[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPD Syntax Example

To: ravivsn@xxxxxxxxx
Subject: Re: SPD Syntax Example
From: Stephen Kent <kent@xxxxxxx>
Date: Mon, 26 Jan 2004 09:53:43 -0500
Cc: <ipsec@xxxxxxxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

At 6:51 +0530 1/24/04, ravivsn@xxxxxxxxx wrote:

Hi,
  After some thinking, I also feel that providing kind of flexibility
  is good. It is really going to solve the problem
  of creating security tunnel between two sites, having multiple
  subnets, when combined with services.

  To support, this kind of flexibility, current TS is not good
  enough. Based on example given, 3000 Traffic Selectors need to
  be sent ( Did I get my math correct? ) which results to 40K of
  data in IKE message.

  I could think of two approaches.
  - Provide flexibility in TS, where IP address ranges represented
    independently from Port ranges.
  - TS payload carrying symbolic name

  I see that rfc2401bis talks about symbolic name and same can
  be sent in TS to facilitate this.

I hope, IKEv2 can accommodate this.

Thanks
Ravi

Ravi,

Symbolc names are not sent in payloads. Their use of very restricted. We'll be explaining more about this in an upcoming 2401bis revision message.

I don't recall the example in detail, but it seems unlikely that, in practice. one would need to send such a big TS payload. We have ranges for addresses and one can express any subnet via a range, so the suggestion to add subnets as a separate type of selector specification adds no new functionality.

And, as others have mentioned, we're too far along in the process to make a change of the sort suggested.

Steve

References:
- Re: SPD Syntax Example
  - From: ravivsn

Prev by Date: Re: SPD Syntax Example
Next by Date: Re: SPD name entries & IKE
Previous by thread: Re: SPD Syntax Example
Next by thread: Re: SPD Syntax Example
Index(es):
- Date
- Thread