Re: LAST CALL: IKE
In anticipation of several proposed changes to RFC 2401, I would like
to suggest a few additional payloads to be added to IKE v2.
Several folks have asked for the ability to place traffic with
different TOS values on different SAs, which requires that the TOS
field (IPv4) and the flow spec field (IPv6) be useable as selectors.
If we agree to add this feature, we need the ability to negotiate
this in IKE.
A few folks have observed that the current mandate for black side
fragmentation poses DoS vulnerabilities for receivers. Thus we may
choose to allow (or recommend) red side fragmentation. If so, we need
to be able to negotiate use of this capability on a per-SA basis, and
to notify the receiver that NO black fragments should be accepted,
because none will be sent on this SA.
As a separate matter, I had requested a few months ago that we allow
IKE peers to negotiate use of groups other than the set defined in
Oakley. I see that there is a provision to negotiate other choices
for P, but not for G. I apologize for not noticing this sooner. I
would like to see the negotiation made more general, so that both the
generator as well as the exponent are values that peers can negotiate.
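An added example, not from the post or from any IKE implementation, modelling two of the proposals above: an outbound SA lookup that treats TOS as a selector, and a receiver that applies a hypothetical per-SA "no black fragments" flag before spending any reassembly state. All class names, the flag, and the fragment fields are constructed for illustration; fragments are assumed to arrive in order.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class SA:
    spi: int
    tos: Optional[int]            # hypothetical TOS/DSCP selector (None = any)
    accept_black_fragments: bool  # hypothetical flag negotiated per SA in IKE

@dataclass(frozen=True)
class Fragment:
    """Constructed IP fragment of an ESP packet (a 'black side' fragment)."""
    frag_id: int
    offset: int                   # 0 = first fragment, the only one carrying the SPI
    more: bool                    # more-fragments bit
    spi: Optional[int] = None
    payload: bytes = b""

def select_outbound_sa(sas: List[SA], tos: int) -> Optional[SA]:
    """TOS as a selector: an exact TOS match beats a wildcard SA."""
    exact = [sa for sa in sas if sa.tos == tos]
    if exact:
        return exact[0]
    wild = [sa for sa in sas if sa.tos is None]
    return wild[0] if wild else None

class Receiver:
    def __init__(self, sas: List[SA], reassembly_slots: int):
        self.sad = {sa.spi: sa for sa in sas}
        self.slots = reassembly_slots            # bounded reassembly buffer
        self.pending: Dict[int, List[Fragment]] = {}
        # If no SA on this host allows black fragments, none need be buffered at all.
        self.any_black_allowed = any(sa.accept_black_fragments for sa in sas)

    def inbound(self, frag: Fragment) -> str:
        if frag.offset == 0 and not frag.more:
            return "delivered"                   # whole ESP packet, authenticated directly
        if not self.any_black_allowed:
            return "dropped:no-sa-accepts-black-fragments"
        if frag.offset == 0:                     # only here is the SA identifiable
            sa = self.sad.get(frag.spi)
            if sa is None or not sa.accept_black_fragments:
                return "dropped:sa-forbids-black-fragments"
        # Reassembly state is spent only past the checks above; without the negotiated
        # flag every unauthenticated fragment would have to be buffered until reassembly.
        if frag.frag_id not in self.pending:
            if len(self.pending) >= self.slots:
                return "dropped:reassembly-exhausted"
            self.pending[frag.frag_id] = []
        self.pending[frag.frag_id].append(frag)
        if not frag.more:                        # last piece: hand the datagram to ESP
            del self.pending[frag.frag_id]
            return "reassembled"
        return "buffered"
```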