Pekka, > > : This new method will be negotiated using the Notify Payloads in the > : IKE_SA_INIT, and those same payloads can be used to indicate the > : supported hash algoritms. > : > Why is the notify needed? Why can't the new method be like old methods? > If remote doesn't support the new authentication method, authentication > will fail. If it doesn't support the algorithm in the OID, authentication > will fail. Why does the hash algorithm have to be negotiated? Why the > extra complexity? And peer will indicate that it supports the new method > simply by using that method in the Auth payload. What's the use case I'm > missing here?
I think we have to distinguish two aspects: negotiation of the general auth method (old or new) and negotiation of the hash algorithm. Regarding the negotiation of the hash algorithm: If there is no intersection between the sets of hash algorithms supported by the peers, failure is inevitable. But in case that there is an intersection, the negotiation allows to agree on it. -- Johannes _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
