Re: proposed changes to ISAKMP/Oakley

--- On Mon, 20 Oct 1997 20:05:37 -0400  "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> wrote:

>   I'd prefer that the IPsec documents not preclude overspecify
> policy. Let the VPN documents do that for gateways. Let's not forget
> that IPsec is more than just VPN (or, will be, one hopes)

Michael,

  I agree that overspecification would be bad.  In the scenario being discussed, 
however, the two parties had already negotiated the policy.  Your suggestion 
is that one party should then be standards-conforming while not conforming 
to the policy it just agreed to with the remote end.  This does not
seem right.

  Policy drives what attributes are sent via ISAKMP/Oakley and what the
values of those attributes are.  Conforming implementations that don't
like the proposed policy are free to decline to complete the KM negotiation
or to terminate that KM exchange and start a new KM exchange with a policy 
that would be agreeable to that node.  However, once the policy has been
mutually negotiated via ISAKMP, both sides must be required to adhere to 
the negotiated policy.

  Note that none of my verbiage says anything about what policies any
particular box might consider acceptable.  IMHO, the matter of what
policy is acceptable is purely up to the local administrator and is
not the business of an IETF VPN WG or any other standards body.

All IMHO,

Ran
rja@home.net
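The exchange Ran describes above (policy drives the offered attributes; a responder that dislikes the offer declines rather than silently substituting its own preference; once an SA is agreed, both sides are held to it) can be modelled in a few dozen lines. The following is an added illustration, not code from this thread or from any IKE implementation: the attribute names, the `LocalPolicy` shape and the sample proposals are constructed, and readable strings stand in for the numeric ISAKMP attribute types and values.

```python
"""Toy model of ISAKMP/Oakley-style policy negotiation and post-negotiation
enforcement. Added example; attribute names and policy shape are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One transform = one concrete set of SA attributes the initiator offers.
Transform = Dict[str, object]


@dataclass
class LocalPolicy:
    """What this node's administrator considers acceptable (constructed shape)."""
    encryption: Set[str]        # acceptable cipher names
    integrity: Set[str]         # acceptable integrity/hash names
    min_key_bits: int           # refuse weaker keys
    max_lifetime_seconds: int   # refuse SAs that would live too long

    def accepts(self, t: Transform) -> bool:
        """Every attribute of the offered transform must satisfy local policy."""
        return (t.get("encryption") in self.encryption
                and t.get("integrity") in self.integrity
                and int(t.get("key_bits", 0)) >= self.min_key_bits
                and int(t.get("lifetime_seconds", 0)) <= self.max_lifetime_seconds)


def negotiate(offered: List[Transform], responder_policy: LocalPolicy) -> Optional[Transform]:
    """Responder side of one KM exchange: select the first offered transform the
    local policy accepts. None models declining the exchange (the responder
    does not invent a transform the initiator never offered)."""
    for t in offered:
        if responder_policy.accepts(t):
            return dict(t)  # copy: this becomes the agreed SA, not the offer object
    return None


def negotiate_with_retry(proposal_sets: List[List[Transform]],
                         responder_policy: LocalPolicy) -> Optional[Transform]:
    """Initiator side: if one KM exchange is declined, start a new one with the
    next proposal set rather than proceeding on an unagreed policy."""
    for offered in proposal_sets:
        sa = negotiate(offered, responder_policy)
        if sa is not None:
            return sa
    return None


def deviations_from_sa(sa: Transform, actual: Transform) -> List[str]:
    """Enforcement after agreement: name every attribute where what a node
    actually uses differs from the negotiated SA. An empty list means the node
    is adhering to the policy it agreed to; anything else is non-conforming."""
    return sorted(k for k in sa if actual.get(k) != sa[k])


# --- constructed sample data -------------------------------------------------
WEAK = {"encryption": "des", "integrity": "md5",
        "key_bits": 56, "lifetime_seconds": 86400}
STRONG = {"encryption": "3des", "integrity": "sha1",
          "key_bits": 168, "lifetime_seconds": 28800}

# Responder policy chosen locally by its administrator (constructed values).
RESPONDER = LocalPolicy(encryption={"3des"}, integrity={"sha1"},
                        min_key_bits=112, max_lifetime_seconds=28800)


def demo() -> Dict[str, object]:
    """Run one negotiation and one enforcement check; returns results for inspection."""
    agreed = negotiate([WEAK, STRONG], RESPONDER)
    # A node that quietly downgrades after agreeing is caught by enforcement.
    misbehaving = dict(agreed or {}, key_bits=112)
    return {"agreed": agreed,
            "deviations": deviations_from_sa(agreed or {}, misbehaving)}


if __name__ == "__main__":
    print(demo())
```

The split between `negotiate` (decide whether to agree) and `deviations_from_sa` (hold both ends to what was agreed) mirrors the distinction in the message: the first is local administrative choice that no standards body dictates, the second is the conformance requirement that applies once an SA exists.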