[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Simplifying IKE



Lars,

If we let routing select an SA, vs. the other way around, it might 
seem that we run a new risk of having a routing algorithm push 
traffic over the wrong SA. To counter that we would  unless we modify 
the IPsec processing to check for selector appropriateness after 
mapping traffic to an SA, rather than using selectors to pick the SA. 
That probably would not work well unless we adopt a de-correlated SPD 
model, since otherwise one would have to go back to the SPD to check 
"appropriateness" for each packet. However, I am planning to use that 
model for the next rev of 2401, so that might not be a problem.

Steve


References: