[anonsec] A note about connection latchin.

[kent at bbn.com (Stephen Kent)]

At 3:22 PM -0500 9/10/07, Nicolas Williams wrote:
>On Mon, Sep 10, 2007 at 01:44:32PM -0400, Stephen Kent wrote:
>>  At 5:07 PM -0500 9/7/07, Nicolas Williams wrote:
>>  >a) ULPs interface with IPsec via "template" PAD and SPD entries that get
>>  >   "cloned" upon triggering events.
>>  >
>>  >   For example, a TCP connect() would create a template PAD entry with
>>  >   the connection's 5-tuple as child SA constraints, prior to sending
>>  >   the TCP SYN packet.  A TCP listen() would create a template PAD entry
>>  >   with the listener's 3-tuple as child SA constraints, prior to
>>  >   accepting any TCP SYN packets.
>>
>>  For SPD entries, the applicable term is "populate from packet" and we
>>  have a flag for that.  PAD entries don't have 5-tuples, so did you
>>  mean SPD above? If so, do you want to specify the template PAD entry
>>  separately above?
>
>Although PFP seems appropriate, it's not quite sufficient.  Since my
>post on Friday I've realized just how best to describe connection
>latching as an extension of the IPsec child SA authorization process.
>
>As for what I meant by referenceing 5-tuples and PAD entries, keep in
>mind that I wrote "template PAD entries" -- which in my I-D as it stood
>on Friday (not submitted) referred to something somewhat different from
>PAD entries.  I'm abandoning that terminology; it's not just confusing:
>there's a better way to describe the state that is being created.
>
>Nico
>--

never mind .... :-)

Steve