
RE: The remaining IKEv2 issues - #64
At 9:56 AM -0400 8/20/03, Black_David@emc.com wrote:
>Charlie,
>
>As part of this (unless I missed it), please add sentences
>to make the following points:
>
>- IKEv2 deliberately allows parallel SAs with the same traffic
>	selectors between common endpoints.  One of the purposes of
>	this is to support traffic QoS differences among the SAs;
>	see Section 4.1 of RFC 2983 (informative reference).
>- Hence unlike IKEv1, given two endpoints, traffic selectors need
>	not uniquely identify an SA between those endpoints.
>- Therefore the IKEv1 rekeying heuristic (use of same traffic
>	selectors as an existing SA indicates rekeying, so existing
>	SA should be deleted shortly after new one is up) SHOULD NOT
>	be used, as it will result in unintended SA deletion.
>
>This may help avoid some surprises arising from implementation code
>reuse.

I fully agree that these sentences (or something like them) need to 
be added to avoid interop problems that will be similar to the 
"dangling SA" disagreements we see in IKEv1.

--Paul Hoffman, Director
--VPN Consortium
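The failure mode David describes (an implementation that treats "same traffic selectors" as "this is a rekey" and deletes the older SA, thereby killing a deliberately parallel QoS SA) can be made concrete with a small model of a child-SA database. The following is an added illustration, not code from the IKEv2 draft or from either author; the SA database, the DSCP labels, the SPI values and the two scenarios are all constructed here. The "explicit reference to the SPI being replaced" branch stands in for the way IKEv2 identifies the SA being rekeyed (a REKEY_SA notification carrying that SPI), which the message itself does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed toy model of an IPsec child-SA database (added example).
@dataclass(frozen=True)
class TrafficSelector:
    src: str    # e.g. "10.0.0.0/24"
    dst: str    # e.g. "10.1.0.0/24"
    proto: int  # 0 = any protocol


@dataclass
class ChildSA:
    spi: int
    ts: TrafficSelector
    dscp: Optional[str] = None  # QoS class this SA carries (hypothetical label)


class SADatabase:
    def __init__(self) -> None:
        self.sas: Dict[int, ChildSA] = {}

    def install(self, sa: ChildSA, rekeyed_spi: Optional[int] = None,
                ikev1_heuristic: bool = False) -> List[int]:
        """Install a new child SA and return the SPIs that were deleted.

        ikev1_heuristic=True: the IKEv1-style rule from the thread -- any
        existing SA with the same traffic selectors is assumed to be the one
        being rekeyed and is removed.  This is the behaviour the thread says
        SHOULD NOT be used with IKEv2.

        rekeyed_spi: explicit reference to the single SA being replaced
        (assumed to be what a REKEY_SA notification would carry).  Only that
        SA is removed; parallel SAs with identical selectors survive.
        """
        deleted: List[int] = []
        if ikev1_heuristic:
            for spi, old in list(self.sas.items()):
                if old.ts == sa.ts:
                    deleted.append(spi)
                    del self.sas[spi]
        elif rekeyed_spi is not None and rekeyed_spi in self.sas:
            deleted.append(rekeyed_spi)
            del self.sas[rekeyed_spi]
        self.sas[sa.spi] = sa
        return deleted

    def qos_classes(self) -> List[Optional[str]]:
        """Which QoS classes still have an SA carrying them."""
        return sorted(sa.dscp for sa in self.sas.values())


def scenario(ikev1_heuristic: bool) -> List[int]:
    """Two parallel SAs with identical selectors (voice + best effort), then a
    rekey of the best-effort one.  Returns the SPIs left in the database."""
    ts = TrafficSelector("10.0.0.0/24", "10.1.0.0/24", 0)
    db = SADatabase()
    # First SA: voice traffic, marked EF (constructed values).
    db.install(ChildSA(0x1001, ts, dscp="EF"), ikev1_heuristic=ikev1_heuristic)
    # Second SA: same selectors, deliberately parallel, best-effort class.
    db.install(ChildSA(0x1002, ts, dscp="BE"), ikev1_heuristic=ikev1_heuristic)
    # Rekey the best-effort SA; the peer names the SPI being replaced.
    db.install(ChildSA(0x1003, ts, dscp="BE"), rekeyed_spi=0x1002,
               ikev1_heuristic=ikev1_heuristic)
    return sorted(db.sas)


if __name__ == "__main__":
    print("IKEv1 heuristic:", [hex(s) for s in scenario(True)])
    print("explicit rekey :", [hex(s) for s in scenario(False)])
```

With the IKEv1 heuristic, installing the parallel best-effort SA silently deletes the voice SA, and the later rekey deletes the SA it was meant to run alongside; only one SPI is left. With an explicit reference to the SPI being replaced, both the voice SA and the rekeyed best-effort SA remain, which is the outcome the thread is asking the draft to guarantee by text. An implementer auditing code reused from an IKEv1 stack can look for exactly this pattern: any deletion keyed on traffic-selector equality rather than on the SPI the peer named.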