Hi,
a couple of comments.
I think that the profile is generally OK, but it seems to me that a few issues
persist.
1. The
Certificate Encoding "PKCS #7 wrapped X.509 certificate" (1) MUST be
supported. See [IKEV2IANA] for this and other IANA IKEv2 parameter
names used in th
On Tue, 25 Feb 2020, Michael Richardson wrote:
Yoav Nir wrote:
> The profile specifies that the ACP nodes should use tunnel mode (when
> GRE is not used), because: IPsec tunnel mode is required because the
> ACP will route/forward packets received from any other ACP node across
> th
Yoav Nir wrote:
> The draft says “IPsec tunnel mode is required”, so it’s not
> transport. What goes in the TS payloads?
TSi=HostA-LL/128, TSr=HostB-LL/128, Protocol = GRE(47) or IPIP(41)
>> On 26 Feb 2020, at 3:20, Michael Richardson
>> wrote:
>>
>>
>>> Michael: Y
On Wed, 26 Feb 2020, Valery Smyslov wrote:
1. The
Certificate Encoding "PKCS #7 wrapped X.509 certificate" (1) MUST be
supported. See [IKEV2IANA] for this and other IANA IKEv2 parameter
names used in this text.
“PKCS #7 wrapped X.509 certificate” certificate encoding is deprecate
Paul Wouters wrote:
> I agree it should not try to dictate how certificate based IKE
> certification works, but just reference to IKEv2 and its updates for
> that.
+1
>> Another point: trust anchor certificates usually are not
>> included in CERT payload in IKEv2.
> On 26 Feb 2020, at 19:56, Michael Richardson wrote:
>
>
> Yoav Nir wrote:
>> The draft says “IPsec tunnel mode is required”, so it’s not
>> transport. What goes in the TS payloads?
>
> TSi=HostA-LL/128, TSr=HostB-LL/128, Protocol = GRE(47) or IPIP(41)
If that’s the intention, I don’t see