
Re: issues with IKE that need resolution



As I have not followed the IKE much and am only doing the IPSEC/PFKEY,
the following comes to me as a kind of surprise...

> From: Daniel Harkins <dharkins@cisco.com>
> 
>   Addressing Scott's point: the ID payload is woefully overloaded. We're
> trying to express SPD policy in it and that was not its original purpose. 
....
>   Anybody have any ideas on how to express policy _right_? At the TrustMgt
> BOF in Chicago KeyNote was presented and that seems like a good
> start. 

... I have had the impression that the SPD contents are totally local to
the host and configured by means outside of IPSEC. In what situations
would people want to change the SPD dynamically based on the IKE
negotiations? I thought the SPD was kind of "static" with respect to
IKE/IPSEC, and works as an activator of the negotiation sequences
(PFKEY ACQUIRE), and whatever the IKE does, the SPD doesn't change as
a result of it.

Is this (original purpose of SPD) being changed now?

As to expressing the SPD, for me it is just a static file that describes
what kind of SA bundles are applied to packets matching a
selector. (PS: Any chance that there would be an RFC or some
specification for the format of this file? So that admins could just
deliver their policy files to the client machines without having
different versions for different implementations.)

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
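Added illustration (not part of Markku Savela's message, and not code from any real IPsec stack) of the SPD model his reply describes: an ordered list of selector-to-action entries read from a static file, consulted per outbound packet, never modified by key management, and acting only as the trigger for an ACQUIRE when policy demands protection but no SA exists yet. The policy-file syntax, addresses, SPIs and the `outbound()` helper are assumptions made up for this example; there was no standard format, which is exactly what the post asks for.

```python
"""Toy SPD in the RFC 2401 sense: ordered selector -> action entries.

Added example, not from the mailing-list post or any real implementation.
The policy-file syntax below is invented for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy file (made-up syntax): src dst proto dport action [bundle]
POLICY_TEXT = """\
# src         dst           proto dport action  bundle
10.1.0.0/16   10.2.0.0/16   any   any   protect esp/tunnel/192.0.2.1
0.0.0.0/0     0.0.0.0/0     6     23    discard
0.0.0.0/0     0.0.0.0/0     any   any   bypass
"""


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                 # "bypass", "discard" or "protect"
    bundle: Tuple[str, ...]     # SA bundle description, only for "protect"


def _field(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)


def parse_spd(text: str) -> List[Policy]:
    """Parse the hypothetical policy file into an ordered SPD."""
    spd: List[Policy] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, action, *bundle = line.split()
        if action not in ("bypass", "discard", "protect"):
            raise ValueError(f"unknown action {action!r}")
        if (action == "protect") != bool(bundle):
            raise ValueError("protect needs a bundle; bypass/discard take none")
        sel = Selector(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                       _field(proto), _field(dport))
        spd.append(Policy(sel, action,
                          tuple(bundle[0].split("/")) if bundle else ()))
    return spd


def lookup(spd: List[Policy], pkt: dict) -> Optional[Policy]:
    """First matching entry wins: the SPD is an ordered list."""
    for p in spd:
        if p.selector.matches(pkt):
            return p
    return None


def outbound(pkt: dict, spd: List[Policy],
             sad: Dict[Tuple[str, ...], int]) -> tuple:
    """Disposition of one outbound packet.

    'acquire' stands in for the PF_KEY ACQUIRE handed to the key manager
    (IKE) when policy requires protection but the SAD has no SA for the
    bundle yet. Note that only the SAD is consulted; the SPD is read-only
    here and nothing IKE does later feeds back into it.
    """
    p = lookup(spd, pkt)
    if p is None or p.action == "discard":   # no match => discard (RFC 2401)
        return ("discard",)
    if p.action == "bypass":
        return ("bypass",)
    spi = sad.get(p.bundle)
    if spi is None:
        return ("acquire", p.bundle)
    return ("protect", p.bundle, spi)


if __name__ == "__main__":
    spd = parse_spd(POLICY_TEXT)
    sad: Dict[Tuple[str, ...], int] = {}
    pkt = {"src": "10.1.5.5", "dst": "10.2.7.7", "proto": 6, "dport": 80}
    print(outbound(pkt, spd, sad))          # ('acquire', ('esp', 'tunnel', '192.0.2.1'))
    sad[("esp", "tunnel", "192.0.2.1")] = 0x1234   # IKE installed an SA
    print(outbound(pkt, spd, sad))          # ('protect', (...), 4660)
```

The first call returns `acquire` because the SAD is empty; once the key manager installs an SA for the bundle the same packet is protected, and the SPD list is identical in both runs, which is the "static, activator only" behaviour the post describes.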

