
Re: Do we actually need dynamic ports?
At 12:10 PM -0800 4/4/02, Jan Vilhuber wrote:
>The only minor difference (and I'm not saying it's important) is that
>you have to go through 'more' computation to delete and add a new SA,
>rather than adding to it, but that may be minor and not an issue at
>all. In particular: using up 'precious' entropy by having to come up
>with new key material, having to create a new SPI (and associated IKE
>delete payloads), and possibly having to rebuild some internal tree
>for the SAs (depends on implementation). Simply adding some selectors
>to an existing SA and keeping keys and SPI, *seems* easier, but may
>not actually make that much difference.

This is an interesting question for IKE implementers: which would make more sense to you?
- Keep a policy marker around and add or subtract relative to the marker
- Delete the old SA and create a new one when you want to add or subtract

--Paul Hoffman, Director
--VPN Consortium
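To make the trade-off in the quoted message concrete, here is an added toy model of a security association database (SAD) that supports both strategies Paul lists: extending an existing SA's selector set in place, or deleting the SA and creating a fresh one. It is illustration written for this page, not code from any IKE implementation or from either author; the selector fields, the 32-byte key size and the counters are assumptions chosen to show what each strategy costs in keying material, SPI allocation and IKE delete payloads.

```python
"""Toy model (added example, not from the thread): two ways to change an SA's selectors."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """A traffic selector; fields are a simplification of real IPsec selectors."""
    src: str
    dst: str
    proto: int  # 0 = any


@dataclass
class ChildSA:
    spi: int
    key: bytes
    selectors: list


class SADatabase:
    KEY_LEN = 32  # assumed keying-material size per SA (e.g. a 256-bit cipher key)

    def __init__(self):
        self.sas = {}               # spi -> ChildSA
        self.key_bytes_drawn = 0    # entropy consumed for keys
        self.delete_payloads = []   # SPIs announced to the peer in IKE DELETE payloads

    def _new_spi(self):
        # ESP SPIs are 32-bit; values 1..255 are reserved, so draw until we get a usable one.
        while True:
            spi = int.from_bytes(os.urandom(4), "big")
            if spi > 255 and spi not in self.sas:
                return spi

    def _new_key(self):
        self.key_bytes_drawn += self.KEY_LEN
        return os.urandom(self.KEY_LEN)

    def create(self, selectors):
        sa = ChildSA(self._new_spi(), self._new_key(), list(selectors))
        self.sas[sa.spi] = sa
        return sa

    def add_selector(self, spi, selector):
        """Strategy 1: grow the existing SA; SPI and key stay the same."""
        sa = self.sas[spi]
        if selector not in sa.selectors:
            sa.selectors.append(selector)
        return sa

    def replace(self, spi, selectors):
        """Strategy 2: delete the old SA (notifying the peer) and create a new one."""
        self.sas.pop(spi)
        self.delete_payloads.append(spi)
        return self.create(selectors)


def run_strategies(initial, additions):
    """Apply the same selector additions under both strategies and report the costs."""
    in_place, rekey = SADatabase(), SADatabase()
    a, b = in_place.create(initial), rekey.create(initial)
    first_spi_a, first_key_a = a.spi, a.key
    spi_changes_b = 0
    for sel in additions:
        a = in_place.add_selector(a.spi, sel)
        old_spi = b.spi
        b = rekey.replace(b.spi, b.selectors + [sel])
        spi_changes_b += int(b.spi != old_spi)
    return {
        "in_place": {
            "key_bytes": in_place.key_bytes_drawn,
            "delete_payloads": len(in_place.delete_payloads),
            "spi_changes": int(a.spi != first_spi_a),
            "same_key_throughout": a.key == first_key_a,
            "selectors": len(a.selectors),
        },
        "rekey": {
            "key_bytes": rekey.key_bytes_drawn,
            "delete_payloads": len(rekey.delete_payloads),
            "spi_changes": spi_changes_b,
            "same_key_throughout": False,
            "selectors": len(b.selectors),
        },
    }


if __name__ == "__main__":
    base = [Selector("10.0.0.0/24", "10.1.0.0/24", 0)]
    extra = [Selector("10.0.1.0/24", "10.1.0.0/24", 6),
             Selector("10.0.2.0/24", "10.1.0.0/24", 17)]
    for name, stats in run_strategies(base, extra).items():
        print(name, stats)
```

Running it with one initial selector and two additions shows the in-place strategy drawing key material once and sending no delete payloads, while the delete-and-recreate strategy draws fresh keys and allocates a new SPI for every change. The `same_key_throughout` flag is the security-relevant side of the same coin: in-place extension keeps one key in use while the set of traffic it protects grows, whereas recreation rekeys at each change.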