
(racoon 898) Re: "DOI value of CONNECTED Notify Message has problem"



On Fri, 14 Jan 2005 20:55:43 +0900
"Haoda" <haoda@ysh.com.cn> wrote:

> I agree with your option, but I think it is different from the
> test case which wrote in my previous email.

Yes, it's different. My figure shows a responder as the sending entity,
but in your figure the sending entity is an initiator. As I wrote in
my previous mail, IMHO, only the AM(Aggressive Mode)/QM(Quick Mode)
responders get the advantage of this functionality, i.e. not much use
for initiators to set the commit bit. AM/QM consists of 3 sequences,
and it always ends up with an initiator as the sending entity. So
what's the point of adding an extra sequence from an initiator? It
does make sense to add an extra sequence from a responder, I suppose.
Imagine a VPN concentrator managing a couple of thousand IPsec
connections, always acting as an AM/QM responder. I suppose this VPN
concentrator wants to get control of all the connections, i.e. let
initiators wait for IPsec/IKE SA establishment until the concentrator is
ready for it.

> I think our test specification is matched with RFC. Do you think it is
> acceptable?

IMHO, no, it's not acceptable.

Any other opinions?

P.S.
This is not really a racoon related matter. The IETF ipsec-ml may be the
right place to ask about these things, I think.
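The mechanics under discussion, as an added example that is not part of the original thread and not racoon's code: the Commit bit lives in the Flags octet of the ISAKMP header (RFC 2408 section 3.1), and the extra "sequence" the reply talks about is an Informational exchange carrying a Notification payload of type CONNECTED (16384, RFC 2408 section 3.14). The parser below decodes both fields from a constructed, plaintext message (a real phase-2 Informational would be encrypted under the ISAKMP SA, so the E bit check here is a placeholder for "decrypt first") and then applies the rule that the side which did not set the Commit bit waits for CONNECTED. Which DOI value CONNECTED should carry is exactly what the thread disputes, so `initiator_may_use_sa` takes the expected DOI as a parameter instead of deciding; the default of 1 (IPsec DOI, RFC 2407), the protocol-ID 3 (ESP) and the SPI are assumptions for the sample packet.

```python
"""Decode ISAKMP header flags and CONNECTED notifies; RFC 2408 field layouts."""
import struct

# ISAKMP header Flags octet, RFC 2408 s3.1
FLAG_ENCRYPTION = 0x01  # E bit: payloads after the header are encrypted
FLAG_COMMIT = 0x02      # C bit: peer must wait for CONNECTED before using the SA
FLAG_AUTH_ONLY = 0x04   # A bit

XCHG_INFORMATIONAL = 5  # exchange type used to carry CONNECTED
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 11     # Notification payload type, RFC 2408 s3.1
NOTIFY_CONNECTED = 16384  # RFC 2408 s3.14.1
IPSEC_DOI = 1           # RFC 2407; assumed expected value, the point under dispute
PROTO_ESP = 3           # assumed protocol-ID for the sample packet

HDR = struct.Struct("!8s8sBBBBII")   # 28-byte ISAKMP header
NOTIFY = struct.Struct("!BBHIBBH")   # fixed 12-byte part of a Notification payload


def build_connected(i_cookie, r_cookie, msgid, doi=IPSEC_DOI, proto=PROTO_ESP,
                    spi=b"\x00\x00\x00\x01", flags=0):
    """Constructed Informational message holding one CONNECTED notify (plaintext)."""
    body = NOTIFY.pack(PAYLOAD_NONE, 0, NOTIFY.size + len(spi), doi, proto,
                       len(spi), NOTIFY_CONNECTED) + spi
    hdr = HDR.pack(i_cookie, r_cookie, PAYLOAD_NOTIFY, 0x10, XCHG_INFORMATIONAL,
                   flags, msgid, HDR.size + len(body))
    return hdr + body


def parse(data):
    """Return (header dict, list of notify dicts); raises ValueError on malformed input."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, xchg, flags, msgid, length = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("length field %d != %d bytes received" % (length, len(data)))
    if flags & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; decrypt before parsing")
    notifies, off = [], HDR.size
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        pnext, _, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d" % plen)
        if nxt == PAYLOAD_NOTIFY:
            if plen < NOTIFY.size:
                raise ValueError("short Notification payload")
            _, _, _, doi, proto, spisz, ntype = NOTIFY.unpack_from(data, off)
            if NOTIFY.size + spisz > plen:
                raise ValueError("SPI overruns Notification payload")
            spi = data[off + NOTIFY.size:off + NOTIFY.size + spisz]
            notifies.append({"doi": doi, "proto": proto, "type": ntype, "spi": spi})
        nxt, off = pnext, off + plen
    header = {"exchange": xchg, "flags": flags, "msgid": msgid,
              "commit": bool(flags & FLAG_COMMIT)}
    return header, notifies


def initiator_may_use_sa(responder_flags, received_notifies, expect_doi=IPSEC_DOI):
    """RFC 2408 s3.1 rule: no Commit bit from the responder means the SA is usable
    after the last AM/QM message; with it set, wait for a CONNECTED whose DOI
    matches what this implementation expects (expect_doi is a policy knob)."""
    if not responder_flags & FLAG_COMMIT:
        return True
    return any(n["type"] == NOTIFY_CONNECTED and n["doi"] == expect_doi
               for n in received_notifies)


if __name__ == "__main__":
    msg = build_connected(b"\x01" * 8, b"\x02" * 8, 0x1234)
    hdr, notes = parse(msg)
    print(hdr, notes)
    print("usable after commit+CONNECTED:", initiator_may_use_sa(FLAG_COMMIT, notes))
    print("usable after commit, no CONNECTED:", initiator_may_use_sa(FLAG_COMMIT, []))
```

Feeding a CONNECTED built with `doi=0` into `initiator_may_use_sa` with the default `expect_doi` returns False, which is the interoperability failure an implementation hits when the two sides disagree on the DOI value; whichever value is correct, the decision is the caller's, not the parser's.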