Hi Scott,

> The issue I was pondering was "what if the admin wants to update only part of their network (say, as a test)?". As I understood your proposal, the PPK_SUPPORT notify was always on if any PPKs were configured; indeed, from a responder side, it has to be that (because the responder has no other context to issue it or not). However, from an initiator standpoint, it knows who the responder is (or, at least, it has to; it's the one that selects which PPK to use); hence, from the initiator standpoint, the PPK_SUPPORT notify could mean "I have a PPK that I would like to use with you, are you willing?"
>
> With that proviso, then partial upgrades of the network can work; if an initiator (in the upgraded portion) talks to a responder in a non-upgraded section (or in an independently upgraded section), it just notes it doesn't have a PPK, and so doesn't send the notify (and similarly, if it was the initiator who wasn't upgraded, the responder performs the standard IKE protocol, and when the responder gets the identity, it can verify whether or not it would have expected the initiator to be upgraded).
>
> So, how does that sound?
Indeed, this is a reasonable scenario.

Regards,
Valery.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
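The partial-upgrade negotiation described in the quoted message, written out as a small policy model (an added example, not code from the thread or from any IKEv2 implementation): the initiator sends PPK_SUPPORT only when it holds a PPK for that particular responder, the responder echoes it whenever it has any PPK configured, and the responder applies its "did I expect this initiator to be upgraded?" check once the identity arrives in IKE_AUTH. The `Peer` configuration, the `require_ppk_from` policy set, the outcome strings and the sample network are all constructed for illustration; no key derivation is modelled, and the notify name follows the draft name used in the thread (the published RFC 8784 calls it USE_PPK).

```python
"""Constructed model of PPK negotiation policy in a partially upgraded network.

Not an IKEv2 implementation: it only models which side sends the notify,
what the responder can decide at each stage, and what the outcome is.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PPK_SUPPORT = "PPK_SUPPORT"  # draft notify name as used in the thread


@dataclass
class Peer:
    """Per-node PPK configuration (constructed for this example)."""
    name: str
    # peer name -> (PPK id, PPK value); an empty dict means "not upgraded"
    ppks: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)
    # peers this node's policy expects to be upgraded (PPK mandatory)
    require_ppk_from: Set[str] = field(default_factory=set)

    @property
    def upgraded(self) -> bool:
        return bool(self.ppks)


def initiator_sa_init(init: Peer, responder_name: str) -> Set[str]:
    """Notifies the initiator puts in IKE_SA_INIT.

    The initiator knows who it is talking to, so it sends PPK_SUPPORT only
    when it actually has a PPK for this responder; otherwise it falls back
    to standard IKE without any signalling.
    """
    return {PPK_SUPPORT} if responder_name in init.ppks else set()


def responder_sa_init(resp: Peer, init_notifies: Set[str]) -> Set[str]:
    """Notifies the responder puts in its IKE_SA_INIT reply.

    At this stage the responder has no initiator identity, so its only
    possible rule is "echo PPK_SUPPORT if I have any PPK at all".  A
    non-upgraded responder simply ignores the unknown status notify.
    """
    if resp.upgraded and PPK_SUPPORT in init_notifies:
        return {PPK_SUPPORT}
    return set()


def responder_ike_auth(resp: Peer, init_name: str,
                       ppk_negotiated: bool, ppk_id: Optional[str]) -> str:
    """Responder decision once the initiator identity is known.

    Returns "ppk" (PPK in use), "legacy" (standard IKE accepted) or
    "reject" (policy violation or unknown PPK id).
    """
    if not ppk_negotiated:
        # Standard IKE is fine unless policy says this initiator must be upgraded.
        return "reject" if init_name in resp.require_ppk_from else "legacy"
    entry = resp.ppks.get(init_name)
    if entry is None or entry[0] != ppk_id:
        return "reject"  # no PPK for this initiator, or a stale/mismatched id
    return "ppk"


def run_exchange(init: Peer, resp: Peer) -> str:
    """Drive both sides through IKE_SA_INIT and IKE_AUTH; return the outcome."""
    init_notifies = initiator_sa_init(init, resp.name)
    resp_notifies = responder_sa_init(resp, init_notifies)
    negotiated = PPK_SUPPORT in init_notifies and PPK_SUPPORT in resp_notifies
    if PPK_SUPPORT in init_notifies and not negotiated \
            and resp.name in init.require_ppk_from:
        return "reject"  # initiator policy insisted on a PPK with this responder
    ppk_id = init.ppks[resp.name][0] if negotiated else None
    return responder_ike_auth(resp, init.name, negotiated, ppk_id)


def demo() -> Dict[str, str]:
    """Constructed network: A and B upgraded and sharing a PPK, C not upgraded."""
    key = b"\x11" * 32  # constructed PPK value, never used for derivation here
    a = Peer("A", ppks={"B": ("ppk-ab", key)})
    b = Peer("B", ppks={"A": ("ppk-ab", key)}, require_ppk_from={"A"})
    c = Peer("C")                                        # non-upgraded section
    a_stale = Peer("A")                                  # A before its upgrade
    a_wrong = Peer("A", ppks={"B": ("ppk-old", key)})    # stale PPK id on A
    return {
        "A->B": run_exchange(a, b),                 # both upgraded: PPK used
        "A->C": run_exchange(a, c),                 # no PPK for C: silent fallback
        "C->B": run_exchange(c, b),                 # B does not require C: legacy
        "C->A": run_exchange(c, a),                 # A requires nobody: legacy
        "A(stale)->B": run_exchange(a_stale, b),    # B expected A upgraded: reject
        "A(wrong id)->B": run_exchange(a_wrong, b), # PPK id mismatch: reject
    }


if __name__ == "__main__":
    for pair, outcome in demo().items():
        print(f"{pair:16} {outcome}")
```

The `require_ppk_from` set is what turns the responder's identity check into a usable control: a node in the upgraded portion lists the peers it expects to have been upgraded, so a downgrade to plain IKE from one of those peers is rejected instead of silently accepted, while peers in the not-yet-upgraded portion keep working.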
