Hi Raj,

1. As far as I understand, only one data channel can be created
   within one IKE SA. So, if an application needs several different channels,
   it has to create several separate IKE SAs, performing authentication
   several times (probably involving human activity, if EAP is used).
   This makes the whole architecture not so lightweight.

[RSJ] Most deployments use only a single IPsec SA per peer: either they want to use security for all data for a peer/network or they don't. The networks for which we don't want security protection can be excluded using Access Control Lists (ACLs). So, in a deployment where different applications want to use the IKEv2 data channel, we can use the same IKEv2 SA for the same peer for different applications.
We are working on how to multiplex different applications using a single IKEv2 SA; currently, we are thinking of adding the source and destination port in the IKEv2 data channel payload.

To clarify my comment - I meant that your draft allows creating data channels
with different properties - acknowledged / unacknowledged, integrity only, etc.
Different applications will need different properties. If you create only one data channel per IKE SA, its properties probably won't satisfy all applications
that need it. So you will need to create several IKE SAs.

But let's wait for the next version of the draft.

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec