[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Simplifying IKE
Lars,
If we let routing select an SA, vs. the other way around, it might
seem that we run a new risk of having a routing algorithm push
traffic over the wrong SA. To counter that we would unless we modify
the IPsec processing to check for selector appropriateness after
mapping traffic to an SA, rather than using selectors to pick the SA.
That probably would not work well unless we adopt a de-correlated SPD
model, since otherwise one would have to go back to the SPD to check
"appropriateness" for each packet. However, I am planning to use that
model for the next rev of 2401, so that might not be a problem.
Steve
References: