
SOI: selector exclusion lists/ranges




A while back I think we had a discussion about IKE's inability to express port ranges for selectors. I have an admittedly parochial desire for this feature because I'd like to have the ability to protect all traffic to a node except where I'm protecting things at application layer, à la SRTP. Currently, the only way to do that would be to enumerate every port that you want protected; with 65k ports, that's a bit hard to swallow. In reality, I really don't think this ability is all that unique when you think beyond IKE/IPsec as being a VPN establishment mechanism; other things are surely in this situation. Indeed, this may be one way to fix the current implicit meaning of an IKE selector which is "everything but port 500". Since KINK will also have a well-known port for key management, this would give the implementation an unambiguous way to express whether it wants other key management protocols inside or outside of the selector.

Thus I think we should have a requirement which states:

"The protocol MUST have the ability to express port ranges for flow selectors, as well as have the ability to selectively enumerate ports which fall outside of the flow selector."

      Mike
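The following is an added example, not code from the post or from any IKE implementation: a small model of a flow selector that carries port ranges plus explicit exclusions, a `covers()` check that decides whether a given protocol/port falls inside the selector, and a routine that rewrites such a selector into plain positive ranges for a selector language that understands ranges but not exclusions. The UDP/500 exclusion comes from the post; the media ports 5004-5005 are constructed values standing in for ports that are assumed to be protected at the application layer.

```python
# Added example (not from the original post): a model of IPsec flow selectors
# that can express port ranges plus explicit port exclusions, and a routine that
# rewrites such a selector into plain positive ranges for a selector language
# that understands ranges but not exclusions.
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_PORT = 65535
PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass
class Selector:
    """One flow selector: an IP protocol, the port ranges it covers, and ports carved out of it."""
    protocol: int                        # IP protocol number (17 = UDP, 6 = TCP)
    port_ranges: List[PortRange]         # inclusive ranges this selector covers
    excluded_ports: List[int] = field(default_factory=list)  # ports pulled back out of the ranges

    def __post_init__(self) -> None:
        for lo, hi in self.port_ranges:
            if not (0 <= lo <= hi <= MAX_PORT):
                raise ValueError(f"bad port range {lo}-{hi}")
        for p in self.excluded_ports:
            if not 0 <= p <= MAX_PORT:
                raise ValueError(f"bad excluded port {p}")

    def covers(self, protocol: int, port: int) -> bool:
        """True if traffic to protocol/port falls inside the selector (i.e. gets IPsec protection)."""
        if protocol != self.protocol or port in self.excluded_ports:
            return False
        return any(lo <= port <= hi for lo, hi in self.port_ranges)


def merge_ranges(ranges: List[PortRange]) -> List[PortRange]:
    """Sort and coalesce overlapping or adjacent inclusive ranges."""
    merged: List[PortRange] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def to_positive_ranges(sel: Selector) -> List[PortRange]:
    """Express the selector with ranges only, splitting each range around every excluded port."""
    result = merge_ranges(sel.port_ranges)
    for p in sorted(set(sel.excluded_ports)):
        split: List[PortRange] = []
        for lo, hi in result:
            if lo <= p <= hi:
                if lo < p:
                    split.append((lo, p - 1))
                if p < hi:
                    split.append((p + 1, hi))
            else:
                split.append((lo, hi))
        result = split
    return result


def enumerated_port_count(sel: Selector) -> int:
    """How many single ports an implementation would have to list if it could only enumerate them."""
    return sum(hi - lo + 1 for lo, hi in to_positive_ranges(sel))


if __name__ == "__main__":
    # Constructed example: protect all UDP traffic to a node except IKE on UDP/500 and
    # two media ports (5004-5005) assumed, for illustration, to be protected by SRTP instead.
    sel = Selector(protocol=17, port_ranges=[(0, MAX_PORT)], excluded_ports=[500, 5004, 5005])
    print(to_positive_ranges(sel))      # [(0, 499), (501, 5003), (5006, 65535)]
    print(enumerated_port_count(sel))   # 65533
    print(sel.covers(17, 53), sel.covers(17, 500), sel.covers(17, 5004))  # True False False
```

Three exclusions turn the single "everything" range into three positive ranges, which is what a range-only selector syntax would have to carry; without ranges at all, the same policy would need 65533 individually enumerated ports, which is the cost the post objects to.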

