
Re: IKE attributes consistency.


What if the sender elects NOT to include
the d-h group attribute in one of the transforms?


On Mon, 18 Dec 2000, Sami Vaarala wrote:

> Hi,
> >It was explicitly decided that not including non relevant attributes MUST
> >NOT cause rejection of an IPComp proposal.  One of the reasons for the
> >decision was that _no_ implementation was expecting the non relevant
> >attributes in an IPComp proposal. Keeping the liberal spirit alive,
> >receivers should quietly ignore irrelevant attributes. The decision was
> >posted to the ippcp and ipsec lists and later reflected in the rfc2393bis I-D.
> [...]
> Why not change the quick mode consistency requirements to the
> following:
>     1. the sender SHOULD include a d-h group attribute in every
>        transform.
>     2. each occurrence of the d-h group attribute MUST have the
>        same value.
>     3. the receiver MUST accept the sa payload if there are no
>        conflicts in the occurrences of the d-h group attribute,
>        regardless of the number of occurrences of the attribute.
>        Thus it is acceptable to:
>            a) have no d-h group attributes => meaning: no d-h
>            b) have one or more d-h group attributes in any
>               transforms => use d-h group; the same d-h group
>               applies to all proposals.  The receiver MUST check
>               that all occurrences have the same value.
>     4. if there are conflicting d-h group attributes in the proposals
>        (different values) => proposal must be rejected; the receiver
>        MUST check for this condition.
> This is the most liberal reception guideline I can think of wrt
> ike qm d-h group.
> Sami
> --
> Sami Vaarala         /  Pygmy Projects - We make it small!
> www.iki.fi/~silvere /
> silvere@iki.fi     /  No matter where you go, there you are.
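
The receiver-side rules 3 and 4 proposed in the quoted message, as an added example that is not part of the original thread or of any IKE implementation. It assumes the SA payload has already been split into one attribute byte string per transform (a simplification), and uses the ISAKMP TV/TLV attribute encoding with the IPsec DOI Group Description attribute (type 3); the function names and sample bytes are constructed for illustration.

```python
import struct

GROUP_DESCRIPTION = 3  # IPsec DOI (RFC 2407) phase 2 attribute type


def parse_attributes(data: bytes):
    """Yield (type, value_bytes) for each ISAKMP data attribute in `data`."""
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        af_type, lv = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:   # AF=1: TV form, the second field is the value
            yield af_type & 0x7FFF, struct.pack("!H", lv)
        else:                  # AF=0: TLV form, the second field is a length
            if off + lv > len(data):
                raise ValueError("attribute value overruns payload")
            yield af_type, data[off:off + lv]
            off += lv


def check_qm_group(transforms):
    """Return ("accept", group or None) or ("reject", None) per rules 3 and 4."""
    seen = set()
    for attrs in transforms:
        for a_type, value in parse_attributes(attrs):
            if a_type == GROUP_DESCRIPTION:
                seen.add(int.from_bytes(value, "big"))
    if len(seen) > 1:          # rule 4: conflicting values, reject
        return ("reject", None)
    return ("accept", seen.pop() if seen else None)  # rule 3a / 3b


def tv(a_type, value):
    """Encode a basic (TV) attribute; helper for the constructed samples."""
    return struct.pack("!HH", 0x8000 | a_type, value)


# Constructed samples: life type = seconds (TV), life duration = 28800 (TLV).
LIFE = tv(1, 1) + struct.pack("!HHI", 2, 4, 28800)
NO_GROUP = [LIFE, LIFE]                          # rule 3a: no d-h
ONE_OMITTED = [LIFE + tv(3, 2), LIFE]            # attribute missing from one transform
CONFLICT = [LIFE + tv(3, 2), LIFE + tv(3, 5)]    # rule 4: different values
```

Under these rules the `ONE_OMITTED` case, which is the situation raised in the reply at the top of this message, is accepted with the single group value that does appear.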