided not to reject unknown attribute types in an SA
proposal that they don't accept. It seemed the sensible thing to do, since
the inclusion of alternate proposals implies that the attribute is not
critical.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ietf-ipsra@xxxxxxxxxxxxx
> [mailto:owner-ietf-ipsra@xxxxxxxxxxxxx]On Behalf Of Yaron Sheffer
> Sent: Friday, November 16, 2001 2:26 PM
> To: William Dixon; Markus Stenberg; ietf-ipsra@xxxxxxxx
> Subject: RE: Moving PIC forwards
>
>
>
> In a previous mail replying to William I mentioned that PIC can be extended
> via the use of additional payload types. However PIC is layered on top of
> ISAKMP, and at least my reading of ISAKMP is that if an unknown payload is
> received, the entire message is discarded - you don't just "silently ignore"
> the payload. Quoting from ISAKMP:
>
> "[Under "Payload Processing":] Check the Next Payload field to confirm it is
> valid.  If the Next Payload field validation fails, the message is discarded
> and the following actions are taken..."
>
> This obviously makes it hard to use new payload types to extend PIC, in
> particular for the first message, before a Vendor ID payload can be sent.
>
> Am I misreading ISAKMP? Are real-life IKE implementations different? Please
> enlighten me.
>
> Thanks,
> 	Yaron
> -----Original Message-----
> From: owner-ietf-ipsra@xxxxxxxxxxxxx
> [mailto:owner-ietf-ipsra@xxxxxxxxxxxxx]On Behalf Of William Dixon
> Sent: Friday, November 09, 2001 10:37 AM
> To: Yaron Sheffer; Markus Stenberg; ietf-ipsra@xxxxxxxx
> Subject: RE: Moving PIC forwards
>
> [Long discussion deleted]
>
> I guess the only thing I haven't rehashed from my last post was that PIC
> protocol extensions really must be provided for, like additional
> authentication data, and NAT traversal and DOS prevention.
>
> Wm
>
>
>
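The two receiver behaviours discussed in this thread (Yaron's reading of ISAKMP "Payload Processing", where an unrecognised Next Payload value discards the whole message, versus Andrew's point that only a critical bit tells a receiver which unknown payloads are safe to skip) can be shown side by side on a constructed payload chain. The code below is an added illustration, not code from the thread, from PIC, or from any IKE implementation. It assumes the four-octet generic payload header of RFC 2408 (Next Payload, RESERVED, Payload Length), uses the real ISAKMP type numbers for SA (1), KE (4), NONCE (10) and Vendor ID (13), and invents a private-use type 200 as the "new payload" an extension might add. The `honor_critical_bit` mode borrows the layout IKEv2 later standardised, where the high bit of the RESERVED octet is a Critical flag; ISAKMP itself has no such bit, which is exactly the gap the thread is about.

```python
"""Constructed example: strict ISAKMP payload-chain processing versus a
critical-bit policy for unknown payload types. Not from the thread or any
real IKE stack; payload bodies and the private-use type 200 are made up."""
import struct
from dataclasses import dataclass

# ISAKMP payload type numbers this toy receiver understands (RFC 2408 section 3.1).
KNOWN_PAYLOADS = {1: "SA", 4: "KE", 10: "NONCE", 13: "VID"}
NONE = 0            # Next Payload value meaning "this is the last payload"
HEADER_LEN = 4      # generic header: Next Payload, RESERVED, Payload Length (network order)
CRITICAL_BIT = 0x80  # high bit of the RESERVED octet; IKEv2 (RFC 7296) later defined it as "C"


class MessageDiscarded(Exception):
    """Raised when the receiver throws the entire message away."""


@dataclass
class Payload:
    ptype: int
    critical: bool
    body: bytes


def build_chain(payloads):
    """Encode a list of (ptype, critical, body) tuples as a linked payload chain.
    Each header's Next Payload field names the type of the payload that follows."""
    out = bytearray()
    for i, (ptype, critical, body) in enumerate(payloads):
        next_ptype = payloads[i + 1][0] if i + 1 < len(payloads) else NONE
        flags = CRITICAL_BIT if critical else 0
        out += struct.pack("!BBH", next_ptype, flags, HEADER_LEN + len(body)) + body
    return bytes(out)


def parse_chain(first_ptype, data, honor_critical_bit):
    """Walk the chain starting with the type announced by the ISAKMP header.
    Returns the accepted payloads or raises MessageDiscarded for the whole message."""
    accepted = []
    ptype, offset = first_ptype, 0
    while ptype != NONE:
        if ptype not in KNOWN_PAYLOADS and not honor_critical_bit:
            # RFC 2408 "Payload Processing": Next Payload validation failed, so the
            # whole message is discarded; nothing is "silently ignored".
            raise MessageDiscarded(f"unknown payload type {ptype}")
        if offset + HEADER_LEN > len(data):
            raise MessageDiscarded("truncated payload header")
        next_ptype, flags, length = struct.unpack_from("!BBH", data, offset)
        if length < HEADER_LEN or offset + length > len(data):
            raise MessageDiscarded(f"bad payload length {length}")
        body = data[offset + HEADER_LEN:offset + length]
        critical = bool(flags & CRITICAL_BIT)
        if ptype in KNOWN_PAYLOADS:
            accepted.append(Payload(ptype, critical, body))
        elif critical:
            # The sender marked the unknown payload as critical: skipping it would
            # silently change the meaning of the message, so reject the message.
            raise MessageDiscarded(f"unknown critical payload type {ptype}")
        # Unknown and not critical: the sender declared it safe to skip, so skip it.
        offset += length
        ptype = next_ptype
    if offset != len(data):
        raise MessageDiscarded("trailing bytes after the last payload")
    return accepted


def outcome(first_ptype, data, honor_critical_bit):
    """Human-readable result of processing one message under one policy."""
    try:
        names = [KNOWN_PAYLOADS[p.ptype]
                 for p in parse_chain(first_ptype, data, honor_critical_bit)]
    except MessageDiscarded as exc:
        return f"discarded: {exc}"
    return "accepted: " + " ".join(names)


# Constructed first message: SA, Vendor ID, a hypothetical extension payload of
# private-use type 200, then a NONCE. Bodies are placeholders, not real encodings.
EXAMPLE_PAYLOADS = [
    (1, False, b"\x00\x00\x00\x01"),
    (13, False, b"vendor"),
    (200, False, b"\x01\x02"),
    (10, False, b"n" * 8),
]
EXAMPLE_MSG = build_chain(EXAMPLE_PAYLOADS)
# Same message, but the extension payload is flagged critical.
EXAMPLE_MSG_CRITICAL = build_chain(
    [(t, t == 200, b) for (t, _, b) in EXAMPLE_PAYLOADS])

if __name__ == "__main__":
    print("strict ISAKMP:     ", outcome(1, EXAMPLE_MSG, honor_critical_bit=False))
    print("critical bit, C=0: ", outcome(1, EXAMPLE_MSG, honor_critical_bit=True))
    print("critical bit, C=1: ", outcome(1, EXAMPLE_MSG_CRITICAL, honor_critical_bit=True))
    print("truncated message: ", outcome(1, EXAMPLE_MSG[:-3], honor_critical_bit=True))
```

Under the strict policy the unknown type 200 aborts the exchange before its header is even parsed, which is why a new payload cannot be introduced in the first message before a Vendor ID has been exchanged. With a critical bit the receiver skips the non-critical extension and still rejects one marked critical, so both sides agree on what "safe to ignore" means instead of each implementer guessing. The length checks are there because a receiver that skips payloads it does not understand must still bound every skip by the declared length and the message size.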