[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Processing multiple phase 2 SA payloads

To: "Heyman, Michael" <Michael_Heyman@nai.com>
Subject: Processing multiple phase 2 SA payloads
From: Tero Kivinen <kivinen@ssh.fi>
Date: Mon, 2 Aug 1999 02:15:01 +0300 (EET DST)
Cc: ipsec@lists.tislabs.com
In-Reply-To: <DBF2F9C6F6BAD211BB1B00A0C99D9702049765@MD-EXCHANGE2>
Organization: SSH Communications Security Oy
References: <DBF2F9C6F6BAD211BB1B00A0C99D9702049765@MD-EXCHANGE2>
Sender: owner-ipsec@lists.tislabs.com

Heyman, Michael writes:
> The document does not specify that the SA payloads returning to the
> initiator are in the same order as the SA payloads transmitted (they

RFC 2409 doesn't seem to state that, but I think that is only way to
get it working. I think we should add text to draft-ietf-ipsec-ike-xx
to say that. 

> If the responder must send the SA payload responses back in the same
> order that the SA payloads they were derived from were received, does
> that mean that the negotiation must proceed all or nothing? That is,

I would say yes. All or nothing. 

> A new attribute could be defined with the sole purpose of 
> distinguishing otherwise identical transforms (this attribute must 
> have a different value every time it is used).

I think it is easier to just clarify the draft, and add text saying
that the reply SA payloads must be in same order than the proposal SA
payloads. 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

Prev by Date: RE: XAUTH is broken
Next by Date: weakness in IKE/DOI specs
Prev by thread: RE: XAUTH is broken
Next by thread: weakness in IKE/DOI specs
Index(es):
- Main
- Thread