
Re: Photuris questions



>  > Can the
>  > initiator indicate to the responder that it demands that the responder choose
>  > privacy for the responder-initiator ESP?
>  >
>  Huh?  All responder->initiator SPIs are chosen BY the initiator from the
>  responder's list of supported attributes.  That takes care of "demand".

No, not really.  The initiator must indicate it supports at least one
hash method, and the responder is free to choose this with AH as its
corresponding security association, without being aware that the
initiator expects, desires, frantically demands ESP in return.

>  But the responder can simply refuse to support privacy.  Photuris was
>  designed to work on all nets including AMPR nets, and they are not allowed
>  to encrypt at all!

If the responder refuses to accede to the expectations of the initiator,
it would be nice for the two of them to part with mutual understanding of
the cause of their estrangement.  In the current situation, the responder
would be baffled if the exchange terminated abnormally.

