In line as [Hu Jun]

-----Original Message-----
From: Paul Wouters <p...@nohats.ca>
Sent: Thursday, December 12, 2019 1:25 PM
To: Hu, Jun (Nokia - US/Mountain View) <jun...@nokia.com>
Cc: ipsec@ietf.org WG <ipsec@ietf.org>; Sahana Prasad <sah...@redhat.com>
Subject: Re: [IPsec] Labeled IPsec options

On Wed, 11 Dec 2019, Hu, Jun (Nokia - US/Mountain View) wrote:

> Subject: Re: [IPsec] Labeled IPsec options
>
> +1 for option4, +0.5 for option3
> One factor to consider is the granularity of label, for me it is per
> CHILD_SA; option1 is per TS (e.g TS with label and TS without label
> could be mixed in the same payload), option2 is per TS payload (e.g.
> you could have TSi with label, TSr without label)

If you select multiple TS's these all become part of one Child SA. So I think the granularity of the label does not change between the solutions?

[Hu Jun] if we agree that label is per CHILD_SA, then with option 1 or 2, there is possibility for invalid TS combination, following are some examples of invalid TS:
- with option-1: There are two TS in TSi, first TS contains label-1, 2nd TS contains label-2
- with option-2: TSi contains label-1, while TSr contains a different label-2

With option-3/4 there is no such concern

> Option3 is a bit "abusing" the semantic of notification payload, since a
> "label notification" is not communicating a status, error or capability.

A bit yes :)

Paul
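
The consistency check that a receiver would need under option 1 or option 2, given the invalid combinations listed in the message above, as an added example that is not part of the original thread or of any draft. The `(selector, label)` model, the function names, and the rule that a mix of labeled and unlabeled TS is also rejected are assumptions; no wire format is implied.

```python
from typing import List, Optional, Set, Tuple

Label = Optional[bytes]          # None means no label was carried
TS = Tuple[str, Label]           # (selector, label): abstract model, not a wire format


class LabelMismatch(ValueError):
    """The TS payloads do not resolve to exactly one label for the Child SA."""


def _single(labels: Set[Label], where: str) -> Label:
    # A Child SA has one label, so the set of labels seen must have one member.
    if len(labels) != 1:
        shown = sorted(repr(l) for l in labels)
        raise LabelMismatch(f"{where}: expected one label per Child SA, got {shown}")
    return next(iter(labels))


def label_option1(tsi: List[TS], tsr: List[TS]) -> Label:
    """Option 1 model: every TS in TSi and TSr may carry its own label."""
    # Assumption: a mix of labeled and unlabeled TS is rejected as well.
    return _single({label for _, label in tsi + tsr}, "option 1")


def label_option2(tsi_label: Label, tsr_label: Label) -> Label:
    """Option 2 model: one label per TS payload (one for TSi, one for TSr)."""
    return _single({tsi_label, tsr_label}, "option 2")


def check(fn, *args) -> str:
    """Run one of the checks and describe the outcome as text."""
    try:
        return f"ok: {fn(*args)!r}"
    except LabelMismatch as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples; selectors and label values are made up.
    same = ([("10.0.0.0/24", b"label-1")], [("10.0.1.0/24", b"label-1")])
    bad1 = ([("10.0.0.0/24", b"label-1"), ("10.0.2.0/24", b"label-2")],
            [("10.0.1.0/24", b"label-1")])
    print(check(label_option1, *same))
    print(check(label_option1, *bad1))                    # two labels inside TSi
    print(check(label_option2, b"label-1", b"label-2"))   # TSi and TSr differ
```

With option 3 or 4 as described in the thread, the label is carried once per exchange, so this check has nothing to compare.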