Re: Specification of tunnel/transport attribute in IKEv2
At 10:24 AM +0300 5/23/02, Markku Savela wrote:
>This is supposed to be technical discussion and I consider a
>non-policy checking IKE technically a better solution to the problem.
Note, however, that Dan has pointed out with very clear examples why
simply moving "policy" from IKE to 2401 will lead to lack of
interoperability in implementations. It seems like your proposed new
view of 2401 will either:
- need some policy negotiation outside of IKE before packets start to flow
- need some policy announcement when bad packets are received
("you're sending me packets that I have no intention of passing to
the inside network")
- cause black holes that cannot be detected
Could you say briefly which of the above you are proposing? If it is one
of the first two, which protocol are you saying would be used?
--Paul Hoffman, Director
--VPN Consortium