Re: [Ipsec] Rekeying SA bundles

To: Alejandro Perez Mendez <alejandro.perez.mendez%gmail.com@localhost>
Subject: Re: [Ipsec] Rekeying SA bundles
From: Thor Lancelot Simon <tls%rek.tjls.com@localhost>
Date: Sat, 1 Oct 2005 14:47:22 -0400

On Sat, Oct 01, 2005 at 02:23:19PM +0200, Alejandro Perez Mendez wrote:
> 
> c) The REKEY_SA identifies only one of the SAs in the bundle, but this
> is enough to identify the entire SA bundle. The responder knows all the
> SPI values.

>From my point of view, this is the only option that really makes sense.
Anything else would seem to either waste space on the wire, require the
peer to keep extra state across multiple IKE messages or payloads, or
both.

-- 
 Thor Lancelot Simon	                                      tls%rek.tjls.com@localhost

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky

Prev by Date: DISCUSS comments on publickeyfile-09
Next by Date: Re: DISCUSS comments on publickeyfile-09
Previous by Thread: DISCUSS comments on publickeyfile-09
Next by Thread: Please publish the attached draft-ietf-secsh-filexfer-10.txt
Indexes:

Home | Main Index | Thread Index | Old Index