ipsec September 2009 archive

[IPsec] Resolution of the current set of open issues

From: Paul Hoffman <paul.hoffman_at_nospam>
Date: Sat Sep 19 2009 - 22:39:44 GMT
To: IPsecme WG <ipsec@ietf.org>

#22 - Add section on simultaneous IKE SA rekey

    There was no discussion. We will bring this up one more time because it is important, but if there is not more interest and more inclination to review Tero's text, we will write a short note in the document that simultaneous IKE SA rekey is an issue but nothing else.

#26 - Missing treatment of error cases

    Will use Tero's last wording as a proposed way forward. There is an open issue about what other payloads might or might not be in the error responses, so we will leave the issue open for discussion after the draft with the new wording is posted. I also copy edited the section, so it needs to be reviewed.

#28 - Obtaining src/dest IP addresses for UDP-encapsulated transport mode ESP

    Added Tero's text as section 2.23.1. Changed one MUST to a MAY based on the discussion with Scott. Note that I removed any mention of RFC 3947, which is not part of IKEv2. I also heavily copy edited the section, so it needs to be reviewed.

#79 - Remove CP from Create_Child_SA?

    There was no agreement on this. We should probably close out the issue     unless those interested can agree on the semantics.

#107 - Sending certificate chains in IKEv2

    Fixed in -05. Added "Note that with this encoding, if a chain of certificates needs to be sent, multiple CERT payloads are used, only the first of which holds the public key used to validate the sender's AUTH payload."

--Paul Hoffman, Director
--VPN Consortium
