
RE: I-D ACTION:draft-lordello-ipsec-vpn-doi-00.txt



Overall, I think this is a good idea.  It's extremely useful to be able
to avoid the overhead of a separate ISAKMP SA for each VPN.

But, I'm a little surprised to see that you're defining an entirely new
DOI, rather than extending the IPsec DOI.  Is that because there is no
provision for a DOI version number?

I'm concerned because I can envision multiple DOIs derived from the IPsec
DOI, all differing ever so slightly.  For example, this draft adds new ID
types.  Another DOI might add a new security protocol (other than AH and
ESP).  Now, what happens when an implementation wants to support both
extensions?

Is it feasible to extend the IPsec DOI?  If ISAKMP is ever revisited, is
there a possibility of adding a version field to the security association
payload?

					- Ken
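The question above turns on the wire format of the ISAKMP Security Association payload: the DOI is a single 32-bit identifier (RFC 2408), so an implementation can only select behaviour per DOI number, and every DOI derived from the IPsec DOI needs its own entry even when its payload layout is identical. The following Python encoder/decoder is an added illustration, not code from the draft or from Ken's message; the DOI numbers other than 0 and 1 and the `build_sa_payload`/`handle_sa_payload` helpers are assumptions made for the example.

```python
import struct

# ISAKMP Security Association payload (RFC 2408, section 3.4):
#   Next Payload (8) | RESERVED (8) | Payload Length (16) | DOI (32) | Situation (variable)
# The DOI is a flat 32-bit identifier; the header carries no version field.
SA_HDR = struct.Struct("!BBHI")

DOI_ISAKMP = 0                      # generic ISAKMP DOI (RFC 2408)
DOI_IPSEC = 1                       # IPsec DOI (RFC 2407)
DOI_VPN_HYPOTHETICAL = 0xFFFF0001   # ASSUMED number for a DOI derived from the IPsec DOI; not IANA-assigned

# IPsec DOI situation flags (RFC 2407, section 4.2)
SIT_IDENTITY_ONLY = 0x01
SIT_SECRECY = 0x02
SIT_INTEGRITY = 0x04

# Notify type a responder returns for a DOI it does not understand (RFC 2408, section 3.14.1)
NOTIFY_DOI_NOT_SUPPORTED = 2


def build_sa_payload(doi, situation, proposals=b"", next_payload=0):
    """Encode an SA payload with a 32-bit situation (IPsec DOI layout); proposals are opaque here."""
    body = struct.pack("!I", situation) + proposals
    return SA_HDR.pack(next_payload, 0, SA_HDR.size + len(body), doi) + body


def parse_sa_payload(data):
    """Parse the DOI-independent part of an SA payload; the remainder is DOI-specific."""
    if len(data) < SA_HDR.size:
        raise ValueError("SA payload shorter than its fixed header")
    next_payload, reserved, length, doi = SA_HDR.unpack_from(data)
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length < SA_HDR.size or length > len(data):
        raise ValueError("bad SA payload length")
    return {"next_payload": next_payload, "doi": doi, "doi_data": data[SA_HDR.size:length]}


def parse_ipsec_situation(doi_data):
    """The IPsec DOI (and anything derived from it) starts with a 32-bit situation bitmap."""
    if len(doi_data) < 4:
        raise ValueError("missing situation")
    (sit,) = struct.unpack_from("!I", doi_data)
    if sit & ~(SIT_IDENTITY_ONLY | SIT_SECRECY | SIT_INTEGRITY):
        raise ValueError("unknown situation flags")
    return {
        "identity_only": bool(sit & SIT_IDENTITY_ONLY),
        "secrecy": bool(sit & SIT_SECRECY),
        "integrity": bool(sit & SIT_INTEGRITY),
        "proposals": doi_data[4:],
    }


# One handler per DOI number. A derived DOI that only adds ID types still needs its own
# table entry, because the peer has no other way to say "IPsec DOI plus extension X".
DOI_HANDLERS = {
    DOI_IPSEC: parse_ipsec_situation,
    DOI_VPN_HYPOTHETICAL: parse_ipsec_situation,  # same wire layout as the IPsec DOI in this illustration
}


def handle_sa_payload(data, handlers=DOI_HANDLERS):
    """Dispatch on the DOI. Returns ("ok", parsed) or ("notify", NOTIFY_DOI_NOT_SUPPORTED)."""
    sa = parse_sa_payload(data)
    handler = handlers.get(sa["doi"])
    if handler is None:
        return ("notify", NOTIFY_DOI_NOT_SUPPORTED)
    return ("ok", {"doi": sa["doi"], **handler(sa["doi_data"])})


if __name__ == "__main__":
    pkt = build_sa_payload(DOI_IPSEC, SIT_IDENTITY_ONLY, b"\x00" * 8)  # constructed sample
    print(handle_sa_payload(pkt))
    # A further derived DOI the responder never registered is refused outright, even though
    # its contents would parse exactly like the IPsec DOI.
    other = build_sa_payload(0xFFFF0002, SIT_IDENTITY_ONLY)  # ASSUMED number
    print(handle_sa_payload(other))
```

The dispatch table is the practical consequence of the point raised in the message: two peers that each derived their own DOI from the IPsec DOI, differing only in an added ID type or protocol, will answer each other with DOI-NOT-SUPPORTED unless every such DOI number is registered on both sides, which is what a version or capability field in the SA payload would avoid.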