Re: IKEv2 transport concerns



>>>>> "Black" == Black David <Black_David@emc.com> writes:
    Black> Steve,

    Black> The goal here is that any use of IKEv2 to negotiate a tunnel-mode SA
    Black> (or UDP-encapsulated tunnel-mode SA for NAT traversal) carry an implied
    Black> promise that ECN will be supported and handled correctly for that
    Black> tunnel.  This avoids any need for IKEv2 to negotiate/report/etc.
    Black> ECN handling, in contrast to IKEv1 where a negotiable SA attribute

  David, while I understand what you are trying to do, you are assuming that
IKEv2 can only be deployed with an entirely new system. IKEv2 is a trivial
upgrade of system software (perhaps a "Service Pack"), while the upgrade to
the IPsec portions may in fact require changes to hardware.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [