On 7/24/20 2:28 PM, William Allen Simpson wrote:
> Therefore, I'd recommend that IPsec instead implement a block of related SPIs.
> Each SPI should have its unique session-key as usual, but all would have the
> same next protocol header and TCP/UDP port associated with the same flow.
>
> In the Photuris Extended Attributes internet-draft circa July 1997, we defined
> the SPI-Block option. Without the overhead of multiple negotiations, a single
> exchange could generate a list of many related SPIs.
>
> You could send on several SPIs concurrently.

Although there has been some pushback, have we agreed that instead of multiple
windows (however defined), a more general solution is multiple SPIs?
Who is going to write the SPI block/group extension for IKEv2?
Would it be best to add to an existing draft already in the pipeline?