
Re: [Ipsec] FW: Remaining issues for IKEv2



Paul Hoffman / VPNC writes:
> >	Which of the following requirements would you be willing to live with?
> >	(You may select more than one):
> >
> >	B)  Method #3 (stateful fragment inspection) is a MUST
> >	D)  Method #2 is a MAY, Method #3 is a SHOULD
> >	E)  Method #3 is a SHOULD, Method #2 is a MAY

What is the difference between D and E? Should E be "Method #2 is a
SHOULD and Method #3 is a MAY"?

Anyway, I can accept Method #3 being a SHOULD, MAY or even MUST, and
Method #2 being a MAY.

> 	F)  Method #2 is a MAY, and Method #3 is a MAY

Which is to say we do not have any preferred method for fragments when
using port selectors. I would really like to have one method SHOULD
(and that being method #3).

> We don't need another MUST or SHOULD to aid interoperability, since 
> we already have a MUST for #1. We have zero experience with these new 
> proposals for how to deal with fragmentation. Neither proposal should 
> be even a SHOULD in 2401bis.

Our implementation has been using Method #3 since 1998, so there is
some experience with that. I do not know if others do that, but my
guess is that there are also other implementations doing the same. For
#2 there is no experience, as it does require OPAQUE support, thus there
is no way to negotiate it in IKEv1.

Case #3 can simply be used without any prior negotiation or
configuration, and if both ends support it then packets will go
through.

> It is likely that some vendors will support one and/or the other in 
> 2401bis deployments, and after they do, we will have a better idea 
> about whether either is feasible and useful in real implementations; 
> we can use that experience in changing the requirements levels in 
> 2401bisbis. Until then, they should both be limited to MAY, 
> indicating no preference for either from the specification.

I can already say that #3 is feasible. Whether it is useful, I cannot
say, as most people do NOT use port selectors at all.
-- 
kivinen@safenet-inc.com
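To make concrete what Method #3 (stateful fragment inspection for SAs with port selectors) has to do, here is a small added example that is not part of this thread or of any vendor's code: the selector table, the fragment stream and the `Frag` type are constructed for the demonstration, and a real implementation would also expire state entries on a timer and decide how to treat out-of-order fragments that arrive before the initial one (this version simply drops them).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Frag:
    """One IP fragment. The port is only visible in the initial fragment (offset 0)."""
    src: str
    dst: str
    proto: int
    ipid: int
    offset: int          # fragment offset; 0 means the transport header is present
    more: bool           # More Fragments flag
    dport: Optional[int] = None

# Constructed selector table (hypothetical SAs): src range, dst, proto, dst port.
SELECTORS = [
    ("sa-ssh", "10.0.0.0/24", "192.0.2.10", 6, 22),
    ("sa-web", "10.0.0.0/24", "192.0.2.10", 6, 443),
]

class StatefulFragmentChecker:
    """Learn the SA from the initial fragment, apply it to later fragments of that datagram."""
    def __init__(self, selectors):
        self.selectors = selectors
        self.state = {}  # (src, dst, proto, ipid) -> SA name, live while fragments are outstanding

    def _match_initial(self, f: Frag) -> Optional[str]:
        for name, src_net, dst, proto, dport in self.selectors:
            if (ip_address(f.src) in ip_network(src_net) and f.dst == dst
                    and f.proto == proto and f.dport == dport):
                return name
        return None

    def classify(self, f: Frag) -> str:
        key = (f.src, f.dst, f.proto, f.ipid)
        if f.offset == 0:
            sa = self._match_initial(f)
            if sa is None:
                return "DROP"
            if f.more:                 # remember the SA only if more fragments follow
                self.state[key] = sa
            return sa
        sa = self.state.get(key)
        if sa is None:                 # no initial fragment seen for this datagram: reject
            return "DROP"
        if not f.more:                 # last fragment arrived: release the state
            del self.state[key]
        return sa

def run_sample() -> list:
    """Constructed stream: a fragmented SSH packet, a stray fragment, an unmatched packet."""
    stream = [
        Frag("10.0.0.5", "192.0.2.10", 6, 0x1234, 0, True, dport=22),
        Frag("10.0.0.5", "192.0.2.10", 6, 0x1234, 185, True),
        Frag("10.0.0.5", "192.0.2.10", 6, 0x1234, 370, False),
        Frag("10.0.0.5", "192.0.2.10", 6, 0x9999, 185, False),         # no initial fragment seen
        Frag("10.0.0.5", "192.0.2.10", 6, 0x4444, 0, False, dport=8080),  # no matching SA
    ]
    checker = StatefulFragmentChecker(SELECTORS)
    return [checker.classify(f) for f in stream]
```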

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec