
RE: IpHeadersFilter (Re: Address ranges)



Works for me.

Casey
-----Original Message-----
From: owner-ipsec-policy@xxxxxxxxxxxxx
[mailto:owner-ipsec-policy@xxxxxxxxxxxxx]On Behalf Of Lee Rafalow
Sent: Friday, February 01, 2002 8:47 AM
To: policy@xxxxxxxx; wg-network@xxxxxxxx; wg-policy@xxxxxxxx;
ipsec-policy@xxxxxxxx
Subject: IpHeadersFilter (Re: Address ranges)



Yes, this is an oversight.  We need to fix IpHeadersFilter to support
ranges.  Good catch, Casey!

The current class definition is:

NAME          IpHeadersFilter
DESCRIPTION   A class representing an entire IP
              header filter, or any subset of one.
DERIVED FROM  FilterEntryBase
TYPE          Concrete
PROPERTIES    HdrIpVersion, HdrSrcAddress, HdrSrcMask,
              HdrDestAddress, HdrDestMask, HdrProtocolID,
              HdrSrcPortStart, HdrSrcPortEnd,
              HdrDestPortStart, HdrDestPortEnd, HdrDSCP,
              HdrFlowLabel

I suggest the following changes.

Add HdrSrcAddressEndOfRange and HdrDestAddressEndOfRange.  When non-null,
the start of range value is in the corresponding HdrXxxxAddress property.
When null, the corresponding HdrXxxxAddress property is interpreted as today
as a single address filter that may have a mask.  And the
HdrXxxxAddressEndOfRange properties MUST be null when their corresponding
HdrXxxxMask property is non-null and vice-versa (i.e., no mask on ranges).

For consistency, I'd also have us rename the HdrXxxxPortStart properties to
drop the "Start" and rename the HdrXxxxPortEnd properties to "EndOfRange"
and change the semantics so that the EndOfRange properties are null when the
filter is not specifying a port range, instead of the current "both values
are the same" definition.

Comments?

----- Original Message -----
From: "Scott G. Kelly" <skelly@xxxxxxxxxxxxx>
To: "Eric Vyncke" <evyncke@xxxxxxxxx>
Cc: "Casey Carr" <kcarr@xxxxxxxxx>; "IPSec Policy WG"
<ipsec-policy@xxxxxxxx>
Sent: Thursday, January 31, 2002 5:56 PM
Subject: Re: Address ranges


>
> Eric Vyncke wrote:
> >
> > At 11:15 30/01/2002 -0500, Casey Carr wrote:
> >
> > >Could someone please give me some guidance on how the IPSec policy model
> > >addresses (no pun intended) filtering on a range of IPv4 addresses?
> > >
> > >The IPSec library we are using supports defining filters based on address
> > >ranges but it doesn't appear to me that the model supports this.  I've
> >
> > This is correct as ICPM tried to re-use as much as possible of PCIM/PCIMe
> > which does not understand IP address ranges
> >
> > -eric
>
> Since RFC2401 mandates support for address ranges, shouldn't the policy
> model support them?
>
> Scott
>
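
The address semantics proposed above for HdrXxxxAddress, HdrXxxxMask and HdrXxxxAddressEndOfRange, written out as an added example that is not part of the thread or of any draft. The AddressFilter class, its field names and the sample addresses are hypothetical; the rule that a range must not run backwards is an assumption the thread does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressFilter:
    """One side (Src or Dest) of the filter; hypothetical helper class."""
    address: str                        # HdrXxxxAddress
    mask: Optional[str] = None          # HdrXxxxMask
    end_of_range: Optional[str] = None  # HdrXxxxAddressEndOfRange (proposed)

    def validate(self) -> None:
        # Proposed rule: no mask on ranges, and vice versa.
        if self.mask is not None and self.end_of_range is not None:
            raise ValueError("mask and EndOfRange are mutually exclusive")
        start = ipaddress.ip_address(self.address)
        for other in (self.mask, self.end_of_range):
            if other is not None and ipaddress.ip_address(other).version != start.version:
                raise ValueError("IP version mismatch")
        # Assumption (not stated in the thread): a range must not run backwards.
        if self.end_of_range is not None and ipaddress.ip_address(self.end_of_range) < start:
            raise ValueError("EndOfRange is below the start address")

    def matches(self, candidate: str) -> bool:
        self.validate()
        ip = ipaddress.ip_address(candidate)
        start = ipaddress.ip_address(self.address)
        if ip.version != start.version:
            return False
        if self.end_of_range is not None:   # range: address is the start of range
            return start <= ip <= ipaddress.ip_address(self.end_of_range)
        if self.mask is not None:           # single address with a mask, as today
            m = int(ipaddress.ip_address(self.mask))
            return (int(ip) & m) == (int(start) & m)
        return ip == start                  # single address, no mask


# Constructed sample filters, one per form.
SINGLE = AddressFilter("192.0.2.7")
MASKED = AddressFilter("192.0.2.0", mask="255.255.255.0")
RANGED = AddressFilter("192.0.2.10", end_of_range="192.0.2.20")

if __name__ == "__main__":
    for f in (SINGLE, MASKED, RANGED):
        print(f, f.matches("192.0.2.15"))
```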