
Re: [Ipsec] FW: Remaining issues for IKEv2



At 3:13 PM +0300 5/17/04, Tero Kivinen wrote:
>Anyways I can accept method #3 being SHOULD, MAY or even MUST, and
>Method #2 being MAY.

Certainly not a MUST; it really isn't needed for interoperability. It 
is quite conceivable that many systems would only want to work with 
ANY, and not need either #2 or #3.

>Our implementation has been using method #3 since year 1998, so there
>is some experience with that. I do not know if others do that, but my
>guess is that there are also other implementations doing the same. For the
>#2 there is no experience, as it does require OPAQUE support, thus there
>is no way to negotiate it in the IKEv1.
>
>The case #3 can simply be used without any prior negotiation or
>configuration, and if both ends support it then packets will go
>through.

But the negotiation is a pretty important part of #3. I see your 
point about wanting one of #2 or #3 to be a SHOULD, but I think it is 
still way too early to prefer one, and I think it's too early to 
guess that one will work better than the other.

It is appropriate when going from Proposed to Draft to change some of 
the requirements. Maybe leave both of these MAYs for now with the 
intention of upping one or both to SHOULD when the document advances.

>I can already say that #3 is feasible. If it is useful, that I cannot
>say, as most of the people do NOT use port selectors at all.

A very good reason to wait until there is more experience. I suspect 
that the new discussion in 2401bis will cause some developers to pay 
much more attention to this and possibly expose it more to their 
customers. The results of that (or the continued lack of interest) 
will be valuable.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec