Actually, just "yes", not "definitely". All payloads in the IKE_SA_INIT are protected by the AUTH payload in the IKE_AUTH exchange, so if crypto works, a third party will not be able to tinker with it.
On the other hand, at the end of the IKE_SA_INIT exchange, there is no IKE SA, so setting up some properties of that as-yet-non-existent IKE SA seems premature to me. I think it should be in all but the IKE_SA_INIT exchange (and also not in unprotected informational).

________________________________
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
Sent: Thursday, April 02, 2009 3:52 PM
To: Scott C Moonen
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

Definitely

________________________________
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Scott C Moonen
Sent: Thursday, April 02, 2009 3:48 PM
To: Yaron Sheffer
Cc: IPsecme WG
Subject: Re: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?

> From Appendix C: The specification does not say which messages can contain
> N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is not
> yet shown below.
>
> SF discussion: Paul said, "wherever you wish."

Should we prohibit or at least discourage it in the IKE_SA_INIT exchange so that it is not susceptible to third-party tinkering?

Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen

From: Yaron Sheffer <yar...@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: 04/01/2009 04:39 PM
Subject: [IPsec] Issue #2: Where does N(SET_WINDOW_SIZE) go?
________________________________

> From Appendix C: The specification does not say which messages can contain
> N(SET_WINDOW_SIZE). It can possibly be included in any message, but it is not
> yet shown below.

SF discussion: Paul said, "wherever you wish."

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
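The point made in the top reply, that the IKE_SA_INIT payloads are covered by the AUTH payload sent in IKE_AUTH, shown as an added example that is not part of the thread. It follows the shared-key AUTH computation of RFC 4306 section 2.15 and assumes HMAC-SHA-256 as the PRF; the key, nonce, SK_pi, ID and the opaque stand-in for the SA/KE/Ni payloads are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

SET_WINDOW_SIZE = 16385  # Notify Message Type (RFC 4306, section 3.10.1)
IKE_SA_INIT = 34         # Exchange Type

def prf(key, data):
    # Assumption: the negotiated PRF is HMAC-SHA-256.
    return hmac.new(key, data, hashlib.sha256).digest()

def notify_set_window_size(window):
    # Notify body: Protocol ID 0, SPI Size 0, message type, 4-octet window size.
    body = struct.pack("!BBHI", 0, 0, SET_WINDOW_SIZE, window)
    # Generic payload header: next payload, flags/reserved, payload length.
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def ike_sa_init_request(spi_i, other_payloads, window):
    # other_payloads is an opaque stand-in for the SA, KE and Ni payloads.
    payloads = other_payloads + notify_set_window_size(window)
    # Header: SPIi, SPIr = 0, next payload (SA), version 2.0, exchange type,
    # Initiator flag, Message ID 0, total length.
    fixed = struct.pack("!BBBBII", 33, 0x20, IKE_SA_INIT, 0x08, 0, 28 + len(payloads))
    return spi_i + bytes(8) + fixed + payloads

def initiator_auth(psk, message1, nonce_r, sk_pi, id_i_body):
    # InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)
    signed_octets = message1 + nonce_r + prf(sk_pi, id_i_body)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)

def responder_accepts(psk, received_message1, nonce_r, sk_pi, id_i_body, auth):
    # The responder recomputes AUTH over the request exactly as it arrived.
    expected = initiator_auth(psk, received_message1, nonce_r, sk_pi, id_i_body)
    return hmac.compare_digest(expected, auth)

def with_window_changed(message1, window):
    # Models a change made in transit: the window value is the last 4 octets.
    return message1[:-4] + struct.pack("!I", window)

# Constructed sample values (not from the thread).
PSK, SK_PI, NONCE_R = b"constructed-psk", bytes(range(32)), bytes(range(32, 64))
ID_I_BODY = struct.pack("!B3x", 2) + b"initiator.example"  # ID_FQDN
SENT = ike_sa_init_request(bytes(range(1, 9)), bytes(64), window=4)
AUTH = initiator_auth(PSK, SENT, NONCE_R, SK_PI, ID_I_BODY)

def demo():
    # Returns (accepted when untouched, accepted when the window was altered).
    altered = with_window_changed(SENT, 1)
    return (responder_accepts(PSK, SENT, NONCE_R, SK_PI, ID_I_BODY, AUTH),
            responder_accepts(PSK, altered, NONCE_R, SK_PI, ID_I_BODY, AUTH))
```

The altered request is only rejected once IKE_AUTH is processed, which is the timing concern the same reply raises about acting on the value before an IKE SA exists.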