Hi Yoav, These applications are using same IKE SA for allocating IP to the application specific virtual interfaces, which can be more than one. Let me know if you further clarification.
Thanks & Regards, Raj 2009/8/26 Yoav Nir <y...@checkpoint.com> > Hi Raj. > The issue is concerned with Config payload in Child SA only. Config in > INFORMATIONAL will stay, or at least, there is no current proposal to remove > it. > > It can be useful for querying the application version, which is still a > defined attribute for CP. > > Can you elaborate on the cases where the application needs more than 1 IP > address? > > Yoav > > On Aug 26, 2009, at 6:08 AM, Raj Singh wrote: > > Hi Yaron, > > Also, there are use cases when application needs more than 1 IP address for > internal purpose. > With current ikev2bis, this is possible as we can request address after > session establishment using CP[CFG_REQUEST] in INFORMATIONAL exchange. > If we say that we want to support in ONLY IKE_AUTH. > Are we going to stop supporting CP payload via INFORMATION exchange ? > > Thanks & Regards, > Raj > > On Wed, Aug 26, 2009 at 2:53 AM, Yaron Sheffer <yar...@checkpoint.com>wrote: > >> Yoav: >> >> >> Patricia noted in a post to the IPsec mailing list (12/12/2008) that >> section 2.19 says that "request for such a temporary address can be included >> in any request to create a CHILD_SA (including the implicit request in >> message 3) by including a CP payload." >> >> IMO the normal way of doing things is in this message 3, so rather than a >> parenthetical remark, it's really the only one anyone uses. I don't think >> it makes sense to assign a different IP address for each SA, and I don't >> think anyone actually intended for this to be implied. >> >> >> In RFC 4306, section 3.15, one of the attributes that can be sent in the >> CP payload is the INTERNAL_ADDRESS_EXPIRY. That would be the length of time >> before the client needs to renew the address with the gateway (probably >> renew the lease with a DHCP server). With such an attribute, it made sense >> for the client to renew the address along with rekeying some CHILD_SA. >> >> >> In the bis document, we've deprecated this attribute, and it is now marked >> as "RESERVED". Since we've done that, I suggest we remove the CP payload >> from the Create Child SA exchange in appendix A, and reword section 2.19 to >> reflect that requesting an IP address is only acceptable during IKE_AUTH. >> >> >> >> Everyone, please comment on the above, even if you support Yoav’s >> proposal. This would be a protocol change (even if we don’t understand what >> the current semantics is…), so we shouldn’t do it unless we’re quite sure. >> >> >> Thanks, >> >> Yaron >> > > > > Email secured by Check Point > >
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
