David Wierbowski writes:
> >Do you think it is legal to create a system where one Child SA can
> >fail in such way that IKE SA cannot send delete notification?
>
> I do not think a robust IKE implementation would allow this.
I agree, and the current text says you cannot do that (i.e. it says
that
Jitender Arora writes:
> 1. I will point the section 5.1 in the introduction itself that way
> the purpose and applications of the draft are clear.
After I read the section 5.1 (I skipped most of the other draft as I
needed to know first WHY this is needed before I care about HOW it is
implemente
Hi Jitender,
regarding your point #3: I am not sure that if I trust a gateway to
connect to, I also trust it to say that all ESP traffic from an
arbitrary IP address should be treated as a Child SA of this gateway. I
cannot see a concrete attack based on this assumption, but it can surely
result i
Or think of a single IKE gateway that sets up IPsec SAs for multiple IPsec
boxes. Like the key server in MSEC.
On Apr 27, 2010, at 3:27 PM, Yaron Sheffer wrote:
> Hi Jitender,
>
> regarding your point #3: I am not sure that if I trust a gateway to
> connect to, I also trust it to say that all