Re: Protocol specific and port specific SAs
>>>>> "antonio" == antonio barrera <antonio.barrera@nokia.com> writes:
antonio> But what if I only want my IPSEC to be applied to TCP & ICMP (only 2
antonio> selectors defined)?
As soon as the WG decides how to handle ICMP, we can resolve this question.
There are two possibilities:
1) ICMP error codes are considered to be a meta-protocol (which is
architecturally correct), and thus they "fit" into TCP-only
protocols because ICMP error codes contain an IP/TCP header that
(once Src<->Dst swapped) fits into that SA.
2) We modify IKE in some way to permit multiple sets of selectors to
be negotiated for a single SA. I.e. union, enumerations, etc. of
selectors in a proposal.
Of course, we could decide to do #1, and have a special proposal type that
indicates that one should do this, so that we can be backwards
compatible. You could even do this in your product using Vendor IDs and
private proposal numbers.
See
http://www.sandelman.ottawa.on.ca/SSW/ietf/ipsec/icmp/top.html
http://www.sandelman.ottawa.on.ca/SSW/ietf/ipsec-icmp-options-01.txt
http://www.sandelman.ottawa.on.ca/SSW/ietf/ipsec-icmp-handle-v4-01.txt
Also: http://www.sandelman.ottawa.on.ca/cgi-bin/webglimpse/n/ietf/ipsec?localcopy=n&query=icmp&errors=0&age=
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |For a better connected world,where data flows faster<tm>
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
mailto:mcr@sandelman.ottawa.on.ca mailto:mcr@solidum.com
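The swap-and-match step behind option #1 above, as an added example that is not part of this post or of the linked drafts: pull the embedded IP/TCP header out of an ICMP error, swap Src<->Dst (and ports), and test the result against a TCP-only SA selector. The packet bytes, addresses and the selector tuple layout are all constructed for illustration.

```python
# Added example, not from the original post or any IETF draft.
# Demonstrates option #1 from the reply: treat an ICMP error as a
# "meta-protocol" by extracting the embedded IP/TCP header from its
# payload, swapping src<->dst, and matching the result against a
# TCP-only SA selector. All packet bytes and selectors are constructed.
import ipaddress
import struct

def _ipv4(src, dst, proto, payload_len):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(buf):
    """Return (src, dst, proto, header_len) of the IPv4 header at the start of buf."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, (vihl & 0x0F) * 4)

def icmp_error_inner_flow(packet):
    """If packet is an ICMP error, return the embedded flow's 5-tuple with
    src<->dst (and ports) swapped, i.e. the direction the reply travels; else None."""
    src, dst, proto, ihl = parse_ipv4_header(packet)
    if proto != 1:
        return None
    icmp = packet[ihl:]
    if icmp[0] not in (3, 4, 5, 11, 12):   # only error types carry the offending datagram
        return None
    inner = icmp[8:]                       # original IP header + >= 8 bytes of transport
    isrc, idst, iproto, iihl = parse_ipv4_header(inner)
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return (idst, isrc, iproto, dport, sport)

def selector_matches(selector, flow):
    """selector = (src_net, dst_net, proto, sport_or_None, dport_or_None)."""
    src_net, dst_net, proto, sport, dport = selector
    fsrc, fdst, fproto, fsport, fdport = flow
    return (ipaddress.IPv4Address(fsrc) in ipaddress.IPv4Network(src_net)
            and ipaddress.IPv4Address(fdst) in ipaddress.IPv4Network(dst_net)
            and proto == fproto and sport in (None, fsport) and dport in (None, fdport))

# Constructed sample: router 198.51.100.1 tells 10.0.0.5 "port unreachable" (type 3,
# code 3) about its TCP segment 10.0.0.5:40000 -> 192.0.2.10:80.
INNER = _ipv4("10.0.0.5", "192.0.2.10", 6, 20) + struct.pack("!HHI", 40000, 80, 1)
SAMPLE_ICMP_ERROR = (_ipv4("198.51.100.1", "10.0.0.5", 1, 8 + len(INNER))
                     + struct.pack("!BBHI", 3, 3, 0, 0) + INNER)
# Inbound selector of the TCP-only SA pair (192.0.2.10 -> 10.0.0.0/24, proto 6, any port).
TCP_INBOUND_SELECTOR = ("192.0.2.10/32", "10.0.0.0/24", 6, None, None)
```

The swapped tuple lands on the inbound half of the TCP SA pair, while a non-error ICMP message (echo request) or a plain TCP packet yields None and falls through to whatever the SPD says for ICMP itself.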