
Re: Regardind IPsec Databases



                                                                                                                        
From: ranjeet barve <ranjeet_barve@yahoo.co.in>
To: ipsec@lists.tislabs.com
Subject: Regardind IPsec Databases
Sent by: owner-ipsec@lists.tislabs.com
Date: 11/23/01 04:37 AM

>>2) It was mentioned in a few postings that the SPD and
>>SAD databases are STATIC. Does this mean that one is
>>not supposed to delete entries (policies) from these
>>databases? Actually deleting a single entry from the
>>SPD database could lead to recursive deletions and
>>re-arranging of the SAD database and consequently
>>re-ordering of numerous pointers from the SPD to SAD
>>database.
>>Or does it mean that they don't change dynamically?

STEVE:  When in doubt, always refer to the RFCs.  RFC2401 says nothing
about the databases being static -- so if someone implemented their code
like that (are you referring to Freeswan?) that's their decision.  You can
set up your databases however you want internally.  I linked the security
associations to the individual policies, so that I can dynamically add and
remove policies fairly easily.  It also reduces look-up times during packet
processing -- but it does add code complexity to keep things dynamic.  It
really depends on your application needs.  What is your application doing?
Will it be on a very static network for a long period of time, or are you
going to have to reboot every week to add/remove nodes from the network you
are on?  The bottom line is, do you want your solution to be scalable?
Look at why DNS was created, will your application suffer from similar
problems 5 years down the road?
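The arrangement Steve describes, with each security association linked to the policy that created it so policies can be added and removed without re-pointing anything in the SAD, as an added toy model in Python. This is illustration code written for this page, not Steve's implementation or FreeS/WAN's; the class and function names, selectors, SPIs and addresses are all constructed.

```python
"""
Toy SPD/SAD model in which every SA is owned by one policy.  Removing a
policy drops only its own SAs; the SAD is keyed by SPI rather than by
position, so nothing else is re-indexed.  Illustration only, constructed
for this page; not code from any real IPsec implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None          # None means "any protocol"

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto))


@dataclass
class SA:
    spi: int
    policy_id: int
    protocol: str                        # "esp" or "ah"


@dataclass
class Policy:
    policy_id: int
    selector: Selector
    action: str                          # "protect", "bypass" or "discard"
    sas: List[SA] = field(default_factory=list)   # SAs owned by this policy


class IPsecDatabases:
    """Ordered SPD (first match wins) plus a SAD keyed by SPI."""

    def __init__(self) -> None:
        self.spd: List[Policy] = []
        self.sad: Dict[int, SA] = {}
        self._policy_ids = count(1)
        self._spis = count(0x1000)       # constructed SPI range

    def add_policy(self, src: str, dst: str, action: str,
                   proto: Optional[int] = None) -> Policy:
        pol = Policy(next(self._policy_ids),
                     Selector(ip_network(src), ip_network(dst), proto), action)
        self.spd.append(pol)
        return pol

    def add_sa(self, policy: Policy, protocol: str = "esp") -> SA:
        sa = SA(next(self._spis), policy.policy_id, protocol)
        self.sad[sa.spi] = sa            # SAD entry
        policy.sas.append(sa)            # link from the owning policy
        return sa

    def remove_policy(self, policy_id: int) -> int:
        """Remove one policy and only the SAs linked to it; return how many SAs went."""
        for i, pol in enumerate(self.spd):
            if pol.policy_id == policy_id:
                for sa in pol.sas:
                    del self.sad[sa.spi]
                del self.spd[i]
                return len(pol.sas)
        raise KeyError(policy_id)

    def lookup(self, src: str, dst: str, proto: int) -> Tuple[str, Optional[SA]]:
        """Outbound lookup: first matching policy and its first SA, if any."""
        for pol in self.spd:
            if pol.selector.matches(src, dst, proto):
                return pol.action, (pol.sas[0] if pol.sas else None)
        return "discard", None           # no matching policy: drop (RFC 2401 outbound rule)


def demo() -> dict:
    """Constructed scenario: remove one policy and show the others are untouched."""
    db = IPsecDatabases()
    p1 = db.add_policy("10.0.1.0/24", "10.0.2.0/24", "protect")
    p2 = db.add_policy("10.0.1.0/24", "10.0.3.0/24", "protect")
    sa1 = db.add_sa(p1)
    sa2 = db.add_sa(p2)
    before = db.lookup("10.0.1.5", "10.0.3.7", 6)
    removed = db.remove_policy(p1.policy_id)
    after = db.lookup("10.0.1.5", "10.0.3.7", 6)
    return {
        "removed": removed,                       # 1: only p1's SA was dropped
        "sa1_gone": sa1.spi not in db.sad,
        "sa2_kept": sa2.spi in db.sad,
        "same_sa_after": before[1] is after[1],   # p2's SA object and SPI unchanged
        "orphaned_flow": db.lookup("10.0.1.5", "10.0.2.9", 6),  # ("discard", None)
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ownership link in `Policy.sas`: because the SAD is a map from SPI to SA rather than an array the SPD indexes into, deleting a policy never shifts or rewrites any other entry, which is what makes dynamic add/remove cheap.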