
Re: IPsec issue #46 -- No need for nested SAs or SA bundles





>>>>> "Angelos" == Angelos D Keromytis <angelos@cs.columbia.edu> writes:
    Angelos> Just to start some discussion on this issue: wouldn't this break
    Angelos> (or make it very difficult) for IPSP to deal with intermediate
    Angelos> gateways etc. ? The advantage of the current model with respect

  It isn't clear to me if it does or doesn't.

  Just because IKEv2 can't negotiate bundles doesn't mean that I can't
negotiate multiple things to do to a 5-tuple with different
endpoints. FreeS/WAN is currently dealing with the question of how much
information we can derive from the policy about the ordering of this
nesting, vs. how much we need to be told about.

  It also isn't clear to me why it is any business of 2401bis to say anything
about this. Permitting looping in SA processing is not a good idea - the
policy daemon should do the looping and tell the kernel what to do. But
again, WHY IS THIS THE DOMAIN OF THE IETF? 

  As expressed, it appears that 2401bis is addressing the "kernel" issues,
not the architecture. It is turning the problem into a design issue,
rather than a functional requirements issue.

  There is a functional requirement for the *SYSTEM* to deal with multiple
operations on a 5-tuple. It is not the place for the IETF to tell me where
to put that functionality.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [


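As an added illustration of the "policy daemon does the looping" model argued for above (this is example code written for this page, not FreeS/WAN code and not anything from 2401bis or IKEv2): a userspace resolver re-runs the SPD lookup on the 5-tuple the packet will have after each SA is applied, and hands the kernel a finished, ordered list of SAs for the original 5-tuple. The SPD format, the first-match rule, the SA names and the addresses are assumptions made for the example; the point it demonstrates is that the nesting order falls out of the policy itself, and that a policy which would make the kernel loop (a catch-all tunnel entry that also matches its own ESP output) is caught in userspace before anything is installed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ESP = 50  # IP protocol number of ESP, the protocol of an encapsulated packet


@dataclass(frozen=True)
class Selector:
    """The 5-tuple the policy lookup runs on."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    """One (hypothetical) policy entry: selector constraints plus the SA to apply."""
    name: str
    src_net: str
    dst_net: str
    proto: Optional[int]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    mode: str              # "tunnel" or "transport"
    local_end: str         # SA endpoints; in tunnel mode they become the outer header
    remote_end: str

    def matches(self, sel: Selector) -> bool:
        if ip_address(sel.src) not in ip_network(self.src_net):
            return False
        if ip_address(sel.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != sel.proto:
            return False
        if self.dport is not None and self.dport != sel.dport:
            return False
        return True

    def apply(self, sel: Selector) -> Selector:
        """The 5-tuple the packet presents to the next lookup after this SA."""
        if self.mode == "tunnel":
            # new outer IP header between the SA endpoints, payload is ESP
            return Selector(self.local_end, self.remote_end, ESP, 0, 0)
        # transport mode keeps the addresses; the ports are now inside ESP
        return Selector(sel.src, sel.dst, ESP, 0, 0)


class PolicyLoop(Exception):
    """Raised when the policy would send the same packet round the SPD forever."""


def resolve_bundle(spd: List[SPDEntry], sel: Selector, max_depth: int = 8) -> List[str]:
    """Userspace resolution of nested SAs for one 5-tuple.

    First matching SPD entry wins; after applying it, look up the resulting
    outer 5-tuple again, until no entry matches. Returns SA names innermost
    first, which is the order the kernel must apply them on output.
    """
    order: List[str] = []
    seen = set()
    cur = sel
    while True:
        entry = next((e for e in spd if e.matches(cur)), None)
        if entry is None:
            return order
        state = (entry.name, cur)
        if state in seen or len(order) >= max_depth:
            raise PolicyLoop(f"policy loops at {entry.name} for {cur}")
        seen.add(state)
        order.append(entry.name)
        cur = entry.apply(cur)


def example_spd() -> List[SPDEntry]:
    """Constructed policy: end-to-end transport ESP for SSH, inside a site-to-site tunnel."""
    return [
        SPDEntry("host-esp", "10.1.0.0/16", "10.2.0.0/16", 6, 22,
                 "transport", "10.1.1.5", "10.2.2.9"),
        SPDEntry("site-tunnel", "10.1.0.0/16", "10.2.0.0/16", None, None,
                 "tunnel", "192.0.2.1", "198.51.100.1"),
    ]


def looping_spd() -> List[SPDEntry]:
    """Constructed bad policy: the tunnel's own ESP output matches the entry again."""
    return [
        SPDEntry("catch-all", "0.0.0.0/0", "0.0.0.0/0", None, None,
                 "tunnel", "192.0.2.1", "198.51.100.1"),
    ]


if __name__ == "__main__":
    ssh = Selector("10.1.1.5", "10.2.2.9", 6, 40000, 22)
    print("ssh  :", resolve_bundle(example_spd(), ssh))
    dns = Selector("10.1.1.5", "10.2.2.9", 17, 5353, 53)
    print("dns  :", resolve_bundle(example_spd(), dns))
    try:
        resolve_bundle(looping_spd(), ssh)
    except PolicyLoop as e:
        print("loop :", e)
```

The SSH 5-tuple resolves to `["host-esp", "site-tunnel"]` and the DNS one to `["site-tunnel"]` alone, so the two different "bundles" are nothing but two different walks through the same policy; the catch-all entry is rejected with `PolicyLoop` because its second application produces the same outer 5-tuple it already produced, which is exactly the looping a kernel should never be asked to do.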