> > I'd rather add a type field to ppk_id. So the ppk_id is constructed
> > of 2 fields: type and value. Types could be:
> > 1. raw id
> > 2. OTF file offset
> > 3. PPK dependent id
> > ...
> >
> > For the 3rd option the ppk_id is constructed using the PPK
> > itself and session parameters, e.g. ppk_id = prf(PPK, Ni | Nr).
> > This would allow the responder to check whether PPK is correct
> > before verifying AUTH payload.
> >
> > In general, having a type value would simplify PPK management in case
> > a host has PPKs of different types and needs to look them up
> > in different storages.
>
> That is one possibility. Should the type be 8-bit or 16-bit?

8 bits seems enough, but I'd rather use 16 bits so that we (hopefully)
never run out of available values.

> I assume the registry itself should be an IANA registry with designated expert
> review or something like that.

Sure.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
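
The typed ppk_id discussed in this thread, as an added example that is not part of the original messages or of any draft: a 16-bit type followed by a value, with the PPK-dependent form `prf(PPK, Ni | Nr)` checked by the responder before AUTH. The numeric type codes (taken from the list order above), HMAC-SHA256 as the prf, and all function and store names are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed type codes, taken from the list order in the thread; no registry exists.
PPK_ID_RAW, PPK_ID_FILE_OFFSET, PPK_ID_DERIVED = 1, 2, 3


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in prf (assumption): HMAC-SHA256 instead of the negotiated IKEv2 prf.
    return hmac.new(key, data, hashlib.sha256).digest()


def encode_ppk_id(id_type: int, value: bytes) -> bytes:
    # 16-bit type in network byte order, then the type-specific value.
    return struct.pack("!H", id_type) + value


def decode_ppk_id(blob: bytes) -> tuple[int, bytes]:
    if len(blob) < 2:
        raise ValueError("ppk_id is shorter than its 16-bit type field")
    return struct.unpack("!H", blob[:2])[0], blob[2:]


def derived_ppk_id(ppk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Option 3 from the thread: ppk_id = prf(PPK, Ni | Nr).
    return encode_ppk_id(PPK_ID_DERIVED, prf(ppk, ni + nr))


def responder_lookup(blob, ni, nr, raw_store, derived_store):
    """Pick the PPK named by ppk_id, or None, before AUTH is verified."""
    id_type, value = decode_ppk_id(blob)
    if id_type == PPK_ID_RAW:
        return raw_store.get(value)          # dict: raw id -> PPK
    if id_type == PPK_ID_DERIVED:
        match = None
        for ppk in derived_store:            # no index: try every candidate
            if hmac.compare_digest(prf(ppk, ni + nr), value):
                match = ppk
        return match
    return None                              # file-offset and unknown types: not handled


if __name__ == "__main__":
    ni, nr = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    ppk = b"constructed-sample-ppk"
    blob = derived_ppk_id(ppk, ni, nr)
    print(blob.hex(), responder_lookup(blob, ni, nr, {}, [ppk]) == ppk)
```

Because the derived identifier changes with every Ni/Nr pair, the responder cannot index it and has to recompute the prf for each candidate PPK, which is the cost of detecting a wrong PPK before AUTH.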