IKEv2 selectors for IPsec?


What do folks think of making the IPsec (AH/ESP) protocol and SPI an
IKEv2 selector?

Its use gets into the area of dynamically created policy, e.g., when
an end-to-end SA has to traverse intermediate security gateways. The
question might be more appropriate for the IP Security Policy WG (is
there any progress there or have folks lost interest?).  A catch-22
might be that AH is not currently treated as an "upper layer protocol",
so the processing model might need to be extended a bit.

That in turn leads to the question of whether folks see any advantage
to having IPv6 extension headers -- fragmentation header, routing header,
jumbogram, destination options (and maybe Option Type), be selectors.
One might argue that they are useful for filtering (access control) but
not useful as items that would select a policy action -- i.e., IPsec
should use them but there is no need for IKEv2 negotiation.