Re: Choosing between IKEv2 and JFK
Angelos D. Keromytis writes:
>
> Jan,
> Let me point out that, in the test scenario you are describing, different
> certificates would be used for the different QoS levels, even though it
> is the same two peers (hosts) establishing multiple SAs. I ran into
> the exact same situation in a different context: per-user (or per-socket)
> keying using distinct SAs for each TCP connection. Since certificates are
> exchanged only during Phase 1 (in both IKE and IKEv2), you end up running
> complete Phase 1/Phase 2 exchanges for each such connection.

Huh? The certs are only there for identity. If I
want to have two different SAs so I get differential
queuing treatment, there's nothing that says that I
need two different identities. I just change the
traffic selectors. This isn't any different than
RSVP flow selectors and queuing treatment.
Mike