"connection latching" -- comments on rfc2401bis (draft-ietf-ipsec-rfc2401bis-04.txt)]

"Connection latching" is a simple concept: connections, for connection-
oriented protocols, such as TCP or SCTP, that are run over IPsec should
be 'bound' to the same quality of protection parameters and initiator
and responder IDs for their duration.

IOW, the SPD should be modified dynamically as a TCP (or SCTP)
connection is attempted/connected/torn down so that during its lifetime
the connection's IP packets are protected only with comparable SAs.

The more I think about it, the more I think that "connection latching"
a) seems very much related to the "populate from packet" feature of
2401bis, b) should be an integral part of the IPsec architecture, c) is
absolutely necessary in situations where applications drive policy
(e.g., through IPsec APIs), particularly where GSS-API and other channel
binding to IPsec is to be used.

BTW, and for full disclosure, there exist implementations of this
concept, in Solaris 9 and 10, for example.

Nico
-- 

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
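The following is an added example, not code from the post, from Solaris, or from any IPsec implementation: a small Python model of the latching behaviour described above. A latch records, per connection 5-tuple, the protection parameters under which the connection's first packet arrived (protocol, mode, algorithms, and the two IKE identities), admits later packets only if they arrive under a comparable SA, and is released when the connection is torn down. The `SAParams` fields, the packet shape and the sample traffic are all constructed for the example and are not a real SPD or SAD schema. Two choices go slightly beyond the post's text and are the example's own: the SPI and keys are deliberately excluded from the comparison so that a rekeyed child SA with the same parameters still satisfies the latch, and a connection whose first packet arrived in the clear is latched to "no protection", so that it cannot later be switched onto an SA mid-stream either.

```python
"""Toy model of IPsec "connection latching" (added example; not Solaris code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Connection 5-tuple: (src, dst, sport, dport, proto)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class SAParams:
    """Protection parameters a latch binds to (constructed schema)."""
    protocol: str   # "ESP" or "AH"
    mode: str       # "transport" or "tunnel"
    encr: str       # cipher, e.g. "AES-GCM-16"; "none" for AH or integrity-only ESP
    integ: str      # integrity algorithm; "none" when the cipher is an AEAD
    local_id: str   # IKE identity of this host
    peer_id: str    # IKE identity of the peer

    def comparable(self, other: "SAParams") -> bool:
        # Comparable SAs share quality of protection and endpoint identities.
        # SPI and key material are not part of this on purpose: a rekeyed
        # child SA with the same parameters still satisfies the latch.
        return self == other


@dataclass
class Packet:
    conn: FiveTuple
    spi: Optional[int]        # None means the packet arrived in the clear
    sa: Optional[SAParams]    # parameters of the SA that protected it (None: cleartext)
    flags: str = ""           # "SYN", "FIN", "RST" or "" for plain data


class ConnectionLatch:
    """Tracks, per connection, the protection it was established under."""

    def __init__(self) -> None:
        self._latched: Dict[FiveTuple, Optional[SAParams]] = {}
        self.log: List[str] = []

    def latched(self, conn: FiveTuple) -> bool:
        return conn in self._latched

    def inbound(self, pkt: Packet) -> bool:
        """Return True if the packet is admitted to its connection."""
        if pkt.conn not in self._latched:
            if "SYN" not in pkt.flags:
                self.log.append(f"drop: {pkt.conn} has no latch and is not a SYN")
                return False
            # First packet of the connection: latch its protection (possibly none).
            self._latched[pkt.conn] = pkt.sa
            self.log.append(f"latch: {pkt.conn} -> {pkt.sa}")
            return True

        want = self._latched[pkt.conn]
        ok = (want is None and pkt.sa is None) or (
            want is not None and pkt.sa is not None and want.comparable(pkt.sa)
        )
        if not ok:
            self.log.append(f"drop: {pkt.conn} protection {pkt.sa} != latched {want}")
            return False
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            # Teardown releases the latch; a new connection negotiates afresh.
            del self._latched[pkt.conn]
            self.log.append(f"unlatch: {pkt.conn}")
        return True


def run_demo() -> Tuple[int, int, List[str]]:
    """Replay constructed packets; returns (admitted, dropped, log)."""
    conn = ("10.0.0.2", "10.0.0.1", 40000, 22, "tcp")
    strong = SAParams("ESP", "transport", "AES-GCM-16", "none", "host-a", "host-b")
    rekeyed = SAParams("ESP", "transport", "AES-GCM-16", "none", "host-a", "host-b")
    weaker = SAParams("ESP", "transport", "none", "HMAC-SHA2-256", "host-a", "host-b")
    other_peer = SAParams("ESP", "transport", "AES-GCM-16", "none", "host-a", "host-c")
    packets = [
        Packet(conn, 0x1001, strong, "SYN"),   # establishes the latch
        Packet(conn, 0x1001, strong),          # same SA: admitted
        Packet(conn, 0x2002, rekeyed),         # rekeyed SA, same parameters: admitted
        Packet(conn, 0x3003, weaker),          # integrity-only ESP: dropped
        Packet(conn, 0x4004, other_peer),      # different peer identity: dropped
        Packet(conn, None, None),              # cleartext on a latched connection: dropped
        Packet(conn, 0x2002, rekeyed, "FIN"),  # teardown removes the latch
        Packet(conn, 0x3003, weaker),          # no latch and not a SYN: dropped
    ]
    latch = ConnectionLatch()
    results = [latch.inbound(p) for p in packets]
    return results.count(True), results.count(False), latch.log


if __name__ == "__main__":
    admitted, dropped, log = run_demo()
    print(f"admitted={admitted} dropped={dropped}")
    print("\n".join(log))
```

The model keys on the 5-tuple only because that is what the post describes; a real implementation would also have to decide what "comparable" means for its own SA attributes, and the comparison here (exact equality on algorithms and identities) is a strict choice that avoids the silent downgrade to a weaker SA or a different peer shown in the constructed traffic.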




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.