
Re: SOI: selector exclusion lists/ranges



On Tue, 27 Nov 2001, Steven M. Bellovin wrote:

> In message <3C03FC66.74EEEA37@redcreek.com>, Ricky Charlet writes:
> >Michael Thomas wrote:
> >> Thus I think we should have a requirement which
> >> states:
> >> 
> >> "The protocol MUST have the ability to express
> >>  port ranges for flow selectors, as well as have
> >>  the ability to selectively enumerate ports which
> >>  fall outside of the flow selector."
> >> 
> >>       Mike
> >
> >
> >
> >	Ooh, ooh, ooh!! And lists (not restricted to ranges) of subnets bound
> >to a single SA too please!
> 
> In principle, both make sense.  In practice, I'm hearing that a lot of 
> IPsec interoperability problems are due to different notions of what 
> has to be supported in SAs.

In practice I don't think most of our interop problems stem from SA
negotiations, i.e. phase 2. I think phase 1 (and certificate)
interoperability is by far the bigger problem.

A well defined and flexible ID payload would do wonders....

jan

> We should think about simplifying that, 
> too.  (I plan on making some concrete suggestions on that, but I ran 
> out of time to write anything up before the I-D cut-off.)
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com
> 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
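To make the selector requirements in the quoted text concrete, here is a small model of a flow selector that carries a list of subnets, port ranges and an explicit port exclusion list, together with a routine that rewrites a range-with-exclusions into the plain contiguous ranges a protocol without exclusion support would have to negotiate instead. This is an added illustration, not code from the thread, from Cisco or from any IKE implementation; the class and function names, the 10.1.0.0/16 and 192.168.5.0/24 subnets and the excluded ports (telnet and the BSD r-services) are constructed for the example, and nothing here reflects an IKE payload encoding.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Toy model of a flow selector (constructed for illustration; not a wire format).
# One selector here covers several subnets, several port ranges and an
# exclusion list, i.e. exactly what the quoted requirement asks for.


@dataclass
class FlowSelector:
    subnets: List[ipaddress.IPv4Network]
    port_ranges: List[Tuple[int, int]]           # inclusive (lo, hi) pairs
    excluded_ports: List[int] = field(default_factory=list)

    def matches(self, addr: str, port: int) -> bool:
        """Return True if (addr, port) falls inside this selector."""
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in self.subnets):
            return False
        if port in self.excluded_ports:
            return False
        return any(lo <= port <= hi for lo, hi in self.port_ranges)


def expand_to_ranges(port_ranges: List[Tuple[int, int]],
                     excluded_ports: List[int]) -> List[Tuple[int, int]]:
    """Rewrite ranges-with-exclusions as plain contiguous ranges.

    A protocol that can express ranges but not exclusions has to carry the
    result of this expansion instead of one range plus an exclusion list.
    """
    out: List[Tuple[int, int]] = []
    excl = sorted(set(excluded_ports))
    for lo, hi in port_ranges:
        start = lo
        for p in excl:
            if p < lo or p > hi:
                continue            # exclusion outside this range: ignore it
            if p > start:
                out.append((start, p - 1))
            start = p + 1
        if start <= hi:
            out.append((start, hi))
    return out


def selectors_needed_without_lists(sel: FlowSelector) -> int:
    """Count selectors needed if each may carry one subnet and one range.

    Assumes a protocol with neither subnet lists nor port exclusions, so the
    single selector above must be split into (subnets x contiguous ranges).
    """
    return len(sel.subnets) * len(expand_to_ranges(sel.port_ranges,
                                                   sel.excluded_ports))


# Constructed sample: two internal subnets, all privileged ports except
# telnet (23) and the BSD r-services (512-514), bound to one SA.
SAMPLE = FlowSelector(
    subnets=[ipaddress.ip_network("10.1.0.0/16"),
             ipaddress.ip_network("192.168.5.0/24")],
    port_ranges=[(1, 1023)],
    excluded_ports=[23, 512, 513, 514],
)

if __name__ == "__main__":
    print(expand_to_ranges(SAMPLE.port_ranges, SAMPLE.excluded_ports))
    print(selectors_needed_without_lists(SAMPLE))
    print(SAMPLE.matches("10.1.2.3", 80), SAMPLE.matches("10.1.2.3", 23))
```

With this sample, one selector carrying lists and exclusions turns into six plain (subnet, range) selectors once lists and exclusions are taken away, which is the kind of proliferation the requirement is meant to avoid.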


