Valery Smyslov writes:
> The fixed 8 bytes were used for simplicity. The purpose of this field
> is only to avoid use of misconfigured PPKs, so it is believed
> that 2^-64 is an adequate chance for misusing PPK.
> In the worst case the SA won't be established with no clear
> reason in the log file - just "invalid ICV".
>
> If you really concern the length might be insufficient, then we can change
> PPK_IDENTITY_KEY to have the confirmation length at the beginning (1 octet)
> following by the confirmation following by the PPK_ID.

I am not really concerned that fixed 8-bytes would not be enough, but
more that we are fixing the length and that might limit the way it can
be used in the future.

I would actually be more happy by format where we have PPK_ID len, and
PPK Confirmation lengths in the beginning and then followed by the
PPK_ID and PPK Confirmation, or having PPK_ID len, PPK_ID, PPK
Confirmation len, PPK Confirmation, i.e., format that does not require
using notify data length for anything else than verifying that data is
properly formatted inside.

> > Yes, actually it would be better if the PPK_IDENTIFY notify would
> > have included bit more of than just one octet of the type, then we
> > could have taken another byte for the confirmation length and have
> > that as zero if it is not needed.
>
> This still would be a new notification and not a new ID type.

It could be either way, i.e., we could define PPK_ID Format called
PPK_ID_OPAQUE_WITH_CONF, which would be exactly same as PPK_ID_OPAQUE,
except the 2nd octet would be original PPK_ID_OPAQUE length, and then
next would be PPK_ID_OPAQUE value, and after that would be PPK
Confirmation len followed by PPK Confirmation.

But anyways if you think it is easier the way it is now, that's fine by
me.

> > Anyways this is minor point, I am just bit concerned of the fixed 8 octet
> > stuff we have there... They have a habit of causing problems.
>
> See above.

If we would have had PPK_ID format originally so it has type, and
length and then actual data, then we could simply have added stuff at
the end for confirmation (length + confirmation), now we need new
notify as we can't modify the original format.
-- 
kivi...@iki.fi
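
The length-prefixed layout discussed above (PPK_ID len, PPK_ID, PPK Confirmation len, PPK Confirmation), as an added example that is not part of the original message or of any draft: a C parser in which the notify data length is used only to check that the fields fit exactly. The one-octet length fields, all function, type and constant names, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (hypothetical, taken from the discussion, not from a spec):
 * | id_len (1) | PPK_ID (id_len) | conf_len (1) | PPK Confirmation (conf_len) | */
struct ppk_fields {
    const uint8_t *id;   size_t id_len;
    const uint8_t *conf; size_t conf_len;  /* conf_len == 0: no confirmation */
};

enum { PPK_OK = 0, PPK_TRUNCATED = -1, PPK_TRAILING = -2 };

/* Parse notify data of `len` octets. `len` is never used to derive a field
 * size; it only bounds the reads and must be consumed exactly. */
int ppk_parse(const uint8_t *data, size_t len, struct ppk_fields *out)
{
    size_t off = 0;  /* invariant: off <= len */

    if (len - off < 1) return PPK_TRUNCATED;
    out->id_len = data[off++];
    if (len - off < out->id_len) return PPK_TRUNCATED;
    out->id = data + off;
    off += out->id_len;

    if (len - off < 1) return PPK_TRUNCATED;
    out->conf_len = data[off++];
    if (len - off < out->conf_len) return PPK_TRUNCATED;
    out->conf = out->conf_len ? data + off : NULL;
    off += out->conf_len;

    /* Leftover octets mean the sender and receiver disagree on the format. */
    return off == len ? PPK_OK : PPK_TRAILING;
}

/* Constructed sample: 3-octet PPK_ID "key", 2-octet confirmation AA BB. */
static const uint8_t ppk_sample[] = { 3, 'k', 'e', 'y', 2, 0xAA, 0xBB };

int main(void)
{
    struct ppk_fields f;
    int rc = ppk_parse(ppk_sample, sizeof ppk_sample, &f);
    if (rc != PPK_OK) {
        fprintf(stderr, "malformed PPK notify data (%d)\n", rc);
        return 1;
    }
    printf("id_len=%zu conf_len=%zu\n", f.id_len, f.conf_len);
    return 0;
}
```

Because each field carries its own length, a truncated or over-long payload is reported as a distinct parse error before any key material is used.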