
Re: IKE v2 Requirements and backwards compatibility



On Fri, Dec 21, 2001 at 12:17:47AM -0500, Henry Spencer wrote:
> On Thu, 20 Dec 2001, Shane Amante wrote:
> > Aside from whatever method is ultimately decided upon for automagic
> > detection of a remote peer's IKE version number, would it be too much
> > to ask for a knob in IKEv2 implementations that allows operators/users
> > to manually configure the remote peer as being IKEv1 or IKEv2?
> 
> Perhaps.  This amounts to requiring that every IKE2 implementation also
> implement IKE1.

Not necessarily, unless I'm overlooking something.  Two solutions:
1) Only expose the knob, and let end-users configure it, on devices
   that have both IKE1 + IKE2 implementations.
2) Always expose the knob in all combinations of IKE implementations
   and let the end-user possibly shoot themselves in the foot.  (This is
   the point of a non-default, manual configuration. :-)

As long as one of the two scenarios is agreed upon by the group and
clearly documented, shouldn't it be "caveat emptor"?


> Initially, that is probably a reasonable thing to do...
> but it may not remain so.  IKE1 shouldn't be a mandatory part of IKE2.

-shane

