Re: Bundle or not in negotiation

[Mohan Parthasarathy <Mohan.Parthasarathy@Eng.Sun.Com>]

> Of course you don't have to do that. You can do multiple negotiations
> and be inefficient if you want. But if you do negotiate things seperately
> then what do you do with the packets that are queued up after the 1st
> negotiation is finish but before the 2nd is finished? 
> 
> If your plumbing can't handle a set of requirements and can only dole
> things out one at a time and your policy says "AH AND ESP for traffic
> from foo to bar with frobnitz as the peer" then you'll do an AH negotiation
> with frobnitz and then a separate ESP negotiation with frobnitz. When the
> first is finished whaddya do? Send packets with AH but not ESP? Or do
> you wait until all negotiations are finished? If the latter then what's
> the point of doing them separate. I'm missing something.
>
Assume i wait until all negotiations are finished. What is wrong with
negotiating them separately, except for some slow performance ? Assume the
policy does not mandate unique SAs i.e sharing of SAs are permitted, what
is wrong in having AH and ESP SA separately ? Some other connection may want
to use just the AH SA and not the ESP SA. Some connection may want use both
of them.  Is there any reason to bundle them together ? 

-mohan

---

Follow-Ups:

• Re: Bundle or not in negotiation
• From: "Scott G. Kelly" <skelly@redcreek.com>

References:

• Re: Bundle or not in negotiation
• From: Daniel Harkins <dharkins@dharkins-ss20.cisco.com>

---

• Prev by Date: Re: FW: IPSec Monitoring MIB works for IPv4 only?
• Next by Date: RE: FW: IPSec Monitoring MIB works for IPv4 only?
• Next by thread: marketing misuse of IPSECond efforts
• Index(es):
  • Main
  • Thread