
Re: Is TS agreement necessary?



At 3:56 PM -0800 4/5/02, Kalyan Bade wrote:
	<SNIP>

>
>  >
>>  RFC 2401 is reasonably clear in noting that the SPD is nominally per
>>  interface. What sort of management interface is provided to a client
>>  is up to the vendor, so long as one can achieve the same effects as a
>>  per-interface SPD.  Otherwise, the implementation would not be
>>  compliant.
>
>Well, the point is whether TS agreement is necessary? IPsec doesn't
>really need to know about the phase2 selectors as the routing protocols
>decide what selectors are allowed on a particular IPsec tunnel. It is
>decided dynamically depending on the topology and I would say we should
>be able to do an IKE negotiation without any TS.
>
>Thanks,
>Kalyan.

IPsec is implemented in end systems, BITW devices, and security 
gateways. I'm not convinced that your comment above applies to all of 
these cases. For example, which routing protocols running in my host 
are you referring to?

The question of the need to exchange TS values in IKE is much broader 
than the narrow issue that this thread is now focusing on.

Steve