
Re: IPsec issue #46 -- No need for nested SAs or SA bundles




Now you know why I went into CS and not English lit :-)

Let me decode the sentence: under the current IPsec architecture, it is possible
for a host to build a sequence of nested IPsec tunnels iteratively, i.e., simply
by setting up the appropriate SPD entries, and then letting IKE set up the SAs.
My initial impression is that this is not possible under the new model?
Cheers,
-Angelos

In message <p05210607bb7a7ac772ff@[128.89.89.75]>, Stephen Kent writes:
>At 19:39 -0400 8/29/03, Angelos D. Keromytis wrote:
>>Just to start some discussion on this issue: wouldn't this break (or make it
>>very difficult) for IPSP to deal with intermediate gateways etc.? The advantage
>>of the current model with respect to nested IPsec processing is that it allows
>>an implementation to inject a new SPD entry (and associated SAs), and not having
>>to link that SA to a bundle but instead deal with the SPD.
>>-Angelos
>>
>
>Angelos,
>
>I find it difficult to parse your comment. In fact, I think the last 
>string of words is not a sentence :-)
>
>Steve