[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: divergent interpretations of IKE/IPsec - interop issues

To: silvere@iki.fi
Subject: Re: divergent interpretations of IKE/IPsec - interop issues
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Fri, 22 Mar 2002 01:41:17 +0200
CC: henry@spsystems.net, silvere@iki.fi, mcr@sandelman.ottawa.on.ca, ipsec@lists.tislabs.com
In-reply-to: <20020321223512.86615.qmail@web12201.mail.yahoo.com> (messagefrom Sami Vaarala on Thu, 21 Mar 2002 14:35:12 -0800 (PST))
References: <20020321223512.86615.qmail@web12201.mail.yahoo.com>
Sender: owner-ipsec@lists.tislabs.com


> The order of ESP and AH in the proposal
>     - Don't trust the order; although there is an order, it is actually
>       a set of proposals.
>     - Always send in order XYZ  (I prefer ESP followed by AH, some
>       otherwise).
>     - The semantic is always the same (ESP inside AH)
>     - If IPcomp involved, IPcomp, ESP, AH.

This and some other entries just show that IKE should not do
bundles. Creates unnecessary combinatory complexties.

It should negotiate a single SA at time (or to optimize, all
SA's, but it should not care about their order), it does not
matter. The policy checks in kernel will take care of bundle
requirements.

Follow-Ups:
- Re: divergent interpretations of IKE/IPsec - interop issues
  - From: Henry Spencer <henry@spsystems.net>
- Re: divergent interpretations of IKE/IPsec - interop issues
  - From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

References:
- Re: divergent interpretations of IKE/IPsec - interop issues
  - From: Sami Vaarala <svaarala@yahoo.com>

Prev by Date: Re: Don't remove TS from IKEv2
Next by Date: Re: divergent interpretations of IKE/IPsec - interop issues
Prev by thread: Re: divergent interpretations of IKE/IPsec - interop issues
Next by thread: Re: divergent interpretations of IKE/IPsec - interop issues
Index(es):
- Date
- Thread