
Re: revised IPsec processing model



Mark,

>Yes the SPD has always been bound to an interface, but that doesn't 
>mean it must always be so, and the model would be more flexible if 
>it were not so required.  However, maybe this is just too big a 
>change to ask.

If we want to consider that change, we should have folks on both sides 
of the debate comment.

>No matter what the standard says, it will be possible for someone to 
>apply the standard twice, or n times, in succession to a packet and 
>the probability approaches 1 that someone will do so.

Agreed, but non-compliant behavior should be something we can 
objectively identify. A standard for which one cannot describe a 
non-compliant implementation is not a useful standard (and, of 
course, the converse is true too!)

>I'd propose that the standard should say that the requirement to 
>support nesting (as it existed in 2401) has been removed.  And I 
>would just stop there.  If folks really feel it is necessary to say 
>more, I would add a statement acknowledging that it is possible to 
>apply the standard iteratively to a given packet and that this will 
>have the effect of "nesting" SAs.

I'm happy to say that we have removed the requirement re nesting, and 
also say that one can offer the feature via appropriate configuration 
of SPDs and forwarding tables within an implementation, but that 
there is no IKE support for this and thus care must be exercised in 
enabling this capability.

Steve
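
As an added illustration of the last paragraph above (this is not part of the thread, and it is not code from any IPsec implementation or RFC): a toy Python model of how "nesting" falls out of applying the standard iteratively, once SPDs are bound to interfaces and the forwarding table routes a freshly tunneled packet out a second interface whose SPD protects it again. The interface names, addresses and SA names are invented; the SAs are assumed to be manually configured, since the thread notes there is no IKE support for negotiating nested SAs. The model also shows the kind of care Steve mentions: nothing in the SPD itself stops a misconfigured tunnel endpoint from re-tunneling a packet forever, so the processing loop carries an explicit nesting limit.

```python
"""Toy model of iterative IPsec outbound processing yielding nested SAs.

Added example, not from the thread or any IPsec implementation.  Each
interface has its own SPD; a PROTECT action wraps the packet in a new outer
header addressed to the tunnel endpoint, the outer packet is routed again,
and the SPD of the new egress interface is consulted as if the packet were
new.  All addresses, interface names and SA names are invented.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SPDEntry:
    """One SPD entry: a destination-prefix selector plus the action to apply."""
    selector: str                   # destination prefix, e.g. "10.1.0.0/16"
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    sa_name: Optional[str] = None   # manually configured tunnel-mode SA (assumed)
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    sas_applied: list = field(default_factory=list)  # innermost SA first


def longest_match(fib, dst):
    """Forwarding lookup: interface for the longest prefix covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def first_match(spd, dst):
    """SPD lookup: the SPD is ordered, so the first matching entry wins."""
    addr = ipaddress.ip_address(dst)
    for entry in spd:
        if addr in ipaddress.ip_network(entry.selector):
            return entry
    return None


def process_outbound(pkt, fib, spds, max_nesting=4):
    """Apply the per-interface SPD repeatedly until the packet leaves unprotected.

    Returns (packet, egress_interface); (None, iface) means discarded.  The
    max_nesting guard is the only thing that stops a misconfiguration from
    re-tunneling a packet indefinitely.
    """
    for _ in range(max_nesting + 1):
        iface = longest_match(fib, pkt.dst)
        if iface is None:
            return None, None                      # no route: drop
        entry = first_match(spds.get(iface, []), pkt.dst)
        if entry is None or entry.action == "DISCARD":
            return None, iface                     # model default: no match discards
        if entry.action == "BYPASS":
            return pkt, iface
        # PROTECT: tunnel-mode encapsulation yields a new outer header, and the
        # outer packet goes back through forwarding and the next SPD.
        pkt = Packet(entry.tunnel_src, entry.tunnel_dst,
                     pkt.sas_applied + [entry.sa_name])
    raise RuntimeError("nesting limit exceeded: SPD/forwarding configuration loops")


# Constructed configuration: eth0 tunnels private traffic to GW1; eth1 carries
# the path to GW1 and tunnels it again to GW2; eth2 is the plain uplink.
FIB = [("10.1.0.0/16", "eth0"), ("203.0.113.0/24", "eth1"), ("0.0.0.0/0", "eth2")]
SPDS = {
    "eth0": [SPDEntry("10.1.0.0/16", "PROTECT", "SA-to-gw1", "192.0.2.10", "203.0.113.1")],
    "eth1": [SPDEntry("203.0.113.0/24", "PROTECT", "SA-to-gw2", "192.0.2.10", "198.51.100.1")],
    "eth2": [SPDEntry("0.0.0.0/0", "BYPASS")],
}


def demo_nested():
    """A host packet to 10.1.2.3 leaves eth2 wrapped in two tunnel-mode SAs."""
    return process_outbound(Packet("192.0.2.10", "10.1.2.3"), FIB, SPDS)


def demo_loop():
    """Misconfigured eth1 SPD whose tunnel endpoint lies inside its own selector."""
    bad = dict(SPDS)
    bad["eth1"] = [SPDEntry("203.0.113.0/24", "PROTECT", "SA-loop", "192.0.2.10", "203.0.113.1")]
    try:
        process_outbound(Packet("192.0.2.10", "10.1.2.3"), FIB, bad)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    out, iface = demo_nested()
    print(iface, out.dst, out.sas_applied)   # eth2 198.51.100.1 ['SA-to-gw1', 'SA-to-gw2']
    print("loop detected:", demo_loop())
```

The order of `sas_applied` is the nesting order: the first SA applied is the innermost, and each PROTECT on a later interface wraps the result of the previous one, which is exactly the iterative application Mark describes.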