Re: SOI: selector exclusion lists/ranges
In message <3C03FC66.74EEEA37@redcreek.com>, Ricky Charlet writes:
>Michael Thomas wrote:
>> Thus I think we should have a requirement which
>> states:
>>
>> "The protocol MUST have the ability to express
>> port ranges for flow selectors, as well as have
>> the ability to selectively enumerate ports which
>> fall outside of the flow selector."
>>
>> Mike
>
> Ooh, ooh, ooh!! And lists (not restricted to ranges) of subnets bound
>to a single SA too please!

In principle, both make sense. In practice, I'm hearing that a lot of
IPsec interoperability problems are due to different notions of what
has to be supported in SAs. We should think about simplifying that,
too. (I plan on making some concrete suggestions on that, but I ran
out of time to write anything up before the I-D cut-off.)
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
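
The selector semantics requested in this thread (a port range with enumerated exclusions, plus a list of subnets bound to one SA), as an added example that is not from any of the posters or from an IPsec implementation. `FlowSelector`, its field names and the sample policy are hypothetical; `expand_simple` assumes a peer that supports only one subnet and one contiguous port range per selector, and shows how many simple selectors the same policy then needs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowSelector:
    """Hypothetical selector: subnet list, one port range, excluded ports."""
    subnets: tuple                      # ipaddress network objects bound to one SA
    port_lo: int
    port_hi: int
    excluded: frozenset = frozenset()   # ports carved out of the range

    def __post_init__(self):
        if not 0 <= self.port_lo <= self.port_hi <= 65535:
            raise ValueError("bad port range")
        if any(not self.port_lo <= p <= self.port_hi for p in self.excluded):
            raise ValueError("excluded port lies outside the range")

    def matches(self, addr, port):
        """True if (addr, port) belongs to this selector's flow."""
        ip = ipaddress.ip_address(addr)
        return (any(ip in net for net in self.subnets)
                and self.port_lo <= port <= self.port_hi
                and port not in self.excluded)

    def contiguous_ranges(self):
        """Port range minus exclusions, as a list of plain (lo, hi) ranges."""
        ranges, start = [], self.port_lo
        for p in sorted(self.excluded):
            if p > start:
                ranges.append((start, p - 1))
            start = p + 1
        if start <= self.port_hi:
            ranges.append((start, self.port_hi))
        return ranges

    def expand_simple(self):
        """Selectors needed by a peer limited to one subnet + one range each."""
        return [(net, lo, hi) for net in self.subnets
                for lo, hi in self.contiguous_ranges()]

# Constructed sample policy (documentation prefixes, arbitrary ports).
SAMPLE = FlowSelector(
    subnets=(ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("198.51.100.0/24")),
    port_lo=1024, port_hi=65535, excluded=frozenset({2049, 6000}))

if __name__ == "__main__":
    print(SAMPLE.matches("192.0.2.7", 8080), SAMPLE.matches("192.0.2.7", 2049))
    for sel in SAMPLE.expand_simple():
        print(sel)
```

With two subnets and two excluded ports, the single rich selector expands to six simple ones, and both peers have to agree on that expansion for traffic to match.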