On Thu, 30 Nov 2017, David Schinazi wrote:
> Regarding the original email, I'm not a fan of (1) as then implementations have to handle receiving two different FQDN IDr's for example. Having something like (2) where the new notify can only appear once and it explicitly is there to select the key sounds best IMHO.
Thanks :)
> Regarding the hidden-in-TLS feature (I like that name, thanks Paul), I don't think this would help as the goal is to not reply to SA_INIT from an untrusted party so changing the AUTH is too late.
Ohh, that's correct....

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec