[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE attributes consistency.


>It was explicitly decided that not including non relevant attributes MUST
>cause rejection of an IPComp proposal.  One of the reasons for the
>was that _no_ implementation was expecting the non relevant attributes
>in an IPComp proposal. Keeping the liberal spirit alive, receivers should
>quietly ignore irrelevant attributes. The decision was posted to the
>ippcp and ipsec lists and later reflected in the rfc2393bis I-D.

Why not change the quick mode consistency requirements to the

    1. the sender SHOULD include a d-h group attribute in every
    2. each occurrence of the d-h group attribute MUST have the
       same value.
    3. the receiver MUST accept the sa payload if there are no
       conflicts in the occurrences of the d-h group attribute,
       regardless of the number of occurrences of the attribute.
       Thus it is acceptable to:
           a) have no d-h group attributes => meaning: no d-h
           b) have one or more d-h group attributes in any
              transforms => use d-h group; the same d-h group
              applies to all proposals.  The receiver MUST check
              that all occurrences have the same value.
    4. if there are conflicting d-h group attributes in the proposals
       (different values) => proposal must be rejected; the receiver
       MUST check for this condition.

This is the most liberal reception guideline I can think of wrt
ike qm d-h group.

Sami Vaarala         /  Pygmy Projects - We make it small!
www.iki.fi/~silvere /
silvere@iki.fi     /  No matter where you go, there you are.

Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.