At 9:45 AM -0700 3/12/09, Keith Welter wrote:
>Thanks Paul.  I have a couple follow-up questions.  
>
>First, I don't see where the following IP validation check described in 
>section 3.1.1 for IKEv1 is specified for IKEv2:
>"In addition, implementations MUST be capable of verifying that the address 
>contained in the ID is the same as the peer source address, contained in the 
>outer most IP header."
>
>Though that particular check is not required for IKEv2, I assume it would be 
>acceptable for an implementation to support such a check for IKEv2.  Is that 
>correct?

Of course. Implementations can add as many checks as they want.

>Second, section 4.2.1 refers to section 3.2.3:
>"IKEv2 does not support Certificate Payload sizes over approximately 64K.  See 
>Section 3.2.3 for the problems this can cause."
>
>Does that mean section 3.2.3 applies to IKEv2?

Yes, by reference.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
