Re: I-D ACTION:draft-ietf-ipsec-ikev2-01.txt
My comment about Traffic Selector Payload...
..basic idea is acceptable, if it is also understood that it specifies
the values for the negotiated SAs (into SAD). It has nothing to
do with the policy selectors in SPD.
However, I cannot find a way to specify information concerning both
source and destination (ports and addresses). This is required.
To clarify, an example: I can have a policy selector
remote-port = 25 -> "protection suite"
The "protection suite" could be
1) all connections the same host use the same SA's (sharing); then the
traffic selector payload will need to contain the following info
protocol ID = TCP
remote-start-port = 25
remote-end-port = 25
local-start-port = 0
local-end-port = 65535
I suppose I don't need to specify any addresses in this case, as
they are implicit from the phase 1. Unless either or both hosts are
multihomed, and SA's are to be limited to specific addresses.
2) each connection will have its own SA's; the traffic selector will be
protocol ID = TCP
remote-start-port = 25
remote-end-port = 25
local-start-port = 'x'
local-end-port = 'x'
where 'x' is the local port chosen for the particular connection.
Another example: I want all TCP connections to a specified destination
to be protected, e.g. policy selector
protocol = TCP, dest='d' -> "require own SA for each connection"
the traffic selector will be
protocol ID = TCP
remote-start-port = 'x'
remote-end-port = 'x'
local-start-port = 'y'
local-end-port = 'y'
dest-address = 'd'
where 'x' and 'y' are the ports chosen for the particular TCP
connection. If I want to share the same SA with all TCP, then traffic
selector becomes
protocol ID = TCP
remote-start-port = 0
remote-end-port = 65535
local-start-port = 0
local-end-port = 65535
dest-address = 'd'
Note that the *SPD policy selector* doesn't change! What does change
in the policy is the SA requirements.
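As an added illustration, not part of the original message or of the draft, the following Python model derives the local/remote selector pair that the two SA choices above (one shared SA versus one SA per connection) produce from a fixed SPD policy selector, and checks whether a packet endpoint falls inside a negotiated selector. Protocol numbers, addresses, ports and the local/remote naming are constructed assumptions; only the selector fields are modelled, not the payload encoding.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

TCP = 6                      # IP protocol number for TCP
ANY_PORT = (0, 65535)        # a full port range means "any port"


@dataclass(frozen=True)
class TrafficSelector:
    """One side (local or remote) of a traffic selector: protocol, inclusive
    port range and inclusive IPv4 address range (a model, not the wire format)."""
    proto: int
    ports: tuple       # (start_port, end_port)
    addrs: tuple       # (start_addr, end_addr) as IPv4Address

    def covers(self, proto, port, addr):
        """True when the packet endpoint (proto, port, addr) lies inside this selector."""
        return (self.proto == proto
                and self.ports[0] <= port <= self.ports[1]
                and self.addrs[0] <= IPv4Address(addr) <= self.addrs[1])


def _ts(proto, port, addr):
    # None pins nothing (full range); a port pins start == end to that port.
    rng = ANY_PORT if port is None else (port, port)
    a = IPv4Address(addr)     # single address: the phase-1 peer address (constructed)
    return TrafficSelector(proto, rng, (a, a))


def selectors_for_policy(proto, local_addr, remote_addr,
                         policy_remote_port=None, connection=None):
    """Return (local_ts, remote_ts) for an SPD policy that matches `proto` and,
    optionally, a fixed remote port.  connection=None means one shared SA, so
    the unconstrained ports stay wildcarded; connection=(local_port, remote_port)
    means an SA of its own for that connection, so both ports are pinned.
    The SPD selector itself is the same in both cases; only the SA requirement
    (and therefore the traffic selector sent) differs."""
    if connection is None:
        return (_ts(proto, None, local_addr),
                _ts(proto, policy_remote_port, remote_addr))
    local_port, remote_port = connection
    if policy_remote_port is not None and remote_port != policy_remote_port:
        raise ValueError("connection does not match the SPD policy selector")
    return (_ts(proto, local_port, local_addr), _ts(proto, remote_port, remote_addr))
```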