Bill Sommerfeld <[EMAIL PROTECTED]> writes:
> > To me it would make sense to have associated data that is the index of
> > the security association used (is that the right term? I'm not really
> > up to date on IPSEC terminology).
>
> The actual spi value is not likely to be very useful to the
> application (when key management is in use, it's a random number which
> lasts as long as the sa does, and sa's are, in the long run,
> ephemeral).
It would be useful to the application if either (i) the application is
doing its own key management, and it installed a bunch of values into
the ipsec engine earlier, or (ii) there's some mechanism to map the
value to other useful information.
> On the other hand, other metadata associated with the SA
> would be (the authenticated peer identity, for one).
It still seems reasonable to provide a (short) index with the
ancillary data, and use some other mechanism to look up its
properties.
/Niels
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------