Manish,
Steve,
NHRP is used to resolve the remote peer which serves/owns the address
we're interested in. The information in this resolution culminates in
the creation of SPD.

So the NHRP interaction creates a new SPD entry as a side effect? This
entry is more specific re selector values (for IP addresses), and that
causes traffic to trigger an IKE SA for the shortcut route, and then
child SAs are created, right?

I presume this is new functionality for NHRP (given the age of that
RFC), and is viewed as an external management interface to IPsec, for
SPD maintenance. Is it safe to assume that the SPD selectors are the
same for every NHRP-triggered SA pair? Since (I believe) NHRP doesn't
care about higher layer protocols, and since the SA is transport mode
and encapsulating GRE, that means that no transport protocol/port
access controls are imposed on the SA, right?

Is there a corresponding management mechanism, tied to NHRP, to cause
these SAs to terminate, or do you rely on the SA lifetime values to
time out these shortcut SAs? How are these values managed?

Steve
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec