
Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection



At 0:02 +0200 2/21/04, Tero Kivinen wrote:
Stephen Kent writes:
 >This kind of setup can be used for normal web-traffic etc, where you
 >actually do not normally need to create IPsec SAs, but if you happen
 >to have SA up, you can use it (it does not cause any harm either).

 it makes behavior non-deterministic, which is generally a bad thing
 from a security perspective.

In those cases the encryption is not for the real security, but simply encryption just because it is fun, and it will cause more traffic in the net to be encrypted, making large scale traffic analysis harder.

this is a commonly cited notion, but there are analysis techniques that show that the notion is not valid in most cases :-)


> >Might be true, but there are implementations which support this kind of
>operations.

Then they are non-compliant.

Does the RFC2401 really say, that you cannot expand the SPD at all, and all implementations MUST only support what is defined there? I thought that it specified mostly the minimum requirements not exact requirements what can and cannot be implemented (i.e. I would not call those extended versions non-compliant, I would call them IPsec + extensions versions :-).

we agree that 2401 specifies a minimum access control capability, but we may disagree about whether a non-deterministic SPD function represents an enhancement or a regression :-)


Steve