From Dan's mail:
Misc. Negotiation Stuff
* If the initiator wants PFS and you don't have it configured what should
you do? Similarly, if the initiator offers group 2 (5) and you have group
1 (2) configured what should you do? Similarly, variable lengthed keys
for ciphers which have variable lengthed keys.
General acceptance for doing what is offered provided it is not expressly
prohibited by policy.
Sorry I wasn't able to comment in person at the bakeoff. We found that this suggestion is difficult to support in the field. For instance, take the PFS example. Initiator configured with QM PFS, responder not configured with QM PFS. When the responder gets the QM, since doing PFS is more secure, its no big deal for the responder to allow the PFS connection. However, the support hit comes if the responder initiates a rekey. Now, the responder will not propose PFS, and the initiator will expect it, so the initiator MUST fail the negotiation. This is much more difficult to troubleshoot in the field than if it failed every time. So I'd recommend either outright failure of the negotiation in the first case to signal to the admins that something is amiss, or have the responder remember that it needs to do PFS with the peer.
bs