Hi Zhang,
I am confused about the statement in your draft "Unlike SA bundle, one IP packet is still protected by one single SA instead of nested SAs". Does single SA mean cluster SA? Or sub-SA? If it is cluster SA, what exactly does it mean from the SAD point of view?

For example, let us consider the following header: the host is tunneling a packet to the gateway using ESP but is authenticating to the end host B. How do we address this using your proposed solution, SA clustering? If multiple packets go through two different sub-SAs, my understanding here is that two different sub-SAs means two separate SAs, which are the ESP SA and the AH SA. Does this mean a packet goes through either the ESP SA or the AH SA? Please correct me if I misunderstood.

<http://technet.microsoft.com/en-us/library/Bb726946.f4_14_big(l=en-us).gif>

Second point, about SA cluster feature support: do both parties need to exchange a vendor ID to express support and use of the SA cluster feature? It would be better to address this in the draft, including proposed vendor ID values, if a vendor ID is used in IKE negotiation.

Third point, about the name of the draft: I feel "multiple path" sounds like multiple routes; it does not imply multiple SAs.

Regards,
Dharmanandana Reddy Pothula.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec