Re: proposed changes to ISAKMP/Oakley

"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> Mon, 20 October 1997 23:51 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id TAA26821 for ipsec-outgoing; Mon, 20 Oct 1997 19:51:17 -0400 (EDT)
Message-Id: <199710210005.UAA01689@istari.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: proposed changes to ISAKMP/Oakley
In-reply-to: Your message of "Mon, 20 Oct 1997 14:32:47 PDT." <199710202132.OAA25509@pita.cisco.com>
Date: Mon, 20 Oct 1997 20:05:37 -0400
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

>>>>> "Derrell" == Derrell Piper <piper@cisco.com> writes:

    >> I would agree that this should be mandatory. If constraints
    >> (like proxy ids) are given during negotiation they must be
    >> respected by all parties to the negotiation. Any other WG
    >> members have an opinion either way?

    Derrell> I'd prefer mandatory and I think this belongs in the arch
    Derrell> document too.

  Please go read draft-richardson-ipsec-icmp-filter-00.txt.
  If you decide to select the option in 2.1, then please read
draft-richardson-ipsec-pmtu-discov-00.txt, and particularly think
about v6. 
  If you decide to pick option 2.4, ask yourself about R1 generating
ICMP host unreachable or net unreachable. 

  This is IPsecond work. 
  I'd prefer that the IPsec documents not preclude overspecify
policy. Let the VPN documents do that for gateways. Let's not forget
that IPsec is more than just VPN (or, will be, one hopes).

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.


  




