Re: [anonsec] A note about connection latchin.
2007-09-10 15:29:15 |
Re: A note about connection latchin.
At 3:22 PM -0500 9/10/07, Nicolas Williams wrote:
>On Mon, Sep 10, 2007 at 01:44:32PM -0400, Stephen Kent wrote:
>> At 5:07 PM -0500 9/7/07, Nicolas Williams wrote:
>> >a) ULPs interface with IPsec via "template" PAD and SPD entries that get
>> > "cloned" upon triggering events.
>> >
>> > For example, a TCP connect() would create a template PAD entry with
>> > the connection's 5-tuple as child SA constraints, prior to sending
>> > the TCP SYN packet. A TCP listen() would create a template PAD entry
>> > with the listener's 3-tuple as child SA constraints, prior to
>> > accepting any TCP SYN packets.
>>
>> For SPD entries, the applicable term is "populate from packet" and we
>> have a flag for that. PAD entries don't have 5-tuples, so did you
>> mean SPD above? If so, do you want to specify the template PAD entry
>> separately above?
>
>Although PFP seems appropriate, it's not quite sufficient. Since my
>post on Friday I've realized just how best to describe connection
>latching as an extension of the IPsec child SA authorization process.
>
>As for what I meant by referencing 5-tuples and PAD entries, keep in
>mind that I wrote "template PAD entries" -- which in my I-D as it stood
>on Friday (not submitted) referred to something somewhat different from
>PAD entries. I'm abandoning that terminology; it's not just confusing:
>there's a better way to describe the state that is being created.
>
>Nico
>--
never mind ....
Steve