Re: IKE negotiation/rekeying problem with RSIP

Gabriel.Montenegro@Eng.Sun.Com (Gabriel Montenegro) Wed, 17 November 1999 15:12 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA04369; Wed, 17 Nov 1999 07:12:26 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA28951 Wed, 17 Nov 1999 08:31:37 -0500 (EST)
From: Gabriel.Montenegro@Eng.Sun.Com
Message-Id: <199911170451.UAA06955@ha1mpk-mail.eng.sun.com>
Date: Tue, 16 Nov 1999 20:59:48 -0800
To: ipsec@lists.tislabs.com, "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Reply-To: gab@sun.com
Subject: Re: IKE negotiation/rekeying problem with RSIP
X-Mailer: Sun NetMail 2.3
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> wrote:
(some stuff elided...)
>Aha...
>	 http://www.sandelman.ottawa.on.ca/ipsec/1998/09/msg00124.html
>
>according to section 5 of IKE:
>
>        The entire ID payload (including ID type,
>        port, and protocol but excluding the generic header) is hashed into
>        both HASH_I and HASH_R.
>
>However, I looked at the DOI, and it does impose severe constraints
>on the port number used:
>
>   During Phase I negotiations, the ID port and protocol fields MUST be
>   set to zero or to UDP port 500.  If an implementation receives any
>   other values, this MUST be treated as an error and the security
>   association setup MUST be aborted.  This event SHOULD be auditable.

Yes, the above text is from a message I sent to the list.

>  Well, I can see why I believed that the source port had to be 500.
>  An implementation which replies to any port would work seamlessly
>with implementations that sent from port 500, and if you have port 500 
>open to receive, it seems simple enough to receive on that port as well.

Are you saying my msg had the opposite effect from what was intended?
Hmmm... good thing I'm not a peace negotiator...

Anyway, after all the exchange between Tero and mcr it can be concluded that
(notice it starts with 'if'):

	If an implementation allows other-than-port-500 for IKE,
	it no longer sets the value of the port numbers as reported in the 
	ID payload to 500, but 0 (meaning "any port"). UDP port numbers
	(500 or not) are handled by the common "swap src/dst port and reply" 
	method. 

Should some wording to clarify this (perhaps along the lines above)
go into the currently-being-updated IKE document?

-gabriel
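The two rules discussed in this thread, as an added example that is not part of the original message or of any implementation mentioned in it. The ID payload layout (generic header, then ID type, protocol ID, port, identification data) is taken from the IPsec DOI (RFC 2407) that the quoted text comes from; the function names, the sample addresses and the audit-log list are assumptions made for illustration. The code shows why the choice of 500 versus 0 in the ID payload matters: the port field is part of the bytes hashed into HASH_I/HASH_R, so two peers that disagree about it compute different hashes, and it applies the DOI's "zero or UDP port 500, otherwise abort and audit" check on receipt.

```python
"""ISAKMP Phase 1 Identification payload handling (layout per RFC 2407, section 4.6.2).

Added example; helper names and sample data are assumptions, not code from the
original message or from any IKE implementation.
"""
import struct

UDP = 17
IKE_PORT = 500

# ID types from RFC 2407 section 4.6.2.1 (only the one used below)
ID_IPV4_ADDR = 1


def build_id_payload(id_type, id_data, allow_other_ports, next_payload=0):
    """Build an Identification payload including its 4-byte generic header.

    An implementation that only ever talks on UDP port 500 reports
    protocol 17 / port 500.  One that allows other ports reports 0 / 0
    ("any protocol, any port"), so the hashed ID does not depend on the
    port actually in use; the real UDP ports are handled by replying to
    the address/port the request came from (see reply_endpoint).
    """
    if allow_other_ports:
        proto, port = 0, 0
    else:
        proto, port = UDP, IKE_PORT
    body = struct.pack("!BBH", id_type, proto, port) + id_data
    length = 4 + len(body)
    header = struct.pack("!BBH", next_payload, 0, length)  # reserved byte is 0
    return header + body


def parse_id_payload(buf):
    """Decode a payload built as above; raise on truncated input."""
    if len(buf) < 8:
        raise ValueError("ID payload too short")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad ID payload length %d" % length)
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    return {
        "next_payload": next_payload,
        "length": length,
        "id_type": id_type,
        "protocol": proto,
        "port": port,
        "data": buf[8:length],
    }


def check_phase1_id(payload, audit_log):
    """Apply the DOI rule quoted in the thread.

    Only (protocol 0, port 0) and (UDP, 500) are accepted; any other
    value aborts SA setup (caller must stop) and is recorded in the
    assumed audit_log list, since the event SHOULD be auditable.
    """
    proto_port = (payload["protocol"], payload["port"])
    if proto_port in ((0, 0), (UDP, IKE_PORT)):
        return True
    audit_log.append("Phase 1 ID payload rejected: protocol=%d port=%d" % proto_port)
    return False


def hash_input(buf):
    """Bytes of the ID payload that go into HASH_I / HASH_R.

    IKE section 5: the entire ID payload is hashed, including ID type,
    protocol and port, but excluding the 4-byte generic header.
    """
    p = parse_id_payload(buf)
    return buf[4:p["length"]]


def reply_endpoint(request_src, request_dst):
    """'Swap src/dst port and reply': the reply goes from the address/port
    the request was received on back to the address/port it came from."""
    return request_dst, request_src


if __name__ == "__main__":
    # Constructed sample: peer at 10.0.0.1 identifying itself by address.
    fixed = build_id_payload(ID_IPV4_ADDR, bytes([10, 0, 0, 1]), allow_other_ports=False)
    anyport = build_id_payload(ID_IPV4_ADDR, bytes([10, 0, 0, 1]), allow_other_ports=True)
    print("hash input (port 500):", hash_input(fixed).hex())
    print("hash input (port 0):  ", hash_input(anyport).hex())
    log = []
    print("accepted:", check_phase1_id(parse_id_payload(fixed), log),
          check_phase1_id(parse_id_payload(anyport), log))
    print("reply to:", reply_endpoint(("10.0.0.1", 1026), ("192.0.2.1", 500)))
```

Note that the two hash inputs differ only in the protocol/port bytes; a responder that fills in UDP/500 while the initiator fills in 0/0 will still pass the DOI check on both sides but fail HASH_I/HASH_R verification, which is the interoperability problem the thread is about.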