3.8.7.1 GSS-API Start

When the initiator starts a GSS-API exchange, it MUST begin by sending a packet formatted as specified in the following diagram, and transition into the GSS-API Request Sent state.

Figure 28: GSS-API initial exchange packet

The initiator MUST start the GSS handshake by using the first GSS-API type that is returned in the Auth payload of the responder (see section 3.2.5.1 for Main Mode, or section 3.7.5.1 for Extended Mode).

The message MUST be constructed as follows:

  • HDR: The ISAKMP header MUST have identical format to the first IKE phase 2 initiator packet (as specified in [RFC2409] section 5.5), except that the exchange type MUST be 243 (MM exchange type). The Encrypted flag SHOULD NOT be set.<20>

  • The remaining payloads MUST follow a non-encrypted Crypto payload.

  • GSS-API: As specified in [GSS] and section 2.2.3.1. If the initiator is using explicit credentials, it MUST set the GSS_EXPLICIT_CREDENTIALS in the Flags field of the GSS-API payload to "1" (see section 2.2.3.1).
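As an added illustration (not part of the specification), the following Python builds the clear-text ISAKMP header for this packet and checks a received header against the rules stated above: exchange type 243, Encrypted flag clear, and the phase 2 header format of [RFC2409] section 5.5 (both cookies and a non-zero Message ID). The Crypto payload type value and the sample cookies are placeholders, since the payload type registry of section 2.2 is not reproduced here.

```python
import struct

# RFC 2408 section 3.1 ISAKMP header: I-cookie(8) R-cookie(8) NextPayload(1)
# Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4), network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10        # major 1, minor 0
MM_EXCHANGE_TYPE = 243       # AuthIP MM exchange type named in this section
FLAG_ENCRYPTED = 0x01        # RFC 2408 Flags bit 0, the "E" (Encryption) bit
NEXT_PAYLOAD_CRYPTO = 0xFE   # PLACEHOLDER: real Crypto payload type is in MS-AIPS 2.2, not on this page


def build_gss_start_header(init_cookie, resp_cookie, message_id, total_len):
    """Build the clear-text ISAKMP header for the GSS-API start packet."""
    if len(init_cookie) != 8 or len(resp_cookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    return ISAKMP_HDR.pack(init_cookie, resp_cookie, NEXT_PAYLOAD_CRYPTO,
                           ISAKMP_VERSION, MM_EXCHANGE_TYPE, 0, message_id, total_len)


def check_gss_start_header(packet):
    """Return the list of deviations from this section's header rules; empty means compliant."""
    problems = []
    if len(packet) < ISAKMP_HDR.size:
        return ["header truncated (%d bytes, need %d)" % (len(packet), ISAKMP_HDR.size)]
    _ic, rc, _np, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(packet)
    if version != ISAKMP_VERSION:
        problems.append("version 0x%02x is not ISAKMP 1.0" % version)
    if exch != MM_EXCHANGE_TYPE:
        problems.append("exchange type %d is not the MM exchange type 243" % exch)
    if flags & FLAG_ENCRYPTED:
        problems.append("Encrypted flag set; the GSS-API start packet is sent in the clear")
    if rc == b"\x00" * 8:
        problems.append("responder cookie is zero; phase 2 format needs both cookies set")
    if msg_id == 0:
        problems.append("Message ID is zero; phase 2 format needs a non-zero Message ID")
    if length != len(packet):
        problems.append("Length field %d does not match packet size %d" % (length, len(packet)))
    return problems


# Constructed sample: cookies and Message ID are arbitrary values, not captured data.
SAMPLE_PACKET = build_gss_start_header(b"\x11" * 8, b"\x22" * 8, 0x5A5A5A5A, 28)
```

A monitor can apply `check_gss_start_header` to the first 28 bytes of an inbound UDP/500 or UDP/4500 datagram to flag malformed or unexpectedly encrypted GSS-API start packets.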