[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SAs that carry fragments Was: Re: Some IKEv2 issues

To: "Bora Akyol" <bora@xxxxxxxxx>
Subject: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
From: Stephen Kent <kent@xxxxxxx>
Date: Thu, 19 Feb 2004 14:39:33 -0500
Cc: "'Tero Kivinen'" <kivinen@xxxxxx>, "Barbara Fraser" <byfraser@xxxxxxxxx>, "'Charles Lynn'" <clynn@xxxxxxx>, <ipsec@xxxxxxxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

At 10:41 -0800 2/19/04, Bora Akyol wrote:

Steve

How often do we see multiple IPSEC Sas between the same two peers
protecting different ports (or in general different selector sets)?

I don't know, but I do know that we have mandated the ability to support this for over 5 years.

There are better and straightforward ways of getting around the
issue of fragmented packets in the implementation
without requiring a separate SA for fragments.

what are they and why are they better?

As a side-note, configuring even the most basic traffic selectors in
some host OS that are widely-deployed is a big chore (really
hit-and-miss).
The most deployed IPSEC scenarios supporting road warriors don't even
use a traffic
selector at the head-end.

I am aware of at least one very poor, definitely non-conforming, management UI for a widely deployed IPsec implementation. But I don't think that a vendor's failures in this area ought to dictate our standards going forward.

Steve

Follow-Ups:
- RE: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Bora Akyol

References:
- RE: SAs that carry fragments Was: Re: Some IKEv2 issues
  - From: Bora Akyol

Prev by Date: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by Date: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Previous by thread: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by thread: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Index(es):
- Date
- Thread