
Re: Do we actually need dynamic ports?



vilhuber@cisco.com (Jan Vilhuber) writes:
> This is no different than creating a second SA, I suppose. You want
> traffic for the FTP data channel? Create a new SA for
> it. Alternatively, and this is what Pyda's and my draft does, pass an
> indicator that identifies the previous SA, and ADD to it. Saves
> memory, at almost no additional cost.

Why have a special case for ADD and DELETE? Why not simply renegotiate a
new SA with a new set of selectors (i.e. add the new selectors, remove the
ones you do not want), and when that new SA is ready, delete the old
SA? I.e. simply make ADD and DELETE a rekey of the existing SA.

For IKEv1 you could not do that, as there was no way to express the
set of selectors, but with TS we can do that, so now that is an
option.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
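The "ADD/DELETE as a rekey" idea above, as an added example that is not part of the thread or of any SSH product: the selector set of the new SA is carried in a real IKEv2 Traffic Selector payload (RFC 7296 section 3.13.1 encoding, IPv4 address-range type only), the new SA is installed from the decoded payload, and only then is the old SA deleted. The `SADB` class, the `demo` function and the FTP selector values are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

TS_IPV4_ADDR_RANGE = 7   # IKEv2 TS Type for an IPv4 address range (RFC 7296, 3.13.1)
IPV4_SELECTOR_LEN = 16   # 8-byte selector header + two 4-byte addresses

# One selector is the tuple (ip_proto, start_port, end_port, start_addr, end_addr).
def encode_ts_payload(selectors):
    """TS payload body: TS Number, 3 reserved bytes, then one Traffic Selector each."""
    body = bytearray(struct.pack("!B3x", len(selectors)))
    for proto, sport, eport, saddr, eaddr in sorted(selectors):
        body += struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, IPV4_SELECTOR_LEN,
                            sport, eport, IPv4Address(saddr).packed, IPv4Address(eaddr).packed)
    return bytes(body)

def decode_ts_payload(body):
    """Parse a TS payload body back into a selector set; reject truncated or unknown entries."""
    count, off, selectors = body[0], 4, set()
    for _ in range(count):
        if off + IPV4_SELECTOR_LEN > len(body):
            raise ValueError("truncated traffic selector")
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", body, off)
        if ts_type != TS_IPV4_ADDR_RANGE or length != IPV4_SELECTOR_LEN:
            raise ValueError("unsupported traffic selector")
        saddr = str(IPv4Address(body[off + 8:off + 12]))
        eaddr = str(IPv4Address(body[off + 12:off + 16]))
        selectors.add((proto, sport, eport, saddr, eaddr))
        off += length
    if off != len(body):
        raise ValueError("trailing bytes after last selector")
    return selectors

class SADB:
    """Toy SA database, SPI -> selector set (hypothetical; not a real IPsec stack)."""
    def __init__(self):
        self.sas, self._next_spi = {}, 0x1000
    def create_sa(self, selectors):
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        self.sas[spi] = frozenset(selectors)
        return spi
    def rekey_with_selectors(self, old_spi, add=(), remove=()):
        """ADD/DELETE as a rekey: send the edited selector set as TS, install the new SA, then delete the old."""
        proposed = (self.sas[old_spi] | set(add)) - set(remove)
        new_spi = self.create_sa(decode_ts_payload(encode_ts_payload(proposed)))  # new SA ready
        del self.sas[old_spi]                                                   # only now drop the old one
        return new_spi

# Constructed sample: SA for the FTP control channel (TCP/21) to one server, then the data channel is added.
FTP_CONTROL = (6, 21, 21, "192.0.2.10", "192.0.2.10")
FTP_DATA = (6, 20, 20, "192.0.2.10", "192.0.2.10")   # active-mode data channel from server port 20

def demo():
    db = SADB()
    old_spi = db.create_sa({FTP_CONTROL})
    new_spi = db.rekey_with_selectors(old_spi, add={FTP_DATA})
    return db, old_spi, new_spi
```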