
Commit Bit and SPI?



On Tue, Feb 01, 2000 at 03:01:39PM -0600, Will Fiveash wrote:
> Dan, can we change the draft-ietf-ipsec-ike-01.txt so that we get a
> standardized way of interpreting the reflection or non-reflection of the
> CB?  I think this will give implementors reasonable flexibility in that if
> they do not want to implement CB they just have to make sure they don't
> reflect the CB.  If they do support CB then they have to check for
> reflection which is easy.

And while I am on the subject of connect-notify, can someone tell me
whether I need to check the SPI in the connect-notify against the SPI in my
P2 SA?  I ask this because I saw almost every permutation of SPI in the
connect-notify payload from various vendors.  And I noticed that few
vendors checked the SPI I sent in the connect-notify.

If I am supposed to check the SPI, can someone make it painfully clear as
to which SPI is supposed to be sent in the connect-notify?  Given the
confusion in the last bakeoff it seems to me that this issue should be
addressed in one of the documents.

As an aside, I am somewhat disappointed that I haven't seen any responses
from the document owners stating whether they agree with the recent e-mails
regarding commit bit processing and SPIs.  Does anyone else find it ironic
that Bruce Schneier's paper which criticizes the IPSec workgroup method of
standards development is receiving lots of discussion on this list while
the discussion on commit bit which is trying to clarify the protocol
documentation is receiving little attention?

-- 
Will Fiveash
IBM AIX System Development

