
Re: multiple payloads via "ID_LIST"



Michael C. Richardson wrote:

<trimmed...>

>   Do we really need port ranges? I.e. is there a situation where you want
> a range, but not all ports? The only situation I can think of is something
> like:
>         A<------>B   all ports, ESP with DES
>         A<------>B   port 23, ESP with 3DES
> 
>   And that can be negotiated just fine, since the specific port address
> should take priority in the SPD over the port wildcard.
> 
It could be argued that you might have different policies (under some
circumstances) for 'privileged' ports (for example).

<trimmed...>
>     Scott> As an aside, we're ignoring the overloaded-id-payload arguments
>     Scott> here...
> 
>   Please elucidate, I don't follow.
> 

In an earlier email, Dan said 

> Addressing Scott's point: the ID payload is woefully overloaded. We're
> trying to express SPD policy in it and that was not its original purpose. 
> If I remember correctly Steve Kent removed some selector types from the
> Architecture Draft because IKE was unable to express them. It would not
> only be nice to have lists of address ranges, it would be nice to express
> the "everything but" construct: "this SA is to be used for all TCP except
> port 80". But I'm not sure the poor ID payload is the place to do it.

I think the general 'overload' argument may hinge on the fact that
what's being represented in phase 1 by the ID payload is different than
what's being represented in phase 2. While I think semantic arguments
could be made on either side, I will point out that using the ID payload
in phase 1 would appear to contradict the notion that DOI-specific
issues only relate to phase 2. In the ISAKMP-10 doc, the following text
appears on page 31:
------------
3.8 Identification Payload

The Identification Payload contains DOI-specific data used to exchange
identification information.  This information is used for determining the
identities of communicating peers and may be used for determining
authenticity of information.  Figure 9 shows the format of the Identification
Payload.
------------

This would tend to indicate a conflict with current usage, i.e. that the
ID payload should not be used at all in phase 1.

Scott
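As an added illustration of the SPD lookup behaviour discussed in this message (not code from the thread or from any IKE implementation), the following Python models the two A<->B policies and shows that the "all TCP except port 80" construct can be expressed as two ordered SPD entries even though it cannot be expressed in one ID payload. Hosts A, B, C and the action labels are constructed sample values.

```python
from dataclasses import astuple, dataclass
from typing import Optional

ANY = None  # wildcard for any selector field


@dataclass(frozen=True)
class Selector:
    """Traffic selector: each field is a concrete value or ANY."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[int]   # IP protocol number (6 = TCP)
    dport: Optional[int]   # destination port


@dataclass(frozen=True)
class Policy:
    sel: Selector
    action: str            # constructed label for the SA (or bypass) to apply


def matches(sel: Selector, pkt: Selector) -> bool:
    """A rule field matches when it is ANY or equal to the packet's value."""
    return all(r is ANY or r == p for r, p in zip(astuple(sel), astuple(pkt)))


def specificity(sel: Selector) -> int:
    """Number of concrete (non-wildcard) fields; the most specific entry wins."""
    return sum(f is not ANY for f in astuple(sel))


def lookup(spd: list[Policy], pkt: Selector) -> Optional[str]:
    """Port-specific entries take priority over the port wildcard; ties keep SPD order."""
    for p in sorted(spd, key=lambda p: -specificity(p.sel)):  # stable sort
        if matches(p.sel, pkt):
            return p.action
    return None


A, B, TCP = "A", "B", 6
SPD = [
    Policy(Selector(A, B, ANY, ANY), "ESP-DES"),      # A<->B all ports
    Policy(Selector(A, B, ANY, 23), "ESP-3DES"),      # A<->B port 23 only
    Policy(Selector(A, "C", TCP, 80), "BYPASS"),      # the "except port 80" entry
    Policy(Selector(A, "C", TCP, ANY), "ESP-3DES"),   # all other TCP to C
]


def classify(dst: str, proto: int, dport: int) -> Optional[str]:
    """Resolve the policy for a packet from A to dst."""
    return lookup(SPD, Selector(A, dst, proto, dport))


if __name__ == "__main__":
    for dst, proto, port in [(B, TCP, 23), (B, TCP, 25), ("C", TCP, 80), ("C", TCP, 443)]:
        print(f"A->{dst} proto {proto} port {port}: {classify(dst, proto, port)}")
```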
