
inconsistencies in IKE specs



There are notational inconsistencies about the Phase 2 (Quick Mode)
identities in IKE.  These exist in both RFC 2409, and in
draft-ietf-ipsec-ike-01.txt.

In RFC 2409, they are initially defined as IDui and IDur.  But, when
used, they are cited as IDci and IDcr.

In the I-D versions, they are initially defined as ID_i2 and ID_r2.
But, when cited, they are still cited as IDci and IDcr.  (Perhaps the
victim of search & replace blindness to the prior error.)

Also, is there any restriction on the allowable Identification Type
for a Phase 2 identity?  Would ID_IPV4_ADDR_RANGE be allowable?  That
would be defining an SA for a range of IP addresses, all using the
same SPI.  What would it possibly mean to have a Phase 2
Identification Type of ID_FQDN?!

Personally, I think it would make a great deal of sense to say that
Phase 2 ID's may only be ID_IPV4_ADDR or ID_IPV6_ADDR.  I'd really
love to see more MUST NOT's in these specs.
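
The restriction proposed in the message above, written as a strict receiver-side check. This is an added example, not part of the original message and not taken from RFC 2409 or the I-D. It assumes the Identification payload layout and ID Type numbers of the IPsec DOI (RFC 2407); the function names and the allow-list are hypothetical and encode the poster's suggested policy, not a requirement of the specs.

```python
import ipaddress
import struct

# ID Type values from the IPsec DOI (RFC 2407).
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
}
# Assumption: the allow-list proposed in the message (single addresses only),
# mapped to the exact data length each permitted type must carry.
PHASE2_ALLOWED = {1: 4, 5: 16}

class IDPayloadError(ValueError):
    """Raised when a Phase 2 ID payload is malformed or of a refused type."""

def build_id(id_type, data, proto=0, port=0):
    """Build a constructed ID payload: generic header, type/proto/port, data."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, proto, port) + data

def parse_phase2_id(payload):
    """Return (type name, address, protocol, port) or raise IDPayloadError."""
    if len(payload) < 8:
        raise IDPayloadError("truncated ID payload")
    _next, _rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise IDPayloadError("payload length field does not match buffer")
    name = ID_TYPES.get(id_type, "unknown(%d)" % id_type)
    if id_type not in PHASE2_ALLOWED:
        raise IDPayloadError(name + " refused as a Phase 2 identity")
    data = payload[8:]
    if len(data) != PHASE2_ALLOWED[id_type]:
        raise IDPayloadError(name + " carries %d bytes of data" % len(data))
    return name, str(ipaddress.ip_address(data)), proto, port

def accepts(payload):
    """True if the payload passes the strict Phase 2 policy."""
    try:
        parse_phase2_id(payload)
        return True
    except IDPayloadError:
        return False

if __name__ == "__main__":
    samples = [  # constructed payloads: single address, address range, FQDN
        build_id(1, bytes([192, 0, 2, 10]), proto=6, port=443),
        build_id(7, bytes([192, 0, 2, 1, 192, 0, 2, 254])),
        build_id(2, b"gw.example.test")]
    for s in samples:
        print(s.hex(), accepts(s))
```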

