
Re: Don't remove TS from IKEv2

Mike,

The issue here is that you don't want to create an SA that will
end in a black hole.  If you create an "opportunistic" SA with
someone you've never heard of before, you need to know what your
peer will accept over the SA.  If your peer will only accept,
e.g. packets to tcp/80, then you know you shouldn't send anything
else.  This keeps you from creating a black hole.

-derek

Mike Ditto <ford@incog.com> writes:

> > > Besides, how do you decide if tunnel can be created 
> > 
> > two words:
> > 
> > "transport mode"
> 
> I'm sure Michael meant tunnel in the generic sense, not in the
> encapsulation sense.  The point is that SOI should negotiate keys and
> SAs, but since each endpoint already has a policy that it must apply
> on every packet anyway, we don't need key management also to give
> policy refinements.  Additionally, no existing or proposed traffic
> selector notation can describe all commonly used services.
> 
> 					-=] Mike [=-

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
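As an added example (not part of the thread or any IKEv2 implementation), the following Python model shows the black-hole argument above in code: the responder narrows the initiator's traffic selector to its own policy (IKEv2 TS narrowing as in RFC 7296, simplified to one IPv4 range and one port range per selector), and the initiator then only steers matching packets into the SA. The tcp/80 policy and the 192.0.2.0/24 range are constructed sample values.

```python
# Added example: simplified IKEv2 traffic-selector (TS) narrowing and the
# sender-side check that keeps non-matching traffic out of a narrowed SA.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

ANY_PROTO = 0  # IKEv2 TS protocol ID 0: protocol is not relevant to the selector

@dataclass(frozen=True)
class TrafficSelector:
    proto: int
    port_lo: int
    port_hi: int
    addr_lo: IPv4Address
    addr_hi: IPv4Address

    def matches(self, proto: int, port: int, addr: IPv4Address) -> bool:
        proto_ok = self.proto == ANY_PROTO or self.proto == proto
        return (proto_ok and self.port_lo <= port <= self.port_hi
                and self.addr_lo <= addr <= self.addr_hi)

def narrow(proposed: TrafficSelector, policy: TrafficSelector) -> Optional[TrafficSelector]:
    """Responder side: intersect the initiator's TS with local policy.
    Returns None when the intersection is empty (TS_UNACCEPTABLE in IKEv2)."""
    if ANY_PROTO not in (proposed.proto, policy.proto) and proposed.proto != policy.proto:
        return None
    proto = policy.proto if proposed.proto == ANY_PROTO else proposed.proto
    port_lo, port_hi = max(proposed.port_lo, policy.port_lo), min(proposed.port_hi, policy.port_hi)
    addr_lo, addr_hi = max(proposed.addr_lo, policy.addr_lo), min(proposed.addr_hi, policy.addr_hi)
    if port_lo > port_hi or addr_lo > addr_hi:
        return None
    return TrafficSelector(proto, port_lo, port_hi, addr_lo, addr_hi)

def route_decision(ts: TrafficSelector, proto: int, port: int, dst: str) -> str:
    """Initiator side: only traffic covered by the negotiated TS goes into the
    SA; anything else falls back to normal policy instead of being silently
    dropped by a peer that never agreed to carry it."""
    return "send-over-sa" if ts.matches(proto, port, ip_address(dst)) else "not-covered"

# Constructed sample: initiator proposes "any protocol, any port, to 192.0.2.0/24";
# the responder's policy only admits tcp/80 to that range.
NET_LO, NET_HI = IPv4Address("192.0.2.0"), IPv4Address("192.0.2.255")
PROPOSED = TrafficSelector(ANY_PROTO, 0, 65535, NET_LO, NET_HI)
POLICY = TrafficSelector(6, 80, 80, NET_LO, NET_HI)
NEGOTIATED = narrow(PROPOSED, POLICY)

if __name__ == "__main__":
    print(NEGOTIATED)
    print(route_decision(NEGOTIATED, 6, 80, "192.0.2.10"))   # send-over-sa
    print(route_decision(NEGOTIATED, 6, 443, "192.0.2.10"))  # not-covered
```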