Re: [Ipsec] FW: Remaining issues for IKEv2
Paul Hoffman / VPNC writes:
> > Which of the following requirements would you be willing to live with?
> > (You may select more than one):
> >
> > B) Method #3 (stateful fragment inspection) is a MUST
> > D) Method #2 is a MAY, Method #3 is a SHOULD
> > E) Method #3 is a SHOULD, May #2 is a MAY

What is the difference between D and E? Should the E be "Method #2 is
SHOULD and Method #3 is a MAY"?

Anyways I can accept method #3 being SHOULD, MAY or even MUST, and
Method #2 being MAY.

> F) Method #2 is a MAY, and Method #3 is a MAY

Which is to say we do not have any preferred method for fragments when
using port selectors. I would really like to have one method SHOULD
(and that being method #3).

> We don't need another MUST or SHOULD to aid interoperability, since
> we already have a MUST for #1. We have zero experience with these new
> proposals for how to deal with fragmentation. Neither proposal should
> be even a SHOULD in 2401bis.

Our implementation has been using method #3 since year 1998, so there
is some experience with that. I do not know if others do that, but my
guess is that there are also other implementations doing the same. For the
#2 there is no experience, as it does require OPAQUE support, thus there
is no way to negotiate it in the IKEv1.

The case #3 can simply be used without any prior negotiation or
configuration, and if both ends support it then packets will go
through.

> It is likely that some vendors will support one and/or the other in
> 2401bis deployments, and after they do, we will have a better idea
> about whether either is feasible and useful in real implementations;
> we can use that experience in changing the requirements levels in
> 2401bisbis. Until then, they should both be limited to MAY,
> indicating no preference for either from the specification.

I can already say that #3 is feasible. If it is useful, that I cannot
say, as most of the people do NOT use port selectors at all.
--
kivinen@safenet-inc.com