
next pass at SPD syntax



Folks,

I made changes based on suggestions from Tero, and added descriptions for drop/bypass entries vs. protect (IPsec) entries. I put in the PFP flags, which apply to ALL corresponding traffic selectors (directionally) in an entry, or to none, for simplicity. I also put in Names, for matching against the IKE ID payload, plus the parameters needed to define the protection afforded IPsec SAs (mode, sequence number size, protocol, and algorithms).

Steve
-------


SPD ::= SEQUENCE OF SPDEntry	-- ordered list of SPD entries


SPDEntry ::=	CHOICE {
			iPsecEntry	IPsecEntry,		-- protect traffic
			bypassOrDrop	BypassOrDropEntry }	-- drop/bypass

IPsecEntry ::=  SEQUENCE {		-- each entry consists of
	name		SET OF GeneralName OPTIONAL,
				--  for matching against IKE ID payload
	source		TrafficSelectorList,	-- source and
	destination	TrafficSelectorList,	-- destination selector lists
	processing	SEQUENCE {
				mode		BOOLEAN,
					 -- TRUE = transport, FALSE = tunnel
				extSeqNum	BOOLEAN,
					 -- TRUE = 64 bit, FALSE = 32 bit
				protection	CHOICE {
					aH	IntegrityAlgs,		-- AH: integrity only
					eSP	SEQUENCE {
						integrity	IntegrityAlgs,
						confidentiality	ConfidentialityAlgs } } } }

BypassOrDropEntry ::= SEQUENCE {
	action		BOOLEAN,		-- TRUE = bypass, FALSE = drop
	outbound  [0]	SelectorList OPTIONAL,	-- both may be present
	inbound   [1]	SelectorList OPTIONAL }	-- or just one of them


TrafficSelectorList ::= SET OF SEQUENCE {
	pFP		BIT STRING {
			-- applies to ALL of the corresponding traffic selectors
			addrFlag	(0),
			protocolFlag	(1),
			portFlag	(2) },
	trafficSelector	TrafficSelector }



TrafficSelector ::= SEQUENCE {	-- either source or destination selector
	addr		IPRange,
	protocol	INTEGER,	-- 8 bits
	next CHOICE {
		ports	SEQUENCE {
			portStart	INTEGER,	-- 16 bits
			portEnd		INTEGER },	-- 16 bits
		mobilityHeader	INTEGER,	-- 16 bits
		iCMP [0] SEQUENCE {
			typeStart	INTEGER,	-- 8 bits
			codeStart	INTEGER,	-- 8 bits
			typeEnd		INTEGER,	-- 8 bits
			codeEnd		INTEGER } } }	-- 8 bits

SelectorList ::= SEQUENCE {
		source		Addr,
		destination	Addr,
		protocol	INTEGER,	-- 8 bits
		next CHOICE {
			ports	SEQUENCE {
				portStart	INTEGER,	-- 16 bits
				portEnd		INTEGER },	-- 16 bits
			mobilityHeader	INTEGER,	-- 16 bits
			iCMP [0] SEQUENCE {
				typeStart	INTEGER,	-- 8 bits
				codeStart	INTEGER,	-- 8 bits
				typeEnd		INTEGER,	-- 8 bits
				codeEnd		INTEGER } } }	-- 8 bits


IPRange ::= CHOICE {
	v4range		SEQUENCE {
			start	INTEGER,	-- 32 bits
			end	INTEGER },	-- 32 bits
	v6range	[0]	SEQUENCE {
			start	INTEGER,	-- 128 bits
			end	INTEGER } }	-- 128 bits

IntegrityAlgs ::= SEQUENCE OF AlgorithmIdentifier	-- list ordered by preference
ConfidentialityAlgs ::= SEQUENCE OF AlgorithmIdentifier	-- list ordered by preference


AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  }
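
As an added illustration (not part of Steve's message or of any WG document), the following Python sketch models how an ordered SPD built from entries of the shape above would be consulted for a packet: bypass/drop entries are checked per direction, a protect entry supplies the SA parameters, and the PFP flags decide which selector fields are copied from the packet rather than taken from the SPD range when the SA is created. The addresses and ports, the `lookup` function, the first-match/drop-by-default rules and the use of protocol 0 for "any" are assumptions of the example; the mobilityHeader and ICMP alternatives and the Names field are omitted.

```python
"""Toy model of the SPD sketched above: ordered entries, first match wins, and
protect entries whose PFP flags decide how the selectors of a new SA are
narrowed from the triggering packet.  Constructed example, not the author's
code; sample addresses/ports and protocol 0 meaning "any" are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple, Union

ANY_PROTOCOL = 0  # assumption: 0 stands for "any protocol" in this toy


@dataclass(frozen=True)
class TrafficSelector:
    """addr IPRange, protocol and a port range, plus the PFP flags
    (mobilityHeader and ICMP type/code alternatives are left out)."""
    addr_start: str
    addr_end: str
    protocol: int = ANY_PROTOCOL
    port_start: int = 0
    port_end: int = 65535
    pfp_addr: bool = False      # addrFlag (0)
    pfp_protocol: bool = False  # protocolFlag (1)
    pfp_port: bool = False      # portFlag (2)

    def matches(self, addr: str, protocol: int, port: int) -> bool:
        a = int(ip_address(addr))
        in_range = int(ip_address(self.addr_start)) <= a <= int(ip_address(self.addr_end))
        proto_ok = self.protocol in (ANY_PROTOCOL, protocol)
        return in_range and proto_ok and self.port_start <= port <= self.port_end

    def narrowed_for_sa(self, addr: str, protocol: int, port: int) -> "TrafficSelector":
        """Selector to negotiate for the new SA: a set PFP flag copies the single
        value from the packet; a clear flag keeps the range from the SPD."""
        return TrafficSelector(
            addr_start=addr if self.pfp_addr else self.addr_start,
            addr_end=addr if self.pfp_addr else self.addr_end,
            protocol=protocol if self.pfp_protocol else self.protocol,
            port_start=port if self.pfp_port else self.port_start,
            port_end=port if self.pfp_port else self.port_end,
        )


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int


@dataclass(frozen=True)
class IPsecEntry:
    """Protect entry: selector lists plus the SA parameters from the message."""
    source: Tuple[TrafficSelector, ...]
    destination: Tuple[TrafficSelector, ...]
    transport_mode: bool  # TRUE = transport, FALSE = tunnel
    ext_seq_num: bool     # TRUE = 64-bit sequence numbers, FALSE = 32-bit
    protocol: str         # "AH" or "ESP"


@dataclass(frozen=True)
class BypassOrDropEntry:
    bypass: bool  # TRUE = bypass, FALSE = drop
    # each SelectorList is modelled as a (source, destination) selector pair
    outbound: Optional[Tuple[TrafficSelector, TrafficSelector]] = None
    inbound: Optional[Tuple[TrafficSelector, TrafficSelector]] = None


SPDEntry = Union[IPsecEntry, BypassOrDropEntry]


def _first_match(sels, addr, protocol, port) -> Optional[TrafficSelector]:
    return next((s for s in sels if s.matches(addr, protocol, port)), None)


def lookup(spd: List[SPDEntry], pkt: Packet, outbound: bool = True):
    """Return ("protect", entry, (src_sel, dst_sel) narrowed per PFP),
    ("bypass", entry, None) or ("drop", entry_or_None, None).
    Assumptions: the SPD is ordered and the first match wins; a packet matching
    no entry is dropped; protect entries are matched as written in both
    directions (no source/destination swap for inbound traffic)."""
    for entry in spd:
        if isinstance(entry, BypassOrDropEntry):
            pair = entry.outbound if outbound else entry.inbound
            if pair and pair[0].matches(pkt.src, pkt.protocol, pkt.sport) \
                    and pair[1].matches(pkt.dst, pkt.protocol, pkt.dport):
                return ("bypass" if entry.bypass else "drop", entry, None)
            continue
        src_sel = _first_match(entry.source, pkt.src, pkt.protocol, pkt.sport)
        dst_sel = _first_match(entry.destination, pkt.dst, pkt.protocol, pkt.dport)
        if src_sel and dst_sel:
            return ("protect", entry,
                    (src_sel.narrowed_for_sa(pkt.src, pkt.protocol, pkt.sport),
                     dst_sel.narrowed_for_sa(pkt.dst, pkt.protocol, pkt.dport)))
    return ("drop", None, None)


# Constructed sample SPD; addresses and ports are made up for illustration.
ANY_ADDR = TrafficSelector("0.0.0.0", "255.255.255.255")
IKE = TrafficSelector("0.0.0.0", "255.255.255.255", 17, 500, 500)  # UDP/500
SAMPLE_SPD: List[SPDEntry] = [
    # 1. bypass IKE itself both ways, otherwise the protect entry could never start an SA
    BypassOrDropEntry(bypass=True, outbound=(IKE, IKE), inbound=(IKE, IKE)),
    # 2. protect TCP from 10.1/16 to 10.2/16; PFP gives one SA per (source host, dest port)
    IPsecEntry(source=(TrafficSelector("10.1.0.0", "10.1.255.255", pfp_addr=True),),
               destination=(TrafficSelector("10.2.0.0", "10.2.255.255", 6, pfp_port=True),),
               transport_mode=False, ext_seq_num=True, protocol="ESP"),
    # 3. drop anything else going out
    BypassOrDropEntry(bypass=False, outbound=(ANY_ADDR, ANY_ADDR)),
]
```

Running `lookup(SAMPLE_SPD, Packet("10.1.0.7", "10.2.0.9", 6, 40000, 443))` returns a protect decision whose source selector has been collapsed to the single host 10.1.0.7 (addrFlag set) while its destination selector keeps the 10.2/16 range but is pinned to port 443 (portFlag set); the same packet to an address outside 10.2/16 falls through to the final drop entry, and an inbound packet that matches no entry is dropped because the drop entry carries no inbound selector list.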