Re: revised IPsec processing model
Mark,
I've trimmed the message to keep it readable, since I think we agree
on the facts, just not what to do as a result :-).

So we agree that there is a way to achieve source-based SPD
selection, and to provide independent forwarding, but you don't think
the mechanism is elegant. If I understand your suggestion,
though, you would remove all specification of this functionality, and
I don't think we have a useful spec if we do that. Did I
misunderstand what you were suggesting here?

I agree that one could manage to configure SPDs so that nested SAs
could result. But it's probably hard for most folks to do this,
and without explicit support in IKE, if this fails the results will
be hard to diagnose. Also, because one would have to effect two IKE
negotiations to create both sets of SAs, there are timing issues that
could arise that also would result in possibly confusing behavior.

It's easy to have 2401bis not say that nesting of SAs is prohibited.
It's harder to say that nesting MUST or MAY be supported, and
how. What do you think should be said here? My concern, in part, is
that if we say nothing, then users don't know what to expect re
functionality, nor do they have any sense of whether two
implementations by two different vendors will support this sort of
nesting. That's not a good thing for a standard.

Steve