
List:       ipsec
Subject:    Re: [Ipsec] Query regarding draft-ietf-ipsec-isakmp-mode-cfg-05.txt
From:       Vineet <vineetk () intoto ! com>
Date:       2007-09-03 4:30:06
Message-ID: 200709030416.l834GMXw017611 () brahma ! hyd ! intoto ! com

As per the standards, only negotiated selectors should be present in 
the SAs created as part of that negotiation.
One can have implementations (as mentioned in the original mail) that 
negotiate one selector and locally add some more selectors at the 
time of SA creation or later.
But such implementations will certainly have interoperability issues. 
The other side's implementation would verify the plain packet (post-IPsec 
processing) selectors against the SA selectors, and this verification 
can fail, since the other side's SAs wouldn't be updated with the 
non-negotiated selectors as is done by the above-said implementations.

Since IKEv1 doesn't support negotiation of multiple selectors, the 
client can negotiate separate SAs for different addresses.
But the requirement can be met using IKEv2, i.e., one SA can be 
negotiated for multiple addresses.

-Vineet Agarwal


At 09:30 PM 9/1/2007, ipsec-request@ietf.org wrote:
>Message: 1
>Date: Fri, 31 Aug 2007 21:36:40 +0300
>From: Yoav Nir <ynir@checkpoint.com>
>Subject: Re: [Ipsec] Query regarding
>         draft-ietf-ipsec-isakmp-mode-cfg-05.txt
>To: karthikheya <karthikheya@huawei.com>
>Cc: ipsec@ietf.org
>Message-ID: <7E6290AC-BB33-4375-A118-4AE73EB01237@checkpoint.com>
>Content-Type: text/plain; charset="us-ascii"
>
>CFG exchanges, much like CFG payloads in IKEv2, do not implicitly
>update any existing SAs.
>
>To actually use an assigned address, you need to negotiate
>appropriate phase 2 SAs for them. If your existing SAs are not
>suitable, you need to negotiate new ones.
>
>
>On Aug 31, 2007, at 3:57 PM, karthikheya wrote:
>
> >
> > Hi all
> >
> > I have a query regarding the CFG mode exchange in the draft
> > draft-ietf-ipsec-isakmp-mode-cfg-05.
> >
> > In the case of a multiple-address request from the server, during phase 2
> > negotiation, does the client need to initiate an individual phase 2 SA
> > exchange for each of the addresses obtained from the server, or can it
> > trigger only one phase 2 SA and update this SA with the traffic
> > information for the other addresses obtained from the server?
> >
> >
> > Thanks & Regards
> >
> > Karthik varma
> >
> >
> >


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
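The interoperability failure Vineet describes, shown as an added example (this is not code from the thread, nor from any of the posters' products): a toy model of the post-decapsulation selector check a peer performs on inbound traffic, run against an IKEv1 SA whose client side was widened locally, a second IKEv1 SA negotiated for the extra address, and an IKEv2 Child SA negotiated with both addresses as traffic selectors. The address pool (10.1.1.1, 10.1.1.2), the protected network (192.168.0.0/24) and the packets are constructed for the illustration; the selector and SA types are simplified stand-ins, not a real IKE implementation.

```python
"""Toy model of the inbound selector check that makes locally-added,
non-negotiated selectors fail between IPsec peers.

Added example, not code from the mailing-list thread. Addresses,
networks and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

ANY_PROTO = 0  # IKEv2 TS protocol 0 = any protocol


@dataclass(frozen=True)
class TrafficSelector:
    """Simplified IKEv2-style TS_IPV4_ADDR_RANGE: address range, protocol, port range."""
    start: IPv4Address
    end: IPv4Address
    proto: int = ANY_PROTO
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_network(cls, net: str, proto: int = ANY_PROTO) -> "TrafficSelector":
        n = IPv4Network(net)
        return cls(n[0], n[-1], proto)

    def matches(self, addr: IPv4Address, proto: int, port: int) -> bool:
        return (self.start <= addr <= self.end
                and self.proto in (ANY_PROTO, proto)
                and self.start_port <= port <= self.end_port)


@dataclass
class ChildSA:
    """Selectors an SA was negotiated with, as seen by one peer.
    local_ts: addresses this peer owns; remote_ts: addresses the other peer may use."""
    name: str
    local_ts: List[TrafficSelector]
    remote_ts: List[TrafficSelector]


@dataclass(frozen=True)
class InnerPacket:
    """The plaintext packet recovered after ESP decapsulation."""
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: int
    dport: int


def inbound_selector_check(sa: ChildSA, pkt: InnerPacket) -> bool:
    """RFC 4301 inbound processing: the decapsulated packet must match the
    SA's negotiated selectors, otherwise the receiver discards it."""
    src_ok = any(ts.matches(pkt.src, pkt.proto, pkt.sport) for ts in sa.remote_ts)
    dst_ok = any(ts.matches(pkt.dst, pkt.proto, pkt.dport) for ts in sa.local_ts)
    return src_ok and dst_ok


def ikev1_quick_mode(client_addr: str, server_net: str) -> Tuple[ChildSA, ChildSA]:
    """IKEv1 Quick Mode carries one proxy ID per side, so each SA pair
    is bound to exactly one client selector and one server selector."""
    cts = TrafficSelector.from_network(f"{client_addr}/32")
    sts = TrafficSelector.from_network(server_net)
    return (ChildSA("client", local_ts=[cts], remote_ts=[sts]),
            ChildSA("server", local_ts=[sts], remote_ts=[cts]))


def ikev2_create_child(client_addrs: List[str], server_net: str) -> Tuple[ChildSA, ChildSA]:
    """IKEv2 TSi/TSr payloads may carry several selectors, so one Child SA
    can be negotiated for every assigned address at once."""
    ctss = [TrafficSelector.from_network(f"{a}/32") for a in client_addrs]
    sts = TrafficSelector.from_network(server_net)
    return (ChildSA("client", local_ts=ctss, remote_ts=[sts]),
            ChildSA("server", local_ts=[sts], remote_ts=ctss))


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenario: CFG mode assigned the client 10.1.1.1 and 10.1.1.2;
    the gateway protects 192.168.0.0/24. True = accepted by the gateway."""
    assigned = ["10.1.1.1", "10.1.1.2"]
    protected = "192.168.0.0/24"

    def to_server(src: str) -> InnerPacket:
        return InnerPacket(IPv4Address(src), IPv4Address("192.168.0.10"), 6, 40000, 443)

    results: Dict[str, bool] = {}
    # IKEv1: only the first assigned address was negotiated.
    client_sa, server_sa = ikev1_quick_mode(assigned[0], protected)
    results["ikev1_negotiated_addr"] = inbound_selector_check(server_sa, to_server(assigned[0]))
    # Client widens its own SA locally without a new Quick Mode: its outbound
    # check passes, but the gateway's SA still knows only the first address.
    client_sa.local_ts.append(TrafficSelector.from_network(f"{assigned[1]}/32"))
    results["ikev1_client_outbound_ok"] = any(
        ts.matches(IPv4Address(assigned[1]), 6, 40000) for ts in client_sa.local_ts)
    results["ikev1_local_added_addr"] = inbound_selector_check(server_sa, to_server(assigned[1]))
    # Interoperable IKEv1 answer: a second Quick Mode for the second address.
    _, server_sa2 = ikev1_quick_mode(assigned[1], protected)
    results["ikev1_second_sa"] = inbound_selector_check(server_sa2, to_server(assigned[1]))
    # IKEv2: a single Child SA negotiated with both addresses in TSi.
    _, server_sa_v2 = ikev2_create_child(assigned, protected)
    results["ikev2_single_sa"] = all(
        inbound_selector_check(server_sa_v2, to_server(a)) for a in assigned)
    results["ikev2_unassigned_addr"] = inbound_selector_check(server_sa_v2, to_server("10.1.1.3"))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} {'accepted' if accepted else 'dropped'}")
```

The point of the model is the asymmetry: the client's own outbound check is satisfied by the locally added selector, so from its side everything looks fine, while the gateway silently discards the traffic because its copy of the SA was never updated. The gateway also rejects 10.1.1.3 under the IKEv2 SA, which is the desired behaviour: the check enforces exactly what was negotiated, nothing more.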