RE: Move TS to optional (RE: Don't remove TS from IKEv2)

["sankar ramamoorthi" <sankar@nexsi.com>]

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Jan Vilhuber
> Sent: Monday, March 25, 2002 7:30 PM
> To: Andrew Krywaniuk
> Cc: 'Dan Harkins'; 'IP Security List'
> Subject: RE: Move TS to optional (RE: Don't remove TS from IKEv2) 
> 
> 
> Yes, I posted a link to it earlier.
> 
> It's worth noting that during the presenation Pyda presented two
> different ways that the policy could get updated on both ends:
> 
> - In IKE (which is what the draft talks about), but changing IKE is BAD.
> - In some as yet unspecified IPSP protocol (and we again have the
>   problem that someone else pointed out: that doesn't exist yet :)
> 
> So as each endpoint learns new policy (a new dynamic port), it
> *somehow* (i.e. via IKE or an external protocol) tells the other end
> to add or remove policy from the SA.

Are dynamic protocols a requirement for ikev2?
There have no comments to that regard.

Assuming that they are..

One concern I have with the proposed approaches is the additional
latency between discovery of the dynamic information and updating the
peer with the dynamic information. Using any of the proposed mechanisms 
(via IKE or external protocol), the latency may be unacceptably high
for some type of traffic.

Another alternative worth considering is to do policy change
inband to ipsec traffic. After all, if a secure a channel has
already been established with the peer, why not use the same channel
for updating the selector information?

-- sankar --