Re: SOI: selector exclusion lists/ranges
Again, I'm pleased as punch if they're part of the
proposed protocols. I just want them to also be
reflected in the requirements so that we all agree
what are features vs. misfeatures, etc.
Mike
Dan Harkins writes:
> The Traffic Selector Payload consists of a list of Traffic Selector
> Substructures, each of which has start-port and end-port entries.
> So you can specify ports 1-78 and 80-1023 if you wanted to protect
> all ports less than 1024 except 79.
>
> They can't represent things that fall outside of a selector since
> they are designed to represent the selector itself. But I think they
> can do what you want. Check out section 7.13 in the IKEv2 draft.
>
> Note that while IKEv2 can express this, an RFC2401-compliant IPsec
> implementation could not have a selector like this for IKEv2 to
> represent. The restriction in RFC2401 was because of a limitation in
> RFC2408 though so hopefully a rev of RFC2401 will include port ranges.
>
> Dan.
>
> On Tue, 27 Nov 2001 12:09:14 PST you wrote
> >
> > Thus I think we should have a requirement which
> > states:
> >
> > "The protocol MUST have the ability to express
> > port ranges for flow selectors, as well as have
> > the ability to selectively enumerate ports which
> > fall outside of the flow selector."
> >
> > Mike
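
Added example, not part of the original thread or of any IKEv2 implementation: a sketch of how a "range minus excluded ports" policy reduces to the list of start-port/end-port pairs described in the quoted reply. The function names are hypothetical, and the tuples model only the port fields, not the payload's wire format.

```python
from typing import Iterable, List, Tuple

PortRange = Tuple[int, int]  # inclusive (start_port, end_port)


def ranges_excluding(start: int, end: int,
                     excluded: Iterable[int]) -> List[PortRange]:
    """Cover [start, end] minus `excluded` using inclusive port ranges."""
    if not (0 <= start <= end <= 65535):
        raise ValueError("ports must satisfy 0 <= start <= end <= 65535")
    out: List[PortRange] = []
    cursor = start  # lowest port not yet covered or excluded
    for port in sorted(set(excluded)):
        if port < cursor or port > end:
            continue  # exclusion lies outside the selector; nothing to cut
        if port > cursor:
            out.append((cursor, port - 1))  # close the range before the hole
        cursor = port + 1  # resume just past the excluded port
    if cursor <= end:
        out.append((cursor, end))
    return out


def selects(ranges: List[PortRange], port: int) -> bool:
    """True if `port` falls inside any of the start/end pairs."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # The case from the thread: ports below 1024 except 79.
    pairs = ranges_excluding(1, 1023, [79])
    print(pairs)
    print(selects(pairs, 79), selects(pairs, 80))
```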