[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multiple payloads via "ID_LIST"

To: mcr@solidum.com
Subject: Re: multiple payloads via "ID_LIST"
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Tue, 22 Sep 1998 12:16:19 -0700
CC: ipsec@tis.com
Organization: RedCreek Communications
Sender: owner-ipsec@ex.tis.com

mcr writes: 
> >>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
> Scott> I'm still thinking about your proposal, and while I like the
> Scott> simplicity, there is one remaining issue: neither my nor your
> Scott> proposal addresses port/protocol lists. This is a difficult > 
> I keep thinking we already have that. But, we don't have 
> port/protocol
> in IKE yet, correct?
> 
We have them, but we only permit one port/protocol pair in the ID
payload, e.g. the ID_IPV4_ADDR payload:
                       1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload  !   RESERVED    !         Payload Length        !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!   ID Type     !  Protocol     |             Port              !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!                 IP  Address                                   !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

> Perhaps we need to have two types of ID_LIST: AND and OR.
> Add to that ID_IPV4_PROTOCOL, ID_IPV6_PROTOCOL, ID_TRANSPORT_PORT.
> 
> Thus, to negotiate a secure Telnet session, one says gives one end as
> being:
> src: ID_AND_LIST:
>      [ID_IPV4_ADDR: client, ID_IPV4_PROTOCOL: TCP,
>      ID_TRANSPORT_PORT: 65418]
> 
>   dst: ID_AND_LIST:
>         [ID_IPV4_ADDR: server, ID_IPV4_PROTOCOL: TCP, 
>         ID_TRANSPORT_PORT: 23]
> 
> Scott> is almost certain to provoke strong resistance), or adding new
> Scott> ones. Have you considered this problem?
> 
> I think we have to add new ones.
> 
> { One alternative is a declarative packet description language (an 
> internet draft describing ours will be published very soon):
>         "ip4TcpConn(client, server, 65418, 23)"
> }

The ID_AND_LIST + ID_TRANSPORT_PORT payloads may resolve this issue, but
we should think a bit more about this. It could get a bit ugly if
someone starts mixing these up with existing ID payloads that contain
ports/protocols, and I'm not sure (without giving it a lot more thought)
that we won't break something.

As an aside, we're ignoring the overloaded-id-payload arguments here...

Follow-Ups:

Re: multiple payloads via "ID_LIST"

From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

Prev by Date: Re: multiple payloads via "ID_LIST"
Next by Date: Re: multiple payloads via "ID_LIST"
Prev by thread: RE: multiple payloads via "ID_LIST"
Next by thread: Re: multiple payloads via "ID_LIST"
Index(es):
- Main
- Thread