
Re: LAST CALL: IKE



In anticipation of several proposed changes to RFC 2401, I would like 
to suggest a few additional payloads to be added to IKE v2.

Several folks have asked for the ability to place traffic with 
different TOS values on different SAs, which requires that the TOS 
field (IPv4) and the flow spec field (IPv6) be useable as selectors. 
If we agree to add this feature, we need the ability to negotiate 
this in IKE.

A few folks have observed that the current mandate for black side 
fragmentation poses DoS vulnerabilities for receivers. Thus we may 
choose to allow (or recommend) red side fragmentation. If so, we need 
to be able to negotiate use of this capability on a per-SA basis, and 
to notify the receiver that NO black fragments should be accepted, 
because none will be sent on this SA.

As a separate matter, I had requested a few months ago that we allow 
IKE peers to negotiate use of groups other than the set defined in 
Oakley. I see that there is a provision to negotiate other choices 
for P, but not for G. I apologize for not noticing this sooner. I 
would like to see the negotiation made more general, so that both the 
generator as well as the exponent are values that peers can negotiate.

Thanks,

Steve
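The last paragraph asks that both the generator and the modulus be negotiable rather than only P. Once a peer can propose its own (p, g), the receiver has to validate what it is handed before exponentiating with it, and that is the part worth seeing in code. The following Python sketch is an added example, not part of Steve's message or of any IKE implementation. It assumes, as the Oakley MODP groups do, that p is a safe prime (q = (p-1)/2 also prime) and that g must generate the order-q subgroup; it also goes one step beyond the text by checking the peer's public value with the same subgroup test. The parameters p = 23, g = 2 are constructed toy values chosen so the arithmetic can be followed by hand; the function names are this example's own.

```python
"""Diffie-Hellman over peer-negotiated (p, g), with the checks a receiver
should run on values it did not choose itself.  Assumes p is a safe prime
and requires g to generate the subgroup of prime order q = (p - 1) // 2.
Toy parameters (p = 23, g = 2) are constructed for illustration."""
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a is a witness: n composite
    return True


def validate_group(p: int, g: int) -> bool:
    """Accept (p, g) only if p is a safe prime and g has order exactly q.

    A g of order 2q (a generator of the whole group) would still give a
    working exchange, but the Legendre symbol of the public value then
    leaks the low bit of the private exponent, so it is refused here."""
    if p < 5 or not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False
    if not 1 < g < p - 1:                      # rules out g = 1 and g = p - 1
        return False
    return pow(g, q, p) == 1


def validate_public(p: int, y: int) -> bool:
    """Reject a peer public value outside (1, p - 1) or outside the
    order-q subgroup.  With a safe prime the only other subgroups have
    order 1 or 2, so this is the complete small-subgroup check."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_exchange(p: int, g: int) -> Tuple[int, int]:
    """Run one exchange over the negotiated (p, g).  Both sides validate
    the group and the peer's public value before deriving a secret.
    Returns (initiator_secret, responder_secret); they must be equal."""
    if not validate_group(p, g):
        raise ValueError("rejected group parameters")
    q = (p - 1) // 2
    x_a = secrets.randbelow(q - 1) + 1         # initiator exponent in [1, q-1]
    x_b = secrets.randbelow(q - 1) + 1         # responder exponent in [1, q-1]
    y_a = pow(g, x_a, p)
    y_b = pow(g, x_b, p)
    if not (validate_public(p, y_b) and validate_public(p, y_a)):
        raise ValueError("rejected public value")
    return pow(y_b, x_a, p), pow(y_a, x_b, p)


if __name__ == "__main__":
    # Constructed toy group: 23 is a safe prime (q = 11) and 2 has order 11.
    print("group (23, 2) accepted:", validate_group(23, 2))
    # 5 generates the full group of order 22, so it is refused.
    print("group (23, 5) accepted:", validate_group(23, 5))
    k_a, k_b = dh_exchange(23, 2)
    print("shared secrets agree:", k_a == k_b)
```

The same two checks apply unchanged to the real 1024-bit and larger MODP groups; only the cost of the primality test grows. Negotiating g without a subgroup-order check would let a peer steer the exchange into a subgroup of its choosing, which is why the generator is validated rather than simply accepted.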