Re: revised IPsec processing model
Stephen Kent wrote:
> Joe,
>
> I believe the bottom line here is that you view situations where dynamic
> routing will affect the choice of an SPD as common, whereas many of us
> view them as relatively rare. We each have our own models of common vs.
> rare operation and there is probably no point in debating further which
> is more common in what context and/or at what time (now vs. future).
Steve,
An IP security architecture ought to support IP, which includes dynamic
routing. Dynamic routing necessarily involves overlapping traffic
selectors; it is a disservice to assert this is a mere 'difference of
opinions'.
> As I revise the processing model to take into account the comments I
> have received, I will try to reword it to be as clear as possible about
> the security implications associated with different assumptions about
> routing tables and the extent to which they may change without secure
> intermediation, as the security implications of such changes.
That is a good first step, but I remain concerned about whether this
realization/clarification warrants other, more significant changes.
Joe