
Re: Move TS to optional (RE: Don't remove TS from IKEv2)
Dan Harkins <dharkins@tibernian.com> wrote:
 > >                        and would work with IKE if IKE didn't require the
 > > ends to describe in advance what traffic each SA would carry.
 > 
 > Manually keyed SAs require you to describe the traffic for each SA in
 > advance too!

No, there are two differences.  Manual keying doesn't require each end
to know what the other end's policy is, and manual keying doesn't
require sending a traffic description on the wire.  I can phone you up
and say "Let's set up our gateways to let us talk Telnet on ESP SPI 17
and HTTP on ESP SPI 42."  You configure your implementation your way,
I configure mine my way, and we communicate.  You might actually
configure your end to allow FTP and traceroute as well, and my end
will never know or care (but it will reject those packets if you ever
send them).  I don't need IPsec selectors on my end, and you're free
to use them on your end.

					-=] Mike [=-
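The asymmetry Mike describes, as an added example that is not part of the original message: two manually keyed gateways share only the SPI numbers, each enforces its own local policy, and no traffic description crosses the wire. The SPIs and protocols are the ones in the message; the Gateway/Packet structures and the mapping of FTP and traceroute onto SPIs 17 and 42 are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    spi: int     # ESP SPI the sender chose for this SA
    proto: str   # kind of traffic carried, e.g. "telnet"

@dataclass
class Gateway:
    name: str
    # Local policy only: SPI -> traffic kinds this end admits on that SA.
    # It is never sent to the peer, so the two ends may legitimately differ.
    policy: dict[int, set[str]] = field(default_factory=dict)

    def send(self, proto: str) -> Packet | None:
        """Choose the first SA whose local policy permits this traffic."""
        for spi, allowed in self.policy.items():
            if proto in allowed:
                return Packet(spi, proto)
        return None

    def accept(self, pkt: Packet) -> bool:
        """Inbound check against this end's own policy for that SPI only."""
        return pkt.proto in self.policy.get(pkt.spi, set())

def run_scenario() -> dict[str, str]:
    # Mike's end: exactly the two SAs agreed over the phone.
    mike = Gateway("mike", {17: {"telnet"}, 42: {"http"}})
    # Dan's end: same SPIs, but locally also admits FTP and traceroute
    # (assumed to ride SPI 17 and 42 respectively for this illustration).
    dan = Gateway("dan", {17: {"telnet", "ftp"}, 42: {"http", "traceroute"}})
    outcome: dict[str, str] = {}
    for proto in ("telnet", "http", "ftp", "traceroute", "ssh"):
        pkt = dan.send(proto)
        if pkt is None:
            outcome[proto] = "not sent: no SA at dan"
        elif mike.accept(pkt):
            outcome[proto] = f"accepted on SPI {pkt.spi}"
        else:
            # Mike's end never learned Dan's wider policy; it simply drops.
            outcome[proto] = f"rejected on SPI {pkt.spi}"
    return outcome

if __name__ == "__main__":
    for proto, result in run_scenario().items():
        print(f"{proto:10s} {result}")
```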