
RE: Addresses in traffic selectors in IKEv2



At 10:25 AM -0500 3/12/02, Andrew Krywaniuk wrote:
>I agree with this. There are lots of little pitfalls that I have seen when
>dealing with subnets:
>
>e.g. does 192.168.10.0/24 == 192.168.10.30/24? Not if you use memcmp.
>
>What happens if someone receives a QM1 containing subnets and the peer
>returns a QM2 containing ranges?
>
>We would have liked to implement QM using only ranges, but we were forced to
>convert to subnets whenever possible because some of the other IPsec
>implementations aren't (or at least weren't at the time) able to handle
>ranges.
>
>There is no advantage to having multiple types in this case, so we should
>ditch the less generic ones.
>

Paul makes a good point.

Ranges can be used to express what masks can express and so we should 
probably do away with masks. We should also prohibit trivial ranges 
that define a single address.

We are adding enumerated lists for all selector types, and that 
should replace the singleton selector values.

Any more suggestions for reducing ambiguity in expressing selectors?

Steve
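As an added example (not code from the thread or from any IKE implementation), the canonicalisation being argued for above, in Python: every selector form the thread mentions (subnet, range, single address) is reduced to an inclusive integer range before comparison, so the memcmp pitfall with host bits and the QM1-subnet-versus-QM2-range mismatch both disappear. The `a-b` range syntax is an assumption for the sake of the example.

```python
import ipaddress
from typing import Tuple

IntRange = Tuple[int, int]  # inclusive (first, last) as integers


def naive_equal(a: str, b: str) -> bool:
    """The memcmp-style check the thread warns about: compares raw address
    bytes plus prefix length, so host bits make equal subnets look different."""
    addr_a, len_a = a.split("/")
    addr_b, len_b = b.split("/")
    packed_a = ipaddress.ip_address(addr_a).packed
    packed_b = ipaddress.ip_address(addr_b).packed
    return packed_a == packed_b and len_a == len_b


def subnet_to_range(subnet: str) -> IntRange:
    """Canonicalise 'a.b.c.d/n' to an inclusive range; strict=False masks off
    host bits, so 192.168.10.30/24 and 192.168.10.0/24 yield the same range."""
    net = ipaddress.ip_network(subnet, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_selector(text: str) -> IntRange:
    """Accept a subnet, an 'a-b' range (assumed syntax), or a single address,
    and return one canonical form for all of them."""
    if "/" in text:
        return subnet_to_range(text)
    if "-" in text:
        first, last = text.split("-", 1)
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo > hi:
            raise ValueError("range start exceeds range end: %s" % text)
        return lo, hi
    single = int(ipaddress.ip_address(text))
    return single, single  # the trivial range Steve suggests prohibiting


def is_trivial(r: IntRange) -> bool:
    """True for a range that names exactly one address."""
    return r[0] == r[1]


def overlaps(r1: IntRange, r2: IntRange) -> bool:
    """Inclusive-range intersection test, independent of the original form."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]
```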