
RE: Bundle or not in negotiation



Would someone please address Scott's earlier questions, copied in the
paragraph below? This is my understanding according to the "Security
Architecture for the IP" ---- but now I am not sure that I can do this with
ISAKMP without breaking something. I thought the SPD would dictate these
relationships.

Scott G. Kelly wrote:
> This nails another point that's been nagging at me lately: the
> architecture explicitly permits sharing of SAs, which I take to mean
> between different endpoints which match the policy rule used to
> instantiate the SAs to begin with. However, there is no way (that I can
> see) to negotiate this in IKE. That is, once the SA is instantiated,
> there doesn't seem to be any way to negotiate the addition of more
> endpoints to it. It appears that fresh SAs must be negotiated, with new
> keys, etc. My first thought was that I could just pass the SPI of the
> instantiated SA in the later negotiations, but there's no way to
> indicate that the original keying material should be shared. Am I way
> out there on this, or should we think about a way to permit this in IKE?
>
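An added illustration, not part of this thread, of the two behaviours being contrasted above: an SPD rule whose remote selector matches several peers, with the SAD keyed either per rule (the architecture's shared SA) or per (rule, peer), which is what a fresh IKE negotiation per endpoint gives you, new SPI and new keys each time. The names (PolicyRule, IpsecNode, sa_for) and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import secrets

@dataclass(frozen=True)
class PolicyRule:
    name: str
    local: str      # local traffic selector, e.g. "10.0.0.0/24"
    remote: str     # remote selector; "0.0.0.0/0" matches any peer
    share_sa: bool  # True: one SA serves every peer matching this rule
    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))

@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    peers: set = field(default_factory=set)

class IpsecNode:
    def __init__(self, spd):
        self.spd = spd          # ordered list of PolicyRule (the SPD)
        self.sad = {}           # (rule name, peer or None) -> SecurityAssociation
        self.negotiations = 0   # fresh IKE exchanges this node had to run

    def negotiate(self, peer: str) -> SecurityAssociation:
        # Stand-in for a fresh IKE exchange: new SPI, fresh keying material.
        self.negotiations += 1
        return SecurityAssociation(secrets.randbits(32), secrets.token_bytes(16), {peer})

    def sa_for(self, src: str, dst: str) -> SecurityAssociation:
        rule = next((r for r in self.spd if r.matches(src, dst)), None)
        if rule is None:
            raise LookupError("no SPD entry matches; packet is discarded")
        # Shared rule: one SAD slot per rule; otherwise one per (rule, peer), i.e. a fresh SA per endpoint.
        slot = (rule.name, None if rule.share_sa else dst)
        sa = self.sad.get(slot)
        if sa is None:
            sa = self.sad[slot] = self.negotiate(dst)
        sa.peers.add(dst)
        return sa

def compare(share_sa: bool) -> dict:
    # Send from one host to two different peers under a single wildcard rule.
    node = IpsecNode([PolicyRule("any-peer", "10.0.0.0/24", "0.0.0.0/0", share_sa)])
    first = node.sa_for("10.0.0.5", "192.0.2.1")
    second = node.sa_for("10.0.0.5", "198.51.100.7")
    return {"same_sa": first is second, "negotiations": node.negotiations,
            "peers_on_first": sorted(first.peers)}
```

With share_sa=True both peers end up on one SA after a single negotiation; with share_sa=False the second peer forces a second negotiation with its own SPI and key, which is the gap Scott describes.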