On Wed, Feb 22, 2006 at 05:03:26PM -0500, Stephen Kent wrote:
> >...but even if it is in scope, connection latching[*] (though there is
> >no ULP connection to speak of) can still work, as can channel binding.
> >
> >[*] See draft-btns-connection-latching-00, when it appears in the I-D
> >    directory.
> >
> >Think of having a layer 7 protocol for authenticating to the SG and the
> >SG enabling packet forwarding only once the client is authenticated;
> >conversely the tunnel (and latch) are to be torn down only when the
> >client agrees or a sufficiently long inactivity timer expires. The
> >latch and inactivity timer prevent theft of a client's packet flows (the
> >attack that Michael described a few days ago).
>
> This almost sounds like a MIDCOM-style solution. I think this would
> be a very big change to the current IPsec architecture, probably out
> of scope for this WG.

'Change' is probably not the right word here; perhaps 'addition' would be
more appropriate. But let's leave this out of scope, if it isn't already.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.