[anonsec] A note about connection latchin.

kent at bbn.com (Stephen Kent) Mon, 10 September 2007 17:44 UTC

From: kent at bbn.com (Stephen Kent)
Date: Mon, 10 Sep 2007 13:44:32 -0400
Subject: [anonsec] A note about connection latchin.
In-Reply-To: <20070907220757.GL22639@Sun.COM>
References: <20070907220757.GL22639@Sun.COM>
Message-ID: <p0624051bc30b325c9907@[128.89.89.71]>

At 5:07 PM -0500 9/7/07, Nicolas Williams wrote:
>The connection latching I-D puts forward two informative models.  The
>next version, which I'm working on right now, will make one of those
>models normative.
>
>The two models, you might recall, are:
>
>a) ULPs interface with IPsec via "template" PAD and SPD entries that get
>    "cloned" upon triggering events.
>
>    For example, a TCP connect() would create a template PAD entry with
>    the connection's 5-tuple as child SA constraints, prior to sending
>    the TCP SYN packet.  A TCP listen() would create a template PAD entry
>    with the listener's 3-tuple as child SA constraints, prior to
>    accepting any TCP SYN packets.

For SPD entries, the applicable term is "populate from packet" and we 
have a flag for that.  PAD entries don't have 5-tuples, so did you 
mean SPD above? If so, do you want to specify the template PAD entry 
separately above?

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.postel.org/pipermail/anonsec/attachments/20070910/279bf772/attachment.html