[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Do we actually need dynamic ports?

To: Paul Koning <pkoning@equallogic.com>
Subject: Re: Do we actually need dynamic ports?
From: Jan Vilhuber <vilhuber@cisco.com>
Date: Fri, 5 Apr 2002 09:58:22 -0800 (PST)
cc: <paul.hoffman@vpnc.org>, <ipsec@lists.tislabs.com>
In-Reply-To: <15533.47196.341000.646131@gargle.gargle.HOWL>
Sender: owner-ipsec@lists.tislabs.com

On Fri, 5 Apr 2002, Paul Koning wrote:

> Excerpt of message (sent 4 April 2002) by Paul Hoffman / VPNC:
> > This is an interesting question for IKE implementers: which would
> > make more sense to you?
> > - Keep a policy marker around and add or subtract relative to the marker
> > - Delete the old SA and create a new one when you want to add or subtract
>
> Rekeying is a fine solution if you don't mind the added overhead,

There is no added overhead in either suggestion. Each takes one
round-trip. Creating new/deleting old requires a little extra
bookkeeping and a delete notification, but traffic can start flowing
after 1 round-trip in either case.

jan


> provided that the handling of SA changeover gets cleaned up.  In IKEv1
> it's not well specified; even if you avoid the interop problems it's
> easy to get packet loss.  Tim Jenkins tried to fix that.
>
>      paul
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

References:
- Re: Do we actually need dynamic ports?
  - From: Paul Koning <pkoning@equallogic.com>

Prev by Date: Re: Do we actually need dynamic ports?
Next by Date: RE: Do we actually need dynamic ports?
Prev by thread: Re: Do we actually need dynamic ports?
Next by thread: Re: Do we actually need dynamic ports?
Index(es):
- Date
- Thread