[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] FW: Remaining issues for IKEv2

To: Stephen Kent <kent@bbn.com>
Subject: Re: [Ipsec] FW: Remaining issues for IKEv2
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Date: Thu, 20 May 2004 10:01:41 -0700
Cc: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org
In-reply-to: <p06100500bcd26cd36d87@[128.89.89.75]>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <F5F4EC6358916448A81370AF56F211A502B2F688@RED-MSG-51.redmond.corp.microsof t.com> <20040511180439.GE8839@thunk.org><p06100584bccc5e3ebaf5@[10.20.30.249]><16552.44133.542923.965806@fireball.kivinen.iki.fi><p06100553bccffc881204@[10.20.30.249]><16555.5046.667046.853895@fireball.kivinen.iki.fi><p06100585bcd125bb179f@[10.20.30.249]><p06100500bcd26cd36d87@[128.89.89.75]>
Sender: ipsec-admin@ietf.org

At 10:18 AM -0400 5/20/04, Stephen Kent wrote:
>At 7:56 AM -0700 5/19/04, Paul Hoffman / VPNC wrote:
>>At 10:58 AM +0300 5/19/04, Tero Kivinen wrote:
>>>One wierd thing it thas 4.4.1.1 says support for OPAQUE is MUST.
>>
>>Then that *needs* to be corrected in the next version of the draft.
>
>Support for the selector type in the SPD is trivial, and if we 
>mandate support for OPAQUE now, then we're set for later elevation 
>of one of these options to SHOULD from MAY, for example.

True, but I worry about mandating the ability for a 2401bis system to 
support a selector type when it doesn't support the mechanics that 
goes with the selector. It gets tricky in 2401bis because the new 
fragmentation ideas are spread throughout the document. We might just 
have to live with that.

>>>My preferred way would be #3 being SHOULD and #2 being MAY.
>>
>>That makes some sense too; it's just more adventurous than I would 
>>be with this protocol without a lot more support from other vendors.
>
>I agree with Tero that #3 as SHOULD is appropriate. My only concern 
>re #3, as Ted noted earlier, is that it imposes an unacceptable 
>burden on high speed implementations. Thus, if #3 is SHOULD, then I 
>think it would be legitimate for such implementations to not support 
>it (consistent with the interpretation of SHOULD).

Agree. Not following a SHOULD because you know that you won't be able 
to consistently figure out where the fragment would go is perfectly 
legitimate.

>   I would like these implementations to support #2 in that case. A 
>statement that an implementation SHOULD support either #2 or #3 
>might be one way of expressing this notion.

A very good suggestion. The paragraph currently at the end of page 49 
could be changed from:
     To address the above requirements, three approaches have been
     defined:
To:
     To address the above requirements, three approaches have been
     defined. Implementations MUST support method #1 below, and SHOULD
     support method #2 or method #3 (or both).

Editorial suggestion: breaking out the three proposals as subsections 
(7.1, 7.2, 7.3) would make it easier to read, particularly if you add 
more text to them.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Stephen Kent <kent@bbn.com>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Tero Kivinen <kivinen@iki.fi>

References:
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: "Theodore Ts'o" <tytso@MIT.EDU>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: [Ipsec] FW: Remaining issues for IKEv2
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: [Ipsec] FW: Remaining issues for IKEv2
Next by Date: Re: [Ipsec] FW: Remaining issues for IKEv2
Previous by thread: Re: [Ipsec] FW: Remaining issues for IKEv2
Next by thread: Re: [Ipsec] FW: Remaining issues for IKEv2
Index(es):
- Date
- Thread