ipsec October 2009 archive

Re: [IPsec] Closing the IKEv2bis open issues

From: Paul Hoffman <paul.hoffman_at_nospam>
Date: Wed Oct 21 2009 - 20:01:17 GMT
To: Yoav Nir <ynir@checkpoint.com>

At 9:46 AM +0200 10/21/09, Yoav Nir wrote:
>A few lines above this section it already says "If the responder's policy allows it to accept the first selector of TSi and TSr, then the responder MUST narrow the traffic selectors to a subset that includes the initiator's first choices."
>So there is a MUST requirement to select the initiator's first choice (if possible), so I don't think the SHOULD and MAY are appropriate here. The way I read this section, it only clarifies what to do if the initiator traffic selector (first or not) is too broad. In that case, we shouldn't mention the initiator's choices.

Yeeps, good catch. That will teach me not to read above and below far enough.

Given this, maybe we need to close out this issue with no change, given the disagreement for other additions to the text.

--Paul Hoffman, Director
--VPN Consortium
