Re: Comments about draft-ietf-ipsec-ike-01.txt
> > 6. Modes for IKE Phases
> ...
> > 6.1 Phase 1
> ...
> > Use of the commit bit from [MSST98] during Phase 1 is forbidden.
> > Implementations SHOULD respond with a notify message whose type is
> > set to INVALID-FLAGS (8).
>
> We should probably add text here saying which identities are allowed
> in phase 1. I think the consensus is something like this:
>
> Phase 1 can only use identities that identify one host or security
> gateway. This includes ipv4/6 address, fqdn, user@fqdn,
> distinguished name, general name and key id. Subnets or ranges are
> not allowed in phase 1.
Along with that text, should we talk about how, if we do per-user keying, this
means a new phase 1 per user? Or would that be obvious from the above
suggested paragraph?
Dan McD.
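As an added illustration of the proposed Phase 1 identity rule (this is not code from the thread, the draft, or any IKE implementation), the check below parses an ISAKMP Identification payload and accepts it for Phase 1 only if its ID type names a single host or gateway. The ID type numbers and the payload layout are taken from the IPsec DOI and ISAKMP specifications rather than from this message, and the sample payloads are constructed, not captured traffic.

```python
import struct
import ipaddress

# Identification payload layout from the IPsec DOI (RFC 2407, section 4.6.2),
# carried in an ISAKMP generic payload header (RFC 2408, section 3.2):
#   Next Payload (1) | RESERVED (1) | Payload Length (2)
#   ID Type (1)      | Protocol ID (1) | Port (2) | Identification Data (variable)
# The numeric ID types below are the DOI's values, not something this thread states.
ID_IPV4_ADDR        = 1
ID_FQDN             = 2
ID_USER_FQDN        = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR        = 5
ID_IPV6_ADDR_SUBNET = 6
ID_IPV4_ADDR_RANGE  = 7
ID_IPV6_ADDR_RANGE  = 8
ID_DER_ASN1_DN      = 9
ID_DER_ASN1_GN      = 10
ID_KEY_ID           = 11

# Types the proposed Phase 1 text admits: each names exactly one host or
# security gateway.  Subnet and range types are excluded by type alone.
PHASE1_ALLOWED = {ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR,
                  ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID}

# Fixed lengths of the Identification Data field for the address-based types.
FIXED_DATA_LEN = {ID_IPV4_ADDR: 4, ID_IPV4_ADDR_SUBNET: 8, ID_IPV4_ADDR_RANGE: 8,
                  ID_IPV6_ADDR: 16, ID_IPV6_ADDR_SUBNET: 32, ID_IPV6_ADDR_RANGE: 32}

GENERIC_HDR = struct.Struct("!BBH")   # next payload, reserved, payload length
ID_HDR = struct.Struct("!BBH")        # id type, protocol id, port


def build_id_payload(id_type, data, proto=0, port=0, next_payload=0):
    """Encode one Identification payload (used here to construct test input)."""
    length = GENERIC_HDR.size + ID_HDR.size + len(data)
    return (GENERIC_HDR.pack(next_payload, 0, length)
            + ID_HDR.pack(id_type, proto, port) + data)


def parse_id_payload(buf):
    """Decode an Identification payload, rejecting malformed length fields."""
    if len(buf) < GENERIC_HDR.size + ID_HDR.size:
        raise ValueError("payload shorter than its fixed header")
    next_payload, reserved, length = GENERIC_HDR.unpack_from(buf, 0)
    if reserved != 0 or length != len(buf):
        raise ValueError("bad reserved byte or payload length")
    id_type, proto, port = ID_HDR.unpack_from(buf, GENERIC_HDR.size)
    data = buf[GENERIC_HDR.size + ID_HDR.size:]
    expected = FIXED_DATA_LEN.get(id_type)
    if expected is not None and len(data) != expected:
        raise ValueError("identification data length %d does not match type %d"
                         % (len(data), id_type))
    return {"type": id_type, "proto": proto, "port": port, "data": data}


def describe_identity(ident):
    """Human-readable form of the identity, for logging the decision."""
    t, d = ident["type"], ident["data"]
    if t in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return str(ipaddress.ip_address(d))
    if t in (ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET):
        half = len(d) // 2
        return "%s/%s" % (ipaddress.ip_address(d[:half]), ipaddress.ip_address(d[half:]))
    if t in (ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE):
        half = len(d) // 2
        return "%s-%s" % (ipaddress.ip_address(d[:half]), ipaddress.ip_address(d[half:]))
    if t in (ID_FQDN, ID_USER_FQDN):
        return d.decode("ascii", "replace")
    return "type %d, %d bytes" % (t, len(d))


def phase1_id_check(buf):
    """Return (accepted, reason) for an Identification payload offered in Phase 1.

    Acceptance is decided on the ID type alone: a subnet with a host mask or a
    range whose ends coincide still names a set, not a peer, so it is refused.
    """
    try:
        ident = parse_id_payload(buf)
    except ValueError as e:
        return False, "malformed: %s" % e
    if ident["type"] not in PHASE1_ALLOWED:
        return False, ("%s is a subnet, range or unknown type, not a single entity"
                       % describe_identity(ident))
    return True, describe_identity(ident)


if __name__ == "__main__":
    ip = lambda s: ipaddress.ip_address(s).packed
    samples = [  # constructed payloads, not captured traffic
        build_id_payload(ID_IPV4_ADDR, ip("192.0.2.1")),
        build_id_payload(ID_USER_FQDN, b"alice@gw.example.net"),
        build_id_payload(ID_IPV4_ADDR_SUBNET, ip("192.0.2.0") + ip("255.255.255.0")),
        build_id_payload(ID_IPV4_ADDR_SUBNET, ip("192.0.2.1") + ip("255.255.255.255")),
        build_id_payload(ID_IPV4_ADDR, b"\x01\x02\x03"),
    ]
    for s in samples:
        print(phase1_id_check(s))
```

The fourth sample is the edge case worth noting: a subnet type with a /32 mask does identify one host, but the proposed text excludes subnets and ranges by kind, so the check refuses it rather than inspecting the mask. Which notify type, if any, a responder should send for a refused Phase 1 identity is not settled by the quoted draft text, so the function only reports the decision.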