Hi Paul,
> >>> <-- HDR, SK {AUTH, SAr2, TSi, TSr
> >>> [, N(PPK_IDENTITY)]}
> >>>
> >>> Am I missing something subtle as to why N(PPK_IDENTITY) is listed as
> >>> optional here in the EAP case but not in the previous diagram for the
> >>> non-EAP case?
> >>
> >> In the previous diagram we consider only the case when using
> >> PPK is agreed upon, so N(PPK_IDENTITY) is not optional.
>
> This btw, is a little weird. I think it is better to have the "generic"
> exchange documented, and in the text write specific examples of when
> payloads are or aren't there. I think the figures/diagrams should be
> drawn to represent the generic case, where it should be optional because
> if it does not know the right PPK_ID, it will not send the notify.

Do you think the current diagrams are confusing?

> That is, the diagrams should represent the state machine, not an
> example of the state machine.

Hmmmm... It's an open question :-) As a counter-example,
the EAP and non-EAP case of IKEv2 are not shown
on the same diagrams - these are different diagrams,
however the state machine for IKE_AUTH is the same.
I think diagrams (at least in IKE) don't replace state machine
description and are mostly used for clarity.

Regards,
Valery.

>
> Paul