Yaron Sheffer writes:
> So I don't think we need a whole framework. We just need a way for the
> two peers to negotiate which method(s) they support early enough, i.e.
> in IKE_SA_INIT. In PACE we use a notification, and I strongly urge the
> two other documents' authors to do the same. But I'm willing to be
> convinced to switch to another method if that's the group's preference.

So you want exactly what my framework is, i.e. a common way to negotiate the use of methods.

> Other than that, I really don't see the value in uniform "meta-payloads"
> and "super-notifications", or how they would simplify implementations.

As an implementor, all of those methods seem to use mostly similar payloads. Also I do not see any reason to use a different exchange type for different methods, as they do not really change the way the IKE_AUTH exchange works.

The meta-payloads make IKEv2 library code easier, as it just needs to implement parsing, encoding, debug printing etc. for only one payload. It does not need to know anything about the internals of the payload data. It will just give that to the method, which will then parse and process it further. This means that when we first implement the first method we need to write code to parse/generate those meta-payloads and that's it. When we add another method later we do not need to touch that part of the code at all; we just add the method-specific parsing in the library doing that stuff.

The payloads coming out of the IKEv2 require all kinds of generic checking that can be shared between these similar payloads, but if each of them is implemented as a separate payload type, then it needs to be duplicated.

The super-notification is simply just a way to make sure the IKE_SA_INIT packet stays small enough. We do not want to add too many notification payloads there.

On the other hand, as we do make an OEM toolkit, I do see that we for example most likely will be implementing multiple of those methods, which means that it is important for us that those methods can easily co-exist in the same implementation.
-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
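The design argued for above (one generic meta-payload whose framing the library validates, with method-specific parsing plugged in behind it, plus a single notification listing every supported method for IKE_SA_INIT) can be illustrated with a small Python sketch. This is an added example, not code from the thread or from any IKEv2 implementation; the wire layouts, method identifiers (METHOD_A, METHOD_B) and notification format are constructed for illustration and are not the RFC 5996 or IANA-defined ones.

```python
import struct
from typing import Callable, Dict, List, Tuple

# Constructed wire layout for a hypothetical meta-payload:
# 2-byte method id, 2-byte length of the method data, then opaque method data.
META_HEADER = struct.Struct("!HH")

# Constructed method identifiers; not IANA-assigned IKEv2 values.
METHOD_A = 1
METHOD_B = 2


def encode_meta_payload(method_id: int, data: bytes) -> bytes:
    """Generic encoder: the library frames the data without interpreting it."""
    if not 0 <= method_id <= 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("method id or data length out of range")
    return META_HEADER.pack(method_id, len(data)) + data


def decode_meta_payload(buf: bytes) -> Tuple[int, bytes, bytes]:
    """Generic decoder shared by all methods: returns (method_id, data, rest).

    Only framing is validated here (truncated header, length past the end of
    the buffer); the bytes in `data` are handed to the method untouched.
    """
    if len(buf) < META_HEADER.size:
        raise ValueError("truncated meta-payload header")
    method_id, length = META_HEADER.unpack_from(buf)
    end = META_HEADER.size + length
    if len(buf) < end:
        raise ValueError("meta-payload length exceeds available bytes")
    return method_id, buf[META_HEADER.size:end], buf[end:]


# Registry of method-specific parsers. Adding a method means adding an entry
# here; the generic encode/decode code above is not touched.
MethodHandler = Callable[[bytes], dict]
HANDLERS: Dict[int, MethodHandler] = {}


def register_method(method_id: int):
    def deco(fn: MethodHandler) -> MethodHandler:
        HANDLERS[method_id] = fn
        return fn
    return deco


@register_method(METHOD_A)
def parse_method_a(data: bytes) -> dict:
    # Constructed inner format for method A: one 4-byte big-endian counter.
    if len(data) != 4:
        raise ValueError("method A expects exactly 4 bytes")
    return {"method": "A", "counter": struct.unpack("!I", data)[0]}


@register_method(METHOD_B)
def parse_method_b(data: bytes) -> dict:
    # Constructed inner format for method B: a 1-byte flag then an opaque blob.
    if not data:
        raise ValueError("method B expects at least 1 byte")
    return {"method": "B", "flag": data[0], "blob": data[1:]}


def process_meta_payload(buf: bytes) -> Tuple[dict, bytes]:
    """Library entry point: generic framing check, then dispatch to the method."""
    method_id, data, rest = decode_meta_payload(buf)
    handler = HANDLERS.get(method_id)
    if handler is None:
        raise ValueError(f"unsupported method {method_id}")
    return handler(data), rest


# Constructed "super-notification" for IKE_SA_INIT: one notification carrying
# the list of supported method ids (2 bytes each) rather than one
# notification per method, keeping the IKE_SA_INIT message small.
def encode_supported_methods(method_ids: List[int]) -> bytes:
    return b"".join(struct.pack("!H", m) for m in method_ids)


def decode_supported_methods(data: bytes) -> List[int]:
    if len(data) % 2:
        raise ValueError("odd-length supported-methods notification")
    return [struct.unpack_from("!H", data, i)[0] for i in range(0, len(data), 2)]


def negotiate(initiator: List[int], responder: List[int]) -> List[int]:
    """Methods both peers advertise, kept in the initiator's preference order."""
    responder_set = set(decode_supported_methods(encode_supported_methods(responder)))
    return [m for m in initiator if m in responder_set]


if __name__ == "__main__":
    # Constructed sample: two meta-payloads back to back in one message.
    wire = encode_meta_payload(METHOD_A, b"\x00\x00\x00\x2a") + \
        encode_meta_payload(METHOD_B, b"\x01hi")
    first, rest = process_meta_payload(wire)
    second, _ = process_meta_payload(rest)
    print(first, second, negotiate([METHOD_B, METHOD_A, 7], [METHOD_A, METHOD_B]))
```

The point the sketch makes is structural: the length and bounds checks live once in decode_meta_payload, so every method benefits from them, and an unknown or malformed method body is rejected either by the registry lookup or by the method's own parser without the generic layer needing to change.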