I just reread the introduction of RFC 4945 and I don't understand its
purpose. So I'm not sure it should be referenced from 5996bis.
It is definitely not a "profile" in the sense that Tero is alluding to.
Tero's own "minimal IKEv2" is a profile for a specific use. RFC 4945
just attempts to fill in the holes (or perceived holes) in RFC 4306 and
PKIX docs wrt PKI use in IPsec. Which just happens to be the main use
case of IKE/IPsec!
Quoting: "This profile of the IKE and PKIX frameworks is intended to
provide an agreed-upon standard for using PKI technology in the context
of IPsec by profiling the PKIX framework for use with IKE and IPsec, and
by documenting the contents of the relevant IKE payloads and further
specifying their semantics."
Thanks,
Yaron
On 09/19/2013 02:45 PM, Tero Kivinen wrote:
Valery Smyslov writes:
And this is not the only contradiction between RFC5996 and RFC4945 -
the latter requires ID_IPV*_ADDR to match the source IP address of the IKE
packet by default, while the former explicitly allows not doing so
in any case.
[...]
Perhaps adding a reference to RFC4945 at the end of section 3.5,
Identification Payloads, in RFC5996bis?
Yes, and some explanation text about inconsistencies between the approaches
to match ID to certificate.
No. I do not think we need such text. RFC5996 text is for general
IKEv2 implementation. RFC4945 text is only for those implementations
which support that RFC, not for all IKEv2 implementations. RFC4945 is
supposed to be stricter than RFC5996.
If there is a case where RFC4945 requires operations which are not
allowed by RFC5996, then we do have an inconsistency.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec