[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Do we actually need dynamic ports?

To: paul.hoffman@vpnc.org
Subject: Re: Do we actually need dynamic ports?
From: Paul Koning <pkoning@equallogic.com>
Date: Fri, 5 Apr 2002 09:44:44 -0500
Cc: vilhuber@cisco.com, ipsec@lists.tislabs.com
References: <Pine.LNX.4.33.0204041155460.22034-100000@janpc-home.cisco.com><p05101503b8d291a46811@[165.227.249.20]>
Sender: owner-ipsec@lists.tislabs.com

Excerpt of message (sent 4 April 2002) by Paul Hoffman / VPNC:
> This is an interesting question for IKE implementers: which would 
> make more sense to you?
> - Keep a policy marker around and add or subtract relative to the marker
> - Delete the old SA and create a new one when you want to add or subtract

Rekeying is a fine solution if you don't mind the added overhead,
provided that the handling of SA changeover gets cleaned up.  In IKEv1
it's not well specified; even if you avoid the interop problems it's
easy to get packet loss.  Tim Jenkins tried to fix that.

     paul

Follow-Ups:
- Re: Do we actually need dynamic ports?
  - From: Jan Vilhuber <vilhuber@cisco.com>

References:
- Re: Do we actually need dynamic ports?
  - From: Jan Vilhuber <vilhuber@cisco.com>
- Re: Do we actually need dynamic ports?
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: SPD and SADB per interface
Next by Date: Re: SPD and SADB per interface
Prev by thread: Re: Do we actually need dynamic ports?
Next by thread: Re: Do we actually need dynamic ports?
Index(es):
- Date
- Thread