[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)

To: Jesse Alpert <jalpert@CheckPoint.com>
Subject: Re: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
From: Uri Blumenthal <uri@bell-labs.com>
Date: Tue, 11 Mar 2003 09:51:53 -0500
Cc: "'Markku Savela'" <msa@burp.tkv.asdf.org>, ipsec@lists.tislabs.com
Organization: Lucent Tehcnologies / Bell Labs
Original-CC: "'Markku Savela'" <msa@burp.tkv.asdf.org>, ipsec@lists.tislabs.com
References: <005b01c2e7d8$b3a23720$7b2e1dc2@jesse>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Jesse Alpert wrote:
>>SPI itself is already "uniquifier". Maybe the problem is not here, but
>>instead in the definition of what is "redundant"?
> 
> You are right, and that will probably work as well.

Then why multiply the entities? Occham's Razor...


> However:
> If I understood correctly, IKEv2 draft was referring to the case where both
> peers initiate a CHILD-SA exchange almost at once, resulting in two
> identical IPsec SAs one of which IS redundant. In such a case you would want
> to close one of the SAs to save on resources. The "uniquifier" can be used
> to indicate this is not the case.

I don't think it would work the way you describe - i.e. both
hosts are unaware and so created SAs with "uniquifier" 0...

I don't know how to deal with the described problem efficiently.

Follow-Ups:
- RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
  - From: "Jesse Alpert" <jalpert@CheckPoint.com>

References:
- RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
  - From: "Jesse Alpert" <jalpert@CheckPoint.com>

Prev by Date: RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Next by Date: Another field for traffic selector?
Prev by thread: RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Next by thread: RE: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Index(es):
- Date
- Thread