Re: IKEv2 transport concerns
>>>>> "Black" == Black David <Black_David@emc.com> writes:
Black> Steve,
Black> The goal here is that any use of IKEv2 to negotiate a tunnel-mode SA
Black> (or UDP-encapsulated tunnel-mode SA for NAT traversal) carry an implied
Black> promise that ECN will be supported and handled correctly for that
Black> tunnel. This avoids any need for IKEv2 to negotiate/report/etc.
Black> ECN handling, in contrast to IKEv1 where a negotiable SA attribute

David, while I understand what you are trying to do, you are assuming that
IKEv2 can only be deployed with an entirely new system. IKEv2 is a trivial
upgrade of system software (perhaps a "Service Pack"), while the upgrade to
the IPsec portions may in fact require changes to hardware.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [