
Re: Move TS to optional (RE: Don't remove TS from IKEv2)



On Tue, 02 Apr 2002 12:04:56 PST you wrote
> 
>            What you seem to keep missing is that it is possible and
> useful to classify packets by criteria that don't directly correspond to
> port numbers.  There is no translation from such a classifier to a list
> of IPsec-style selectors.  

Well then it is possible to configure your box to classify a flow in a
way that is not possible to configure on an IPsec-compliant box. Therefore
you are a non-interoperable implementation EVEN WHEN IKE IS NOT USED.
Therefore this problem you have is not one of IKE using TS payloads because
even if it didn't YOU STILL WOULD NOT INTEROPERATE.

I don't keep missing it. I'm just ignoring it because you are trying to
simultaneously maintain two contradictory positions and I am trying to
pin you down. The utility of what you describe is irrelevant to the problem
you brought up (you can't interoperate with IKE) and the solution you 
proposed (to get rid of the TS payload). 

You basically can't have it both ways (even though you are trying to by
selectively bringing up one side in one email and the other in a different one).
Either you can interoperate with manually-keyed SAs, and therefore all you
need to do is write some code and you'd work with IKE; or you can't
interoperate with manually-keyed SAs in which case it is your problem because
you are intentionally non-compliant.

  Dan.
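The disagreement above turns on what an IPsec selector can and cannot express. The following is an added example, not code from this thread or from any IKE implementation: it encodes RFC 4301-style selectors as IKEv2 Traffic Selector substructures (the wire layout of RFC 7296 section 3.13.1: TS Type, IP Protocol ID, Selector Length, Start/End Port, Starting/Ending Address) and attempts to translate a packet-classifier rule into a TSi/TSr pair. A rule keyed on protocol, addresses and ports translates; a rule keyed on anything else (DSCP is the constructed example here) has no selector field to land in and is rejected. The `Selector` class, the classifier dictionary format and all addresses are constructed for this example.

```python
"""Added example: IKEv2 Traffic Selector encoding and classifier translation.
Wire format per RFC 7296 s3.13.1; Selector/classifier shapes are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

# TS Type values from RFC 7296 section 3.13.1
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
ANY_PORTS = (0, 65535)


class NotRepresentable(ValueError):
    """Raised when a classifier criterion has no IPsec selector field."""


@dataclass(frozen=True)
class Selector:
    """One RFC 4301-style selector: IP protocol, address range, port range.
    proto 0 means any protocol; ports 0-65535 mean any port."""
    proto: int
    start_addr: str
    end_addr: str
    start_port: int = 0
    end_port: int = 65535


def encode_ts(sel: Selector) -> bytes:
    """Encode one TS substructure: TS Type | IP Protocol ID | Selector Length |
    Start Port | End Port | Starting Address | Ending Address."""
    start = ipaddress.ip_address(sel.start_addr)
    end = ipaddress.ip_address(sel.end_addr)
    if start.version != end.version:
        raise ValueError("address range must be a single address family")
    if int(start) > int(end) or sel.start_port > sel.end_port:
        raise ValueError("range start exceeds range end")
    ts_type = TS_IPV4_ADDR_RANGE if start.version == 4 else TS_IPV6_ADDR_RANGE
    length = 8 + 2 * len(start.packed)  # 8-octet fixed header plus two addresses
    header = struct.pack("!BBHHH", ts_type, sel.proto, length,
                         sel.start_port, sel.end_port)
    return header + start.packed + end.packed


def decode_ts(buf: bytes) -> Selector:
    """Parse one TS substructure back into a Selector, rejecting bad lengths."""
    if len(buf) < 8:
        raise ValueError("TS substructure truncated")
    ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", buf[:8])
    addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
    if addr_len is None:
        raise ValueError(f"unknown TS type {ts_type}")
    if length != 8 + 2 * addr_len or len(buf) != length:
        raise ValueError("selector length does not match TS type")
    start = ipaddress.ip_address(buf[8:8 + addr_len])
    end = ipaddress.ip_address(buf[8 + addr_len:length])
    return Selector(proto, str(start), str(end), sport, eport)


def _range(cidr: str) -> tuple:
    """Turn a CIDR prefix into the (first, last) address range a TS carries."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def _ports(spec) -> tuple:
    """None -> any port; int -> single port; (lo, hi) -> inclusive range."""
    if spec is None:
        return ANY_PORTS
    return (spec, spec) if isinstance(spec, int) else tuple(spec)


def classifier_to_ts(rule: dict) -> tuple:
    """Translate a classifier rule into (TSi, TSr) bytes from the initiator's
    side.  Only proto/src/dst/sport/dport map onto selector fields; any other
    criterion (e.g. a constructed 'dscp' key) raises NotRepresentable."""
    allowed = {"proto", "src", "dst", "sport", "dport"}
    extra = set(rule) - allowed
    if extra:
        raise NotRepresentable(f"no selector field for {sorted(extra)}")
    proto = rule.get("proto", 0)
    if proto == 0 and ("sport" in rule or "dport" in rule):
        raise NotRepresentable("a port range requires a specific protocol")
    tsi = Selector(proto, *_range(rule.get("src", "0.0.0.0/0")),
                   *_ports(rule.get("sport")))
    tsr = Selector(proto, *_range(rule.get("dst", "0.0.0.0/0")),
                   *_ports(rule.get("dport")))
    return encode_ts(tsi), encode_ts(tsr)


def is_representable(rule: dict) -> bool:
    """True if the rule can be carried in TS payloads at all."""
    try:
        classifier_to_ts(rule)
        return True
    except NotRepresentable:
        return False


if __name__ == "__main__":
    # Constructed rules: the first is an ordinary manual-SA selector, the
    # second classifies on DSCP, which IKE's TS payload cannot carry.
    ok = {"proto": 6, "src": "10.1.0.0/16", "dst": "192.0.2.10/32", "dport": 443}
    bad = {"proto": 17, "dst": "192.0.2.0/24", "dscp": 46}
    for name, rule in (("port-based", ok), ("dscp-based", bad)):
        print(name, "representable:", is_representable(rule))
    tsi, tsr = classifier_to_ts(ok)
    print("TSi", tsi.hex(), "->", decode_ts(tsi))
    print("TSr", tsr.hex(), "->", decode_ts(tsr))
```

The `decode_ts` length check matters on a real responder: a TS substructure whose Selector Length disagrees with its TS Type is exactly the kind of malformed payload a parser should reject rather than index past.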