[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Specification of tunnel/transport attribute in IKEv2

To: andrew.krywaniuk@alcatel.com
Subject: Re: Specification of tunnel/transport attribute in IKEv2
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Sat, 11 May 2002 00:33:40 +0300
CC: ipsec@lists.tislabs.com
In-reply-to: <001a01c1f866$26f2bf00$1e72788a@ca.alcatel.com>(andrew.krywaniuk@alcatel.com)
References: <001a01c1f866$26f2bf00$1e72788a@ca.alcatel.com>
Sender: owner-ipsec@lists.tislabs.com


> The merit of this ordering is not the point. Since 90% of IPsec
> implementations either fundamentally do not support this feature, or maybe
> could support it but have no desire to do so, yours is a rather edge case.
> Therefore, I suggest that you enable it via a proprietary extension.
> 
> Leaving the specification vague on some critical issues because a few people
> had some esoteric objections is exactly where we went wrong with IKEv1.

In my opinion, IKE went wrong when it started doing policy checking,
instead of just being a key negotiation.

If IKE negotiated only keys, these ordering issues would never have
surfaced.

As far as RFC-2401 is concerned, any ordering is possible (and policy
dictates the required order). Requiring something to be "proprietary
extension" just because some couldn't read the RFC-2401 properly, is
somewhat sad thing.

Follow-Ups:
- Re: Specification of tunnel/transport attribute in IKEv2
  - From: Henry Spencer <henry@spsystems.net>

References:
- RE: Specification of tunnel/transport attribute in IKEv2
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: RE: Specification of tunnel/transport attribute in IKEv2
Next by Date: addresses and IKEv2
Prev by thread: RE: Specification of tunnel/transport attribute in IKEv2
Next by thread: Re: Specification of tunnel/transport attribute in IKEv2
Index(es):
- Date
- Thread