Re: IKEv2 stuff.. Re: More MODP Diffie-Hellman groups for IKE
>>>>> "Ari" == Ari Huttunen <Ari.Huttunen@F-Secure.com> writes:
Ari> 40000 + number of bits in the group.
Ari> It would be nice to have officially assigned numbers, though.
Ari> Especially since you cannot negotiate this by having a VID, since
Ari> they are used in the first message.
Ari> The same restriction applies to the.. dare I say it?.. here goes..
Ari> X-Auth authentication type. There's no way to negotiate its usage
Ari> by using a VID. Our new software version sends this automatically,
Ari> and a couple of vendors whose software refused any connection when
Ari> they received an attribute they didn't understand, agreed to change
Ari> their software so that it skips a transform it doesn't fully understand
Ari> and tries to match the next transform.
Ari> The current RFCs do not state what to do when something like this
Ari> happens.. i.e. an unknown attribute is received in a transform payload.
I thought that you are supposed to ignore proposals that you do not
understand. Where "understand" means either that you match:
assigned #,
(VID, private#)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
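As an added illustration of the behaviour discussed above (this is example code written for this archive page, not code from the thread or from any vendor's product): a small parser for IKEv1 Phase 1 transform payloads that, instead of refusing the whole connection, skips any transform containing an attribute type it does not know or an attribute value outside local policy, and goes on to match the next transform. Payload and attribute layouts follow RFC 2408; the attribute types and standard values follow RFC 2409 Appendix A. The sample SA body is constructed: transform 1 carries the XAUTH draft's private-range authentication method 65001, transform 2 carries a "40000 + bits" group number of the kind Ari describes, transform 3 carries an attribute type (100) that is not assigned at all, and transform 4 is a plain AES/SHA/PSK/group-14 proposal that the local policy accepts.

```python
import struct

# IKE Phase 1 attribute types from RFC 2409 Appendix A. Anything else is "unknown".
KNOWN_ATTR_TYPES = {1: "enc", 2: "hash", 3: "auth", 4: "group",
                    11: "life_type", 12: "life_dur", 14: "key_len"}

# Constructed local policy: which values we are willing to accept per attribute.
# enc 5 = 3DES-CBC, 7 = AES-CBC; hash 1 = MD5, 2 = SHA-1;
# auth 1 = pre-shared key, 3 = RSA signatures; group 2/5/14 = MODP 1024/1536/2048.
SUPPORTED = {"enc": {5, 7}, "hash": {1, 2}, "auth": {1, 3}, "group": {2, 5, 14}}


class TransformError(ValueError):
    """Raised on a malformed (truncated or mis-lengthed) payload."""


def parse_attributes(data):
    """Parse ISAKMP data attributes (RFC 2408 section 3.3).

    Each attribute starts with a 16-bit AF|type word. AF=1 means a 2-byte value
    follows (TV form); AF=0 means a 2-byte length followed by that many value
    bytes (TLV form). Returns a list of (type, int_value_or_bytes).
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise TransformError("truncated attribute header")
        af_type, v = struct.unpack_from("!HH", data, off)
        off += 4
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                 # TV: v is the value itself
            attrs.append((atype, v))
        else:                                # TLV: v is the value length
            if off + v > len(data):
                raise TransformError("truncated attribute value")
            attrs.append((atype, bytes(data[off:off + v])))
            off += v
    return attrs


def parse_transforms(payload):
    """Walk a chain of Transform payloads (RFC 2408 section 3.6).

    Header: next payload(1), reserved(1), length(2), transform #(1),
    transform ID(1), reserved(2); the SA attributes fill the rest.
    Returns a list of (transform_number, transform_id, attributes).
    """
    transforms, off = [], 0
    while off < len(payload):
        if off + 8 > len(payload):
            raise TransformError("truncated transform header")
        nxt, _r1, length, tnum, tid, _r2 = struct.unpack_from("!BBHBBH", payload, off)
        if length < 8 or off + length > len(payload):
            raise TransformError("bad transform length")
        transforms.append((tnum, tid, parse_attributes(payload[off + 8:off + length])))
        off += length
        if nxt == 0:                         # NONE: end of the transform chain
            break
    return transforms


def transform_acceptable(attrs):
    """Return (ok, reason). Unknown types or out-of-policy values reject the transform."""
    seen = {}
    for atype, val in attrs:
        name = KNOWN_ATTR_TYPES.get(atype)
        if name is None:
            return False, "unknown attribute type %d" % atype
        if name in SUPPORTED and (isinstance(val, bytes) or val not in SUPPORTED[name]):
            return False, "unsupported %s value %r" % (name, val)
        seen[name] = val
    for required in ("enc", "hash", "auth", "group"):
        if required not in seen:
            return False, "missing %s attribute" % required
    return True, "ok"


def select_transform(payload):
    """Skip transforms we do not fully understand; return the first acceptable transform #."""
    for tnum, _tid, attrs in parse_transforms(payload):
        ok, _reason = transform_acceptable(attrs)
        if ok:
            return tnum
    return None                              # nothing matched: reject the proposal


# --- constructed sample SA body (helpers build wire-format bytes) -------------
def tv(atype, value):
    return struct.pack("!HH", 0x8000 | atype, value)


def transform(tnum, attrs, last):
    body = b"".join(attrs)                   # next payload 3 = Transform, 0 = NONE
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), tnum, 1, 0) + body


SAMPLE = (
    transform(1, [tv(1, 7), tv(2, 2), tv(3, 65001), tv(4, 14)], False)  # XAUTH auth method
    + transform(2, [tv(1, 7), tv(2, 2), tv(3, 1), tv(4, 41024)], False)  # "40000 + bits" group
    + transform(3, [tv(1, 7), tv(2, 2), tv(3, 1), tv(4, 14), tv(100, 1)], False)  # unassigned type
    + transform(4, [tv(1, 7), tv(2, 2), tv(3, 1), tv(4, 14), tv(14, 128)], True)  # plain proposal
)

if __name__ == "__main__":
    for tnum, _tid, attrs in parse_transforms(SAMPLE):
        print("transform", tnum, transform_acceptable(attrs))
    print("selected:", select_transform(SAMPLE))
```

The point of the structure is that an unrecognised attribute only disqualifies the single transform it appears in: the responder keeps walking the chain, so a peer that offers an XAUTH method or a private group number first and a standard transform afterwards still gets a match on the standard one, rather than the blanket refusal Ari reports.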