Re: Question on SA Bundle
At 11:42 PM +0300 4/16/03, Markku Savela wrote:
>> From: Stephen Kent <kent@bbn.com>
>>
>> I guess I don't really understand your motivation for not having IKE
>> convey the policy info from the SPDs to avoid future problems. Do you
>> envision other ways to convey this data, or do you not believe that
>> it is worthwhile to avoid the sort of problems noted above?
>
>The current IPSEC/IKE architecture seems to be something like
>
>   +-------------------------+
>   | TCP/IP Stack +          |
>   |   IPSEC processing      |
>   |   ^    (AH/ESP/RFC-2401)|
>   +---|----------|----------+
>       |          | Key API
>       |          |
>     Policy ---> IKE
>
>I believe the "Policy --> IKE" link should not be there (not for
>PHASE2 SA's at least). For IKE all that is needed, is KEY API.
I would not draw the diagram that way. When I speak on IPsec I don't
have a diagram that looks at all like that. I won't try to convert
my PPT slides for outbound and inbound processing into ASCII diagrams
now, but they will appear in the 2401bis I-D later this summer.
Note that 2401 does not refer to a "Key API", nor does it say in
detail how the SPD is populated.
Steve
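
As an added illustration (not code from this thread or from either of its participants), the following Python models the ordered RFC 2401 Security Policy Database lookup that sits behind the "Policy" box in the diagram above: an outbound packet is matched against selectors in order, the first match decides discard/bypass/protect, and a "protect" entry yields the SA bundle specification (the ordered list of AH/ESP protocols and modes) together with the selector a key-management exchange would have to cover. The SPD entries, addresses and packets are constructed for this example; the entry layout follows RFC 2401's selector/action/bundle structure but is simplified.

```python
"""Toy RFC 2401-style SPD lookup and SA-bundle selection (added example).

All SPD entries, addresses and packets below are constructed for
illustration; they do not come from the thread or from any real policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                  # next-layer protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    """RFC 2401 selectors; None means 'any' (wildcard)."""
    src: str                    # CIDR range
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass(frozen=True)
class SaSpec:
    protocol: str               # "ESP" or "AH"
    mode: str                   # "transport" or "tunnel"
    peer: Optional[str] = None  # tunnel endpoint, for tunnel mode


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    action: str                 # "discard", "bypass" or "protect"
    bundle: Tuple[SaSpec, ...] = ()   # applied in order, innermost first


# Constructed SPD. RFC 2401 makes the SPD an ordered list: the first
# matching entry wins, so the narrow SSH rule must precede the broad one.
SPD = (
    SpdEntry(Selector("10.1.0.0/16", "10.2.0.0/16", proto=6, dport=22),
             "discard"),
    SpdEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "protect",
             (SaSpec("ESP", "transport"),
              SaSpec("AH", "tunnel", peer="192.0.2.1"))),
    # let the key-management daemon's own UDP/500 traffic out in the clear
    SpdEntry(Selector("10.1.0.0/16", "0.0.0.0/0", proto=17, dport=500),
             "bypass"),
)


def lookup(spd, pkt: Packet) -> Optional[SpdEntry]:
    """Return the first SPD entry whose selectors match the packet."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return None


def outbound_decision(spd, pkt: Packet):
    """Decide what outbound processing a packet gets.

    Returns (action, detail). For "protect", detail carries the SA bundle
    spec and the matched selector, i.e. the policy information a key
    management exchange for that bundle would have to reflect. No match
    means discard, as RFC 2401 requires for outbound traffic.
    """
    entry = lookup(spd, pkt)
    if entry is None:
        return ("discard", None)
    if entry.action != "protect":
        return (entry.action, None)
    return ("protect", {"selector": entry.selector, "bundle": entry.bundle})


if __name__ == "__main__":
    for pkt in (Packet("10.1.0.5", "10.2.0.9", 6, 22),
                Packet("10.1.0.5", "10.2.0.9", 6, 443),
                Packet("10.1.0.5", "10.2.0.9", 17, 500),
                Packet("10.1.0.5", "198.51.100.7", 17, 500),
                Packet("10.9.0.1", "10.2.0.9", 6, 80)):
        print(pkt, "->", outbound_decision(SPD, pkt))
```

The third sample packet (UDP/500 to a 10.2.0.0/16 host) is caught by the broad "protect" entry before it reaches the "bypass" entry, which is exactly the ordering hazard an ordered SPD introduces; the detail returned for a "protect" match is what a key-management daemon would need beyond a bare key API if it is to negotiate an SA bundle that actually corresponds to the policy.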