
RE: QM/PFS/MultipleProposals/MultipleGroups question



What you are recommending is already in IKE.  From section 5.5 of IKE,

   All offers made during a Quick Mode are logically related and must be
   consistent. For example, if a KE payload is sent, the attribute
   describing the Diffie-Hellman group (see section 6.1 and [Pip97])
   MUST be included in every transform of every proposal of every SA
   being negotiated. Similarly, if client identities are used, they MUST
   apply to every SA in the negotiation.

So you'd have only one KE payload, and the group for that payload would be
present in all the proposals of all the SA payloads.

Sumit A. Vakil
VPNet Technologies, Inc.
(408) 445-6600 x264

> -----Original Message-----
> From:	Bronislav Kavsan [SMTP:bkavsan@ire-ma.com]
> Sent:	Wednesday, September 23, 1998 1:44 PM
> To:	ipsec@tis.com
> Subject:	QM/PFS/MultipleProposals/MultipleGroups question
> 
> Scenario: Initiator uses PFS and wants to make multiple proposals in QM,
> where each proposal offers a different group. Therefore each proposal will
> contain a different public key for each group proposed (e.g. DH Group
> 1, 2, 3, ...)
> 
> Question: isn't it very wasteful to generate and send all these
> different public keys, while only one will be chosen by the responder?
> Wouldn't it be much simpler to restrict the Initiator to using only one group for
> all proposals it wants to make?
> 
> --
> Bronislav Kavsan
> IRE Secure Solutions, Inc.
> 100 Conifer Hill Drive  Suite 513
> Danvers, MA  01923
> voice: 978-739-2384
> http://www.ire.com
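The rule Sumit quotes from IKE section 5.5 is something a responder can check mechanically before accepting a Quick Mode offer. The checker below is an added example for this thread, not code from any IKE implementation; it models an offer as SA payloads, proposals and transforms carrying IPsec DOI attributes (Group Description is attribute type 3), and the sample offers, including the one-group-per-proposal shape Bronislav describes, are constructed.

```python
from typing import Dict, List

# IPsec DOI SA attribute "Group Description" (attribute type 3). Other
# transform attributes (lifetimes, encapsulation mode, ...) are ignored here.
GROUP_DESCRIPTION = 3

# Constructed model of a Quick Mode offer: a list of SA payloads, each a list
# of proposals, each a list of transforms, each a dict of attribute -> value.
Transform = Dict[int, int]
Proposal = List[Transform]
SAPayload = List[Proposal]


def check_quick_mode_offer(sa_payloads: List[SAPayload], ke_payload_count: int) -> List[str]:
    """Return the consistency violations in an offer (empty when acceptable)."""
    errors: List[str] = []
    if ke_payload_count > 1:
        errors.append(f"{ke_payload_count} KE payloads present; Quick Mode carries at most one")
    groups = set()
    for s, sa in enumerate(sa_payloads):
        for p, proposal in enumerate(sa):
            for t, transform in enumerate(proposal):
                where = f"SA {s} proposal {p} transform {t}"
                group = transform.get(GROUP_DESCRIPTION)
                if ke_payload_count >= 1 and group is None:
                    # Section 5.5: with a KE payload, every transform names the group.
                    errors.append(f"{where}: KE payload sent but no Group Description attribute")
                elif ke_payload_count == 0 and group is not None:
                    # A group with no public value to go with it is not a consistent offer.
                    errors.append(f"{where}: Group Description offered without a KE payload")
                if group is not None:
                    groups.add(group)
    if ke_payload_count >= 1 and len(groups) > 1:
        # One KE payload carries one public value, so only one group can be meant.
        errors.append(f"group attributes differ across the offer: {sorted(groups)}; "
                      "a single KE payload implies a single group")
    return errors


# Constructed sample offers (two SA payloads in the valid one, all naming group 2).
VALID_OFFER = [[[{GROUP_DESCRIPTION: 2}], [{GROUP_DESCRIPTION: 2}]], [[{GROUP_DESCRIPTION: 2}]]]
# The scenario from the question: one proposal per group, which section 5.5 rules out.
MIXED_GROUPS_OFFER = [[[{GROUP_DESCRIPTION: 1}], [{GROUP_DESCRIPTION: 2}], [{GROUP_DESCRIPTION: 5}]]]
# A transform that forgot the group attribute while a KE payload is present.
MISSING_GROUP_OFFER = [[[{GROUP_DESCRIPTION: 2}], [{}]]]

if __name__ == "__main__":
    for name, offer in [("valid", VALID_OFFER), ("mixed", MIXED_GROUPS_OFFER), ("missing", MISSING_GROUP_OFFER)]:
        print(name, check_quick_mode_offer(offer, ke_payload_count=1))
```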