
Re: On the Use of SCTP with IPsec




Hi,

I've read the draft draft-ietf-ipsec-sctp-00.txt
and I agree with the need for this document and
with the presented requirements and design
decisions.

I have four comments or questions.

First, I'd like to note that the recursive identity
type might be useful also for other purposes. For
instance, I could specify that a per-port tunnel
includes not just e.g. TCP:23 but also ICMP traffic,
by using an identity (TCP:23 n.n.n.n) AND (ICMP n.n.n.n).
If the recursive type is to be used for such purposes,
then we should allow more component types than
IPSEC_ID_IPV4_ADDR, and we would need a clear
semantics for the treatment of the multiple protocol
and port fields in the recursive identity payload.

Second, I wonder where the necessary protocol
enhancements such as the recursive identity
type will be defined -- are they going to be a part
of a future revision of this draft or do you expect
to make another one which defines them?

Third, the definition of the new recursive type --
is your plan to have the new identity payload
simply contain perhaps first a count of the
'subidentities', then followed by actual
Identity Payloads? Or something more specialized,
such as omitting the Payload header for the subidentities?
When in section 3 you oppose arbitrary recursion,
I suppose you mean depth <= 2 but width could still
be unlimited?

Fourth, do you have an idea what typical SCTP policies/
selectors look like? Are they protocol and port
specific, or is everything from the particular addresses
covered by the SAs? If the former, is SCTP relying on
ICMP in any way?

Jari



