Re: Two issues: AH death, and SA identification
> Let's get a new protocol number, call it something like SESP (SPI-only
> ESP), and use that as the protocol that only uses the SPI as a
> selector. This way we don't have to touch AH or ESP, and most of the
> code can be shared between ESP and SESP.
Why would you need a new protocol number if you changed this? The "on the
wire" format for IPSEC AH and ESP packets would not change at all. [Or
did I miss some sarcasm in the proposal?]
Whether an IPSEC implementation allows "any destination" on an incoming SA
is visible to an outside observer only through the key management. If the
change is made, it will affect IKE negotiations and the way IKE
communicates with the kernel part of the IPSEC.
As for the "death of AH", I agree that AH was messy to implement. But
it's a done deal, so I'm sort of neutral. It's there and it works.
--
Markku Savela <Markku.Savela@iki.fi>
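The point made above, that the SA lookup key is a local policy of the receiver while the packet bytes are the same either way, can be shown with a small inbound SAD. The following is an added example, not code from the thread or from any IPsec implementation: it builds constructed ESP and AH headers, extracts the SPI the same way in both cases, and then resolves the SA once with the (destination, protocol, SPI) triple and once with protocol and SPI only. The addresses, SPIs and SA names are made up; `SAD`, `SA` and `demo` are names chosen here for illustration.

```python
"""Inbound SA identification: (dst, proto, SPI) triple versus SPI only.

Added example with constructed packets; addresses, SPIs and names are made up.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50   # IP protocol numbers for ESP and AH
AH = 51


@dataclass(frozen=True)
class SA:
    name: str
    proto: int
    spi: int
    dst: Optional[str]      # None means "any destination" (SPI-only SA)


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header: SPI (4 bytes) + sequence number (4 bytes), then payload."""
    return struct.pack("!II", spi, seq) + body


def build_ah(spi: int, seq: int, next_header: int, icv: bytes) -> bytes:
    """AH header: next hdr, payload len, reserved, SPI, seq, then the ICV."""
    if len(icv) % 4 != 0:
        raise ValueError("AH ICV must be padded to a 32-bit boundary")
    payload_len = (12 + len(icv)) // 4 - 2   # length in 32-bit words minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def extract_spi(proto: int, payload: bytes) -> int:
    """Read the SPI off the wire; this step is identical for either lookup policy."""
    if proto == ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        return struct.unpack("!I", payload[:4])[0]
    if proto == AH:
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        return struct.unpack("!I", payload[4:8])[0]
    raise ValueError("not an IPsec protocol: %d" % proto)


class SAD:
    """Inbound security association database with a selectable lookup key."""

    def __init__(self, spi_only: bool):
        self.spi_only = spi_only
        self._table: Dict[Tuple, SA] = {}

    def _key(self, dst, proto, spi):
        return (proto, spi) if self.spi_only else (dst, proto, spi)

    def add(self, sa: SA) -> None:
        key = self._key(sa.dst, sa.proto, sa.spi)
        if key in self._table:
            # A receiver keying on SPI alone must hand out SPIs that are
            # unique across all of its addresses, or two SAs collide here.
            raise KeyError("SA collision on %r" % (key,))
        self._table[key] = sa

    def lookup(self, dst: str, proto: int, payload: bytes) -> Optional[SA]:
        spi = extract_spi(proto, payload)
        return self._table.get(self._key(dst, proto, spi))


def demo() -> Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]]:
    """Same wire bytes, two SAD policies; returns (triple hit, SPI-only hit)."""
    esp_pkt = build_esp(0x1000, 1, b"\x00" * 16)          # constructed
    ah_pkt = build_ah(0x2000, 1, 4, b"\x11" * 12)         # constructed
    triple = SAD(spi_only=False)
    triple.add(SA("esp-in", ESP, 0x1000, "10.0.0.1"))
    triple.add(SA("ah-in", AH, 0x2000, "10.0.0.1"))
    spi_only = SAD(spi_only=True)
    spi_only.add(SA("esp-in", ESP, 0x1000, None))
    spi_only.add(SA("ah-in", AH, 0x2000, None))
    results = {}
    # The host owns both addresses; the peer only negotiated 10.0.0.1.
    for dst in ("10.0.0.1", "10.0.0.2"):
        for label, proto, pkt in (("esp", ESP, esp_pkt), ("ah", AH, ah_pkt)):
            t = triple.lookup(dst, proto, pkt)
            s = spi_only.lookup(dst, proto, pkt)
            results[(label, dst)] = (t.name if t else None, s.name if s else None)
    return results


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(k, "triple:", v[0], "spi-only:", v[1])
```

A packet sent to the second address carries exactly the same ESP or AH bytes; only the SPI-only table accepts it, which is why the difference shows up in what key management negotiates and installs, not in the wire format. The collision check in `add` is the cost of the SPI-only policy: the receiver's SPI space is then shared by all its addresses.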