Re: Is TS agreement necessary?
On Wed, 03 Apr 2002 12:01:05 PST you wrote
> 
> OK.  At the time of sending a packet, the SA lookup would work basically
> the same as it does currently; the SPD and SAD would determine which SA
> is used.  I'm not proposing removing selectors from the SAD, I'm just
> proposing that the selectors aren't sent explicitly in SA establishment.
>
> When I initiate SA negotiation, I get to decide what goes in the
> selectors on my end, just like current IKE implementations.  What's
> different is how the selectors are set up for SAs that were requested by
> my peer.  When my peer asks me to add an SA pair to my SAD, I mark the
> SAs as "completely shared", "address unique" or "session unique" as my
> peer requests.  

The peer requests some "shared" or "unique" -ness to be assigned to
the SA during SA establishment time? How is that to be done exactly and
why is that any better than a TS payload? 

And what is a "session" if it doesn't involve ports and protocols?

> When establishing SAs, the initiator gives an abstract hint to the responder
> about the desired granularity of segregation.

You're proposing to replace a specific indication with an abstract hint.
It looks like there's lots of room for interpretation and disinteroperability
in this. That sounds worse than what we have today with IKEv1 and much,
much worse than what is proposed with the TS payload.

  Dan.