Re: SOI: selector exclusion lists/ranges
On Tue, 27 Nov 2001, Steven M. Bellovin wrote:
> In message <3C03FC66.74EEEA37@redcreek.com>, Ricky Charlet writes:
> >Michael Thomas wrote:
> >> Thus I think we should have a requirement which
> >> states:
> >>
> >> "The protocol MUST have the ability to express
> >> port ranges for flow selectors, as well as have
> >> the ability to selectively enumerate ports which
> >> fall outside of the flow selector."
> >>
> >> Mike
> >
> > Ooh, ooh, ooh!! And lists (not restricted to ranges) of subnets bound
> >to a single SA too please!
>
> In principle, both make sense. In practice, I'm hearing that a lot of
> IPsec interoperability problems are due to different notions of what
> has to be supported in SAs.
In practice I don't think most of our interop problems stem from SA
negotiations, i.e. phase 2. I think phase 1 (and certificate)
interoperability is by far the bigger problem.
A well-defined and flexible ID payload would do wonders....
jan
> We should think about simplifying that,
> too. (I plan on making some concrete suggestions on that, but I ran
> out of time to write anything up before the I-D cut-off.)
>
> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
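The selector requirement quoted at the top of the thread (port ranges plus an enumerated list of ports excluded from them, and a list of subnets bound to a single SA) is easier to reason about in code than in prose. The block below is an added illustration written for this page; it is not code from the thread, from Cisco, or from any IKE implementation. The `FlowSelector` class, the policy table and the sample addresses and ports are all hypothetical. `expand_to_plain_ranges` shows what a peer that supports ranges but not exclusions would have to be given instead: the same policy split into several plain ranges, which is exactly the kind of "different notions of what has to be supported" mismatch Bellovin mentions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSelector:
    """Hypothetical flow selector modelling the requirement under discussion.

    subnets        -- CIDR strings, all bound to the same SA
    port_ranges    -- inclusive (low, high) destination-port ranges
    excluded_ports -- ports carved out of those ranges
    protocol       -- IP protocol number (6 = TCP, 17 = UDP)
    """
    subnets: tuple
    port_ranges: tuple
    excluded_ports: frozenset = frozenset()
    protocol: int = 6

    def matches_address(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(s) for s in self.subnets)

    def matches_port(self, port):
        # Exclusions take precedence over the ranges they sit inside.
        if port in self.excluded_ports:
            return False
        return any(lo <= port <= hi for lo, hi in self.port_ranges)

    def matches(self, ip, port, protocol):
        return (protocol == self.protocol
                and self.matches_address(ip)
                and self.matches_port(port))


def select_sa(policy, ip, port, protocol):
    """First-match lookup over (selector, SA name) pairs; None means no SA."""
    for selector, sa_name in policy:
        if selector.matches(ip, port, protocol):
            return sa_name
    return None


def expand_to_plain_ranges(selector):
    """Rewrite ranges-with-exclusions as a list of plain inclusive ranges.

    This is what a peer lacking exclusion support would need to be sent:
    one (low, high) pair per contiguous run of permitted ports.
    """
    out = []
    for lo, hi in selector.port_ranges:
        start = lo
        for p in sorted(x for x in selector.excluded_ports if lo <= x <= hi):
            if p > start:
                out.append((start, p - 1))
            start = p + 1
        if start <= hi:
            out.append((start, hi))
    return out


# Constructed sample policy: two subnets on one SA, all ephemeral TCP ports
# except RDP (3389) carved out. Addresses and ports are made up for the example.
INTERNAL = FlowSelector(
    subnets=("10.1.0.0/24", "10.2.0.0/24"),
    port_ranges=((1024, 65535),),
    excluded_ports=frozenset({3389}),
)
POLICY = ((INTERNAL, "SA-1"),)


if __name__ == "__main__":
    for ip, port, proto in (("10.2.0.7", 8080, 6), ("10.2.0.7", 3389, 6),
                            ("10.3.0.1", 8080, 6), ("10.1.0.9", 8080, 17)):
        print(ip, port, proto, "->", select_sa(POLICY, ip, port, proto))
    print("plain ranges for a peer without exclusions:",
          expand_to_plain_ranges(INTERNAL))
```

With a single excluded port the expansion doubles the number of ranges; with n excluded ports scattered through one range it becomes n+1 ranges, and if the peer also lacks range support each of those collapses further into per-port selectors. That growth is the practical cost of leaving exclusions out of the protocol.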