
Re: SOI: selector exclusion lists/ranges



   The Traffic Selector Payload consists of a list of Traffic Selector
Substructures, each of which has start-port and end-port entries.
So you can specify ports 1-78 and 80-1023 if you wanted to protect
all ports less than 1024 except 79.

   They can't represent things that fall outside of a selector since
they are designed to represent the selector itself. But I think they
can do what you want. Check out section 7.13 in the IKEv2 draft.

   Note that while IKEv2 can express this, an RFC2401-compliant IPsec
implementation could not have a selector like this for IKEv2 to
represent. The restriction in RFC2401 was because of a limitation in
RFC2408, though, so hopefully a rev of RFC2401 will include port ranges.

   Dan.

On Tue, 27 Nov 2001 12:09:14 PST you wrote
 > 
 > Thus I think we should have a requirement which
 > states:
 > 
 > "The protocol MUST have the ability to express
 >  port ranges for flow selectors, as well as have
 >  the ability to selectively enumerate ports which
 >  fall outside of the flow selector."
 > 
 >       Mike
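Dan's point that an exclusion is expressed as the port ranges on either side of the excluded ports (1-78 and 80-1023 to leave out 79), worked through as an added Python example that is not code from this thread or from any IKE implementation. The wire layout in `encode_ts_ipv4` is the TS_IPV4_ADDR_RANGE substructure as later standardized in RFC 7296 (the draft's section 7.13 layout is not reproduced here, so that is an assumption), and the addresses and protocol number are constructed sample values.

```python
import ipaddress
import struct

# TS type value for an IPv4 address range selector (RFC 7296 layout, assumed here).
TS_IPV4_ADDR_RANGE = 7


def port_ranges_excluding(start, end, excluded):
    """Return (start_port, end_port) pairs covering start..end minus `excluded`.

    1..1023 minus {79} -> [(1, 78), (80, 1023)], i.e. one Traffic Selector
    substructure per contiguous run of allowed ports.
    """
    ranges = []
    lo = start
    for p in sorted(set(excluded)):
        if p < start or p > end:
            continue            # exclusion outside the span: nothing to split
        if p > lo:
            ranges.append((lo, p - 1))
        lo = p + 1              # consecutive exclusions collapse into one gap
    if lo <= end:
        ranges.append((lo, end))
    return ranges


def port_selected(ranges, port):
    """True if any range in the selector list admits `port`."""
    return any(a <= port <= b for a, b in ranges)


def encode_ts_ipv4(ranges, proto, start_addr, end_addr):
    """Encode one TS substructure per port range: type, protocol, length,
    start port, end port, start address, end address (16 bytes each)."""
    sa = ipaddress.IPv4Address(start_addr).packed
    ea = ipaddress.IPv4Address(end_addr).packed
    out = b""
    for sp, ep in ranges:
        out += struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, sp, ep)
        out += sa + ea
    return out


def decode_ts_ports(blob):
    """Recover the (start_port, end_port) pairs from a blob of substructures."""
    pairs = []
    for off in range(0, len(blob), 16):
        _, _, _, sp, ep = struct.unpack("!BBHHH", blob[off:off + 8])
        pairs.append((sp, ep))
    return pairs
```

Round-tripping the constructed selector through `decode_ts_ports` shows that "all ports below 1024 except 79" survives as two substructures with no separate exclusion entry.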


