Re: Modefg considered harmful
- To: Cheryl Madson <cmadson@cisco.com>
- Subject: Re: Modefg considered harmful
- From: Geoff Keating <geoffk@geoffk.org>
- Date: 31 Jan 2003 11:55:13 -0800
- Cc: ipsec@lists.tislabs.com
- In-Reply-To: <4.3.2.7.2.20030130170851.04908778@mira-sjcm-4.cisco.com>
- References: <Your message of "Thu, 30 Jan 2003 15:09:13 PST."<Pine.LNX.4.44.0301301458430.30276-100000@internaut.com><4.3.2.7.2.20030130170851.04908778@mira-sjcm-4.cisco.com>
- Sender: owner-ipsec@lists.tislabs.com
- User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Cheryl Madson <cmadson@cisco.com> writes:
> I've always contended that for IKEv1 that *both* modecfg and DHCP
> had the same underlying issue -- an introduction of a "special" state
> into the protocol processing (either somewhat explicitly via "phase 1.5"
> or implicitly via the "special phase 2 which if it happens has to happen
> before any other phase 2").
I agree with this. One of the most annoying parts of implementing
modecfg and XAUTH when I did it was that it adds a large number of
states to IKE negotiation, and the behaviour in each state is not
always obvious. The modecfg draft I saw, for instance, wasn't clear
on whether the initiator should expect the responder to give it an
address without asking; or whether it had to ask; or whether it could
just tell the responder that it was taking a known-good address.
--
- Geoffrey Keating <geoffk@geoffk.org>
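As an added illustration of the ambiguity described in this reply (example code written for this page, not code from the modecfg draft or from any IKE implementation): a toy model that plays the three possible initiator readings (wait to be pushed an address, ask for one, announce a known-good one) against two responder readings, using the CFG_REQUEST/REPLY/SET/ACK message types of the draft. The policy names and the rule that a side silently drops any message its own reading did not tell it to expect are simplifying assumptions.

```python
from enum import Enum, auto


class Msg(Enum):
    CFG_REQUEST = auto()  # initiator asks the gateway for an address
    CFG_REPLY = auto()    # gateway answers a CFG_REQUEST
    CFG_SET = auto()      # one side pushes an address unasked
    CFG_ACK = auto()      # acknowledges a CFG_SET


# Each policy is (first message it sends, or None) and the message it waits for.
# Names are assumptions made for this example, not terms from the draft.
INITIATOR = {
    "expect_push": (None, Msg.CFG_SET),             # wait to be given an address
    "ask":         (Msg.CFG_REQUEST, Msg.CFG_REPLY),  # ask, then wait for reply
    "announce":    (Msg.CFG_SET, Msg.CFG_ACK),      # "I am taking this address"
}
RESPONDER = {
    "push":       (Msg.CFG_SET, Msg.CFG_ACK),       # assign as soon as phase 1 ends
    "on_request": (None, Msg.CFG_REQUEST),          # only answer explicit requests
}
# What a side sends back once it receives the message it was waiting for.
ANSWER = {Msg.CFG_REQUEST: Msg.CFG_REPLY, Msg.CFG_SET: Msg.CFG_ACK,
          Msg.CFG_REPLY: None, Msg.CFG_ACK: None}


def negotiate(initiator, responder):
    """Run one config exchange; return 'ok', 'deadlock' or 'mismatch'."""
    i_send, i_wait = INITIATOR[initiator]
    r_send, r_wait = RESPONDER[responder]
    to_r = [i_send] if i_send else []   # in flight towards the responder
    to_i = [r_send] if r_send else []   # in flight towards the initiator
    if not to_r and not to_i:
        return "deadlock"               # each side waits for the other to start
    i_done = r_done = False
    while to_r or to_i:
        # Assumption: a side handles only the message its reading of the draft
        # told it to expect; anything else is dropped without an error.
        nxt_i = [ANSWER[m] for m in to_r if m is r_wait and ANSWER[m]]
        r_done = r_done or any(m is r_wait for m in to_r)
        nxt_r = [ANSWER[m] for m in to_i if m is i_wait and ANSWER[m]]
        i_done = i_done or any(m is i_wait for m in to_i)
        to_i, to_r = nxt_i, nxt_r
    return "ok" if i_done and r_done else "mismatch"


def outcome_table():
    """Every pairing of readings and how it ends."""
    return {(i, r): negotiate(i, r) for i in INITIATOR for r in RESPONDER}


if __name__ == "__main__":
    for (i, r), result in outcome_table().items():
        print(f"initiator={i:12s} responder={r:11s} -> {result}")
```

Only two of the six pairings complete, which is the practical cost of a draft that leaves the initiator's first move unspecified: two conforming implementations can each be "correct" and still never assign an address.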