
Re: use of client IDs



Pyda Srisuresh wrote:
> 
> > >  If the selection criteria is set to be based on packet
> > > (as opposed to policy), every new packet matching the same policy but
> > > differing in one regard (say, IP address or TCP/UDP port) would require
> > > a new SA.
> > >
> > > In the case where selection criteria is set to be based on policy,
> > > the SA selection would match the selection of an SP. It is also
> > > possible for an SA to match multiple policies.
> > >
> >
> > Again, your terminology confuses me. When you say 'the selection
> > criteria is set to be based on packet (as opposed to policy)', what do
> > you mean?
> >
> 
> My terminology is based on the IP architecture draft,
> <draft-ietf-ipsec-arch-sec-05.txt>, section 4.4.1, pg 17 below.
> 
<trimmed...>

Okay, now I think I understand what you are trying to say.  Still, if
you read a little further in the same draft, you'll find that your
assertion that every packet differing in one or another regard would
require a new SA is incorrect. In section 4.4.3, page 22, you'll find
the text which explains why this is not so. I won't include it here, but
it's in the paragraph which begins with

  For each of the selectors defined in Section 4.4.2, the SA entry in
  the SAD MUST contain the value or values which were negotiated at the
  time the SA was created.  For the sender, these values are used to...

