
Re: divergent interpretations of IKE/IPsec - interop issues



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Markku" == Markku Savela <msa@burp.tkv.asdf.org> writes:
    >> The order of ESP and AH in the proposal
    >> - Don't trust the order; although there is an order, it is actually
    >> a set of proposals.
    >> - Always send in order XYZ  (I prefer ESP followed by AH, some
    >> otherwise).
    >> - The semantic is always the same (ESP inside AH)
    >> - If IPcomp involved, IPcomp, ESP, AH.

    Markku> This and some other entries just show that IKE should not do
    Markku> bundles. Creates unnecessary combinatory complexities.

    Markku> It should negotiate a single SA at a time (or to optimize, all
    Markku> SAs, but it should not care about their order), it does not
    Markku> matter. The policy checks in kernel will take care of bundle
    Markku> requirements.

  Assuming that the policy checks in the kernel are in fact the same at both
sides.

  IKEv1 is not a policy negotiation protocol. This is bad, but it is.
  BUT, in a BCP, we document WHAT IS, not what we'd like.
  Please do NOT muddy the waters by mixing threads.

  Please see next message under the title: "Policy requirements in Son-Of-IKE"

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPJv7hYqHRg3pndX9AQGK7gP/ZVMslV47X3Dv6hy8SXF3kdyZbDhL0bij
TCfp8AoSSzXY5/HQXp+ax179Eop22P0ajZaFrOHL0n8ocGuNRnh5MdtZ+RGqQfVR
asVqwnYAqAfqWMvyCWBfcJGbfCbhJZCgSQ1tfAgMamPcCrfkFbF8p5mikzKYRQFn
IBwsXuVyoX0=
=cmKj
-----END PGP SIGNATURE-----
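The quoted interop advice ("don't trust the order; it is a set of proposals", "the semantic is always ESP inside AH", "if IPcomp is involved: IPcomp, ESP, AH") boils down to one rule: treat a phase-2 bundle as a set and derive the encapsulation order from a fixed convention, never from the order the peer happened to list it. The following is an added example written for this page, not code from the original message or from any IKE implementation. It assumes the canonical innermost-to-outermost order stated in the quoted text (IPcomp, ESP, AH) and uses the IPsec DOI protocol identifiers from RFC 2407 section 4.4.1; the function names are my own.

```python
# Added example (not from the original message): normalise an IKEv1 phase-2
# protection-suite bundle so that proposal order never matters, as the quoted
# interop advice recommends ("don't trust the order; it is a set").
# Protocol identifiers are the IPsec DOI values from RFC 2407 section 4.4.1.
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTO_IPCOMP = 4

# Canonical application order, innermost first: compress, then encrypt,
# then authenticate. AH is always the outermost header ("ESP inside AH").
CANONICAL_ORDER = (PROTO_IPCOMP, PROTO_IPSEC_ESP, PROTO_IPSEC_AH)
NAMES = {PROTO_IPSEC_AH: "AH", PROTO_IPSEC_ESP: "ESP", PROTO_IPCOMP: "IPCOMP"}


def normalise_bundle(proposals):
    """Return the protocols of a bundle in canonical (innermost-first) order.

    `proposals` is an iterable of protocol ids as they appeared in the peer's
    SA payload, in whatever order the peer chose. Duplicates and unknown
    protocols are rejected rather than silently dropped: accepting a malformed
    bundle is how two peers end up installing mismatched SA stacks.
    """
    seen = set()
    for proto in proposals:
        if proto not in NAMES:
            raise ValueError(f"unknown protocol id {proto}")
        if proto in seen:
            raise ValueError(f"protocol {NAMES[proto]} listed twice in one bundle")
        seen.add(proto)
    if not seen:
        raise ValueError("empty bundle")
    return tuple(p for p in CANONICAL_ORDER if p in seen)


def is_valid_bundle(proposals):
    """Boolean wrapper around normalise_bundle for callers that only need a verdict."""
    try:
        normalise_bundle(proposals)
        return True
    except ValueError:
        return False


def bundles_match(local_policy, peer_proposal):
    """True when both sides require the same set of protections, regardless of
    the order either side wrote them down. This is the check a kernel policy
    lookup has to get right on both peers for bundle negotiation to interoperate."""
    return normalise_bundle(local_policy) == normalise_bundle(peer_proposal)


def describe(bundle):
    """Human-readable encapsulation, e.g. 'ESP inside AH'."""
    return " inside ".join(NAMES[p] for p in normalise_bundle(bundle))


if __name__ == "__main__":
    # Constructed sample: the peer listed AH before ESP, local policy the reverse.
    peer = [PROTO_IPSEC_AH, PROTO_IPSEC_ESP]
    local = [PROTO_IPSEC_ESP, PROTO_IPSEC_AH]
    print(describe(peer), "| match:", bundles_match(local, peer))
```

The point of `bundles_match` is that it compares normalised tuples, so the two orderings Markku and the quoted bullets disagree about ("ESP followed by AH" versus the reverse) compare equal; what still has to agree between the peers is the set of protections, which is exactly the part IKEv1 does not negotiate as policy.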