Yoav Nir writes:

> I guess the best thing is to do as in RFC 4308:
> "...The initiator of this exchange MAY include a new Diffie-Hellman key; if it is included, it MUST be of type..."

That makes sense philosophically, but I would like to get the RFC updated or clarified rather than assume that.

> As for lifetimes, at least our implementation has a separate configuration for it.
> Lifetimes in IKEv1 are negotiated, so I don't believe it's necessary to actually
> specify it in the RFC.

But that equivocates on the notion of what constitutes a "suite" when compared to RFC 4308, and it also doesn't make sense considering that lifetime and lifesize are represented alongside algorithm choice in the IKEv1 proposal. So this creates problems for implementations like ours (unlike yours) that take the natural approach of including lifetime and lifesize in their notion of a reusable suite object. We now must implement some sort of partially-defined suite object as a kind of abstract class that leaves the lifetime and lifesize undefined. That's not an elegant approach to work around what I am hoping is just an oversight in the RFC.

Scott Moonen ([email protected])
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen

From: Yoav Nir <[email protected]>
To: Scott C Moonen/Raleigh/i...@ibmus, "[email protected]" <[email protected]>
Date: 05/13/2009 04:53 PM
Subject: RE: [IPsec] RFC 4869 questions

Scott C Moonen wrote:

> I'm reviewing RFC 4869 and it seems to under-specify the attributes that
> are needed to achieve real interoperability: it doesn't specify whether to
> do a phase 2 Diffie-Hellman exchange for perfect forward secrecy, nor
> does it specify IKEv1 lifetime and lifesize values. So I am left having to
> guess at what are appropriate values to use for these attributes. And
> once I do choose particular values for PFS and lifesize, is it still correct
> for me to use the RFC's suite names in reference to them?

Interesting. I hadn't noticed that.

I guess the best thing is to do as in RFC 4308: "...The initiator of this exchange MAY include a new Diffie-Hellman key; if it is included, it MUST be of type..." IOW it's up to the initiator whether or not to do PFS, and both configurations are OK to use the suite name.

As for lifetimes, at least our implementation has a separate configuration for it. Lifetimes in IKEv1 are negotiated, so I don't believe it's necessary to actually specify it in the RFC.

But you are right. Especially since this is a follow-up to RFC 4869, they should have included these parameters.
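As an added illustration of the two approaches discussed in this thread (this is example code, not from the thread or from either implementation mentioned), the Python below models the "partially-defined suite" Scott describes: the suite template carries only the algorithm choices a suite RFC fixes, while PFS and lifetime/lifesize come from local policy and are bound in at proposal time. The suite name, algorithm strings and group number in EXAMPLE_SUITE are constructed placeholders, not values from RFC 4869; the reading of "MUST be of type" as "the suite's own IKE DH group" and the min() lifetime rule are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SuiteTemplate:
    """What a suite RFC pins down for a named suite: algorithm choices only."""
    name: str
    esp_encr: str
    ike_encr: str
    ike_prf: str
    ike_dh_group: int


@dataclass(frozen=True)
class LocalPolicy:
    """What the RFC leaves open and local configuration must supply."""
    pfs: bool
    lifetime_seconds: int
    lifesize_kb: Optional[int] = None  # None means no byte-count limit


@dataclass(frozen=True)
class Phase2Proposal:
    """A fully specified phase 2 proposal, ready to put on the wire."""
    suite_name: str
    esp_encr: str
    pfs_group: Optional[int]  # None means no phase 2 Diffie-Hellman exchange
    lifetime_seconds: int
    lifesize_kb: Optional[int]


# Constructed example template; these values are placeholders, not RFC 4869's.
EXAMPLE_SUITE = SuiteTemplate(
    name="EXAMPLE-SUITE",
    esp_encr="example-aead-128",
    ike_encr="example-cbc-128",
    ike_prf="example-prf",
    ike_dh_group=19,
)


def complete_suite(template: SuiteTemplate, policy: LocalPolicy) -> Phase2Proposal:
    """Bind the RFC-fixed template to local policy to get a concrete proposal.

    PFS follows the RFC 4308 wording quoted in the thread: the phase 2 DH key
    is optional, and when present its group is the suite's own group.
    (Assumption: "of type" is read as the suite's IKE DH group.)
    """
    if policy.lifetime_seconds <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    if policy.lifesize_kb is not None and policy.lifesize_kb <= 0:
        raise ValueError("lifesize, when set, must be positive")
    return Phase2Proposal(
        suite_name=template.name,
        esp_encr=template.esp_encr,
        pfs_group=template.ike_dh_group if policy.pfs else None,
        lifetime_seconds=policy.lifetime_seconds,
        lifesize_kb=policy.lifesize_kb,
    )


def proposal_matches_suite(proposal: Phase2Proposal, template: SuiteTemplate) -> bool:
    """True when a proposal may carry the suite name.

    Algorithms must match the template; PFS may be absent or use the suite's
    own group; lifetime and lifesize are local policy and are not checked,
    so two peers configured differently still agree on the suite name.
    """
    if proposal.suite_name != template.name or proposal.esp_encr != template.esp_encr:
        return False
    return proposal.pfs_group in (None, template.ike_dh_group)


def negotiate_lifetime(proposed_seconds: int, local_max_seconds: int) -> int:
    """Responder-side lifetime handling (an assumption of this example, not
    RFC text): accept the initiator's value unless it exceeds the local
    maximum, in which case the shorter local value is used."""
    return min(proposed_seconds, local_max_seconds)


if __name__ == "__main__":
    strict = complete_suite(EXAMPLE_SUITE, LocalPolicy(pfs=True, lifetime_seconds=3600, lifesize_kb=100_000))
    lax = complete_suite(EXAMPLE_SUITE, LocalPolicy(pfs=False, lifetime_seconds=28800))
    print(strict, lax, sep="\n")
    print("both may use the suite name:",
          proposal_matches_suite(strict, EXAMPLE_SUITE) and proposal_matches_suite(lax, EXAMPLE_SUITE))
```

The split makes the ambiguity explicit in the types: everything in SuiteTemplate is interoperability-relevant and comes from the RFC, everything in LocalPolicy is what an administrator still has to decide, and proposal_matches_suite is the one place where the rule "PFS is optional but must use the suite's group" is enforced.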
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
