
Re: Bundle or not in negotiation




> 
> It doesn't really need anything but you have to express your wishes to
> the peer as unambiguously as possible. If your wishes are "protect all 
> these packets with both AH and ESP" but you say "protect all these packets
> with AH" and then at some later time say "protect all these packets with
> ESP" the peer can do two things. He can refuse your AH offer because his
> policy says he needs ESP in addition to AH and you just offered AH or
> he could create the AH SA and hope, perhaps in vain, for you to offer
> ESP later. That's ambiguous and ripe for failure. But by offering them 
> together you're expressing to the peer your wishes: "I want to do these 
> together on this traffic".
> 
Is there an implication that one of them (ESP or AH) in the
bundle will not be used separately?

I understand your argument that unless you provide both, the other
end really can't negotiate properly. But I should be able to
use the individual SAs for a different connection - which is left
to the policy, i.e. if policy permits, I can use it. Because
there is nothing in IKE that says "these SAs can't be
used for anything else". How it is used depends on the policy.

Any comments?

-mohan
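The two positions in this exchange can be modelled as a responder's policy check. The following is an added example, not code from the thread or from any IKE implementation: the SPD entries, selectors and the strict/lenient switch are assumptions used to show the outcomes both writers describe (reject, or build the AH SA and wait) and why reuse of one SA from a bundle is decided by the SPD, not by IKE.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """Traffic selector (constructed: source/destination only)."""
    src: str
    dst: str


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    required: frozenset  # protocols that must protect this traffic together


def evaluate_proposal(spd, selector, offered, strict=True):
    """Responder's decision on one proposal.

    'offered' is the set of protocols proposed together for 'selector'
    (a bundle when it has more than one member). Returns:
      'accept' - offer matches what policy requires for this traffic
      'reject' - no policy, or the offer does not match it (strict responder)
      'wait'   - lenient responder builds the partial SA and hopes the rest follows
    """
    for entry in spd:
        if entry.selector != selector:
            continue
        if offered == entry.required:
            return "accept"
        if offered < entry.required and not strict:
            return "wait"
        return "reject"
    return "reject"  # no SPD entry covers this traffic at all


def reuse_allowed(spd, selector, sa_protocol):
    """May an SA negotiated as part of a bundle protect other traffic on its own?
    IKE does not forbid it; only the SPD entry for that other traffic decides."""
    return any(e.selector == selector and e.required == frozenset({sa_protocol})
               for e in spd)


# Constructed policy: A needs AH+ESP together, B needs ESP alone.
A = Selector("10.0.0.1", "10.0.0.2")
B = Selector("10.0.0.1", "10.0.0.3")
SPD = [SpdEntry(A, frozenset({"AH", "ESP"})), SpdEntry(B, frozenset({"ESP"}))]
```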