RE: draft-ietf-ipsec-ikev2-05.txt comments
>1.4 The INFORMATIONAL Exchange
...
> A node SHOULD regard half open connections as anomalous and audit
I think we should talk about half closed connections instead of half
open.
=> Agreed. "Half open" should be used to refer to connections where one side
has sent the final packet of the exchange, but the peer hasn't received it.
Or where the peer rejects it, but the notify message is lost (which
hopefully shouldn't happen much any more).
> signature or MAC will be computed using algorithms dictated by the
> type of key used by the signer, an RSA-signed PKCS1-padded-hash for
^^^^
I assume this is the negotiated hash algorithm like it was in the
IKEv1?
=> Didn't we change it to the hash algorithm in the certificate? Or has that
been changed back since?
> Multi-
> Attribute Type Value Valued Length
> ======================= ===== ====== ==================
> INTERNAL_IP4_SUBNET 13 NO 0 or 8 octets
> INTERNAL_IP6_SUBNET 15 NO 17 octets
I think those two should be multi-valued, at least the description
later indicates that there might be multiple subnets behind (at least
you can request multiple subnets).
=> And while we're at it, shouldn't INTERNAL_IP6_SUBNET be 0 or 17 octets?
Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
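Added example, not part of the mail above and not the draft's or any implementation's own code: a small parser for IKEv2 Configuration Payload attributes that enforces the value lengths discussed in the thread (INTERNAL_IP4_SUBNET: 0 or 8 octets, INTERNAL_IP6_SUBNET: 0 or 17 octets, taking the mail's suggestion that 0 be allowed for IPv6 as well) and treats both subnet attributes as multi-valued, collecting every occurrence. The attribute header layout (a reserved R bit, a 15-bit type and a 16-bit length) is assumed from the IKEv2 draft, not stated in this mail, and the sample payload is constructed inline rather than taken from a capture. A receiver that checks lengths this way before touching the value avoids reading past the payload on a short or oversized attribute.

```python
"""Parse IKEv2 Configuration Payload attributes with length checks.

Assumed attribute header (from the IKEv2 draft, not from the mail):
    1 bit   R  (reserved, must be zero)
    15 bits Attribute Type
    16 bits Length of the value in octets
    value
"""
import ipaddress
import struct

INTERNAL_IP4_SUBNET = 13   # value: 4-octet address + 4-octet netmask
INTERNAL_IP6_SUBNET = 15   # value: 16-octet address + 1-octet prefix length

# A zero-length value is a request; otherwise the value has a fixed size.
# The thread argues that 0 should be allowed for INTERNAL_IP6_SUBNET too.
ALLOWED_LENGTHS = {
    INTERNAL_IP4_SUBNET: {0, 8},
    INTERNAL_IP6_SUBNET: {0, 17},
}


class CfgAttrError(ValueError):
    """Raised for a malformed configuration attribute."""


def parse_cfg_attributes(data: bytes):
    """Return a list of (type, value) tuples, validating every header."""
    attrs = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise CfgAttrError("truncated attribute header at offset %d" % off)
        type_field, length = struct.unpack_from("!HH", data, off)
        if type_field & 0x8000:
            raise CfgAttrError("reserved R bit set at offset %d" % off)
        atype = type_field & 0x7FFF
        off += 4
        # Check the declared length against the remaining payload before slicing.
        if len(data) - off < length:
            raise CfgAttrError("attribute %d length %d runs past payload" % (atype, length))
        if atype in ALLOWED_LENGTHS and length not in ALLOWED_LENGTHS[atype]:
            raise CfgAttrError("attribute %d has invalid length %d" % (atype, length))
        attrs.append((atype, data[off:off + length]))
        off += length
    return attrs


def decode_subnets(attrs):
    """Collect every INTERNAL_IP*_SUBNET value (multi-valued) as a network."""
    subnets = []
    for atype, value in attrs:
        if atype == INTERNAL_IP4_SUBNET and value:
            addr = ipaddress.IPv4Address(value[:4])
            mask = str(ipaddress.IPv4Address(value[4:8]))
            subnets.append(ipaddress.IPv4Network((addr, mask), strict=False))
        elif atype == INTERNAL_IP6_SUBNET and value:
            addr = ipaddress.IPv6Address(value[:16])
            prefixlen = value[16]
            if prefixlen > 128:
                raise CfgAttrError("IPv6 prefix length %d out of range" % prefixlen)
            subnets.append(ipaddress.IPv6Network((addr, prefixlen), strict=False))
    return subnets


def build_attr(atype: int, value: bytes = b"") -> bytes:
    """Encode one attribute; used here only to construct sample input."""
    return struct.pack("!HH", atype, len(value)) + value


def rejects(data: bytes) -> bool:
    """True if the payload is refused as malformed."""
    try:
        decode_subnets(parse_cfg_attributes(data))
        return False
    except CfgAttrError:
        return True


# Constructed sample: one IPv4 request, two IPv4 subnets, one IPv6 subnet.
SAMPLE = (
    build_attr(INTERNAL_IP4_SUBNET)
    + build_attr(INTERNAL_IP4_SUBNET,
                 ipaddress.IPv4Address("192.0.2.0").packed
                 + ipaddress.IPv4Address("255.255.255.0").packed)
    + build_attr(INTERNAL_IP4_SUBNET,
                 ipaddress.IPv4Address("198.51.100.0").packed
                 + ipaddress.IPv4Address("255.255.255.128").packed)
    + build_attr(INTERNAL_IP6_SUBNET,
                 ipaddress.IPv6Address("2001:db8::").packed + bytes([64]))
)

# Constructed malformed samples: a 16-octet IPv6 subnet (prefix length missing)
# and an attribute with the reserved R bit set.
BAD_IP6_LENGTH = build_attr(INTERNAL_IP6_SUBNET, b"\x00" * 16)
BAD_R_BIT = struct.pack("!HH", 0x8000 | INTERNAL_IP4_SUBNET, 0)

if __name__ == "__main__":
    for net in decode_subnets(parse_cfg_attributes(SAMPLE)):
        print(net)
    print("rejects 16-octet IP6 subnet:", rejects(BAD_IP6_LENGTH))
```

The parser validates the length field against the remaining payload first, then against the per-attribute allowed set, so a value is only sliced once both checks pass; callers that want to treat the subnet attributes as single-valued can simply take the first element of the returned list.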