[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Do we need ?

To: "srinivasrao.kulkarni" <srinu@trinc.com>
Subject: Re: Do we need ?
From: Karen Seo <kseo@bbn.com>
Date: Mon, 16 Mar 98 23:19:14 EST
cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

Hello,

Oops, Section 5.1.1 is correct.  We had changed it in the February draft
(as noted below) and missed the text in 4.4.3.

   [from list of changes -- email 2/20...]

   18. Section "5.1.1. Selecting and Using an SA or SA Bundle" [outbound
       processing] -- Several issues have come up.

    a) How much searching of the SPD and SAD should be done
       before creating a new SA?

        * Several approaches to this have been brought up on the list,
          e.g., see email from S. Kent 12/7/97 in reply to Ly Loi (Subj:
          "Re: IPSEC arch comments").  There is a tradeoff between
          spending more time to search the SAD to avoid creating
          unnecessary SAs and using more space by creating potentially
          redundant SAs by using the first SPD hit (if it does not point
          to a matching SA).  One possible enhancement would be to note
          which policies create overlapping SAs when the SPD is created.
          There weren't many comments, but the general feeling seemed to
          be in favor of creating an SA for the first policy hit rather
          than searching the whole SAD.

Thank you,
Karen

Prev by Date: Re: Revised Pre-Shared and Public Key Sig modes??
Next by Date: Why can't ?
Prev by thread: Do we need ?
Next by thread: Why can't ?
Index(es):
- Main
- Thread