[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: phase 2 and ports
Stephen Kent wrote:
>
> Jan is right. We used to have port ranges and similar features for
> SPD configuration in the I-D precursor to RFC 2401, but they were
> deleted because IKE didn't support them and nobody wanted to change
> the IKE spec.
>
> Note, that we have a WG on IP security policy and it is exploring
> ways to offer real negotiation for IPsec peers, prior to IKE
> exchanges. That way one need not add complexity to IKE but one can
> offer more sophisticated negotiation capabilities.
>
> Steve
I agree that actual policy exchange might be better handled within ipsp,
but I would really like to see ike support something more comprehensive
than the current mechanism. If we wished to minimize complexity, this
could consist in simply permitting multiple ID payloads, and/or adding
some new ID payloads to facilitate ranges. I think this is a serious
shortcoming in terms of real-world requirements.
On a related note, I think we may be getting bogged down with this
notion that we can't change ike in any way. While I think it would be
ill-advised to change ike in a fundamental way (i.e. changing one of the
existing exchanges in a way that creates interoperability and
compatibility issues), I think we should be open to extending ike when a
solid case for it exists.
Scott
Follow-Ups:
References: