Paul Hoffman wrote: 
>
> >IOW it's up to the initiator whether or not to do PFS, and both 
> >configurations are OK to use the suite name.
> 
> That was my intention in RFC 4308; I cannot speak for the 
> authors of RFC 4869.

You can't speak for them, but Scott has to figure it out.

> >As for lifetimes, at least our implementation has a separate 
> >configuration for it.
> >Lifetimes in IKEv1 are negotiated, so I don't believe it's 
> >necessary to actually specify it in the RFC.
> 
> Fully disagree. "Negotiated" in IKEv1 is the wrong word: the 
> responder either accepts what the initiator says, or stops. 
> Most IKEv1 systems require that lifetimes match exactly; 
> that's why I had to include section 2.3 in RFC 4308. Having 
> said that, it is fine for a profile not to list lifetimes 
> explicitly; it just means that the two sides still have to 
> agree to lifetimes out-of-band.

Not necessary at all. The RESPONDER-LIFETIME notification described in section 
4.6.3.1 of RFC 2407 allows for a negotiation of the SA lifetime. True, section 
4.5.4 says you may also fail the negotiation or stop using the SA prematurely, 
but that would be the wrong implementation choice.
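Added illustration (not part of the thread): a small model of the three choices RFC 2407 section 4.5.4 gives an IKEv1 responder whose policy lifetime is shorter than the initiator's offer, showing which one leaves both peers enforcing the same lifetime without out-of-band agreement. The notify type and attribute constants are from RFC 2407; the mode names and the Outcome record are assumptions for this model, and the on-the-wire encoding is left out.

```python
"""Model of an IKEv1 responder's handling of an offered SA lifetime (RFC 2407 4.5.4)."""
from dataclasses import dataclass
from typing import Optional

RESPONDER_LIFETIME = 24576      # IPSEC DOI notify message type, RFC 2407 sec. 4.6.3
LIFE_TYPE_SECONDS = 1           # SA Life Type attribute value "seconds", RFC 2407 sec. 4.5

# Hypothetical mode names for the three options RFC 2407 sec. 4.5.4 describes.
STRICT = "fail-negotiation"      # reject unless the offer fits local policy
EXPIRE_EARLY = "expire-early"    # accept the offer, silently rekey/delete sooner
NOTIFY = "responder-lifetime"    # accept and send RESPONDER-LIFETIME with the shorter value


@dataclass
class Outcome:
    accepted: bool
    responder_seconds: Optional[int]   # lifetime the responder will actually enforce
    initiator_seconds: Optional[int]   # lifetime the initiator believes was agreed
    notify_type: Optional[int]         # notify sent back to the initiator, if any
    notify_attrs: Optional[dict]       # SA attributes carried in that notify


def responder_decide(offered_seconds: int, policy_seconds: int, mode: str) -> Outcome:
    """Return how a responder in the given mode treats an initiator's lifetime offer."""
    if offered_seconds <= policy_seconds:
        # Offer is within policy: every implementation simply accepts it as-is.
        return Outcome(True, offered_seconds, offered_seconds, None, None)
    if mode == STRICT:
        # The behaviour Paul describes: lifetimes must match, otherwise the exchange fails.
        return Outcome(False, None, None, None, None)
    if mode == EXPIRE_EARLY:
        # Responder enforces its own lifetime but never tells the initiator.
        return Outcome(True, policy_seconds, offered_seconds, None, None)
    if mode == NOTIFY:
        # RESPONDER-LIFETIME carries the responder's lifetime attributes (sec. 4.6.3.1).
        attrs = {"life_type": LIFE_TYPE_SECONDS, "life_duration": policy_seconds}
        return Outcome(True, policy_seconds, policy_seconds, RESPONDER_LIFETIME, attrs)
    raise ValueError(f"unknown mode {mode!r}")


def lifetimes_agree(outcome: Outcome) -> bool:
    """True when the SA came up and both peers will enforce the same lifetime."""
    return outcome.accepted and outcome.responder_seconds == outcome.initiator_seconds
```

Only the RESPONDER-LIFETIME path both brings the SA up and leaves the peers in agreement; the expire-early path works but leaves the initiator expecting a longer lifetime than the responder will honour.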

Email secured by Check Point
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
