Prashant Batra (prbatra) writes:
> If the user knows that it has to establish 2/3 CHILD_SA, will it not be
> good to have a provision to specify the information for all in a single
> message (IKE_AUTH).
>
> This might save a lot of CHILD_SA exchanges.
The CREATE_CHILD_SA exchange is quite a lightweight exchange, especially if no Diffie-Hellman is needed. If your SAs are between the same endpoints and have similar lifetimes, there is no need to do Diffie-Hellman exchanges in the CREATE_CHILD_SA, meaning the cost of doing CREATE_CHILD_SA is just sending and receiving one packet. If your implementation also supports a window size larger than 1, then you can send those 2-3 CREATE_CHILD_SA requests at the same time and then start waiting for the replies to them.

Also, why do you need those multiple Child SAs? What is the difference between them? If they just have different Traffic Selectors, then you could also consider combining all the traffic selectors into one Child SA. If they have different algorithms, then the question is why do they need different algorithms? Why is some one algorithm not safe for all of them?

IKEv1 did have the feature of negotiating multiple Child SAs in one exchange, but that was not taken into IKEv2. I do not know of any implementation which properly supported that IKEv1 feature, and I have not seen anybody asking for that feature before this for IKEv2. What is the use case you have that would require that feature?
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
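The point made above about window size can be seen in a small model of the exchange. The following is an added example, not code from the thread or from any IKEv2 implementation: a toy simulation of CREATE_CHILD_SA requests under an RFC 7296 message-ID window. It assumes message IDs 0 and 1 were consumed by IKE_SA_INIT and IKE_AUTH, abbreviates payloads by their RFC 7296 names (SA, Ni/Nr, KEi/KEr, TSi/TSr), and does no cryptography; the responder's window check, response cache and the `combine_selectors` helper are simplifications written for illustration.

```python
"""Toy model of IKEv2 CREATE_CHILD_SA pipelining under a message-ID window.

Added example (not from the mailing-list thread). Assumptions: message IDs
0 and 1 are already used by IKE_SA_INIT/IKE_AUTH; payloads are named as in
RFC 7296 but carry no real content; responder behaviour is simplified.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChildSpec:
    name: str
    ts_i: Tuple[str, ...]   # initiator-side traffic selectors (constructed sample data)
    ts_r: Tuple[str, ...]   # responder-side traffic selectors
    pfs: bool = False       # True: request carries KEi, i.e. a fresh Diffie-Hellman exchange


@dataclass(frozen=True)
class Message:
    msg_id: int
    payloads: Tuple[str, ...]


class Initiator:
    def __init__(self, window: int):
        self.window = window
        self.next_id = 2                         # 0 = IKE_SA_INIT, 1 = IKE_AUTH
        self.outstanding: Dict[int, ChildSpec] = {}

    def can_send(self) -> bool:
        # The window bounds how many requests may be in flight without a response.
        return len(self.outstanding) < self.window

    def request(self, spec: ChildSpec) -> Message:
        assert self.can_send(), "window full; a response must arrive first"
        payloads = ("SA", "Ni") + (("KEi",) if spec.pfs else ()) + ("TSi", "TSr")
        msg = Message(self.next_id, payloads)
        self.outstanding[msg.msg_id] = spec
        self.next_id += 1
        return msg

    def response(self, resp: Message) -> ChildSpec:
        return self.outstanding.pop(resp.msg_id)  # KeyError for an ID we never sent


class Responder:
    def __init__(self, window: int):
        self.window = window
        self.expected = 2
        self.cache: Dict[int, Message] = {}      # responses kept for retransmissions

    def handle(self, req: Message) -> Optional[Message]:
        if req.msg_id in self.cache:             # retransmitted request: same response again
            return self.cache[req.msg_id]
        if not self.expected <= req.msg_id < self.expected + self.window:
            return None                          # outside the window: discard
        payloads = ("SA", "Nr") + (("KEr",) if "KEi" in req.payloads else ()) + ("TSi", "TSr")
        resp = Message(req.msg_id, payloads)
        self.cache[req.msg_id] = resp
        while self.expected in self.cache:       # slide the window forward
            self.expected += 1
        return resp


def expected_round_trips(n_child_sas: int, window: int) -> int:
    return math.ceil(n_child_sas / window)


def negotiate(specs: List[ChildSpec], window: int) -> Tuple[List[str], int]:
    """Drive the exchange; returns the message trace and the number of round trips."""
    init, resp = Initiator(window), Responder(window)
    pending, trace, round_trips = list(specs), [], 0
    while pending:
        batch = []
        while pending and init.can_send():       # send as many as the window allows
            m = init.request(pending.pop(0))
            batch.append(m)
            trace.append(f"I->R CREATE_CHILD_SA id={m.msg_id} {'/'.join(m.payloads)}")
        round_trips += 1
        for m in batch:                          # all replies for this batch arrive together
            r = resp.handle(m)
            assert r is not None
            spec = init.response(r)
            trace.append(f"R->I CREATE_CHILD_SA id={r.msg_id} {'/'.join(r.payloads)} -> {spec.name} up")
    return trace, round_trips


def combine_selectors(specs: List[ChildSpec]) -> ChildSpec:
    """Merge several Child SAs that differ only in traffic selectors into one."""
    assert len({s.pfs for s in specs}) == 1, "only combine SAs with the same parameters"
    ts_i = tuple(sorted({t for s in specs for t in s.ts_i}))
    ts_r = tuple(sorted({t for s in specs for t in s.ts_r}))
    return ChildSpec("+".join(s.name for s in specs), ts_i, ts_r, specs[0].pfs)


# Constructed sample data: three Child SAs between the same two gateways.
SAMPLE = [
    ChildSpec("lan-a", ("10.0.1.0/24",), ("192.168.1.0/24",)),
    ChildSpec("lan-b", ("10.0.2.0/24",), ("192.168.1.0/24",)),
    ChildSpec("mgmt", ("10.0.9.0/24",), ("192.168.9.0/24",), pfs=True),
]

if __name__ == "__main__":
    for w in (1, 3):
        trace, rt = negotiate(SAMPLE, w)
        print(f"window={w}: {rt} round trip(s)")
        print("\n".join(trace))
    print("combined:", combine_selectors(SAMPLE[:2]))
```

With a window of 3 all three requests leave before any reply, so the three SAs cost one round trip; with a window of 1 they are strictly serialized. Only the SA marked `pfs=True` carries KEi/KEr, which is the one case where the exchange costs more than a single packet each way.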
