
Multiple transforms offered in an aggressive exchange



RFC2408 (ISAKMP) explains the Aggressive Exchange in section 4.7.  One
of the points made is that "There can be only one Proposal and one
Transform offered (i.e. no choices) in order for the aggressive exchange
to work."  RFC2409 (IKE) takes this one step further and explains that
SA negotiation is limited with Aggressive Mode.  For example, the DH
group cannot be negotiated; additionally, some of the different
authentication methods may limit what can be negotiated.

Understanding these limitations, I believe that there are cases where it
would be possible and desirable to send multiple transforms in
aggressive mode.  For example, using pre-shared keys an offer could be
made that includes a single proposal with several transforms all having
the same DH group, but having different encryption and hash algorithms.
Is this true?  Is there any reason why this would not work properly?

Mike Williams
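The offer described in the post, as an added example that is not part of the original message or of any IKE implementation: one ISAKMP SA payload (RFC 2408 sections 3.4 to 3.6) carrying a single proposal with three transforms that share pre-shared-key authentication and the same Group Description but differ in encryption and hash algorithm. The decoder then applies the one constraint that Aggressive Mode actually imposes on such an offer: since the KE payload travels in the same message, every transform must name the same DH group. Attribute classes and values are those of RFC 2409 Appendix A; the function names, the `check_aggressive_offer` rule and the constructed offers are this example's own.

```python
"""Build and check an Aggressive Mode ISAKMP SA offer (added example, not from the post)."""
import struct

# Payload types (RFC 2408 section 3.1)
PAYLOAD_NONE, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM, PAYLOAD_KE = 0, 2, 3, 4
PROTO_ISAKMP = 1            # Protocol-ID carried in the proposal
KEY_IKE = 1                 # Transform-ID for an IKE SA (RFC 2409 Appendix A)
IPSEC_DOI, SIT_IDENTITY_ONLY = 1, 1

# IKE SA attribute classes and values (RFC 2409 Appendix A)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_DES, ENC_3DES = 1, 5
HASH_MD5, HASH_SHA = 1, 2
AUTH_PSK = 1
GROUP_MODP1024, GROUP_MODP1536 = 2, 5


def encode_attr(attr_type, value):
    # Basic (AF=1) data attribute: type with the top bit set, then a 2-byte value.
    return struct.pack("!HH", 0x8000 | attr_type, value)


def encode_transform(number, attrs, last):
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    nxt = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    # Generic header (next, reserved, length) + transform #, transform-ID, reserved2
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), number, KEY_IKE, 0) + body


def encode_sa_payload(transforms, next_payload=PAYLOAD_KE):
    """All transforms go into one proposal (#1, PROTO_ISAKMP, SPI size 0)."""
    tbytes = b"".join(encode_transform(i + 1, a, i == len(transforms) - 1)
                      for i, a in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(tbytes),
                           1, PROTO_ISAKMP, 0, len(transforms)) + tbytes
    return struct.pack("!BBHII", next_payload, 0, 12 + len(proposal),
                       IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal


def decode_attrs(data):
    attrs, off = [], 0
    while off < len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        if af_type & 0x8000:                       # basic attribute
            attrs.append((af_type & 0x7FFF, val))
            off += 4
        else:                                      # variable-length: val is a length
            attrs.append((af_type, data[off + 4:off + 4 + val]))
            off += 4 + val
    return attrs


def decode_sa_payload(data):
    """Return a list of proposals, each a list of transforms (attribute lists)."""
    _, _, sa_len, _, _ = struct.unpack_from("!BBHII", data, 0)
    off, proposals = 12, []
    while off < sa_len:
        _, _, plen, _, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, end, transforms = off + 8 + spi_size, off + plen, []
        while toff < end:
            _, _, tlen, _, _, _ = struct.unpack_from("!BBHBBH", data, toff)
            transforms.append(decode_attrs(data[toff + 8:toff + tlen]))
            toff += tlen
        if len(transforms) != ntrans:
            raise ValueError("transform count does not match proposal header")
        proposals.append(transforms)
        off = end
    return proposals


def check_aggressive_offer(data):
    """Hypothetical Aggressive Mode rule: one proposal, one DH group for all transforms."""
    proposals = decode_sa_payload(data)
    if len(proposals) != 1:
        return False, "aggressive mode allows exactly one proposal"
    groups = {dict(t).get(ATTR_GROUP) for t in proposals[0]}
    if len(groups) != 1 or None in groups:
        return False, "every transform must carry the same Group Description"
    return True, "%d transform(s), group %d" % (len(proposals[0]), groups.pop())


def example_offer():
    # Constructed offer from the post: PSK, MODP-1024 throughout, enc/hash vary.
    common = [(ATTR_AUTH, AUTH_PSK), (ATTR_GROUP, GROUP_MODP1024)]
    return encode_sa_payload([
        [(ATTR_ENC, ENC_3DES), (ATTR_HASH, HASH_SHA)] + common,
        [(ATTR_ENC, ENC_3DES), (ATTR_HASH, HASH_MD5)] + common,
        [(ATTR_ENC, ENC_DES), (ATTR_HASH, HASH_SHA)] + common,
    ])


def mixed_group_offer():
    # Constructed offer that breaks the rule: the single KE value fits only one group.
    return encode_sa_payload([
        [(ATTR_ENC, ENC_3DES), (ATTR_HASH, HASH_SHA), (ATTR_AUTH, AUTH_PSK), (ATTR_GROUP, GROUP_MODP1024)],
        [(ATTR_ENC, ENC_3DES), (ATTR_HASH, HASH_SHA), (ATTR_AUTH, AUTH_PSK), (ATTR_GROUP, GROUP_MODP1536)],
    ])


if __name__ == "__main__":
    print(check_aggressive_offer(example_offer()))
    print(check_aggressive_offer(mixed_group_offer()))
```

The SA payload's Next Payload defaults to KE because in the first aggressive message the SA is followed by the initiator's Diffie-Hellman value; the decoder ignores that field. Whether a given responder will actually walk more than one transform in Aggressive Mode is an implementation matter the post is asking about, so the check only captures the structural reason the group must be fixed.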