
Re: Specification of tunnel/transport attribute in IKEv2



> From: Jan Vilhuber <vilhuber@cisco.com>
> 
> Sure sounds like an administrative nightmare (as well as wasted
> bandwidth) to me, when we could simply do it via negotiation in an
> automated fashion.

I assume you must be referring to the policy maintenance, because
there is nothing "administrative" in my proposed "policy mismatch
notification".

As to policy, you *cannot* negotiate it automatically. What use is a policy
which can be automatically modified at will?

If I have a policy

  - allow HTTP traffic to my WEB server using IPSEC
  - drop other

Surely you don't want anyone "negotiating" this into

  - allow HTTP traffic to my WEB server using IPSEC
  - allow ANY with NUL ESP
  - drop other

So, I assume when you are talking about "negotiating policy", it is
something which I don't consider as a part of policy? As I have said
earlier, I have no problem allowing choices in SA algorithm. If
desired, the policy just lists the allowed alternatives and IKE can
pick one which is common. (If you are using PFKEY, then just look at the
ACQUIRE message: it has a list of alternatives).
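To illustrate the distinction the reply draws between policy and negotiation, here is a small added model (written for this archive page; it is not code from the poster, from any IKE implementation, or from a PFKEY stack). The SPD entries, addresses and transform names are constructed placeholders. A policy entry lists the transforms the administrator allows; the negotiation step only ever picks a common member of that list, the way the reply describes ACQUIRE carrying alternatives, and a peer proposing NULL ESP for traffic the policy says to protect gets no proposal chosen rather than a widened policy.

```python
"""Toy SPD policy vs. IKE transform selection (added example, not the poster's code)."""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Selector:
    """Traffic selector: wildcard (ANY) or exact match on each field."""
    dst: str = ANY
    proto: str = ANY
    dport: object = ANY  # int or ANY

    def matches(self, dst, proto, dport):
        return all(
            want == ANY or want == have
            for want, have in ((self.dst, dst), (self.proto, proto), (self.dport, dport))
        )


@dataclass(frozen=True)
class PolicyEntry:
    selector: Selector
    action: str            # "protect" or "discard"
    transforms: tuple = () # allowed alternatives, in local preference order


# Constructed SPD mirroring the reply: protect HTTP to the web server, drop the rest.
# 192.0.2.10 is a documentation address; transform names are placeholders.
SPD = (
    PolicyEntry(Selector(dst="192.0.2.10", proto="tcp", dport=80), "protect",
                ("ESP-AES-GCM-256", "ESP-AES-CBC-128-HMAC-SHA256")),
    PolicyEntry(Selector(), "discard"),  # catch-all: drop other
)


def lookup(spd, dst, proto, dport):
    """First-match SPD lookup, as an SPD is searched in order."""
    for entry in spd:
        if entry.selector.matches(dst, proto, dport):
            return entry
    return None


def acquire_alternatives(spd, dst, proto, dport):
    """What an ACQUIRE-style message would carry: the policy's allowed alternatives."""
    entry = lookup(spd, dst, proto, dport)
    if entry is None or entry.action != "protect":
        return ()
    return entry.transforms


def choose_transform(entry, peer_proposals):
    """Pick the first locally allowed transform the peer also offers.

    The peer's list can never add to `entry.transforms`; it can only
    narrow the choice to something both sides already permit.
    """
    for candidate in entry.transforms:
        if candidate in peer_proposals:
            return candidate
    return None


def negotiate(spd, dst, proto, dport, peer_proposals):
    """Return (outcome, transform) for traffic matching the given selector."""
    entry = lookup(spd, dst, proto, dport)
    if entry is None or entry.action == "discard":
        return ("discard", None)          # policy says drop; nothing to negotiate
    chosen = choose_transform(entry, peer_proposals)
    if chosen is None:
        return ("no-proposal-chosen", None)  # peer offered only things policy forbids
    return ("protect", chosen)


if __name__ == "__main__":
    print(negotiate(SPD, "192.0.2.10", "tcp", 80, ["ESP-AES-CBC-128-HMAC-SHA256", "ESP-AES-GCM-256"]))
    print(negotiate(SPD, "192.0.2.10", "tcp", 80, ["ESP-NULL"]))
    print(negotiate(SPD, "192.0.2.10", "tcp", 22, ["ESP-NULL", "ESP-AES-GCM-256"]))
```

The local preference order wins when both sides permit several transforms, and a peer's "ANY with NULL ESP" offer is simply not selectable because it is absent from the policy's list, which is the point the reply makes about negotiation never rewriting policy.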


