[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issues from the bakeoff

To: Dan Harkins <dharkins@network-alchemy.com>
Subject: Re: issues from the bakeoff
From: Tylor Allison <allison@securecomputing.com>
Date: Tue, 6 Jul 1999 16:56:37 -0500 (CDT)
cc: ipsec@lists.tislabs.com
In-Reply-To: <199906151954.MAA21779@potassium.network-alchemy.com>
Sender: owner-ipsec@lists.tislabs.com

On Tue, 15 Jun 1999, Dan Harkins wrote:

>   *) Misc
> 
> 	- Does the order of ANDed offers make any difference in IPSec 
>	  encapsulation? No it doesn't.

I have a few questions regarding this statement.  Does this mean that a
IKE or IPSEC implementation needs to figure out the most logical ordering
to be applied when multiple AND proposals are received (e.g. AH & ESP & 
IPCOMP)?  I'd prefer not to have to hard code this logic into my IKE
implementation.  What is the reasoning behind this decision?  It seems to
limit the types of SA bundles that IKE can negotiate and could lead to
interop problems (based on vendors' assumptions on what the most logical
ordering of AND'd SA combinations means for them).  In addition, it makes
the policy decisions harder (since AH & ESP & IPCOMP means the same as
IPCOMP & ESP & AH) ... 

OK, the last statement is more of a whine than anything else, but I'd
really be interested in other people's thoughts on this issue.

Thanks!

Tylor

---
Tylor Allison         tylor_allison@securecomputing.com        (651) 628-1554
Secure Computing Corporation

Follow-Ups:

Re: issues from the bakeoff

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: draft-ietf-ipsec-ike-ext-meth-01.txt
Next by Date: Re: issues from the bakeoff
Prev by thread: New Internet Draft - MIKE
Next by thread: Re: issues from the bakeoff
Index(es):
- Main
- Thread