
Re: ISAKMP SA negotiation

> That might be what you'd do but my implementation chooses P2. In the
> example, B has his own policy priority settings; he wants P2 over P1.
> In fact, if A offered P1, P2, P3, P4 and B wanted P4, P2, P1, P3, B
> would select P4. I never let someone else override my local policy. It
> was set like that for a reason.

And what was that reason? :-)

If A offered P1, you'd select P1.
If A offered P2, you'd select P2.
If A offered P3, you'd select P3.
But if A offered P1,P2,P3,P4 you'd select P4.

If all of the proposals are acceptable to your local policy, it's hard
to make the argument that one is "more acceptable" than another, or
that A's definition of "more acceptable" should be more or less valid
than B's.

One could document that one or the other behavior is required in this
situation, but that wouldn't result in any greater interoperability
than leaving it unspecified.  I claim that it wouldn't result in "more
security" either.
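The two responder behaviours discussed in this thread, written out as an added example that is not part of the original message or of either poster's implementation. The proposal names P1..P4 are the thread's own placeholders; the function names and the list-based policy representation are assumptions made here. Both rules only ever return a proposal that is in the intersection of what the initiator offered and what the responder's local policy permits; they differ only in whose ordering breaks the tie, which is the point the reply is making.

```python
# Added example: responder-side proposal selection for an ISAKMP SA
# negotiation. "offered" is the initiator's proposal list in the initiator's
# order of preference; "local_policy" is the responder's own priority list.
# Proposal identifiers (P1..P4) are the thread's placeholders, not real
# transform or cipher-suite ids.

def acceptable(offered, local_policy):
    """Proposals the responder may accept at all: the intersection of what
    was offered and what local policy permits, in the initiator's order.
    Anything outside this set must be rejected regardless of ordering rule."""
    allowed = set(local_policy)
    return [p for p in offered if p in allowed]


def select_initiator_preference(offered, local_policy):
    """Honour the initiator's ordering: the first offered proposal that local
    policy permits (the behaviour the reply argues is equally valid)."""
    allowed = set(local_policy)
    for p in offered:
        if p in allowed:
            return p
    return None  # no proposal in common: negotiation fails


def select_responder_preference(offered, local_policy):
    """Honour the responder's ordering: the first locally preferred proposal
    that the initiator also offered (the behaviour of the quoted
    implementation, which "never lets someone else override local policy")."""
    offered_set = set(offered)
    for p in local_policy:
        if p in offered_set:
            return p
    return None  # no proposal in common: negotiation fails


def negotiate(offered, local_policy, rule):
    """Run one selection rule and sanity-check the result: whichever ordering
    wins, the chosen proposal must be one both sides find acceptable."""
    choice = rule(offered, local_policy)
    if choice is not None and choice not in acceptable(offered, local_policy):
        raise AssertionError("selection rule returned a proposal outside local policy")
    return choice


if __name__ == "__main__":
    # The example from the thread: A offers P1,P2,P3,P4; B's policy wants P4,P2,P1,P3.
    offered = ["P1", "P2", "P3", "P4"]
    local_policy = ["P4", "P2", "P1", "P3"]
    print("initiator-preference rule picks:", negotiate(offered, local_policy, select_initiator_preference))
    print("responder-preference rule picks:", negotiate(offered, local_policy, select_responder_preference))
```

With the thread's example the initiator-preference rule picks P1 and the responder-preference rule picks P4; when A offers a single proposal, or when only one proposal is in common, both rules necessarily agree. The `negotiate` wrapper is the check a practitioner actually cares about: whatever ordering a responder honours, it must never select a proposal its own policy does not list, and a negotiation with no common proposal fails rather than falling through to something unintended.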