
Re: SOI QUESTION: 5.3 SPD entries




> Please discuss and answer the following question:
> 
> 
> 5.3 SPD entries
> 
> 5.3.A) Is it important in SOI to allow the responder to accept a subset
> of the proposed SA, or should it be an all or nothing acceptance?
> 
> 5.3.B) Should the SOI offer multiple selectors with specific ports and
> addresses, or a single selector with a range of ports and range of
> addresses?  (complicated boolean complexity!)  
> 
> Implications from the scenarios:
> 
> <<<In the case of a pair of SGWs fronting multiple non-contiguous
> subnets, a mechanism that allowed the negotiation of a list of phase 2
> identities will help to alleviate the number of IPsec tunnels that must
> be created.>>> [[[5.3]]]


Irrelevant. IKE does not need to check policy.

Just recording my objection (no need to start discussion) :-)