
RE: Reliable delete notifies



I like the idea of replacing Aggressive Mode with Base Mode.  Preshared keys
will remain useful until IPSRA completes its work.  I would like to see
Manual key IPsec changed from MUST to MAY.

I would like to see Quick Mode as always 4 messages.  Solves the commit bit
problem (I would like to see the commit bit go away but realize some people
can't seem to live without it for some reason).  In the four message QM, the
initiator's key exchange payload could go in the third message allowing for
DH group negotiation in phase 2.

-dave
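The four-message Quick Mode proposed above, modelled as an added example (this is not code from the thread, from any IKE implementation, or from the working group). It contrasts standard three-message Quick Mode with PFS, where the initiator's KE sits in message 1 and so the DH group must be fixed before the responder has spoken, with a four-message variant in which the initiator's KE is deferred to message 3, after the responder has picked a group from the offered proposals. The message layout is an assumption filling in the outline given above (responder's KE in message 2, responder confirmation in message 4); the DH groups are constructed toy values, not the IKE MODP groups.

```python
import secrets

# Constructed toy DH groups (prime, generator), keyed by an arbitrary group
# number. They stand in for the real IKE MODP groups and are far too small
# for any actual use.
GROUPS = {1: (23, 5), 2: (47, 5), 5: (7919, 7)}


def dh_keypair(group):
    """Fresh private exponent and public value for the given group."""
    p, g = GROUPS[group]
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared(group, priv, peer_pub):
    p, _ = GROUPS[group]
    return pow(peer_pub, priv, p)


class Responder:
    """Responder that accepts a fixed, preference-ordered set of PFS groups."""

    def __init__(self, acceptable):
        self.acceptable = list(acceptable)

    def choose(self, offered):
        for g in self.acceptable:
            if g in offered:
                return g
        return None


def quick_mode_3msg(initiator_group, responder):
    """Standard Quick Mode with PFS (RFC 2409 section 5.5):
       1: HDR*, HASH(1), SA, Ni, KE   2: HDR*, HASH(2), SA, Nr, KE   3: HDR*, HASH(3)
    KE travels in message 1, so the initiator must pick the group before
    it knows what the responder will accept."""
    trace = []
    xi, kei = dh_keypair(initiator_group)        # committed to one group already
    trace.append("I->R SA(group=%d) Ni KEi" % initiator_group)
    chosen = responder.choose([initiator_group])
    if chosen is None:
        trace.append("R->I NO-PROPOSAL-CHOSEN")  # a mismatch costs a full retry
        return {"ok": False, "group": None, "trace": trace}
    xr, ker = dh_keypair(chosen)
    trace.append("R->I SA Nr KEr")
    trace.append("I->R HASH(3)")
    # After sending HASH(3) the initiator starts using the SA with no
    # confirmation that the responder has processed message 3; this is the
    # gap the commit bit (a fourth, CONNECTED message) was added to close.
    return {
        "ok": True,
        "group": chosen,
        "keys_match": dh_shared(chosen, xi, ker) == dh_shared(chosen, xr, kei),
        "confirmed_before_use": False,
        "trace": trace,
    }


def quick_mode_4msg(offered_groups, responder):
    """Four-message Quick Mode as proposed above. Assumed layout (the thread
    gives only the outline): message 1 offers proposals for several groups
    and carries no KE; message 2 returns the selected proposal and the
    responder's KE; message 3 carries the initiator's KE, generated only now
    in the chosen group; message 4 is the responder's confirmation, which
    plays the role the commit bit's CONNECTED notify plays today."""
    trace = []
    trace.append("I->R SA(groups=%s) Ni" % offered_groups)  # no KE yet
    chosen = responder.choose(offered_groups)
    if chosen is None:
        trace.append("R->I NO-PROPOSAL-CHOSEN")
        return {"ok": False, "group": None, "trace": trace}
    xr, ker = dh_keypair(chosen)
    trace.append("R->I SA(group=%d) Nr KEr" % chosen)
    xi, kei = dh_keypair(chosen)   # initiator's KE in the group the responder picked
    trace.append("I->R HASH(3) KEi")
    trace.append("R->I HASH(4)")   # responder has derived keys and installed the SA
    return {
        "ok": True,
        "group": chosen,
        "keys_match": dh_shared(chosen, xi, ker) == dh_shared(chosen, xr, kei),
        "confirmed_before_use": True,
        "trace": trace,
    }


if __name__ == "__main__":
    r = Responder(acceptable=[5, 2])
    for res in (quick_mode_3msg(1, r), quick_mode_3msg(2, r), quick_mode_4msg([1, 2, 5], r)):
        print(res["ok"], res["group"], res.get("keys_match"), res.get("confirmed_before_use"))
        for line in res["trace"]:
            print("   ", line)
```

Run it and compare the three traces: with one group per exchange the three-message form either succeeds or fails outright, while the four-message form lets the responder pick group 5 from the offered list before the initiator generates its exponent, and the initiator only uses the SA after the responder's fourth message.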

-----Original Message-----
From: Tero Kivinen [mailto:kivinen@ssh.fi]
Sent: Monday, October 09, 2000 8:58 AM
To: Dan Harkins
Cc: Ben McCann; ipsec
Subject: Re: Reliable delete notifies 


Dan Harkins writes:
>   I'm doing this work for the Working Group and I can't just
> unilaterally declare that Aggressive Mode is out. I was 
> noting that it's out of my drafty-draft. If the Working Group
> wants Aggressive Mode in the protocol then it is in. So let's
> start a discussion. Does the Working Group want to keep
> Aggressive Mode? Is Aggressive Mode "standards bloat" or
> is it a necessary addition to do what Ben wants to do?

When I talked to implementors in the ipsec interop meeting most of
them said that aggressive mode should be REPLACED with base mode.
Aggressive mode has lots of problems. Base mode fixes most of them,
and at the same time allows dynamic ip-addresses for all kinds of
authentication methods.

I would say we get rid of aggressive mode and add base mode instead.
If we are going to keep aggressive mode, then I will say we must not
add base mode, as I think even 2 different modes is a little too much, 3
modes is definitely too much.
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/