RE: Don't remove TS from IKEv2
At 8:44 AM -0800 3/22/02, Michael Choung Shieh wrote:
>> -----Original Message-----
>> From: Stephen Kent [mailto:kent@bbn.com]
>>
>> [skip]
>>
>> > Another problem is we cannot change the inbound SPD without totally
>> > shutting down the tunnel. If there are 500 remote users out there and
>> > the admin wants to change the inbound policy (e.g. remove one server
>> > from the SPD), he needs to change all users' SPDs before he can change
>> > the tunnel setting.
>>
>> Where in 2401 do you find the basis for this requirement, as opposed
>> to an implementation choice in a specific product?
>>
>
>if the inbound policy of a tunnel is to allow all users to access 10.0.0.0/16
>and the admin wants to change it to 10.0.0.0/24, he cannot just change the SPD of
>the gateway because IKE will check the SPD through the TS payload and fail. The
>tunnel will be down until all users' SPDs get updated.
>
>Michael
Yes, if you want to change the security policy for an active tunnel,
then you do need to tear it down and establish a new one. If, as I
believe you propose, you make a purely local change, then you may
begin dropping packets that previously were OK for the tunnel.
Creating a black hole is hardly a recommended way to advertise a
policy change.
Steve
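The two outcomes argued over in this thread, modelled as an added example that is not from either poster or from any IKE implementation: a responder-side traffic-selector check against the SPD (Michael's "IKE will check SPD through TS payload and fails"), and the packet-level black hole Steve describes when only the gateway's local SPD is narrowed from 10.0.0.0/16 to 10.0.0.0/24 while the established tunnel's TS still covers the /16. The function names and the prefix-containment rule are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Hypothetical responder check: the TS proposed by the peer must fit
# inside the responder's SPD entry, otherwise the negotiation fails.
def ts_accepted(proposed_ts: str, responder_spd: str) -> bool:
    return ip_network(proposed_ts).subnet_of(ip_network(responder_spd))

# Classify an outbound packet against the TS of the already-established
# tunnel and the gateway's (possibly newly changed) local SPD.
def classify(dst: str, tunnel_ts: str, local_spd: str) -> str:
    d = ip_address(dst)
    in_tunnel = d in ip_network(tunnel_ts)
    in_policy = d in ip_network(local_spd)
    if in_tunnel and in_policy:
        return "forwarded"          # tunnel and policy agree
    if in_tunnel and not in_policy:
        return "black-holed"        # peer still sends it; gateway now drops it
    return "no-sa"                  # never matched the tunnel at all

if __name__ == "__main__":
    # Constructed scenario from the thread: users negotiated 10.0.0.0/16,
    # admin later narrows the gateway SPD to 10.0.0.0/24.
    old_spd, new_spd, user_ts = "10.0.0.0/16", "10.0.0.0/24", "10.0.0.0/16"
    print("re-negotiation with old SPD:", ts_accepted(user_ts, old_spd))
    print("re-negotiation with new SPD:", ts_accepted(user_ts, new_spd))
    for dst in ("10.0.0.7", "10.0.1.5", "192.168.1.1"):
        print(dst, "->", classify(dst, user_ts, new_spd))
```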