Re: Adding revised identities to IKEv2
In your previous mail you wrote:
If I'm understanding this thread correctly,
=> the main thread is about peer source addresses in IKE,
but there is a sub-thread about the same thing as this message.
I agree with your concern that tunnel endpoints
ought to be moveable. However, my understanding is
that this is mainly a *signaling* issue: eg IKE
doesn't have a way to tell the other IKE to move
the tunnel endpoint.
=> there is today an indirect way through rekeying (new phase 2)
but:
- with PFS this is a bit expensive
- so a new readdressing exchange should be welcome
(in IKEv2 which mandates "phase 2" PFS)
- of course, implementations which use addresses in place of
the SPI (aka cookies in IKEv1) to get the phase 1 context
have to be fixed!
Another point: spurious checks on the outer source address should not
be performed.
(BTW I believe we agree about these points)
Thanks
Francis.Dupont@enst-bretagne.fr
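The point about implementations keying the phase 1 context by address rather than by SPI, as an added toy example (not code from the thread or from any IKE implementation): a table keyed by the SPI pair still finds the context when the peer's outer source address changes, while a table keyed by the outer address loses it. The `IkeSa`, `IkeMessage` and table classes, and the addresses used, are all constructed for illustration.

```python
"""Toy IKE SA lookup: phase 1 context keyed by SPI pair versus by peer address.
Constructed example; all names and addresses are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port) of the outer header


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    peer: Addr  # last seen outer source address of the peer (state, not a key)


@dataclass
class IkeMessage:
    spi_i: bytes
    spi_r: bytes
    src: Addr  # outer IP/UDP source address the message arrived from


class SpiKeyedTable:
    """Find the context by the SPI pair (the IKEv1 'cookies')."""
    def __init__(self) -> None:
        self.sas: Dict[Tuple[bytes, bytes], IkeSa] = {}

    def add(self, sa: IkeSa) -> None:
        self.sas[(sa.spi_i, sa.spi_r)] = sa

    def receive(self, msg: IkeMessage) -> Optional[IkeSa]:
        sa = self.sas.get((msg.spi_i, msg.spi_r))
        if sa is not None:
            # No check that msg.src equals the stored address: a message that
            # passes the SA's integrity check simply updates the endpoint.
            sa.peer = msg.src
        return sa


class AddressKeyedTable:
    """Find the context by outer source address: breaks when the peer moves."""
    def __init__(self) -> None:
        self.sas: Dict[Addr, IkeSa] = {}

    def add(self, sa: IkeSa) -> None:
        self.sas[sa.peer] = sa

    def receive(self, msg: IkeMessage) -> Optional[IkeSa]:
        return self.sas.get(msg.src)  # the moved peer's address is unknown here


def context_survives_move(table) -> bool:
    """True if the same phase 1 context is found after the peer changes address."""
    sa = IkeSa(b"\x11" * 8, b"\x22" * 8, ("192.0.2.1", 500))  # constructed
    table.add(sa)
    moved = IkeMessage(sa.spi_i, sa.spi_r, ("198.51.100.7", 500))  # same SPIs
    return table.receive(moved) is sa
```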