Re: ISAKMP DOI Question (General, Not IP Specific) more ...
I should have noted that the processing I described in my previous message
(and in my slides at the IETF) is most appropriate when one looks at a
security gateway (firewall) implementation of IPSEC, or a stack "shim"
implementation. In a socket-interface environment, this function can be
applied to the set of parameters passed to the OS as part of creating a
socket, and thus the steady-state processing for outbound traffic need not
include this IPSEC processing selector function. Moreover, if one creates
an API for IPSEC and applications are IPSEC-aware, then the function is
applied as a result of an explicit call to create an SA (or a sequence of
linked SAs), again making the per-packet, steady-state processing much
simpler and faster.
Steve