ISAKMP - Remaining Issues

wdm@epoch.ncsc.mil (W. Douglas Maughan) Tue, 21 April 1998 11:26 UTC

Date: Tue, 21 Apr 1998 07:36:45 -0400
From: wdm@epoch.ncsc.mil
Message-Id: <9804211136.AA09244@dolphin.ncsc.mil>
To: ipsec@tis.com
Subject: ISAKMP - Remaining Issues

All,

In an attempt to finalize any remaining issues with ISAKMP, I think
there are two outstanding issues. They are:

> 1. ISAKMP Message Header Length field and data do not match
>
>    (Matt Thomas - 29 Sep 97 e-mail)
>    What if the ISAKMP Message Header Length field indicates a
>    different length than the actual data? Length > Data = no
>    action?, but Data > Length = Data Ignored or Message Trashed?

I know there was a flurry of e-mail surrounding this issue, but I don't
think there was any consensus about how things should be worded in the
I-D. Anybody want to give a *definitive* answer?


2. From Michael Richardson's e-mail and Roy Pereira's presentation at
the L.A. IETF IPSEC meeting.

>  11. Some vendors did not like ISAKMP packet to be padded to a multiple of 4
> 	bytes.
> 	Q: Does the spec allow this?
> 	A: There was some argument about whether this is REQUIRED.
> 	{ed: It would seem to fall into the "be conservative in what
> 	you generate and liberal in what you accept" }

Currently, section 3 of ISAKMP-09 says "Additionally, all ISAKMP
messages MUST be aligned at 4-octet boundaries." There has been some
debate about this in the past. How do the ISAKMP implementers want this
specified in the I-D so we can have interoperability?

Thanks,

Doug
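
An added example, not part of the original message or of the ISAKMP draft: a receiver-side check that classifies the two mismatch cases from issue 1 and reports the 4-octet alignment from issue 2, leaving the accept/drop policy to the caller because the message above leaves it open. The 28-octet fixed header layout follows the ISAKMP specification; the function and enum names are hypothetical and the sample datagrams are constructed.

```python
import struct
from enum import Enum

# Fixed ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, length (total octets, header included).
_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = _HDR.size  # 28 octets


class LengthCheck(Enum):
    OK = "length field equals received data"
    TRUNCATED_HEADER = "datagram shorter than the fixed header"
    LENGTH_BELOW_HEADER = "length field smaller than the fixed header"
    LENGTH_EXCEEDS_DATA = "Length > Data"
    DATA_EXCEEDS_LENGTH = "Data > Length"


def check_isakmp_length(datagram: bytes):
    """Classify one received datagram. Returns (LengthCheck, declared, aligned);
    aligned is True when the declared length is a multiple of 4 octets.
    Hypothetical helper: it only reports, the accept/drop policy is the caller's."""
    if len(datagram) < ISAKMP_HDR_LEN:
        return LengthCheck.TRUNCATED_HEADER, None, None
    declared = _HDR.unpack_from(datagram)[-1]
    aligned = declared % 4 == 0
    if declared < ISAKMP_HDR_LEN:
        return LengthCheck.LENGTH_BELOW_HEADER, declared, aligned
    if declared > len(datagram):
        return LengthCheck.LENGTH_EXCEEDS_DATA, declared, aligned
    if declared < len(datagram):
        return LengthCheck.DATA_EXCEEDS_LENGTH, declared, aligned
    return LengthCheck.OK, declared, aligned


def build_sample(body: bytes, declared=None, trailing: bytes = b"") -> bytes:
    """Constructed test datagram: header + body (+ trailing octets past the length)."""
    total = ISAKMP_HDR_LEN + len(body) if declared is None else declared
    hdr = _HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, total)
    return hdr + body + trailing


if __name__ == "__main__":
    samples = {
        "exact, aligned": build_sample(b"\x00" * 8),
        "exact, unaligned": build_sample(b"\x00" * 7),
        "length > data": build_sample(b"\x00" * 8, declared=64),
        "data > length": build_sample(b"\x00" * 8, trailing=b"\xff" * 4),
    }
    for name, dgram in samples.items():
        print(name, check_isakmp_length(dgram))
```

Whatever policy is chosen, payload parsing should be bounded by the smaller of the declared length and the octets actually received, so neither mismatch case can cause a read past the buffer.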