Re: Which comes first?
First off...
What PF_KEYv2 does is orthogonal w.r.t. the original question. I like
Karen's text, and where I think she puts it is where it will do the most
good. I'll trust her judgement on this.
Now on to something else...
> Well since PF_KEYv2 is not an IPSec draft
Because it's not just for IPsec.
> and the authors of PF_KEYv2 chose to define their own monolithic,
> one-dimensional number space instead of using IPSec-approved DOI values
> (and including a DOI-type field in the sadb_sa struct to multiplex things
> like IPSec and RIPv2 in exactly the same manner that ISAKMP can)
Not every protocol will have a DOI, and not every KM scheme will have the same
concept of DOI.
> and since they chose to impose unnecessary restrictions on the behavior of
> ISAKMP/Oakley I'd like to know why PF_KEYv2 implementations (still haven't
> seen one yet) should have _any_ impact on IPSec documents.
The first bit notwithstanding, PF_KEYv2 imps. should not have any impact on
IPsec documents. If it does, there's a bug somewhere. They are orthogonal
problems, which is why we, the authors, chose to keep it out of the ipsec
group.
<Sigh.>
My bottom line is that PF_KEYv2 takes its keys separately. The order in
which you derive said keys (which WAS the original question) is irrelevant.
And the snipped text Dan brings up is a question of WHERE that derivation takes
place, not HOW.
Dan McD.
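The "takes its keys separately" point above is visible in the PF_KEYv2 message layout itself. What follows is an added example, not code from this thread or from any PF_KEY implementation: it builds an SADB_ADD message for one ESP SA with the authentication key and the encryption key in their own extensions (SADB_EXT_KEY_AUTH and SADB_EXT_KEY_ENCRYPT), emits them in either order, and parses the message back while rejecting a truncated message and an extension whose length overruns the message. Struct layouts and constants follow the published RFC 2367; the demo_* function names, the SPI, the sequence/pid values and the sample key bytes are constructed for this example only.

```c
/* Added example (not from the thread): PF_KEYv2 / RFC 2367 SADB_ADD with
 * separate key extensions. Layout and constants per RFC 2367; sample keys,
 * SPI and demo_* helpers are constructed here and are not real keying material. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PF_KEY_V2            2
#define SADB_ADD             3
#define SADB_SATYPE_ESP      3
#define SADB_SASTATE_MATURE  1
#define SADB_EXT_SA          1
#define SADB_EXT_KEY_AUTH    8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_AALG_MD5HMAC    2
#define SADB_EALG_DESCBC     2

/* All sadb_*_len fields count 64-bit units; every extension is padded to 8 bytes. */
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa  { uint16_t sadb_sa_len, sadb_sa_exttype; uint32_t sadb_sa_spi;
                  uint8_t sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
                  uint32_t sadb_sa_flags; };
struct sadb_key { uint16_t sadb_key_len, sadb_key_exttype, sadb_key_bits, sadb_key_reserved; };

/* Append one key extension at buf; returns the padded byte count written. */
static size_t put_key(uint8_t *buf, uint16_t exttype, const uint8_t *key, size_t keylen) {
    size_t total = (sizeof(struct sadb_key) + keylen + 7) & ~(size_t)7;
    struct sadb_key k = { (uint16_t)(total / 8), exttype, (uint16_t)(keylen * 8), 0 };
    memset(buf, 0, total);                 /* zero the pad bytes too */
    memcpy(buf, &k, sizeof k);
    memcpy(buf + sizeof k, key, keylen);
    return total;
}

/* Build SADB_ADD for one ESP SA. auth_first chooses which key extension comes
 * first; a conforming parser must not care. Returns total bytes, 0 if cap is too small. */
size_t build_sadb_add(uint8_t *buf, size_t cap, uint32_t spi, const uint8_t *akey, size_t alen,
                      const uint8_t *ekey, size_t elen, int auth_first) {
    size_t need = sizeof(struct sadb_msg) + sizeof(struct sadb_sa)
                + ((sizeof(struct sadb_key) + alen + 7) & ~(size_t)7)
                + ((sizeof(struct sadb_key) + elen + 7) & ~(size_t)7);
    if (cap < need) return 0;
    struct sadb_sa sa = { sizeof sa / 8, SADB_EXT_SA, spi, 32, SADB_SASTATE_MATURE,
                          SADB_AALG_MD5HMAC, SADB_EALG_DESCBC, 0 };
    size_t off = sizeof(struct sadb_msg);
    memcpy(buf + off, &sa, sizeof sa); off += sizeof sa;
    if (auth_first) {
        off += put_key(buf + off, SADB_EXT_KEY_AUTH, akey, alen);
        off += put_key(buf + off, SADB_EXT_KEY_ENCRYPT, ekey, elen);
    } else {
        off += put_key(buf + off, SADB_EXT_KEY_ENCRYPT, ekey, elen);
        off += put_key(buf + off, SADB_EXT_KEY_AUTH, akey, alen);
    }
    struct sadb_msg m = { PF_KEY_V2, SADB_ADD, 0, SADB_SATYPE_ESP, (uint16_t)(off / 8), 0, 1, 4242 };
    memcpy(buf, &m, sizeof m);             /* header last: it carries the final length */
    return off;
}

/* Walk the extensions and return the bit length of the key carried in the
 * extension of type exttype, or -1 if absent or the message is malformed. */
int find_key_bits(const uint8_t *buf, size_t len, uint16_t exttype) {
    struct sadb_msg m;
    if (len < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2 || (size_t)m.sadb_msg_len * 8 != len) return -1;
    for (size_t off = sizeof m; off + sizeof(struct sadb_ext) <= len; ) {
        struct sadb_ext e;
        memcpy(&e, buf + off, sizeof e);
        size_t elen = (size_t)e.sadb_ext_len * 8;
        if (elen < sizeof e || off + elen > len) return -1;      /* extension overruns message */
        if (e.sadb_ext_type == exttype) {
            struct sadb_key k;
            if (elen < sizeof k) return -1;
            memcpy(&k, buf + off, sizeof k);
            if (sizeof k + ((size_t)k.sadb_key_bits + 7) / 8 > elen) return -1; /* bits overrun ext */
            return k.sadb_key_bits;
        }
        off += elen;
    }
    return -1;
}

/* Constructed sample keys (not real keying material): 128-bit HMAC-MD5, 64-bit DES-CBC. */
static const uint8_t SAMPLE_AKEY[16] = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f};
static const uint8_t SAMPLE_EKEY[8]  = {0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27};

static size_t demo_build(uint8_t *buf, size_t cap, int auth_first) {
    return build_sadb_add(buf, cap, 0x1000, SAMPLE_AKEY, sizeof SAMPLE_AKEY,
                          SAMPLE_EKEY, sizeof SAMPLE_EKEY, auth_first);
}
/* Key bits for exttype, with the extensions emitted in either order. */
int demo_key_bits(int auth_first, uint16_t exttype) {
    uint8_t buf[128]; size_t n = demo_build(buf, sizeof buf, auth_first);
    return n ? find_key_bits(buf, n, exttype) : -1;
}
/* Message size: 16 (msg) + 16 (sa) + 24 (auth key ext) + 16 (enc key ext) = 72 bytes. */
size_t demo_msg_len(int auth_first) { uint8_t buf[128]; return demo_build(buf, sizeof buf, auth_first); }
/* Delivering 8 bytes fewer than sadb_msg_len claims is rejected. */
int demo_truncated(void) {
    uint8_t buf[128]; size_t n = demo_build(buf, sizeof buf, 1);
    return find_key_bits(buf, n - 8, SADB_EXT_KEY_AUTH);
}
/* An SA extension claiming 1600 bytes inside a 72-byte message is rejected. */
int demo_overlong_ext(void) {
    uint8_t buf[128]; size_t n = demo_build(buf, sizeof buf, 1);
    struct sadb_ext bad = { 200, SADB_EXT_SA };
    memcpy(buf + sizeof(struct sadb_msg), &bad, sizeof bad);
    return find_key_bits(buf, n, SADB_EXT_KEY_AUTH);
}

int main(void) {
    printf("auth-first: auth=%d enc=%d bytes=%zu\n", demo_key_bits(1, SADB_EXT_KEY_AUTH),
           demo_key_bits(1, SADB_EXT_KEY_ENCRYPT), demo_msg_len(1));
    printf("enc-first:  auth=%d enc=%d bytes=%zu\n", demo_key_bits(0, SADB_EXT_KEY_AUTH),
           demo_key_bits(0, SADB_EXT_KEY_ENCRYPT), demo_msg_len(0));
    printf("truncated=%d overlong=%d\n", demo_truncated(), demo_overlong_ext());
    return 0;
}
```

Because each key rides in its own typed extension, the receiver looks keys up by type rather than by position, so the order in which a key manager derived or appended them never reaches the SA itself; the two malformed cases show the length checks a parser needs before trusting any sadb_*_len field.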