
Issue #46 Proposed change: no need for iterated processing



The msg130 says:
----------------------------------------------------------------------
Description:	There is no mandate to support nested SAs or SA bundles.
		It would be easy to include support for the simple
		AH+ESP combination that IKEv1 was able to negotiate, and
		that 2401 mandates, if that combination is still viewed
		as needed. However, IKEv1 was not able to negotiate any
		other nested protocol combinations and IKEv2 does not
		support negotiation of SA bundles.
----------------------------------------------------------------------

Actually, IKEv2 can negotiate exactly the same AH, ESP and AH+ESP
combinations as IKEv1 (and also IPComp). The Security Association
payload contains a list of proposal substructures, and each proposal
substructure has a protocol ID and a proposal #, which indicate whether
this is an "AND" or an "OR" between the protocols.

I do not know whether that actually affects the text described in issue
46, as it only changes the actual implementation issues, but there is a
way to negotiate AH+ESP in IKEv2 too...
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
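The AND/OR semantics of the proposal # field described above, shown as a small parser over a constructed IKEv2 SA payload body (an added example, not code from the message author or from the SSH toolkit). It assumes the draft-era proposal substructure layout (last/more octet, reserved octet, 16-bit proposal length, proposal #, protocol ID, SPI size, transform count, SPI) and the protocol ID values 2 = AH and 3 = ESP; transform substructures are skipped using the proposal length.

```python
import struct

# Assumed protocol ID values from the IKEv2 proposal substructure.
PROTO_NAMES = {1: "IKE", 2: "AH", 3: "ESP"}
HDR = "!BBHBBBB"  # more, reserved, length, proposal #, protocol ID, SPI size, # transforms

def parse_proposals(sa_body: bytes):
    """Return (proposal_num, protocol_id, spi) tuples from an SA payload body.

    Validates the last/more chaining octet, the proposal length against the
    buffer, and the rule that proposal numbers start at 1 and each later one
    is either equal to (AND) or one more than (OR) its predecessor.
    """
    proposals, off, more, prev = [], 0, 0, 0
    while off < len(sa_body):
        if len(sa_body) - off < 8:
            raise ValueError("truncated proposal header")
        more, _, plen, pnum, proto, spi_size, _ = struct.unpack_from(HDR, sa_body, off)
        if more not in (0, 2):
            raise ValueError(f"bad last/more indicator {more}")
        if plen < 8 + spi_size or off + plen > len(sa_body):
            raise ValueError("proposal length inconsistent with payload")
        if pnum not in (prev, prev + 1) or pnum == 0:
            raise ValueError(f"proposal # {pnum} out of sequence after {prev}")
        proposals.append((pnum, proto, sa_body[off + 8:off + 8 + spi_size]))
        prev, off = pnum, off + plen
        if more == 0 and off != len(sa_body):
            raise ValueError("trailing data after last proposal")
    if proposals and more != 0:
        raise ValueError("final proposal not marked as last")
    return proposals

def group_alternatives(proposals):
    """Proposals sharing a number are ANDed (e.g. an AH+ESP bundle);
    distinct numbers are OR alternatives. Returns one tuple per alternative."""
    alts = {}
    for pnum, proto, _ in proposals:
        alts.setdefault(pnum, []).append(PROTO_NAMES.get(proto, f"proto{proto}"))
    return [tuple(names) for _, names in sorted(alts.items())]

def build_proposal(more, pnum, proto, spi):
    """Encode a transform-less proposal header plus SPI (constructed sample only)."""
    return struct.pack(HDR, more, 0, 8 + len(spi), pnum, proto, len(spi), 0) + spi

# Constructed sample: proposal 1 = AH AND ESP, proposal 2 = ESP alone.
SAMPLE_SA = (build_proposal(2, 1, 2, b"\x00\x00\x00\x01")
             + build_proposal(2, 1, 3, b"\x00\x00\x00\x02")
             + build_proposal(0, 2, 3, b"\x00\x00\x00\x03"))

if __name__ == "__main__":
    print(group_alternatives(parse_proposals(SAMPLE_SA)))  # [('AH', 'ESP'), ('ESP',)]
```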