
Re: revised IPsec processing model



Mark,

I've trimmed the message to keep it readable, since I think we agree 
on the facts, just not what to do as a result :-).

So we agree that there is a way to achieve source-based SPD 
selection, and to provide independent forwarding, but you don't think 
the mechanism is elegant.  If I understand your suggestion, 
though, you would remove all specification of this functionality, and 
I don't think we have a useful spec if we do that.  Did I 
misunderstand what you were suggesting here?


I agree that one could manage to configure SPDs so that nested SAs 
could result.  But it's probably hard for most folks to do this, 
and without explicit support in IKE, if this fails the results will 
be hard to diagnose. Also, because one would have to effect two IKE 
negotiations to create both sets of SAs, there are timing issues that 
could arise that also would result in possibly confusing behavior.

It's easy to have 2401bis not say that nesting of SAs is prohibited. 
It's harder to say that that nesting MUST or MAY be supported, and 
how. What do you think should be said here? My concern, in part, is 
that if we say nothing, then users don't know what to expect re 
functionality, nor do they have any sense of whether two 
implementations by two different vendors will support this sort of 
nesting. That's not a good thing for a standard.

Steve