Scott Fluhrer (sfluhrer) writes:
> With your idea, there are three steps (and so the admin would update
> each node in the network twice):
>
> - Step 0 is "never use PPKs"; we're running the standard IKE protocol.
> - Step 1 is "if we're the initiator, then use PPKs if the responder
>   signaled support for it"
>   "if we're the responder, then signal support, and allow the use of PPKs"
> - Step 2 is "insist on PPKs (and also signal support if we're the responder)"
>
> The issue I was pondering was "what if the admin wants to update
> only part of their network (say, as a test)?". As I understood your
> proposal, the PPK_SUPPORT notify was always on if any PPKs were
> configured; indeed, from a responder side, it has to be that
> (because the responder has no other context to issue it or not).
> However, from an initiator standpoint, it knows who the responder is
> (or, at least, it has to; it's the one that selects which PPK to
> use); hence, from the initiator standpoint, the PPK_SUPPORT notify
> could mean "I have a PPK that I would like to use with you, are you
> willing?"

Yep.

> With that proviso, then partial upgrades of the network can work; if
> an initiator (in the upgraded portion) talks to a responder in a
> nonupgraded section (or in an independently upgraded section), it
> just notes it doesn't have a PPK, and so doesn't send the notify
> (and similarly, if it was the initiator who wasn't upgraded, the
> responder performs the standard IKE protocol, and when the responder
> gets the identity, it can verify whether or not it would have
> expected the initiator to be upgraded).
>
> So, how does that sound?

Looks good.
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
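The three-step rollout and the refined PPK_SUPPORT semantics agreed above can be checked as a small state machine. The following is an added example written for this page, not code from the thread, the draft or any IKE implementation: it exchanges no real IKE messages, the `Policy` enum, the node names and the outcome strings are illustrative, and the rule that a responder in step 2 treats "has a PPK configured for this initiator" as "expected the initiator to be upgraded" is an assumption made here to model the identity check the thread describes.

```python
"""Toy model of the PPK_SUPPORT negotiation discussed in the thread.

Constructed example: models the three admin steps (0/1/2) and the refined
notify semantics as pure Python.  No IKE packets are built; the names and
outcome strings are illustrative rather than protocol identifiers.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    NEVER = 0          # step 0: standard IKE, no PPK support at all
    OPPORTUNISTIC = 1  # step 1: use a PPK when the peer signals support
    MANDATORY = 2      # step 2: insist on a PPK


@dataclass
class Node:
    name: str
    policy: Policy
    # peer identity -> PPK shared with that peer (constructed key material)
    ppks: dict = field(default_factory=dict)


def initiator_sends_ppk_support(init: Node, responder_id: str) -> bool:
    """Refinement from the thread: the initiator knows who it is talking to,
    so its PPK_SUPPORT means 'I have a PPK I would like to use with *you*'."""
    return init.policy is not Policy.NEVER and responder_id in init.ppks


def responder_sends_ppk_support(resp: Node) -> bool:
    """The responder has no peer context when it answers IKE_SA_INIT, so it
    must signal whenever any PPK is configured at all."""
    return resp.policy is not Policy.NEVER and bool(resp.ppks)


def negotiate(init: Node, resp: Node) -> str:
    """Simulate one IKE SA setup and return how it ends:
    'ppk'         both sides use the shared PPK
    'plain'       standard IKE without a PPK
    'init_abort'  initiator insisted on a PPK it could not use here
    'resp_reject' responder refused (unknown PPK, or plain IKE from a peer
                  it expected to be upgraded)
    """
    init_notify = initiator_sends_ppk_support(init, resp.name)
    resp_notify = responder_sends_ppk_support(resp)

    if init_notify and resp_notify:
        # Both sides signalled; the responder still needs the matching key.
        # Assumption: no PPK for this initiator is a hard failure.
        if init.name not in resp.ppks:
            return "resp_reject"
        return "ppk"

    # At least one side did not signal, so no PPK can be used on this SA.
    if init.policy is Policy.MANDATORY:
        return "init_abort"

    # Standard IKE proceeds.  Once the initiator identity is known, the
    # responder checks whether it expected that peer to be upgraded.
    # Assumption: 'expected upgraded' == a PPK is configured for that peer
    # and the responder itself is in step 2.
    if resp.policy is Policy.MANDATORY and init.name in resp.ppks:
        return "resp_reject"
    return "plain"


def partial_upgrade_matrix() -> dict:
    """Mixed-upgrade scenarios from the thread: A and B share a PPK, C is
    a node that has not been upgraded yet."""
    k_ab = b"\x01" * 32  # constructed PPK shared by A and B
    a1 = Node("A", Policy.OPPORTUNISTIC, {"B": k_ab})
    b1 = Node("B", Policy.OPPORTUNISTIC, {"A": k_ab})
    a2 = Node("A", Policy.MANDATORY, {"B": k_ab})
    b2 = Node("B", Policy.MANDATORY, {"A": k_ab})
    c0 = Node("C", Policy.NEVER)
    a_lost_key = Node("A", Policy.OPPORTUNISTIC)  # upgraded, but no PPK for B
    return {
        "A1->B1": negotiate(a1, b1),  # ppk
        "A1->C0": negotiate(a1, c0),  # plain: A has no PPK for C, no notify
        "C0->B1": negotiate(c0, b1),  # plain: B did not expect C upgraded
        "A2->B1": negotiate(a2, b1),  # ppk: step 2 talking to step 1 works
        "A2->C0": negotiate(a2, c0),  # init_abort: step 2 insists on a PPK
        "C0->B2": negotiate(c0, b2),  # plain: B has no PPK for C
        "A?->B2": negotiate(a_lost_key, b2),  # resp_reject: B expected A upgraded
    }


if __name__ == "__main__":
    for case, outcome in partial_upgrade_matrix().items():
        print(f"{case}: {outcome}")
```

The matrix is the point of the example: with the initiator-side refinement, every mix of step 0 and step 1 nodes falls back to plain IKE, only a step 2 node ever aborts or rejects, and it does so precisely against the peers it was configured to expect a PPK from.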