question about Security OPN Msg
- To: <rap@ops.ietf.org>
- Subject: question about Security OPN Msg
- From: "sunjian" <jians@huawei.com>
- Date: Fri, 23 Feb 2001 09:50:31 +0800
- Delivery-date: Thu, 22 Feb 2001 17:43:10 -0800
- Envelope-to: rap-data@psg.com
In the COPS protocol, RFC 2748:
====================================================
4.1 Security and Sequence Number Negotiation
............
Otherwise, security can be initiated by the PEP if it sends the PDP a
Client-Open message with Client-Type=0 before opening any other
Client-Type. If the PDP receives a Client-Open with a Client-Type=0
after another Client-Type has already been opened successfully it
MUST return a Client-Close message (for Client-Type=0) to that PEP.
This first Client-Open message MUST specify a Client-Type of zero and
MUST provide the PEPID and a COPS Integrity object. This Integrity
object will contain the initial sequence number the PEP requires the
..........
====================================================
It is said that:
" If the PDP receives a Client-Open with a Client-Type=0
after another Client-Type has already been opened successfully it
MUST return a Client-Close message (for Client-Type=0) to that PEP.
"
The first question:
I think the "another Client-Type" here does not equal 0.
Then there are two cases corresponding to this statement.
A.
PEP                                  PDP
OPN 1(Client-Type = 0) ->
                                  <- CAT 1(Client-Type = 0)
OPN 2(Client-Type A)   ->
                                  <- CAT 2(Client-Type A)
...........
OPN 3(Client-Type B)   ->
                                  <- CAT 3(Client-Type B)
...........
OPN 4(Client-Type = 0) ->            I think when the PDP gets this, the PDP can do just as described in RFC 2748 4.1:
================================
If any subsequent received message
contains the wrong sequence number, an unknown Key ID, an invalid
message digest, or is missing an Integrity object after integrity was
negotiated, then a Client-Close message MUST be generated for the
Client-Type zero containing a valid Integrity object and specifying
the appropriate error code. The connection should then be dropped.
================================
                                  <- step 1: CC 4(Client-Type = 0)
                                     step 2: close all the Client-Type A,B (do not send
                                             CC(Client-Type A,B))
                                     step 3: after some time, close the TCP connection.
Are these steps right?
B.
PEP                                  PDP
OPN 1(Client-Type A)   ->
                                  <- CAT 2(Client-Type A)
...........
OPN 2(Client-Type B)   ->
                                  <- CAT 3(Client-Type B)
...........
OPN 3(Client-Type = 0) ->
                                  <- step 1: CC 3(Client-Type = 0)
What should the following steps be? I think in this case I
should not close Client-Type A,B; it is the responsibility of the PEP to close
Client-Type A,B (send the PDP the Client-Type A,B CC), then send OPN
3(Client-Type = 0).
The second question:
I do not know if there are any other cases with the statement at the beginning of
the letter;
I really fall into some logic confusion with this statement!
I think it can all be controlled by the PEP itself to decide when to send out the OPN
(Client-Type = 0). If it wants another security negotiation, why not close all the
established Client-Types first, or it will always get a CC (Client-Type = 0)? Then
the statement
========================================================
"If the PDP receives a Client-Open with a Client-Type=0
after another Client-Type has already been opened successfully it
MUST return a Client-Close message (for Client-Type=0) to that PEP.
"
========================================================
seems unnecessary, and the cases in the first question will not exist.
Can someone help me out?
Thank you very much!
Sunjian
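As an added illustration (not part of the mail above, and not RFC 2748 text or any real COPS implementation), the following Python model applies the two section 4.1 rules quoted in the question to the mail's cases A and B. Messages are plain objects rather than COPS wire format; the PDP class, the `Msg` fields and the "sequence number advances by one per message" behaviour are assumptions of the model. Where the mail asks what the PDP should do with the already-opened Client-Types A and B after sending the Client-Close for Client-Type 0, the model deliberately leaves them untouched, since the quoted text does not answer that.

```python
"""Toy model of the two RFC 2748 section 4.1 rules quoted in the mail.

Added illustration only: not RFC text and not a COPS implementation.
Messages are plain Python objects, and the PDP keeps just enough state
to apply the quoted rules.
"""
from dataclasses import dataclass, field
from typing import Optional

SECURITY_CLIENT_TYPE = 0  # Client-Type 0 carries security / sequence negotiation


@dataclass
class Msg:
    """A COPS message reduced to the fields the quoted rules look at (model assumption)."""
    kind: str                   # "OPN" (Client-Open) or "DATA" (any later message)
    client_type: int = 0
    seq: Optional[int] = None   # sequence number carried in the Integrity object
    has_integrity: bool = False


@dataclass
class Pdp:
    open_types: set = field(default_factory=set)  # Client-Types opened so far
    security_negotiated: bool = False
    expected_seq: Optional[int] = None
    connection_open: bool = True

    def handle(self, msg: Msg):
        """Return the PDP's reply as ("CAT", ct) or ("CC", ct), or None if no reply."""
        if not self.connection_open:
            return None

        # Second quoted block: once integrity is negotiated, every later message
        # must carry an Integrity object with the expected sequence number, else
        # the PDP sends Client-Close for Client-Type 0 and drops the connection.
        # Model assumption: the expected number advances by one per message.
        if self.security_negotiated:
            if not msg.has_integrity or msg.seq != self.expected_seq:
                self.connection_open = False
                return ("CC", SECURITY_CLIENT_TYPE)
            self.expected_seq += 1

        if msg.kind != "OPN":
            return None

        if msg.client_type == SECURITY_CLIENT_TYPE:
            # First quoted block: a security Client-Open arriving after some other
            # Client-Type was opened is answered with Client-Close for Client-Type 0.
            # The fate of the other Client-Types is the mail's open question, so the
            # model leaves open_types alone here.
            if any(ct != SECURITY_CLIENT_TYPE for ct in self.open_types):
                return ("CC", SECURITY_CLIENT_TYPE)
            # Model assumption: the security Client-Open carries the Integrity
            # object with the initial sequence number, as the RFC requires.
            self.security_negotiated = True
            self.expected_seq = msg.seq + 1
            self.open_types.add(SECURITY_CLIENT_TYPE)
            return ("CAT", SECURITY_CLIENT_TYPE)

        # Any other Client-Type is simply accepted (the model checks no policy).
        self.open_types.add(msg.client_type)
        return ("CAT", msg.client_type)


def scenario_a():
    """Mail's case A: security first, then A and B, then a second Client-Type 0."""
    pdp = Pdp()
    replies = [
        pdp.handle(Msg("OPN", 0, seq=100, has_integrity=True)),  # OPN 1
        pdp.handle(Msg("OPN", 1, seq=101, has_integrity=True)),  # OPN 2, Client-Type A
        pdp.handle(Msg("OPN", 2, seq=102, has_integrity=True)),  # OPN 3, Client-Type B
        pdp.handle(Msg("OPN", 0, seq=103, has_integrity=True)),  # OPN 4
    ]
    return replies, pdp


def scenario_b():
    """Mail's case B: A and B opened without security, then Client-Type 0."""
    pdp = Pdp()
    replies = [
        pdp.handle(Msg("OPN", 1)),                               # Client-Type A
        pdp.handle(Msg("OPN", 2)),                               # Client-Type B
        pdp.handle(Msg("OPN", 0, seq=100, has_integrity=True)),  # OPN 3
    ]
    return replies, pdp


def scenario_bad_sequence():
    """Second rule: a later message with a wrong sequence number drops the connection."""
    pdp = Pdp()
    replies = [
        pdp.handle(Msg("OPN", 0, seq=100, has_integrity=True)),
        pdp.handle(Msg("OPN", 1, seq=101, has_integrity=True)),
        pdp.handle(Msg("DATA", 1, seq=105, has_integrity=True)),  # expected 102
    ]
    return replies, pdp


if __name__ == "__main__":
    for name, run in (("A", scenario_a), ("B", scenario_b), ("bad seq", scenario_bad_sequence)):
        replies, pdp = run()
        print(name, replies, "open:", sorted(pdp.open_types), "conn:", pdp.connection_open)
```

In both case A and case B the fourth (resp. third) Client-Open with Client-Type 0 gets a Client-Close for Client-Type 0, which is all the first quoted paragraph decides; the model keeps A and B open and the connection up, because the quoted text says nothing further for that case. Only the sequence-number failure in the third scenario, which the second quoted paragraph does cover, closes the connection.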