
SA selectors



Hello!

I have a question concerning the SA selectors:

RFC 2401 requires support for the following SA selectors:
- single source/dest address
- source/dest address range
- source/dest subnet with netmask
- wildcard for source/dest address

Does anyone support an SA having multiple of these selector values at
the same time?

This is mainly a configuration issue:
consider a huge corporate network and a policy affording the traffic of
some selected machines to be protected with IPsec when traversing the
Internet to some remote site, protected by a security gateway.
This would result in as many entries in the SAD as there are machines
which must be protected. It would be much easier to configure
(especially with manual keying) and much easier to monitor if this
setup resulted in only one SA (which defines the same security
parameters for all machines).

All comments appreciated!

Thanks, 

Michael.
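The four selector forms listed in the post, and the idea of one SAD entry carrying several selector values per direction, as an added example in Python that is not part of Michael's post or of any IPsec implementation. The textual selector syntax (`*`, `a-b`, `net/prefix`, single address), the `SAEntry` layout and the sample addresses are assumptions constructed for illustration; the matching rule (any one source value and any one destination value must match) is the point being shown.

```python
"""RFC 2401 address-selector matching with multi-valued SAD entries.

Added illustration, not code from the post or from an IPsec stack.
Each selector value is one of the four forms the post lists: a single
address, an address range, a subnet with mask, or a wildcard.  An SA entry
holds a list of values per direction, so one entry can cover all the
selected machines instead of one entry per machine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Selector:
    """One address selector value; subclasses implement matches()."""

    def matches(self, ip: IPAddr) -> bool:
        raise NotImplementedError


@dataclass(frozen=True)
class Single(Selector):
    addr: IPAddr

    def matches(self, ip: IPAddr) -> bool:
        # IPv4Address == IPv6Address is simply False, no version check needed
        return ip == self.addr


@dataclass(frozen=True)
class Range(Selector):
    lo: IPAddr
    hi: IPAddr

    def matches(self, ip: IPAddr) -> bool:
        # Ordering IPv4 against IPv6 raises TypeError; a version mismatch is no match.
        return ip.version == self.lo.version and self.lo <= ip <= self.hi


@dataclass(frozen=True)
class Subnet(Selector):
    net: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

    def matches(self, ip: IPAddr) -> bool:
        return ip.version == self.net.version and ip in self.net


@dataclass(frozen=True)
class Wildcard(Selector):
    def matches(self, ip: IPAddr) -> bool:
        return True


def parse_selector(text: str) -> Selector:
    """Parse '*', 'lo-hi', 'net/prefix' or a single address (assumed syntax)."""
    text = text.strip()
    if text == "*":
        return Wildcard()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return Range(lo, hi)
    if "/" in text:
        # strict=True rejects host bits set in the prefix, e.g. 10.0.1.5/24,
        # which is almost always a typo in a policy file
        return Subnet(ipaddress.ip_network(text, strict=True))
    return Single(ipaddress.ip_address(text))


@dataclass
class SAEntry:
    spi: int
    src: List[Selector]  # any one matching value suffices
    dst: List[Selector]

    def covers(self, src_ip: IPAddr, dst_ip: IPAddr) -> bool:
        return any(s.matches(src_ip) for s in self.src) and any(
            d.matches(dst_ip) for d in self.dst
        )


def lookup(sad: List[SAEntry], src: str, dst: str) -> Optional[int]:
    """Return the SPI of the first SA whose selectors cover the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sad:
        if entry.covers(s, d):
            return entry.spi
    return None


# Constructed sample SAD (documentation address ranges): one SA protects a few
# selected hosts plus one subnet towards a remote site behind a gateway.
SAMPLE_SAD = [
    SAEntry(
        spi=0x1000,
        src=[parse_selector(v) for v in ("10.0.0.5", "10.0.0.17-10.0.0.20", "10.0.2.0/24")],
        dst=[parse_selector("192.0.2.0/24")],
    ),
    SAEntry(spi=0x2000, src=[parse_selector("*")], dst=[parse_selector("198.51.100.7")]),
]

if __name__ == "__main__":
    for src, dst in (("10.0.0.18", "192.0.2.9"), ("10.0.0.6", "192.0.2.9"), ("10.0.9.1", "198.51.100.7")):
        print(src, "->", dst, "SPI", lookup(SAMPLE_SAD, src, dst))
```

With a list of values per direction, the "one SA for all selected machines" setup the post asks about is a single entry; hosts outside the listed values (10.0.0.6 in the sample) get no SA and fall through to whatever the SPD says for unprotected traffic, which is the case worth monitoring when a policy is edited by hand.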

