On Thu, 12 Dec 2019, Tero Kivinen wrote:
> > Option 1 looks like the clearest from a pure theoretical point of view,
> > however I agree that it could lead to TS types explosion in the future.
> Yes, I think option 1 would be the most proper way of doing the
> negotiation. I am not sure if we are going to get that many new
> traffic selectors in the future, so I do not think the TS types
> explosion is going to be that big an issue.
That is fair.
> If it gets the same information during IKE_SA_INIT (missing
> SECLABELS_SUPPORTED), it cannot trust that thing yet as the other end is
> not authenticated, so it will need to run IKE_AUTH to the end anyway
> to make sure that there was no attack removing that
> SECLABELS_SUPPORTED notification. So it will detect that error at the
> end of IKE_AUTH always.
>
> In that case there is no point in adding a notification to the
> IKE_SA_INIT.
Indeed.
PUL
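As an added illustration of the point above (example code, not from this thread or any IKEv2 implementation): a simplified model of RFC 7296 shared-key authentication, where each side's AUTH payload is a prf over the peer's entire IKE_SA_INIT message. Because the responder computes AUTH over the message it actually sent while the initiator verifies over the message it actually received, a missing SECLABELS_SUPPORTED notify cannot be trusted in IKE_SA_INIT, but its removal by an on-path party is always caught at the end of IKE_AUTH. Message encodings and IDs below are constructed, not the real wire format.

```python
import hmac
import hashlib
import os

# Simplified model of RFC 7296 Section 2.15 shared-key authentication:
# AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
# where the responder's SignedOctets = RealMessage2 | NonceIData | MACedIDForR.
# The payload encodings here are constructed for this example only.

KEY_PAD = b"Key Pad for IKEv2"
SECLABELS_SUPPORTED = b"N(SECLABELS_SUPPORTED)"
MACED_ID_R = b"MACedIDForR"  # constructed stand-in for prf(SK_pr, IDr)


def build_init_message(notifies):
    """Constructed IKE_SA_INIT response: SA, KE, Nr, then notify payloads."""
    return b"|".join([b"SA", b"KE", b"Nr"] + list(notifies))


def auth_payload(shared_secret, signed_message, peer_nonce, maced_id):
    """Compute the AUTH payload over the full IKE_SA_INIT message."""
    key = hmac.new(shared_secret, KEY_PAD, hashlib.sha256).digest()
    signed_octets = signed_message + peer_nonce + maced_id
    return hmac.new(key, signed_octets, hashlib.sha256).digest()


def run_exchange(shared_secret, notify_stripped_in_transit):
    """Initiator's view: (notify seen in IKE_SA_INIT, IKE_AUTH verified)."""
    nonce_i = os.urandom(16)
    # The responder advertises label support in its IKE_SA_INIT response.
    sent_msg2 = build_init_message([SECLABELS_SUPPORTED])
    received_msg2 = sent_msg2
    if notify_stripped_in_transit:
        # An unauthenticated message can be altered on the path; the
        # initiator only sees a response without the notify.
        received_msg2 = build_init_message([])
    notify_seen = SECLABELS_SUPPORTED in received_msg2.split(b"|")

    # Responder signs what it sent; initiator verifies what it received.
    auth_r = auth_payload(shared_secret, sent_msg2, nonce_i, MACED_ID_R)
    expected = auth_payload(shared_secret, received_msg2, nonce_i, MACED_ID_R)
    ike_auth_ok = hmac.compare_digest(auth_r, expected)
    return notify_seen, ike_auth_ok
```

Running `run_exchange(b"shared", False)` gives `(True, True)`, while `run_exchange(b"shared", True)` gives `(False, False)`: the absence of the notify alone tells the initiator nothing it can act on, and the tampering surfaces only when AUTH is checked.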
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec