Re: [IPsec] Bis issues 16 and 45: order of IKE payloads (now here's a controversial one!)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IPsec] Bis issues 16 and 45: order of IKE payloads (now here's a controversial one!)


I am comfortable saying that you SHOULD send the payloads in the indicated order and MUST accept them in any order (except where the order implies meaning, as with CERT and CERTREQ).


Scott Moonen (smoonen at us.ibm.com)
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen


From: Yaron Sheffer <yaronf at checkpoint.com>
To: IPsecme WG <ipsec at ietf.org>
Date: 01/27/2009 10:13 PM
Subject: [IPsec] Bis issues 16 and 45: order of IKE payloads (now here's a controversial one!)




Current text:

NOTE TO IMPLEMENTERS: Does anyone require that the payloads be in the order shown in the figures in Section 2? Can we eliminate the requirement in the following paragraph? If not, we will probably have to add a new appendix with the order, but there is no reason to do that if no one actually cares. {{ Remove this paragraph before the document is finalized, of course. }}

Tero: Our implementation do not care about the order of the payloads except in some specific places (CERT payloads and so on).

Paul: Not done. We still need to hear from others.
Current text (sec. 2.5):

{{ Demoted the SHOULD in the second clause }}Although new payload types may be added in the future and may appear interleaved with the fields defined in this specification, implementations MUST send the payloads defined in this specification in the order shown in the figures in Section 2; implementations are explicitly allowed to reject as invalid a message with those payloads in any other order.

Tero: I would really like to change this to say that payloads must be accepted in any order, but implementations should try to send them out in the order shown in the figures. Exceptions to this is the CERT payloads (the end entity cert MUST be first), and REKEY and COOKIE notifies.

Paul: Not done. This is interesting, but should be discussed on the list.
Yaron: this really is a major protocol change, we cannot guarantee that no existing implementation cares about payload order. I suggest to leave the protocol as-is, although nobody likes this constraint.



Email secured by Check Point
_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
 

_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.