Paul Wouters writes:
>   Received PPK_SUPPORT  Have PPK   PPK Mandatory    Action
>   ------------------------------------------------------------------
>       Yes                  No          *            Standard IKE protocol
>       Yes                 Yes          *            Include PPK_SUPPORT
> 
> Basically, we are in the case where "Have PPK" is not yet known.

I think the discussion earlier was that we solve this by policy, where
the responder is configured BEFORE the initiator. I.e., if the responder sees
an initiator that says PPK is supported (meaning the initiator has a PPK), then
the responder is safe to assume that it has also been configured with a PPK for
that ID. Anyway, if this guess turns out to be wrong, it can then
fail the exchange later, and mark that peer as not having a PPK when it
reconnects, i.e., add the peer IP address to a temporary list saying that if a
connection comes from this IP address and says it supports PPK,
we do not have a PPK for it, so fall back to standard IKE.

Anyway, this kind of text needs to be added to the protocol draft.

I do not want to make this document any more complicated than what is
required, as I would like to get this document out so it can be implemented,
even when we know there are some corner cases which require manual
configuration.
-- 
kivi...@iki.fi
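One way to model the responder policy sketched in the message above, as an added example that is not from the draft or from any IKE implementation: the responder only learns the initiator's PPK_ID in IKE_AUTH, so at IKE_SA_INIT it guesses "ppk" whenever PPK_SUPPORT was received, and a guess that fails in IKE_AUTH puts the peer address on a temporary no-PPK list. The PPK table, the 600-second list lifetime and the addresses are constructed assumptions.

```python
import time


class ResponderPpkPolicy:
    """Responder-side PPK decision for IKEv2 (constructed example).

    ppk_table maps PPK_ID -> PPK bytes (a constructed sample configuration).
    no_ppk_until maps a peer IP address -> time until which that address is
    treated as having no PPK, because an earlier guess failed in IKE_AUTH.
    """

    def __init__(self, ppk_table, ttl=600, clock=time.monotonic):
        self.ppk_table = dict(ppk_table)
        self.no_ppk_until = {}
        self.ttl = ttl          # assumed lifetime of a fallback entry, in seconds
        self.clock = clock      # injectable for testing

    def ike_sa_init(self, peer_ip, received_ppk_support):
        """Return 'ppk' to include PPK_SUPPORT in the reply, else 'standard'."""
        if not received_ppk_support:
            # Initiator did not signal PPK_SUPPORT: standard IKE protocol.
            return "standard"
        expiry = self.no_ppk_until.get(peer_ip)
        if expiry is not None and expiry > self.clock():
            # An earlier guess for this address failed; fall back for now.
            return "standard"
        # Entry absent or expired: allow the peer to be tried again.
        self.no_ppk_until.pop(peer_ip, None)
        # "Have PPK" is unknown at this point: assume the initiator has one.
        return "ppk"

    def ike_auth(self, peer_ip, ppk_id):
        """Return the PPK for ppk_id, or None after recording the failed guess."""
        ppk = self.ppk_table.get(ppk_id)
        if ppk is None:
            # Guess was wrong: remember this address so the next connection
            # from it falls back to standard IKE until the entry expires.
            self.no_ppk_until[peer_ip] = self.clock() + self.ttl
        return ppk
```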

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
