> On Jan 8, 2020, at 04:41, Mirja Kuehlewind <i...@kuehlewind.net> wrote:
>
>>
>> I think one or two RTT is too short, moreover since it's an initial request,
>> no RTT is yet measured (IKEv2 uses UDP as primary transport).
>> We try here to be in line with core IKEv2 spec, which deliberately
>> doesn't give any concrete figures of how long to wait for a response
>> (section 2.4 of RFC7296). So, I'd leave the text as is.
>
> Kind of same here. Given you two disagree here already, I think it would be
> good to give further advice.

I agree with Valerie. We don't do that on purpose. A 100 Gbps connection is different from a satellite connection. Let the implementation handle that part.

>> I agree with Panos: the downgrade is possible only if using PPK is optional
>> for both, in which case both parties agree that downgrade is OK.
>
> Having some downgrade detection would enable to log an attack if optional PPK
> was used.

That would be lost in the noise when using mixed ppk/noppk use I think. As said, one is expected to only allow noppk during migration, which would be very limited in time (like hours or days for static tunnels, maybe weeks or a few months for remote access VPN updates to happen).

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
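As an added illustration, not code from this thread or from any IKEv2 implementation, the following Python model walks the PPK negotiation (the IKEv2 extension later published as RFC 8784) through the policy combinations debated above and shows that a no-PPK SA between two PPK-capable peers only results when both sides treat PPK as optional. The second function is one way to make downgrade logging useful despite the migration noise Paul describes: it flags a no-PPK SA only for a peer that earlier established an SA with PPK. The policy names, the event list format and the peer ids are assumptions of this example.

```python
from typing import Literal

# Assumed local policy values: "none" = PPK not configured, "optional" =
# PPK used when available but fallback allowed, "mandatory" = PPK required.
Policy = Literal["none", "optional", "mandatory"]


def negotiate(init_policy: Policy, resp_policy: Policy,
              ppk_id: str, resp_ppk_ids: set[str]) -> str:
    """Outcome of one IKEv2 exchange: 'ppk', 'no_ppk' or 'fail'."""
    # IKE_SA_INIT: initiator includes USE_PPK only if it is configured for PPK.
    init_use_ppk = init_policy != "none"
    # Responder echoes USE_PPK only if it supports PPK itself.
    resp_use_ppk = init_use_ppk and resp_policy != "none"
    if not init_use_ppk:
        # A responder that requires PPK rejects a peer that never offered it.
        return "fail" if resp_policy == "mandatory" else "no_ppk"
    if not resp_use_ppk:
        # Responder did not echo USE_PPK: continue only if PPK is optional here.
        return "no_ppk" if init_policy == "optional" else "fail"
    # IKE_AUTH: initiator sends PPK_IDENTITY, and NO_PPK_AUTH when PPK is
    # optional on its side; the responder looks the PPK up by identity.
    if ppk_id in resp_ppk_ids:
        return "ppk"
    # Unknown PPK_ID: the no-PPK fallback needs both sides to permit it.
    if init_policy == "optional" and resp_policy == "optional":
        return "no_ppk"
    return "fail"


def flag_downgrades(events: list[tuple[str, str]]) -> list[str]:
    """Peers whose SA fell back to no_ppk after they once established with ppk.

    `events` is an assumed chronological list of (peer_id, outcome) pairs,
    e.g. as reconstructed from IKE daemon logs.
    """
    seen_ppk: set[str] = set()
    flagged: list[str] = []
    for peer, outcome in events:
        if outcome == "ppk":
            seen_ppk.add(peer)
        elif outcome == "no_ppk" and peer in seen_ppk:
            flagged.append(peer)
    return flagged
```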