Re: SOI: selector exclusion lists/ranges
The Traffic Selector Payload consists of a list of Traffic Selector
Substructures, each of which has start-port and end-port entries.
So you can specify ports 1-78 and 80-1023 if you wanted to protect
all ports less than 1024 except 79.

They can't represent things that fall outside of a selector since
they are designed to represent the selector itself. But I think they
can do what you want. Check out section 7.13 in the IKEv2 draft.

Note that while IKEv2 can express this, an RFC2401-compliant IPsec
implementation could not have a selector like this for IKEv2 to
represent. The restriction in RFC2401 was because of a limitation in
RFC2408, though, so hopefully a rev of RFC2401 will include port ranges.

Dan.

On Tue, 27 Nov 2001 12:09:14 PST you wrote:
>
> Thus I think we should have a requirement which
> states:
>
> "The protocol MUST have the ability to express
> port ranges for flow selectors, as well as have
> the ability to selectively enumerate ports which
> fall outside of the flow selector."
>
> Mike
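
The port split described in the reply above (1-78 and 80-1023 to cover everything below 1024 except 79), as an added example that is not part of the original message or of any IKEv2 implementation. It generalizes to excluded ranges; the function names are hypothetical and the (start, end) pairs stand in for the start-port/end-port entries without modelling the wire format.

```python
MAX_PORT = 65535


def split_port_range(start, end, excluded):
    """Return inclusive (start_port, end_port) pairs covering start..end
    minus every inclusive (lo, hi) range listed in `excluded`."""
    if not (0 <= start <= end <= MAX_PORT):
        raise ValueError("need 0 <= start <= end <= 65535")
    pairs = []
    cursor = start  # lowest port not yet covered or excluded
    for lo, hi in sorted(excluded):
        if lo > hi:
            raise ValueError(f"bad excluded range {lo}-{hi}")
        if hi < cursor:
            continue  # below the selector or inside an earlier exclusion
        if lo > end:
            break     # sorted input: nothing further can intersect
        if lo > cursor:
            pairs.append((cursor, lo - 1))
        cursor = hi + 1
        if cursor > end:
            break
    if cursor <= end:
        pairs.append((cursor, end))
    return pairs


def port_selected(pairs, port):
    """True if `port` falls inside any (start_port, end_port) pair."""
    return any(lo <= port <= hi for lo, hi in pairs)


if __name__ == "__main__":
    # Constructed input: the case from the message above.
    for lo, hi in split_port_range(1, 1023, [(79, 79)]):
        print(f"start-port={lo} end-port={hi}")
```

An empty result means the exclusions swallow the whole range, so there is nothing left to put in a selector list.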