Yaron Sheffer writes:
> >> Alternatively it would simplify things immensely if we mandate that SPIs
> >> be random for implementations that support QCD (possibly only on the
> >> gateway side). Can we do it without having to "update RFC 4306"?
> >
> > I think it's enough to require this of the token taker.
> >
> > Issue #191
> > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/191
>
> This protocol cannot require anything from the token taker, because you
> don't *know* it's a token taker - there's no signaling. So either we add
> signaling, or we can only require random SPIs from the token maker.
I think the best option is to add text saying that token makers MUST use
SPIs that look random, and that should be enough to make the QCD_TOKENs
generated by token makers unpredictable.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
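The following is an added illustration of the point argued in the thread above; it is not code from the list, from the QCD draft, or from any IKEv2 implementation. It contrasts a sequential SPI allocator (the "predictable" case) with one drawn from a CSPRNG, and walks a simplified token maker / token taker exchange: the maker derives a token from the SA's SPI pair, the taker stores it, the maker reboots keeping only its long-term secret, and the taker compares the re-derived token with the stored one. Everything about the derivation is an assumption made here for the example: HMAC-SHA256 keyed with a maker secret over SPIi || SPIr, truncated to 16 bytes, and the attacker's arithmetic-progression guess is only a toy predictability check.

```python
import hashlib
import hmac
import os

SPI_LEN = 8          # IKEv2 SPIs are 8 bytes
TOKEN_LEN = 16       # assumed truncation length; not stated on the page


class SequentialSpiAllocator:
    """The weak allocator: SPIs are a counter, so each one is predictable."""

    def __init__(self, start=1):
        self._next = start

    def allocate(self):
        spi = self._next.to_bytes(SPI_LEN, "big")
        self._next += 1
        return spi


class RandomSpiAllocator:
    """The allocator the thread asks token makers to use: SPIs from a CSPRNG."""

    def allocate(self):
        while True:
            spi = os.urandom(SPI_LEN)
            if spi != bytes(SPI_LEN):      # the all-zero SPI is reserved in IKEv2
                return spi


def make_token(maker_secret, spi_i, spi_r):
    """Assumed derivation (not from the page): keyed PRF over the SPI pair.
    The maker keeps no per-SA state for this; only maker_secret must
    survive a reboot."""
    return hmac.new(maker_secret, spi_i + spi_r, hashlib.sha256).digest()[:TOKEN_LEN]


def verify_token(maker_secret, spi_i, spi_r, token):
    """Constant-time check that a token matches the secret and SPI pair."""
    return hmac.compare_digest(make_token(maker_secret, spi_i, spi_r), token)


def guess_next_spi(observed):
    """Passive attacker's toy heuristic: if the SPIs seen so far form an
    arithmetic progression, name the next one; otherwise give up (None)."""
    values = [int.from_bytes(s, "big") for s in observed]
    if len(values) < 2:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:
        return None
    nxt = values[-1] + steps.pop()
    if nxt < 0 or nxt >= 1 << (8 * SPI_LEN):
        return None
    return nxt.to_bytes(SPI_LEN, "big")


def spis_are_predictable(allocator, observed=4):
    """True if an attacker who saw `observed` SPIs can name the next one."""
    seen = [allocator.allocate() for _ in range(observed)]
    return guess_next_spi(seen) == allocator.allocate()


def crash_recovery_roundtrip(maker_secret, maker_spi_allocator):
    """Constructed, simplified QCD exchange:
    1. IKE_AUTH: maker derives a token for the SA's SPIs; taker stores it.
    2. Maker crashes and reboots with only maker_secret intact.
    3. Taker sends on the old SA; maker knows no such SPIs and re-derives
       the token statelessly from the SPIs it sees in the header.
    4. Taker compares the received token with the stored one.
    Returns (peer_token_accepted, forged_token_accepted)."""
    spi_i = RandomSpiAllocator().allocate()         # taker is the initiator
    spi_r = maker_spi_allocator.allocate()          # maker is the responder
    stored_by_taker = make_token(maker_secret, spi_i, spi_r)
    # after the reboot the maker has no SA state, only maker_secret
    after_reboot = make_token(maker_secret, spi_i, spi_r)
    accepted = hmac.compare_digest(after_reboot, stored_by_taker)
    # an attacker who knows both SPIs but not maker_secret cannot forge one
    forged = make_token(b"attacker-guess", spi_i, spi_r)
    forged_accepted = hmac.compare_digest(forged, stored_by_taker)
    return accepted, forged_accepted


if __name__ == "__main__":
    secret = os.urandom(32)    # stand-in for the maker's long-term secret
    print("sequential SPIs predictable:", spis_are_predictable(SequentialSpiAllocator()))
    print("random SPIs predictable:    ", spis_are_predictable(RandomSpiAllocator()))
    print("peer accepted / forgery accepted:",
          crash_recovery_roundtrip(secret, RandomSpiAllocator()))
```

Running it shows the sequential allocator is guessed after a handful of observations while the random one is not, and that under the assumed keyed derivation the taker accepts the re-derived token after the maker's reboot but rejects one built without the maker's secret. The comparisons use hmac.compare_digest so that token checking on the taker side does not leak timing information.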