[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE attributes consistency.
>It was explicitly decided that not including non relevant attributes MUST
>cause rejection of an IPComp proposal. One of the reasons for the
>was that _no_ implementation was expecting the non relevant attributes
>in an IPComp proposal. Keeping the liberal spirit alive, receivers should
>quietly ignore irrelevant attributes. The decision was posted to the
>ippcp and ipsec lists and later reflected in the rfc2393bis I-D.
Why not change the quick mode consistency requirements to the
1. the sender SHOULD include a d-h group attribute in every
2. each occurrence of the d-h group attribute MUST have the
3. the receiver MUST accept the sa payload if there are no
conflicts in the occurrences of the d-h group attribute,
regardless of the number of occurrences of the attribute.
Thus it is acceptable to:
a) have no d-h group attributes => meaning: no d-h
b) have one or more d-h group attributes in any
transforms => use d-h group; the same d-h group
applies to all proposals. The receiver MUST check
that all occurrences have the same value.
4. if there are conflicting d-h group attributes in the proposals
(different values) => proposal must be rejected; the receiver
MUST check for this condition.
This is the most liberal reception guideline I can think of wrt
ike qm d-h group.
Sami Vaarala / Pygmy Projects - We make it small!
firstname.lastname@example.org / No matter where you go, there you are.
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.