Re: divergent interpretations of IKE/IPsec - interop issues
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
>> The order of ESP and AH in the proposal
>> - Don't trust the order; although there is an order, it is actually
>> a set of proposals.
>> - Always send in order XYZ (I prefer ESP followed by AH, some
>> otherwise).
>> - The semantic is always the same (ESP inside AH)
>> - If IPcomp involved, IPcomp, ESP, AH.
Markku> This and some other entries just show that IKE should not do
Markku> bundles. Creates unnecessary combinatory complexities.
Markku> It should negotiate a single SA at a time (or to optimize, all
Markku> SAs, but it should not care about their order), it does not
Markku> matter. The policy checks in kernel will take care of bundle
Markku> requirements.
Assuming that the policy checks in the kernel are in fact the same at both
sides.
IKEv1 is not a policy negotiation protocol. This is bad, but it is.
BUT, in a BCP, we document WHAT IS, not what we'd like.
Please do NOT muddy the waters by mixing threads.
Please see next message under the title: "Policy requirements in Son-Of-IKE"
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPJv7hYqHRg3pndX9AQGK7gP/ZVMslV47X3Dv6hy8SXF3kdyZbDhL0bij
TCfp8AoSSzXY5/HQXp+ax179Eop22P0ajZaFrOHL0n8ocGuNRnh5MdtZ+RGqQfVR
asVqwnYAqAfqWMvyCWBfcJGbfCbhJZCgSQ1tfAgMamPcCrfkFbF8p5mikzKYRQFn
IBwsXuVyoX0=
=cmKj
-----END PGP SIGNATURE-----
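The bundle semantics quoted at the top of this message (proposal order is not authoritative; the processing order is always IPcomp, then ESP, then AH, so AH is outermost) and the reply's caveat (this only holds if the kernel policy on both sides agrees) can be shown in a small simulation. The following is an added example, not code from this thread, from any IKE implementation or from any kernel: it normalizes a proposal into the canonical bundle order, applies toy stand-ins for the three protocols (zlib for IPcomp, an XOR keystream derived from SHA-256 for ESP confidentiality, an HMAC-SHA256 tag for AH integrity; none of these are the real ESP, AH or IPcomp formats), and shows that two proposals listing the same protocols in different orders produce identical output on the wire, while a receiver whose policy expects a different bundle fails to process the packet. The function names, key material and the sample payload are all assumptions made for the example.

```python
import hashlib
import hmac
import zlib

# Canonical processing order for an outbound bundle, innermost first:
# compress (IPcomp), then encrypt (ESP), then authenticate (AH).
# Inbound processing runs the same list in reverse.
CANONICAL_ORDER = ("IPCOMP", "ESP", "AH")

AH_TAG_LEN = 32  # bytes of HMAC-SHA256 prepended by the toy AH below


def canonical_bundle(proposal):
    """Normalize a proposal (any order, duplicates ignored) into canonical order.

    The proposal is treated as a set, as the quoted text recommends: its order
    on the wire is not trusted, only which protocols it contains.
    """
    protos = set(proposal)
    unknown = protos - set(CANONICAL_ORDER)
    if unknown:
        raise ValueError("unknown protocol(s) in proposal: %s" % sorted(unknown))
    return tuple(p for p in CANONICAL_ORDER if p in protos)


def policies_agree(sender_proposal, receiver_policy):
    """True when both ends would process the same bundle (same protocol set)."""
    return canonical_bundle(sender_proposal) == canonical_bundle(receiver_policy)


def _toy_keystream(key, length):
    # Toy keystream for the example only: SHA-256 of key || 32-bit counter.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _toy_esp(data, key):
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _toy_keystream(key, len(data))))


def outbound(payload, proposal, keys):
    """Apply the bundle to an outbound payload in canonical order."""
    data = payload
    for proto in canonical_bundle(proposal):
        if proto == "IPCOMP":
            data = zlib.compress(data)
        elif proto == "ESP":
            data = _toy_esp(data, keys["esp"])
        elif proto == "AH":
            # AH is outermost: the tag covers everything ESP produced.
            tag = hmac.new(keys["ah"], data, hashlib.sha256).digest()
            data = tag + data
    return data


def inbound(data, policy, keys):
    """Undo the bundle the receiver's policy expects; raise ValueError on failure."""
    for proto in reversed(canonical_bundle(policy)):
        if proto == "AH":
            tag, body = data[:AH_TAG_LEN], data[AH_TAG_LEN:]
            expected = hmac.new(keys["ah"], body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("AH integrity check failed")
            data = body
        elif proto == "ESP":
            data = _toy_esp(data, keys["esp"])
        elif proto == "IPCOMP":
            try:
                data = zlib.decompress(data)
            except zlib.error as exc:
                raise ValueError("IPcomp decompression failed: %s" % exc)
    return data


if __name__ == "__main__":
    # Constructed sample input and keys; not real traffic.
    keys = {"esp": b"example-esp-key", "ah": b"example-ah-key"}
    payload = b"constructed sample payload " * 8

    # Same protocol set, different proposal order: identical bytes on the wire.
    wire_a = outbound(payload, ("AH", "ESP"), keys)
    wire_b = outbound(payload, ("ESP", "AH"), keys)
    print("proposal order irrelevant:", wire_a == wire_b)
    print("receiver with matching policy:", inbound(wire_b, ("ESP", "AH"), keys) == payload)

    # Receiver whose kernel policy expects IPcomp too: bundles do not agree.
    print("policies agree:", policies_agree(("ESP", "AH"), ("IPCOMP", "ESP", "AH")))
    try:
        inbound(wire_b, ("IPCOMP", "ESP", "AH"), keys)
    except ValueError as exc:
        print("mismatched policy fails:", exc)
```

The second half of the demo is the point of the reply: IKEv1 negotiates SAs, not policy, so a bundle that is well-formed on one side still fails if the peer's kernel was configured to expect a different protocol set.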