At 11:51 PM +0300 5/13/09, Yoav Nir wrote:
>Scott C Moonen wrote:
>>
>> I'm reviewing RFC 4869 and it seems to under-specify the attributes that
>> are needed to achieve real interoperability: it doesn't specify whether to
>> do a phase 2 Diffie-Hellman exchange for perfect forward secrecy, nor
>> does it specify IKEv1 lifetime and lifesize values. So I am left having to
>> guess at what are appropriate values to use for these attributes. And
>> once I do choose particular values for PFS and lifesize, is it still correct
>> for me to use the RFC's suite names in reference to them?
>
>Interesting. I hadn't noticed that.
>
>I guess the best thing is to do as in RFC 4308:
>"
>...The initiator of this
> exchange MAY include a new Diffie-Hellman key; if it is included, it
> MUST be of type..."
>
>IOW it's up to the initiator whether or not to do PFS, and both configurations
>are OK to use the suite name.
That was my intention in RFC 4308; I cannot speak for the authors of RFC 4869.

>As for lifetimes, at least our implementation has a separate configuration for
>it.
>Lifetimes in IKEv1 are negotiated, so I don't believe it's necessary to
>actually
>specify it in the RFC.

Fully disagree. "Negotiated" in IKEv1 is the wrong word: the responder either
accepts what the initiator says, or stops. Most IKEv1 systems require that
lifetimes match exactly; that's why I had to include section 2.3 in RFC 4308.

Having said that, it is fine for a profile not to list lifetimes explicitly; it
just means that the two sides still have to agree to lifetimes out-of-band.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
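To make the attribute semantics the thread is arguing about concrete, here is an added Python example (written for this page, not code from the thread, the RFCs, or any implementation) that decodes IKEv1 IPsec DOI transform attributes, extracts the lifetimes and the PFS group, and applies the strict-match responder rule Paul describes. The attribute wire encoding follows RFC 2408 section 3.3 and the attribute class numbers RFC 2407 section 4.5; the sample payload, its lifetime values and the group value 14 are constructed for illustration.

```python
import struct

# IPsec DOI attribute classes (RFC 2407, section 4.5) and Life Type values
SA_LIFE_TYPE, SA_LIFE_DURATION, GROUP_DESCRIPTION = 1, 2, 3
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2


def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into (type, value) pairs.
    Bit 15 of the first word is the AF bit: 1 = two-byte value (TV), 0 = length + value (TLV)."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        word, second = struct.unpack_from("!HH", data, off)
        off += 4
        atype = word & 0x7FFF
        if word & 0x8000:
            attrs.append((atype, second))
        else:
            if off + second > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, int.from_bytes(data[off:off + second], "big")))
            off += second
    return attrs


def lifetimes_and_pfs(attrs):
    """Return ({life_type: duration}, pfs_group or None).
    A Life Duration attribute applies to the Life Type attribute immediately before it;
    a Group Description in a phase 2 proposal means the initiator asked for PFS."""
    lifetimes, pfs, pending = {}, None, None
    for atype, value in attrs:
        if atype == SA_LIFE_TYPE:
            pending = value
        elif atype == SA_LIFE_DURATION:
            if pending is None:
                raise ValueError("Life Duration without preceding Life Type")
            lifetimes[pending], pending = value, None
        elif atype == GROUP_DESCRIPTION:
            pfs = value
    return lifetimes, pfs


def responder_accepts(proposed, configured):
    """The behaviour the thread describes for most IKEv1 responders: every proposed
    lifetime must equal the locally configured one, otherwise the negotiation stops."""
    return proposed == configured


def tv(atype, value):  # constructed helper: Type/Value encoding
    return struct.pack("!HH", 0x8000 | atype, value)


def tlv(atype, raw):  # constructed helper: Type/Length/Value encoding
    return struct.pack("!HH", atype, len(raw)) + raw


# Constructed sample: 3600 s and 4608000 KB lifetimes, PFS with group 14
SAMPLE = (tv(SA_LIFE_TYPE, LIFE_SECONDS) + tv(SA_LIFE_DURATION, 3600)
          + tv(SA_LIFE_TYPE, LIFE_KILOBYTES) + tlv(SA_LIFE_DURATION, (4608000).to_bytes(4, "big"))
          + tv(GROUP_DESCRIPTION, 14))
```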
