Re: an SPD syntax example

[Stephen Kent <kent@xxxxxxx>]

> It is better to make this as close to IKEv2 Traffic Selector as
> possible. Based on that, each IP address range should be combined with
> Protocol/Port Range. This ASN1 description seems to be creating a set with
> multiple IP address ranges to a single Protocol and Port (Range).


Good point. I'll change the syntax, and the 2401bis text to align 
with the IKEv2 proposal format more closely.  The effect is the same, 
ultimately, in terms of associating a set of values with the same SA.

> AddrList ::= AddrOrRangeOrSubnet
>
> >  AddrOrList ::= CHOICE {
> > 			iPAddr	IPaddr	-- individual IP address
> > 			range	IPRange} -- IP address range
>
> Above should become
> AddrOrRangeOrSubnet ::= CHOICE {
>                          ipAddr IPaddr
>                          range IPRange
>                          subnet subNet
>                       }

I don't see a need to refer to subnets separately. ranges suffice.

>  >
> >  IPaddr	::= CHOICE {
> > 			v4Addr		INTEGER, -- 32 bits
> > 			v6Addr [0]	INTEGER } -- 128 bits
> >
> >  IPRange	::=	CHOICE {
> > 			v4range		SEQUENCE {
> > 						start	INTEGER, -- 32 bits
> > 						end	INTEGER } -- 32 bits
> > 			v6range [0]	SEQUENCE {
> > 						start	INTEGER, -- 128 bits
> > 						end	INTEGER } } -- 128 bits
>
> Internally, subnet and IPAddr should be converted to range, if IKEv2 is
> used for key management.

Yes, we ultimately convert to range for the selector payload.

Steve