Yoav Nir writes:
> But if it's different IP addresses for different applications, then
> there are probably also different traffic selectors for these
> applications, and then possibly different IPsec SAs.

Most likely, but it is still most likely going to be a few -> many mapping, i.e. you have few (1-3? or so) IP addresses, but you can have many SAs each using a few of those addresses.

I do not really see any need to use configuration payloads along with CREATE_CHILD_SA exchanges. The reason we do configuration payloads in the IKE_AUTH is to avoid extra round trips for the most common case of creating the IKE SA, getting an IP address, and creating the IPsec SA. If some implementation needs more IP addresses, then it can first use an INFORMATIONAL exchange with configuration payloads to get the IP addresses it needs, and then use CREATE_CHILD_SA to create the IPsec SA using that address.

For the GW it is enough to check that the traffic selector for the source address is one of the addresses allocated for the client (or otherwise an address allowed by policy).

draft-ietf-ipsecme-ikev2-ipv6-config might need configuration payloads in INFORMATIONAL exchanges also, especially if you use the sharing of VPN access (section 3.4), as in that case you most likely need one new prefix per interface where you share the address, and all of your interfaces might not be up and in use when you first create the IKE SA.
--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
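The gateway-side check described in the reply (a traffic selector in a later CREATE_CHILD_SA must lie within addresses the gateway handed out in configuration payloads, or within what policy otherwise allows) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread or from any IKE implementation. The attribute names are modelled on IKEv2 configuration attributes (INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS, INTERNAL_IP6_PREFIX); the `ClientState`, `assign_from_config_payload`, `ts_allowed` and `run_constructed_exchange` names, and all addresses, are constructed for illustration.

```python
"""Gateway-side traffic selector check against addresses assigned via
configuration payloads. Constructed example, not from any IKE stack."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientState:
    """Per-client state on the gateway: the few addresses/prefixes handed
    out over the IKE SA (in IKE_AUTH or a later INFORMATIONAL), plus any
    networks the local policy allows regardless of assignment."""
    assigned: list = field(default_factory=list)        # ipaddress networks
    policy_allowed: list = field(default_factory=list)  # ipaddress networks


def assign_from_config_payload(state, cfg_attrs):
    """Apply a simplified CP(REPLY), given as (attribute, value) tuples.
    Attribute names are modelled on the IKEv2 configuration attributes;
    attributes that do not carry an address (DNS servers etc.) are ignored."""
    for attr, value in cfg_attrs:
        if attr in ("INTERNAL_IP4_ADDRESS", "INTERNAL_IP6_ADDRESS",
                    "INTERNAL_IP6_PREFIX"):
            # A bare host address becomes a /32 or /128 network.
            state.assigned.append(ipaddress.ip_network(value))
    return state


def _range_within(start, end, net):
    """True if the inclusive address range start..end sits inside net."""
    if start.version != net.version:
        return False
    return net.network_address <= start and end <= net.broadcast_address


def ts_allowed(state, ts_start, ts_end):
    """Decide whether a source traffic selector (inclusive address range)
    is acceptable: it must fit entirely inside one assigned network or one
    policy-allowed network. A range straddling assigned and unassigned
    space is rejected rather than narrowed."""
    start = ipaddress.ip_address(ts_start)
    end = ipaddress.ip_address(ts_end)
    if start.version != end.version or start > end:
        return False
    return any(_range_within(start, end, net)
               for net in state.assigned + state.policy_allowed)


def run_constructed_exchange():
    """Walk through the sequence the reply describes with constructed data."""
    state = ClientState(policy_allowed=[ipaddress.ip_network("10.9.0.0/24")])

    # IKE_AUTH with CP: gateway assigns one IPv4 address; first Child SA
    # covers exactly that address.
    assign_from_config_payload(state, [("INTERNAL_IP4_ADDRESS", "192.0.2.10")])
    first_child = ts_allowed(state, "192.0.2.10", "192.0.2.10")

    # Later INFORMATIONAL with CP: client obtains an IPv6 prefix for an
    # interface that came up after the IKE SA was created, then a
    # CREATE_CHILD_SA covering that whole prefix.
    assign_from_config_payload(state, [("INTERNAL_IP6_PREFIX", "2001:db8:1::/64")])
    shared_prefix = ts_allowed(state, "2001:db8:1::",
                               "2001:db8:1:0:ffff:ffff:ffff:ffff")

    # CREATE_CHILD_SA with an address the gateway never assigned: reject.
    unassigned = ts_allowed(state, "192.0.2.11", "192.0.2.11")

    # A range spilling past the assigned /32: reject.
    straddling = ts_allowed(state, "192.0.2.10", "192.0.2.11")

    # An address covered by local policy rather than by assignment: accept.
    by_policy = ts_allowed(state, "10.9.0.5", "10.9.0.5")

    return first_child, shared_prefix, unassigned, straddling, by_policy


if __name__ == "__main__":
    print(run_constructed_exchange())
```

The point of keeping the check purely on the gateway's own record of what it assigned is that the client never has to prove anything new in CREATE_CHILD_SA; the INFORMATIONAL-with-CP step extends that record, and every later Child SA is validated against it.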