RE: The remaining IKEv2 issues - #64
At 9:56 AM -0400 8/20/03, Black_David@emc.com wrote:
>Charlie,
>
>As part of this (unless I missed it), please add sentences
>to make the following points:
>
>- IKEv2 deliberately allows parallel SAs with the same traffic
> selectors between common endpoints. One of the purposes of
> this is to support traffic QoS differences among the SAs;
> see Section 4.1 of RFC 2983 (informative reference).
>- Hence unlike IKEv1, given two endpoints, traffic selectors need
> not uniquely identify an SA between those endpoints.
>- Therefore the IKEv1 rekeying heuristic (use of same traffic
> selectors as an existing SA indicates rekeying, so existing
> SA should be deleted shortly after new one is up) SHOULD NOT
> be used, as it will result in unintended SA deletion.
>
>This may help avoid some surprises arising from implementation code
>reuse.
I fully agree that these sentences (or something like them) need to
be added to avoid interop problems that will be similar to the
"dangling SA" disagreements we see in IKEv1.
--Paul Hoffman, Director
--VPN Consortium
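
The failure mode discussed in this thread, as an added example that is not part of either message or of any IKE implementation: a toy SA database in which the IKEv1 selector-matching heuristic deletes a parallel QoS SA, next to an install path that replaces an SA only when the request names it. The class and function names, SPIs, addresses and the `rekey_of` parameter are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ChildSA:
    spi: int
    peer: str
    selectors: tuple      # (local subnet, remote subnet, protocol)
    dscp: str             # QoS class carried by this SA

class SAD:
    """Toy SA database keyed by SPI (added illustration, hypothetical names)."""
    def __init__(self):
        self.sas = {}

    def install_ikev1_heuristic(self, new: ChildSA):
        # IKEv1-style reuse: same peer + same selectors is taken to mean
        # "rekey", so the older SA is deleted once the new one is up.
        stale = [s.spi for s in self.sas.values()
                 if s.peer == new.peer and s.selectors == new.selectors]
        for spi in stale:
            del self.sas[spi]
        self.sas[new.spi] = new
        return stale

    def install_explicit(self, new: ChildSA, rekey_of: Optional[int] = None):
        # Replace an SA only when the request names the SPI it rekeys.
        removed = []
        if rekey_of is not None:
            old = self.sas.get(rekey_of)
            if old is None or old.peer != new.peer:
                raise ValueError("rekey names an unknown SA for this peer")
            del self.sas[rekey_of]
            removed.append(rekey_of)
        self.sas[new.spi] = new
        return removed

def demo():
    ts = ("10.0.1.0/24", "10.0.2.0/24", "any")   # constructed selectors
    ef = ChildSA(0x1001, "192.0.2.1", ts, "EF")
    be = ChildSA(0x1002, "192.0.2.1", ts, "BE")  # parallel SA, other QoS
    v1, v2 = SAD(), SAD()
    v1.install_ikev1_heuristic(ef)
    lost = v1.install_ikev1_heuristic(be)        # wrongly deletes the EF SA
    v2.install_explicit(ef)
    v2.install_explicit(be)                      # both parallel SAs survive
    ef2 = ChildSA(0x1003, "192.0.2.1", ts, "EF")
    replaced = v2.install_explicit(ef2, rekey_of=0x1001)
    return lost, sorted(v2.sas), replaced
```
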