Hi Yoav,

 

I don't see your point, since you're obviously setting up *some* properties
of the tentative IKE SA during IKE_SA_INIT. And it seems to be a very
convenient place to send N(SET_WINDOW_SIZE). So why not?

 

Thanks,

            Yaron

 

  _____  

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Yoav Nir
Sent: Thursday, April 02, 2009 16:42
To: Scott C Moonen
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

 

Actually, just "yes", not "definitely". 

 

All payloads in the IKE_SA_INIT are protected by the AUTH payload in the
IKE_AUTH exchange, so if crypto works, a third party will not be able to
tinker with it.

 

On the other hand, at the end of the IKE_SA_INIT exchange, there is no IKE
SA, so setting up some properties of that as-yet-non-existent IKE SA seems
premature to me. I think it should be in all but the IKE_SA_INIT exchange
(and also not in unprotected informational).

 


  _____  


From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Yoav Nir
Sent: Thursday, April 02, 2009 3:52 PM
To: Scott C Moonen
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

Definitely

 


  _____  


From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
Scott C Moonen
Sent: Thursday, April 02, 2009 3:48 PM
To: Yaron Sheffer
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?


> From Appendix C: The specification does not say which messages can contain
> N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is
> not yet shown below.
>
> SF discussion: Paul said, "wherever you wish."

Should we prohibit or at least discourage it in the IKE_SA_INIT exchange so
that it is not susceptible to third-party tinkering? 


Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen




From: Yaron Sheffer <yar...@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: 04/01/2009 04:39 PM
Subject: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

 


  _____  





From Appendix C: The specification does not say which messages can contain
N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is
not yet shown below. 
  
SF discussion: Paul said, "wherever you wish." 
  
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec





Email secured by Check Point 


