
RE: Don't remove TS from IKEv2

> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
>
>	[skip]
> 
> >	Another problem is we cannot change inbound SPD without totally
> >shutting down tunnel.  If there are 500 remote users out there and admin
> >wants to change inbound policy (eg. remove one server from spd), he needs to
> >change all users' SPD before he can change tunnel setting.
> 
> Where in 2401 do you find the basis for this requirement, as opposed 
> to an implementation choice in a specific product?
> 

if the inbound policy of a tunnel is to allow all users to access 10.0.0.0/16
and admin wants to change it to 10.0.0.0/24, he cannot just change the SPD of
the gateway because IKE will check SPD through TS payload and fail.  The tunnel
will be down until all users' SPD get updated.

Michael
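The failure mode Michael describes, modelled as an added example that is not part of the original thread: a gateway whose SPD entry is narrowed from 10.0.0.0/16 to 10.0.0.0/24 while 500 remote users still propose a TSr of 10.0.0.0/16. The code compares a strict responder (the TSr must equal the SPD entry exactly, so every user's CHILD_SA negotiation fails until that user's SPD is updated) with a responder that narrows the proposed selector to the subset its own policy allows, which is the behaviour the final IKEv2 specification (RFC 7296, section 2.9) permits. The user counts and the 10.0.0.0/16 to 10.0.0.0/24 change are constructed from the post; the function names are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    """Parse a CIDR string into a network; strict=False tolerates host bits."""
    return ipaddress.ip_network(cidr, strict=False)


def strict_ts_check(proposed_tsr: str, gateway_spd: str) -> bool:
    """Responder behaviour described in the post: the TSr the initiator
    proposes must match the gateway's SPD entry exactly; anything else is
    rejected, so a narrower gateway SPD breaks every existing user."""
    return net(proposed_tsr) == net(gateway_spd)


def narrowed_ts(proposed_tsr: str, gateway_spd: str) -> Optional[Net]:
    """Narrowing responder (RFC 7296 section 2.9): return the subset of the
    proposed TSr that the gateway's SPD allows, or None when there is no
    overlap (the responder would then answer TS_UNACCEPTABLE)."""
    proposed, allowed = net(proposed_tsr), net(gateway_spd)
    if proposed.subnet_of(allowed):
        return proposed          # user asked for no more than policy allows
    if allowed.subnet_of(proposed):
        return allowed           # user asked for more; narrow to policy
    return None                  # disjoint selectors: negotiation fails


def simulate(user_tsr: List[str], gateway_spd: str, narrowing: bool) -> Dict[str, int]:
    """Count how many users' tunnels come up after the gateway SPD changes.
    user_tsr holds the TSr each remote user's SPD makes it propose."""
    result = {"up": 0, "down": 0}
    for tsr in user_tsr:
        if narrowing:
            ok = narrowed_ts(tsr, gateway_spd) is not None
        else:
            ok = strict_ts_check(tsr, gateway_spd)
        result["up" if ok else "down"] += 1
    return result


if __name__ == "__main__":
    # Constructed scenario from the post: 500 users configured for the old
    # 10.0.0.0/16 policy, gateway SPD narrowed to 10.0.0.0/24.
    users = ["10.0.0.0/16"] * 500
    print("strict responder:   ", simulate(users, "10.0.0.0/24", narrowing=False))
    # Admin has pushed the new SPD to 200 of the 500 users so far.
    partly_updated = ["10.0.0.0/24"] * 200 + ["10.0.0.0/16"] * 300
    print("strict, 200 updated:", simulate(partly_updated, "10.0.0.0/24", narrowing=False))
    print("narrowing responder:", simulate(users, "10.0.0.0/24", narrowing=True))
```

With the strict check all 500 tunnels stay down until each user's SPD is pushed, which is the operational problem in the post; with narrowing the gateway-side change takes effect immediately and each user's CHILD_SA simply comes up with the narrower 10.0.0.0/24 selector. Whether a given product narrows or rejects is an implementation choice, which is the point of Kent's question.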