
Re: IKEv2 traffic selector subsetting.



On 13 Dec 01, at 18:43, Bill Sommerfeld wrote:

Bill,

> Section 2.9 of draft-ietf-ipsec-ikev2-00.txt says:
>    The Responder is allowed to narrow the choices by selecting a subset
>    of the traffic, for instance by eliminating one or more members of
>    the set of traffic selectors provided the set does not become the
>    NULL set.
> 
> In many (most) cases, the Initiator is initiating because it has a
> packet it needs to send and doesn't have an appropriate SA for it.
> 
> Given this, it's not immediately clear how the responder is supposed
> to select a meaningful subset of the initiator-proposed traffic
> selectors.

That's exactly what I was talking about in my post to this list a few 
days ago.

> If you want to support a capability like this, it seems like the
> traffic selector payload should also include the actual packet field
> values in the packet which triggered the exchange, so the responder
> can select a *useful* subset if it's not prepared to accept the entire
> selector set.

I can see two ways to achieve this. 

1) It is possible to introduce a new payload type, similar in format to 
the TS payload, that will contain the actual packet field values. 

2) Instead of increasing the number of payload types, it is possible to 
require that the very first TSS in the TS payload must always contain 
the actual packet field values in the packet which triggered the 
exchange.

> 					- Bill

Regards,
Valery Smyslov.
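As an added illustration (not code from the draft or from either message), a responder-side narrowing routine under option 2 above: the first TS in the initiator's list is assumed to carry the fields of the triggering packet, and the responder rejects any narrowed set that no longer covers that packet, since such a set would be non-NULL yet useless to the initiator. The TS layout and helper names are a simplification, not the draft's wire format.

```python
# Added example: responder-side TS narrowing, assuming (per option 2 in
# the thread) that initiator_ts[0] is the exact triggering packet.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TS:
    proto: int              # 0 = any protocol (simplified, not wire format)
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int
    end_port: int


def ts(proto, a1, a2, p1, p2):
    """Convenience constructor for a selector from string addresses."""
    return TS(proto, IPv4Address(a1), IPv4Address(a2), p1, p2)


def intersect(a, b):
    """Intersection of two selectors, or None if it is empty."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo_a, hi_a = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    lo_p, hi_p = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo_a > hi_a or lo_p > hi_p:
        return None
    return TS(a.proto or b.proto, lo_a, hi_a, lo_p, hi_p)


def covers(sel, pkt):
    """True if selector sel matches the single-value packet selector pkt."""
    return intersect(sel, pkt) == pkt


def narrow(initiator_ts, responder_policy):
    """Narrow initiator_ts to what responder_policy permits.

    Returns the narrowed list, or None when no permitted selector still
    covers the triggering packet (initiator_ts[0]), i.e. when narrowing
    would yield a NULL set or a non-NULL but useless one."""
    trigger = initiator_ts[0]
    narrowed = []
    for sel in initiator_ts:
        for pol in responder_policy:
            x = intersect(sel, pol)
            if x is not None and x not in narrowed:
                narrowed.append(x)
    if not any(covers(sel, trigger) for sel in narrowed):
        return None
    return narrowed
```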
