Hi Valery,

I previously reviewed this draft before the working group adoption. I’ve reviewed the latest version and I think it’s in good shape.

Here I have only two questions for your confirmation.

1. If the initiator proposes USE_PPK_INT in the request but the responder doesn’t include it in the response, and the initiator still includes PPK_IDENTITY_KEY when creating the Child SA, how should the responder process it at this time? The other similar situation is that the initiator doesn’t include USE_PPK_INT when creating the IKE_SA but includes PPK_IDENTITY_KEY when creating the Child SA. Should the responder reply with NO_PROPOSAL_CHOSEN, or ignore the PPK_IDENTITY_KEY and process as usual?

2. Currently, the PPK confirmation in the PPK_IDENTITY_KEY is only generated by the initiator and validated by the responder. Is there a need to let the responder generate a new PPK confirmation in the response, to be validated by the initiator?

One nit in the second paragraph in section 3.2: s/THe PPK Confirmation/The PPK Confirmation.

Regards & Thanks!

Wei PAN (潘伟)