
Re: IKEv2 stuff.. Re: More MODP Diffie-Hellman groups for IKE



Michael Richardson wrote:
> 
> >>>>> "Ari" == Ari Huttunen <Ari.Huttunen@F-Secure.com> writes:
>     Ari> 40000 + number of bits in the group.
> 
>     Ari> It would be nice to have officially assigned numbers, though.
>     Ari> Especially since you cannot negotiate this by having a VID, since
>     Ari> they are used in the first message.
> 
>     Ari> The same restriction applies to the.. dare I say it?.. here goes..
>     Ari> X-Auth authentication type. There's no way to negotiate its usage
>     Ari> by using a VID. Our new software version sends this automatically,
>     Ari> and a couple of vendors whose software refused any connection when
>     Ari> they received an attribute they didn't understand, agreed to change
>     Ari> their software so that it skips a transform it doesn't fully understand
>     Ari> and tries to match the next transform.
> 
>     Ari> The current RFCs do not state what to do when something like this
>     Ari> happens.. i.e. an unknown attribute is received in a transform payload.
> 
>   I thought that you are supposed to ignore proposals that you do not
> understand. Where "understand" means either that you match:
>             assigned #,
>             (VID, private#)

That's the sensible thing to do. Can you please point out where it
reads in the RFCs? It's at least not in "5.6 Transform Payload Processing" 
of ISAKMP RFC.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise
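Added example (not code from this thread, nor from any of the implementations mentioned in it): a small Python model of the transform-payload processing under discussion. It parses ISAKMP Data Attributes and Transform payloads as laid out in RFC 2408, then selects a transform using Michael's definition of "understand": an attribute is understood when its class is known and its value is either an assigned number or a private-use number that a Vendor ID from the same peer has given a meaning. The `skip_unknown` flag switches between the behaviour Ari argues for (skip that transform, try the next one) and the behaviour some vendors shipped (refuse the whole SA). The private-use value 65001, the Vendor ID string, the policy table and the sample proposal are constructed for the example, and the function and constant names are the example's own.

```python
import struct

# IKE Phase 1 attribute classes (RFC 2409 Appendix A) this example models.
ATTR_ENCRYPTION, ATTR_HASH, ATTR_AUTH_METHOD, ATTR_GROUP_DESC = 1, 2, 3, 4
KEY_IKE = 1                # Transform-Id for ISAKMP/Oakley phase 1 transforms
PRIVATE_VALUE_MIN = 65001  # RFC 2409: attribute values 65001-65535 are private use

# Constructed placeholder for a vendor-defined authentication method in the
# private-use range; not an assigned number, just a value a peer could send
# that only a matching Vendor ID lets us interpret.
VENDOR_AUTH = 65001
VENDOR_VID = b"example-private-auth-v1"  # hypothetical Vendor ID payload body
VID_MEANINGS = {VENDOR_VID: {(ATTR_AUTH_METHOD, VENDOR_AUTH)}}

# Local policy (constructed): accepted values per attribute class. A class
# missing here is one we do not understand at all.
LOCAL_POLICY = {
    ATTR_ENCRYPTION: {5},                   # 3DES-CBC
    ATTR_HASH: {2},                         # SHA
    ATTR_AUTH_METHOD: {1, 3, VENDOR_AUTH},  # PSK, RSA sig, vendor method (needs VID)
    ATTR_GROUP_DESC: {2},                   # 1024-bit MODP
}

def build_transform(num, attrs, next_payload=0):
    """Encode a Transform payload (RFC 2408 3.6) with TV-form (AF=1) attributes."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), num, KEY_IKE, 0) + body

def parse_attributes(data):
    """Parse Data Attributes (RFC 2408 3.3): AF=1 is type/value, AF=0 type/length/value."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        word, rest = struct.unpack_from("!HH", data, off)
        off += 4
        if word & 0x8000:                 # AF=1: 'rest' is the 16-bit value itself
            value = struct.pack("!H", rest)
        else:                             # AF=0: 'rest' is a length, value follows
            if off + rest > len(data):
                raise ValueError("truncated attribute value")
            value, off = data[off:off + rest], off + rest
        attrs.append((word & 0x7FFF, value))
    return attrs

def parse_transforms(data):
    """Walk a chain of Transform payloads, bounds-checking each Payload Length."""
    transforms, off = [], 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError("truncated transform header")
        _, _, length, num, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad transform payload length")
        transforms.append((num, tid, parse_attributes(data[off + 8:off + length])))
        off += length
    return transforms

def classify(atype, value, policy, known_private):
    """Return 'unknown' if we cannot interpret the attribute, else True/False per policy."""
    if atype not in policy or len(value) != 2:
        return "unknown"
    v = struct.unpack("!H", value)[0]
    if v >= PRIVATE_VALUE_MIN and (atype, v) not in known_private:
        return "unknown"                  # private number, no Vendor ID gave it meaning
    return v in policy[atype]

def select_transform(transforms, policy, known_private=frozenset(), skip_unknown=True):
    """Return the Transform # of the first transform we fully understand and accept."""
    for num, tid, attrs in transforms:
        if tid != KEY_IKE:
            continue
        verdicts = [classify(t, v, policy, known_private) for t, v in attrs]
        if "unknown" in verdicts:
            if skip_unknown:              # sensible: ignore this transform, try the next
                continue
            raise ValueError(f"transform {num}: unknown attribute, refusing SA")  # brittle
        if all(verdicts) and set(policy) <= {t for t, _ in attrs}:
            return num
    return None

def negotiate(payload, peer_vids=(), skip_unknown=True):
    """Turn the peer's Vendor IDs into private-value meanings, then pick a transform."""
    known = frozenset().union(*(VID_MEANINGS.get(v, set()) for v in peer_vids))
    return select_transform(parse_transforms(payload), LOCAL_POLICY, known, skip_unknown)

# Constructed sample: transform 1 uses the vendor auth method, transform 2 plain PSK.
SAMPLE_PROPOSAL = (
    build_transform(1, [(ATTR_ENCRYPTION, 5), (ATTR_HASH, 2),
                        (ATTR_AUTH_METHOD, VENDOR_AUTH), (ATTR_GROUP_DESC, 2)],
                    next_payload=3)   # Next Payload 3 = another Transform follows
    + build_transform(2, [(ATTR_ENCRYPTION, 5), (ATTR_HASH, 2),
                          (ATTR_AUTH_METHOD, 1), (ATTR_GROUP_DESC, 2)])
)

if __name__ == "__main__":
    print(negotiate(SAMPLE_PROPOSAL), negotiate(SAMPLE_PROPOSAL, peer_vids=[VENDOR_VID]))
```

With no Vendor ID the first transform is skipped and transform 2 is chosen; with the Vendor ID the private value becomes understood and transform 1 is chosen; with `skip_unknown=False` the same proposal is refused outright, which is the interoperability failure described above. The length checks in the two parsers matter as much as the matching rule: a transform whose Payload Length runs past the packet, or a TLV attribute whose length does, is rejected with an exception rather than read out of bounds.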