
Re: Which comes first?



First off...

What PF_KEYv2 does is orthogonal w.r.t. the original question.  I like
Karen's text, and where I think she puts it is where it will do the most
good.  I'll trust her judgement on this.

Now on to something else...

> Well since PF_KEYv2 is not an IPSec draft 

Because it's not just for IPsec.

> and the authors of PF_KEYv2 chose to define their own monolithic,
> one-dimensional number space instead of using IPSec-approved DOI values
> (and including a DOI-type field in the sadb_sa struct to multiplex things
> like IPSec and RIPv2 in exactly the same manner that ISAKMP can)

Not every protocol will have a DOI, and not every KM scheme will have the same
concept of DOI.

> and since they chose to impose unnecessary restrictions on the behavior of
> ISAKMP/Oakley I'd like to know why PF_KEYv2 implementations (still haven't
> seen one yet) should have _any_ impact on IPSec documents.

The first bit notwithstanding, PF_KEYv2 imps. should not have any impact on
IPsec documents.  If they do, there's a bug somewhere.  They are orthogonal
problems, which is why we, the authors, chose to keep it out of the ipsec
group.

<Sigh.>

My bottom line is that PF_KEYv2 takes its keys separately.  The order in
which you derive said keys (which WAS the original question) is irrelevant.
And the snipped text Dan brings up is a question of WHERE that derivation takes
place, not HOW.

Dan McD.
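As an added illustration of the "takes its keys separately" point above (example code written for this page, not code from the PF_KEYv2 authors or any implementation), the following C builds an SADB_ADD message for an ESP SA in which the authentication key and the encryption key travel as two independent sadb_key extensions, in either order, and a consumer that pulls each key out by extension type. Struct layouts, extension type numbers and algorithm identifiers follow RFC 2367, the published form of the draft under discussion, and are defined locally so the file compiles without <net/pfkeyv2.h>; the key bytes, SPI, sequence number and PID are constructed sample values. The consumer bounds-checks every extension header, so a truncated or mis-sized message is rejected rather than read past.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout and constants as given in RFC 2367 (PF_KEYv2). Every *_len
 * field counts 64-bit units, as the RFC specifies. */
#define PF_KEY_V2            2
#define SADB_ADD             3
#define SADB_SATYPE_ESP      3
#define SADB_EXT_SA          1
#define SADB_EXT_KEY_AUTH    8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_SASTATE_MATURE  1
#define SADB_AALG_MD5HMAC    2
#define SADB_EALG_DESCBC     2
#define MSG_MAX              256   /* buffer size for this example (assumption) */

struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa  { uint16_t sadb_sa_len, sadb_sa_exttype; uint32_t sadb_sa_spi;
                  uint8_t sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
                  uint32_t sadb_sa_flags; };
struct sadb_key { uint16_t sadb_key_len, sadb_key_exttype, sadb_key_bits, sadb_key_reserved; };

/* Constructed sample key material, not real keys. */
static const uint8_t SAMPLE_AKEY[16] = { 0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
                                         0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf };
static const uint8_t SAMPLE_EKEY[8]  = { 0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7 };

/* Append one sadb_key extension (header + key bytes padded to 8) at off.
 * Returns the new offset, or 0 if it would not fit in MSG_MAX. */
static size_t put_key(uint8_t *buf, size_t off, uint16_t exttype,
                      const uint8_t *key, size_t keylen) {
    size_t padded = (keylen + 7) & ~(size_t)7;
    struct sadb_key k;
    if (off + sizeof k + padded > MSG_MAX) return 0;
    memset(&k, 0, sizeof k);
    k.sadb_key_exttype = exttype;
    k.sadb_key_bits    = (uint16_t)(keylen * 8);
    k.sadb_key_len     = (uint16_t)((sizeof k + padded) / 8);
    memcpy(buf + off, &k, sizeof k);
    memset(buf + off + sizeof k, 0, padded);
    memcpy(buf + off + sizeof k, key, keylen);
    return off + sizeof k + padded;
}

/* Build an SADB_ADD for an ESP SA carrying an auth key and an encryption key
 * as two separate extensions; auth_first selects their order on the wire.
 * Returns the message length in bytes, or 0 on overflow. (A real caller would
 * put the SPI in network byte order; the sample value is symmetric enough.) */
size_t build_sadb_add(uint8_t *buf, uint32_t spi, const uint8_t *akey, size_t alen,
                      const uint8_t *ekey, size_t elen, int auth_first) {
    struct sadb_msg m; struct sadb_sa sa; size_t off = sizeof m;
    memset(buf, 0, MSG_MAX);
    memset(&sa, 0, sizeof sa);
    sa.sadb_sa_len = sizeof sa / 8; sa.sadb_sa_exttype = SADB_EXT_SA;
    sa.sadb_sa_spi = spi;           sa.sadb_sa_state   = SADB_SASTATE_MATURE;
    sa.sadb_sa_auth = SADB_AALG_MD5HMAC; sa.sadb_sa_encrypt = SADB_EALG_DESCBC;
    memcpy(buf + off, &sa, sizeof sa); off += sizeof sa;
    if (auth_first) {
        off = put_key(buf, off, SADB_EXT_KEY_AUTH, akey, alen);
        if (off) off = put_key(buf, off, SADB_EXT_KEY_ENCRYPT, ekey, elen);
    } else {
        off = put_key(buf, off, SADB_EXT_KEY_ENCRYPT, ekey, elen);
        if (off) off = put_key(buf, off, SADB_EXT_KEY_AUTH, akey, alen);
    }
    if (!off) return 0;
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;  m.sadb_msg_type = SADB_ADD;
    m.sadb_msg_satype  = SADB_SATYPE_ESP; m.sadb_msg_len = (uint16_t)(off / 8);
    m.sadb_msg_seq = 1; m.sadb_msg_pid = 4242;   /* sample values */
    memcpy(buf, &m, sizeof m);
    return off;
}

/* Walk the extensions and copy the key of the requested type into out.
 * Returns the key length in bits, or -1 if absent, malformed, or too large. */
int get_key(const uint8_t *buf, size_t len, uint16_t type, uint8_t *out, size_t outcap) {
    size_t off = sizeof(struct sadb_msg);
    while (off + sizeof(struct sadb_ext) <= len) {
        struct sadb_ext e; memcpy(&e, buf + off, sizeof e);
        size_t elen = (size_t)e.sadb_ext_len * 8;
        if (elen < sizeof e || off + elen > len) return -1;   /* bad length: stop */
        if (e.sadb_ext_type == type) {
            struct sadb_key k; size_t bytes;
            if (elen < sizeof k) return -1;
            memcpy(&k, buf + off, sizeof k);
            bytes = (k.sadb_key_bits + 7u) / 8;
            if (bytes > elen - sizeof k || bytes > outcap) return -1;
            memcpy(out, buf + off + sizeof k, bytes);
            return k.sadb_key_bits;
        }
        off += elen;
    }
    return -1;
}

/* Build the message both ways and confirm the consumer recovers identical
 * auth and encryption keys whichever one was supplied first. */
int keys_order_independent(void) {
    uint8_t a[MSG_MAX], b[MSG_MAX], ka[64], kb[64];
    size_t la = build_sadb_add(a, 0x1000, SAMPLE_AKEY, 16, SAMPLE_EKEY, 8, 1);
    size_t lb = build_sadb_add(b, 0x1000, SAMPLE_AKEY, 16, SAMPLE_EKEY, 8, 0);
    if (get_key(a, la, SADB_EXT_KEY_AUTH, ka, sizeof ka) != 128 ||
        get_key(b, lb, SADB_EXT_KEY_AUTH, kb, sizeof kb) != 128 || memcmp(ka, kb, 16)) return 0;
    if (get_key(a, la, SADB_EXT_KEY_ENCRYPT, ka, sizeof ka) != 64 ||
        get_key(b, lb, SADB_EXT_KEY_ENCRYPT, kb, sizeof kb) != 64 || memcmp(ka, kb, 8)) return 0;
    return 1;
}

/* Length in bytes of the sample message for a given key order. */
size_t demo_message_len(int auth_first) {
    uint8_t buf[MSG_MAX];
    return build_sadb_add(buf, 0x1000, SAMPLE_AKEY, 16, SAMPLE_EKEY, 8, auth_first);
}

/* A truncated message, an undersized output buffer and an unknown extension
 * type must all be refused rather than read past or overflowed. */
int demo_malformed_rejected(void) {
    uint8_t buf[MSG_MAX], out[64];
    size_t n = build_sadb_add(buf, 0x1000, SAMPLE_AKEY, 16, SAMPLE_EKEY, 8, 1);
    return get_key(buf, 40, SADB_EXT_KEY_ENCRYPT, out, sizeof out) == -1 &&
           get_key(buf, n, SADB_EXT_KEY_ENCRYPT, out, 4) == -1 &&
           get_key(buf, n, 7, out, sizeof out) == -1;
}

int main(void) {
    printf("message length: %zu bytes (%u 64-bit units)\n",
           demo_message_len(1), (unsigned)(demo_message_len(1) / 8));
    printf("keys order-independent: %s\n", keys_order_independent() ? "yes" : "no");
    printf("malformed input rejected: %s\n", demo_malformed_rejected() ? "yes" : "no");
    return keys_order_independent() && demo_malformed_rejected() ? 0 : 1;
}
```

The point the message makes is visible in the code: nothing in the SADB_ADD couples the two keys to each other, so a key manager can derive them in whatever order its own protocol dictates and hand them over one extension each. The bounds checks in get_key are the part a practitioner should not skip when reading messages off a PF_KEY socket.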