
Re: peer address update payload



 In your previous mail you wrote:

   Francis.Dupont@enst-bretagne.fr (Francis Dupont) writes:
   > Here is a proposal for the peer address update payload if
   > we decide to include it in the next IKEv2 draft. The modifs
   > are:
   
   I am still not sure we need to have the ability to have a different IP
   address per CHILD SA of the IKE SA.

=> between multi-homed SGs this is very useful, both for resilience
to failures and for load sharing. In the mobile node to mobile node
case, one would like to set up an ESP tunnel using the care-of addresses
in the outer header but with an IKE SA running over the stable home
addresses: this is the easiest way to handle simultaneous handoffs.

   I think we should simply say
   that if you want to modify the IP addresses of the CHILD SAs
   independently then create them using separate IKE SAs.

=> this can be very expensive. I believe this trade-off was
intensely discussed when we decided to keep a two-phase protocol,
i.e., the choice is to run *one* IKE SA between two peers.

   If you happen
   to have all of the CHILD SAs created by one IKE SA and you want to
   split them to two different classes, create another IKE SA and
   recreate those CHILD SAs you want to move inside this new IKE SA and
   delete them from the old IKE SA.
   
   Or you can create each CHILD SA with separate IKE SA. 
   
=> I agree this gives the same level of flexibility.

   I think it is simpler, and offers the same features as the peer address
   update payload.

=> I don't believe we agree about what is simpler. My opinion is
that using one IKE SA per IPsec SA group is against the rationale for
a two-phase protocol...

Thanks

Francis.Dupont@enst-bretagne.fr
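The simultaneous-handoff argument above (ESP outer header on care-of addresses, IKE SA on the stable home addresses), as an added toy simulation that is not part of the original message or of any IKEv2 draft. The node model, the home-agent forwarding rule and the PEER_ADDRESS_UPDATE message shape are invented for the model; the point it shows is that when both mobile nodes move at the same instant, an update sent to the peer's old care-of address is lost, while one sent to the peer's home address still arrives.

```python
"""Toy model of two mobile nodes handing off simultaneously.

Added example, not code from the message or from any IKEv2 draft. Each node
has a stable home address (always reachable through a home agent) and a
care-of address that changes on handoff. The ESP tunnel uses care-of
addresses in its outer header; the question is which addresses the IKE SA,
and hence the peer address update, travels over. Names and message shapes
are assumptions made for the model."""

from dataclasses import dataclass, field


@dataclass
class MobileNode:
    name: str
    home: str                 # stable home address, reachable via home agent
    coa: str                  # current care-of address, changes on handoff
    peer_ike_addr: str = ""   # address this node sends IKE messages to
    peer_coa: str = ""        # peer care-of address used in the ESP outer header
    inbox: list = field(default_factory=list)

    def move(self, new_coa):
        self.coa = new_coa


class Network:
    """Delivers to whichever node currently owns the destination address.

    A home address is always owned by its node (the home agent forwards it);
    a care-of address is owned only while the node is still attached there,
    so a packet sent to a stale care-of address is dropped."""

    def __init__(self, nodes):
        self.nodes = nodes

    def send(self, src, dst, msg):
        for node in self.nodes:
            if dst in (node.home, node.coa):
                node.inbox.append((src, msg))
                return True
        return False  # dropped: nobody holds that address any more


def simultaneous_handoff(ike_over_home):
    """Both nodes move at the same instant, then each sends a peer address
    update carrying its new care-of address over the IKE SA.

    Returns (per-node delivery result, whether the ESP outer addresses
    agree on both sides afterwards)."""
    a = MobileNode("A", home="home-A", coa="coa-A1")
    b = MobileNode("B", home="home-B", coa="coa-B1")
    net = Network([a, b])
    for me, peer in ((a, b), (b, a)):
        me.peer_coa = peer.coa
        me.peer_ike_addr = peer.home if ike_over_home else peer.coa

    # Simultaneous handoff: both care-of addresses change before either
    # update can be delivered.
    a.move("coa-A2")
    b.move("coa-B2")

    delivered = {}
    for me in (a, b):
        src = me.home if ike_over_home else me.coa
        delivered[me.name] = net.send(src, me.peer_ike_addr,
                                      ("PEER_ADDRESS_UPDATE", me.coa))

    # Each node applies whatever updates actually reached it.
    for node in (a, b):
        for _src, (kind, new_coa) in node.inbox:
            if kind == "PEER_ADDRESS_UPDATE":
                node.peer_coa = new_coa

    esp_ok = a.peer_coa == b.coa and b.peer_coa == a.coa
    return delivered, esp_ok


if __name__ == "__main__":
    print("IKE SA over home addresses:   ", simultaneous_handoff(True))
    print("IKE SA over care-of addresses:", simultaneous_handoff(False))
```

With the IKE SA bound to the home addresses both updates are delivered and the tunnel's outer addresses are consistent again; with the IKE SA bound to the care-of addresses each side sends its update to an address the peer has just left, both are dropped, and neither side learns the other's new address.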