[IPsec] Some comments about redirect

2009-05-27 Thread Yoav Nir
Hi. I've read through the draft again, and here are a few comments: Section 3 has the following line: If the IKE_SA_INIT request did not include the REDIRECT_SUPPORTED payload, the responder MUST NOT send the REDIRECT payload to the VPN

[IPsec] Some comments about redirect

2009-05-27 Thread Tero Kivinen
Yoav Nir writes: > Section 10 sets up an IANA registry for identity types. Couldn't we > just reuse the "IKEv2 Identification Payload ID Types"? There's > already IPv4, IPv6 and FQDN, and additionally KEY_ID for locally > meaningful names and a range of private use IP addresses. Why set up > a new

Re: [IPsec] Some comments about redirect

2009-05-27 Thread Yoav Nir
OK. In that case I would add to the initial registry 4 - locally meaningful name In our product, the gateways have "names" that appear both in the GUI and the configuration files (and logs). It's easier for them to fetch another gateway's "object" by name than by IP address. Such a name could

[IPsec] Question on exponent size as discussed in RFC 3526

2009-05-27 Thread Ricky Charlet
Hi folks, I'm having difficulty interpreting RFC3526, "More Modular Exponential (MODP) Diffie-Hellman groups" section 1, "Introduction". Quoting from the RFC -cut The exponent size used in the Diffie-Hellman must be selected so that it matches other parts of the sys

Re: [IPsec] Question on exponent size as discussed in RFC 3526

2009-05-27 Thread Scott Fluhrer
> -Original Message- > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] > On Behalf Of Ricky Charlet > Sent: Wednesday, May 27, 2009 1:02 PM > To: ipsec@ietf.org; kivi...@ssh.fi; mika.k...@helsinki.fi; > hila...@purplestreak.com; paul.hoff...@vpnc.org > Subject: [IPsec] Que

Re: [IPsec] Question on exponent size as discussed in RFC 3526

2009-05-27 Thread Ricky Charlet
Hi Scott, Thanks for your reply. Unfortunately, your reply continues my exact same confusion. Should e be twice the size of the key you need or twice the size of the dh group in use? You state that > the reason that the examples seem to indicate a correlation with the > symmetric key siz

Re: [IPsec] Question on exponent size as discussed in RFC 3526

2009-05-27 Thread Scott Fluhrer
> -Original Message- > From: Ricky Charlet [mailto:rchar...@nortel.com] > Sent: Wednesday, May 27, 2009 2:58 PM > To: Scott Fluhrer; ipsec@ietf.org; kivi...@ssh.fi; > mika.k...@helsinki.fi; hila...@purplestreak.com; paul.hoff...@vpnc.org > Subject: RE: [IPsec] Question on exponent size

Re: [IPsec] Question on exponent size as discussed in RFC 3526

2009-05-27 Thread Ricky Charlet
Ah, thanks. You helped me tremendously there with the size-of-group vs strength-of-group distinction. Very much appreciated. -- Ricky Charlet rchar...@nortel.com USA 408-495-5726 > -Original Message- > From: Scott Fluhrer [mailto:sfluh...@cisco.com] > Sent: Wednesday, May 27, 2009 1:54

Re: [IPsec] Final comments for ikev2-redirect-10

2009-05-27 Thread Vijay Devarapalli
Hi Pasi, On 5/26/09 1:17 AM, "pasi.ero...@nokia.com" wrote: > There's one remaining issue that was changed due to WGLC comments, but > the result isn't quite what it IMHO should be. > > When doing redirection during IKE_AUTH, in some situations the > IKE_AUTH response with the REDIRECT is the la

Re: [IPsec] Questions on ikev2-redirect-10

2009-05-27 Thread Vijay Devarapalli
Hi, On 5/26/09 10:10 PM, "Raj Singh" wrote: > Hi Vijay, > > I have some question on ikev2-redirect-10 draft. > > In section 5, > -- > Once the client sends an acknowledgment to the gateway, it SHOULD > delete the existing security associations with the old gateway by > sending an

Re: [IPsec] Some comments about redirect

2009-05-27 Thread Vijay Devarapalli
Hello, On 5/27/09 12:36 AM, "Yoav Nir" wrote: > Hi. > > I've read through the draft again, and here are a few comments: > > Section 3 has the following line: > > If the >IKE_SA_INIT request did not include the REDIRECT_SUPPORTED payload

Re: [IPsec] Some comments about redirect

2009-05-27 Thread Vijay Devarapalli
Hi Yoav, On 5/27/09 3:11 AM, "Yoav Nir" wrote: > OK. In that case I would add to the initial registry > > 4 - locally meaningful name The client should be able to resolve this "locally meaningful name" to an IP address to which it can initiate a new IKE_SA_INIT exchange. These "locally meanin

Re: [IPsec] Some comments about redirect

2009-05-27 Thread Yoav Nir
The client has to have a PAD that includes the gateways. Our implementation has the client downloading the configuration (by a proprietary protocol) that includes the gateway names (and how to find them - IP address or DNS name). These gateway names can optionally be shown to the user in the

Re: [IPsec] Some comments about redirect

2009-05-27 Thread Yoav Nir
The change is sufficient OK about the status (rather than error) type OK about using a new registry (though I still think you need to allocate the "locally meaningful name" and some space for private use) Thanks Yoav From: Vijay Devarapalli [vi...@wicho

Re: [IPsec] Questions on ikev2-redirect-10

2009-05-27 Thread Raj Singh
Hi Vijay, On Thu, May 28, 2009 at 3:24 AM, Vijay Devarapalli wrote: > Hi, > > On 5/26/09 10:10 PM, "Raj Singh" wrote: > > > Hi Vijay, > > > > I have some question on ikev2-redirect-10 draft. > > > > In section 5, > > -- > > Once the client sends an acknowledgment to the gateway, it SHOULD