
Re: Question on SA Bundle



At 11:42 PM +0300 4/16/03, Markku Savela wrote:
>> From: Stephen Kent <kent@bbn.com>
>>
>>  I guess I don't really understand your motivation for not having IKE
>>  convey the policy info from the SPDs to avoid future problems. Do you
>>  envision other ways to convey this data, or do you not believe that
>>  it is worthwhile to avoid the sort of problems noted above?
>
>The current IPSEC/IKE architecture seems to be something like
>
>     +-------------------------+
>     | TCP/IP Stack +          |
>     |   IPSEC processing      |
>     |   ^  (AH/ESP/RFC-2401)  |
>     +---|----------|----------+
>         |          | Key API
>         |          |
>       Policy ---> IKE
>
>I believe the "Policy --> IKE" link should not be there (not for
>PHASE2 SA's at least). For IKE all that is needed, is KEY API.

I would not draw the diagram that way. When I speak on IPsec I don't 
have a diagram that looks at all like that.  I won't try to convert 
my PPT slides for outbound and inbound processing into ASCII diagrams 
now, but they will appear in the 2401bis I-D later this summer.

Note that 2401 does not refer to a "Key API" nor does it say in 
detail how the SPD is populated.

Steve