
Re: IKE attributes consistency.



>Sami,
>
>What if the sender elects NOT to include
>the d-h group attribute in one of the transforms?

If there is at least one d-h group attribute in the whole sa
payload (in any transform), then you interpret it to mean that
you ARE using d-h in any case, and that there MUST be a KE
payload in the message.

>avram
>
>On Mon, 18 Dec 2000, Sami Vaarala wrote:
>
> > Hi,
> >
> > >It was explicitly decided that not including non relevant attributes MUST
> > >NOT cause rejection of an IPComp proposal.  One of the reasons for the
> > >decision was that _no_ implementation was expecting the non relevant
> > >attributes in an IPComp proposal. Keeping the liberal spirit alive,
> > >receivers should quietly ignore irrelevant attributes. The decision was
> > >posted to the ippcp and ipsec lists and later reflected in the rfc2393bis I-D.
> > [...]
> >
> > Why not change the quick mode consistency requirements to the
> > following:
> >
> >     1. the sender SHOULD include a d-h group attribute in every
> >        transform.
> >     2. each occurrence of the d-h group attribute MUST have the
> >        same value.
> >     3. the receiver MUST accept the sa payload if there are no
> >        conflicts in the occurrences of the d-h group attribute,
> >        regardless of the number of occurrences of the attribute.
> >        Thus it is acceptable to:
> >            a) have no d-h group attributes => meaning: no d-h
> >            b) have one or more d-h group attributes in any
> >               transforms => use d-h group; the same d-h group
> >               applies to all proposals.  The receiver MUST check
> >               that all occurrences have the same value.
> >     4. if there are conflicting d-h group attributes in the proposals
> >        (different values) => proposal must be rejected; the receiver
> >        MUST check for this condition.
> >
> > This is the most liberal reception guideline I can think of wrt
> > ike qm d-h group.
> >
> > Sami
> > --
> > Sami Vaarala         /  Pygmy Projects - We make it small!
> > www.iki.fi/~silvere /
> > silvere@iki.fi     /  No matter where you go, there you are.
> >
>

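The reception rule discussed in this thread, written out as an added example; it is not part of either poster's message and not taken from any IKE implementation. It assumes the ISAKMP data-attribute encoding (basic TV when the AF bit is set, TLV otherwise) and IPsec DOI attribute class 3 for the d-h group; the function names and the sample transform bytes are constructed for illustration.

```python
import struct

GROUP_DESCRIPTION = 3  # IPsec DOI SA attribute class carrying the d-h group


def parse_attributes(data):
    """Yield (type, value) pairs from a transform's ISAKMP data attributes."""
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:            # AF bit set: basic TV, field is the value
            yield atype & 0x7FFF, field
        else:                         # AF bit clear: TLV, field is the length
            if off + field > len(data):
                raise ValueError("truncated attribute value")
            yield atype, int.from_bytes(data[off:off + field], "big")
            off += field


def qm_dh_group(transforms):
    """Return the single d-h group named anywhere in the SA payload, or None.

    transforms: attribute bytes of every transform in every proposal.
    Raises ValueError when occurrences disagree (rule 4 in the quoted list).
    """
    groups = {value for attrs in transforms
              for atype, value in parse_attributes(attrs)
              if atype == GROUP_DESCRIPTION}
    if len(groups) > 1:
        raise ValueError("conflicting d-h groups: %s" % sorted(groups))
    return groups.pop() if groups else None


def check_quick_mode(transforms, has_ke):
    """Apply the reply's rule: any d-h group attribute means KE is mandatory."""
    group = qm_dh_group(transforms)
    if group is not None and not has_ke:
        raise ValueError("d-h group %d offered but no KE payload" % group)
    return group


# Constructed sample transforms (hypothetical values, basic TV encoding).
T_WITH_GROUP = bytes.fromhex("80010001" "80030002")   # life type, group 2
T_NO_GROUP = bytes.fromhex("80010001" "80050002")     # life type, auth alg
T_OTHER_GROUP = bytes.fromhex("80030005")             # group 5
```
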


