Re: On the Use of SCTP with IPsec
Jari Arkko wrote:
>
> Hi,
>
> I've read the draft draft-ietf-ipsec-sctp-00.txt
> and I agree with the need for this document and
> with the presented requirements and design
> decisions.
>
> I have four comments or questions.
>
> First, I'd like to note that the recursive identity
> type might also be useful for other purposes. For
> instance, I could specify that a per-port tunnel
> includes not just e.g. TCP:23 but also ICMP traffic,
> by using an identity (TCP:23 n.n.n.n) AND (ICMP n.n.n.n).
> If the recursive type is to be used for such purposes,
> then we should allow more component types than
> IPSEC_ID_IPV4_ADDR, and we would need a clear
> semantics for the treatment of the multiple protocol
> and port fields in the recursive identity payload.
>
> Second, I wonder where the necessary protocol
> enhancements such as the recursive identity
> type will be defined -- are they going to be a part
> of a future revision of this draft or do you expect
> to make another one which defines them?
>
> Third, the definition of the new recursive type --
> is your plan to have the new identity payload
> simply contain perhaps first a count of the
> 'subidentities', then followed by actual
> Identity Payloads? Or something more specialized,
> such as omitting the Payload header for the subidentities?
> When in section 3 you oppose arbitrary recursion,
> I suppose you mean depth <= 2 but width could still
> be unlimited?
>
All of the above I will leave to others to answer :)
> Fourth, do you have an idea what typical SCTP policies/
> selectors look like? Are they protocol and port
> specific, or is everything from the particular addresses
> covered by the SAs? If the former, is SCTP relying on
> ICMP in any way?
>
I don't know what a policy selector looks like for SCTP :)
But yes, SCTP does rely on ICMP for Path MTU discovery ... just
like TCP... This is the only place where SCTP uses ICMP though...
R
> Jari
--
Randall R. Stewart
Systems & Solutions Engineering
Cisco Systems Inc.
rrs@cisco.com 815-342-5222 or 815-477-2127