
RE: multiple payloads via "ID_LIST"


The idea was to have the ability to set up one SA for multiple sources and destinations instead of having to set up multiple SAs for these combinations, which would all have the same SA parameters.  If you consider a group of non-adjacent nodes part of the same entity, then why can't we identify these nodes in an ID payload?

For example:

If in my policy I had placed (a) 10.0.0.1, (b) 10.0.1.*, (c) 10.0.2.* all in the same object (O1) and I had (d) 11.0.0.*, (e) 11.0.1.* in another object (O2), and I want to set up a tunnel between those two objects.

Right now I would have to set up 6 SAs (a->d, a->e, b->d, b->e, c->d, c->e), even though only one policy rule exists between these two objects (O1->O2).

A better approach would be to have a MetaID type that can accommodate multiple ID types.  Then I could set up one SA per (logical) policy rule instead of per physical network layout.

When you add ports to this picture, it seems even more important to create a MetaID type.

> -----Original Message-----
> From: Michael C. Richardson [mailto:mcr@sandelman.ottawa.on.ca]
> Sent: Friday, September 18, 1998 6:01 PM
> To: ipsec@tis.com
> Subject: multiple payloads via "ID_LIST"
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "Rodney" == Rodney Thayer <rodney@tillerman.nu> writes:
>
>     Rodney> I like this.  What would you want the cert to have in it?
>     Rodney> (Again, all I'm asking is how you want people to decide which
>     Rodney> cert to use given this payload...)
>
>   Rodney, you ask such difficult questions.
>
>   In my mind, this is useful only during phase II.
>   That should eliminate the need for this question since the ID field
> to be compared to the certificate would be the one used in phase I.
>
>   If you want to use this in phase I, then I think you need Kent's
> work on delegating ownership of IP address ranges. The things in the list
> must all be covered by one or more certificates.
>
>   [i.e. if I ask for a list of ports that I wish to protect, then I can do it
> with a certificate that only has my IP address in it. Asking for a list of
> ports would be quite reasonable for FTP-like applications, although perhaps
> not FTP itself]
>
>
>    :!mcr!:            |  Network and security consulting/contract programming
>    Michael Richardson |         Firewalls, TCP/IP and Unix administration
>  Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
>  Corporate: http://www.sandelman.ottawa.on.ca/SSW/
>         ON HUMILITY: To err is human, to moo bovine.

> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
> Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
>
> iQB1AwUBNgLYE9iXVu0RiA21AQERCgL/Y0djVSU4N2JdRa/X2i70AbfYIQH3wbGc
> vm1Ms5122aoIgctLFd1cfb0e4MDykvuFxZqq4q/Yqc3wv7W35m+BGl9SJ9O/RlpX
> bwB0WyjP/FpKVa5QJutSpHAHAa9XsVKB
> =z5zD
> -----END PGP SIGNATURE-----
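The selector cross-product the reply above describes, as an added example (not code from the original thread or from any IKE implementation). It models the two policy objects O1 and O2, shows that the per-ID-pair approach yields one SA per (O1 entry, O2 entry) combination, that adding ports multiplies that count, and how a hypothetical aggregate identity (called MetaID here, with the class names Selector, MetaID, pairwise_sas and sa_for_packet all being this example's own inventions, not a real IKE payload format) would let a single SA cover the whole rule.

```python
"""Added example: per-pair SAs versus one aggregate (MetaID) selector.

Names below (Selector, MetaID, pairwise_sas, sa_for_packet) are invented
for this illustration; the encoding of a real ID_LIST/MetaID payload was
never specified in the thread and is not modelled here.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """One phase 2 style identity: an IPv4 host or subnet plus optional port."""
    net: IPv4Network
    port: Optional[int] = None  # None means any port

    @classmethod
    def parse(cls, text: str) -> "Selector":
        # Accepts "10.0.0.1", "10.0.1.*" (post's shorthand), "10.0.1.0/24",
        # each optionally followed by ":port".
        addr, _, port = text.partition(":")
        if addr.endswith(".*"):
            addr = addr[:-2] + ".0/24"
        return cls(ip_network(addr, strict=False), int(port) if port else None)

    def matches(self, address: str, port: Optional[int]) -> bool:
        if ip_address(address) not in self.net:
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class MetaID:
    """Hypothetical aggregate identity: several selectors treated as one party."""
    members: tuple[Selector, ...]

    @classmethod
    def of(cls, *texts: str) -> "MetaID":
        return cls(tuple(Selector.parse(t) for t in texts))

    def matches(self, address: str, port: Optional[int]) -> bool:
        return any(m.matches(address, port) for m in self.members)


def pairwise_sas(o1: MetaID, o2: MetaID) -> list[tuple[Selector, Selector]]:
    """Without an aggregate ID: one SA per (source entry, destination entry)."""
    return list(product(o1.members, o2.members))


def sa_for_packet(sas, src, sport, dst, dport) -> Optional[int]:
    """Index of the pairwise SA that would carry this flow, or None if no SA matches."""
    for i, (s, d) in enumerate(sas):
        if s.matches(src, sport) and d.matches(dst, dport):
            return i
    return None


def demo():
    """The post's example: O1 = {a, b, c}, O2 = {d, e}."""
    o1 = MetaID.of("10.0.0.1", "10.0.1.*", "10.0.2.*")
    o2 = MetaID.of("11.0.0.*", "11.0.1.*")
    sas = pairwise_sas(o1, o2)          # a->d, a->e, b->d, b->e, c->d, c->e
    # With one aggregate SA the same flow is a single membership test per side.
    aggregate_ok = o1.matches("10.0.1.7", None) and o2.matches("11.0.1.9", None)
    pair_index = sa_for_packet(sas, "10.0.1.7", None, "11.0.1.9", None)  # b->e
    stray = sa_for_packet(sas, "10.0.3.1", None, "11.0.1.9", None)       # no SA
    return len(sas), aggregate_ok, pair_index, stray


def demo_with_ports():
    """Adding two destination ports per O2 subnet multiplies the pairwise SA count."""
    o1 = MetaID.of("10.0.0.1", "10.0.1.*", "10.0.2.*")
    o2 = MetaID.of("11.0.0.*:80", "11.0.0.*:443", "11.0.1.*:80", "11.0.1.*:443")
    return len(pairwise_sas(o1, o2))


if __name__ == "__main__":
    print(demo())             # (6, True, 3, None)
    print(demo_with_ports())  # 12
```

The aggregate check collapses 6 (or, with ports, 12) SAs into one, but it does not remove the authorization question Richardson raises: whoever negotiates a MetaID SA must still be entitled to every member, which is why he limits the idea to phase 2 unless the phase 1 credential covers the whole list.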