
Re: On the Use of SCTP with IPsec

Jari Arkko wrote:
> 
> First, I'd like to note that the recursive identity
> type might be useful for also other purposes. For
> instance, I could specify that a per-port tunnel
> includes not just e.g. TCP:23 but also ICMP traffic,
> by using an identity (TCP:23 n.n.n.n) AND (ICMP n.n.n.n).
> If the recursive type is to be used for such purposes,
> then we should allow more component types than
> IPSEC_ID_IPV4_ADDR, and we would need a clear
> semantics for the treatment of the multiple protocol
> and port fields in the recursive identity payload.

I haven't read that draft you refer to, but I'd vote against
'recursive identity types'. An ordinary identity type is
already pretty complex to encode/decode, with all checks.

I'd be very happy, however, if the identity payload could have
1) a minimum and maximum protocol ID; if both are zero, they are to be ignored
2) a minimum and maximum port; if both are zero, they are to be ignored
3) In QM, several identity payloads for allowed initiator traffic values,
   and similarly several identity payloads for allowed responder traffic
   values

This would enable tight integration of firewall aspects of
our product with the IPsec aspects. Customers would be mighty happy.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
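The identity payload Ari sketches above (a protocol range and a port range, each ignored when both bounds are zero, and several payloads per side in Quick Mode), worked through as an added example that is not part of the mailing-list message or of any F-Secure code. The ID type values are the RFC 2407 ones; the body layout with min/max fields is a hypothetical encoding assumed for this example, as is the rule that a list of payloads admits traffic when any one of them matches. The policy data is constructed for the illustration.

```python
"""Ranged IPsec identity selectors, modelled on the proposal in the reply."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

# Identification types from RFC 2407 (real values).
IPSEC_ID_IPV4_ADDR = 1
IPSEC_ID_IPV4_ADDR_SUBNET = 4

# HYPOTHETICAL body layout for the proposed ranged identity (an assumption of
# this example, not a format from the thread or from any RFC):
#   id_type(1) reserved(1) proto_min(1) proto_max(1) port_min(2) port_max(2) data
_HDR = struct.Struct("!BBBBHH")


@dataclass(frozen=True)
class RangeIdentity:
    id_type: int
    proto_min: int
    proto_max: int
    port_min: int
    port_max: int
    network: ipaddress.IPv4Network

    def __post_init__(self) -> None:
        # Decoding "with all checks": a (0, 0) range means "ignore this field";
        # any other range must be ordered and fit the field width.
        if self.id_type not in (IPSEC_ID_IPV4_ADDR, IPSEC_ID_IPV4_ADDR_SUBNET):
            raise ValueError("unsupported ID type")
        for lo, hi, limit in ((self.proto_min, self.proto_max, 0xFF),
                              (self.port_min, self.port_max, 0xFFFF)):
            if not (0 <= lo <= limit and 0 <= hi <= limit):
                raise ValueError("range field out of bounds")
            if (lo, hi) != (0, 0) and lo > hi:
                raise ValueError("range minimum exceeds maximum")
        if self.id_type == IPSEC_ID_IPV4_ADDR and self.network.prefixlen != 32:
            raise ValueError("IPV4_ADDR must name a single host")

    def encode(self) -> bytes:
        body = _HDR.pack(self.id_type, 0, self.proto_min, self.proto_max,
                         self.port_min, self.port_max)
        body += self.network.network_address.packed
        if self.id_type == IPSEC_ID_IPV4_ADDR_SUBNET:
            body += self.network.netmask.packed
        return body

    @classmethod
    def decode(cls, data: bytes) -> "RangeIdentity":
        if len(data) < _HDR.size:
            raise ValueError("truncated identity")
        id_type, _reserved, pmin, pmax, portmin, portmax = _HDR.unpack_from(data)
        rest = data[_HDR.size:]
        if id_type == IPSEC_ID_IPV4_ADDR and len(rest) == 4:
            net = ipaddress.IPv4Network(rest)              # packed address -> /32
        elif id_type == IPSEC_ID_IPV4_ADDR_SUBNET and len(rest) == 8:
            mask = str(ipaddress.IPv4Address(rest[4:]))
            net = ipaddress.IPv4Network((rest[:4], mask))   # strict: rejects host bits
        else:
            raise ValueError("bad ID type / length combination")
        return cls(id_type, pmin, pmax, portmin, portmax, net)

    def matches(self, addr: str, proto: int, port: int) -> bool:
        if ipaddress.IPv4Address(addr) not in self.network:
            return False
        if (self.proto_min, self.proto_max) != (0, 0) and not (
                self.proto_min <= proto <= self.proto_max):
            return False
        if (self.port_min, self.port_max) != (0, 0) and not (
                self.port_min <= port <= self.port_max):
            return False
        return True


def admits(identities: Iterable[RangeIdentity], addr: str, proto: int, port: int) -> bool:
    """Several identity payloads for one side: traffic is allowed if any matches."""
    return any(i.matches(addr, proto, port) for i in identities)


def host(addr: str, proto_min: int = 0, proto_max: int = 0,
         port_min: int = 0, port_max: int = 0) -> RangeIdentity:
    return RangeIdentity(IPSEC_ID_IPV4_ADDR, proto_min, proto_max, port_min, port_max,
                         ipaddress.IPv4Network(addr + "/32"))


def demo() -> Tuple[bool, ...]:
    # Constructed policy: responder side admits telnet (TCP:23) and ICMP to
    # 10.0.0.1, the combination Jari wanted from a recursive identity.
    responder = [host("10.0.0.1", 6, 6, 23, 23), host("10.0.0.1", 1, 1)]
    # Initiator side: any host in 192.168.1.0/24, TCP from ephemeral ports only.
    initiator = [RangeIdentity(IPSEC_ID_IPV4_ADDR_SUBNET, 6, 6, 1024, 65535,
                               ipaddress.IPv4Network("192.168.1.0/24"))]
    return (
        all(RangeIdentity.decode(i.encode()) == i for i in responder + initiator),
        admits(responder, "10.0.0.1", 6, 23),         # telnet: allowed
        admits(responder, "10.0.0.1", 1, 0),          # ICMP, port ignored: allowed
        admits(responder, "10.0.0.1", 17, 53),        # UDP/53: not in policy
        admits(initiator, "192.168.1.77", 6, 40000),  # ephemeral TCP client: allowed
        admits(initiator, "192.168.1.77", 6, 80),     # low source port: refused
    )


if __name__ == "__main__":
    print(demo())
```

The two responder identities give the "TCP:23 AND ICMP" effect without nesting one identity inside another; the cost is that the encoder and decoder must police the extra range fields (ordering, width, and the zero-means-wildcard convention) on every payload.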

