[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: QoS selectors (was LAST CALL: IKE)

To: Stephen Kent <kent@bbn.com>
Subject: Re: Re: QoS selectors (was LAST CALL: IKE)
From: Charles Lynn <clynn@bbn.com>
Date: Thu, 26 Jun 2003 09:41:08 -0400 (EDT)
Cc: ipsec@lists.tislabs.com
In-Reply-To: <p05210617bb1fd57aecb2@[10.1.71.211]>
Sender: owner-ipsec@lists.tislabs.com

Steve and IKEv2 folks,

> So, what this seems to suggest is that there is a good use for 
> DiffServ bits (or PHIBs, or whatever) as selectors,

Yes, I agree.

> but that if one uses them, one need not tell the receiver. Is that right?

I am not sure.  Consider the receiver.  If the receiver has the same
"policy" as the sender, then it will also want to have multiple SAs.
Since, to its knowledge, none of the existing SAs from the initiator
have DiffServ markings, and it wants to use them, then it will setup
its own SAs back to the original initiator.  Now there are 2 * N SAs
half of which will never be used by each endpoint. We can do better.

Can the responder even setup its own SAs? Do the duplicate detection
rules need to be expanded?

What about detection of unused or half-dead SAs?  Do they need to be
more complicated to achieve the desired results?

Recent text says half open connections should be audited.  The false
positives would lead to reduced confidence in auditing: "ignore it".

Are there other ramifications that we need to consider?

Charlie

References:
- Re: QoS selectors (was LAST CALL: IKE)
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: IKE negotiation for fragmentation controls in IPsec
Next by Date: Re: IKE negotiation for ICMP message type selectors
Prev by thread: Re: QoS selectors (was LAST CALL: IKE)
Next by thread: Re: QoS selectors (was LAST CALL: IKE)
Index(es):
- Date
- Thread