Scott C Moonen writes:
> > From Appendix C: The specification does not say which messages can
> > contain N(SET_WINDOW_SIZE). It can possibly be included in any message,
> > but it is not yet shown below.
> >
> > SF discussion: Paul said, “wherever you wish.”
>
> Should we prohibit or at least discourage it in the IKE_SA_INIT exchange
> so that it is not susceptible to third-party tinkering?
The full contents of the IKE_SA_INIT message are also authenticated after the IKE_AUTH finishes, so there is no security reason to discourage it in the IKE_SA_INIT. Of course there are other reasons not to send it in the IKE_SA_INIT: IKE_SA_INIT should be kept as small as possible. Also, the window size only takes effect after the IKE_AUTH finishes.

-- 
kivi...@iki.fi
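To make the deferral concrete, here is an added Python example (not code from this thread or from any IKEv2 implementation) that encodes and parses the N(SET_WINDOW_SIZE) notify body in the RFC 7296 layout and keeps the window at one until IKE_AUTH has completed, whichever exchange carried the notify. The IkeSa class, its pending_window field and the on_ike_auth_complete hook are assumptions of this example.

```python
import struct

# IKEv2 Notify Message Type for SET_WINDOW_SIZE (RFC 7296); the data is a 4-octet window size.
SET_WINDOW_SIZE = 16385


def build_notify(notify_type, data, protocol_id=0, spi=b""):
    """Encode a Notify payload body: Protocol ID, SPI Size, Notify Message Type, SPI, data."""
    return struct.pack("!BBH", protocol_id, len(spi), notify_type) + spi + data


def parse_notify(body):
    """Decode a Notify payload body into (protocol_id, spi, notify_type, data)."""
    if len(body) < 4:
        raise ValueError("notify body too short")
    protocol_id, spi_size, notify_type = struct.unpack("!BBH", body[:4])
    spi = body[4:4 + spi_size]
    if len(spi) != spi_size:
        raise ValueError("truncated SPI")
    return protocol_id, spi, notify_type, body[4 + spi_size:]


class IkeSa:
    """Toy IKE SA state (an assumption of this example) that tracks only window handling."""

    def __init__(self):
        self.window_size = 1        # RFC 7296: the window is one until the initial exchanges complete
        self.pending_window = None  # size requested before authentication, applied later
        self.authenticated = False

    def on_notify(self, body):
        """Handle a received notify; a SET_WINDOW_SIZE only takes effect on an authenticated SA."""
        _, _, ntype, data = parse_notify(body)
        if ntype != SET_WINDOW_SIZE:
            return
        if len(data) != 4:
            raise ValueError("SET_WINDOW_SIZE data must be 4 octets")
        (size,) = struct.unpack("!I", data)
        if size < 1:
            raise ValueError("window size must be at least 1")
        if self.authenticated:
            self.window_size = size
        else:
            # Seen in IKE_SA_INIT: the live window stays at one. The IKE_SA_INIT bytes
            # are covered by the AUTH payload, so any tampering is caught when IKE_AUTH verifies.
            self.pending_window = size

    def on_ike_auth_complete(self):
        """Called once IKE_AUTH verifies; a window requested in IKE_SA_INIT takes effect now."""
        self.authenticated = True
        if self.pending_window is not None:
            self.window_size = self.pending_window
            self.pending_window = None
```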
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec