Scott C Moonen wrote:
> I'm reviewing RFC 4869 and it seems to under-specify the attributes that
> are needed to achieve real interoperability: it doesn't specify whether to
> do a phase 2 Diffie-Hellman exchange for perfect forward secrecy, nor
> does it specify IKEv1 lifetime and lifesize values. So I am left having to
> guess at what are appropriate values to use for these attributes. And
> once I do choose particular values for PFS and lifesize, is it still correct
> for me to use the RFC's suite names in reference to them?
Interesting. I hadn't noticed that. I guess the best thing is to do as in RFC 4308: "...The initiator of this exchange MAY include a new Diffie-Hellman key; if it is included, it MUST be of type..." IOW it's up to the initiator whether or not to do PFS, and both configurations are OK to use the suite name.

As for lifetimes, at least our implementation has a separate configuration for it. Lifetimes in IKEv1 are negotiated, so I don't believe it's necessary to actually specify it in the RFC.

But you are right. Especially since this is a followup to RFC 4869, they should have included these parameters.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
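Added example, not from this thread or either implementation: a Python sketch of the responder-side checks the reply describes (PFS optional but, if offered, only with the suite's group; lifetimes negotiated down to local policy), using the IPsec DOI attribute numbers from RFC 2407 and the ECP group numbers from RFC 4753. The function names and the local-policy lifetimes are my own assumptions.

```python
import struct
# IPsec DOI attribute types and life-type values (RFC 2407 section 4.5).
SA_LIFE_TYPE, SA_LIFE_DURATION, GROUP_DESC = 1, 2, 3
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
# DH group each RFC 4869 suite mandates if phase 2 PFS is offered (RFC 4753 groups).
SUITE_PFS_GROUP = {"Suite-B-GCM-128": 19, "Suite-B-GMAC-128": 19,
                   "Suite-B-GCM-256": 20, "Suite-B-GMAC-256": 20}

def encode_attrs(attrs):
    """Encode (type, value) pairs as ISAKMP data attributes (RFC 2408 3.3)."""
    out = b""
    for atype, value in attrs:
        if value > 0xFFFF:                      # TLV form (AF bit clear)
            out += struct.pack("!HHI", atype, 4, value)
        else:                                   # TV form (AF bit set)
            out += struct.pack("!HH", 0x8000 | atype, value)
    return out

def decode_attrs(data):
    """Inverse of encode_attrs: returns a list of (type, value)."""
    attrs, off = [], 0
    while off < len(data):
        atype, arg = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            attrs.append((atype & 0x7FFF, arg))
        else:
            attrs.append((atype, int.from_bytes(data[off:off + arg], "big")))
            off += arg
    return attrs

def negotiate(suite, proposal, local_seconds, local_kb):
    """Responder-side check: PFS is optional, but an offered group must be the
    suite's; lifetimes are negotiated down to local policy (an IKEv1 responder
    signals the shorter value with a RESPONDER-LIFETIME notification)."""
    result = {"pfs_group": None, "seconds": local_seconds, "kilobytes": local_kb}
    life_type = None
    for atype, value in decode_attrs(proposal):
        if atype == GROUP_DESC:
            if value != SUITE_PFS_GROUP[suite]:
                raise ValueError(f"DH group {value} is not allowed for {suite}")
            result["pfs_group"] = value
        elif atype == SA_LIFE_TYPE:
            life_type = value
        elif atype == SA_LIFE_DURATION:
            key = {LIFE_SECONDS: "seconds", LIFE_KILOBYTES: "kilobytes"}[life_type]
            result[key] = min(result[key], value)
    return result
```

An offer without a Group Description attribute negotiates without PFS and is still a valid use of the suite name, which is the reading of RFC 4308 given above.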
