
Re: Addresses in traffic selectors in IKEv2

We recommend against ranges and for masks for two reasons:

 - ranges are less natural to network administrators; they tend to
   work more with IP prefixes (masks) when handling configuration
   tasks; IP prefixes also tend to reflect the sub-topology of a local
   network, while ranges don't.  (However, ranges are more flexible,
   and *don't* bind you to subnet topology, so they're also useful,
   especially for things like web farms.)

 - (as stated already) arbitrary ranges don't compile into ternary
   CAMs very well, especially if there are multiple range-based
   selectors in a policy or SAD entry; in the worst case, it uses
   2*(log2 rangeSize)-1 entries per range; if multiple ranges are
   found in the same selector, you need the *product* of the number of
   CAM entries for each field, in total.  (Don't expect this to happen
   much in the real world, though.)  IP prefixes (or other mask/value
   entries) only require a single CAM entry.

-david waitzman
 BBN Technologies Internetwork Research Department
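An added example (not part of the message above or of the IKEv2 work it discusses) that makes the TCAM cost concrete: a range over a fixed-width field is split into the minimal list of mask/value entries, and a selector with several range fields needs the product of the per-field counts. The field widths, the sample ranges and the function names are my own choices, not anything from the thread.

```python
import ipaddress


def range_to_prefixes(lo: int, hi: int, bits: int) -> list[tuple[int, int]]:
    """Split the inclusive range [lo, hi] of a `bits`-wide field into the
    minimal list of (value, prefix_length) mask entries, in ascending order.
    A whole aligned block (e.g. 0..255 of an 8-bit field) yields one entry;
    an unaligned range such as 1..254 needs 2*bits-2 entries."""
    if not 0 <= lo <= hi < (1 << bits):
        raise ValueError("range out of bounds for field width")
    entries = []
    while lo <= hi:
        block = 1
        # Grow the block while it stays aligned at lo and inside the range.
        while (block < (1 << bits)
               and lo & (block * 2 - 1) == 0
               and lo + block * 2 - 1 <= hi):
            block *= 2
        entries.append((lo, bits - block.bit_length() + 1))
        lo += block
    return entries


def tcam_entries(selector: dict[str, tuple[int, int, int]]) -> int:
    """Worst-case TCAM entries for one selector whose fields are given as
    name -> (lo, hi, bits): the product of the per-field prefix counts."""
    total = 1
    for lo, hi, bits in selector.values():
        total *= len(range_to_prefixes(lo, hi, bits))
    return total


def ipv4_range_to_cidrs(first: str, last: str) -> list[str]:
    """Convenience wrapper for 32-bit IPv4 address ranges."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [f"{ipaddress.IPv4Address(v)}/{plen}"
            for v, plen in range_to_prefixes(lo, hi, 32)]


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against the standard library's own range summariser."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return ipv4_range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    # Constructed sample selector: two unaligned port ranges, one /24 subnet.
    sel = {"src_port": (1, 65534, 16), "dst_port": (1, 65534, 16),
           "dst_addr": (0x0A000000, 0x0A0000FF, 32)}
    print("per-field src_port entries:", len(range_to_prefixes(1, 65534, 16)))
    print("selector TCAM entries:", tcam_entries(sel))
```

The two 16-bit port ranges cost 30 entries each (within the 2*(log2 rangeSize)-1 bound the message quotes), and the product rule turns them into 900 entries for the one selector, while the /24 contributes a single entry.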