
Re: "connection latching" -- comments on rfc2401bis (draft-ietf-ipsec-rfc2401bis-04.txt)

2004-12-15 11:22:20

Nicolas Williams wrote:
| "Connection latching" is a simple concept: connections, for connection-
| oriented protocols, such as TCP or SCTP, that are run over IPsec should
| be 'bound' to the same quality of protection parameters and initiator
| and responder IDs for their duration.
|
| IOW, the SPD should be modified dynamically as a TCP (or SCTP)
| connection is attempted/connected/torn down so that during its lifetime
| the connection's IP packets are protected only with comparable SAs.
|
| The more I think about it, the more I think that "connection latching"
| a) seems very much related to the "populate from packet" feature of
| 2401bis, b) should be an integral part of the IPsec architecture, c) is
| absolutely necessary in situations where applications drive policy
| (e.g., through IPsec APIs), particularly where GSS-API and other channel
| binding to IPsec is to be used.
|
| BTW, and for full disclosure, there exist implementations of this
| concept, in Solaris 9 and 10, for example.
|
| Nico

There's nothing in IPsec that knows about TCP connections now, and there
shouldn't be.

There might be utility to coordinating TCP with IKE, but that means that
the SA used by a packet needs to be set explicitly by the upper layer
rather than inferring it from policy rules.

I.e., TCP may need to know about IPsec, not the other way around.

Joe
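The "latching" behaviour Nico describes in the quoted text (a connection bound for its lifetime to the protection parameters and peer identities of the SA that carried its first packet, with later packets accepted only on comparable SAs) is easier to reason about with a small model. The following is an added illustration written for this archive page; it is not code from Solaris, from 2401bis, or from either poster, and all class and field names (SA, Latch, LatchingSPD, the constructed 5-tuple and transform strings) are invented. It deliberately does not compare SPIs, so a rekeyed SA with the same transforms and identities still passes, while a NULL-cipher SA or an SA authenticated to a different peer is rejected for the life of the connection.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# A connection is identified by its 5-tuple: (src, dst, sport, dport, proto).
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class SA:
    """Subset of SA state relevant to latching (invented field names)."""
    spi: int
    cipher: str       # ESP encryption transform
    integrity: str    # ESP/AH integrity transform
    local_id: str     # IKE identity this host authenticated with
    peer_id: str      # IKE identity the remote peer authenticated with


@dataclass(frozen=True)
class Latch:
    """Protection parameters a connection is bound to for its lifetime."""
    cipher: str
    integrity: str
    local_id: str
    peer_id: str

    @classmethod
    def from_sa(cls, sa: SA) -> "Latch":
        return cls(sa.cipher, sa.integrity, sa.local_id, sa.peer_id)

    def comparable(self, sa: SA) -> bool:
        # The SPI is intentionally not part of the comparison: an SA that was
        # rekeyed with the same transforms and identities is "comparable".
        return self == Latch.from_sa(sa)


class LatchingSPD:
    """Per-connection latches, added as connections open and removed as they close."""

    def __init__(self) -> None:
        self.latches: Dict[FiveTuple, Latch] = {}

    def connect(self, conn: FiveTuple, sa: SA) -> Latch:
        """Latch a new connection to the SA that carried its first packet."""
        if conn in self.latches:
            raise ValueError(f"connection already latched: {conn}")
        latch = Latch.from_sa(sa)
        self.latches[conn] = latch
        return latch

    def admit(self, conn: FiveTuple, sa: SA) -> bool:
        """True if a packet for `conn` arriving on `sa` may be delivered.

        A 5-tuple with no latch is governed only by the static SPD, which
        this toy model treats as permit; latched traffic must match."""
        latch = self.latches.get(conn)
        if latch is None:
            return True
        return latch.comparable(sa)

    def close(self, conn: FiveTuple) -> None:
        """Drop the latch when the connection is torn down."""
        self.latches.pop(conn, None)


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: one TCP connection, a rekey, a downgrade, a new peer."""
    spd = LatchingSPD()
    conn = ("10.0.0.1", "10.0.0.2", 40000, 443, "tcp")
    sa1 = SA(0x1001, "AES-CBC-128", "HMAC-SHA1-96", "host-a", "host-b")
    sa2 = SA(0x1002, "AES-CBC-128", "HMAC-SHA1-96", "host-a", "host-b")  # rekey of sa1
    sa3 = SA(0x1003, "NULL", "HMAC-SHA1-96", "host-a", "host-b")         # weaker cipher
    sa4 = SA(0x1004, "AES-CBC-128", "HMAC-SHA1-96", "host-a", "host-c")  # different peer

    spd.connect(conn, sa1)
    results = {
        "same_sa": spd.admit(conn, sa1),
        "rekeyed_sa": spd.admit(conn, sa2),
        "null_cipher": spd.admit(conn, sa3),
        "other_peer": spd.admit(conn, sa4),
    }

    # Once the connection is closed, a new connection on the same 5-tuple may
    # latch to different parameters; the old SA is then the one rejected.
    spd.close(conn)
    spd.connect(conn, sa4)
    results["relatched_new_peer"] = spd.admit(conn, sa4)
    results["relatched_old_sa"] = spd.admit(conn, sa1)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:20s} {'accept' if decision else 'reject'}")
```

The model is the proposal as quoted, not Joe's alternative: here IPsec keeps per-connection state, whereas his reply argues the upper layer should select the SA explicitly. Either way, the check a practitioner cares about is the same one `admit` performs: the packet's SA must carry the same transforms and authenticated identities as the one the connection started on.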

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

