
Re: new version of ESP ID



At 2:48 PM -0400 7/2/02, Andrea Colegrove wrote:

	<SNIP>

>Re: IKEv2 and JFK -- a couple of recent postings have mentioned the use of both.
>But, yes, I agree it would be an interoperability nightmare.
>
>Nevertheless, even the different domains of pairwise dynamic keying,
>single-source multicast, multi-sender multicast, pre-placed (if it survives)
>update management, and centralized keying, all have slightly different needs
>for the SPD. I would suspect that unless the policy issues were pushed up to
>the application layer, the SPD will need to have a flexible format for any
>implementation. Indeed, I would suspect that for management purposes, it
>would even make sense in the future to take on standardized approaches for
>remote management of SPDs. (2401-bis).
>
>This complexity probably does fly in the face of the simplicity needed for
>high speed applications.
>
>--- Andrea

I think your final sentence is most telling. The changes we are 
anticipating for the SPD, in terms of selectors, are consistent with 
the excellent suggestion incorporated in JFK, and picked up by IKE 
v2, i.e., the uniform treatment for expressing concrete values (vs. 
symbolic names) for address, port fields, and the protocol field. 
This already adds some complexity, but not as much as I think you may 
be suggesting for MSM. We can handle SSM with our current scheme, and 
since we don't know how to deal with various other IPsec problems in 
MSM (if we try to map an MSM group to a single SA), I think that hard 
case will be deferred for 2401bis.

Steve