At 5:29 PM +0300 9/10/10, Tero Kivinen wrote:
>Paul Hoffman writes:
>> >True, we need some other term for it. Something like the original
>> >IKE_SA_INIT initiator or the party initiating the initial connection
>> >(i.e. triggering). Or simply say that the QCD_TOKENs in INFORMATIONAL
>> >exchanges and rekeys can only be sent by the peer who originally sent
>> >them in the IKE_AUTH, and in IKE_AUTH limit the QCD_TOKEN to the
>> >responder.
>>
>> Is this added complexity really needed? It sounds like a dangerous
>> addition. Please be sure the value is actually worth the risk.
>
>I am suggesting simplifying the protocol, not adding complexity. It
>might add some text to the specification, but reduce code from the
>implementation, as then implementation is always either token maker or
>taker, never both.
Ah! I hadn't seen it that way. That works. :-)

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
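As an added illustration of the role rule discussed in the message above (constructed for this page; it is not code from the thread, from any RFC, or from any IKEv2 implementation), the Python model below makes a peer either a token maker or a token taker for one IKE SA, never both: a QCD_TOKEN is accepted in IKE_AUTH only from the responder, and in later INFORMATIONAL or rekey exchanges only from the peer that sent it in IKE_AUTH. The token construction (an HMAC over the two SPIs under a local secret), the dictionary message layout, and the use of CREATE_CHILD_SA as the rekey exchange are assumptions made for the example.

```python
"""Toy model of the QCD_TOKEN role rule proposed in the thread.

Constructed example, not code from the IETF thread, an RFC or any IKEv2
implementation. Token construction, message layout and the use of
CREATE_CHILD_SA as the rekey exchange are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Exchange(Enum):
    IKE_AUTH = "IKE_AUTH"
    CREATE_CHILD_SA = "CREATE_CHILD_SA"  # assumed to carry the IKE SA rekey here
    INFORMATIONAL = "INFORMATIONAL"


class Role(Enum):
    UNDECIDED = "undecided"  # no QCD_TOKEN seen yet on this IKE SA
    MAKER = "token maker"
    TAKER = "token taker"


@dataclass
class Peer:
    name: str
    original_initiator: bool  # sent the IKE_SA_INIT request for this IKE SA
    role: Role = Role.UNDECIDED
    secret: bytes = field(default_factory=lambda: os.urandom(32))  # assumed maker secret
    stored_token: Optional[bytes] = None

    def make_token(self, spi_i: bytes, spi_r: bytes) -> bytes:
        # Assumed token construction: MAC over both SPIs under the maker secret.
        return hmac.new(self.secret, spi_i + spi_r, hashlib.sha256).digest()

    def may_send_token(self, exchange: Exchange) -> bool:
        """Sender-side rule: who may put a QCD_TOKEN into this exchange."""
        if exchange is Exchange.IKE_AUTH:
            # Only the IKE_AUTH responder, and only if it has not become a taker.
            return not self.original_initiator and self.role is not Role.TAKER
        # INFORMATIONAL and rekey: only the peer that sent the token in IKE_AUTH.
        return self.role is Role.MAKER

    def send_token(self, exchange: Exchange, spi_i: bytes, spi_r: bytes) -> dict:
        if not self.may_send_token(exchange):
            raise PermissionError(f"{self.name} must not send QCD_TOKEN in {exchange.value}")
        self.role = Role.MAKER
        return {"exchange": exchange, "from": self.name, "QCD_TOKEN": self.make_token(spi_i, spi_r)}

    def receive_token(self, msg: dict, sender_original_initiator: bool) -> bool:
        """Receiver-side rule; True when the token is accepted and stored."""
        if self.role is Role.MAKER:
            return False  # a maker never takes tokens: never both roles on one SA
        if msg["exchange"] is Exchange.IKE_AUTH:
            if sender_original_initiator:
                return False  # in IKE_AUTH only the responder may send a token
        elif self.role is not Role.TAKER:
            return False  # nothing was set up in IKE_AUTH, so no token may appear later
        self.role = Role.TAKER
        self.stored_token = msg["QCD_TOKEN"]
        return True


def run_scenario() -> dict:
    """One IKE SA through IKE_AUTH, a rekey, and two disallowed token attempts."""
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")  # constructed
    initiator = Peer("initiator", original_initiator=True)
    responder = Peer("responder", original_initiator=False)
    result = {}

    # IKE_AUTH: the responder issues a token, the initiator stores it.
    msg = responder.send_token(Exchange.IKE_AUTH, spi_i, spi_r)
    result["ike_auth_accepted"] = initiator.receive_token(msg, sender_original_initiator=False)

    # Rekey: the same maker refreshes the token for the new SPIs; the taker replaces its copy.
    new_spi_i, new_spi_r = bytes.fromhex("2122232425262728"), bytes.fromhex("3132333435363738")
    old_token = initiator.stored_token
    msg = responder.send_token(Exchange.CREATE_CHILD_SA, new_spi_i, new_spi_r)
    result["rekey_accepted"] = initiator.receive_token(msg, sender_original_initiator=False)
    result["token_rotated"] = initiator.stored_token != old_token

    # The taker tries to act as a maker in INFORMATIONAL: refused before anything is sent.
    try:
        initiator.send_token(Exchange.INFORMATIONAL, new_spi_i, new_spi_r)
        result["taker_send_refused"] = False
    except PermissionError:
        result["taker_send_refused"] = True

    # A token arriving at the maker from the wrong direction is ignored, not stored.
    forged = {"exchange": Exchange.INFORMATIONAL, "from": "initiator", "QCD_TOKEN": b"\x00" * 32}
    result["maker_ignores_token"] = not responder.receive_token(forged, sender_original_initiator=True)
    result["roles"] = (initiator.role.value, responder.role.value)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the reduction Tero describes: because the role is fixed once a token is seen in IKE_AUTH, each side needs only one of the two code paths per IKE SA, and a token that arrives from the wrong direction is dropped by a single role check rather than by per-exchange logic.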