Re: IPsec and Oakley test items

Daniel Harkins <dharkins@cisco.com> Fri, 05 September 1997 16:08 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA29754 for ipsec-outgoing; Fri, 5 Sep 1997 12:08:51 -0400 (EDT)
Message-Id: <199709051618.JAA22079@dharkins-ss20>
X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Greg Carter <greg.carter@entrust.com>
Cc: "'anx-sec@dot.netrex.net'" <anx-sec@dot.netrex.net>, "'isakmp-oakley@cisco.com'" <isakmp-oakley@cisco.com>, "'ipsec@tis.com'" <ipsec@tis.com>
Subject: Re: IPsec and Oakley test items
In-Reply-To: Your message of "Fri, 05 Sep 1997 08:35:40 EDT." <c=CA%a=_%p=NorTel_Secure_Ne%l=APOLLO-970905123540Z-36246@mail.entrust.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 05 Sep 1997 09:18:08 -0700
From: Daniel Harkins <dharkins@cisco.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

  Greg,

  Yes, the M-ID is only for the informational exchange. If the notify is
a result of a failed Quick Mode the M-ID of the informational exchange
will not be that of the failed Quick Mode; they are different. And once
the message has been sent the unique M-ID (only for the Info exchange) is
thrown away.

  Dan.

Greg Carter responding to me:
> >  Informational exchanges are protected by SKEYID_e and SKEYID_a. Section
> >5.6 doesn't mention how an IV is generated to use with encryption nor does
> >it mention where 'M-ID' in the HASH definition came from. The intent is that
> >this is similar to a Quick Mode initiation. A unique message id for this
> >single message is chosen and it is used to generate an IV a la Quick Mode.
> >Once this message is sent all the state associated with it-- the IV, the
> >message id, plus whatever else your implementation chooses to generate--
> >is deleted. This is how it should be done.
> 
> Hi Dan,
> 
> I am a little confused now.  For an Info exchange (an example - a notify of a
> failed QUICK_MODE) associated with a quick mode, what M-ID do we use?
> The M-ID associated with the quick mode (what we had previously done) or
> generate a new unique ID?  Is the generation of a unique ID only for
> 'independent' Informational exchanges (assuming an ISAKMP SA has been
> setup)? I hope so...