
RE: Agenda for the Minneapolis meeting



Most of the more mature IKE implementations probably already do this.  The
advantage of the 4-message phase 2 is that the group can be negotiated. If
PFS is removed as someone suggested (I think it was Andrew's suggestion to
just do another phase 1 as the means to provide PFS), then a 4-message phase
2 doesn't provide any benefit.  But I wouldn't object to having it for
those people who don't want to do the buffering. The main thing is to get
rid of the commit bit.
-dave

-----Original Message-----
From: Bill Sommerfeld [mailto:sommerfeld@East.Sun.COM]
Sent: Thursday, March 15, 2001 2:51 PM
To: andrew.krywaniuk@alcatel.com
Cc: 'Scott Fanning'; Mike_Borella@3com.com; 'Dan Harkins';
ipsec@lists.tislabs.com
Subject: Re: Agenda for the Minneapolis meeting 


> - Dave Mason's 4 message QM instead of the commit bit fiasco.

IMHO, both the commit bit and 4-message QM are unnecessary.

Before you can set up SAs, each end has to reserve an SPI and then
communicate it to the peer.  We create a "larval" SA at this time as a
placeholder, since the SA tables are where we check for uniqueness of
SPI values.

You can buffer a limited number of received packets in the larval
SA, and then process them once the keying material is available.  This
is exactly like buffering packets while you wait for an ARP reply:
not strictly necessary for interoperability, but extremely useful in
avoiding awkward pauses.
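The larval-SA mechanism Bill describes above, as an added toy model that is not code from the thread or from any IPsec implementation: the SA table enforces SPI uniqueness, a reserved SPI goes in as a larval placeholder, inbound packets for that SPI are held in a bounded queue (oldest evicted first, like an ARP hold queue), and installing the keys drains the queue through normal processing. The packet format (payload followed by a 12-byte truncated HMAC-SHA256 ICV), the queue depth, and the keying material are all assumptions made for the example.

```python
"""Toy larval-SA model with bounded buffering of early packets.

Assumptions (not from the thread): packet = payload || 12-byte truncated
HMAC-SHA256 ICV; hold queue depth of 4; constructed keys and payloads.
"""
import hashlib
import hmac
from collections import deque

ICV_LEN = 12              # truncated tag length (assumption; 96-bit like AH/ESP ICVs)
LARVAL_BUFFER_DEPTH = 4   # bounded hold queue (assumption)


class SA:
    def __init__(self, spi):
        self.spi = spi
        self.key = None                   # None means the SA is still larval
        self.pending = deque()            # packets held while larval
        self.dropped_while_larval = 0     # evictions from the bounded queue

    @property
    def larval(self):
        return self.key is None


class SADB:
    """SA table. The dict key is the SPI, which is what enforces uniqueness,
    so the larval placeholder is inserted as soon as the SPI is reserved."""

    def __init__(self):
        self.sas = {}

    def reserve_spi(self, spi):
        if spi in self.sas:
            raise ValueError("SPI 0x%08x already allocated" % spi)
        self.sas[spi] = SA(spi)
        return self.sas[spi]

    def install_keys(self, spi, key):
        """Keying material has arrived: mature the SA and drain the hold queue."""
        sa = self.sas[spi]
        sa.key = key
        delivered = []
        while sa.pending:
            payload = self._process(sa, sa.pending.popleft())
            if payload is not None:
                delivered.append(payload)
        return delivered

    def inbound(self, spi, packet):
        """Receive path: returns the verified payload, or None if the packet
        was buffered (larval SA) or dropped (unknown SPI / bad ICV)."""
        sa = self.sas.get(spi)
        if sa is None:
            return None                   # no SA for this SPI: drop
        if sa.larval:
            if len(sa.pending) >= LARVAL_BUFFER_DEPTH:
                sa.pending.popleft()      # bounded queue: evict the oldest
                sa.dropped_while_larval += 1
            sa.pending.append(packet)
            return None
        return self._process(sa, packet)

    @staticmethod
    def _process(sa, packet):
        if len(packet) < ICV_LEN:
            return None
        payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(sa.key, payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None                   # bad ICV: drop, never deliver
        return payload


def build_packet(key, payload):
    """Sender side of the toy format: payload || truncated HMAC-SHA256."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]


def demo():
    """Constructed scenario: the peer starts sending before our keys are in."""
    sadb = SADB()
    spi = 0x1000
    sadb.reserve_spi(spi)
    key = b"\x11" * 32                    # constructed keying material
    early = [build_packet(key, b"pkt%d" % i) for i in range(6)]
    for p in early:
        assert sadb.inbound(spi, p) is None   # every early packet is held or evicted
    delivered = sadb.install_keys(spi, key)   # queue drained once keys are installed
    late = sadb.inbound(spi, build_packet(key, b"late"))
    forged = sadb.inbound(spi, b"forged" + b"\x00" * ICV_LEN)
    return delivered, sadb.sas[spi].dropped_while_larval, late, forged
```

Six packets arrive on a queue of depth four, so the two oldest are evicted and the four newest are delivered when the keys land; a packet that arrives after maturity is processed immediately, and one with a bad ICV is dropped regardless of state. The bound is the point: without it, a peer that has learned your SPI but not finished keying could fill memory with packets you cannot yet authenticate.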