RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Thanks for the comments, please see inline.
> -----Original Message-----
> From: Nicolas Williams [mailto:Nicolas.Williams@sun.com]
> Sent: Thursday, February 19, 2004 11:05 AM
> To: Bora Akyol
> Cc: 'Stephen Kent'; 'Tero Kivinen'; Barbara Fraser; 'Charles
> Lynn'; ipsec@lists.tislabs.com
> Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
>
>
> On Thu, Feb 19, 2004 at 10:41:38AM -0800, Bora Akyol wrote:
> > Steve
> >
> > How often do we see multiple IPSEC SAs between the same two peers
> > protecting different ports (or in general different selector sets)?
>
> Consider cases where one peer is a multi-user system and
> different connections are protected by [likely
> transport-mode] SAs with different IDs for different users.
> I would not want such scenarios to be precluded.
>
And they don't need to be, I just think that creating a separate SA
for the fragments is unnecessary. How to handle fragments is
a topic better left to the implementer.
Current IKE semantics allow this granularity BTW.
OTOH, I think implementing the functionality you specify above in
a multi-user kernel would be quite the challenge :-) Sounds like an
excellent project indeed.
Bora