Re: Do we need ?
Karen Seo <kseo@bbn.com> Tue, 17 March 1998 04:11 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id XAA12342 for ipsec-outgoing; Mon, 16 Mar 1998 23:11:37 -0500 (EST)
Message-Id: <199803170422.XAA21852@relay.hq.tis.com>
Date: Mon, 16 Mar 1998 23:19:14 -0500
From: Karen Seo <kseo@bbn.com>
To: "srinivasrao.kulkarni" <srinu@trinc.com>
cc: ipsec@tis.com
Subject: Re: Do we need ?
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Hello,

Oops, Section 5.1.1 is correct. We had changed it in the February draft (as noted below) and missed the text in 4.4.3.

[from list of changes -- email 2/20...]

18. Section "5.1.1. Selecting and Using an SA or SA Bundle" [outbound processing] -- Several issues have come up.

    a) How much searching of the SPD and SAD should be done before creating a new SA?

       * Several approaches to this have been brought up on the list, e.g., see email from S. Kent 12/7/97 in reply to Ly Loi (Subj: "Re: IPSEC arch comments"). There is a tradeoff between spending more time to search the SAD to avoid creating unnecessary SAs and using more space by creating potentially redundant SAs by using the first SPD hit (if it does not point to a matching SA). One possible enhancement would be to note which policies create overlapping SAs when the SPD is created.

         There weren't many comments, but the general feeling seemed to be in favor of creating an SA for the first policy hit rather than searching the whole SAD.

Thank you,
Karen
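
The tradeoff discussed in the message above, as an added example that is not part of the original email or of any IPsec draft: a simplified model of outbound processing with two overlapping SPD entries, comparing SA creation on the first SPD hit against searching the whole SAD first. The class names, the selector model (destination prefix plus port range), the rule that a new SA takes its policy's selectors, the transform label and the addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Selector:                      # hypothetical, simplified selector
    dst: str                         # destination prefix
    ports: range                     # destination port range
    def matches(self, dst, port):
        return ip_address(dst) in ip_network(self.dst) and port in self.ports

@dataclass
class SA:
    sel: Selector
    transform: str

@dataclass
class Policy:
    name: str
    sel: Selector
    transform: str
    sas: list = field(default_factory=list)   # SAs this SPD entry points to

def outbound(spd, sad, dst, port, search_whole_sad):
    """Return (sa, created) for one outbound packet; (None, False) if no policy."""
    policy = next((p for p in spd if p.sel.matches(dst, port)), None)  # first SPD hit
    if policy is None:
        return None, False
    # Either look only at SAs hanging off the hit policy, or scan the whole SAD.
    candidates = sad if search_whole_sad else policy.sas
    for sa in candidates:
        if sa.transform == policy.transform and sa.sel.matches(dst, port):
            return sa, False
    sa = SA(policy.sel, policy.transform)     # assumption: SA inherits policy selectors
    policy.sas.append(sa)
    sad.append(sa)
    return sa, True

def run(search_whole_sad):
    """Send constructed traffic through overlapping policies; return SAD size."""
    spd = [Policy("web", Selector("192.0.2.10/32", range(80, 81)), "ESP-3DES"),
           Policy("host", Selector("192.0.2.10/32", range(0, 65536)), "ESP-3DES")]
    sad = []
    for dst, port in [("192.0.2.10", 25), ("192.0.2.10", 80), ("192.0.2.10", 80)]:
        outbound(spd, sad, dst, port, search_whole_sad)
    return len(sad)

if __name__ == "__main__":
    print("first SPD hit:", run(False), "SAs; whole-SAD search:", run(True), "SAs")
```

In this model the first-hit approach ends with two SAs because the "web" entry has no SA of its own yet, while the whole-SAD search reuses the wider SA already created under the overlapping "host" entry, at the cost of a scan of the SAD.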