Re: IKEV2: Issue #2: Cipher suites
kivinen@ssh.fi (Tero Kivinen) writes:
> There was also proposal to split the suites to IKE and IPsec suites,
> i.e put all IKE suites to have numbers 0-8191 and IPsec suites from
> 8192-16383 or similar.
To reply to my own comment, I think it would be even better to split
those tables completely. The crypto suite numbers should be allocated
in two different pools, one for the phase 1 and one for the phase 2.
This would remove problems and errors where someone includes a suite for
ESP in the phase 1 or an IKE suite for child_sa. The parsing of SA
payload can be identical but the meaning of the values in the payloads
should depend on if it is phase 1 or 2 SA negotiation payload.
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/