
IKE implementation issues






1) Processing of INBOUND Quick Mode seems to have a problem. The SPD is searched to find an appropriate policy, but given the information available at the time, this has to be a guess, at best.

The consequences are that data packets arriving on the resulting INBOUND SA may need to search the SPD for the correct match. This is not optimal. What is needed is a way to exchange (securely) the selectors used on the initiator's policy.

2) Is it mandatory to respond to an Inbound SA request (responder) with an Outbound SA establishment (in a single Quick Mode)? I would prefer not to set up the Outbound SA until outbound traffic presents itself. This allows me to use separate keys for inbound and outbound processes as well.

As for question 1, if I am forced to set up an Outbound SA as a responder to an inbound request, I am likely to end up with a bad matching inbound policy AND a bad matching outbound policy (i.e. one that may never get used).

3) Why does the Phase 1 SA (IKE SA) need to be deleted when PFS is selected? Since DH is used in Phase 2, doesn't that remove the need to trash the Phase 1 SA?

Regards, Steve.
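Added example, not from the post or from any IKE implementation: a toy Python model of the responder-side SPD lookup described in point 1. The SPD entries, selectors and addresses are constructed, and it assumes a first-match ordered SPD. It shows why the lookup is a guess when only the IKE peer addresses are known (no IDci/IDcr), and how recording the negotiated selectors on the inbound SA lets each decrypted packet be checked against the SA directly instead of re-searching the SPD.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical traffic selector, as carried in Quick Mode IDci/IDcr (constructed model).
@dataclass(frozen=True)
class Selector:
    src: str           # CIDR of the initiator's client(s)
    dst: str           # CIDR of the responder's client(s)
    proto: int = 0     # IP protocol, 0 = any
    port: int = 0      # destination port, 0 = any

    def covers(self, other: "Selector") -> bool:
        """True if every flow matched by `other` is also matched by this selector."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in (0, other.proto)
                and self.port in (0, other.port))

@dataclass(frozen=True)
class Policy:
    name: str
    sel: Selector

# Constructed ordered SPD, most specific entry first.
SPD: List[Policy] = [
    Policy("ssh-host-to-host", Selector("10.0.0.5/32", "10.0.1.7/32", proto=6, port=22)),
    Policy("subnet-tunnel", Selector("10.0.0.0/24", "10.0.1.0/24")),
    Policy("catch-all", Selector("0.0.0.0/0", "0.0.0.0/0")),
]

def responder_lookup(idci_idcr: Optional[Selector], init_ip: str, resp_ip: str) -> Tuple[str, int]:
    """Responder's policy choice for an inbound Quick Mode.
    Without IDci/IDcr only the IKE peer addresses are known, so the proposed flow is
    peer-to-peer with any protocol/port: the 'guess' described in the post.
    Returns (first matching policy name, number of SPD entries that match)."""
    proposed = idci_idcr or Selector(f"{init_ip}/32", f"{resp_ip}/32")
    candidates = [p for p in SPD if p.sel.covers(proposed)]
    if not candidates:
        return ("none", 0)
    return (candidates[0].name, len(candidates))

def inbound_accept(sa_selector: Selector, pkt: Selector) -> bool:
    """Inbound SA check: with the negotiated selectors stored on the SA, a decrypted
    packet is matched against them directly rather than by a fresh SPD search."""
    return sa_selector.covers(pkt)
```

A match count above 1 is the ambiguity the post complains about: several policies fit the little the responder knows, and first-match may not be the policy the initiator actually used.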


