$Id: question,v 1.12 2000/02/24 11:38:29 sakane Exp $

HOW DO I DO ?
Q. ID payload handling in phase 2 for ID types besides IPSECDOI_ID_IP*,
   e.g. IPSECDOI_ID_DER_ASN1_DN.  Well, are these used in phase 2 at all?
Q. What should I do when the HARD lifetime expiration has come?
Q. When a node has multiple addresses, I check only the destination address in phase 2.
	Must both src and dst be checked?
Q. replay prevention
	limited number of sessions
	limited number of sessions per peer
	number of proposals
	....
Q. How to support multiple interfaces?
	connect to a dummy socket, like ping6.
	bind every address, like named.
   Currently it is the former.
Q. Padding for data attributes.
Q. vendorid's hash algorithm
	For aggressive mode?
	In main mode, should I use the negotiated algorithm?

	-> it's not negotiated
Q. Encryption during aggressive mode.
	When we receive the encrypted packet of the 1st exchange from the responder,
	it can be decoded.  When we are the responder, should we send it encrypted?
Q. Packet padding?  In particular, for variable-length attributes.
Q. What is the purpose of the exchange of DH attributes in quick mode?
	-> pfs
Q. Should I check whether the phase 2 PFS group is acceptable?
   If the initiator requests PFS, should we accept it without an acceptability check?
	-> well-known issue

Q. Is it a typo that the body of the nonce payload during the base mode exchange
   is written as Ni_b / Nr_b?
            HDR, SA, Idii, Ni_b     =>
                           Ni ???
                                    <= HDR, SA, Idir, Nr_b
                                                      Nr ???
A. Yes, a typo.  (by Network Associates.)

Q. What's the proto_id in the notify message of the responder's 2nd message, with
   commit bit processing, when multiple different SAs are applied?
Q. Is it forbidden to clear the commit bit during phase 2 negotiation?
	-> not forbidden

Q. How many times is the notify message sent?
A. Don't resend the notify message, because the peer can use an Acknowledged
   Informational if it requires a reply to the notify message.

Q. What kind of policy configuration is desired?
   policy.conf makes sense in certain situations only, such as:
   - we are the initiator, and are trying to enforce a certain configuration.

   If we would like to talk with strangers (like an IPsec-ready webserver, or an
   "IPsec with everyone" configuration), or need to move from place to place
   (like an IPsec-ready nomadic node), we need the ability to write a "wildcard
   policy entry" which matches situations/packets/whatever, and then install a
   non-wildcard policy entry into the kernel.
   For example:
   - policy.conf says 0.0.0.0/0 -> 0.0.0.0/0, protocol "any", type "use",
     for an "encrypt everything" configuration.
   - the phase 2 ID payload will be exchanged for the real address we have, and
     the one the peer has (a.b.c.d/32).  This is not the same as the "0.0.0.0/0"
     configured in the policy entry.
   - with the current code, policy.conf and the phase 2 ID do not match, and
     the negotiation will fail.

   If we are acting as responder, we will be making the policy entry from the
   phase 2 IDs.  Is it always okay to accept phase 2 IDs as is, into our kernel
   policy?  We'll need to have filtering rules, or mapping rules from phase 2 IDs
   to kernel policy.
   For example:
   - we have 10.1.1.0/24 -> 10.1.2.0/24, protocol "any" in policy.conf.
   - what happens if we get, as responder, 10.1.1.0/25 -> 10.1.2.0/25,
     protocol "any"?  Should we accept it as is, or should we respect our
     configuration?
     If we respect our configuration, 10.1.1.128/25 -> 10.1.2.128/25 traffic
     will be encrypted from our side, and end up being dropped by the peer.
   - what happens if we get, as responder, 10.1.1.0/24 -> 10.1.2.0/24,
     protocol "tcp"?  Should we accept it as is, or should we respect our
     configuration?
     If we respect our configuration, non-tcp traffic will be dropped on
     the peer.
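   A worked check of the two policy problems above, added here as an example
   (it is not racoon code and models no racoon structure): an exact comparison
   of a policy.conf entry against the phase 2 IDs fails for the wildcard entry,
   a containment comparison accepts it, and for the responder case it computes
   the traffic we would encrypt but the peer would drop if we keep our wider
   configured entry.  Policy, ANY_PROTO and the sample addresses are
   assumptions constructed for the example.

```python
# Added example, not racoon code: models the policy.conf vs. phase 2 ID
# comparison discussed above.  Policy, ANY_PROTO and the addresses used
# with it are constructed for this example and match no racoon structure.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_PROTO = 0  # stands for protocol "any"; otherwise an IP protocol number

@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    proto: int

def policy(src, dst, proto=ANY_PROTO):
    """Build an entry such as 10.1.1.0/24 -> 10.1.2.0/24, protocol "any"."""
    return Policy(ip_network(src), ip_network(dst), proto)

def exact_match(conf, ids):
    """The strict comparison: a wildcard 0.0.0.0/0 entry never equals the
    concrete a.b.c.d/32 IDs carried in the phase 2 ID payloads, so it fails."""
    return conf == ids

def covers(conf, ids):
    """Wildcard-aware comparison: the phase 2 IDs are acceptable when they
    fall inside the configured address ranges and the configured protocol."""
    return (ids.src.subnet_of(conf.src) and ids.dst.subnet_of(conf.dst)
            and conf.proto in (ANY_PROTO, ids.proto))

def dropped_if_we_respect_conf(conf, ids):
    """As responder, if we install our own (wider) entry instead of the
    narrower phase 2 IDs, this is the traffic we would encrypt but the peer
    has no SA for, so the peer drops it.  Returns (src_ranges, dst_ranges,
    proto_only): the uncovered address ranges as strings, and the protocol
    number the peer limited the SA to (None if the peer also said "any")."""
    if not covers(conf, ids):
        raise ValueError("phase 2 IDs are outside the configured entry")
    # address_exclude yields the parts of our range the peer's IDs leave out
    src_left = [str(n) for n in conf.src.address_exclude(ids.src)]
    dst_left = [str(n) for n in conf.dst.address_exclude(ids.dst)]
    proto_only = None
    if conf.proto == ANY_PROTO and ids.proto != ANY_PROTO:
        proto_only = ids.proto
    return src_left, dst_left, proto_only
```

   With the entries from the text, the /25 proposal leaves 10.1.1.128/25 and
   10.1.2.128/25 uncovered, and the "tcp" proposal leaves every other protocol
   uncovered.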

Q. What's the msgid of the informational exchange for an error notify message
   during phase 2?  Is it the same as the msgid of the phase 2 negotiation that
   caused the error?  Or is a new msgid created?  In the latter case, the spi
   must be conveyed.
	-> a new msgid should be used
	-> then, how can we deduce the phase 2 from the notification?

Q. I don't know in which situation to initiate an acknowledged informational.

Q. How many certificate payloads are sent in a packet?
   isakmp-test.ssh.fi sends both a CRL and a CERT in one packet.

Q. What should we do if the nonce size is greater than the size of the RSA
   modulus in authentication with public key encryption, and likewise for the
   size of the body of the ID payload?
