Re: On the Use of SCTP with IPsec
Jari Arkko wrote:
>
> First, I'd like to note that the recursive identity
> type might be useful also for other purposes. For
> instance, I could specify that a per-port tunnel
> includes not just e.g. TCP:23 but also ICMP traffic,
> by using an identity (TCP:23 n.n.n.n) AND (ICMP n.n.n.n).
> If the recursive type is to be used for such purposes,
> then we should allow more component types than
> IPSEC_ID_IPV4_ADDR, and we would need a clear
> semantics for the treatment of the multiple protocol
> and port fields in the recursive identity payload.
I haven't read that draft you refer to, but I'd vote against
'recursive identity types'. An ordinary identity type is
already pretty complex to encode/decode, with all checks.
I'd be very happy, however, if we could have the identity payload have
1) minimum and maximum protocol ID; if both are zero, the field is ignored
2) minimum and maximum port; if both are zero, the field is ignored
3) In QM we could have several identity payloads for allowed
initiator traffic values, and similarly several identity payloads
for allowed responder traffic values
This would enable tight integration of firewall aspects of
our product with the IPsec aspects. Customers would be mighty happy.
Ari
--
Ari Huttunen             phone: +358 9 2520 0700
Software Architect       fax  : +358 9 2520 5001
F-Secure Corporation     http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security
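The three-point proposal above (protocol range, port range, several identity payloads per direction, with a (0, 0) range meaning "any") can be modelled and exercised directly. The following is an added example written for this thread; it is not code from the original message, from the draft under discussion or from F-Secure's product. The class names, the packed wire layout used for `encode`/`decode`, the `from_cidr` helper and the sample flows are all assumptions made for illustration.

```python
"""Traffic selectors with protocol and port ranges, modelled on the proposal above.

Added example for this thread, not code from the original post, the draft it
discusses or F-Secure's product. Class names, the packed wire layout and the
sample flows below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Assumed wire layout: lo addr, hi addr, proto lo/hi (1 byte each), port lo/hi.
WIRE = "!4s4sBBHH"


@dataclass(frozen=True)
class Selector:
    """One identity payload: an IPv4 range plus a protocol range and a port range.

    A (0, 0) protocol or port range means 'any', as items 1 and 2 propose.
    A consequence worth knowing: protocol 0 and port 0 can then never be
    selected explicitly, because (0, 0) is already taken as the wildcard.
    """
    addr_lo: ipaddress.IPv4Address
    addr_hi: ipaddress.IPv4Address
    proto_lo: int = 0
    proto_hi: int = 0
    port_lo: int = 0
    port_hi: int = 0

    def __post_init__(self):
        # Validate before the selector reaches a policy database: a responder
        # must reject an inverted or out-of-range payload received from its peer.
        if self.addr_lo > self.addr_hi:
            raise ValueError("address range inverted")
        if not 0 <= self.proto_lo <= self.proto_hi <= 255:
            raise ValueError("protocol range inverted or out of range")
        if not 0 <= self.port_lo <= self.port_hi <= 65535:
            raise ValueError("port range inverted or out of range")

    @classmethod
    def from_cidr(cls, cidr, proto=None, ports=None):
        """Build a selector from a CIDR, an optional protocol and optional (lo, hi) ports."""
        net = ipaddress.IPv4Network(cidr, strict=False)
        plo = phi = proto if proto is not None else 0
        tlo, thi = ports if ports is not None else (0, 0)
        return cls(net[0], net[-1], plo, phi, tlo, thi)

    def matches(self, addr, proto, port):
        """True if (addr, proto, port) falls inside every non-wildcard range."""
        a = ipaddress.IPv4Address(addr)
        if not self.addr_lo <= a <= self.addr_hi:
            return False
        if (self.proto_lo, self.proto_hi) != (0, 0) and not self.proto_lo <= proto <= self.proto_hi:
            return False
        if (self.port_lo, self.port_hi) != (0, 0) and not self.port_lo <= port <= self.port_hi:
            return False
        return True

    def encode(self):
        return struct.pack(WIRE, self.addr_lo.packed, self.addr_hi.packed,
                           self.proto_lo, self.proto_hi, self.port_lo, self.port_hi)

    @classmethod
    def decode(cls, data):
        # Length check first; __post_init__ then validates the decoded ranges.
        if len(data) != struct.calcsize(WIRE):
            raise ValueError("truncated or oversized selector payload")
        lo, hi, plo, phi, tlo, thi = struct.unpack(WIRE, data)
        return cls(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi), plo, phi, tlo, thi)


@dataclass
class QuickModePolicy:
    """Several selectors per direction, as item 3 of the proposal suggests."""
    initiator: list = field(default_factory=list)
    responder: list = field(default_factory=list)

    def allows(self, src, dst, proto, sport, dport):
        """A flow is covered by the SA if some initiator selector matches its
        source end and some responder selector matches its destination end."""
        return (any(s.matches(src, proto, sport) for s in self.initiator)
                and any(s.matches(dst, proto, dport) for s in self.responder))


def demo_policy():
    """Telnet and ICMP from one LAN to one host; everything else stays outside the SA."""
    return QuickModePolicy(
        initiator=[Selector.from_cidr("192.168.1.0/24")],
        responder=[Selector.from_cidr("10.0.0.5/32", PROTO_TCP, (23, 23)),
                   Selector.from_cidr("10.0.0.5/32", PROTO_ICMP)],
    )


# Constructed sample flows: (src, dst, proto, sport, dport).
SAMPLE_FLOWS = [
    ("192.168.1.10", "10.0.0.5", PROTO_TCP, 40000, 23),   # telnet from the LAN
    ("192.168.1.10", "10.0.0.5", PROTO_ICMP, 0, 0),       # ping from the LAN
    ("192.168.1.10", "10.0.0.5", PROTO_TCP, 40000, 25),   # SMTP: not selected
    ("192.168.2.10", "10.0.0.5", PROTO_TCP, 40000, 23),   # telnet from another LAN
]


def evaluate(policy, flows):
    """Return one allow/deny decision per flow."""
    return [policy.allows(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, ok in zip(SAMPLE_FLOWS, evaluate(demo_policy(), SAMPLE_FLOWS)):
        print("allow" if ok else "deny ", flow)
```

The point of `__post_init__` is the check a practitioner would want on the wire: a peer can send an inverted or oversized range, and it should be rejected when the payload is decoded rather than silently widening the policy. The wildcard convention also means a selector for exactly port 0 or protocol 0 cannot be written, which is harmless for TCP/UDP services but worth remembering when the same payload is reused for firewall rules.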