Hi,

>> I think that a way to negotiate this is as if it was a unique cipher.
>
> BTW: I recognize that this might require a new value for each cipher.
>
> As such, it's not a great long term solution, but I would claim that it
> probably applies to a few ciphers very specifically at first.
>
> Once the new layout is so popular, then we could pursue some other way to do
> this. Probably that means the same Notify() mechanism we use for
> TRANSPORT_MODE/etc.
> I'm not especially fond of this architecturally, but it certainly works.

I guess this would be an option for our particular problem. Nevertheless, I agree the inflationary use of IDs is a problem. Also, I see the possibility of confusion for the readers, i.e. having three AES-GCM modes. This would also reduce the number of interop tests, as we would have one cipher that works a little differently. In contrast to having an option for full 64-bit sequence numbers, multiple replay windows, etc. and a combination of each. Hence, in a data center environment one could simply use two code paths depending on the IKE negotiation.