Re: Comments on IKEv2
On 5 Dec 01, at 4:41, Dan Harkins wrote:
> > (3) S 2.9 says:
> >
> > The Responder is allowed to narrow the choices by selecting a subset
> > of the traffic, for instance by eliminating one or more members of
> > the set of traffic selectors provided the set does not become the
> > NULL set.
> >
> > Can the responder widen the choices? If not, why not?
>
> We want the two sides to converge on the largest intersection of their
> policy in the fewest possible number of messages. If the Responder added
> things it might be unacceptable to the Initiator and result in more
> round trips.
Dan,
On what criteria could the responder base his decision to narrow the TS?
Assume the following situation: the initiator offers a wildcard TSS, while
the responder's SPD consists of several adjacent ranges. The very natural
decision for him is to select and send back to the initiator one of these
ranges. But which? He doesn't have enough information, because the
initiator has no ability to tell him what exact packet she is trying
to make an SA for. If this information were provided by the initiator (via a
special payload, or by requiring the first TSS in the TS to always
represent the actual IP packet that triggered this negotiation), this
would increase the robustness of the protocol.
And one more comment. The peers seem to have no ability to inform
each other about what kind of signature (RSA or DSA) they will use.
Why so? This will require all implementations to support both (or even
more, if ECDSA comes later) to be interoperable. Wouldn't it be better
to negotiate this, as well as the cipher, hash and group?
Best regards,
Smyslov Valery.
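The narrowing problem raised in the message above, as an added worked example (editor's code, not part of the original thread, the IKEv2 draft or any implementation): a Responder narrows a proposed TS set against an SPD of several adjacent ranges. With a bare wildcard proposal every SPD entry is a candidate and the pick is arbitrary; when the first selector is taken to be the triggering packet (the fix proposed above, and the approach later written into RFC 4306 section 2.9) the choice is determined. The SPD layout, the `ts`/`narrow` helpers and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TS:
    """One IPv4 address range (start, end inclusive), as an IKEv2 traffic selector."""
    start: int
    end: int

    def intersect(self, other: "TS") -> Optional["TS"]:
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TS(lo, hi) if lo <= hi else None

    def contains(self, other: "TS") -> bool:
        return self.start <= other.start and other.end <= self.end

    def __str__(self) -> str:
        return f"{ipaddress.IPv4Address(self.start)}-{ipaddress.IPv4Address(self.end)}"


def ts(spec: str) -> TS:
    """Build a TS from 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h' (helper assumed for this example)."""
    if "-" in spec:
        lo, hi = spec.split("-")
        return TS(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    net = ipaddress.ip_network(spec, strict=False)
    return TS(int(net.network_address), int(net.broadcast_address))


ANY = ts("0.0.0.0/0")  # wildcard selector


@dataclass
class Narrowing:
    chosen: int        # index of the SPD entry the SA will be bound to
    selectors: list    # narrowed TS set sent back to the Initiator
    candidates: list   # every SPD entry that could have been chosen
    ambiguous: bool = field(init=False)

    def __post_init__(self):
        self.ambiguous = len(self.candidates) > 1


def narrow(initiator_ts, spd, first_is_trigger=False):
    """
    Responder-side narrowing of the Initiator's TS set against the Responder's
    SPD (a list of TS, one per policy entry; assumed non-overlapping here).
    Returns None when the intersection is the NULL set, which the Responder
    must not accept. With first_is_trigger=True the first proposed selector is
    taken to be the packet that triggered the negotiation, and only SPD
    entries containing it are candidates.
    """
    if first_is_trigger:
        candidates = [i for i, e in enumerate(spd) if e.contains(initiator_ts[0])]
    else:
        candidates = [i for i, e in enumerate(spd)
                      if any(t.intersect(e) is not None for t in initiator_ts)]
    if not candidates:
        return None
    chosen = candidates[0]  # with several candidates and no trigger, this pick is arbitrary
    entry = spd[chosen]
    selectors = []
    for t in initiator_ts:
        cut = t.intersect(entry)
        if cut is not None and cut not in selectors:
            selectors.append(cut)
    return Narrowing(chosen, selectors, candidates)


if __name__ == "__main__":
    # Constructed sample: three adjacent /24 policy entries on the Responder.
    spd = [ts("10.0.0.0/24"), ts("10.0.1.0/24"), ts("10.0.2.0/24")]

    r = narrow([ANY], spd)
    print("wildcard only :", "ambiguous =", r.ambiguous, "candidates =", r.candidates)

    r = narrow([ts("10.0.1.7/32"), ANY], spd, first_is_trigger=True)
    print("with trigger  : entry", r.chosen, "->", [str(s) for s in r.selectors])

    print("no overlap    :", narrow([ts("192.168.0.0/16")], spd))
```

Run as-is: the wildcard-only proposal reports three candidate entries and an arbitrary choice, the proposal led by the triggering packet 10.0.1.7 lands on the 10.0.1.0/24 entry and returns both the specific and the narrowed wildcard selector, and a proposal with no overlap yields `None`, the NULL set the Responder has to refuse.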