
IKEv2 traffic selector subsetting.
Section 2.9 of draft-ietf-ipsec-ikev2-00.txt says:
   The Responder is allowed to narrow the choices by selecting a subset
   of the traffic, for instance by eliminating one or more members of
   the set of traffic selectors provided the set does not become the
   NULL set.

In many (most) cases, the Initiator is initiating because it has a
packet it needs to send and doesn't have an appropriate SA for it.

Given this, it's not immediately clear how the responder is supposed
to select a meaningful subset of the initiator-proposed traffic
selectors.

If you want to support a capability like this, it seems like the
traffic selector payload should also include the actual packet field
values in the packet which triggered the exchange, so the responder
can select a *useful* subset if it's not prepared to accept the entire
selector set.

					- Bill
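The narrowing problem described in the post, as an added example that is not part of the original message or the draft: a responder intersects the initiator's proposed selectors with its own policy (never returning the NULL set), and a second variant also checks whether the narrowed set still covers the packet that triggered the exchange. Selector fields, the 10.0.0.0/24 ranges and the triggering packet are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2 traffic selector: protocol (0 = any) plus address and port ranges."""
    proto: int
    lo_ip: IPv4Address
    hi_ip: IPv4Address
    lo_port: int
    hi_port: int

    def intersect(self, other):
        """Return the overlap of two selectors, or None when it is empty."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        lo_ip, hi_ip = max(self.lo_ip, other.lo_ip), min(self.hi_ip, other.hi_ip)
        lo_p, hi_p = max(self.lo_port, other.lo_port), min(self.hi_port, other.hi_port)
        if lo_ip > hi_ip or lo_p > hi_p:
            return None
        return TrafficSelector(self.proto or other.proto, lo_ip, hi_ip, lo_p, hi_p)

    def covers(self, proto, ip, port):
        """True if a packet with these header fields matches this selector."""
        return (self.proto in (0, proto) and self.lo_ip <= ip <= self.hi_ip
                and self.lo_port <= port <= self.hi_port)


def narrow(proposed, policy):
    """Responder-side narrowing: keep every non-empty overlap of a proposed
    selector with a policy selector. Returns [] when the result would be
    the NULL set, which section 2.9 forbids the responder from choosing."""
    result = []
    for p in proposed:
        for q in policy:
            ts = p.intersect(q)
            if ts is not None and ts not in result:
                result.append(ts)
    return result


def narrow_for_packet(proposed, policy, proto, ip, port):
    """Narrowing that also reports whether the triggering packet is still covered."""
    chosen = narrow(proposed, policy)
    return chosen, any(ts.covers(proto, ip, port) for ts in chosen)


# Constructed inputs: initiator offers 10.0.0.0/24, any protocol, any port;
# responder policy only permits TCP (6) to 10.0.0.0-10.0.0.127.
ANY = TrafficSelector(0, IPv4Address("10.0.0.0"), IPv4Address("10.0.0.255"), 0, 65535)
POLICY = [TrafficSelector(6, IPv4Address("10.0.0.0"), IPv4Address("10.0.0.127"), 0, 65535)]
TRIGGER = (6, IPv4Address("10.0.0.200"), 443)  # constructed triggering packet

if __name__ == "__main__":
    print(narrow_for_packet([ANY], POLICY, *TRIGGER))
```

The narrowed set is non-NULL and valid under the draft's rule, yet it does not cover the packet that caused the initiator to negotiate, which is exactly the gap the post points at.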
