Paul Hoffman writes:
> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/176>
>
> Pasi says:
>
> Section 3.3.6 says "If one of the proposals offered is for the
> Diffie-Hellman group of NONE, the responder MUST ignore the
> initiator's KE payload and omit the KE payload from the response."
>
> This seems wrong: it seems to say that if the initiator proposes DH group
> NONE, the responder must select it.
>
> However, negotiation of DH groups and KE payload is already well
> described in Sections 1.2 and 1.3 (paragraphs mentioning
> INVALID_KE_PAYLOAD), and it seems the last paragraph of 3.3.6 is
> completely redundant. Thus, I'd propose just deleting the whole
> paragraph.
>
> Paul says:
>
> That whole paragraph has been there since -00. Only the last
> sentence was added in -03 almost a year ago. It was added to fix
> <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/6>, but I can
> easily believe that fix was not correct. However, sections 1.2 and
> 1.3 don't address the issue in the sentence quoted.
The last sentence is the one that is misleading. All of the rest of the paragraph is just repetition of the text from elsewhere. The last sentence should be saying:

If one of the proposals offered is for the Diffie-Hellman group of NONE, and the responder selects that Diffie-Hellman group, then it MUST ignore the initiator's KE payload and omit the KE payload from the response.

I.e., the "MUST ignore ... and omit the KE payload" is only applicable if the responder actually selects the Diffie-Hellman group NONE.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
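The following is an added illustration of the two readings discussed in this thread, not text or code from the draft or the working group: a responder model that applies the clarified rule (KE payload ignored and omitted only when the selected DH group is NONE), with a flag that instead applies the Section 3.3.6 wording literally so the breakage is visible. Group numbers are IANA Transform Type 4 identifiers (0 = NONE, 14 = 2048-bit MODP); the KE public values are constructed placeholders.

```python
"""Responder handling of the IKEv2 KE payload when the initiator's proposal
list includes DH group NONE. Illustrative model (added example), not RFC code.
Group numbers are IANA Transform Type 4 IDs: 0 = NONE, 14 = 2048-bit MODP."""
from dataclasses import dataclass
from typing import List, Optional

DH_NONE = 0


@dataclass
class Response:
    chosen_group: int              # -1 when no proposal was acceptable
    ke_payload: Optional[bytes]    # None = KE payload omitted from the response
    notify: Optional[str] = None   # notify type sent instead of a normal reply


def select_group(offered: List[int], acceptable: List[int]) -> int:
    """First offered DH group that the responder's policy accepts, or -1."""
    return next((g for g in offered if g in acceptable), -1)


def respond(offered, acceptable, ke_group, ke_data, literal_3_3_6=False):
    """offered: DH groups of the initiator's proposals (0 = NONE).
    ke_group/ke_data: group and public value of the initiator's KE payload
    (None, None when the initiator sent no KE payload).
    literal_3_3_6=True applies the draft wording as written: the mere presence
    of NONE among the proposals makes the responder drop the KE payload."""
    chosen = select_group(offered, acceptable)
    if chosen == -1:
        return Response(-1, None, "NO_PROPOSAL_CHOSEN")
    if literal_3_3_6 and DH_NONE in offered:
        return Response(chosen, None)   # misleading reading: KE dropped though chosen != NONE
    if chosen == DH_NONE:
        # Clarified rule: only a *selected* group of NONE means "ignore KE, send no KE".
        return Response(chosen, None)
    if ke_group != chosen:
        # Initiator's KE payload is for another group: ask for the selected one
        # (the INVALID_KE_PAYLOAD handling described in Sections 1.2 and 1.3).
        return Response(chosen, None, f"INVALID_KE_PAYLOAD({chosen})")
    # Constructed stand-in for the responder's own public value for this group.
    our_ke = bytes([chosen]) + b"responder-public-value"
    return Response(chosen, our_ke)


if __name__ == "__main__":
    offered = [14, DH_NONE]                        # two proposals, PFS preferred
    print(respond(offered, [14], 14, b"gx"))                       # KE present
    print(respond(offered, [14], 14, b"gx", literal_3_3_6=True))   # KE wrongly omitted
```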