Re: IKEv2 stuff.. Re: More MODP Diffie-Hellman groups for IKE
Michael Richardson wrote:
>
> >>>>> "Ari" == Ari Huttunen <Ari.Huttunen@F-Secure.com> writes:
> Ari> 40000 + number of bits in the group.
>
> Ari> It would be nice to have officially assigned numbers, though.
> Ari> Especially since you cannot negotiate this by having a VID, since
> Ari> they are used in the first message.
>
> Ari> The same restriction applies to the.. dare I say it?.. here goes..
> Ari> X-Auth authentication type. There's no way to negotiate its usage
> Ari> by using a VID. Our new software version sends this automatically,
> Ari> and a couple of vendors whose software refused any connection when
> Ari> they received an attribute they didn't understand, agreed to change
> Ari> their software so that it skips a transform it doesn't fully understand
> Ari> and tries to match the next transform.
>
> Ari> The current RFCs do not state what to do when something like this
> Ari> happens.. i.e. an unknown attribute is received in a transform payload.
>
> I thought that you are supposed to ignore proposals that you do not
> understand. Where "understand" means either that you match:
> assigned #,
> (VID, private#)
That's the sensible thing to do. Can you please point out where it
reads in the RFCs? It's at least not in "5.6 Transform Payload Processing"
of the ISAKMP RFC.
Ari
--
Ari Huttunen phone: +358 9 2520 0700
Software Architect fax : +358 9 2520 5001
F-Secure Corporation http://www.F-Secure.com
F(ully)-Secure products: Securing the Mobile Enterprise
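The responder behaviour discussed above (skip a transform carrying an attribute you don't understand and try the next one, rather than refusing the connection), as an added example that is not part of the original thread or any vendor's code: a parser for ISAKMP data attributes (RFC 2408 section 3.3) and a transform selector written in Python. The SUPPORTED table, the private-use values in the first transform and the whole sample proposal are constructed for illustration.

```python
import struct

# ISAKMP data attribute: 16-bit type whose high bit (AF) selects the encoding.
# AF=1: type + 2-byte value (TV).  AF=0: type + 2-byte length + value (TLV).
AF_BIT = 0x8000

def parse_attributes(data: bytes) -> list[tuple[int, int]]:
    """Parse the data attributes of one transform into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data): raise ValueError("truncated attribute header")
        raw, second = struct.unpack_from("!HH", data, off)
        off += 4
        if raw & AF_BIT:                       # TV: second field is the value
            attrs.append((raw & 0x7FFF, second))
        else:                                  # TLV: second field is the length
            if off + second > len(data): raise ValueError("truncated attribute value")
            attrs.append((raw, int.from_bytes(data[off:off + second], "big")))
            off += second
    return attrs

# Attribute types this (assumed) implementation understands, with the values it
# accepts: 1 encryption, 2 hash, 3 authentication method, 4 DH group, 14 key length.
SUPPORTED = {1: {5, 7}, 2: {1, 2}, 3: {1, 3}, 4: {2, 5, 14}, 14: {128, 256}}

def select_transform(transforms):
    """Responder choice: a transform with an unknown attribute type or value is
    skipped and matching continues with the next transform; the proposal is
    rejected only if no transform matches."""
    for number, data in transforms:
        try:
            attrs = parse_attributes(data)
        except ValueError:          # malformed transform: skip it, not the whole SA
            continue
        if all(t in SUPPORTED and v in SUPPORTED[t] for t, v in attrs):
            return number
    return None

def tv(t: int, v: int) -> bytes:
    """Encode one TV-form attribute (constructed helper)."""
    return struct.pack("!HH", t | AF_BIT, v)

# Constructed proposal: transform 1 carries a private-use authentication method
# and a private DH group numbered "40000 + bits" as in the thread; transform 2
# uses only standard values, so a lenient responder should land on it.
PROPOSAL = [
    (1, tv(1, 5) + tv(2, 2) + tv(3, 65001) + tv(4, 41024)),
    (2, tv(1, 5) + tv(2, 2) + tv(3, 1) + tv(4, 2)),
]
```

A responder that rejects the whole exchange on the first unknown attribute would fail here even though transform 2 is perfectly acceptable.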