[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: DataStructure for Storing SPD,SA Entries

To: <Steve.Robinson@psti.com>, "Mason, David" <David_Mason@nai.com>
Subject: RE: DataStructure for Storing SPD,SA Entries
From: "Joseph D. Harwood" <jharwood@vesta-corp.com>
Date: Fri, 19 Oct 2001 08:29:01 -0700
Cc: "ipsec" <ipsec@lists.tislabs.com>, "Puja Puri" <puja.puri@cdac.ernet.in>, "ranjeet barve" <ranjeet_barve@yahoo.co.in>, "William Dixon" <wdixon@windows.microsoft.com>, "'Wei-Jen Yeh'" <weijyeh@nortelnetworks.com>
Importance: Normal
In-Reply-To: <OF20EF5556.3B27FFA0-ON80256AEA.004BC2A6@psti.com>
Sender: owner-ipsec@lists.tislabs.com

I don't see that interoperability is linked to decorrelation.  The
decorreclation needs to be functionally equivalent to a search through the
ordered SPD.  The interoperability problem mentioned below, where the two
sides have their policies in a different order, would result in an
interoperability problem regardless of how either side does the policy look
up.

Best Regards,
Joseph D. Harwood
(408) 838-9434
jharwood@vesta-corp.com
www.vesta-corp.com



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of
> Steve.Robinson@psti.com
> Sent: Friday, October 19, 2001 6:58 AM
> To: Mason, David
> Cc: ipsec; Puja Puri; ranjeet barve; William Dixon; 'Wei-Jen Yeh'
> Subject: RE: DataStructure for Storing SPD,SA Entries
>
>
>
> You know, I never considered the interoperability issue!  I would love to
> see a discussion on the issue of a decorrelated host interacting with a
> host that uses an ordered SPD.  I don't see a problem on the decorrelated
> side, since you can guarantee that you are using the correct policy, but
> how do you coordinate with 3rd party hosts and/or negotiate with them to
> set up the policies on the fly?  Everything seems OK to me (even
> negotiating with the ordered host -- as you are negotiating algorithms and
> selectors, not database structure)-- but I'll be up front in pointing out
> that I haven't put a great deal of research into the subject yet.  Any
> pointers would be welcome.
>
>
> Steve
>
>
>
>
>
>
>                     "Mason, David"
>
>                     <David_Mason@N       To:     "'Wei-Jen Yeh'"
> <weijyeh@nortelnetworks.com>, William Dixon
>                     AI.com>
> <wdixon@windows.microsoft.com>
>                                          cc:     "Steve.Robinson"
> <Steve.Robinson@psti.com>, Puja Puri
>                     10/19/01 09:32
> <puja.puri@cdac.ernet.in>, ipsec <ipsec@lists.tislabs.com>, ranjeet
>                     AM                    barve
> <ranjeet_barve@yahoo.co.in>
>                                          Subject:     RE:
> DataStructure for Storing SPD,SA Entries
>
>
>
>
>
>
> One of the reasons for having ordered SPDs is interoperability.  If you
> have
> overlapping SPDs and they are in different orders on both sides of the VPN
> link, then you may run into connectivity problems.  To correct a
> problem of
> this sort, one of the sides will need to change the order of their SPDs.
>
> -dave
>
>
>
>

References:

RE: DataStructure for Storing SPD,SA Entries

From: Steve.Robinson@psti.com

Prev by Date: Re: question about Nonce
Next by Date: RE: Status of ID: IPsec Flow Monitoring MIB
Prev by thread: RE: DataStructure for Storing SPD,SA Entries
Next by thread: Precedence on selectors, policy entries or both?
Index(es):
- Main
- Thread