Re: Avoiding tricking IKE v2 nodes into talking v1



At 10:00 AM -0700 8/26/02, Dan Harkins wrote:
>   If something really has to be done I suggest we come up with an
>IKEv1 "vendor ID" payload that says something like "I can actually
>speak a higher version of IKE". This payload would be sent in the
>5th and 6th message in Main Mode or the 2nd and 3rd in Aggressive
>Mode.

This sounds like the cleanest approach, and it matches what most 
implementations use vendor ID payloads for.

>Most implementations can handle "vendor ID" payloads in these
>parts of the exchanges.

If the WG is worried about this, VPNC could probably test this fairly 
quickly among our members' products.

--Paul Hoffman, Director
--VPN Consortium
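The proposal quoted above (an IKEv1 Vendor ID payload that announces "I can speak a higher version of IKE") can be illustrated with a small parser on the responder or initiator side: walk the ISAKMP payload chain of a Main Mode or Aggressive Mode message, pick out Vendor ID payloads, and, if the local node is itself IKEv2-capable, flag the IKEv1 session as a candidate for a retry in IKEv2. This is an added example, not code from the thread or from any IKE implementation. The ISAKMP header layout, the generic payload header, and the payload type 13 for Vendor ID come from RFC 2408; the 16-byte marker value `HIGHER_VERSION_VID` is a constructed placeholder, since the thread proposes such a payload but does not define its value. The example assumes it is handed the plaintext payload chain (i.e. after the decryption that Main Mode messages 5 and 6 would require).

```python
import struct

# Constants from RFC 2408 (ISAKMP).
ISAKMP_HDR_LEN = 28          # fixed ISAKMP header size in bytes
ISAKMP_HDR_FMT = "!8s8sBBBBII"
PAYLOAD_NONE = 0
PAYLOAD_VENDOR_ID = 13
EXCH_MAIN_MODE = 2
EXCH_AGGRESSIVE = 4

# Constructed placeholder: the thread proposes a Vendor ID meaning "I can speak a
# higher version of IKE" but never fixes its value, so this 16-byte marker is an
# assumption made for this example only.
HIGHER_VERSION_VID = b"EXAMPLE-IKEv2-OK"


def build_isakmp(exchange_type, payloads):
    """Serialize a constructed IKEv1 message: 28-byte ISAKMP header followed by a
    chain of (payload_type, body) tuples, each behind a 4-byte generic header."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack(
        ISAKMP_HDR_FMT,
        b"\x11" * 8,            # initiator cookie (constructed)
        b"\x22" * 8,            # responder cookie (constructed)
        first,                  # next payload
        0x10,                   # version: major 1, minor 0 (IKEv1)
        exchange_type,
        0,                      # flags
        0,                      # message ID (0 in phase 1)
        ISAKMP_HDR_LEN + len(body),
    )
    return hdr + body


def parse_payloads(msg):
    """Return (exchange_type, [(payload_type, body), ...]) for an IKEv1 message.

    Every length field is checked against the buffer before it is used, so a
    truncated or inconsistent message raises ValueError instead of being read
    past its end."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    _, _, next_type, version, exch, _, _, length = struct.unpack(
        ISAKMP_HDR_FMT, msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message")
    off = ISAKMP_HDR_LEN
    payloads = []
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated generic payload header")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((next_type, msg[off + 4:off + plen]))
        off += plen
        next_type = nxt
    return exch, payloads


def advertises_higher_version(msg):
    """True if a phase-1 IKEv1 message carries the (constructed) higher-version
    Vendor ID. Messages outside Main/Aggressive Mode never qualify."""
    exch, payloads = parse_payloads(msg)
    if exch not in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE):
        return False
    return any(t == PAYLOAD_VENDOR_ID and body == HIGHER_VERSION_VID
               for t, body in payloads)


def should_retry_with_v2(msg, local_supports_v2):
    """Decision a v2-capable node can take: both sides speak a higher version, yet
    the exchange is running as IKEv1, so treat it as a downgrade candidate."""
    return local_supports_v2 and advertises_higher_version(msg)


if __name__ == "__main__":
    peer_msg = build_isakmp(EXCH_MAIN_MODE, [(PAYLOAD_VENDOR_ID, HIGHER_VERSION_VID)])
    print("retry in IKEv2:", should_retry_with_v2(peer_msg, local_supports_v2=True))
```

The length checks in `parse_payloads` are the part worth keeping in a real implementation: a Vendor ID check is only useful if the payload walk that finds it cannot itself be thrown off by a malformed length field.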