Re: Don't remove TS from IKEv2
> The point is that SOI should negotiate keys and SAs, but since each
> endpoint already has a policy that it must apply on every packet
> anyway, we don't need key management also to give policy
> refinements.

As I've explained repeatedly, this is true only when there is
centrally provisioned policy.

> Additionally, no existing or proposed traffic
> selector notation can describe all commonly used services.

That's setting a rather high bar, isn't it?

The use of SA's at transport-connection granularity in conjunction
with looser-grained policy will work for a very large proportion of
services, and works today in Sun's implementation.

- Bill