On Fri, 13 Dec 2019, Valery Smyslov wrote:
I don't think that matters. Security labels are never optional but always
mandatory. And it seems very unlikely to have a mix of child sa's with and
without label. So they will all have a label, and then failing the IKE SA
is fine,
Do you want to say, that it's impossible to have two SGWs with multiple
networks behind them so, that traffic from some networks will have security
labels and traffic from the others won't have?
I'm not saying it is impossible. I am saying it is not likely to be a
real life configuration. If you classify network traffic with labels,
your goal is to not have unlabeled traffic come in at all. You might
have a label SEC_WHATEVER, but it still seems far more likely you would
mark the traffic as having come from SGWx with some kind of LABELx to
track the origin throughout your network.
If such a configuration is possible, then it's perfectly OK to have a mix
of labelled and non-labelled IPsec SAs created by one IKE SA.
I'd argue the reverse. It would likely be better not to allow such an
awful configuration :)
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
