Re: Is TS agreement necessary?



Wang, Cliff wrote:
> I don't understand the recursive part from both implementation and standards
> point.

It's recursive as in 'self referential', not as in 'packets loop'. 
Perhaps self-referential would have been more precise.

The point is that RFC2401 talks about tunnel SAs being in the SPD of the 
interface over which the tunneled packets go, not the tunnel itself. 
I.e., putting the SA in an SPD of a tunnel which exists only because the 
SA says "please encapsulate these packets" uses an SA that refers to the 
tunnel (i.e., self-referential).

> The SPD is used to decide what should go into the tunnel, normally a clear
> packet, not an IPsec packet.

The SPD decides only whether a packet already sent to the tunnel by 
routing is tunneled and IPsec'd; having an SPD on a tunnel deciding what 
gets tunneled is the self-referential part.

Joe