
Re: Comments about draft-ietf-ipsec-ike-01.txt
> > 6. Modes for IKE Phases
> ...
> > 6.1 Phase 1
> ...
> >    Use of the commit bit from [MSST98] during Phase 1 is forbidden.
> >    Implementations SHOULD respond with a notify message whose type is
> >    set to INVALID-FLAGS (8).
> 
> We should probably add text here saying which identities are allowed
> in phase 1. I think the consensus is something like this:
> 
>    Phase 1 can only use identities that identify one host or security
>    gateway. This includes ipv4/6 address, fqdn, user@fqdn,
>    distinguished name, general name and key id. Subnets or ranges are
>    not allowed in phase 1.

Along with that text, should we talk about how if we do per-user keying, this
means a new phase 1 per-user?  Or would that be obvious from the above
suggested paragraph?

Dan McD.
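The two rules quoted above (commit bit forbidden in Phase 1, answered with INVALID-FLAGS; only single-host identities in Phase 1) are mechanical enough that a responder can apply them before doing any crypto. The following Python is an added example for this thread, not code from draft-ietf-ipsec-ike-01 or from any poster. It assumes the ISAKMP header and payload layout, flag bits and notify numbers of RFC 2408, the ID type numbers of the IPsec DOI (RFC 2407), the exchange type numbers of RFC 2409, and that the payloads have already been decrypted; the sample messages are constructed, not captured. The draft text quoted above names no notify for a disallowed ID type, so INVALID-ID-INFORMATION (18) there is this example's choice.

```python
"""Responder-side Phase 1 checks: reject the commit bit and reject identities
that do not name a single host or security gateway (subnets, ranges).

Added example, not code from draft-ietf-ipsec-ike-01 or from the thread.
Assumptions: header/payload layout, flags and notify numbers from RFC 2408;
ID types from the IPsec DOI (RFC 2407); exchange types from RFC 2409;
messages are constructed here and are already decrypted.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # I-cookie, R-cookie, next, version, exch, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")          # next payload, reserved, payload length
ID_BODY_HDR = struct.Struct("!BBH")          # ID type, protocol ID, port

FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04
PAYLOAD_ID, PAYLOAD_HASH = 5, 8
EXCH_MAIN_MODE, EXCH_AGGRESSIVE, EXCH_QUICK_MODE = 2, 4, 32
NOTIFY_INVALID_FLAGS, NOTIFY_INVALID_ID_INFORMATION = 8, 18

ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE = 5, 6, 7, 8
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11

# Identity types the quoted text allows in Phase 1: each names one host or
# gateway.  The subnet and range types are deliberately absent.
PHASE1_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_USER_FQDN,
                   ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID}


def build_message(exch, flags, msgid, payloads, cookies=(b"\x11" * 8, b"\x00" * 8)):
    """Assemble an ISAKMP message from (payload_type, body) pairs (constructed test data)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(cookies[0], cookies[1], first, 0x10, exch, flags,
                          msgid, ISAKMP_HDR.size + len(body))
    return hdr + body


def id_payload_body(id_type, data):
    """Identification payload body; protocol ID and port are zero in Phase 1 (RFC 2409)."""
    return ID_BODY_HDR.pack(id_type, 0, 0) + data


def iter_payloads(msg):
    """Walk the payload chain, checking every length against the buffer."""
    _, _, ptype, _, _, _, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match buffer")
    off = ISAKMP_HDR.size
    while ptype != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + PAYLOAD_HDR.size:off + plen]
        off += plen
        ptype = nxt


def check_phase1_message(msg):
    """Return (accept, notify_type, reason) for one incoming message.

    Phase 1 is recognised by a zero Message ID (RFC 2408).  The commit bit maps
    to INVALID-FLAGS (8) as the draft text says; INVALID-ID-INFORMATION (18)
    for a disallowed ID type is this example's own choice.
    """
    _, _, _, _, _, flags, msgid, _ = ISAKMP_HDR.unpack_from(msg)
    if msgid != 0:
        return True, None, "not a phase 1 message; phase 1 rules do not apply"
    if flags & FLAG_COMMIT:
        return False, NOTIFY_INVALID_FLAGS, "commit bit set in phase 1"
    for ptype, body in iter_payloads(msg):
        if ptype != PAYLOAD_ID:
            continue
        if len(body) < ID_BODY_HDR.size:
            return False, NOTIFY_INVALID_ID_INFORMATION, "short identification payload"
        id_type, _, _ = ID_BODY_HDR.unpack_from(body)
        if id_type not in PHASE1_ID_TYPES:
            return False, NOTIFY_INVALID_ID_INFORMATION, f"ID type {id_type} does not name a single host"
    return True, None, "phase 1 message accepted"


# Constructed sample messages (not captures); the hash is a placeholder.
FAKE_HASH = bytes(16)
SUBNET_10_0_0_0_24 = bytes([10, 0, 0, 0, 255, 255, 255, 0])
SAMPLE_OK = build_message(EXCH_MAIN_MODE, 0, 0,
    [(PAYLOAD_ID, id_payload_body(ID_FQDN, b"gw.example.com")), (PAYLOAD_HASH, FAKE_HASH)])
SAMPLE_COMMIT = build_message(EXCH_AGGRESSIVE, FLAG_COMMIT, 0,
    [(PAYLOAD_ID, id_payload_body(ID_USER_FQDN, b"alice@example.com"))])
SAMPLE_SUBNET = build_message(EXCH_MAIN_MODE, 0, 0,
    [(PAYLOAD_ID, id_payload_body(ID_IPV4_ADDR_SUBNET, SUBNET_10_0_0_0_24))])
SAMPLE_PHASE2 = build_message(EXCH_QUICK_MODE, 0, 0x1234,
    [(PAYLOAD_ID, id_payload_body(ID_IPV4_ADDR_SUBNET, SUBNET_10_0_0_0_24))])

if __name__ == "__main__":
    for name, m in [("ok", SAMPLE_OK), ("commit", SAMPLE_COMMIT),
                    ("subnet", SAMPLE_SUBNET), ("phase2", SAMPLE_PHASE2)]:
        print(name, check_phase1_message(m))
```

The Quick Mode sample carries the same subnet identity that is rejected in Phase 1 and is accepted, which is the distinction the quoted paragraph draws: subnets and ranges belong to Phase 2 selectors, not to the Phase 1 peer identity. With user@fqdn as the Phase 1 identity, each user naming a different identity would, as Dan asks, end up with a Phase 1 of its own.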
