
RE: Don't remove TS from IKEv2



At 8:44 AM -0800 3/22/02, Michael Choung Shieh wrote:
>  > -----Original Message-----
>>  From: Stephen Kent [mailto:kent@bbn.com]
>>
>>	[skip]
>>
>>  >	Another problem is we cannot change inbound SPD without totally
>>  >shutting down the tunnel.  If there are 500 remote users out there and admin
>>  >wants to change inbound policy (e.g. remove one server from SPD), he needs to
>>  >change all users' SPD before he can change tunnel setting.
>>
>>  Where in 2401 do you find the basis for this requirement, as opposed
>>  to an implementation choice in a specific product?
>>
>
>if the inbound policy of a tunnel is to allow all users to access 10.0.0.0/16
>and admin wants to change it to 10.0.0.0/24, he cannot just change the SPD of
>the gateway because IKE will check SPD through TS payload and fail.  The tunnel
>will be down until all users' SPD get updated.
>
>Michael

Yes, if you want to change the security policy for an active tunnel, 
then you do need to tear it down and establish a new one. If, as I 
believe you propose, you make a purely local change, then you may 
begin dropping packets that previously were OK for the tunnel. 
Creating a black hole is hardly a recommended way to advertise a 
policy change.

Steve
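The disagreement above comes down to what happens to traffic the peer is still allowed to send (under the negotiated traffic selector) once the gateway narrows its own inbound SPD without renegotiating. The following is an added illustration, not code from this thread or from any IKE implementation: it models the negotiated TS of an active child SA beside a proposed local SPD entry, computes which address ranges would fall into the black hole Steve describes, and classifies sample inbound packets. The 10.0.0.0/16 and 10.0.0.0/24 values come from Michael's message; the function names and sample packet addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed inputs: the traffic selector negotiated for the active child SA,
# and the narrower inbound SPD entry the administrator wants to apply locally.
NEGOTIATED_TS = ip_network("10.0.0.0/16")
PROPOSED_SPD = ip_network("10.0.0.0/24")


def black_holed_ranges(negotiated_ts, proposed_spd):
    """Return the address ranges the peer may still send under the negotiated
    TS that a purely local narrowing of the SPD would silently discard.

    Only a strict narrowing produces such a set: a proposal that is not a
    subnet of the negotiated TS is a different kind of change and yields [].
    """
    if not proposed_spd.subnet_of(negotiated_ts) or proposed_spd == negotiated_ts:
        return []
    # address_exclude() splits the wider block into the CIDR pieces that lie
    # outside the narrower one; those pieces are exactly the black hole.
    return sorted(negotiated_ts.address_exclude(proposed_spd))


def classify_inbound(packet_dst, negotiated_ts, proposed_spd):
    """Decide the fate of one decrypted inbound packet after a local-only
    SPD change, without the peer having been told anything."""
    dst = ip_address(packet_dst)
    if dst not in negotiated_ts:
        # The peer's own SPD would never have selected this SA for it.
        return "not-for-this-sa"
    if dst in proposed_spd:
        return "forward"
    # Peer legitimately sent it under the negotiated TS; we now drop it
    # silently, which is the black hole the reply warns about.
    return "dropped-black-hole"


def review_policy_change(negotiated_ts, proposed_spd, sample_dsts):
    """Summarise the impact of the proposed change for an operator, so the
    decision to renegotiate (tear down and re-establish) is made knowingly."""
    holes = black_holed_ranges(negotiated_ts, proposed_spd)
    verdicts = {d: classify_inbound(d, negotiated_ts, proposed_spd) for d in sample_dsts}
    return {
        "black_hole_ranges": [str(n) for n in holes],
        "renegotiation_needed": bool(holes),
        "sample_verdicts": verdicts,
    }


if __name__ == "__main__":
    # Constructed sample destinations: one inside the new SPD, one in the
    # black hole, one never covered by this SA at all.
    report = review_policy_change(
        NEGOTIATED_TS, PROPOSED_SPD, ["10.0.0.5", "10.0.1.5", "10.1.0.1"]
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it lists the eight CIDR blocks (10.0.1.0/24 through 10.0.128.0/17) that remote users could still address but the gateway would now drop, which is the operational argument for tearing the SA down and renegotiating the TS rather than editing the gateway's SPD in place.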