[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKE attributes consistency.
Sami,
What if the sender elects NOT to include
the d-h group attribute in one of the transforms?
avram
On Mon, 18 Dec 2000, Sami Vaarala wrote:
> Hi,
>
> >It was explicitly decided that not including non relevant attributes MUST
> >NOT
> >cause rejection of an IPComp proposal. One of the reasons for the
> >decision
> >was that _no_ implementation was expecting the non relevant attributes
> >in an IPComp proposal. Keeping the liberal spirit alive, receivers should
> >quietly ignore irrelevant attributes. The decision was posted to the
> >ippcp and ipsec lists and later reflected in the rfc2393bis I-D.
> [...]
>
> Why not change the quick mode consistency requirements to the
> following:
>
> 1. the sender SHOULD include a d-h group attribute in every
> transform.
> 2. each occurrence of the d-h group attribute MUST have the
> same value.
> 3. the receiver MUST accept the sa payload if there are no
> conflicts in the occurrences of the d-h group attribute,
> regardless of the number of occurrences of the attribute.
> Thus it is acceptable to:
> a) have no d-h group attributes => meaning: no d-h
> b) have one or more d-h group attributes in any
> transforms => use d-h group; the same d-h group
> applies to all proposals. The receiver MUST check
> that all occurrences have the same value.
> 4. if there are conflicting d-h group attributes in the proposals
> (different values) => proposal must be rejected; the receiver
> MUST check for this condition.
>
> This is the most liberal reception guideline I can think of wrt
> ike qm d-h group.
>
> Sami
> --
> Sami Vaarala / Pygmy Projects - We make it small!
> www.iki.fi/~silvere /
> silvere@iki.fi / No matter where you go, there you are.
>
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
References: