comments on draft-ietf-isakmp-mode-cfg-02.txt

"Partha P. Bhattacharya" <partha@watson.ibm.com> Thu, 12 March 1998 20:47 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA02365 for ipsec-outgoing; Thu, 12 Mar 1998 15:47:44 -0500 (EST)
Message-Id: <9803122100.AA30816@gimili.watson.ibm.com>
To: ipsec@tis.com
Subject: comments on draft-ietf-isakmp-mode-cfg-02.txt
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 12 Mar 1998 16:00:20 -0500
From: "Partha P. Bhattacharya" <partha@watson.ibm.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk


Comments on draft-ietf-ipsec-isakmp-mode-cfg-02.txt

1. The draft specifies ways to exchange configuration information
    either within an ISAKMP Phase 1 exchange or by an ISAKMP Informational
    exchange. A couple of points here:
 
    -when done over Phase 1, the HASH has to include the configuration
     information being exchanged, otherwise it is not authenticated. This
     means, though, that HASH_I and HASH_R in the IKE exchange have to
     be augmented to include NOTIFY payloads. Not desirable for reasons
     of compatibility.

    -hence the information exchange should be done after Phase 1 is
     complete, although this may mean more message exchanges. The format
     specified in section 5.7 of the IKE draft (ISAKMP-OAKLEY draft 06)
     should be used.

 
 2. The draft proposes to distribute policy and certificates
    by this method across road warrior-gateway tunnels. I don't see
    the benefit in doing so as opposed to running generic client applications.
    Hence I would restrict this method to only distribute basic routing
    related information, such as local address and DNS address.
 

Comments?
Partha P. Bhattacharya 
Pau-Chen Cheng 

IBM Research
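The integrity argument in point 1 can be checked concretely. The following is an added illustration, not code from the message above, from the mode-cfg draft, or from any IKE implementation. It reproduces the HASH_I formula of the IKE draft, prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), and the Informational-exchange hash of section 5.7, prf(SKEYID_a, M-ID | payload), with HMAC-SHA1 as the prf. All key, cookie and Diffie-Hellman values are constructed stand-ins, and the attribute encoding (ISAKMP TLV attribute, type 1 assumed to be INTERNAL_IP4_ADDRESS as in the mode-cfg draft) is an assumption made for the example. The point it shows: a configuration attribute carried inside Phase 1 but outside the HASH_I inputs can be altered without the hash changing, whereas the same attribute sent in an Informational exchange (or under a hypothetically augmented HASH_I) is covered.

```python
import hashlib
import hmac
import struct

# --- constructed sample values; none of these are real keys or cookies ---
SKEYID = b"constructed-SKEYID-value"      # Phase 1 base key (real one is derived)
SKEYID_A = b"constructed-SKEYID_a-value"  # authentication key for later exchanges
G_XI, G_XR = b"\x01" * 32, b"\x02" * 32   # stand-ins for the DH public values
CKY_I, CKY_R = b"\xaa" * 8, b"\xbb" * 8   # ISAKMP initiator/responder cookies
SAI_B = b"\x00\x00\x00\x2c" + b"\x00" * 40  # stand-in for the SA payload body
IDII_B = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])  # ID payload body (IPv4 ID)
MSG_ID = b"\x00\x00\x00\x07"              # M-ID of the Informational exchange


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 as the IKE prf (one of the negotiable choices)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def cfg_attr_internal_ip4(addr: str) -> bytes:
    """ISAKMP TLV attribute: 16-bit type (1 assumed = INTERNAL_IP4_ADDRESS),
    16-bit length, then the 4-byte address. Assumed encoding for this example."""
    return struct.pack("!HH", 1, 4) + bytes(int(o) for o in addr.split("."))


def phase1_hash_i(cfg: bytes) -> bytes:
    """Standard HASH_I from the IKE draft. The configuration payload is NOT
    among its inputs, so it is carried in the message but not authenticated."""
    return prf(SKEYID, G_XI + G_XR + CKY_I + CKY_R + SAI_B + IDII_B)


def phase1_hash_i_augmented(cfg: bytes) -> bytes:
    """Hypothetical augmented HASH_I that also covers the configuration
    payload; this is the incompatible change the message argues against."""
    return prf(SKEYID, G_XI + G_XR + CKY_I + CKY_R + SAI_B + IDII_B + cfg)


def informational_hash(cfg: bytes) -> bytes:
    """HASH(1) = prf(SKEYID_a, M-ID | payload) from section 5.7 of the IKE
    draft: the payload is a hash input, so it is authenticated."""
    return prf(SKEYID_A, MSG_ID + cfg)


def detects_substitution(hash_fn, sent_addr: str, received_addr: str) -> bool:
    """The sender computes hash_fn over the attribute it sent; the receiver
    recomputes it over the attribute that actually arrived. Returns True when
    a changed attribute makes the hash check fail (tampering is detectable)."""
    sent_hash = hash_fn(cfg_attr_internal_ip4(sent_addr))
    recomputed = hash_fn(cfg_attr_internal_ip4(received_addr))
    return not hmac.compare_digest(sent_hash, recomputed)


if __name__ == "__main__":
    sent, altered = "10.1.2.3", "10.9.9.9"
    for name, fn in [("Phase 1 HASH_I", phase1_hash_i),
                     ("augmented HASH_I", phase1_hash_i_augmented),
                     ("Informational HASH(1)", informational_hash)]:
        print(f"{name:22s} detects changed address: "
              f"{detects_substitution(fn, sent, altered)}")
```

Running it prints that the standard HASH_I does not detect the changed address while the augmented HASH_I and the Informational-exchange hash both do, which is exactly why the message recommends the section 5.7 format after Phase 1 rather than touching HASH_I and HASH_R.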