RE: Addresses in traffic selectors in IKEv2



We took the same approach as Markku mentioned.  We allow the user to specify
individual addresses, subnets or ranges, but the implementation only sees
ranges.

Looking up using CAM is hard whatever, due to the SPD ordering and multiple
fields.

We haven't implemented a hardware CAM yet but the plan is to use the CAM to
cache SPD look-up results, rather than implement the whole SPD as a CAM.

Chris
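As an added illustration of the two points above (not code from any of the posters or from any product): the normalization Chris describes, where a user may write a single address, a subnet or a range but the lookup only ever sees ranges, followed by an ordered SPD walk, plus a helper that counts how many address/mask entries one arbitrary range would need, which is the cost dracca's CAM remark refers to. Addresses and the SPD contents are constructed sample values.

```python
import ipaddress


def selector_to_range(sel):
    """Normalize one address selector written as a single address, a CIDR
    subnet or an 'a-b' range into an inclusive (first, last) address pair.
    The user may write any of the three; lookup code only sees ranges."""
    if "-" in sel:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in sel.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {sel}")
        return lo, hi
    net = ipaddress.ip_network(sel.strip(), strict=False)  # bare address -> /32 or /128
    return net.network_address, net.broadcast_address


def range_to_prefixes(lo, hi):
    """Minimal list of address/mask prefixes covering an inclusive range: the
    number of mask-style (CAM) entries a single range selector would consume."""
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def spd_lookup(spd, dst, dst_port):
    """Ordered SPD walk: the first entry whose normalized range and port match
    wins. spd is a list of (address_selector, port_or_None, action)."""
    addr = ipaddress.ip_address(dst)
    for sel, port, action in spd:
        lo, hi = selector_to_range(sel)
        if lo.version == addr.version and lo <= addr <= hi and port in (None, dst_port):
            return action
    return None


# Constructed sample SPD; 192.0.2.0/24 is a documentation range, not a real site.
SAMPLE_SPD = [
    ("192.0.2.25", 25, "per-connection-SA"),       # SMTP to one mail server
    ("192.0.2.0-192.0.2.200", None, "shared-SA"),  # an arbitrary range
    ("192.0.2.0/24", None, "bypass"),              # a mask-style subnet
]

if __name__ == "__main__":
    for sel, _, _ in SAMPLE_SPD:
        lo, hi = selector_to_range(sel)
        print(f"{sel:>24} -> {lo}..{hi}, {len(range_to_prefixes(lo, hi))} prefix entries")
    print(spd_lookup(SAMPLE_SPD, "192.0.2.25", 25))
```

Running it shows the subnet costing one mask entry while the arbitrary range needs four, and a range such as 192.0.2.1-192.0.2.254 needs fourteen.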

-----Original Message-----
From: dracca@quarrytech.com [mailto:dracca@quarrytech.com]
Sent: 19 March 2002 12:20
To: msa@burp.tkv.asdf.org; kent@bbn.com
Cc: andrew.krywaniuk@alcatel.com; paul.hoffman@vpnc.org;
ipsec@lists.tislabs.com
Subject: RE: Addresses in traffic selectors in IKEv2


Have you ever tried to implement a range using a CAM-based lookup engine for
policy matching?  Masks are easy - (arbitrary) ranges are most definitely
not.  If you're going to do away with something, get rid of the range.  At
the risk of stirring the pot a bit more, since I was neither in Mr.
Simpson's hotel room, nor anywhere near San Diego in '93 (or whatever the
year was), I might ask, who thought up this range thing, and why was it
thought to be a good idea, anyway?

regards

-----Original Message-----
From: Markku Savela [mailto:msa@burp.tkv.asdf.org]
Sent: Tuesday, March 19, 2002 12:06 AM
To: kent@bbn.com
Cc: andrew.krywaniuk@alcatel.com; paul.hoffman@vpnc.org;
ipsec@lists.tislabs.com
Subject: Re: Addresses in traffic selectors in IKEv2


> From: Stephen Kent <kent@bbn.com>

> Ranges can be used to express what masks can express and so we should 
> probably do away with masks. We should also prohibit trivial ranges 
> that define a single address.

Or, more uniformly, express everything as ranges, including single addresses.

> We are adding enumerated lists for all selector types, and that 
> should replace the singleton  selector values.
> 
> Any more suggestions for reducing ambiguity in expressing selectors?

Everyone seems to ignore my previous comment about TS: they should not
be seen as SPD selectors, but as SAD information instead.

SPD selectors are not needed for any IKE, the SAD values are.

As to other suggestions: can your TS handle connection-specific SAs?
For that you need both src and dst ports.

I repeat my earlier example: if you want connection-specific SAs for
all of your SMTP connections to a specific mail server, you can write
a policy

   dst=mailserveraddress, remote-port=25 -> SA-requirements

where SA-requirements include the bit of information that each
connection is to have a different SA, and thus the port information
from the matched packets is passed to IKE. And IKE needs a way to
pass this info over while negotiating the SAs. I assumed TS was
representing this information set. If not, what payload will do it
then?

Note that on the server side the policy line is naturally expressed

  local-port=25 -> SA-requirements


Note that SPD selectors do not match. It would be pointless to
transfer them.
