
Re: SOI: selector exclusion lists/ranges



In message <3C03FC66.74EEEA37@redcreek.com>, Ricky Charlet writes:
>Michael Thomas wrote:
>> Thus I think we should have a requirement which
>> states:
>> 
>> "The protocol MUST have the ability to express
>>  port ranges for flow selectors, as well as have
>>  the ability to selectively enumerate ports which
>>  fall outside of the flow selector."
>> 
>>       Mike
>
>
>
>	Ooh, ooh, ooh!! And lists (not restricted to ranges) of subnets bound
>to a single SA too please!

In principle, both make sense.  In practice, I'm hearing that a lot of 
IPsec interoperability problems are due to different notions of what 
has to be supported in SAs.  We should think about simplifying that, 
too.  (I plan on making some concrete suggestions on that, but I ran 
out of time to write anything up before the I-D cut-off.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
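The two requests quoted above (port ranges with enumerated exclusions, and a list of subnets bound to a single SA), as an added example that is not from the thread or from any IPsec implementation; the `FlowSelector` class and its methods are assumptions of this illustration, and the selector values are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not from the thread): a flow selector carrying a
# port range, an enumerated set of ports excluded from inside that range,
# and a list of subnets (not just one prefix) bound to a single SA.
class FlowSelector:
    def __init__(self, subnets, port_range, excluded_ports=()):
        self.subnets = [ip_network(s) for s in subnets]
        self.low, self.high = port_range
        self.excluded = set(excluded_ports)
        # An excluded port that lies outside the range is a policy error:
        # reject it at load time rather than silently ignoring it.
        bad = [p for p in self.excluded if not self.low <= p <= self.high]
        if bad:
            raise ValueError(f"excluded ports outside range: {bad}")

    def matches(self, dst_ip, dst_port):
        """True if the packet falls inside the selector and is not excluded."""
        addr = ip_address(dst_ip)
        in_subnet = any(addr in net for net in self.subnets)
        in_range = self.low <= dst_port <= self.high
        return in_subnet and in_range and dst_port not in self.excluded

    def equivalent_ranges(self):
        """Expand 'range minus exclusions' into the contiguous ranges a peer
        without exclusion support would need: one SA per range."""
        ranges, start = [], self.low
        for p in sorted(self.excluded) + [self.high + 1]:
            if p > start:
                ranges.append((start, p - 1))
            start = p + 1
        return ranges
```

`equivalent_ranges()` shows why the exclusion form matters for interoperability: each enumerated exclusion splits the range, so a peer that only understands plain ranges needs one more SA per excluded port.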



