Re: Fwd: IPsec issue #46 -- No need for nested SAs or SA bundles



>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:
    >> "The requirement to support nesting of SAs and the concept of
    >> SA bundles has been removed. An SPD entry specifies application
    >> or removal of only one IPsec header. An implementation MAY
    >> choose to offer SA nesting via appropriate configuration of
    >> SPDs and forwarding tables. After the packet has passed through
    >> IPsec processing, it can be redirected through the IPsec module
    >> again via local, ipsec-virtual-interfaces and use of the [still
    >> under discussion] forwarding lookup function, to cause more

  This is way too specific.
  "It can be looped" would be a sufficient comment.

    >> than one layer of IPsec headers to be applied or removed. Note

  removed is seldom a problem really, except that if you don't do it
all within the IPsec module, you may not be able to determine that an
ESP packet did in fact come within another ESP packet.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [