[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)

To: jalpert@CheckPoint.com
Subject: Re: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
From: Markku Savela <msa@burp.tkv.asdf.org>
Date: Tue, 11 Mar 2003 15:08:28 +0200
CC: radia.perlman@sun.com, ipsec@lists.tislabs.com
In-reply-to: <005801c2e7c0$3b2d0b20$7b2e1dc2@jesse> (jalpert@CheckPoint.com)
References: <005801c2e7c0$3b2d0b20$7b2e1dc2@jesse>
Sender: owner-ipsec@lists.tislabs.com

Just stirring the soup, food for thought...

> From: "Jesse Alpert" <jalpert@CheckPoint.com>
> 
> In this scenario the "uniquifier" will help, since it will indicate that
> these tunnels are not redundant - they are used by the peer for some
> (unknown) purpose.

SPI itself is already "uniquifier". Maybe the problem is not here, but
instead in the definition of what is "redundant"?

Perhaps it should be changed, remove the following from spec:

> ... is that IKEv2 says that two child-SAs with the same traffic
> selectors are redundant, and extra ones should be closed.

..especially the "should be closed part". The same thing that would
decide whether to include "uniquifier", could also decide whether to
issue DELETE's for the "redundant SA" or not.

Follow-Ups:
- RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
  - From: "Yoav Nir" <ynir@CheckPoint.com>
- RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
  - From: "Jesse Alpert" <jalpert@CheckPoint.com>

References:
- IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
  - From: "Jesse Alpert" <jalpert@CheckPoint.com>

Prev by Date: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Next by Date: Re: suites vs. a la carte and IPcomp in IKEv2-05
Prev by thread: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Next by thread: RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Index(es):
- Date
- Thread