Thanks Yoav.

>> First the responder should match the SA payload to its own policy. If a
>> match is found, the responder can compare the DH group in the matched
>> proposal to the one in the KE payload

I agree this option seems to make the most sense.

From: Yoav Nir [mailto:[email protected]]
Sent: Sunday, January 16, 2011 11:54 PM
To: Gaurav Poothia; [email protected]
Cc: Stephen Bensley; Brian Swander; Gabriel Montenegro
Subject: RE: IKEv2 Diffie Hellman retry logic

1. Yes
2. No. In that case, the correct response is NO_PROPOSAL_CHOSEN.
3. That is not correct processing. First the responder should match the SA payload to its own policy. If a match is found, the responder can compare the DH group in the matched proposal to the one in the KE payload.

The hint in the INVALID_KE_PAYLOAD notification is the group in the common proposal.

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Gaurav Poothia
Sent: 16 January 2011 23:01
To: [email protected]
Cc: Stephen Bensley; Brian Swander; Gabriel Montenegro
Subject: [IPsec] IKEv2 Diffie Hellman retry logic

Scenario: When the IKEv2 initiator guesses an incorrect DH group and the responder sends back the DH group hint in an INVALID_KE_PAYLOAD notification.

A couple of questions around this:

On what basis does the responder reject the DH group?
1. Because the best-match initiator SA payload proposal (against responder policy) has a different DH group from the KE payload
2. Because the responder, after looking at all the initiator SA payload proposals with the DH group from the KE payload, finds none of the initiator proposals acceptable
3. Because the responder altogether ignores the initiator proposals (SA payload) and only checks to see that the DH group in the KE payload doesn't figure in its own policy at all

To paraphrase:
Case 1 looks like it will have IKEv1 parity in terms of using the best policy match and restarting negotiation if the initial KE guess doesn't match up to that.
Case 2 will do worse than IKEv1 by not forcing the best policy match but, by proceeding with an inferior and acceptable match, will save an extra round trip.
Case 3 is actually non-deterministic because the hint is not guaranteed to work (since other transforms have not been evaluated while choosing the hint).

Once rejected, on what basis does the responder choose the DH group to put in the INVALID_KE_PAYLOAD hint (corresponding to the above rejection criteria)?
* For cases 1 & 2: It is the DH group in the initiator SA proposal that facilitates the best policy match (against responder policy).
* For case 3: it is the DH group in the responder's most preferred proposal.

Thanks
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
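Yoav's reply describes a two-step responder check: match the SA payload against local policy first, and only then compare the DH group of the matched proposal with the KE payload, answering INVALID_KE_PAYLOAD with the group from the common proposal on a mismatch and NO_PROPOSAL_CHOSEN when nothing matches at all. The Python model below is an added illustration of that ordering, written for this archive page; it is not code from the thread, from the IETF, or from any IKEv2 implementation. The proposal representation (a dict of transform type to an ordered list of transform IDs), the function names and the sample proposals are all constructed assumptions, and keeping the initiator's KE group whenever the matched proposal already allows it is a design choice made here to avoid a needless retry, not something the thread states.

```python
"""Toy model of the IKEv2 responder's SA/KE processing discussed in the thread.

Constructed example, not code from the mailing list, the IETF, or any IKE
implementation.  A proposal is represented as a dict mapping transform type to
an ordered list (sender's preference first) of acceptable transform IDs; the
"DH" entries stand for IKEv2 Diffie-Hellman group numbers.
"""

TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def select_proposal(initiator_proposals, responder_policy):
    """Step 1: match the SA payload against the responder's own policy.

    Walks the initiator's proposals in order and, for each, the responder's
    policy entries in order; the first pair with at least one transform in
    common for every transform type is the match (case 1 in the thread: the
    best policy match decides, before the KE group is looked at).  For
    ENCR/PRF/INTEG the responder's most preferred common transform is chosen;
    for DH the whole list of common groups is kept (responder preference
    order) so the KE check can run against it.  Returns None on no match.
    """
    for init in initiator_proposals:
        for policy in responder_policy:
            chosen = {}
            for ttype in TRANSFORM_TYPES:
                offered = set(init.get(ttype, []))
                common = [t for t in policy.get(ttype, []) if t in offered]
                if not common:
                    break  # this pair cannot be used; try the next policy entry
                chosen[ttype] = common if ttype == "DH" else common[0]
            else:
                return chosen  # every transform type had a common choice
    return None


def process_ike_sa_init(initiator_proposals, ke_group, responder_policy):
    """Steps 1 and 2 in Yoav's order: match the SA first, only then check KE.

    Returns one of
      ("NO_PROPOSAL_CHOSEN", None)        no proposal is acceptable at all
      ("INVALID_KE_PAYLOAD", hint_group)  SA matched, but the KE group is not
                                          one the matched proposal allows; the
                                          hint is the responder's preferred
                                          group from that common proposal
      ("OK", chosen_transforms)           KE group fits the matched proposal
    """
    chosen = select_proposal(initiator_proposals, responder_policy)
    if chosen is None:
        return ("NO_PROPOSAL_CHOSEN", None)
    common_groups = chosen["DH"]
    if ke_group in common_groups:
        # Design choice (assumption): keep the initiator's guess when the
        # matched proposal allows it, so no round trip is wasted.
        chosen["DH"] = ke_group
        return ("OK", chosen)
    return ("INVALID_KE_PAYLOAD", common_groups[0])


def initiator_negotiate(initiator_proposals, first_guess, responder_policy):
    """Drive the exchange from the initiator's side with at most one retry.

    Because the hint comes from a proposal both sides already agree on, the
    retry is guaranteed to pass the KE check (the property case 3 lacks).
    Returns (ike_sa_init_exchanges_sent, final_status, final_payload).
    """
    status, payload = process_ike_sa_init(initiator_proposals, first_guess, responder_policy)
    exchanges = 1
    if status == "INVALID_KE_PAYLOAD":
        status, payload = process_ike_sa_init(initiator_proposals, payload, responder_policy)
        exchanges += 1
    return (exchanges, status, payload)


# Constructed sample data: the initiator prefers AES-GCM with group 14 but also
# offers group 19; the responder's top policy entry only allows groups 19/20.
# A case-1 responder matches the first proposal, finds KE group 14 unusable
# there, and hints 19.  A case-2 responder would instead have settled for the
# second (AES-CBC, group 14) proposal without a retry.
INITIATOR_PROPOSALS = [
    {"ENCR": ["AES_GCM_16_256"], "PRF": ["HMAC_SHA2_256"],
     "INTEG": ["NONE"], "DH": [14, 19]},
    {"ENCR": ["AES_CBC_256"], "PRF": ["HMAC_SHA2_256"],
     "INTEG": ["HMAC_SHA2_256_128"], "DH": [14]},
]
RESPONDER_POLICY = [
    {"ENCR": ["AES_GCM_16_256"], "PRF": ["HMAC_SHA2_256", "HMAC_SHA2_512"],
     "INTEG": ["NONE"], "DH": [19, 20]},
    {"ENCR": ["AES_CBC_256"], "PRF": ["HMAC_SHA2_256"],
     "INTEG": ["HMAC_SHA2_256_128"], "DH": [14]},
]

if __name__ == "__main__":
    print(process_ike_sa_init(INITIATOR_PROPOSALS, 14, RESPONDER_POLICY))
    print(initiator_negotiate(INITIATOR_PROPOSALS, 14, RESPONDER_POLICY))
```

With the sample data a first guess of group 14 costs one extra IKE_SA_INIT exchange and ends on the responder's preferred AES-GCM proposal with group 19, whereas a policy with no transform in common returns NO_PROPOSAL_CHOSEN even when the KE group itself appears in that policy, which is the distinction Yoav draws between questions 2 and 3.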
