[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: inconsistencies in IKE specs
On Tue, 24 Aug 1999 14:17:13 EDT you wrote
> There are notational inconsistencies about the Phase 2 (Quick Mode)
> identities in IKE. These exist in both RFC 2409, and in
> draft-ietf-ipsec-ike-01.txt.
>
> In RFC 2409, they are initially defined as IDui and IDur. But, when
> used, they are cited as IDci and IDcr.
Good eye.
> In the I-D versions, they are initially defined as ID_i2 and ID_r2.
> But, when cited, they are still cited as IDci and IDcr. (Perhaps the
> victim of search & replace blindness to the prior error.)
Yup, the hash descriptions are wrong there (the textual description of
Quick Mode though uses IDi2 and IDr2). Thanks for pointing that out.
It'll get fixed in the next rev.
> Also, is there any restriction on the allowable Identification Type
> for a Phase 2 identity? Would ID_IPV4_ADDR_RANGE be allowable? That
> would be defining an SA for a range of IP addresses, all using the
> same SPI. What would it possibly mean to have a Phase 2
> Identification Type of ID_FQDN?!
This has come up quite a bit on the list, most recently last week.
> Personally, I think it would make a great deal of sense to say that
> Phase 2 ID's may only be ID_IPV4_ADDR or ID_IPV6_ADDR. I'd really
> love to see more MUST NOT's in these specs.
Limiting these to only a single IP addr would mean that IKE would be
unable to express selectors with wildcarded addresses. Since those
are required for all implementation (i.e. you MUST support them per
RFC2401) I don't think it would make too much sense to remove support
for them from RFC2409 (or the draft that will hopefully depricate RFC2409).
Dan.
Follow-Ups:
References: