Re: [IPsec] Closing the IKEv2bis open issues

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 21 October 2009 20:06 UTC

Message-Id: <p06240808c70518ce3788@[10.20.30.158]>
In-Reply-To: <349076FF-487D-4B6C-91EB-1E845B2303F6@checkpoint.com>
References: <p06240849c7039304f1d1@[10.20.30.158]> <349076FF-487D-4B6C-91EB-1E845B2303F6@checkpoint.com>
Date: Wed, 21 Oct 2009 13:01:17 -0700
To: Yoav Nir <ynir@checkpoint.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IPsecme WG <ipsec@ietf.org>

At 9:46 AM +0200 10/21/09, Yoav Nir wrote:
>A few lines above this section it already says "If the responder's policy allows it to accept the first selector of TSi and TSr, then the responder MUST narrow the traffic selectors to a subset that includes the initiator's first choices."
>
>So there is a MUST requirement to select the initiator's first choice (if possible), so I don't think the SHOULD and MAY are appropriate here. The way I read this section, it only clarifies what to do if the initiator traffic selector (first or not) is too broad. In that case, we shouldn't mention the initiator's choices.

Yeeps, good catch. That will teach me not to read above and below far enough.

Given this, maybe we need to close out this issue with no change, given the disagreement for other additions to the text.

--Paul Hoffman, Director
--VPN Consortium
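The narrowing rule the two messages are debating (IKEv2 section 2.9: if the responder's policy allows the initiator's first TSi/TSr selector, it MUST narrow to a subset that still includes that first choice; if the first selector is too broad, it narrows to what policy permits, and if nothing overlaps it answers TS_UNACCEPTABLE), as an added Python example that is not code from the thread or from any IKEv2 implementation. The policy selector, address ranges and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TS:
    """One TS_IPV4_ADDR_RANGE: IP protocol (0 = any), port range, address range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: IPv4Address
    end_addr: IPv4Address

    def contains(self, other: "TS") -> bool:
        """True if every packet matching `other` also matches this selector."""
        return ((self.proto == 0 or self.proto == other.proto)
                and self.start_port <= other.start_port <= other.end_port <= self.end_port
                and self.start_addr <= other.start_addr <= other.end_addr <= self.end_addr)

    def intersect(self, other: "TS"):
        """Overlap of the two selectors, or None if they share no packets."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        ts = TS(self.proto or other.proto,
                max(self.start_port, other.start_port), min(self.end_port, other.end_port),
                max(self.start_addr, other.start_addr), min(self.end_addr, other.end_addr))
        if ts.start_port > ts.end_port or ts.start_addr > ts.end_addr:
            return None
        return ts


def narrow(proposed: list, policy: TS):
    """Responder-side narrowing of one TS list (TSi or TSr) against one policy
    selector. Returns (narrowed list, first_choice_kept). An empty list means the
    responder has to reply with TS_UNACCEPTABLE."""
    narrowed = [x for x in (policy.intersect(ts) for ts in proposed) if x is not None]
    # If policy accepts the initiator's first selector as-is, the MUST is met:
    # intersection returns it unchanged and it stays at the front of the list.
    first_kept = policy.contains(proposed[0])
    return narrowed, first_kept


# Constructed sample: policy covers TCP to 10.0.0.0-10.0.0.255 (hypothetical).
POLICY = TS(6, 0, 65535, IPv4Address("10.0.0.0"), IPv4Address("10.0.0.255"))
# Initiator's first choice (the packet that triggered the SA) plus a broad fallback.
SPECIFIC = TS(6, 80, 80, IPv4Address("10.0.0.5"), IPv4Address("10.0.0.5"))
BROAD = TS(0, 0, 65535, IPv4Address("10.0.0.0"), IPv4Address("10.255.255.255"))
OUTSIDE = TS(0, 0, 65535, IPv4Address("192.168.0.1"), IPv4Address("192.168.0.1"))

if __name__ == "__main__":
    print(narrow([SPECIFIC, BROAD], POLICY))  # first choice kept, fallback narrowed
    print(narrow([BROAD], POLICY))            # first choice too broad: narrowed only
    print(narrow([OUTSIDE], POLICY))          # no overlap: TS_UNACCEPTABLE
```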