
Re: [Ipsec] IPsec AH and ESP -- changes



Paul Koning wrote:

>>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:
>
> Karen> Brian, Markku, George, Thank you for the comments.  Is the
> Karen> following a correct summary?
>
It looks right to me.

> Karen> 1. It's OK for Searches (1) and (2) to NOT use protocol (AH or
> Karen> ESP). With unicast SAs, the receiver chooses the SPI and can
> Karen> have separate SPI spaces for AH and ESP if it wishes; but for
> Karen> multicast/etc SAs, a central Group Controller/Key server is
> Karen> assigning the SPIs and will ensure that there is no overlap
> Karen> between AH SPIs and ESP SPIs.
>
> Karen> 2. Searches (1) and (2) will be changed from "destination
> Karen> multicast address" to "destination address".
>
> Karen> 3. Search (3) will be changed to "Search the SAD for a match
> Karen> on only {SPI}, or optionally {SPI, protocol}".
>
>Perhaps more accurate would be "on only {SPI} if the receiver has
>chosen the SPI to maintain separate SPI spaces for AH and ESP, and on
>{SPI, protocol} otherwise".  That makes the dependency with the
>implementation choice described under item 1 explicit.
>
That should really be "on only {SPI} if the receiver has chosen to 
maintain a single SPI space for AH and ESP, and on {SPI, protocol} 
otherwise".

Thanks,
Brian

>       paul
>
>
>_______________________________________________
>Ipsec mailing list
>Ipsec@ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec


-- 
Brian Weis
Advanced Security Development, ITD, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
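
Added example, not part of the original message or of any IPsec implementation: a minimal SAD in C showing how the receiver's SPI allocation choice from item 1 decides the key for Search (3). The names `sad_search3`, `sad_add` and `spi_policy` are hypothetical, and the table entries are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>

enum { PROTO_ESP = 50, PROTO_AH = 51 };        /* IP protocol numbers */
enum spi_policy { SINGLE_SPI_SPACE, SEPARATE_SPI_SPACES };

struct sa { uint32_t spi; uint8_t proto; };

struct sad {
    enum spi_policy policy;    /* receiver's SPI allocation choice */
    size_t n;
    struct sa entry[8];
};

/* Search (3): the key is {SPI} for a single SPI space and
 * {SPI, protocol} when AH and ESP SPIs come from separate spaces. */
const struct sa *sad_search3(const struct sad *d, enum spi_policy key,
                             uint32_t spi, uint8_t proto)
{
    for (size_t i = 0; i < d->n; i++) {
        if (d->entry[i].spi != spi)
            continue;
        if (key == SINGLE_SPI_SPACE || d->entry[i].proto == proto)
            return &d->entry[i];
    }
    return NULL;
}

/* Install an inbound SA. Refuse an SPI that would make the search key
 * implied by the table's policy ambiguous. Returns 0 on success. */
int sad_add(struct sad *d, uint32_t spi, uint8_t proto)
{
    if (d->n == sizeof d->entry / sizeof d->entry[0])
        return -1;
    if (sad_search3(d, d->policy, spi, proto) != NULL)
        return -1;
    d->entry[d->n++] = (struct sa){ spi, proto };
    return 0;
}

int main(void)
{
    /* Constructed sample: separate spaces, same SPI under ESP and AH. */
    struct sad d = { .policy = SEPARATE_SPI_SPACES };
    sad_add(&d, 0x1000, PROTO_ESP);
    sad_add(&d, 0x1000, PROTO_AH);
    const struct sa *hit = sad_search3(&d, d.policy, 0x1000, PROTO_AH);
    return (hit && hit->proto == PROTO_AH) ? 0 : 1;
}
```

Searching a separate-spaces table on {SPI} alone returns whichever entry with that SPI comes first, which can be the SA of the other protocol.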

