Re: Don't remove TS from IKEv2
Mike,
The issue here is that you don't want to create an SA that will
end in a black hole. If you create an "opportunistic" SA with
someone you've never heard of before, you need to know what your
peer will accept over the SA. If your peer will only accept,
e.g. packets to tcp/80, then you know you shouldn't send anything
else. This keeps you from creating a black hole.
-derek
Mike Ditto <ford@incog.com> writes:
> > > Besides, how do you decide if tunnel can be created
> >
> > two words:
> >
> > "transport mode"
>
> I'm sure Michael meant tunnel in the generic sense, not in the
> encapsulation sense. The point is that SOI should negotiate keys and
> SAs, but since each endpoint already has a policy that it must apply
> on every packet anyway, we don't need key management also to give
> policy refinements. Additionally, no existing or proposed traffic
> selector notation can describe all commonly used services.
>
> -=] Mike [=-
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
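The narrowing that Derek describes, as an added example that is not part of the thread or of any IKEv2 implementation: a small simulation of the responder-side traffic selector (TSr) exchange from IKEv2 (RFC 7296 section 2.9), where the initiator proposes a broad selector, the responder narrows it to what its policy will accept (here tcp/80 to one host), and the initiator's outbound policy check then refuses to push any other traffic into the SA instead of letting the peer silently discard it. Only the TSr half of the exchange is modelled, the addresses are documentation-range constants chosen for the example, and the function and class names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# IP protocol numbers as carried in IKEv2 traffic selectors (RFC 7296 3.13.1).
# Protocol 0 and port range 0-65535 mean "any".
ANY_PROTO = 0
TCP = 6
UDP = 17


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE-style selector: IP protocol, port range, address block."""
    proto: int
    port_lo: int
    port_hi: int
    net: IPv4Network

    def covers(self, proto: int, port: int, addr: IPv4Address) -> bool:
        """Does this selector match a (proto, port, address) triple?"""
        return ((self.proto == ANY_PROTO or self.proto == proto)
                and self.port_lo <= port <= self.port_hi
                and addr in self.net)

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Narrow this selector by another; None if they do not overlap."""
        if (self.proto != ANY_PROTO and other.proto != ANY_PROTO
                and self.proto != other.proto):
            return None
        proto = other.proto if self.proto == ANY_PROTO else self.proto
        lo, hi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if lo > hi:
            return None
        if self.net.subnet_of(other.net):
            net = self.net
        elif other.net.subnet_of(self.net):
            net = other.net
        else:
            return None  # partial address overlap not handled in this example
        return TrafficSelector(proto, lo, hi, net)


def responder_narrow(proposed_tsr: TrafficSelector,
                     policy: List[TrafficSelector]) -> Optional[TrafficSelector]:
    """Responder's half of the TS exchange: return the subset of the initiator's
    proposed TSr that local policy allows, or None (TS_UNACCEPTABLE) if nothing overlaps."""
    for entry in policy:
        narrowed = proposed_tsr.intersect(entry)
        if narrowed is not None:
            return narrowed
    return None


def outbound_decision(negotiated_tsr: TrafficSelector,
                      proto: int, dport: int, dst: IPv4Address) -> str:
    """Initiator's outbound check for a packet about to leave toward the peer.
    'protect' means it fits the negotiated TSr and goes into the SA; 'no_sa' means
    it must be handled by local policy (bypass, drop, or a new negotiation), never
    pushed into an SA whose peer will discard it."""
    return "protect" if negotiated_tsr.covers(proto, dport, dst) else "no_sa"


def peer_would_accept(policy: List[TrafficSelector],
                      proto: int, dport: int, dst: IPv4Address) -> bool:
    """The responder's inbound SPD check: what happens to a packet that arrives
    inside the SA. A False here, for a packet the initiator did send, is the black hole."""
    return any(entry.covers(proto, dport, dst) for entry in policy)


# Constructed example: an opportunistic initiator proposes "anything to 192.0.2.0/24",
# a responder whose policy only protects tcp/80 to 192.0.2.10.
INITIATOR_PROPOSED_TSR = TrafficSelector(ANY_PROTO, 0, 65535, IPv4Network("192.0.2.0/24"))
RESPONDER_POLICY = [TrafficSelector(TCP, 80, 80, IPv4Network("192.0.2.10/32"))]
NEGOTIATED_TSR = responder_narrow(INITIATOR_PROPOSED_TSR, RESPONDER_POLICY)


def black_holed_without_ts(proto: int, dport: int, dst: IPv4Address) -> bool:
    """Would this packet vanish if the initiator had no TSr and sent everything
    that matched its own broad proposal into the SA?"""
    return (INITIATOR_PROPOSED_TSR.covers(proto, dport, dst)
            and not peer_would_accept(RESPONDER_POLICY, proto, dport, dst))


if __name__ == "__main__":
    host = IPv4Address("192.0.2.10")
    print("negotiated TSr:", NEGOTIATED_TSR)
    for proto, port in ((TCP, 80), (TCP, 443), (UDP, 53)):
        print(proto, port, outbound_decision(NEGOTIATED_TSR, proto, port, host),
              "black hole without TS:", black_holed_without_ts(proto, port, host))
```

With the negotiated selector in hand, tcp/80 to 192.0.2.10 is protected and everything else is kept out of the SA; without it, the same initiator would encrypt tcp/443 or udp/53 toward the peer and the peer's inbound policy would drop them on arrival.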