Hi Yoav,

I don't see your point, since you're obviously setting up *some* properties of the tentative IKE SA during IKE_SA_INIT. And it seems to be a very convenient place to send N(SET_WINDOW_SIZE). So why not?

Thanks,
Yaron

_____

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
Sent: Thursday, April 02, 2009 16:42
To: Scott C Moonen
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

Actually, just "yes", not "definitely".

All payloads in the IKE_SA_INIT are protected by the AUTH payload in the IKE_AUTH exchange, so if crypto works, a third party will not be able to tinker with it.

On the other hand, at the end of the IKE_SA_INIT exchange, there is no IKE SA, so setting up some properties of that as-yet-non-existent IKE SA seems premature to me.

I think it should be in all but the IKE_SA_INIT exchange (and also not in unprotected informational)

_____

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
Sent: Thursday, April 02, 2009 3:52 PM
To: Scott C Moonen
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

Definitely

_____

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Scott C Moonen
Sent: Thursday, April 02, 2009 3:48 PM
To: Yaron Sheffer
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

> From Appendix C: The specification does not say which messages can contain N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is not yet shown below.
>
> SF discussion: Paul said, "wherever you wish."

Should we prohibit or at least discourage it in the IKE_SA_INIT exchange so that it is not susceptible to third-party tinkering?

Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen

_____

From: Yaron Sheffer <yar...@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: 04/01/2009 04:39 PM
Subject: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

From Appendix C: The specification does not say which messages can contain N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is not yet shown below.

SF discussion: Paul said, "wherever you wish."

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
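The distinction debated in this thread, shown as an added example that is not part of the original messages or of any IKE implementation: a parser that walks the cleartext payload chain of an IKEv2 message and reports each N(SET_WINDOW_SIZE) together with the protection the thread attributes to that position. The function names are hypothetical, the numeric constants are those of the IKEv2 specification, and the sample messages are constructed rather than captured.

```python
import struct

# Constants from the IKEv2 specification (RFC 4306 at the time of this thread).
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_NOTIFY, PAYLOAD_SK = 41, 46
SET_WINDOW_SIZE = 16385  # notification data is a 4-octet big-endian window size


def cleartext_window_notifies(msg: bytes):
    """Return [(exchange, window_size, protection)] for N(SET_WINDOW_SIZE) outside SK."""
    if len(msg) < 28:
        raise ValueError("truncated IKE header")
    next_payload, _ver, exch, _flags, _mid, length = struct.unpack_from("!BBBBII", msg, 16)
    if length != len(msg):
        raise ValueError("IKE length field does not match datagram")
    exchange = EXCHANGES.get(exch, "unknown(%d)" % exch)
    # The thread's distinction: IKE_SA_INIT is covered afterwards by AUTH,
    # any other cleartext payload has no integrity protection at all.
    protection = "AUTH in IKE_AUTH" if exch == 34 else "none"
    found, off = [], 28
    while next_payload not in (0, PAYLOAD_SK):  # SK contents are encrypted; stop there
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _crit, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if next_payload == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, spi_size, ntype = struct.unpack_from("!BBH", body)
            data = body[4 + spi_size:]
            if ntype == SET_WINDOW_SIZE and len(data) == 4:
                found.append((exchange, struct.unpack("!I", data)[0], protection))
        next_payload, off = following, off + plen
    return found


def build_message(exch: int, payloads) -> bytes:
    """Constructed test input: IKE header plus (type, body) payloads, not captured traffic."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", following, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = b"\x11" * 8 + b"\x00" * 8 + struct.pack("!BBBBII", first, 0x20, exch, 0x08, 0, 28 + len(chain))
    return header + chain


def window_notify(size: int) -> bytes:
    """Notify body: protocol ID 0, SPI size 0, type SET_WINDOW_SIZE, 4-octet value."""
    return struct.pack("!BBHI", 0, 0, SET_WINDOW_SIZE, size)
```

A result with protection "none" corresponds to the unprotected informational case; a notify carried inside an SK payload is never reported because the parser stops at the encrypted payload.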