Re: IKE v2 Requirements and backwards compatability
On Fri, Dec 21, 2001 at 12:17:47AM -0500, Henry Spencer wrote:
> On Thu, 20 Dec 2001, Shane Amante wrote:
> > Aside from whatever method is ultimately decided upon for automagic
> > detection of a remote peer's IKE version number, would it be too much
> > to ask for a knob in IKEv2 implementations that allow operators/users
> > to manually configure the remote peer as being IKEv1 or IKEv2?
>
> Perhaps. This amounts to requiring that every IKE2 implementation also
> implement IKE1.
Not necessarily, unless I'm overlooking something. Two solutions:
1) Only expose the knob, and let end-users configure it, on devices
that have both IKE1 + IKE2 implementations.
2) Always expose the knob in all combinations of IKE implementations
and let the end-user possibly shoot themself in the foot. (This is
the point of a non-default, manual configuration. :-)
As long as one of the two scenarios is agreed upon by the group and
clearly documented, shouldn't it be "caveat emptor"?
> Initially, that is probably a reasonable thing to do...
> but it may not remain so. IKE1 shouldn't be a mandatory part of IKE2.
-shane