iSCSI - SA change

Can we put an end to this rathole please? This discussion thread is about helping out implementers who ignore a SHOULD, an exercise that strikes me as increasingly pointless.

Thanks,
--David

> Excerpt of message (sent 23 May 2002) by Black_David@emc.com:
> > [... various snips to focus on the SA replacement issue ...]
> >
> > > > The encryption can probably be removed by negotiating a new SA that
> > > > doesn't encrypt and deleting the old one, but that still requires
> > > > ESP integrity.
> > >
> > > Could we have a more complete example of this (SA changing in
> > > mid-stride)?
> >
> > It is literally as described - the sender sets up a new SA, and deletes
> > the old one. These are done via IKE in the usual fashion.
>
> Unfortunately, it's NOT the usual fashion. It would be extremely
> unusual, to say the least, for an IPsec implementation to be willing
> to offer both encrypted and unencrypted SAs to the same destination.
>
> It is probably true that the protocol permits it, but as Milan pointed
> out, IPsec implementers will give you very funny looks if you suggest
> this to them.
>
> paul

Last updated: Thu May 23 17:18:33 2002