Re: SCTP and IPsec issues
This is yet another case (application specific dynamically generated
sessions) addressed by <draft-srisuresh-ike-policy-extensions-00.txt>.
A new Policy Payload, replacing ID payload in Quick mode, does the
trick. There is no need to negotiate a new SA, when changes
to SPD can be acceptable to both IKE peers.
cheers,
suresh
--- Michael Richardson <mcr@sandelman.ottawa.on.ca> wrote:
>
> >>>>> "Angelos" == Angelos D Keromytis <angelos@keromytis.org> writes:
> Angelos> but that can be done by a series of Phase 2 exchanges just as
> Angelos> easily. In any situation that involves automatic keying (e.g.,
> Angelos> "telnet -secure foo.com"), I don't see how this would buy you
> Angelos> anything, other than increased complexity.
> >>
> >> "ftp -secure foo.com"
>
> Angelos> That won't do you any good, since in neither passive nor active
> Angelos> FTP do you know the server side's port until after you've
> Angelos> started an exchange.
>
> That's my point. It doesn't work.
> You can't ask to have the data connection added to the control connection's
> SA.
> You have to do a new phase 2 for each file transferred.
>
> ] Train travel features AC outlets with no take-off restrictions|gigabit is no[
> ] Michael Richardson, Solidum Systems   Oh where, oh where has|problem with[
> ] mcr@solidum.com   www.solidum.com   the little fishy gone?|PAX.port 1100[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy");[
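The two positions in this thread (a new Phase 2 per data connection versus extending the policy of an existing SA) can be made concrete with a small model of SPD selector lookup. The following is an added example, not code from the draft or from either author; it does not reproduce the draft's Policy Payload format, and the addresses, ports and the `policy_update` operation are constructed assumptions used only to show how selector matching decides whether a new data connection is covered.

```python
"""Model of IPsec SPD/SAD selector matching for the FTP case discussed above.

Constructed example: the addresses, ports, and the policy_update() operation are
assumptions for illustration, not the payload format of the cited draft.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Selector:
    """One SPD traffic selector; dst_port=None means any port."""
    src: str
    dst: str
    proto: str
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (self.src == pkt.src and self.dst == pkt.dst
                and self.proto == pkt.proto
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass
class SA:
    spi: int
    selectors: List[Selector] = field(default_factory=list)


class IPsecPeer:
    """Holds the SAD and counts Phase 2 (Quick Mode) exchanges performed."""

    def __init__(self) -> None:
        self.sad: List[SA] = []
        self.next_spi = 0x1000
        self.phase2_exchanges = 0

    def lookup(self, pkt: Packet) -> Optional[SA]:
        """Outbound SPD check: first SA whose selector covers the packet, else None."""
        for sa in self.sad:
            if any(sel.matches(pkt) for sel in sa.selectors):
                return sa
        return None

    def quick_mode(self, selector: Selector) -> SA:
        """Negotiate a brand-new SA (a full Phase 2 exchange) for one selector."""
        self.phase2_exchanges += 1
        sa = SA(self.next_spi, [selector])
        self.next_spi += 1
        self.sad.append(sa)
        return sa

    def policy_update(self, sa: SA, selector: Selector) -> None:
        """Assumed operation: widen the SPD entry of an existing SA without rekeying."""
        sa.selectors.append(selector)


def ftp_session(extend_policy: bool) -> Tuple[int, int, bool]:
    """Simulate one passive-FTP session with three data transfers.

    Returns (phase2_exchanges, number_of_SAs, all_data_packets_protected).
    """
    client, server = "10.0.0.2", "192.0.2.10"          # constructed addresses
    peer = IPsecPeer()
    ctrl_sa = peer.quick_mode(Selector(client, server, "tcp", 21))
    protected = peer.lookup(Packet(client, server, "tcp", 21)) is ctrl_sa

    for data_port in (50001, 50002, 50003):              # constructed server data ports
        pkt = Packet(client, server, "tcp", data_port)
        # The port is only learned from the PASV reply, so the control SA's
        # selector cannot have covered it in advance.
        if peer.lookup(pkt) is None:
            sel = Selector(client, server, "tcp", data_port)
            if extend_policy:
                peer.policy_update(ctrl_sa, sel)   # reuse keys, widen policy
            else:
                peer.quick_mode(sel)                # new SA per transfer
        protected = protected and peer.lookup(pkt) is not None
    return peer.phase2_exchanges, len(peer.sad), protected


if __name__ == "__main__":
    print("new SA per transfer :", ftp_session(extend_policy=False))
    print("extend existing SA  :", ftp_session(extend_policy=True))
```

Run as-is, the first strategy yields four Phase 2 exchanges and four SAs for one session, the second a single exchange and a single SA, with every data packet covered in both cases; the difference is purely in how the SPD is changed, which is the trade-off the thread is about.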