[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Addresses in traffic selectors in IKEv2

To: ipsec@lists.tislabs.com
Subject: Addresses in traffic selectors in IKEv2
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Date: Mon, 11 Mar 2002 20:06:47 -0800
Sender: owner-ipsec@lists.tislabs.com

One of the most common configuration errors found in VPNC conformance 
testing is that people use the wrong address type in their traffic 
selectors. There are two ways to specify multiple addresses (ranges 
and subnets) and three ways to specify a single address (ranges, 
subnets, and address). This is silly.

IKEv2 should have exactly one way to specify either a single or 
multiple addresses: a range. IKE implementations *could* match the 
different types to each other (some implementations do that), but 
there is no reason to force them to.

--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- RE: Addresses in traffic selectors in IKEv2
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: Re: Choosing between IKEv2 and JFK
Next by Date: Remove SHOULD for elliptic curve groups in IKEv2
Prev by thread: Re: How to pass AES rounds number through PF_KEY interface
Next by thread: RE: Addresses in traffic selectors in IKEv2
Index(es):
- Date
- Thread