Re: IKE attributes consistency.
If one of the transforms, say IPComp, may elect
not to include the d-h group attribute, how does your
suggestion differ from the discussed statement of
rfc2393bis?
avram
On Tue, 19 Dec 2000, Sami Vaarala wrote:
> >Sami,
> >
> >What if the sender elects NOT to include
> >the d-h group attribute in one of the transforms?
>
> If there is at least one d-h group attribute in the whole sa
> payload (in any transform), then you interpret it to mean that
> you ARE using d-h in any case, and that there MUST be a KE
> payload in the message.
>
> >avram
> >
> >On Mon, 18 Dec 2000, Sami Vaarala wrote:
> >
> > > Hi,
> > >
> > > >It was explicitly decided that not including non relevant attributes
> > > >MUST NOT cause rejection of an IPComp proposal. One of the reasons for
> > > >the decision was that _no_ implementation was expecting the non relevant
> > > >attributes in an IPComp proposal. Keeping the liberal spirit alive,
> > > >receivers should quietly ignore irrelevant attributes. The decision was
> > > >posted to the ippcp and ipsec lists and later reflected in the
> > > >rfc2393bis I-D.
> > > [...]
> > >
> > > Why not change the quick mode consistency requirements to the
> > > following:
> > >
> > > 1. the sender SHOULD include a d-h group attribute in every
> > > transform.
> > > 2. each occurrence of the d-h group attribute MUST have the
> > > same value.
> > > 3. the receiver MUST accept the sa payload if there are no
> > > conflicts in the occurrences of the d-h group attribute,
> > > regardless of the number of occurrences of the attribute.
> > > Thus it is acceptable to:
> > > a) have no d-h group attributes => meaning: no d-h
> > > b) have one or more d-h group attributes in any
> > > transforms => use d-h group; the same d-h group
> > > applies to all proposals. The receiver MUST check
> > > that all occurrences have the same value.
> > > 4. if there are conflicting d-h group attributes in the proposals
> > > (different values) => proposal must be rejected; the receiver
> > > MUST check for this condition.
> > >
> > > This is the most liberal reception guideline I can think of wrt
> > > ike qm d-h group.
> > >
> > > Sami
> > > --
> > > Sami Vaarala / Pygmy Projects - We make it small!
> > > www.iki.fi/~silvere /
> > > silvere@iki.fi / No matter where you go, there you are.
> > >
> > >
> > >
> >
>
>
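The four reception rules proposed in the quoted message, combined with the KE-payload interpretation from the follow-up reply, as an added sketch that is not part of the original thread or of any IKE implementation. The SA payload is modelled as nested Python lists and dicts rather than parsed from the wire; that model, the key name `group_description` and the function names are assumptions made for this example.

```python
class ProposalRejected(Exception):
    """Raised when the receiver must reject the Quick Mode SA payload."""

GROUP_KEY = "group_description"  # hypothetical key name in this model

def negotiated_dh_group(sa_payload):
    """Return the single d-h group named anywhere in the SA payload, or None.

    sa_payload: list of proposals, each {"protocol": str, "transforms": [dict]}.
    A transform that omits the attribute (e.g. IPComp) is simply skipped.
    """
    seen = set()
    for proposal in sa_payload:
        for transform in proposal["transforms"]:
            if GROUP_KEY in transform:
                seen.add(transform[GROUP_KEY])
    if len(seen) > 1:
        # Rule 4: conflicting values anywhere in the payload => reject.
        raise ProposalRejected(f"conflicting d-h groups: {sorted(seen)}")
    # Rule 3a: no occurrences means no d-h; rule 3b: one value covers all proposals.
    return seen.pop() if seen else None

def check_quick_mode(sa_payload, has_ke_payload):
    """Apply the consistency check, then the KE-payload requirement."""
    group = negotiated_dh_group(sa_payload)
    if group is not None and not has_ke_payload:
        # Follow-up reply: any d-h group attribute implies a KE payload MUST be present.
        raise ProposalRejected("d-h group offered but no KE payload in message")
    # A KE payload without any group attribute is not covered by the thread; not judged here.
    return group

# Constructed sample payloads (not captured traffic).
SAMPLE_MIXED = [  # ESP carries the group, IPComp omits it
    {"protocol": "ESP", "transforms": [{"id": "3DES", GROUP_KEY: 2}]},
    {"protocol": "IPCOMP", "transforms": [{"id": "DEFLATE"}]},
]
SAMPLE_NONE = [{"protocol": "ESP", "transforms": [{"id": "3DES"}]}]
SAMPLE_CONFLICT = [
    {"protocol": "ESP", "transforms": [{"id": "3DES", GROUP_KEY: 2}]},
    {"protocol": "AH", "transforms": [{"id": "SHA", GROUP_KEY: 5}]},
]

if __name__ == "__main__":
    print(check_quick_mode(SAMPLE_MIXED, has_ke_payload=True))
    print(check_quick_mode(SAMPLE_NONE, has_ke_payload=False))
```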