Hi Paul,

Please see inline.

Cheers,
Med

> -----Original Message-----
> From: Paul Wouters [mailto:[email protected]]
> Sent: Thursday, 2 May 2019 20:25
> To: BOUCADAIR Mohamed TGI/OLN
> Cc: [email protected]
> Subject: Re: [IPsec] Draft-ietf-ipsecme-ipv6-ipv4-codes
>
> On Tue, 30 Apr 2019, [email protected] wrote:
>
> >> Why would the initiator that is allowed by policy to do both v4 and v6
> >> not ask for both at once?
> >
> > [Med] I do fully agree that requesting both when supported would be
> > straightforward, but I'm afraid that some implementations may not follow that
> > behavior.
>
> Do we currently have a large scale implementation issue, or are you
> predicting that this may happen in the future? While I am okay with
> doing it if it fixes a large deployment issue, I'm not okay with it
> to pre-emptively support expected implementation issues.
>
> > Such implementations may do that:
> > * for arbitrary reasons given that existing specs do not forbid such
> >   separate requests.
>
> So what is the problem with bad implementations doing bad things?

[Med] This may double the load on the responder. Sending systematically a second request while a responder will discard it because it does support only one AF is suboptimal (think about IPv6-only voice over WLAN for example).

> Why would this notify tell them to do things differently next time?

[Med] The notification message will provide information to the initiator whether it is useful or not to send a request for the other AF.

>
> > * or, in some contexts such as cellular devices, mimic a similar behavior for
> >   requesting separate PDP contexts instead of a dual-stack one.
>
> Is this actually happening at scale, or is this just a feared bad way
> things will get implemented?
>
> >> I don't see the "use of separate requests" as a real use case. Can you
> >> explain how this would actually happen in a real world?
> >
> > [Med] See the cases above. There is also the case of a responder that wants
> > (for policy reasons) requests to be made as separate IKE SAs. For this case,
> > requests will need to be done separately.
>
> If the "policy reason" is there, why would a notify change their
> behaviour? If they are already sending a v4 and a separate v6
> request, what value does the notify add?

[Med] I'm not sure I understand your comment. The policy is at the responder side. The responder will honor one AF per request. Returning the supported AFs to the initiator will trigger a separate request from the initiator to get the other AF (if needed).

>
> Paul
