
Re: Do we actually need dynamic ports?



Hi Tero,

Comments below...

Tero Kivinen wrote:
> 
> vilhuber@cisco.com (Jan Vilhuber) writes:
> > This is no different than creating a second SA, I suppose. You want
> > traffic for the FTP data channel? Create a new SA for
> > it. Alternatively, and this is what Pyda's and my draft does, pass an
> > indicator that identifies the previous SA, and ADD to it. Saves
> > memory, at almost no additional cost.
> 
> Why have a special case for ADD and DELETE, why not simply renegotiate
> new SA with new set of selectors (i.e add new selectors, remove the
> ones you do not want), and when that new SA is ready, delete the old
> SA. I.e simply make ADD and DELETE to be rekey of the existing SA.
> 
> For IKEv1 you could not do that, as there was no way to express the
> set of selectors, but with TS we can do that, so now that is an
> option.

After giving this some thought, it strikes me that if we replace the
phase 2 SA pair every time the selectors change, then an FTP session
with a single GET (file transfer) would take 3 SA negotiations: one for
the original command channel, one for the new command + data channel,
and one for the removal of a data channel. Leaving the original SA pair
intact and negotiating a new one reduces this to 2 SA negotiations, but
consumes more memory. In the case of transferring lots of files, we
would need something like 1 + 2n negotiations for n files if replacing SAs,
and 1 + n if we simply add/delete new ones as needed.

Scott
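The negotiation counts Scott works out above can be checked with a small event-driven model of the three approaches discussed in the thread (rekey the whole SA on every selector change, negotiate a separate child SA per data channel, or add/delete selectors on one SA). This is an added example written for this page, not code from any IKE implementation or from the draft Jan refers to. The FTP event sequence, the port numbers and the cost model (a new or replaced child SA costs one negotiation, an ADD of a selector costs one exchange, an SA or selector delete costs none, and the old and new SA coexist briefly during a replacement) are modelling assumptions.

```python
"""Toy model: how many negotiations and how many concurrent child SAs
each strategy needs to carry an FTP session with n sequential GETs.

Assumptions (not from the thread): negotiating a new or replacement SA
costs 1, an ADD of a selector costs 1, deletes cost 0, and a selector is a
(proto, local_port, remote_port) triple.  Ports are made up.
"""
from dataclasses import dataclass


@dataclass
class Sa:
    selectors: frozenset


@dataclass
class Tally:
    negotiations: int = 0
    peak_sas: int = 0


def ftp_session(n_files, ctrl_port=21, first_data_port=50000):
    """Constructed event stream: open the control channel, then for each GET
    open and close a fresh data channel, then close the control channel."""
    events = [("open", ("tcp", 0, ctrl_port))]
    for i in range(n_files):
        sel = ("tcp", 0, first_data_port + i)
        events += [("open", sel), ("close", sel)]
    events.append(("close", ("tcp", 0, ctrl_port)))
    return events


class ReplaceOnChange:
    """Tero's option: every selector change is a rekey of the whole SA with
    the new selector set; the old SA is deleted once the new one is ready."""
    name = "replace SA on every selector change"

    def __init__(self):
        self.sa, self.tally = None, Tally()

    def handle(self, kind, sel):
        current = self.sa.selectors if self.sa else frozenset()
        new = current | {sel} if kind == "open" else current - {sel}
        if not new:                      # last selector gone: plain delete, no negotiation
            self.sa = None
            return
        self.tally.negotiations += 1     # negotiate the replacement SA
        # old and new SA coexist until the old one is deleted
        self.tally.peak_sas = max(self.tally.peak_sas, 2 if self.sa else 1)
        self.sa = Sa(new)


class OneSaPerChannel:
    """Jan's first option: leave the existing SA alone and negotiate a
    separate child SA for each new data channel."""
    name = "separate SA per channel"

    def __init__(self):
        self.sas, self.tally = {}, Tally()

    def handle(self, kind, sel):
        if kind == "open":
            self.tally.negotiations += 1
            self.sas[sel] = Sa(frozenset({sel}))
            self.tally.peak_sas = max(self.tally.peak_sas, len(self.sas))
        else:
            del self.sas[sel]            # SA delete is a notification, not a negotiation


class AddDeleteSelectors:
    """The add/delete option: one SA; a new channel is ADDed to its selector
    set with one exchange, a closed channel is DELETEd without one."""
    name = "add/delete selectors on one SA"

    def __init__(self):
        self.sa, self.tally = None, Tally()

    def handle(self, kind, sel):
        current = self.sa.selectors if self.sa else frozenset()
        if kind == "open":
            self.tally.negotiations += 1   # initial SA, or an ADD exchange
            self.sa = Sa(current | {sel})
            self.tally.peak_sas = 1        # never more than the one SA pair
        else:
            remaining = current - {sel}
            self.sa = Sa(remaining) if remaining else None


def compare(n_files):
    """Return {strategy name: (negotiations, peak concurrent child SAs)}."""
    results = {}
    for strategy in (ReplaceOnChange(), OneSaPerChannel(), AddDeleteSelectors()):
        for kind, sel in ftp_session(n_files):
            strategy.handle(kind, sel)
        results[strategy.name] = (strategy.tally.negotiations, strategy.tally.peak_sas)
    return results


if __name__ == "__main__":
    for n in (1, 5):
        print(f"{n} file(s):")
        for name, (negs, peak) in compare(n).items():
            print(f"  {name:40s} negotiations={negs:3d}  peak child SAs={peak}")
```

Running it reproduces the figures in the message: replacing the SA costs 1 + 2n negotiations for n files (3 for a single GET) but never holds more than two child SAs, a separate SA per channel costs 1 + n negotiations but also needs two SAs in flight, and adding/deleting selectors costs 1 + n with a single SA pair throughout. Changing the event stream (for example several concurrent data channels) shows how the separate-SA peak grows while the other two stay fixed.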