Re: Modefg considered harmful



Cheryl Madson <cmadson@cisco.com> writes:

> I've always contended that for IKEv1 that *both* modecfg and DHCP
> had the same underlying issue -- an introduction of a "special" state
> into the protocol processing (either somewhat explicitly via "phase 1.5"
> or implicitly via the "special phase 2 which if it happens has to happen
> before any other phase 2").

I agree with this.  One of the most annoying parts of implementing
modecfg and XAUTH when I did it was that it adds a large number of
states to IKE negotiation, and the behaviour in each state is not
always obvious.  The modecfg draft I saw, for instance, wasn't clear
on whether the initiator should expect the responder to give it an
address without asking; or whether it had to ask; or whether it could
just tell the responder that it was taking a known-good address.

-- 
- Geoffrey Keating <geoffk@geoffk.org>