
Re: issue with "per-interface SAD/SPD"



Hi Steve,
I was talking to one of my colleagues about this, and you are right that there may be a need
for interoperability. Today, implementations (I am not sure about others; we do it this way)
identify the VID during IKE phase 1 negotiations by the IP address on which the
packets have arrived (the destination IP of the phase 1 messages). Because of this, the system has to
have as many IP addresses as the number of VIDs supported in the system. Having some
interoperable way of sending the VID as part of phase 1 might solve this problem.

If you think we should wait for the details you plan to send next week, then that
is fine.

Thanks
Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: "Stephen Kent" <kent@bbn.com>
To: "Srinivasa Rao Addepalli" <srao@intotoinc.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Friday, June 27, 2003 12:09 PM
Subject: Re: issue with "per-interface SAD/SPD"


> What we are envisioning for 2401bis is a virtual interface ID, which 
> would allow a local administrator considerable flexibility in 
> deciding the granularity at which SPDs are managed. One could map all 
> traffic to one VID and have just one SPD instance, or one could map 
> different SSIDs to different VIDs to address the WLAN scenario you 
> described. Leaving this sort of thing completely undefined is not 
> attractive to me, because such ambiguity creates possible interop 
> problems. I'd like to think that the VID concept, which we will 
> describe in greater detail in messages next week, is a good, uniform 
> interface capability that can be adapted to a wide range of 
> environments.
> 
> Steve