Re: suites vs. a la carte and IPcomp in IKEv2-05



ekr@rtfm.com (Eric Rescorla) writes:
> Say, for the sake of argument that you have a piece of hardware
> that processes single IPsec records and supports 3DES and SHA.
> You then add another CSP that supports AES and MD5. You can't

Then the IKE must select one of those and offer only that. If the
negotiation fails it can try the other. As told earlier in this thread,
most of the IPsec initiators are configured to only send one offer
anyway, so I don't really think this is a very big issue.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/