"Connection latching" is a simple concept: connections, for connection-oriented protocols, such as TCP or SCTP, that are run over IPsec should be 'bound' to the same quality of protection parameters and initiator and responder IDs for their duration. IOW, the SPD should be modified dynamically as a TCP (or SCTP) connection is attempted/connected/torn down so that during its lifetime the connection's IP packets are protected only with comparable SAs.

The more I think about it, the more I think that "connection latching"

a) seems very much related to the "populate from packet" feature of 2401bis,

b) should be an integral part of the IPsec architecture,

c) is absolutely necessary in situations where applications drive policy (e.g., through IPsec APIs), particularly where GSS-API and other channel binding to IPsec is to be used.

BTW, and for full disclosure, there exist implementations of this concept, in Solaris 9 and 10, for example.

Nico
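The lifecycle described in the post (latch when the connection is attempted/connected, enforce while it is in flight, release when it is torn down) as a small Python model. This is an added illustration, not code from the post and not the Solaris implementation it mentions; the SA fields, the flow key, and the algorithm-strength ranking used to decide what counts as a "comparable" SA are assumptions of the model, and the addresses, identities and SPIs in the demo are constructed. The one design point worth noticing is that the latch compares protection parameters and identities, not SPIs, so a rekeyed SA with the same parameters keeps carrying the connection while a downgraded SA, a different peer identity, or a cleartext packet for a latched flow is refused even though a static SPD lookup might accept it.

```python
"""Toy model of IPsec connection latching (added illustration; field
names, flow key and strength ranking are assumptions of this model)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Connection key: (local_ip, local_port, remote_ip, remote_port).
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class SAParams:
    """What a latch records about an SA (assumed fields). The SPI is
    carried for realism but deliberately NOT compared: a rekeyed SA with
    the same parameters must keep carrying the connection."""
    spi: int
    protocol: str      # "ESP" or "AH"
    encr: str          # encryption algorithm, "NULL" for AH / ESP-NULL
    integ: str         # integrity algorithm
    local_id: str      # IKE identity of this end
    remote_id: str     # IKE identity of the peer


# Assumed strength ordering behind "comparable": identities and protocol
# must match exactly, and the algorithms may not be weaker than latched.
_ENCR_RANK = {"NULL": 0, "3DES-CBC": 1, "AES-CBC-128": 2, "AES-CBC-256": 3}
_INTEG_RANK = {"NULL": 0, "HMAC-MD5-96": 1, "HMAC-SHA1-96": 2,
               "HMAC-SHA2-256-128": 3}


def comparable(latched: SAParams, sa: SAParams) -> Optional[str]:
    """None if `sa` may carry a connection latched to `latched`,
    otherwise a short reason why it may not."""
    if (sa.local_id, sa.remote_id) != (latched.local_id, latched.remote_id):
        return "peer identity differs from latched identity"
    if sa.protocol != latched.protocol:
        return "IPsec protocol differs from latched protocol"
    if _ENCR_RANK[sa.encr] < _ENCR_RANK[latched.encr]:
        return "weaker encryption than latched"
    if _INTEG_RANK[sa.integ] < _INTEG_RANK[latched.integ]:
        return "weaker integrity than latched"
    return None


class ConnectionLatcher:
    """Per-connection state that overrides the static SPD while a
    connection is alive: latch (attempted/connected), check (in flight),
    unlatch (torn down)."""

    def __init__(self) -> None:
        self._latches: Dict[Flow, SAParams] = {}

    def latch(self, flow: Flow, sa: SAParams) -> None:
        """Bind the flow to the SA that carried its SYN / first packet."""
        if flow in self._latches:
            raise ValueError(f"flow already latched: {flow}")
        self._latches[flow] = sa

    def check(self, flow: Flow, sa: Optional[SAParams]) -> Tuple[bool, str]:
        """Decide one packet of `flow`; `sa` is None for a cleartext packet.
        Flows without a latch are outside this mechanism, so the static
        SPD decides them (modelled here as accept)."""
        latched = self._latches.get(flow)
        if latched is None:
            return True, "no latch: static SPD decides"
        if sa is None:
            return False, "cleartext packet on a latched connection"
        reason = comparable(latched, sa)
        return (False, reason) if reason is not None else (True, "ok")

    def unlatch(self, flow: Flow) -> None:
        """Connection torn down (FIN/RST): drop the latch."""
        self._latches.pop(flow, None)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk one constructed connection through a rekey, an upgrade, a
    downgrade, a peer swap, a cleartext packet and teardown."""
    flow: Flow = ("192.0.2.10", 40000, "192.0.2.20", 22)     # constructed
    base = SAParams(0x1001, "ESP", "AES-CBC-128", "HMAC-SHA1-96",
                    "alice@example.test", "bob@example.test")  # constructed
    cl = ConnectionLatcher()
    cl.latch(flow, base)
    verdicts = {
        "same_sa": cl.check(flow, base),
        # rekey: new SPI, identical parameters -> still comparable
        "rekeyed_same_params": cl.check(flow, replace(base, spi=0x1002)),
        "rekeyed_stronger": cl.check(flow, replace(
            base, spi=0x1003, encr="AES-CBC-256", integ="HMAC-SHA2-256-128")),
        "downgraded": cl.check(flow, replace(base, spi=0x1004, encr="3DES-CBC")),
        "different_peer": cl.check(flow, replace(
            base, spi=0x1005, remote_id="mallory@example.test")),
        "cleartext": cl.check(flow, None),
    }
    cl.unlatch(flow)
    verdicts["after_teardown"] = cl.check(flow, base)
    return verdicts


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

A real stack would attach the latch to the socket or the transport control block and consult it from the IPsec input and output paths; the point of the model is only the comparison rule and the three lifecycle hooks.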