
Re: peer address update payload



Francis.Dupont@enst-bretagne.fr (Francis Dupont) writes:
> Here is a proposal for the peer address update payload if
> we decide to include it in the next IKEv2 draft. The modifs
> are:

I am still not sure we need to have the ability to have a different IP
address for each CHILD SA of the IKE SA. I think we should simply say
that if you want to modify the IP addresses of the CHILD SAs
independently then create them using separate IKE SAs. If you happen
to have all of the CHILD SAs created by one IKE SA and you want to
split them into two different classes, create another IKE SA and
recreate those CHILD SAs you want to move inside this new IKE SA and
delete them from the old IKE SA.

Or you can create each CHILD SA with a separate IKE SA.

I think it is simpler, and offers the same features as the peer address
update payload.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/