[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multiple payloads via "ID_LIST"



  This may be an issue but is it a problem? Do your customers actually
want to do this? (As opposed to just wanting to raise it "as an issue"). By 
doing IPSec on such a network aggregation point you're saying that all those 
hundred+ networks share the same policy and are not mutually suspicious. 
This seems unrealistic to me. Does this aggregations point's IPSec peer also 
have a hundred+ disjoint, non-combinable networks behind it? 

  Can you explain what it is these people are trying to do? 

  Dan.

On Thu, 24 Sep 1998 12:48:01 EDT you wrote
> >  If they needed it yesterday tell them to establish 2 SAs, one soley
> >for X and the other soley for Y. It would be *nice* to be able to have a 
> >single one but I think this clearly falls in the "if it ain't broke..." 
> >category. It can be easily solved today (and yesterday too) using existing 
> >mechanisms.
> 
> What if, instead of there being only two subnets behind a security
> gateway, there were a hundred or more?  All disjoint, non-combinable,
> etc.  It becomes a serious resource utilization issue, not to mention
> that negotiating all those Quick Modes takes time (especially when
> you're doing PFS), and it seems a waste when you're applying the same
> security policy to all of them.
> 
> And yes, I've had customers (plural) that have cited this as an issue.



References: