
Re: SCTP and IPsec issues


In message <200103270123.f2R1NU701399@marajade.sandelman.ottawa.on.ca>, Michael Richardson writes:
>
>  As an alternative, it would be nice if the architecture said that the
>mapping of SPD->SA was an N:1 mapping, then no textual change would be
>necessary to support this.

I don't think this is sufficient; after all, SPDs can currently do an
N:1 mapping.

>  But, should the document be rev'ed each time a new protocol comes along
>that has a new set of selectors?

Unclear, and something for the WG to decide; since the architecture document
is being rev'ed anyway, I think this should go in.

>  It would also be nice if phase 2 SAs could be referenced in a consistent
>way such that additional selectors could be *added* to an existing SA.

I agree, although this has more to do with policy and thus should be
brought up at the appropriate WG (and I don't want to complicate this
document any more than I have to).

>  My preference is to define three "recursion" types: AND, OR and NOT.
>  Permit at most *three* levels of such logic.

I don't see how these would be used in practice. I can imagine situations in
manual configuration where you'd want to specify complicated combinations of
hosts and networks to be protected, but that can be done by a series of Phase 2
exchanges just as easily. In any situation that involves automatic keying
(e.g., "telnet -secure foo.com"), I don't see how this would buy you anything,
other than increased complexity.

>  This begins to sound like negotiation.

Yup.
-Angelos
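The two points argued above, that an SPD can already map N entries onto one SA and that nested AND/OR/NOT selector logic capped at three levels would say the same thing in a single entry, are easy to see in a toy model. The Python below is an added example, not code from this thread or from any IPsec implementation; the selector field names, the addresses of the SCTP association, the SA identifier "sa-sctp-1" and the lookup semantics (first match wins, returning only an SA id rather than a PROTECT/BYPASS/DISCARD action) are assumptions made for the illustration.

```python
"""Toy model of an IPsec SPD.  Added example, not code from this thread or
from any IPsec implementation; field names, addresses and SA ids are made up.
It shows (a) the N:1 SPD->SA mapping an SPD can already express, (b) the
same policy as one entry with AND/OR/NOT selector logic capped at three
levels, and (c) that such an entry flattens back into the N:1 form."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet record carrying the usual src/dst/proto/port selectors.
Packet = namedtuple("Packet", "src dst proto dport")

@dataclass(frozen=True)
class Match:                  # leaf selector: field equals value / inside prefix
    field_name: str
    value: object
    def matches(self, pkt) -> bool:
        got = getattr(pkt, self.field_name)
        if self.field_name in ("src", "dst"):
            return ip_address(got) in ip_network(self.value, strict=False)
        return got == self.value

@dataclass(frozen=True)
class And:
    children: tuple
    def matches(self, pkt): return all(c.matches(pkt) for c in self.children)

@dataclass(frozen=True)
class Or:
    children: tuple
    def matches(self, pkt): return any(c.matches(pkt) for c in self.children)

@dataclass(frozen=True)
class Not:
    child: object
    def matches(self, pkt): return not self.child.matches(pkt)

MAX_DEPTH = 3                 # the "at most three levels" limit proposed above

def depth(sel) -> int:
    """Nesting depth of AND/OR/NOT operators; a bare Match has depth 0."""
    if isinstance(sel, Match):
        return 0
    if isinstance(sel, Not):
        return 1 + depth(sel.child)
    return 1 + max(depth(c) for c in sel.children)

def flatten(sel) -> list:
    """Rewrite an AND/OR tree (NOT only directly over a leaf) into a list of
    plain AND-of-leaves selectors: the N entries of an equivalent N:1 SPD."""
    if isinstance(sel, Match) or (isinstance(sel, Not) and isinstance(sel.child, Match)):
        return [And((sel,))]
    if isinstance(sel, Or):
        return [a for c in sel.children for a in flatten(c)]
    if isinstance(sel, And):
        acc = [And(())]
        for c in sel.children:
            acc = [And(a.children + f.children) for a in acc for f in flatten(c)]
        return acc
    raise ValueError("NOT over a compound selector is not flattened here")

class SPD:
    """Ordered (selector, sa_id) list; first match wins, as in a real SPD."""
    def __init__(self):
        self.entries = []
    def add(self, sel, sa_id: str):
        if depth(sel) > MAX_DEPTH:
            raise ValueError("selector nests deeper than %d levels" % MAX_DEPTH)
        self.entries.append((sel, sa_id))
    def lookup(self, pkt):
        for sel, sa_id in self.entries:
            if sel.matches(pkt):
                return sa_id
        return None           # no matching policy

# Constructed SCTP association: two local and two peer addresses.  Every
# address pair must map to the same SA or a path failover switches SAs.
LOCAL = ("10.0.1.1", "10.0.2.1")
PEER = ("192.0.2.1", "198.51.100.1")
NESTED_SEL = And((Or(tuple(Match("src", a) for a in LOCAL)),
                  Or(tuple(Match("dst", b) for b in PEER)),
                  Match("proto", "sctp")))

def spd_n_to_one() -> SPD:
    """Four plain entries, one per address pair, all pointing at one SA."""
    spd = SPD()
    for a in LOCAL:
        for b in PEER:
            spd.add(And((Match("src", a), Match("dst", b), Match("proto", "sctp"))), "sa-sctp-1")
    return spd

def spd_nested() -> SPD:
    """The same policy as a single entry with depth-2 selector logic."""
    spd = SPD()
    spd.add(NESTED_SEL, "sa-sctp-1")
    return spd

def same_sa_for_all_pairs(spd: SPD) -> bool:
    """True if every (local, peer) pair of the association maps to one SA."""
    sas = {spd.lookup(Packet(a, b, "sctp", 80)) for a in LOCAL for b in PEER}
    return len(sas) == 1 and None not in sas
```

Both `spd_n_to_one()` and `spd_nested()` send all four address pairs to the same SA, and `flatten(NESTED_SEL)` yields exactly the four plain entries of the first form, which is the sense in which the nested logic buys nothing the N:1 mapping cannot already express. What neither form captures is the point Angelos raises about negotiation: a peer still has to learn, through IKE, that one SA is meant to cover the whole set of address pairs, and that is a selector-payload question rather than a local SPD one.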

