RE: Son of Ike status
At 7:46 PM -0400 8/21/02, Charlie_Kaufman@notesdev.ibm.com wrote:
>I considered that, but judged it to be marginally more complicated.
>Its advantage and its disadvantage is that it invites having more
>than one encrypted block and having unencrypted information before
>and after the encrypted information. It seemed like flexibility that we
>didn't need but that people would have to code for.
One of the nice things of IKEv2 is that there is much less
flexibility in the messages; this leads to better interoperability.
It is quite easy for the spec to say that message 3 can only have one
encrypted blob, just like it is in JFKr.
>If we can encrypt any of message 4, we can encrypt all of it. In message
>4 encryption is optional - certain errors would not be encrypted. But
>I can't think of any reason message 4 would be partially encrypted.
>Can you?
Nope. I was proposing that both messages 3 and 4 have the encrypted
blob be optional, and only present if there is no error. The current
IKEv2 draft doesn't specify well what to do with errors in messages 3
and 4, which will of course lead to lack of interoperability not all
that different than with IKEv1. If we could tighten this up now, it
would be great.
--Paul Hoffman, Director
--VPN Consortium