
Re: issues with IKE that need resolution



Let me preface this by saying that I agree that the whole thing needs
more thought, and that my original proposal is probably not the best
approach.

Daniel Harkins wrote:
<trimmed...>
> 
>   Addressing Scott's point: the ID payload is woefully overloaded. We're
> trying to express SPD policy in it and that was not its original purpose.
> If I remember correctly Steve Kent removed some selector types from the
> Architecture Draft because IKE was unable to express them. It would not
> only be nice to have lists of address ranges, it would be nice to express
> the "everything but" construct: "this SA is to be used for all TCP except
> port 80". But I'm not sure the poor ID payload is the place to do it.
> 

That the ID payload is overloaded when used as a policy selector has
been stated in previous discussions, but I can't quite get on top of the
argument. I respect the people who have presented the argument, so I
assume I'm missing something. Please indulge me by elaborating on this.

Regarding the everything-but construct, this is covered by lists of
ranges, although a more succinct expression would be nice.

Scott
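The claim above, that an "everything but" selector such as "all TCP except port 80" can be expressed as a list of ranges, is easy to check mechanically. The following is an added example, not code from this thread or from any IKE implementation: it computes the complement of a set of excluded inclusive ranges within a selector domain (ports by default, but the same function works on addresses converted to integers), and shows the resulting list grows by one range per excluded point, which is the verbosity Scott's reply alludes to. The names `complement`, `normalize`, `matches` and the sample selectors are assumptions made for illustration.

```python
# Added example, not from the original thread: express "everything but"
# selectors as a list of inclusive (low, high) ranges over a domain.
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive low/high bound

PORT_DOMAIN: Range = (0, 65535)


def normalize(ranges: List[Range]) -> List[Range]:
    """Sort ranges and merge any that overlap or are adjacent."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if lo > hi:
            raise ValueError(f"invalid range {lo}-{hi}")
        if merged and lo <= merged[-1][1] + 1:
            # overlaps or touches the previous range: extend it
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def complement(excluded: List[Range], domain: Range = PORT_DOMAIN) -> List[Range]:
    """Return the ranges of `domain` NOT covered by `excluded`.

    This is the "everything but" construct rewritten as a positive list
    of ranges, which is all a range-list selector can carry.
    """
    dom_lo, dom_hi = domain
    result: List[Range] = []
    cursor = dom_lo  # first value not yet accounted for
    for lo, hi in normalize(excluded):
        if hi < dom_lo or lo > dom_hi:
            continue  # excluded range lies entirely outside the domain
        lo, hi = max(lo, dom_lo), min(hi, dom_hi)
        if lo > cursor:
            result.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= dom_hi:
        result.append((cursor, dom_hi))
    return result


def matches(value: int, ranges: List[Range]) -> bool:
    """True if `value` falls inside any of the selector's ranges."""
    return any(lo <= value <= hi for lo, hi in ranges)


# Constructed selector: "all TCP except port 80" as a positive range list.
ALL_TCP_EXCEPT_80 = complement([(80, 80)])


if __name__ == "__main__":
    print("all TCP except 80  ->", ALL_TCP_EXCEPT_80)
    print("except 80 and 443  ->", complement([(80, 80), (443, 443)]))
    print("port 80 selected?  ->", matches(80, ALL_TCP_EXCEPT_80))
```

Each excluded point or contiguous block adds one more range to the positive list, so a policy with many holes becomes long and hard to audit by eye, whereas a native "except" operator would keep it to one clause; that is the gap between "covered by lists of ranges" and "a more succinct expression would be nice".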

