RE: Son of Ike status
At 7:46 PM -0400 8/21/02, Charlie_Kaufman@notesdev.ibm.com wrote:
>I considered that, but judged it to be marginally more complicated.
>Its advantage and its disadvantage is that it invites having more
>than one encrypted block and having unencrypted information before
>and after the encrypted information. It seemed like flexibility that we
>didn't need but that people would have to code for.

One of the nice things of IKEv2 is that there is much less 
flexibility in the messages; this leads to better interoperability. 
It is quite easy for the spec to say that message 3 can only have one 
encrypted blob, just like it is in JFKr.

>If we can encrypt any of message 4, we can encrypt all of it. In message
>4 encryption is optional - certain errors would not be encrypted. But
>I can't think of any reason message 4 would be partially encrypted.
>Can you?

Nope. I was proposing that both messages 3 and 4 have the encrypted 
blob be optional, and only present if there is no error. The current 
IKEv2 draft doesn't specify well what to do with errors in messages 3 
and 4, which will of course lead to lack of interoperability not all 
that different than with IKEv1. If we could tighten this up now, it 
would be great.

--Paul Hoffman, Director
--VPN Consortium