[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Decorrelated SPD and IKEv2 traffic selectors

To: "Michael Roe" <mroe@microsoft.com>
Subject: Re: Decorrelated SPD and IKEv2 traffic selectors
From: Stephen Kent <kent@bbn.com>
Date: Wed, 3 Mar 2004 16:19:44 -0500
Cc: <ipsec@lists.tislabs.com>
In-reply-to: <579E83556A36E44EB2945CCE990B31740111E096@EUR-MSG-02.europe.corp.microsoft.com>
References: <579E83556A36E44EB2945CCE990B31740111E096@EUR-MSG-02.europe.corp.microsoft.com>
Sender: owner-ipsec@lists.tislabs.com

Mike,

I think the latest version says that when you decorrelate, you keep 
the decorrelated entries linked together, so that when you match any 
individual entry, you grab all of the other entries that were created 
due to decorrelation.  we need to do this so that the externally 
visible operation is identical to what would happen w/o 
decorrelation, at least so far as the number of SAs that are created 
and what traffic flows over each SA. We said this in terms of 
creating SPD-cache and SAD entries, but the same thing shoud be done 
for IKE interactions. Perhaps it would be better, for IKE, to keep 
the original SPD entry as well, and pass that back to IKE for use in 
negotiation.

steve

Follow-Ups:
- Re: Decorrelated SPD and IKEv2 traffic selectors
  - From: Derrell Piper <ddp@electric-loft.org>

References:
- Decorrelated SPD and IKEv2 traffic selectors
  - From: "Michael Roe" <mroe@microsoft.com>

Prev by Date: Re: IPsec -- new versions of AH and ESP
Next by Date: Re: Decorrelated SPD and IKEv2 traffic selectors
Previous by thread: Decorrelated SPD and IKEv2 traffic selectors
Next by thread: Re: Decorrelated SPD and IKEv2 traffic selectors
Index(es):
- Date
- Thread