
RE: [Ipsec] Number of Proposals in IKE_SA_INIT exchange for IKE_SA and first CHILD_SA ??



Strange that nobody wanted this.  I guess the model is that both IKE SAs and
child SAs are created on demand.  While this is just fine for peer to peer
VPNs, remote access clients usually have a connect button.  When the user
clicks it, it makes sense to create the IKE SA, but what selectors are you
going to put for the child SA?

I suppose it's not really important.   You can use universal selectors or
peer-to-peer selectors. 

-----Original Message-----
From: Tero Kivinen [mailto:kivinen@iki.fi] 
Sent: Monday, August 23, 2004 3:40 PM
To: Yoav Nir
Cc: ipsec@ietf.org; 'wadood'
Subject: RE: [Ipsec] Number of Proposals in IKE_SA_INIT exchange for IKE_SA
andfirst CHILD_SA ??

Yoav Nir writes:
> Whoops.  For some reason I thought it was possible to make an initial
> exchange without creating child SAs.  Was it removed in some recent
> version of the draft?

Lots of people seem to think that there would be an option for that, but
there has not been such an option, at least draft version 05 didn't have
such an option....

It has not been ever explicitly said, but the payloads in the pictures
are not optional, and the pictures are not just examples in the draft.
-- 
kivinen@safenet-inc.com


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec