
Re: Re: Some comments to draft-ietf-ipsec-ikev2-00.txt




    >> I think it would be better to change the format of subnet selectors
    >> to be IPVx_ADDRESS + Number of bits in the mask. It would remove the
    >> problems of what to do when the other end proposes mask 0xff00ff00?
    >> (According to above it is completely valid :-)
    Dan> A mask of 0xff00ff00 _is_ completely valid.
Michael> CIDR routing people would strongly disagree.

The format that the routing folk use to identify networks to be advertised
has little to do with what IPsec uses to identify systems that may use a
particular SA (other than both being aggregations of IP addresses).  The
two have different requirements.

One could make the argument that it would simplify the jobs of the security
admins and the O&M folk if IPsec were to use ranges --
	<minimum IP address, maximum IP address>
as that frees the admins from having to be as concerned with how they
divide up their address space, what to do if a power of two block needs
to include one more address, etc. (it also uses the same number of bits as
address+mask, but does have different aggregation characteristics).

(another)
Charlie
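As an added illustration of the three selector formats compared in this thread (example code, not from the draft or from any of the posters), the Python below checks an address against an address+mask selector, including a non-contiguous mask such as 0xff00ff00, against a <minimum, maximum> range, and shows how many CIDR prefixes the "power of two block plus one address" case needs. All addresses are constructed sample values.

```python
import ipaddress


def _to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def mask_is_contiguous(mask: int) -> bool:
    """True when a 32-bit mask is a run of 1 bits followed by 0 bits,
    i.e. expressible as a CIDR prefix length. 0xff00ff00 is not."""
    inv = (~mask) & 0xFFFFFFFF
    # A contiguous low block of 1s plus one is a power of two (or zero).
    return (inv & (inv + 1)) == 0


def matches_mask(addr: str, base: str, mask: int) -> bool:
    """Address+mask selector: every bit set in the mask must agree.
    Works for non-contiguous masks too, which is the point of the thread."""
    return (_to_int(addr) & mask) == (_to_int(base) & mask)


def matches_range(addr: str, lo: str, hi: str) -> bool:
    """<minimum, maximum> selector: a simple inclusive comparison."""
    return _to_int(lo) <= _to_int(addr) <= _to_int(hi)


def range_to_prefixes(lo: str, hi: str) -> list[str]:
    """Number of CIDR blocks needed to express an arbitrary inclusive range.
    Shows the aggregation difference between ranges and address+prefix."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]


if __name__ == "__main__":
    # Constructed examples: a /24 is contiguous, 0xff00ff00 is not.
    print(mask_is_contiguous(0xFFFFFF00), mask_is_contiguous(0xFF00FF00))
    # 10.5.1.7 matches base 10.0.1.0 under 0xff00ff00 (2nd and 4th octets free).
    print(matches_mask("10.5.1.7", "10.0.1.0", 0xFF00FF00))
    # A /24 plus one more address is a single range but two prefixes.
    print(range_to_prefixes("10.0.0.0", "10.0.1.0"))
```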

