Hi Tobias,

> Hi Valery,
>
> >> If there is a chance that this is a potential threat (and I fear it'll be
> >> impossible to prove the opposite), my feeling is that the document should
> >> say that IKE_INTERMEDIATE MUST NOT be supported without the support of at
> >> least one document defining the payload.
> > That is implied. I can make this more explicit, by adding something like that:
> >
> > Successful exchange of INTERMEDIATE_EXCHANGE_SUPPORTED notification only
> > confirms that both parties support INTERMEDIATE exchange. It is not a
> > sufficient condition to start doing INTERMEDIATE exchange. Separate
> > documents that utilize this exchange MUST define the conditions in which
> > peers would do INTERMEDIATE exchanges, the conditions for ending the
> > sequence of these exchanges and starting IKE_AUTH, and the payloads these
> > exchanges should carry.
> >
> > Is it OK for you?
> I was wondering about what happens when multiple documents utilize the
> IKE_INTERMEDIATE exchange at the same time.
> Can two different documents utilize a single exchange of IKE_INTERMEDIATE
> messages, or must every document add an additional exchange of
> IKE_INTERMEDIATE messages?

It's a good question. My idea is that each application document must define this, as well as the order of INTERMEDIATE exchanges, if it matters. So, I assume that by default each application will utilize its own INTERMEDIATE, but some applications could benefit from piggybacking. But this must be clearly described in the corresponding document.

> Currently the only "user" is the Hybrid PQKE draft which adds up to
> seven INTERMEDIATE exchanges before the IKE_AUTH,
> could I just define a draft that includes an additional payload in the
> first INTERMEDIATE exchange (not knowing whether Hybrid KE is used or not)
> or would I have to add an eighth INTERMEDIATE exchange?

I think that the corresponding application document must define this. QSKE exchanges would most probably take place before any other INTERMEDIATE exchange, since they update the keys and increase IKE SA protection, but again, it must be defined in the application documents.

> I couldn't find any info on this in the current draft and I feel like
> this is quite relevant for future users of the exchange.

I don't think it must be defined in this draft. Instead, it must be defined in the documents utilizing this exchange. Note that these documents will appear one by one, so every next published document must have a section describing how this application of INTERMEDIATE should deal with the already defined applications (whether it is OK to combine payloads or not, what is the relative order, etc.)

Regards,
Valery.

> Regards,
> (another) Tobias

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
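The rule discussed in this thread (the INTERMEDIATE_EXCHANGE_SUPPORTED notification only proves both peers understand the exchange type; the number, order and sharing of IKE_INTERMEDIATE exchanges come from the application documents both peers negotiated) as an added illustration that is not part of the thread or of any IETF draft. It models an initiator's exchange planner in Python; the application names, exchange counts, priorities and the "piggyback into the first planned exchange" policy are constructed assumptions, not anything a draft specifies.

```python
from dataclasses import dataclass

INTERMEDIATE_EXCHANGE_SUPPORTED = "INTERMEDIATE_EXCHANGE_SUPPORTED"


@dataclass(frozen=True)
class Application:
    """One document that uses IKE_INTERMEDIATE (all values here are constructed)."""
    name: str
    exchanges: int             # INTERMEDIATE exchanges this application needs
    priority: int              # lower runs first (key updates should go early)
    piggyback: bool = False    # may ride in an exchange another application planned


def plan_exchanges(init_notifies, resp_notifies, init_apps, resp_apps):
    """Return [(exchange, owners)] from IKE_SA_INIT up to IKE_AUTH.

    The notification only tells us the peer understands the exchange type;
    INTERMEDIATE exchanges appear only for applications both peers support,
    in the order and combination those applications ask for.
    """
    plan = [("IKE_SA_INIT", ())]
    both_support = (INTERMEDIATE_EXCHANGE_SUPPORTED in init_notifies
                    and INTERMEDIATE_EXCHANGE_SUPPORTED in resp_notifies)
    if both_support:
        common = sorted(set(init_apps) & set(resp_apps), key=lambda a: a.priority)
        slots = []  # one list of owner names per planned INTERMEDIATE exchange
        for app in common:
            if app.piggyback and slots:
                slots[0].append(app.name)  # share the first planned exchange (assumed policy)
            else:
                slots.extend([app.name] for _ in range(app.exchanges))
        plan.extend(("IKE_INTERMEDIATE", tuple(s)) for s in slots)
    plan.append(("IKE_AUTH", ()))
    return plan


def count_intermediate(plan):
    """Number of IKE_INTERMEDIATE exchanges in a plan."""
    return sum(1 for name, _ in plan if name == "IKE_INTERMEDIATE")


# Constructed applications: a hybrid KE needing seven exchanges and two
# hypothetical follow-on documents, one that piggybacks and one that does not.
HYBRID = Application("hybrid-pqke", exchanges=7, priority=0)
RIDER = Application("extra-payload", exchanges=1, priority=10, piggyback=True)
LONER = Application("own-exchange", exchanges=1, priority=10)
NOTIFY = {INTERMEDIATE_EXCHANGE_SUPPORTED}

if __name__ == "__main__":
    for label, apps in [("notify only", []), ("hybrid+rider", [HYBRID, RIDER]),
                        ("hybrid+loner", [HYBRID, LONER])]:
        print(label, count_intermediate(plan_exchanges(NOTIFY, NOTIFY, apps, apps)))
```

With only the notification and no common application the planner goes straight from IKE_SA_INIT to IKE_AUTH, and a peer that did not send the notification gets no INTERMEDIATE exchanges even if it lists applications.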
