[IPsec] ike v1 IV question

2009-05-13 Thread paul moore
How should the IV be set for an informational message that is generated during phase 1? I see conflicting implementations and the V1 RFCs don't say (or at least don't say it clearly). Specific example is when doing a cert auth phase1 and the responder rejects the cert, the responder sends a infor

Re: [IPsec] One question for IKE/IPsec

2009-05-15 Thread Paul Moore
With racoon you can use racoonctl to launch a phase1 without a phase2 --Original Message-- From: Paul Hoffman To: denghu...@gmail.com Cc: ipsec@ietf.org Cc: y...@checkpoint.com Sent: May 15, 2009 8:09 AM Subject: Re: [IPsec] One question for IKE/IPsec At 8:10 PM +0800 5/15/09, Hui Deng wr

[IPsec] reposting question re IKEV1 IV

2009-05-18 Thread paul moore
I asked this once and nobody answered - I will try again. How should the IV be set for an informational message that is generated during phase 1? I see conflicting implementations and the V1 RFCs don't say (or at least don't say it clearly). Specific example is when doing a cert auth and the respond

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-07 Thread Paul Moore
n MLS (imagine the FIPS-188 freeform tag). This way users who only need labeling support are not required to go through the IPsec end node processing while those users who do not already have a fully trusted network can run IPsec on the untrusted links to secure the packet, the label and their binding. -- paul moore linux @ hp ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-07 Thread Paul Moore
option would be immutable it could also be protected with AH allowing for intermediate nodes to apply security policy based on the label. Although I do understand AH is falling out of favor. -- paul moore linux @ hp

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-07 Thread Paul Moore
On Monday 07 December 2009 04:51:10 pm Nicolas Williams wrote: > On Mon, Dec 07, 2009 at 04:37:50PM -0500, Paul Moore wrote: > > I've mentioned all of this before, but my main fundamental concern with > > the proposed labeled IPsec spec is that not everyone who wants labeled

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-07 Thread Paul Moore
On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote: > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote: > > > But this is not a reason to oppose labelled IPsec. It's a reason to > > > want an extended IP packet labelling standard. > > > > Wh

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-07 Thread Paul Moore
On Monday 07 December 2009 07:41:21 pm Nicolas Williams wrote: > On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote: > > On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote: > > > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote: > > > > Wh

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-08 Thread Paul Moore
On Monday 07 December 2009 11:59:51 pm Steven Bellovin wrote: > On Dec 7, 2009, at 5:26 PM, Paul Moore wrote: > > On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote: > >> Paul, > >> > >> From your comments it seems as though an IP option would be

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-09 Thread Paul Moore
el, in whatever representation seems "the best" given what we currently know. Specify in great detail what the on-the-wire format should look like and let the individual implementations worry about translating from their native format to the wire format. I suspect this will provide the highest level of interoperability and as a result, adoption. -- paul moore linux @ hp

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-09 Thread Paul Moore
On Wednesday 09 December 2009 02:06:04 pm David P. Quigley wrote: > On Wed, 2009-12-09 at 12:31 -0500, Paul Moore wrote: > > On Wednesday 09 December 2009 10:21:30 am David P. Quigley wrote: > > > On Tue, 2009-12-08 at 19:57 -0800, Casey Schaufler wrote: > > > [snip] &g

Re: [IPsec] Proposed work item: Labelled IPsec

2009-12-09 Thread Paul Moore
On Wednesday 09 December 2009 02:31:16 pm Jarrett Lu wrote: > Paul Moore wrote: > > I agree with Casey and David. I think the only way we stand any chance > > of success is to develop an on-the-wire format that can be easily > > internalized by a variety of implementations.

Re: [IPsec] a new IKEv2 labeled security draft is published

2010-07-30 Thread Paul Moore
on at the end of the draft. -- paul moore linux @ hp

Re: [IPsec] a new IKEv2 labeled security draft is published

2010-08-02 Thread Paul Moore
On Mon, 2010-08-02 at 08:18 -0400, David P. Quigley wrote: > On Fri, 2010-07-30 at 16:49 -0400, Paul Moore wrote: > > On Wed, 2010-07-28 at 00:30 -0700, jarrett...@oracle.com wrote: > > > A new 00 version of IKEv2 extension for security label has just been > > > p

Re: [IPsec] a new IKEv2 labeled security draft is published

2010-08-02 Thread Paul Moore
On Mon, 2010-08-02 at 09:37 -0400, David P. Quigley wrote: > On Mon, 2010-08-02 at 09:36 -0400, Paul Moore wrote: > > On Mon, 2010-08-02 at 08:18 -0400, David P. Quigley wrote: > > > On Fri, 2010-07-30 at 16:49 -0400, Paul Moore wrote: > > > > On Wed, 2010

Re: [IPsec] a new IKEv2 labeled security draft is published

2010-08-02 Thread Paul Moore
On Mon, 2010-08-02 at 10:32 -0400, David P. Quigley wrote: > On Mon, 2010-08-02 at 10:12 -0400, Paul Moore wrote: > > I would encourage you to publish the LFS draft as soon as possible so > > that we can take a look at both specifications together since the IKE > > draft does

Re: [IPsec] a new IKEv2 labeled security draft is published

2010-08-02 Thread Paul Moore
On Mon, 2010-08-02 at 09:09 -0700, Jarrett Lu wrote: > Paul Moore wrote: > > On Mon, 2010-08-02 at 10:32 -0400, David P. Quigley wrote: > > > >> On Mon, 2010-08-02 at 10:12 -0400, Paul Moore wrote: > >>> While leaving large chunks of the protocol out of the