
Re: multiple payloads via "ID_LIST"



Shawn Mamros wrote:
> 
> Pardon me for coming into this discussion a bit late...

<trimmed...> 

> What if, instead of there being only two subnets behind a security
> gateway, there were a hundred or more?  All disjoint, non-combinable,
> etc.  It becomes a serious resource utilization issue, not to mention
> that negotiating all those Quick Modes takes time (especially when
> you're doing PFS), and it seems a waste when you're applying the same
> security policy to all of them.
> 
> And yes, I've had customers (plural) that have cited this as an issue.

I don't think there's really any question that your point is correct. I
think we (the participants thus far) have finally agreed on the
following, and I'm sure I'll be corrected if I'm wrong :-)

(1) This functionality is needed

(2) Much other such functionality may be needed, and at least 'would be
nice to have'

(3) Resolution of this is more complex than just throwing in a new
payload, and involves at least thinking about whether we need to change
the way we represent identities for indexing into the SPD. This being
the case, perhaps it is best to use the vendor ID payload + private ID
lists in the interim, while also moving forward toward resolution.

The bottom line is (I think) that there is rough consensus among the
participants thus far that this issue requires a good deal more thought,
and that we ought not to act in haste.

Scott
