Re: ISAKMP & IPSEC DOI Drafts - Notify Payload - Certificate
"W. Douglas Maughan" <wdm@epoch.ncsc.mil> Tue, 03 December 1996 15:33 UTC
Received: from cnri by ietf.org id aa22318; 3 Dec 96 10:33 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa11847; 3 Dec 96 10:33 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA24108 for ipsec-outgoing; Tue, 3 Dec 1996 10:25:02 -0500 (EST)
Date: Tue, 03 Dec 1996 10:26:01 -0500
From: "W. Douglas Maughan" <wdm@epoch.ncsc.mil>
Message-Id: <9612031526.AA19314@dolphin.ncsc.mil>
To: carterg@entrust.com
Subject: Re: ISAKMP & IPSEC DOI Drafts - Notify Payload - Certificate Authorities
Cc: ipsec@tis.com
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

Greg,

> Questions on ISAKMP draft:
>
> Can Notify Payloads be sent in any exchange or are they valid only in
> Informational Exchanges?

Because Notify and Delete messages are one-way, i.e. no acknowledgement expected, they were separated out to their own exchange. Nothing precludes you from defining an exchange that allows Notify or Delete payloads anywhere in the exchange. We defined a default set of exchanges in ISAKMP. None of those exchanges (Base, ID Protect, Aggressive, and Auth Only) allow Notify or Delete payloads as part of the exchange. We separated out the Notify and Delete payload into their own exchange, i.e. Informational.

> What action should be taken when a Notify Payload is received and the
> Message Type is not known. i.e. My ISAKMP server is using some of the
> private Message Types to exchange Environment information, but the peer
> ISAKMP server has no concept of this info (and hence the private message
> types).

Section 5.12 specifies a RECOMMENDED way to handle the problem. We probably should add more to this section to make it like the other sections (similar detail and clarity for error handling). Additionally, I would expect that ISAKMP servers using Private Message Types would be able to handle them appropriately. As you state, it is only when an ISAKMP server has no idea what to do with the Private Message Type that this becomes an issue.

> Section 3.10 Certificate Request Payload of ISAKMP - draft 6
>
> For the Certificate Authorities field it references the IPSEC DOI
> document, however I couldn't find any reference to 'Distinguished Name
> Attribute Type' value in the IPSEC DOI doc.
>
> Could someone expand on this?

I think this might have been something that got lost or overlooked in the transfer of stuff from the appendices of ISAKMP-05 to the IPSEC DOI document. I'll check with Derrell Piper (piper@tgv.com). Feel free to contact him as well.

> ----
> Greg Carter
> Nortel Secure Networks - Entrust
> carterg@entrust.com

Douglas Maughan                    Voice: (301) 688-0847
Technical Director, R23            Fax:   (301) 688-0255
National Security Agency           E-mail: wdmaugh@tycho.ncsc.mil
9800 Savage Road                           maughan@cs.umbc.edu
Fort Meade, MD. 20755-6000
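As an added illustration of the receive-side handling discussed above (example code, not from the draft or from either correspondent): a parser for the ISAKMP Notification payload that classifies the Notify Message Type and logs-and-drops private or reserved types the local server does not define, instead of acting on them. The field layout and type ranges are those published in RFC 2408 and are assumed to match draft-06; the local_private table and SAMPLE bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Notify Message Type values/ranges from RFC 2408 s.3.14.1 (assumed to match
# the draft discussed on the list). Only a handful of names are listed here.
ERROR_NAMES = {1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED",
               14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
               24: "AUTHENTICATION-FAILED"}
STATUS_NAMES = {16384: "CONNECTED"}
PRIVATE_ERROR = range(8192, 16384)      # Private Use error types
PRIVATE_STATUS = range(32768, 40960)    # Private Use status types

@dataclass
class Notify:
    next_payload: int
    doi: int
    protocol_id: int
    msg_type: int
    spi: bytes
    data: bytes

def parse_notify(buf: bytes) -> Notify:
    """Parse one Notification payload: generic header + fixed fields + SPI + data."""
    if len(buf) < 12:
        raise ValueError("truncated Notify header")
    nxt, _rsv, length, doi, proto, spi_size, mtype = struct.unpack("!BBHIBBH", buf[:12])
    if length < 12 + spi_size or length > len(buf):
        raise ValueError("Payload Length inconsistent with SPI Size or buffer")
    return Notify(nxt, doi, proto, mtype, buf[12:12 + spi_size], buf[12 + spi_size:length])

def decide(buf: bytes, local_private: dict) -> tuple:
    """Return (action, detail). local_private is a hypothetical table of the
    private Message Types this server itself defines (type -> name)."""
    try:
        n = parse_notify(buf)
    except ValueError as e:
        return ("reject", f"PAYLOAD-MALFORMED: {e}")   # malformed: discard, may answer with error
    if n.msg_type in ERROR_NAMES:
        return ("act", ERROR_NAMES[n.msg_type])
    if n.msg_type in STATUS_NAMES:
        return ("act", STATUS_NAMES[n.msg_type])
    if n.msg_type in local_private:
        return ("act", local_private[n.msg_type])      # peer uses a private type we know
    if n.msg_type in PRIVATE_ERROR or n.msg_type in PRIVATE_STATUS:
        return ("ignore", f"unknown private type {n.msg_type}; log and drop")
    return ("ignore", f"reserved type {n.msg_type}; log and drop")

# Constructed sample: DOI 1 (IPSEC), Protocol-ID 1 (ISAKMP), 8-byte SPI,
# private status type 32800 carrying 4 bytes of "environment" data.
SAMPLE = struct.pack("!BBHIBBH", 0, 0, 24, 1, 1, 8, 32800) + b"\x11" * 8 + b"env1"
```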