
Re: Don't remove TS from IKEv2
> The IPsec "SPD" is rather poorly named.  It's a distinctly low-level
> concept, precisely dictating details of packet handling.  In some
> implementations (such as FreeS/WAN), the SPD is dynamic, not static, with
> SPD entries set up and torn down as tunnels come and go, based on IKE
> negotiations constrained by policy specifications at a much higher level
> of abstraction. 

So, here's where our implementation differs.  Our SPD is somewhat more
flexible, allowing a single policy rule to specify multiple
alternatives.  It's not dynamic.

When we set up SAs, we verify that the SA matches something in the
SPD but we don't modify the SPD at that time.  Instead, we have an
additional concept of "policy latching" -- we lock down the SA
attributes used at the time a transport connection is established.

				- Bill
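The static-SPD-with-alternatives and policy-latching behaviour Bill describes, as an added toy model that is not code from his implementation or from any IPsec stack. The selector shape, the `SaAttrs` fields and the function names are assumptions made for illustration; the point it shows is that the SPD is consulted but never mutated, and that once a connection has latched its SA attributes, a later rekey to a different alternative the SPD would otherwise accept is still refused for that connection.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SaAttrs:
    """Attributes an SA carries (hypothetical minimal set for the model)."""
    protocol: str   # "esp" or "ah"
    cipher: str
    auth: str


@dataclass
class SpdRule:
    """One static policy rule; any entry in `alternatives` satisfies it."""
    selector: Tuple[str, str, str]        # (local_net, remote_net, upper_proto)
    alternatives: Tuple[SaAttrs, ...]


class Spd:
    """Static SPD: lookups verify SAs but never add or remove rules."""

    def __init__(self, rules):
        self.rules = list(rules)

    def admits(self, selector, sa):
        # Pure check against the configured rules; nothing is modified here,
        # in contrast to a dynamic SPD that installs an entry per tunnel.
        return any(r.selector == selector and sa in r.alternatives
                   for r in self.rules)


@dataclass
class Connection:
    """A transport connection that latches the SA attributes in use."""
    selector: Tuple[str, str, str]
    latched: Optional[SaAttrs] = None


def establish(spd, conn, current_sa):
    """Latch policy: record the SA attributes in effect when the connection starts."""
    if not spd.admits(conn.selector, current_sa):
        raise ValueError("SA does not match any SPD alternative")
    conn.latched = current_sa
    return conn


def accept_packet(conn, sa):
    """After latching, only traffic protected by the latched attributes is accepted,
    even if the SPD would admit the other alternative for a fresh connection."""
    return conn.latched == sa
```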