
unsubscribe jrodriguez@intellinet-tech.com





-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Markku Savela
Sent: Tuesday, March 19, 2002 1:01 PM
To: ipsec@lists.tislabs.com
Subject: Re: Addresses in traffic selectors in IKEv2



> From: Chris Trobridge <CTrobridge@baltimore.com>
>
> We took the same approach as Markku mentioned.  We allow the user to
> specify individual addresses, subnets or ranges, but implementation
> only sees ranges.

Actually I don't prefer ranges, I only implemented address/mask.

What I was trying to say, choose one: either ranges only or
address/mask, but not both.

The SPD policy selectors will consist of the following components:

  - IP protocol number (8 bits)
  - src address 128 bits (IPv6/IPv4)
  - dst address 128 bits ( -"-)
  - source port 16 bits
  - destination port 16 bits
and for IPv6 scoped architecture, we need at least locally
  - destination scope identifier (32 bits)
  - source scope identifier (32 bits)
and private addition
  - ICMP type and code (16 bits)
--------
total selector bits 376 bits!

It just gets pretty messy if some of these can be expressed as
ranges. You have to compare each field separately.

It's much simpler if you don't implement ranges, then you can just
construct the 376 bits and compare under mask.

Now above was all for SPD side.

The traffic selector in IKE payload (IMHO) is supposed to describe
"qualifiers" for the negotiated SA. Scope identifiers are local issue,
so they don't need to be included. Pretty much all of the rest is
needed.

It's okay to use ranges here, as masks are easy to translate into
ranges.

It should be noted that address ranges are not needed (or meaningful)
with transport mode SAs.

Again, I wish to express the difference between SPD selector and SAD
"qualifier", for example VPN tunnel

  dst=company/x -> "SA spec for SG"

Now if you want communications to all hosts within "company/x" to use
the same SA, you specify "company/x" (=range) in the traffic selector. If
you want each host behind the SG to get its own SA, you specify the
individual address in the traffic selector. Again, this choice is part of
the "SA spec for SG". Again, the SPD entry is the same for both variations.