
Re: Do we actually need dynamic ports?
On Thu, 4 Apr 2002, Paul Hoffman / VPNC wrote:

> At 12:10 PM -0800 4/4/02, Jan Vilhuber wrote:
> >The only minor difference (and I'm not saying it's important) is that
> >you have to go through 'more' computation to delete and add a new SA,
> >rather than adding to it, but that may be minor and not an issue at
> >all. In particular: using up 'precious' entropy by having to come up
> >with new key material, having to create a new SPI (and associated IKE
> >delete payloads), and possibly having to rebuild some internal tree
> >for the SA's (depends on implementation). Simply adding some selectors
> >to an existing SA and keeping keys and SPI, *seems* easier, but may
> >not actually make that much difference.
>
> This is an interesting question for IKE implementers: which would
> make more sense to you?

A bit hard to tell (or maybe not? Let's see what others say).

> - Keep a policy marker around and add or subtract relative to the marker
> - Delete the old SA and create a new one when you want to add or subtract
>

The second doesn't require any new code, really. It reuses existing
code (set up SA, delete SA, send delete notify), but does raise some
synchronization issues (which is why I asked about the jenkins-rekey
draft).

The prior may be less 'work', but more internal machinery. I'll try to
find out for our implementation (I don't generally look at the IPsec
code much :)

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847