
Re: [Ipsec] FW: Remaining issues for IKEv2



At 2:04 PM -0400 5/11/04, Theodore Ts'o wrote:
>Before anyone points this out, I agree that it's unfortunate that we
>have had to settle for documenting multiple approaches to handling
>fragmentation, since this represents an unfortunate complication of
>the standard.

Exactly right.

>So what do people think of the following
>formulation:
>
>	Which of the following requirements would you be willing to live with?
>	(You may select more than one):
>
>	A)  Method #2 (fragments to a separate SA) is a MUST
>	B)  Method #3 (stateful fragment inspection) is a MUST
>	C)  Both #2 and #3 is a SHOULD
>	D)  Method #2 is a MAY, Method #3 is a SHOULD
>	E)  Method #3 is a SHOULD, May #2 is a MAY
>
>As I mentioned, there seemed to be some rough consensus over D: #2
>as MAY, #3 as SHOULD, but it was by no means unanimous.

There is a more logical choice, which would be:
	F)  Method #2 is a MAY, and Method #3 is a MAY

We don't need another MUST or SHOULD to aid interoperability, since 
we already have a MUST for #1. We have zero experience with these new 
proposals for how to deal with fragmentation. Neither proposal should 
be even a SHOULD in 2401bis.

It is likely that some vendors will support one and/or the other in 
2401bis deployments, and after they do, we will have a better idea 
about whether either is feasible and useful in real implementations; 
we can use that experience in changing the requirements levels in 
2401bisbis. Until then, they should both be limited to MAY, 
indicating no preference for either from the specification.

--Paul Hoffman, Director
--VPN Consortium
