[Swan-dev] pluto: Change some connection loading IKE version checks

Paul Wouters paul at nohats.ca
Mon Aug 5 22:51:30 UTC 2019


On Mon, 5 Aug 2019, D. Hugh Redelmeier wrote:

> I don't understand why 211c2b7b1fce9c72f15e68de6b69580c050e954d is a good
> idea.
>
> The old tests were of the form "if we are not the right version, complain"
> The new versions are of the form "if we are a particular wrong version,
> complain"
>
> The original versions seem more robust.
>
> Paul: can you explain why you think that the new version is an
> improvement?

Most of the tests are for features we only support in IKEv2, which
really means "from IKEv2 onwards". For example, we would expect
IKEv2.1 or IKEv3 to still support MOBIKE or RFC7427 style Digital
Signatures.

Once we implement IKEv2.1 or IKEv3, we would only need to look
at the difference between IKEv2 and IKEv3. The old code would however
break everything because it wrongly assumes "not IKEv2" means "IKEv1".

Paul
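The two shapes of version check discussed in this thread, as an added C illustration that is not pluto's code: the `ike_version` enum, the `conn` struct, the function names and the constructed connection are assumptions, and IKEv3 stands in for any hypothetical future version that keeps IKEv2's features.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical version enum for illustration; not pluto's real definition.
 * IKEv3 is a stand-in for a future version that still supports the
 * IKEv2 feature set. */
enum ike_version { IKEv1 = 1, IKEv2 = 2, IKEv3 = 3 };

/* Constructed subset of a connection's options (not libreswan's struct). */
struct conn {
	const char *name;
	enum ike_version ike_version;
	bool mobike;          /* MOBIKE requested */
	bool digsig_rfc7427;  /* RFC 7427 digital-signature authentication */
};

/* Old form: "if we are not the right version, complain".
 * Anything that is not IKEv2, including a future IKEv3, is rejected.
 * Returns the number of complaints logged. */
static int check_conn_old(const struct conn *c)
{
	int complaints = 0;
	if (c->mobike && c->ike_version != IKEv2) {
		fprintf(stderr, "%s: MOBIKE requires IKEv2\n", c->name);
		complaints++;
	}
	if (c->digsig_rfc7427 && c->ike_version != IKEv2) {
		fprintf(stderr, "%s: RFC 7427 signatures require IKEv2\n", c->name);
		complaints++;
	}
	return complaints;
}

/* New form: "if we are a particular wrong version, complain".
 * Only IKEv1 lacks these features, so only IKEv1 is rejected. */
static int check_conn_new(const struct conn *c)
{
	int complaints = 0;
	if (c->mobike && c->ike_version == IKEv1) {
		fprintf(stderr, "%s: MOBIKE is not supported in IKEv1\n", c->name);
		complaints++;
	}
	if (c->digsig_rfc7427 && c->ike_version == IKEv1) {
		fprintf(stderr, "%s: RFC 7427 signatures are not supported in IKEv1\n", c->name);
		complaints++;
	}
	return complaints;
}

/* Helpers: complaints for a connection requesting both features at version v. */
static int old_complaints_for(enum ike_version v)
{
	struct conn c = { "old-check", v, true, true };
	return check_conn_old(&c);
}

static int new_complaints_for(enum ike_version v)
{
	struct conn c = { "new-check", v, true, true };
	return check_conn_new(&c);
}
```

For IKEv1 and IKEv2 both forms agree; for the hypothetical IKEv3 the old form logs two spurious complaints while the new form logs none.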
