2007/449 Detangle IPsec NAT Traversal
Dan McDonald
danmcd at Sun.COM
Fri Aug 3 10:21:35 PDT 2007
On Fri, Aug 03, 2007 at 01:07:52PM -0400, James Carlson wrote:
> > It's up to Key Management (e.g. IKE) to pin these sockets up. And usually
> > the KM traffic uses the 0-SPI value with its peer.
>
> Ah, that's the bit I needed to understand, thanks. I was expecting a
> closer tie here.
It's a point of principle for me --> KM and traffic keys should be as loosely
coupled as possible. Historically, too many KM schemes have turned out to
have holes in them.
Dan