[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Addresses in traffic selectors in IKEv2

To: kent@bbn.com
Subject: Re: Addresses in traffic selectors in IKEv2
From: Mike Ditto <ford@incog.com>
Date: Mon, 18 Mar 2002 17:30:29 -0800 (PST)
CC: ipsec@lists.tislabs.com
In-reply-to: <p05100309b8bbff8fe896@[192.168.123.144]> (message from StephenKent on Mon, 18 Mar 2002 15:36:15 -0500)
Sender: owner-ipsec@lists.tislabs.com

> >There is no advantage to having multiple types in this case, so we should
> >ditch the less generic ones.
> 
> Paul makes a good point.
> 
> Ranges can be used to express what masks can express and so we should 
> probably do away with masks. We should also prohibit trivial ranges 
> that define a single address.

I disagree; that seems to miss Paul's point.  Ranges are necessary and
sufficient, and an address set should be composed of a list of ranges.
(I sugggest that "address set" is the superior term rather than range,
list, "multiple addresses" or other often used terms for this concept --
a set is unordered, possibly empty, and can not have duplicate members.)
One can define a normal form of address set representation comprising
zero or more mutually discontiguous ranges listed in increasing
numerical order.  The normal form can be memcmp-compared for
equivalence, or binary searched for membership.

					-=] Mike [=-

Sun Microsystems
Solaris Security Technologies

Follow-Ups:
- Re: Addresses in traffic selectors in IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

References:
- RE: Addresses in traffic selectors in IKEv2
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: 10 years and no ubiquitous security
Next by Date: RE: 10 years and no ubiquitous security
Prev by thread: RE: Addresses in traffic selectors in IKEv2
Next by thread: Re: Addresses in traffic selectors in IKEv2
Index(es):
- Date
- Thread