
Re: On the Use of SCTP with IPsec



Jari Arkko wrote:
 > 
 > Hi,
 > 
 > I've read the draft draft-ietf-ipsec-sctp-00.txt
 > and I agree with the need for this document and
 > with the presented requirements and design
 > decisions.
 > 
 > I have four comments or questions.
 > 
 > First, I'd like to note that the recursive identity
 > type might be useful also for other purposes. For
 > instance, I could specify that a per-port tunnel
 > includes not just e.g. TCP:23 but also ICMP traffic,
 > by using an identity (TCP:23 n.n.n.n) AND (ICMP n.n.n.n).
 > If the recursive type is to be used for such purposes,
 > then we should allow more component types than
 > IPSEC_ID_IPV4_ADDR, and we would need a clear
 > semantics for the treatment of the multiple protocol
 > and port fields in the recursive identity payload.
 > 
 > Second, I wonder where the necessary protocol
 > enhancements such as the recursive identity
 > type will be defined -- are they going to be a part
 > of a future revision of this draft or do you expect
 > to make another one which defines them?
 > 
 > Third, the definition of the new recursive type --
 > is your plan to have the new identity payload
 > simply contain perhaps first a count of the
 > 'subidentities', then followed by actual
 > Identity Payloads? Or something more specialized,
 > such as omitting the Payload header for the subidentities?
 > When in section 3 you oppose arbitrary recursion,
 > I suppose you mean depth <= 2 but width could still
 > be unlimited?
 > 

All of the above I will leave to others to answer :)


 > Fourth, do you have an idea what typical SCTP policies/
 > selectors look like? Are they protocol and port
 > specific, or is everything from the particular addresses
 > covered by the SAs? If the former, is SCTP relying on
 > ICMP in any way?
 > 

I don't know what a policy selector looks like for SCTP :)
But yes, SCTP does rely on ICMP for Path MTU discovery ... just
like TCP. This is the only place where SCTP uses ICMP though...

R

 > Jari

-- 
Randall R. Stewart
Systems & Solutions Engineering
Cisco Systems Inc.
rrs@cisco.com 815-342-5222 or 815-477-2127
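As an added illustration of the two technical points in this thread (a recursive identity type whose per-packet semantics is still an open question, and an SCTP selector needing to cover ICMP because SCTP uses it for Path MTU discovery), here is a small Python model that is not part of the draft or of either message. The selector classes, the union semantics, the depth counting and the sample addresses and port are all my assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# IANA protocol numbers for ICMP, TCP and SCTP.
ICMP, TCP, SCTP = 1, 6, 132


@dataclass(frozen=True)
class Leaf:
    """One flat selector: address plus optional protocol and port."""
    addr: str
    proto: Optional[int] = None   # None = any protocol
    port: Optional[int] = None    # None = any port

    def matches(self, pkt: dict) -> bool:
        return (pkt["addr"] == self.addr
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.port is None or pkt.get("port") == self.port))


@dataclass(frozen=True)
class Recursive:
    """Hypothetical recursive identity: a list of sub-identities. Per-packet
    semantics is modelled as a union (assumption, not the draft's rule)."""
    parts: Tuple[Union[Leaf, "Recursive"], ...]

    def matches(self, pkt: dict) -> bool:
        return any(p.matches(pkt) for p in self.parts)


def depth(sel) -> int:
    """Number of Recursive levels above the leaves (a Leaf alone is 0)."""
    if isinstance(sel, Leaf):
        return 0
    return 1 + max((depth(p) for p in sel.parts), default=0)


def sctp_policy(addrs, port, max_depth=2) -> Recursive:
    """Selector for a multi-homed SCTP endpoint listening on `port` over
    `addrs`, plus ICMP to each address so Path MTU discovery still works."""
    sel = Recursive(tuple(
        Recursive((Leaf(a, SCTP, port), Leaf(a, ICMP))) for a in addrs))
    if depth(sel) > max_depth:          # bounded depth, unbounded width
        raise ValueError("recursive selector nests too deeply")
    return sel
```

Per-packet matching here is a union; whether a future revision of the draft defines AND as "the SA covers all components" or something else is exactly the semantics question raised above.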


