Hi Paul,

> >> For the 3rd option the ppk_id is constructed using the PPK
> >> itself and session parameters, e.g. ppk_id = prf(PPK, Ni | Nr).
> >> This would allow the responder to check whether the PPK is correct
> >> before verifying the AUTH payload.
> >>
> >> In general, having a type value would simplify PPK management in case
> >> a host has PPKs of different types and needs to look them up
> >> in different storages.
> >
> > That is one possibility. Should the type be 8-bit or 16-bit? I assume
> > the registry itself should be an IANA registry with designated expert
> > review or something like that.
>
> I wouldn't want to broadcast my type of PPK used in IKE_INIT or
> IKE_AUTH, as an active attacker could then learn this information.

She could learn a lot more useful information: your identity, traffic selectors, the authentication method you are using, your certificates, the Configuration Attributes you request, the IKE features you support, etc. Among all this, the type of PPK is not very interesting. Use type "opaque" if you are paranoid about that.

> Paul

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
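As an added illustration of the prf-based ppk_id option discussed in the thread (example code written for this page, not from the IPsec mailing list or from any IKEv2 implementation): the initiator derives ppk_id = prf(PPK, Ni | Nr), and the responder recognises which of its stored PPKs the peer used, and whether the PPK matches at all, before it ever reaches AUTH verification. HMAC-SHA256 is assumed as the prf, and the PPK values, store names and nonces are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: HMAC-SHA256 stands in for the negotiated IKEv2 prf.
def ppk_id(ppk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Return ppk_id = prf(PPK, Ni | Nr) as described in the thread."""
    return hmac.new(ppk, ni + nr, hashlib.sha256).digest()


def lookup_ppk(store: Dict[str, bytes], received_id: bytes,
               ni: bytes, nr: bytes) -> Optional[str]:
    """Responder side: find the PPK whose session-bound id matches.

    Every candidate is tried so the work done does not depend on which
    entry (if any) matches, and compare_digest avoids leaking the match
    position through early-exit string comparison timing.
    """
    found: Optional[str] = None
    for name, candidate in store.items():
        if hmac.compare_digest(ppk_id(candidate, ni, nr), received_id):
            found = name
    return found


def demo() -> Dict[str, Optional[str]]:
    """Run one exchange with a good PPK, a wrong PPK and stale nonces."""
    # Constructed responder store: two PPKs of possibly different origin.
    store = {"site-a": b"\x11" * 32, "site-b": b"\x22" * 32}
    ni, nr = os.urandom(16), os.urandom(16)  # fresh per-session nonces

    # Initiator holding site-a's PPK sends this id in its request.
    good_id = ppk_id(store["site-a"], ni, nr)
    # A peer holding a PPK the responder does not know produces this one.
    bad_id = ppk_id(b"\x33" * 32, ni, nr)

    return {
        "correct ppk": lookup_ppk(store, good_id, ni, nr),
        "unknown ppk": lookup_ppk(store, bad_id, ni, nr),
        # Replaying an id under different nonces must not match either.
        "stale nonces": lookup_ppk(store, good_id, ni, os.urandom(16)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The price of this scheme is that the responder has to evaluate the prf over every PPK it holds for each incoming session, so lookup cost grows linearly with the number of stored PPKs; a type or opaque selector value, as discussed above, lets the responder narrow the candidate set first.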