Re: Don't remove TS from IKEv2



> The point is that SOI should negotiate keys and SAs, but since each
> endpoint already has a policy that it must apply on every packet
> anyway, we don't need key management also to give policy
> refinements.

As I've explained repeatedly, this is true only when there is
centrally provisioned policy.

> Additionally, no existing or proposed traffic
> selector notation can describe all commonly used services.

That's setting a rather high bar, isn't it?  

The use of SAs at transport-connection granularity in conjunction
with looser-grained policy will work for a very large proportion of
services, and works today in Sun's implementation.

					- Bill