On Mon, 4 Dec 2023, Ben Schwartz wrote:
> As I've mentioned previously, I think this draft is valuable for "network-to-network" tunneling, where the sender and receiver are both represented by a large (and evolving) collection of gateways (perhaps sharing IPs via anycast).

I don't understand what a sender, receiver and gateway are in this "network-to-network tunneling" setup. Are you talking about a mesh network where each mesh node has its own network behind it and is often changing IPs? That seems more like a MOBIKE mesh deployment, where you move the SA with you to a new IP instead of keeping up tunnels on all possible IPs.

> This situation requires O(N^2) SAs in the current protocol, but with sequence number subspaces it can be arranged with O(N) or even O(1) SAs.

Dividing the number spaces still assumes all these IPsec SAs fall under the one IKE SA. So I don't understand how the number of SAs changes in what you are describing. Can you elaborate on this use case?

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
