Valery Smyslov writes:
> So, the question to the WG is - what should we do with this:
>
> 1. Re-define calculation of IntAuth to make it constant in size.
>    This will most probably require another WGLC and will break
>    interoperability of existing products. The latter seems not so
>    important (no product has been released yet), but the former
>    may delay publication process.
>
> 2. Leave calculation of IntAuth as is and add some text to the
>    Security Considerations section that describes potential
>    problems and advises the responder (e.g.
>    limit the number of accepted IKE_INTERMEDIATE exchanges).
>    This will not change bits on the wire and hopefully
>    will not require another WGLC.
My suggestion (as an individual, not as a chair) is to add text to the security considerations section where we point out that implementations should limit the number of IKE_INTERMEDIATE exchanges they allow to something sensible, like 10 or so. These are exchanges we are doing before authentication, so limiting the number of them is something we want to do anyways.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
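A responder-side version of the limit proposed above, as an added example that is not part of the original thread, of the draft, or of any IKEv2 implementation. It assumes a message abstraction of (initiator SPI, exchange type, payload) and a per-SA counter; the exchange type value 43 is the IANA-assigned number for IKE_INTERMEDIATE, tearing down the half-open SA once the limit is exceeded is a policy choice made here (the thread does not specify the reaction), and the one-digest-per-exchange bookkeeping is only a stand-in for state that grows with each accepted exchange, not the draft's actual IntAuth definition.

```python
"""Bound the number of pre-authentication IKE_INTERMEDIATE exchanges.

Illustration only: not code from the draft or any IKEv2 stack. The IKE
message is reduced to the three fields the policy needs, and IntAuth is
modelled as a growing list of per-exchange digests (an assumption that
captures "not constant in size", not the draft's formula).
"""
import hashlib
from dataclasses import dataclass, field

# Exchange type values (RFC 7296; 43 is the IANA value for IKE_INTERMEDIATE).
IKE_SA_INIT = 34
IKE_AUTH = 35
IKE_INTERMEDIATE = 43

# "Something sensible, like 10 or so" from the mail.
MAX_INTERMEDIATE_EXCHANGES = 10


@dataclass
class HalfOpenSA:
    """State a responder keeps between IKE_SA_INIT and IKE_AUTH."""
    spi_i: bytes
    intermediate_count: int = 0
    authenticated: bool = False
    # Stand-in for accumulated IntAuth input: one digest per accepted exchange.
    intauth_chunks: list = field(default_factory=list)


class Responder:
    def __init__(self, limit: int = MAX_INTERMEDIATE_EXCHANGES):
        self.limit = limit
        self.sas: dict[bytes, HalfOpenSA] = {}

    def handle(self, spi_i: bytes, exchange_type: int, payload: bytes) -> str:
        """Process one request and return a short result code."""
        if exchange_type == IKE_SA_INIT:
            self.sas[spi_i] = HalfOpenSA(spi_i)
            return "SA_INIT_OK"

        sa = self.sas.get(spi_i)
        if sa is None:
            return "DROP_NO_SA"

        if exchange_type == IKE_INTERMEDIATE:
            if sa.authenticated:
                # IKE_INTERMEDIATE is only meaningful before IKE_AUTH.
                return "DROP_AFTER_AUTH"
            if sa.intermediate_count >= self.limit:
                # Policy choice (assumed here): an unauthenticated peer that
                # exceeds the bound loses its half-open SA, so the state it
                # can make us retain stays bounded.
                del self.sas[spi_i]
                return "REJECT_LIMIT"
            sa.intermediate_count += 1
            sa.intauth_chunks.append(hashlib.sha256(payload).digest())
            return "INTERMEDIATE_OK"

        if exchange_type == IKE_AUTH:
            sa.authenticated = True
            return "AUTH_OK"

        return "DROP_UNKNOWN"

    def intauth_size(self, spi_i: bytes) -> int:
        """Bytes of per-exchange material retained for spi_i (0 if no SA)."""
        sa = self.sas.get(spi_i)
        return 0 if sa is None else sum(len(c) for c in sa.intauth_chunks)


def run_initiator(n_intermediate: int, limit: int = MAX_INTERMEDIATE_EXCHANGES):
    """Drive one initiator through IKE_SA_INIT, n IKE_INTERMEDIATE, IKE_AUTH.

    Returns the list of responder result codes and the retained IntAuth bytes.
    Payloads are constructed sample data, not real IKE payloads.
    """
    r = Responder(limit)
    spi = b"\x11" * 8  # constructed initiator SPI
    results = [r.handle(spi, IKE_SA_INIT, b"")]
    for i in range(n_intermediate):
        results.append(r.handle(spi, IKE_INTERMEDIATE, b"intermediate-%d" % i))
    results.append(r.handle(spi, IKE_AUTH, b"auth"))
    return results, r.intauth_size(spi)


if __name__ == "__main__":
    # A well-behaved peer doing three exchanges, then a peer trying twelve.
    print(run_initiator(3))
    print(run_initiator(12))
```

With the default limit, a peer that stays at or below ten exchanges completes IKE_AUTH with at most ten digests retained, while the eleventh IKE_INTERMEDIATE removes the half-open SA and every later message for that SPI, including IKE_AUTH, is dropped for lack of state.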