FYI, and this is the last one. I think 3GPP should have someone who
knows a bit more of IPsec and IKEv2, when they are trying to add things
to IKEv2. It would be better to get comments on how they should do things
earlier than in the IANA allocation phase.
--- Begin Message ---
Michelle Cotton via RT writes:
> On Thu Nov 05 09:35:29 2015, [email protected] wrote:
> >
> > Contact Name:
> > Frederic Firmin
> >
> > Contact Email:
> > [email protected]
> >
> > Type of Assignment:
> > New item in the "IKEv2 Configuration Payload Attribute Types" of the
> > "Internet Key Exchange Version 2 (IKEv2) Parameters" as shown at
> > http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21
> > and as specified in IETF RFC 4306
> > and updated by IETF RFC 5996 and IETF RFC 7296.
> >
> > Registry:
> > The "IKEv2 Configuration Payload Attribute Types" of the "Internet Key
> > Exchange Version 2 (IKEv2) Parameters" as shown at
> > http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21
> > and as specified in IETF RFC 4306
> > and updated by IETF RFC 5996 and IETF RFC 7296.
> >
> > Description:
> > This IKEv2 attribute is used to indicate establishment for emergency
> > session.
> >
> > Additional Info:
> > IETF RFC 4306 defines the registry for the "IKEv2 Configuration
> > Payload Attribute Types". IETF RFC 7296 and IETF RFC 5996 refer to
> > IETF RFC 4306 for the definition of the registry.
> > The following attribute is requested to be registered:
> > - value: (number to be assigned by IANA)
> > - attribute type: EMERGENCY_IND
> > - multi-valued: no
> > - length: 0 octets
> > - reference: http://www.3gpp.org/ftp/Specs/html-info/24302.htm
Again this has similar problems. This is not a configuration value.
This is something that is also needed before the configuration request
is even parsed. Configuration payloads are usually only processed
after the full authentication is done and when the final IKE_AUTH
message is to be sent back, as that is the place where we have all the
information to provide the reply, i.e. in that case it might be too
late to change something like how the IDr fields are used. Section
7.4.4 of 24302-d30 says that if this attribute is included, then APN
information in the IDr is ignored.
It actually would be much better to use some special string for the
IDr in the IKE_AUTH request to indicate that we are doing emergency
session establishment. I.e. IDr is supposed to tell which service we
want to connect. If that value would be for example the string "EMERGENCY"
or similar, then that could be used to select suitable IPsec policy
based on the fact that we are doing the emergency session establishment,
and it would be a clear separation from the normal session
establishment.
--
[email protected]
--- End Message ---
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
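
Added example, not part of the original thread and not code from any IKEv2 implementation: a sketch of the responder processing order the reply describes, where policy is chosen from IDr first and the Configuration payload is parsed only when the final IKE_AUTH reply is built. Payload layouts follow RFC 7296; the EMERGENCY_IND number is a placeholder from the private-use range, and the function names, policy table and payload bytes are constructed assumptions.

```python
import struct

CFG_REQUEST = 1            # RFC 7296 section 3.15
ID_FQDN = 2                # RFC 7296 section 3.5
INTERNAL_IP4_ADDRESS = 1   # RFC 7296 section 3.15.1
EMERGENCY_IND = 16384      # placeholder (private-use range); the page has no assigned value

def parse_idr(body):
    """ID payload body: ID type (1), RESERVED (3), identification data."""
    if len(body) < 4:
        raise ValueError("truncated ID payload")
    return body[0], body[4:]

def parse_cp(body):
    """CP payload body: CFG type (1), RESERVED (3), then attributes laid out as
    R (1 bit) | type (15 bits) | length (16 bits) | value (length octets)."""
    if len(body) < 4:
        raise ValueError("truncated CP payload")
    attrs, off = {}, 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!HH", body, off)
        off += 4
        if off + length > len(body):
            raise ValueError("attribute value overruns payload")
        attrs[t & 0x7FFF] = body[off:off + length]  # zero-length value is b""
        off += length
    return body[0], attrs

def select_policy(idr_body, policies):
    """Step 1 (hypothetical): policy lookup sees only IDr, not the CP payload."""
    id_type, data = parse_idr(idr_body)
    if id_type != ID_FQDN:
        raise ValueError("unsupported IDr type")
    return policies.get(data.decode("ascii"))

def emergency_flag_seen_late(cp_body):
    """Step 2 (hypothetical): CP is parsed while building the final reply."""
    cfg_type, attrs = parse_cp(cp_body)
    return cfg_type == CFG_REQUEST and EMERGENCY_IND in attrs

# Constructed sample payload bodies (not captured traffic).
POLICIES = {"internet.example": "normal", "EMERGENCY": "emergency"}
IDR_APN = bytes([ID_FQDN, 0, 0, 0]) + b"internet.example"
IDR_EMERGENCY = bytes([ID_FQDN, 0, 0, 0]) + b"EMERGENCY"
CP_WITH_FLAG = (bytes([CFG_REQUEST, 0, 0, 0])
                + struct.pack("!HH", INTERNAL_IP4_ADDRESS, 0)
                + struct.pack("!HH", EMERGENCY_IND, 0))
```

With IDR_APN and CP_WITH_FLAG together, select_policy has already returned the normal policy by the time emergency_flag_seen_late reports the attribute; with IDR_EMERGENCY the emergency policy is selected in the first step.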